Detection Name | MITRE ATT&CK Technique(s) | Analytic Type
Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP
AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP
Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP
Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP
Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP
Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP
Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP
Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP
Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP
Disable Security Logs Using MiniNt Registry | Modify Registry | TTP
Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP
Get ADUser with PowerShell | Domain Account, Account Discovery | Hunting
Get ADUser with PowerShell Script Block | Domain Account, Account Discovery | Hunting
Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainUser with PowerShell | Domain Account, Account Discovery | TTP
Get DomainUser with PowerShell Script Block | Domain Account, Account Discovery | TTP
JetBrains TeamCity RCE Attempt | Exploit Public-Facing Application | TTP
Mimikatz PassTheTicket CommandLine Parameters | Use Alternate Authentication Material, Pass the Ticket | TTP
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting
PowerShell Domain Enumeration | Command and Scripting Interpreter, PowerShell | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Use Alternate Authentication Material, Pass the Ticket | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Services Escalate Exe | Abuse Elevation Control Mechanism | TTP
Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP
Short Lived Scheduled Task | Scheduled Task | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP
System User Discovery With Whoami | System Owner/User Discovery | Hunting
Unload Sysmon Filter Driver | Disable or Modify Tools, Impair Defenses | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinRM Spawning a Process | Exploit Public-Facing Application | TTP
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token, Access Token Manipulation | Anomaly
Windows Account Discovery With NetUser PreauthNotRequire | Account Discovery | Hunting
Windows Account Discovery for None Disable User Account | Account Discovery, Local Account | Hunting
Windows Account Discovery for Sam Account Name | Account Discovery | Anomaly
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows DISM Remove Defender | Disable or Modify Tools, Impair Defenses | TTP
Windows Disable Notification Center | Modify Registry | Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging | Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components | TTP
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP
Windows Domain Account Discovery Via Get-NetComputer | Account Discovery, Domain Account | Anomaly
Windows Excessive Disabled Services Event | Disable or Modify Tools, Impair Defenses | TTP
Windows Hunting System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | Hunting
Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL Side-Loading, Hijack Execution Flow | Anomaly
Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP
Windows Mimikatz Binary Execution | OS Credential Dumping | TTP
Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly
Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP
Windows Modify Registry Disable Win Defender Raw Write Notif | Modify Registry | Anomaly
Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP
Windows Modify Registry Disable Windows Security Center Notif | Modify Registry | Anomaly
Windows Modify Registry DisableSecuritySettings | Modify Registry | TTP
Windows Modify Registry Disabling WER Settings | Modify Registry | TTP
Windows Modify Registry No Auto Update | Modify Registry | Anomaly
Windows Modify Registry Suppress Win Defender Notif | Modify Registry | Anomaly
Windows Non-System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | TTP
Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView SPN Discovery | Steal or Forge Kerberos Tickets, Kerberoasting | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Process Commandline Discovery | Process Discovery | Hunting
Windows Query Registry Reg Save | Query Registry | Hunting
Windows Remote Create Service | Create or Modify System Process, Windows Service | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task, Scheduled Task/Job | TTP
Windows Scheduled Task with Highest Privileges | Scheduled Task/Job, Scheduled Task | TTP
Windows Service Created with Suspicious Service Path | System Services, Service Execution | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP
Windows Service Creation on Remote Endpoint | Create or Modify System Process, Windows Service | TTP
Windows Service Initiation on Remote Endpoint | Create or Modify System Process, Windows Service | TTP
Windows Service Stop Win Updates | Service Stop | Anomaly
Windows System User Privilege Discovery | System Owner/User Discovery | Hunting
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting