Endpoint

Name Technique Datamodel
7zip CommandLine To SMB Share Path Archive via Utility, Archive Collected Data Endpoint
Access LSASS Memory for Dump Creation LSASS Memory, OS Credential Dumping None
Account Discovery With Net App Domain Account, Account Discovery Endpoint
Active Setup Registry Autostart Active Setup, Boot or Logon Autostart Execution Endpoint
Add DefaultUser And Password In Registry Credentials in Registry, Unsecured Credentials Endpoint
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses Endpoint
AdsiSearcher Account Discovery Domain Account, Account Discovery None
Allow File And Printing Sharing In Firewall Disable or Modify Cloud Firewall, Impair Defenses Endpoint
Allow Inbound Traffic By Firewall Rule Registry Remote Desktop Protocol, Remote Services Endpoint
Allow Inbound Traffic In Firewall Rule Remote Desktop Protocol, Remote Services Endpoint
Allow Network Discovery In Firewall Disable or Modify Cloud Firewall, Impair Defenses Endpoint
Allow Operation with Consent Admin Abuse Elevation Control Mechanism Endpoint
Anomalous usage of 7zip Archive via Utility, Archive Collected Data Endpoint
Anomalous usage of Archive Tools Archive via Utility, Archive Collected Data Endpoint_Processes
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer Endpoint
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer Endpoint
Attacker Tools On Endpoint Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning Endpoint
Attempt To Add Certificate To Untrusted Store Install Root Certificate, Subvert Trust Controls Endpoint
Attempt To Delete Services Service Stop, Create or Modify System Process, Windows Service Endpoint_Processes
Attempt To Disable Services Service Stop Endpoint_Processes
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses Endpoint
Attempted Credential Dump From Registry via Reg exe OS Credential Dumping, Security Account Manager Endpoint_Processes
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping Endpoint
Auto Admin Logon Registry Entry Credentials in Registry, Unsecured Credentials Endpoint
BCDEdit Failure Recovery Modification Inhibit System Recovery Endpoint_Processes
BCDEdit Failure Recovery Modification Inhibit System Recovery Endpoint
BITS Job Persistence BITS Jobs Endpoint
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer Endpoint
Batch File Write to System32 User Execution, Malicious File Endpoint
Bcdedit Command Back To Normal Mode Boot Inhibit System Recovery Endpoint
CHCP Command Execution Command and Scripting Interpreter Endpoint
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Endpoint
CMD Echo Pipe - Escalation Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process Endpoint
CMLUA Or CMSTPLUA UAC Bypass System Binary Proxy Execution, CMSTP Endpoint
CSC Net On The Fly Compilation Compile After Delivery, Obfuscated Files or Information Endpoint
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer Endpoint
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer Endpoint
CertUtil With Decode Argument Deobfuscate/Decode Files or Information Endpoint
Certutil exe certificate extraction None Endpoint
Change Default File Association Change Default File Association, Event Triggered Execution Endpoint
Change To Safe Mode With Network Config Inhibit System Recovery Endpoint
Check Elevated CMD using whoami System Owner/User Discovery Endpoint
Child Processes of Spoolsv exe Exploitation for Privilege Escalation Endpoint
Clear Unallocated Sector Using Cipher App File Deletion, Indicator Removal Endpoint_Processes
Clear Unallocated Sector Using Cipher App File Deletion, Indicator Removal Endpoint
Clop Common Exec Parameter User Execution Endpoint
Clop Ransomware Known Service Name Create or Modify System Process Endpoint
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript Endpoint
Cobalt Strike Named Pipes Process Injection None
Common Ransomware Extensions Data Destruction Endpoint
Common Ransomware Notes Data Destruction Endpoint
Conti Common Exec parameter User Execution Endpoint
Control Loading from World Writable Directory System Binary Proxy Execution, Control Panel Endpoint
Create Remote Thread In Shell Application Process Injection Endpoint
Create Remote Thread into LSASS LSASS Memory, OS Credential Dumping None
Create local admin accounts using net exe Local Account, Create Account Endpoint
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal Endpoint
Creation of Shadow Copy NTDS, OS Credential Dumping Endpoint
Creation of Shadow Copy with wmic and powershell NTDS, OS Credential Dumping Endpoint
Creation of lsass Dump with Taskmgr LSASS Memory, OS Credential Dumping None
Credential Dumping via Copy Command from Shadow Copy NTDS, OS Credential Dumping Endpoint
Credential Dumping via Symlink to Shadow Copy NTDS, OS Credential Dumping Endpoint
Curl Download and Bash Execution Ingress Tool Transfer Endpoint
DLLHost with no Command Line Arguments with Network Process Injection Endpoint
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol Endpoint_Processes
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol Endpoint
DSQuery Domain Discovery Domain Trust Discovery Endpoint
Delete A Net User Account Access Removal Endpoint_Processes
Delete ShadowCopy With PowerShell Inhibit System Recovery Endpoint
Deleting Of Net Users Account Access Removal Endpoint
Deleting Shadow Copies Inhibit System Recovery Endpoint
Deny Permission using Cacls Utility File and Directory Permissions Modification Endpoint_Processes
Detect Activity Related to Pass the Hash Attacks Use Alternate Authentication Material, Pass the Hash None
Detect AzureHound Command-Line Arguments Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Detect AzureHound File Modifications Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Detect Baron Samedit CVE-2021-3156 Exploitation for Privilege Escalation None
Detect Baron Samedit CVE-2021-3156 Segfault Exploitation for Privilege Escalation None
Detect Baron Samedit CVE-2021-3156 via OSQuery Exploitation for Privilege Escalation None
Detect Computer Changed with Anonymous Account Exploitation of Remote Services None
Detect Copy of ShadowCopy with Script Block Logging Security Account Manager, OS Credential Dumping None
Detect Credential Dumping through LSASS access LSASS Memory, OS Credential Dumping None
Detect Empire with PowerShell Script Block Logging Command and Scripting Interpreter, PowerShell None
Detect Excessive Account Lockouts From Endpoint Valid Accounts, Domain Accounts Change
Detect Excessive User Account Lockouts Valid Accounts, Local Accounts Change
Detect Exchange Web Shell Server Software Component, Web Shell, Exploit Public-Facing Application Endpoint
Detect HTML Help Renamed System Binary Proxy Execution, Compiled HTML File Endpoint
Detect HTML Help Spawn Child Process System Binary Proxy Execution, Compiled HTML File Endpoint
Detect HTML Help URL in Command Line System Binary Proxy Execution, Compiled HTML File Endpoint
Detect HTML Help Using InfoTech Storage Handlers System Binary Proxy Execution, Compiled HTML File Endpoint
Detect MSHTA Url in Command Line System Binary Proxy Execution, Mshta Endpoint
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping None
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell None
Detect New Local Admin account Local Account, Create Account None
Detect Outlook exe writing a zip file Phishing, Spearphishing Attachment Endpoint
Detect Path Interception By Creation Of program exe Path Interception by Unquoted Path, Hijack Execution Flow Endpoint
Detect Prohibited Applications Spawning cmd exe Command and Scripting Interpreter Endpoint_Processes
Detect Prohibited Applications Spawning cmd exe Command and Scripting Interpreter, Windows Command Shell Endpoint
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares Endpoint
Detect RClone Command-Line Usage Automated Exfiltration Endpoint_Processes
Detect RClone Command-Line Usage Automated Exfiltration Endpoint
Detect Rare Executables None Endpoint
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm Endpoint
Detect Regasm with Network Connection System Binary Proxy Execution, Regsvcs/Regasm None
Detect Regasm with no Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm Endpoint
Detect Regsvcs Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm Endpoint
Detect Regsvcs with Network Connection System Binary Proxy Execution, Regsvcs/Regasm None
Detect Regsvcs with No Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm Endpoint
Detect Regsvr32 Application Control Bypass System Binary Proxy Execution, Regsvr32 Endpoint
Detect Renamed 7-Zip Archive via Utility, Archive Collected Data Endpoint
Detect Renamed PSExec System Services, Service Execution Endpoint
Detect Renamed RClone Automated Exfiltration Endpoint
Detect Renamed WinRAR Archive via Utility, Archive Collected Data Endpoint
Detect Rundll32 Application Control Bypass - advpack System Binary Proxy Execution, Rundll32 Endpoint
Detect Rundll32 Application Control Bypass - setupapi System Binary Proxy Execution, Rundll32 Endpoint
Detect Rundll32 Application Control Bypass - syssetup System Binary Proxy Execution, Rundll32 Endpoint
Detect Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta Endpoint
Detect SharpHound Command-Line Arguments Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Detect SharpHound File Modifications Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Detect SharpHound Usage Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Detect Use of cmd exe to Launch Script Interpreters Command and Scripting Interpreter, Windows Command Shell Endpoint
Detect WMI Event Subscription Persistence Windows Management Instrumentation Event Subscription, Event Triggered Execution None
Detect mshta inline hta execution System Binary Proxy Execution, Mshta Endpoint
Detect mshta renamed System Binary Proxy Execution, Mshta Endpoint
Detect processes used for System Network Configuration Discovery System Network Configuration Discovery Endpoint
Detect suspicious processnames using a pretrained model in DSDL Command and Scripting Interpreter Endpoint
Detection of tools built by NirSoft Software Deployment Tools Endpoint
Disable AMSI Through Registry Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender AntiVirus Registry Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender BlockAtFirstSeen Feature Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender Enhanced Notification Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender MpEngine Registry Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender Spynet Reporting Disable or Modify Tools, Impair Defenses Endpoint
Disable Defender Submit Samples Consent Feature Disable or Modify Tools, Impair Defenses Endpoint
Disable ETW Through Registry Disable or Modify Tools, Impair Defenses Endpoint
Disable Logs Using WevtUtil Indicator Removal, Clear Windows Event Logs Endpoint
Disable Net User Account Service Stop, Valid Accounts Endpoint_Processes
Disable Registry Tool Disable or Modify Tools, Impair Defenses Endpoint
Disable Schedule Task Disable or Modify Tools, Impair Defenses Endpoint
Disable Security Logs Using MiniNt Registry Modify Registry Endpoint
Disable Show Hidden Files Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses Endpoint
Disable UAC Remote Restriction Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Disable Windows App Hotkeys Disable or Modify Tools, Impair Defenses Endpoint
Disable Windows Behavior Monitoring Disable or Modify Tools, Impair Defenses Endpoint
Disable Windows SmartScreen Protection Disable or Modify Tools, Impair Defenses Endpoint
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Steal or Forge Kerberos Tickets, AS-REP Roasting None
Disabled Kerberos Pre-Authentication Discovery With PowerView Steal or Forge Kerberos Tickets, AS-REP Roasting None
Disabling CMD Application Disable or Modify Tools, Impair Defenses Endpoint
Disabling ControlPanel Disable or Modify Tools, Impair Defenses Endpoint
Disabling Defender Services Disable or Modify Tools, Impair Defenses Endpoint
Disabling Firewall with Netsh Disable or Modify Tools, Impair Defenses Endpoint
Disabling FolderOptions Windows Feature Disable or Modify Tools, Impair Defenses Endpoint
Disabling Net User Account Account Access Removal Endpoint
Disabling NoRun Windows App Disable or Modify Tools, Impair Defenses Endpoint
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Disabling SystemRestore In Registry Inhibit System Recovery Endpoint
Disabling Task Manager Disable or Modify Tools, Impair Defenses Endpoint
Disabling Windows Local Security Authority Defences via Registry Modify Authentication Process Endpoint
Domain Account Discovery With Net App Domain Account, Account Discovery Endpoint
Domain Account Discovery with Dsquery Domain Account, Account Discovery Endpoint
Domain Account Discovery with Wmic Domain Account, Account Discovery Endpoint
Domain Controller Discovery with Nltest Remote System Discovery Endpoint
Domain Controller Discovery with Wmic Remote System Discovery Endpoint
Domain Group Discovery With Dsquery Permission Groups Discovery, Domain Groups Endpoint
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Endpoint
Domain Group Discovery With Wmic Permission Groups Discovery, Domain Groups Endpoint
Domain Group Discovery with Adsisearcher Permission Groups Discovery, Domain Groups None
Download Files Using Telegram Ingress Tool Transfer Endpoint
Drop IcedID License dat User Execution, Malicious File Endpoint
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping Endpoint
Dump LSASS via procdump LSASS Memory, OS Credential Dumping Endpoint
ETW Registry Disabled Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses Endpoint
Elevated Group Discovery With Net Permission Groups Discovery, Domain Groups Endpoint
Elevated Group Discovery With Wmic Permission Groups Discovery, Domain Groups Endpoint
Elevated Group Discovery with PowerView Permission Groups Discovery, Domain Groups None
Enable RDP In Other Port Number Remote Services Endpoint
Enable WDigest UseLogonCredential Registry Modify Registry, OS Credential Dumping Endpoint
Enumerate Users Local Group Using Telegram Account Discovery Endpoint
Esentutl SAM Copy Security Account Manager, OS Credential Dumping Endpoint
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Excel Spawning PowerShell Security Account Manager, OS Credential Dumping Endpoint
Excel Spawning Windows Script Host Security Account Manager, OS Credential Dumping Endpoint
Excessive Attempt To Disable Services Service Stop Endpoint
Excessive File Deletion In WinDefender Folder Data Destruction Endpoint
Excessive Service Stop Attempt Service Stop Endpoint
Excessive Usage Of Cacls App File and Directory Permissions Modification Endpoint
Excessive Usage Of Net App Account Access Removal Endpoint
Excessive Usage Of SC Service Utility System Services, Service Execution Endpoint
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Endpoint
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Endpoint
Excessive distinct processes from Windows Temp Command and Scripting Interpreter Endpoint
Excessive number of service control start as disabled Disable or Modify Tools, Impair Defenses Endpoint
Excessive number of taskhost processes Command and Scripting Interpreter Endpoint
Exchange PowerShell Abuse via SSRF Exploit Public-Facing Application None
Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell None
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares None
Executables Or Script Creation In Suspicious Path Masquerading Endpoint
Execute Javascript With Jscript COM CLSID Command and Scripting Interpreter, Visual Basic Endpoint
Execution of File with Multiple Extensions Masquerading, Rename System Utilities Endpoint
Extraction of Registry Hives Security Account Manager, OS Credential Dumping Endpoint
File with Samsam Extension None Endpoint
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Endpoint
First Time Seen Child Process of Zoom Exploitation for Privilege Escalation Endpoint
First Time Seen Running Windows Service System Services, Service Execution None
FodHelper UAC Bypass Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Fsutil Zeroing File Indicator Removal Endpoint
Fsutil Zeroing File Indicator Removal Endpoint_Processes
GPUpdate with no Command Line Arguments with Network Process Injection Endpoint
Get ADDefaultDomainPasswordPolicy with Powershell Password Policy Discovery Endpoint
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Password Policy Discovery None
Get ADUser with PowerShell Domain Account, Account Discovery Endpoint
Get ADUser with PowerShell Script Block Domain Account, Account Discovery None
Get ADUserResultantPasswordPolicy with Powershell Password Policy Discovery Endpoint
Get ADUserResultantPasswordPolicy with Powershell Script Block Password Policy Discovery None
Get DomainPolicy with Powershell Password Policy Discovery Endpoint
Get DomainPolicy with Powershell Script Block Password Policy Discovery None
Get DomainUser with PowerShell Domain Account, Account Discovery Endpoint
Get DomainUser with PowerShell Script Block Domain Account, Account Discovery None
Get WMIObject Group Discovery Permission Groups Discovery, Local Groups Endpoint
Get WMIObject Group Discovery with Script Block Logging Permission Groups Discovery, Local Groups None
Get-DomainTrust with PowerShell Domain Trust Discovery Endpoint
Get-DomainTrust with PowerShell Script Block Domain Trust Discovery None
Get-ForestTrust with PowerShell Domain Trust Discovery Endpoint
Get-ForestTrust with PowerShell Script Block Domain Trust Discovery, PowerShell None
GetAdComputer with PowerShell Remote System Discovery Endpoint
GetAdComputer with PowerShell Script Block Remote System Discovery None
GetAdGroup with PowerShell Permission Groups Discovery, Domain Groups Endpoint
GetAdGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups None
GetCurrent User with PowerShell System Owner/User Discovery Endpoint
GetCurrent User with PowerShell Script Block System Owner/User Discovery None
GetDomainComputer with PowerShell Remote System Discovery Endpoint
GetDomainComputer with PowerShell Script Block Remote System Discovery None
GetDomainController with PowerShell Remote System Discovery Endpoint
GetDomainController with PowerShell Script Block Remote System Discovery None
GetDomainGroup with PowerShell Permission Groups Discovery, Domain Groups Endpoint
GetDomainGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups None
GetLocalUser with PowerShell Account Discovery, Local Account Endpoint
GetLocalUser with PowerShell Script Block Account Discovery, Local Account, PowerShell None
GetNetTcpconnection with PowerShell System Network Connections Discovery Endpoint
GetNetTcpconnection with PowerShell Script Block System Network Connections Discovery None
GetWmiObject DS User with PowerShell Domain Account, Account Discovery Endpoint
GetWmiObject DS User with PowerShell Script Block Domain Account, Account Discovery None
GetWmiObject Ds Computer with PowerShell Remote System Discovery Endpoint
GetWmiObject Ds Computer with PowerShell Script Block Remote System Discovery None
GetWmiObject Ds Group with PowerShell Permission Groups Discovery, Domain Groups Endpoint
GetWmiObject Ds Group with PowerShell Script Block Permission Groups Discovery, Domain Groups None
GetWmiObject User Account with PowerShell Account Discovery, Local Account Endpoint
GetWmiObject User Account with PowerShell Script Block Account Discovery, Local Account, PowerShell None
Grant Permission Using Cacls Utility File and Directory Permissions Modification Endpoint_Processes
Hide User Account From Sign-In Screen Disable or Modify Tools, Impair Defenses Endpoint
Hiding Files And Directories With Attrib exe Windows File and Directory Permissions Modification, File and Directory Permissions Modification Endpoint_Processes
Hiding Files And Directories With Attrib exe File and Directory Permissions Modification, Windows File and Directory Permissions Modification Endpoint
High Frequency Copy Of Files In Network Share Transfer Data to Cloud Account Endpoint
High Process Termination Frequency Data Encrypted for Impact Endpoint
Hunting for Log4Shell Exploit Public-Facing Application Web
ICACLS Grant Command File and Directory Permissions Modification Endpoint
Icacls Deny Command File and Directory Permissions Modification Endpoint
IcedID Exfiltrated Archived File Creation Archive via Utility, Archive Collected Data Endpoint
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service Endpoint
Interactive Session on Remote Endpoint with PowerShell Remote Services, Windows Remote Management None
Java Class File download by Java User Agent Exploit Public-Facing Application Web
Java Writing JSP File Exploit Public-Facing Application Endpoint
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript Endpoint
Kerberoasting spn request with RC4 encryption Steal or Forge Kerberos Tickets, Kerberoasting None
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Steal or Forge Kerberos Tickets, AS-REP Roasting None
Kerberos Pre-Authentication Flag Disabled with PowerShell Steal or Forge Kerberos Tickets, AS-REP Roasting None
Kerberos Service Ticket Request Using RC4 Encryption Steal or Forge Kerberos Tickets, Golden Ticket None
Kerberos TGT Request Using RC4 Encryption Use Alternate Authentication Material None
Kerberos User Enumeration Gather Victim Identity Information, Email Addresses None
Known Services Killed by Ransomware Inhibit System Recovery Endpoint
LOLBAS With Network Traffic Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution Network_Traffic, Endpoint
Linux APT Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux AWK Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Account Manipulation Of SSH Config and Keys Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Add Files In Known Crontab Directories Cron, Scheduled Task/Job Endpoint
Linux Add User Account Local Account, Create Account Endpoint
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Endpoint
Linux At Allow Config File Creation Cron, Scheduled Task/Job Endpoint
Linux At Application Execution At, Scheduled Task/Job Endpoint
Linux Busybox Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Change File Owner To Root Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Endpoint
Linux Clipboard Data Copy Clipboard Data Endpoint
Linux Common Process For Elevation Control Setuid and Setgid, Abuse Elevation Control Mechanism Endpoint
Linux Composer Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Cpulimit Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Csvtool Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Curl Upload File Ingress Tool Transfer Endpoint
Linux DD File Overwrite Data Destruction Endpoint
Linux Data Destruction Command Data Destruction Endpoint
Linux Decode Base64 to Shell Obfuscated Files or Information, Unix Shell Endpoint
Linux Deleting Critical Directory Using RM Command Data Destruction Endpoint
Linux Deletion Of Cron Jobs Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Deletion Of Init Daemon Script Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Deletion Of Services Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Deletion of SSL Certificate Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Disable Services Service Stop Endpoint
Linux Doas Conf File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Doas Tool Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Docker Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Edit Cron Table Parameter Cron, Scheduled Task/Job Endpoint
Linux Emacs Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux File Created In Kernel Driver Directory Kernel Modules and Extensions, Boot or Logon Autostart Execution Endpoint
Linux File Creation In Init Boot Directory RC Scripts, Boot or Logon Initialization Scripts Endpoint
Linux File Creation In Profile Directory Unix Shell Configuration Modification, Event Triggered Execution Endpoint
Linux Find Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux GDB Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux GNU Awk Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Gem Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Hardware Addition SwapOff Hardware Additions Endpoint
Linux High Frequency Of File Deletion In Boot Folder Data Destruction, File Deletion, Indicator Removal Endpoint
Linux High Frequency Of File Deletion In Etc Folder Data Destruction, File Deletion, Indicator Removal Endpoint
Linux Impair Defenses Process Kill Disable or Modify Tools, Impair Defenses Endpoint
Linux Indicator Removal Clear Cache Indicator Removal Endpoint
Linux Indicator Removal Service File Deletion File Deletion, Indicator Removal Endpoint
Linux Ingress Tool Transfer Hunting Ingress Tool Transfer Endpoint
Linux Ingress Tool Transfer with Curl Ingress Tool Transfer Endpoint
Linux Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Endpoint
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Endpoint
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Endpoint
Linux Java Spawning Shell Exploit Public-Facing Application Endpoint
Linux Kernel Module Enumeration System Information Discovery, Rootkit Endpoint
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Endpoint
Linux Make Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux MySQL Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Endpoint
Linux Node Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Obfuscated Files or Information Base64 Decode Obfuscated Files or Information Endpoint
Linux Octave Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux OpenVPN Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux PHP Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Risk
Linux Possible Access Or Modification Of sshd Config File SSH Authorized Keys, Account Manipulation Endpoint
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Endpoint
Linux Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Possible Append Command To At Allow Config File At, Scheduled Task/Job Endpoint
Linux Possible Append Command To Profile Config File Unix Shell Configuration Modification, Event Triggered Execution Endpoint
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron, Scheduled Task/Job Endpoint
Linux Possible Cronjob Modification With Editor Cron, Scheduled Task/Job Endpoint
Linux Possible Ssh Key File Creation SSH Authorized Keys, Account Manipulation Endpoint
Linux Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow Endpoint
Linux Proxy Socks Curl Proxy, Non-Application Layer Protocol Endpoint
Linux Puppet Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux RPM Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Ruby Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux SSH Authorized Keys Modification SSH Authorized Keys Endpoint
Linux SSH Remote Services Script Execute SSH Endpoint
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Endpoint
Linux Service Restarted Systemd Timers, Scheduled Task/Job Endpoint
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Endpoint
Linux Setuid Using Chmod Utility Setuid and Setgid, Abuse Elevation Control Mechanism Endpoint
Linux Setuid Using Setcap Utility Setuid and Setgid, Abuse Elevation Control Mechanism Endpoint
Linux Shred Overwrite Command Data Destruction Endpoint
Linux Sqlite3 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Endpoint
Linux Stop Services Service Stop Endpoint
Linux Sudo OR Su Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux Sudoers Tmp File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux System Network Discovery System Network Configuration Discovery Endpoint
Linux System Reboot Via System Request Key System Shutdown/Reboot Endpoint
Linux Unix Shell Enable All SysRq Functions Unix Shell, Command and Scripting Interpreter Endpoint
Linux Visudo Utility Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux apt-get Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux c89 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux c99 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Endpoint
Linux pkexec Privilege Escalation Exploitation for Privilege Escalation Endpoint
Living Off The Land Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter Risk
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection Endpoint
Local Account Discovery With Wmic Account Discovery, Local Account Endpoint
Local Account Discovery with Net Account Discovery, Local Account Endpoint
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter Risk
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) Endpoint
MS Exchange Mailbox Replication service writing Active Server Pages Server Software Component, Web Shell, Exploit Public-Facing Application Endpoint
MS Scripting Process Loading Ldap Module Command and Scripting Interpreter, JavaScript Endpoint
MS Scripting Process Loading WMI Module Command and Scripting Interpreter, JavaScript Endpoint
MSBuild Suspicious Spawned By Script Process MSBuild, Trusted Developer Utilities Proxy Execution Endpoint
MSHTML Module Load in Office Product Phishing, Spearphishing Attachment Endpoint
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow None
MacOS - Re-opened Applications None Endpoint
MacOS LOLbin Unix Shell, Command and Scripting Interpreter Endpoint
MacOS plutil Plist File Modification Endpoint
Mailsniper Invoke functions Email Collection, Local Email Collection Endpoint
Malicious InProcServer32 Modification Regsvr32, Modify Registry Endpoint
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Endpoint
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell Endpoint
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell Endpoint
Malicious Powershell Executed As A Service System Services, Service Execution Endpoint
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket Endpoint
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC Endpoint
Modification Of Wallpaper Defacement Endpoint
Modify ACL permission To Files Or Folder File and Directory Permissions Modification Endpoint
Modify ACLs Permission Of Files Or Folders File and Directory Permissions Modification Endpoint_Processes
Monitor Registry Keys for Print Monitors Port Monitors, Boot or Logon Autostart Execution Endpoint
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta Endpoint
Msmpeng Application DLL Side Loading DLL Side-Loading, Hijack Execution Flow Endpoint
NET Profiler UAC bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
NLTest Domain Trust Discovery Domain Trust Discovery Endpoint
Net Localgroup Discovery Permission Groups Discovery, Local Groups Endpoint
Network Connection Discovery With Arp System Network Connections Discovery Endpoint
Network Connection Discovery With Net System Network Connections Discovery Endpoint
Network Connection Discovery With Netstat System Network Connections Discovery Endpoint
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Endpoint
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell Endpoint
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Endpoint
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Endpoint
Notepad with no Command Line Arguments Process Injection Endpoint
Ntdsutil Export NTDS NTDS, OS Credential Dumping Endpoint
Office Application Drop Executable Phishing, Spearphishing Attachment Endpoint
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment Endpoint
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment Endpoint
Office Document Creating Schedule Task Phishing, Spearphishing Attachment Endpoint
Office Document Executing Macro Code Phishing, Spearphishing Attachment Endpoint
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment Endpoint
Office Product Spawn CMD Process Phishing, Spearphishing Attachment Endpoint
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment Endpoint
Office Product Spawning CertUtil Phishing, Spearphishing Attachment Endpoint
Office Product Spawning MSHTA Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment Endpoint_Processes
Office Product Spawning Wmic Phishing, Spearphishing Attachment Endpoint
Office Product Writing cab or inf Phishing, Spearphishing Attachment Endpoint
Office Spawning Control Phishing, Spearphishing Attachment Endpoint
Outbound Network Connection from Java Using Default Ports Exploit Public-Facing Application Endpoint, Network_Traffic
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features Endpoint
Password Policy Discovery with Net Password Policy Discovery Endpoint
Permission Modification using Takeown App File and Directory Permissions Modification Endpoint
PetitPotam Network Share Access Request Forced Authentication None
PetitPotam Suspicious Kerberos TGT Request OS Credential Dumping None
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Endpoint
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Endpoint
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC Endpoint
Potential password in username Local Accounts, Credentials In Files Authentication
Potentially malicious code on commandline Windows Command Shell Endpoint
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Endpoint
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell None
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell None
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Endpoint
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell None
PowerShell Start-BitsTransfer BITS Jobs Endpoint
Powershell COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell Endpoint
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools, PowerShell None
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses Endpoint
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools Endpoint
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution, PowerShell Endpoint
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell None
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell None
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups None
Powershell Load Module in Meterpreter Command and Scripting Interpreter, PowerShell None
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell None
Powershell Remote Thread To Known Windows Process Process Injection Endpoint
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses Endpoint
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter None
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses Endpoint
Prevent Automatic Repair Mode using Bcdedit Inhibit System Recovery Endpoint
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution Endpoint
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution Endpoint
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution Endpoint
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link Endpoint
Process Deleting Its Process File Path Indicator Removal Endpoint
Process Execution via WMI Windows Management Instrumentation Endpoint
Process Kill Base On File Path Disable or Modify Tools, Impair Defenses Endpoint
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Endpoint
Processes Tapping Keyboard Events None None
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Endpoint
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task None
Randomly Generated Windows Service Name Create or Modify System Process, Windows Service None
Ransomware Notes bulk creation Data Encrypted for Impact Endpoint
Recon AVProduct Through Pwh or WMI Gather Victim Host Information None
Recon Using WMI Class Gather Victim Host Information, PowerShell None
Recursive Delete of Directory In Batch CMD File Deletion, Indicator Removal Endpoint
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow Endpoint
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution Endpoint
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution Endpoint
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Endpoint
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Endpoint
Remcos RAT File Creation in Remcos Folder Screen Capture Endpoint
Remcos client registry install entry Modify Registry Endpoint
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Endpoint
Remote Process Instantiation via DCOM and PowerShell Remote Services, Distributed Component Object Model Endpoint
Remote Process Instantiation via DCOM and PowerShell Script Block Remote Services, Distributed Component Object Model None
Remote Process Instantiation via WMI Windows Management Instrumentation Endpoint
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation Endpoint
Remote Process Instantiation via WMI and PowerShell Script Block Windows Management Instrumentation None
Remote Process Instantiation via WinRM and PowerShell Remote Services, Windows Remote Management Endpoint
Remote Process Instantiation via WinRM and PowerShell Script Block Remote Services, Windows Remote Management None
Remote Process Instantiation via WinRM and Winrs Remote Services, Windows Remote Management Endpoint
Remote System Discovery with Adsisearcher Remote System Discovery None
Remote System Discovery with Dsquery Remote System Discovery Endpoint
Remote System Discovery with Net Remote System Discovery Endpoint
Remote System Discovery with Wmic Remote System Discovery Endpoint
Remote WMI Command Attempt Windows Management Instrumentation Endpoint
Resize ShadowStorage volume Inhibit System Recovery Endpoint
Resize Shadowstorage Volume Service Stop Endpoint_Processes
Revil Common Exec Parameter User Execution Endpoint
Revil Registry Entry Modify Registry Endpoint
Rubeus Command Line Parameters Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting Endpoint
Rubeus Kerberos Ticket Exports Through Winlogon Access Use Alternate Authentication Material, Pass the Ticket None
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 Endpoint
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Endpoint
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Create Remote Thread To A Process Process Injection Endpoint
Rundll32 CreateRemoteThread In Browser Process Injection Endpoint
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 LockWorkStation System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Shimcache Flush Modify Registry Endpoint
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 Endpoint
Ryuk Test Files Detected Data Encrypted for Impact Endpoint
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell Endpoint
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Endpoint
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Samsam Test File Write Data Encrypted for Impact Endpoint
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process Endpoint
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery Endpoint
Schedule Task with HTTP Command Arguments Scheduled Task/Job Endpoint
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job Endpoint
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At Endpoint
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job Endpoint
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task Endpoint
Schtasks Run Task On Demand Scheduled Task/Job Endpoint
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job Endpoint
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job Endpoint
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver Endpoint
Script Execution via WMI Windows Management Instrumentation Endpoint
Sdclt UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal Endpoint
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal Endpoint_Processes
SearchProtocolHost with no Command Line with Network Process Injection Endpoint
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping Endpoint
ServicePrincipalNames Discovery with PowerShell Kerberoasting None
ServicePrincipalNames Discovery with SetSPN Kerberoasting Endpoint
Services Escalate Exe Abuse Elevation Control Mechanism Endpoint
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service Endpoint
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell Endpoint
Shim Database File Creation Application Shimming, Event Triggered Execution Endpoint
Shim Database Installation With Suspicious Parameters Application Shimming, Event Triggered Execution Endpoint
Short Lived Scheduled Task Scheduled Task None
Short Lived Windows Accounts Local Account, Create Account Change
SilentCleanup UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Single Letter Process On Endpoint User Execution, Malicious File Endpoint
Spike in File Writes None None
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution Endpoint
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution Endpoint
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation Endpoint
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution Endpoint
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution Endpoint
Sqlite Module In Temp Folder Data from Local System Endpoint
Sunburst Correlation DLL and Network Event Exploitation for Client Execution None
Suspicious Computer Account Name Change Valid Accounts, Domain Accounts Endpoint
Suspicious Copy on System32 Rename System Utilities, Masquerading Endpoint
Suspicious Curl Network Connection Ingress Tool Transfer Endpoint
Suspicious DLLHost no Command Line Arguments Process Injection Endpoint
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process Endpoint
Suspicious Event Log Service Behavior Indicator Removal, Clear Windows Event Logs None
Suspicious GPUpdate no Command Line Arguments Process Injection Endpoint
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Image Creation In Appdata Folder Screen Capture Endpoint
Suspicious Kerberos Service Ticket Request Valid Accounts, Domain Accounts Endpoint
Suspicious Linux Discovery Commands Unix Shell Endpoint
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Endpoint
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild Endpoint
Suspicious PlistBuddy Usage Launch Agent, Create or Modify System Process Endpoint
Suspicious PlistBuddy Usage via OSquery Launch Agent, Create or Modify System Process None
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter Endpoint
Suspicious Process File Path Create or Modify System Process Endpoint
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Endpoint
Suspicious Reg exe Process Modify Registry Endpoint
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 Endpoint
Suspicious Rundll32 PluginInit System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 Endpoint
Suspicious SQLite3 LSQuarantine Behavior Data Staged Endpoint
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Endpoint
Suspicious SearchProtocolHost no Command Line Arguments Process Injection Endpoint
Suspicious Ticket Granting Ticket Request Valid Accounts, Domain Accounts Endpoint
Suspicious WAV file in Appdata Folder Screen Capture Endpoint
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Endpoint
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution Endpoint
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Endpoint
Suspicious mshta child process System Binary Proxy Execution, Mshta Endpoint
Suspicious mshta spawn System Binary Proxy Execution, Mshta Endpoint
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal Endpoint
Suspicious writes to windows Recycle Bin Masquerading Endpoint
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task Endpoint
System Info Gathering Using Dxdiag Application Gather Victim Host Information Endpoint
System Information Discovery Detection System Information Discovery Endpoint
System Process Running from Unexpected Location Masquerading Endpoint_Processes
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Endpoint
System User Discovery With Query System Owner/User Discovery Endpoint
System User Discovery With Whoami System Owner/User Discovery Endpoint
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution Endpoint
Trickbot Named Pipe Process Injection Endpoint
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control, Abuse Elevation Control Mechanism, MMC Endpoint
UAC Bypass With Colorui COM Object System Binary Proxy Execution, CMSTP Endpoint
USN Journal Deletion Indicator Removal Endpoint
Unified Messaging Service Spawning a Process Exploit Public-Facing Application Endpoint
Uninstall App Using MsiExec Msiexec, System Binary Proxy Execution Endpoint
Unknown Process Using The Kerberos Protocol Use Alternate Authentication Material Endpoint, Network_Traffic
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses Endpoint
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter None
Unusual Number of Computer Service Tickets Requested Valid Accounts None
Unusual Number of Kerberos Service Tickets Requested Steal or Forge Kerberos Tickets, Kerberoasting None
Unusual Number of Remote Endpoint Authentication Events Valid Accounts None
Unusually Long Command Line None None
Unusually Long Command Line - MLTK None None
User Discovery With Env Vars PowerShell System Owner/User Discovery Endpoint
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery None
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter Endpoint
Verclsid CLSID Execution Verclsid, System Binary Proxy Execution Endpoint
W3WP Spawning Shell Server Software Component, Web Shell Endpoint
WBAdmin Delete System Backups Inhibit System Recovery Endpoint_Processes
WBAdmin Delete System Backups Inhibit System Recovery Endpoint
WMI Permanent Event Subscription Windows Management Instrumentation None
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution None
WMI Recon Running Process Or Services Gather Victim Host Information None
WMI Temporary Event Subscription Windows Management Instrumentation None
WMIC XSL Execution via URL XSL Script Processing Endpoint
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Wbemprox COM Object Execution System Binary Proxy Execution, CMSTP Endpoint
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses Endpoint
Wermgr Process Create Executable File Obfuscated Files or Information Endpoint
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter Endpoint
WevtUtil Usage To Clear Logs Indicator Removal, Clear Windows Event Logs Endpoint_Processes
Wevtutil Usage To Disable Logs Indicator Removal, Clear Windows Event Logs Endpoint_Processes
Wget Download and Bash Execution Ingress Tool Transfer Endpoint
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job None
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job None
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Endpoint
WinRM Spawning a Process Exploit Public-Facing Application Endpoint
Windows AD AdminSDHolder ACL Modified Event Triggered Execution None
Windows AD Cross Domain SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD DSRM Account Changes Account Manipulation Endpoint
Windows AD DSRM Password Reset Account Manipulation Change
Windows AD Domain Controller Audit Policy Disabled Disable or Modify Tools None
Windows AD Domain Controller Promotion Rogue Domain Controller None
Windows AD Domain Replication ACL Addition Domain Policy Modification None
Windows AD Privileged Account SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD Replication Request Initiated by User Account DCSync, OS Credential Dumping None
Windows AD Replication Request Initiated from Unsanctioned Location DCSync, OS Credential Dumping None
Windows AD SID History Attribute Modified Access Token Manipulation, SID-History Injection None
Windows AD Same Domain SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD ServicePrincipalName Added To Domain Account Account Manipulation None
Windows AD Short Lived Domain Account ServicePrincipalName Account Manipulation None
Windows AD Short Lived Domain Controller SPN Attribute Rogue Domain Controller None
Windows AD Short Lived Server Object Rogue Domain Controller None
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation None
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation None
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation None
Windows AdFind Exe Remote System Discovery Endpoint
Windows Apache Benchmark Binary Command and Scripting Interpreter Endpoint
Windows App Layer Protocol Qakbot NamedPipe Application Layer Protocol Endpoint
Windows App Layer Protocol Wermgr Connect To NamedPipe Application Layer Protocol Endpoint
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Application Layer Protocol Endpoint
Windows Autostart Execution LSASS Driver Registry Modification LSASS Driver Endpoint
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution Endpoint
Windows Bits Job Persistence BITS Jobs Endpoint_Processes
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer Endpoint_Processes
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution Endpoint
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution Endpoint_Processes
Windows Cached Domain Credentials Reg Query Cached Domain Credentials, OS Credential Dumping Endpoint
Windows CertUtil Decode File Deobfuscate/Decode Files or Information Endpoint_Processes
Windows CertUtil URLCache Download Ingress Tool Transfer Endpoint_Processes
Windows CertUtil VerifyCtl Download Ingress Tool Transfer Endpoint_Processes
Windows Change Default File Association For No File Ext Change Default File Association, Event Triggered Execution Endpoint
Windows ClipBoard Data via Get-ClipBoard Clipboard Data Endpoint
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell, Command and Scripting Interpreter Endpoint
Windows Command Shell Fetch Env Variables Process Injection Endpoint
Windows Command and Scripting Interpreter Hunting Path Traversal Command and Scripting Interpreter Endpoint
Windows Command and Scripting Interpreter Path Traversal Exec Command and Scripting Interpreter Endpoint
Windows Computer Account Created by Computer Account Steal or Forge Kerberos Tickets Endpoint
Windows Computer Account Requesting Kerberos Ticket Steal or Forge Kerberos Tickets Endpoint
Windows Computer Account With SPN Steal or Forge Kerberos Tickets Endpoint
Windows Create Local Account Local Account, Create Account Endpoint
Windows Credential Dumping LSASS Memory Createdump LSASS Memory Endpoint
Windows Credentials from Password Stores Query Credentials from Password Stores Endpoint
Windows Credentials in Registry Reg Query Credentials in Registry, Unsecured Credentials Endpoint
Windows Curl Download to Suspicious Path Ingress Tool Transfer Endpoint
Windows Curl Upload to Remote Destination Ingress Tool Transfer Endpoint_Processes
Windows Curl Upload to Remote Destination Ingress Tool Transfer Endpoint
Windows DISM Remove Defender Disable or Modify Tools, Impair Defenses Endpoint
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Endpoint
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Endpoint
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking Endpoint
Windows DLL Side-Loading In Calc DLL Side-Loading, Hijack Execution Flow Endpoint
Windows DLL Side-Loading Process Child Of Calc DLL Side-Loading, Hijack Execution Flow Endpoint
Windows Data Destruction Recursive Exec Files Deletion Data Destruction Endpoint
Windows Defacement Modify Transcodedwallpaper File Defacement Endpoint
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses Endpoint
Windows Defender Tools in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Endpoint
Windows Disable Change Password Through Registry Modify Registry Endpoint
Windows Disable Lock Workstation Feature Through Registry Modify Registry Endpoint
Windows Disable LogOff Button Through Registry Modify Registry Endpoint
Windows Disable Memory Crash Dump Data Destruction Endpoint
Windows Disable Notification Center Modify Registry Endpoint
Windows Disable Shutdown Button Through Registry Modify Registry Endpoint
Windows Disable Windows Event Logging Disable HTTP Logging Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components None
Windows Disable Windows Group Policy Features Through Registry Modify Registry Endpoint
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses Endpoint
Windows DiskCryptor Usage Data Encrypted for Impact Endpoint
Windows Diskshadow Proxy Execution System Binary Proxy Execution Endpoint_Processes
Windows Diskshadow Proxy Execution System Binary Proxy Execution Endpoint
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint_Processes
Windows Driver Inventory Exploitation for Privilege Escalation None
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation Endpoint
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Endpoint
Windows Event For Service Disabled Disable or Modify Tools, Impair Defenses Endpoint
Windows Event Log Cleared Indicator Removal, Clear Windows Event Logs None
Windows Event Triggered Image File Execution Options Injection Image File Execution Options Injection None
Windows Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint_Registry
Windows Excessive Disabled Services Event Disable or Modify Tools, Impair Defenses Endpoint
Windows Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell Endpoint_Processes
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution Endpoint
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution Endpoint_Processes
Windows Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Endpoint
Windows File Without Extension In Critical Folder Data Destruction Endpoint
Windows Gather Victim Host Information Camera Hardware, Gather Victim Host Information Endpoint
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information Endpoint
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Endpoint
Windows Get-AdComputer Unconstrained Delegation Discovery Remote System Discovery None
Windows Hidden Schedule Task Settings Scheduled Task/Job Endpoint
Windows Hide Notification Features Through Registry Modify Registry Endpoint
Windows High File Deletion Frequency Data Destruction Endpoint
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow Endpoint
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping None
Windows IIS Components Add New Module Server Software Component, IIS Components Endpoint
Windows IIS Components Get-WebGlobalModule Module Query IIS Components, Server Software Component None
Windows IIS Components Module Failed to Load Server Software Component, IIS Components None
Windows IIS Components New Module Added Server Software Component, IIS Components None
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Endpoint
Windows Identify Protocol Handlers Command and Scripting Interpreter Endpoint
Windows Impair Defense Add Xml Applocker Rules Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Delete Win Defender Context Menu Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Delete Win Defender Profile Registry Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Deny Security Software With Applocker Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defenses Disable Win Defender Auto Logging Disable or Modify Tools, Impair Defenses Endpoint
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Endpoint
Windows Indirect Command Execution Via forfiles Indirect Command Execution Endpoint
Windows Indirect Command Execution Via pcalua Indirect Command Execution Endpoint
Windows Information Discovery Fsutil System Information Discovery Endpoint
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Endpoint
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Endpoint_Processes
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture Endpoint
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint
Windows Java Spawning Shells Exploit Public-Facing Application Endpoint
Windows Kerberos Local Successful Logon Steal or Forge Kerberos Tickets Endpoint
Windows KrbRelayUp Service Creation Windows Service Endpoint
Windows LOLBin Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint_Processes
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery Endpoint
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription Endpoint
Windows MSExchange Management Mailbox Cmdlet Usage Command and Scripting Interpreter, PowerShell None
Windows MSHTA Child Process Mshta, System Binary Proxy Execution Endpoint_Processes
Windows MSHTA Command-Line URL Mshta, System Binary Proxy Execution Endpoint_Processes
Windows MSHTA Inline HTA Execution Mshta, System Binary Proxy Execution Endpoint_Processes
Windows MSIExec DLLRegisterServer Msiexec Endpoint
Windows MSIExec Remote Download Msiexec Endpoint
Windows MSIExec Spawn Discovery Command Msiexec Endpoint
Windows MSIExec Unregister DLLRegisterServer Msiexec Endpoint
Windows MSIExec With Network Connections Msiexec Endpoint
Windows Mail Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Endpoint
Windows Masquerading Explorer As Child Process DLL Side-Loading, Hijack Execution Flow Endpoint
Windows Mimikatz Binary Execution OS Credential Dumping Endpoint
Windows Mimikatz Crypto Export File Extensions Steal or Forge Authentication Certificates Endpoint
Windows Modify Registry Default Icon Setting Modify Registry Endpoint
Windows Modify Registry DisAllow Windows App Modify Registry Endpoint
Windows Modify Registry Disable Toast Notifications Modify Registry Endpoint
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Endpoint
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Endpoint
Windows Modify Registry Disabling WER Settings Modify Registry Endpoint
Windows Modify Registry Qakbot Binary Data Registry Modify Registry Endpoint
Windows Modify Registry Reg Restore Query Registry Endpoint
Windows Modify Registry Regedit Silent Reg Import Modify Registry Endpoint
Windows Modify Registry Suppress Win Defender Notif Modify Registry Endpoint
Windows Modify Show Compress Color And Info Tip Registry Modify Registry Endpoint
Windows Mshta Execution In Registry Mshta Endpoint
Windows Multi hop Proxy TOR Website Query Mail Protocols, Application Layer Protocol Endpoint
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Password Spraying, Brute Force None
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Password Spraying, Brute Force None
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Password Spraying, Brute Force None
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate From Host Using NTLM Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate From Process Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate Using Kerberos Password Spraying, Brute Force None
Windows Multiple Users Remotely Failed To Authenticate From Host Password Spraying, Brute Force None
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Endpoint
Windows NirSoft AdvancedRun Tool Endpoint
Windows NirSoft Utilities Tool Endpoint
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping None
Windows OS Credential Dumping with Ntdsutil Export NTDS NTDS, OS Credential Dumping Endpoint_Processes
Windows OS Credential Dumping with Procdump LSASS Memory, OS Credential Dumping Endpoint_Processes
Windows Odbcconf Hunting Odbcconf Endpoint
Windows Odbcconf Load DLL Odbcconf Endpoint
Windows Odbcconf Load Response File Odbcconf Endpoint
Windows Odbcconf Load Response File Odbcconf, System Binary Proxy Execution Endpoint_Processes
Windows Office Product Spawning MSDT Phishing, Spearphishing Attachment Endpoint
Windows Password Managers Discovery Password Managers Endpoint
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Endpoint
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Endpoint
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping None
Windows PowerShell Add Module to Global Assembly Cache Server Software Component, IIS Components None
Windows PowerShell Disable HTTP Logging Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components None
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser Steal or Forge Kerberos Tickets, AS-REP Roasting Endpoint_Processes
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView Steal or Forge Kerberos Tickets, AS-REP Roasting Endpoint_Processes
Windows PowerShell Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows PowerShell Export PfxCertificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows PowerShell IIS Components WebGlobalModule Usage Server Software Component, IIS Components None
Windows PowerShell Start-BitsTransfer BITS Jobs, Ingress Tool Transfer Endpoint_Processes
Windows PowerView Constrained Delegation Discovery Remote System Discovery None
Windows PowerView Kerberos Service Ticket Request Steal or Forge Kerberos Tickets, Kerberoasting None
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting None
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery None
Windows Powershell Connect to Internet With Hidden Window Automated Exfiltration Endpoint_Processes
Windows Powershell Cryptography Namespace PowerShell, Command and Scripting Interpreter Endpoint
Windows Powershell DownloadFile Automated Exfiltration Endpoint_Processes
Windows Powershell Import Applocker Policy PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses Endpoint
Windows Private Keys Discovery Private Keys, Unsecured Credentials Endpoint
Windows Process Injection Of Wermgr to Known Browser Dynamic-link Library Injection, Process Injection Endpoint
Windows Process Injection Remote Thread Process Injection, Portable Executable Injection Endpoint
Windows Process Injection Wermgr Child Process Process Injection Endpoint
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection None
Windows Process Injection into Notepad Process Injection, Portable Executable Injection None
Windows Process With NamedPipe CommandLine Process Injection Endpoint
Windows Processes Killed By Industroyer2 Malware Service Stop Endpoint
Windows Protocol Tunneling with Plink Protocol Tunneling, SSH Endpoint
Windows Query Registry Reg Save Query Registry Endpoint
Windows Raccine Scheduled Task Deletion Disable or Modify Tools Endpoint
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection Endpoint
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection Endpoint_Processes
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Endpoint
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe Endpoint
Windows Registry Certificate Added Install Root Certificate, Subvert Trust Controls Endpoint
Windows Registry Delete Task SD Scheduled Task, Impair Defenses Endpoint
Windows Registry Modification for Safe Mode Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Windows Regsvr32 Renamed Binary Regsvr32, System Binary Proxy Execution Endpoint
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping Endpoint
Windows Remote Access Software Hunt Remote Access Software Endpoint
Windows Remote Access Software RMS Registry Remote Access Software Endpoint
Windows Remote Assistance Spawning Process Process Injection Endpoint
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Allow Rdp In Firewall Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Allow Remote Assistance Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Rdp Enable Remote Desktop Protocol, Remote Services Endpoint
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities At exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Endpoint_Processes
Windows Replication Through Removable Media Replication Through Removable Media Endpoint
Windows Root Domain linked policies Discovery Domain Account, Account Discovery Endpoint
Windows Rundll32 Comsvcs Memory Dump NTDS, OS Credential Dumping Endpoint_Processes
Windows Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta Endpoint_Processes
Windows Rundll32 WebDAV Request Exfiltration Over Unencrypted Non-C2 Protocol Endpoint
Windows Rundll32 WebDav With Network Connection Exfiltration Over Unencrypted Non-C2 Protocol Endpoint
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task Endpoint
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job Endpoint
Windows Script Host Spawn MSBuild MSBuild, Trusted Developer Utilities Proxy Execution Endpoint_Processes
Windows Security Account Manager Stopped Service Stop Endpoint
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Endpoint
Windows Server Software Component GACUtil Install to GAC Server Software Component, IIS Components Endpoint
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation Endpoint
Windows Service Create SliverC2 System Services, Service Execution None
Windows Service Created Within Public Path Create or Modify System Process, Windows Service None
Windows Service Created with Suspicious Service Path System Services, Service Execution None
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Endpoint
Windows Service Creation on Remote Endpoint Create or Modify System Process, Windows Service Endpoint
Windows Service Deletion In Registry Service Stop Endpoint
Windows Service Initiation on Remote Endpoint Create or Modify System Process, Windows Service Endpoint
Windows Service Stop By Deletion Service Stop Endpoint
Windows Service Stop Via Net and SC Application Service Stop Endpoint
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment, Phishing Endpoint
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment, Phishing Endpoint
Windows Steal Authentication Certificates CS Backup Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates CertUtil Backup Steal or Forge Authentication Certificates Endpoint
Windows Steal Authentication Certificates Certificate Issued Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates Certificate Request Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates CryptoAPI Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates Export Certificate Steal or Forge Authentication Certificates Endpoint
Windows Steal Authentication Certificates Export PfxCertificate Steal or Forge Authentication Certificates Endpoint
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Endpoint
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution Endpoint_Processes
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution Endpoint
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution Endpoint_Processes
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution Endpoint_Processes
Windows System Binary Proxy Execution MSIExec DLLRegisterServer Msiexec Endpoint_Processes
Windows System Binary Proxy Execution MSIExec Remote Download Msiexec Endpoint_Processes
Windows System Binary Proxy Execution MSIExec Unregister DLL Msiexec Endpoint_Processes
Windows System Discovery Using Qwinsta System Owner/User Discovery Endpoint
Windows System Discovery Using ldap Nslookup System Owner/User Discovery Endpoint
Windows System File on Disk Exploitation for Privilege Escalation Endpoint
Windows System LogOff Commandline System Shutdown/Reboot Endpoint
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Endpoint
Windows System Network Connections Discovery Netsh System Network Connections Discovery Endpoint
Windows System Reboot CommandLine System Shutdown/Reboot Endpoint
Windows System Script Proxy Execution Syncappvpublishingserver System Script Proxy Execution, System Binary Proxy Execution Endpoint
Windows System Shutdown CommandLine System Shutdown/Reboot Endpoint
Windows System Time Discovery W32tm Delay System Time Discovery Endpoint
Windows System User Discovery Via Quser System Owner/User Discovery Endpoint
Windows Terminating Lsass Process Disable or Modify Tools, Impair Defenses None
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Password Spraying, Brute Force None
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Authenticate From Process Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Password Spraying, Brute Force None
Windows Unusual Count Of Users Remotely Failed To Auth From Host Password Spraying, Brute Force None
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution Endpoint
Windows Valid Account With Never Expires Password Service Stop Endpoint
Windows Vulnerable Driver Loaded Windows Service None
Windows WMI Impersonate Token Windows Management Instrumentation Endpoint
Windows WMI Process And Service List Windows Management Instrumentation Endpoint
Windows WMI Process Call Create Windows Management Instrumentation Endpoint
Windows WMIPrvse Spawn MSBuild Trusted Developer Utilities Proxy Execution, MSBuild Endpoint_Processes
Winhlp32 Spawning a Process Process Injection Endpoint
Winword Spawning Cmd Phishing, Spearphishing Attachment Endpoint
Winword Spawning PowerShell Phishing, Spearphishing Attachment Endpoint
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment Endpoint
Wmic Group Discovery Permission Groups Discovery, Local Groups Endpoint
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Endpoint
Wmiprsve LOLBAS Execution Process Spawn Windows Management Instrumentation Endpoint
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Endpoint
Wsmprovhost LOLBAS Execution Process Spawn Remote Services, Windows Remote Management Endpoint
XMRIG Driver Loaded Windows Service, Create or Modify System Process Endpoint
XSL Script Execution With WMIC XSL Script Processing Endpoint

Endpoint

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Back to Top ↑

Cloud

Back to Top ↑

Deprecated

Back to Top ↑

Application