Endpoint

| Name | Technique | Datamodel |
|---|---|---|
| 3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | Network_Resolution |
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Endpoint |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | None |
| Account Discovery With Net App | Domain Account, Account Discovery | Endpoint |
| Active Directory Lateral Movement Identified | Exploitation of Remote Services | Risk |
| Active Directory Privilege Escalation Identified | Domain Policy Modification | Risk |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | Endpoint |
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Endpoint |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | Endpoint |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | None |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | Endpoint |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | Endpoint |
| Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | None |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | Endpoint |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | Endpoint |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Endpoint |
| Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | None |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Endpoint |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Endpoint |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | Endpoint |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | Endpoint |
| Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | None |
| Attempt To Disable Services | Service Stop | None |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | Endpoint |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | Endpoint |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | None |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | Endpoint |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | Endpoint |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | None |
| BITS Job Persistence | BITS Jobs | Endpoint |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | Endpoint |
| Batch File Write to System32 | User Execution, Malicious File | Endpoint |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | Endpoint |
| CHCP Command Execution | Command and Scripting Interpreter | Endpoint |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Endpoint |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | Endpoint |
| CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | None |
| CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Endpoint |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | Endpoint |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | Endpoint |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | Endpoint |
| Certutil exe certificate extraction | None | Endpoint |
| Change Default File Association | Change Default File Association, Event Triggered Execution | Endpoint |
| Change To Safe Mode With Network Config | Inhibit System Recovery | Endpoint |
| Check Elevated CMD using whoami | System Owner/User Discovery | Endpoint |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | Endpoint |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | Endpoint |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | None |
| Clop Common Exec Parameter | User Execution | Endpoint |
| Clop Ransomware Known Service Name | Create or Modify System Process | None |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | Endpoint |
| Cobalt Strike Named Pipes | Process Injection | None |
| Common Ransomware Extensions | Data Destruction | Endpoint |
| Common Ransomware Notes | Data Destruction | Endpoint |
| ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | Endpoint |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | None |
| Conti Common Exec parameter | User Execution | Endpoint |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | Endpoint |
| Create Remote Thread In Shell Application | Process Injection | None |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | None |
| Create local admin accounts using net exe | Local Account, Create Account | Endpoint |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | Endpoint |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | Endpoint |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | None |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Curl Download and Bash Execution | Ingress Tool Transfer | Endpoint |
| DLLHost with no Command Line Arguments with Network | Process Injection | Endpoint, Network_Traffic |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | Endpoint |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | None |
| DSQuery Domain Discovery | Domain Trust Discovery | Endpoint |
| Delete A Net User | Account Access Removal | None |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | None |
| Deleting Of Net Users | Account Access Removal | Endpoint |
| Deleting Shadow Copies | Inhibit System Recovery | Endpoint |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | None |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | None |
| Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | None |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | None |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | Endpoint |
| Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | None |
| Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | Endpoint |
| Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | None |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | None |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | None |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | None |
| Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Change |
| Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Change |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | Endpoint |
| Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | Endpoint |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | None |
| Detect New Local Admin account | Local Account, Create Account | None |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | Endpoint |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | Endpoint |
| Detect PowerShell Applications Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Endpoint |
| Detect Prohibited Browsers Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect Prohibited Office Applications Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | Endpoint |
| Detect RClone Command-Line Usage | Automated Exfiltration | Endpoint |
| Detect RClone Command-Line Usage | Automated Exfiltration | None |
| Detect RTLO In File Name | Right-to-Left Override, Masquerading | Endpoint |
| Detect RTLO In Process | Right-to-Left Override, Masquerading | Endpoint |
| Detect Rare Executables | None | Endpoint |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | None |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | None |
| Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | Endpoint |
| Detect Remote Access Software Usage File | Remote Access Software | Endpoint |
| Detect Remote Access Software Usage FileInfo | Remote Access Software | None |
| Detect Remote Access Software Usage Process | Remote Access Software | Endpoint |
| Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Endpoint |
| Detect Renamed PSExec | System Services, Service Execution | Endpoint |
| Detect Renamed RClone | Automated Exfiltration | Endpoint |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Endpoint |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | Endpoint |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | Endpoint |
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | None |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | Endpoint |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | Endpoint |
| Detect mshta renamed | System Binary Proxy Execution, Mshta | Endpoint |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | Endpoint |
| Detect suspicious processnames using pretrained model in DSDL | Command and Scripting Interpreter | Endpoint |
| Detection of tools built by NirSoft | Software Deployment Tools | Endpoint |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | Endpoint |
| Disable Net User Account | Service Stop, Valid Accounts | None |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Security Logs Using MiniNt Registry | Modify Registry | Endpoint |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Endpoint |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Net User Account | Account Access Removal | Endpoint |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Disabling SystemRestore In Registry | Inhibit System Recovery | Endpoint |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | Endpoint |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | Endpoint |
| Domain Account Discovery with Dsquery | Domain Account, Account Discovery | Endpoint |
| Domain Account Discovery with Wmic | Domain Account, Account Discovery | Endpoint |
| Domain Controller Discovery with Nltest | Remote System Discovery | Endpoint |
| Domain Controller Discovery with Wmic | Remote System Discovery | Endpoint |
| Domain Group Discovery With Dsquery | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery with Adsisearcher | Permission Groups Discovery, Domain Groups | None |
| Download Files Using Telegram | Ingress Tool Transfer | None |
| Drop IcedID License dat | User Execution, Malicious File | None |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | Endpoint |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | Endpoint |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | Endpoint |
| Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | Endpoint |
| Elevated Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Endpoint |
| Elevated Group Discovery with PowerView | Permission Groups Discovery, Domain Groups | None |
| Enable RDP In Other Port Number | Remote Services | Endpoint |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | Endpoint |
| Enumerate Users Local Group Using Telegram | Account Discovery | None |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Endpoint |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | Endpoint |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | Endpoint |
| Excessive Attempt To Disable Services | Service Stop | Endpoint |
| Excessive File Deletion In WinDefender Folder | Data Destruction | None |
| Excessive Service Stop Attempt | Service Stop | Endpoint |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Endpoint |
| Excessive Usage Of Net App | Account Access Removal | Endpoint |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | None |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Endpoint |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | None |
| Excessive distinct processes from Windows Temp | Command and Scripting Interpreter | Endpoint |
| Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Endpoint |
| Excessive number of taskhost processes | Command and Scripting Interpreter | Endpoint |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | None |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | None |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | None |
| Executables Or Script Creation In Suspicious Path | Masquerading | Endpoint |
| Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | Endpoint |
| Execution of File with Multiple Extensions | Masquerading, Rename System Utilities | Endpoint |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | Endpoint |
| File with Samsam Extension | None | Endpoint |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Endpoint |
| First Time Seen Child Process of Zoom | Exploitation for Privilege Escalation | Endpoint |
| First Time Seen Running Windows Service | System Services, Service Execution | None |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Fsutil Zeroing File | Indicator Removal | Endpoint |
| Fsutil Zeroing File | Indicator Removal | None |
| GPUpdate with no Command Line Arguments with Network | Process Injection | Endpoint, Network_Traffic |
| Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get ADUser with PowerShell | Domain Account, Account Discovery | Endpoint |
| Get ADUser with PowerShell Script Block | Domain Account, Account Discovery | None |
| Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get DomainPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get DomainPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get DomainUser with PowerShell | Domain Account, Account Discovery | Endpoint |
| Get DomainUser with PowerShell Script Block | Domain Account, Account Discovery | None |
| Get WMIObject Group Discovery | Permission Groups Discovery, Local Groups | Endpoint |
| Get WMIObject Group Discovery with Script Block Logging | Permission Groups Discovery, Local Groups | None |
| Get-DomainTrust with PowerShell | Domain Trust Discovery | Endpoint |
| Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | None |
| Get-ForestTrust with PowerShell | Domain Trust Discovery | Endpoint |
| Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery, PowerShell | None |
| GetAdComputer with PowerShell | Remote System Discovery | Endpoint |
| GetAdComputer with PowerShell Script Block | Remote System Discovery | None |
| GetAdGroup with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetAdGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetCurrent User with PowerShell | System Owner/User Discovery | Endpoint |
| GetCurrent User with PowerShell Script Block | System Owner/User Discovery | None |
| GetDomainComputer with PowerShell | Remote System Discovery | Endpoint |
| GetDomainComputer with PowerShell Script Block | Remote System Discovery | None |
| GetDomainController with PowerShell | Remote System Discovery | Endpoint |
| GetDomainController with PowerShell Script Block | Remote System Discovery | None |
| GetDomainGroup with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetDomainGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetLocalUser with PowerShell | Account Discovery, Local Account | Endpoint |
| GetLocalUser with PowerShell Script Block | Account Discovery, Local Account, PowerShell | None |
| GetNetTcpconnection with PowerShell | System Network Connections Discovery | Endpoint |
| GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | None |
| GetWmiObject DS User with PowerShell | Domain Account, Account Discovery | Endpoint |
| GetWmiObject DS User with PowerShell Script Block | Domain Account, Account Discovery | None |
| GetWmiObject Ds Computer with PowerShell | Remote System Discovery | Endpoint |
| GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | None |
| GetWmiObject Ds Group with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetWmiObject Ds Group with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetWmiObject User Account with PowerShell | Account Discovery, Local Account | Endpoint |
| GetWmiObject User Account with PowerShell Script Block | Account Discovery, Local Account, PowerShell | None |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | None |
| Headless Browser Mockbin or Mocky Request | Hidden Window | Endpoint |
| Headless Browser Usage | Hidden Window | Endpoint |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | Endpoint |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | Endpoint |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | None |
| High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | None |
| High Process Termination Frequency | Data Encrypted for Impact | None |
| Hunting 3CXDesktopApp Software | Compromise Software Supply Chain | Endpoint |
| ICACLS Grant Command | File and Directory Permissions Modification | Endpoint |
| Icacls Deny Command | File and Directory Permissions Modification | Endpoint |
| IcedID Exfiltrated Archived File Creation | Archive via Utility, Archive Collected Data | None |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Interactive Session on Remote Endpoint with PowerShell | Remote Services, Windows Remote Management | None |
| Java Class File download by Java User Agent | Exploit Public-Facing Application | Web |
| Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | Endpoint |
| Jscript Execution Using Cscript App | Command and Scripting Interpreter, JavaScript | Endpoint |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | None |
| Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | Change |
| Kerberos Pre-Authentication Flag Disabled with PowerShell | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | None |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | None |
| Kerberos User Enumeration | Gather Victim Identity Information, Email Addresses | None |
| Known Services Killed by Ransomware | Inhibit System Recovery | None |
| LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | Network_Traffic |
| Linux APT Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux AWK Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Account Manipulation Of SSH Config and Keys | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Endpoint |
| Linux Add User Account | Local Account, Create Account | Endpoint |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Endpoint |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Endpoint |
| Linux At Application Execution | At, Scheduled Task/Job | Endpoint |
| Linux Busybox Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Endpoint |
| Linux Clipboard Data Copy | Clipboard Data | Endpoint |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Endpoint |
| Linux Composer Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Cpulimit Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Csvtool Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Curl Upload File | Ingress Tool Transfer | Endpoint |
| Linux DD File Overwrite | Data Destruction | Endpoint |
| Linux Data Destruction Command | Data Destruction | Endpoint |
| Linux Decode Base64 to Shell | Obfuscated Files or Information, Unix Shell | Endpoint |
| Linux Deleting Critical Directory Using RM Command | Data Destruction | Endpoint |
| Linux Deletion Of Cron Jobs | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Deletion Of Init Daemon Script | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Deletion Of Services | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Deletion of SSL Certificate | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Disable Services | Service Stop | Endpoint |
| Linux Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Docker Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Edit Cron Table Parameter | Cron, Scheduled Task/Job | Endpoint |
| Linux Emacs Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux File Created In Kernel Driver Directory | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Endpoint |
| Linux File Creation In Init Boot Directory | RC Scripts, Boot or Logon Initialization Scripts | Endpoint |
| Linux File Creation In Profile Directory | Unix Shell Configuration Modification, Event Triggered Execution | Endpoint |
| Linux Find Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux GDB Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux GNU Awk Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Gem Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Hardware Addition SwapOff | Hardware Additions | Endpoint |
| Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux High Frequency Of File Deletion In Etc Folder | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Impair Defenses Process Kill | Disable or Modify Tools, Impair Defenses | Endpoint |
| Linux Indicator Removal Clear Cache | Indicator Removal | Endpoint |
| Linux Indicator Removal Service File Deletion | File Deletion, Indicator Removal | Endpoint |
| Linux Ingress Tool Transfer Hunting | Ingress Tool Transfer | Endpoint |
| Linux Ingress Tool Transfer with Curl | Ingress Tool Transfer | Endpoint |
| Linux Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Endpoint |
| Linux Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Endpoint |
| Linux Iptables Firewall Modification | Disable or Modify System Firewall, Impair Defenses | Endpoint |
| Linux Java Spawning Shell | Exploit Public-Facing Application, External Remote Services | Endpoint |
| Linux Kernel Module Enumeration | System Information Discovery, Rootkit | Endpoint |
| Linux Kworker Process In Writable Process Path | Masquerade Task or Service, Masquerading | Endpoint |
| Linux Make Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux MySQL Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux NOPASSWD Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Endpoint |
| Linux Node Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Obfuscated Files or Information Base64 Decode | Obfuscated Files or Information | Endpoint |
| Linux Octave Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux OpenVPN Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux PHP Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Persistence and Privilege Escalation Risk Behavior | Abuse Elevation Control Mechanism | Risk |
| Linux Possible Access Or Modification Of sshd Config File | SSH Authorized Keys, Account Manipulation | Endpoint |
| Linux Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | Endpoint |
| Linux Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Possible Append Command To At Allow Config File | At, Scheduled Task/Job | Endpoint |
| Linux Possible Append Command To Profile Config File | Unix Shell Configuration Modification, Event Triggered Execution | Endpoint |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Cron, Scheduled Task/Job | Endpoint |
| Linux Possible Cronjob Modification With Editor | Cron, Scheduled Task/Job | Endpoint |
| Linux Possible Ssh Key File Creation | SSH Authorized Keys, Account Manipulation | Endpoint |
| Linux Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | Endpoint |
| Linux Proxy Socks Curl | Proxy, Non-Application Layer Protocol | Endpoint |
| Linux Puppet Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux RPM Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Ruby Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux SSH Authorized Keys Modification | SSH Authorized Keys | Endpoint |
| Linux SSH Remote Services Script Execute | SSH | Endpoint |
| Linux Service File Created In Systemd Directory | Systemd Timers, Scheduled Task/Job | Endpoint |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Endpoint |
| Linux Service Started Or Enabled | Systemd Timers, Scheduled Task/Job | Endpoint |
| Linux Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Endpoint |
| Linux Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | Endpoint |
| Linux Shred Overwrite Command | Data Destruction | Endpoint |
| Linux Sqlite3 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall, Impair Defenses | Endpoint |
| Linux Stop Services | Service Stop | Endpoint |
| Linux Sudo OR Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Sudoers Tmp File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux System Network Discovery | System Network Configuration Discovery | Endpoint |
| Linux System Reboot Via System Request Key | System Shutdown/Reboot | Endpoint |
| Linux Unix Shell Enable All SysRq Functions | Unix Shell, Command and Scripting Interpreter | Endpoint |
| Linux Visudo Utility Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux apt-get Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux c89 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux c99 Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux pkexec Privilege Escalation | Exploitation for Privilege Escalation | Endpoint |
| Living Off The Land | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Risk |
| Loading Of Dynwrapx Module | Process Injection, Dynamic-link Library Injection | None |
| Local Account Discovery With Wmic | Account Discovery, Local Account | Endpoint |
| Local Account Discovery with Net | Account Discovery, Local Account | Endpoint |
| Log4Shell CVE-2021-44228 Exploitation | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Risk |
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) Endpoint
MS Exchange Mailbox Replication service writing Active Server Pages Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services Endpoint
MS Scripting Process Loading Ldap Module Command and Scripting Interpreter, JavaScript None
MS Scripting Process Loading WMI Module Command and Scripting Interpreter, JavaScript None
MSBuild Suspicious Spawned By Script Process MSBuild, Trusted Developer Utilities Proxy Execution Endpoint
MSHTML Module Load in Office Product Phishing, Spearphishing Attachment None
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow None
MacOS - Re-opened Applications None Endpoint
MacOS LOLbin Unix Shell, Command and Scripting Interpreter None
MacOS plutil Plist File Modification None
Mailsniper Invoke functions Email Collection, Local Email Collection None
Malicious InProcServer32 Modification Regsvr32, Modify Registry Endpoint
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Endpoint
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell Endpoint
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell Endpoint
Malicious Powershell Executed As A Service System Services, Service Execution None
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket Endpoint
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC Endpoint
Modification Of Wallpaper Defacement None
Modify ACL permission To Files Or Folder File and Directory Permissions Modification Endpoint
Modify ACLs Permission Of Files Or Folders File and Directory Permissions Modification None
Monitor Registry Keys for Print Monitors Port Monitors, Boot or Logon Autostart Execution Endpoint
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta Endpoint
Msmpeng Application DLL Side Loading DLL Side-Loading, Hijack Execution Flow Endpoint
NET Profiler UAC bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
NLTest Domain Trust Discovery Domain Trust Discovery Endpoint
Net Localgroup Discovery Permission Groups Discovery, Local Groups Endpoint
Network Connection Discovery With Arp System Network Connections Discovery Endpoint
Network Connection Discovery With Net System Network Connections Discovery Endpoint
Network Connection Discovery With Netstat System Network Connections Discovery Endpoint
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Endpoint
Network Share Discovery Via Dir Command Network Share Discovery None
Network Traffic to Active Directory Web Services Protocol Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Network_Traffic
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell Endpoint
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers None
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers None
Notepad with no Command Line Arguments Process Injection Endpoint
Ntdsutil Export NTDS NTDS, OS Credential Dumping Endpoint
Office Application Drop Executable Phishing, Spearphishing Attachment Endpoint
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment Endpoint
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment Endpoint
Office Document Creating Schedule Task Phishing, Spearphishing Attachment None
Office Document Executing Macro Code Phishing, Spearphishing Attachment None
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment Endpoint
Office Product Spawn CMD Process Phishing, Spearphishing Attachment Endpoint
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment Endpoint
Office Product Spawning CertUtil Phishing, Spearphishing Attachment Endpoint
Office Product Spawning MSHTA Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment Endpoint
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment None
Office Product Spawning Wmic Phishing, Spearphishing Attachment Endpoint
Office Product Writing cab or inf Phishing, Spearphishing Attachment Endpoint
Office Spawning Control Phishing, Spearphishing Attachment Endpoint
Outbound Network Connection from Java Using Default Ports Exploit Public-Facing Application, External Remote Services Endpoint, Network_Traffic
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features Endpoint
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application, External Remote Services None
Password Policy Discovery with Net Password Policy Discovery Endpoint
Permission Modification using Takeown App File and Directory Permissions Modification Endpoint
PetitPotam Network Share Access Request Forced Authentication None
PetitPotam Suspicious Kerberos TGT Request OS Credential Dumping None
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Endpoint
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Endpoint
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC Endpoint
Potential password in username Local Accounts, Credentials In Files Authentication
Potentially malicious code on commandline Windows Command Shell Endpoint
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Endpoint
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell None
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell None
PowerShell Enable PowerShell Remoting PowerShell, Command and Scripting Interpreter None
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Endpoint
PowerShell Invoke CIMMethod CIMSession Windows Management Instrumentation None
PowerShell Invoke WmiExec Usage Windows Management Instrumentation None
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell None
PowerShell Script Block With URL Chain PowerShell, Ingress Tool Transfer None
PowerShell Start or Stop Service PowerShell None
PowerShell Start-BitsTransfer BITS Jobs Endpoint
PowerShell WebRequest Using Memory Stream PowerShell, Ingress Tool Transfer, Fileless Storage None
Powershell COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell None
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools, PowerShell None
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses Endpoint
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools None
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution, PowerShell None
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell None
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell None
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups None
Powershell Load Module in Meterpreter Command and Scripting Interpreter, PowerShell None
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell None
Powershell Remote Services Add TrustedHost Windows Remote Management, Remote Services None
Powershell Remote Thread To Known Windows Process Process Injection None
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses None
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter None
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses None
Prevent Automatic Repair Mode using Bcdedit Inhibit System Recovery Endpoint
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution Endpoint
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution None
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution None
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link Endpoint
Process Deleting Its Process File Path Indicator Removal None
Process Execution via WMI Windows Management Instrumentation Endpoint
Process Kill Base On File Path Disable or Modify Tools, Impair Defenses Endpoint
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Endpoint
Processes Tapping Keyboard Events None None
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Endpoint
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task None
Randomly Generated Windows Service Name Create or Modify System Process, Windows Service None
Ransomware Notes bulk creation Data Encrypted for Impact None
Recon AVProduct Through Pwh or WMI Gather Victim Host Information None
Recon Using WMI Class Gather Victim Host Information, PowerShell None
Recursive Delete of Directory In Batch CMD File Deletion, Indicator Removal Endpoint
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow Endpoint
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution Endpoint
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution Endpoint
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Endpoint
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Endpoint
Remcos RAT File Creation in Remcos Folder Screen Capture Endpoint
Remcos client registry install entry Modify Registry Endpoint
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Endpoint
Remote Process Instantiation via DCOM and PowerShell Remote Services, Distributed Component Object Model Endpoint
Remote Process Instantiation via DCOM and PowerShell Script Block Remote Services, Distributed Component Object Model None
Remote Process Instantiation via WMI Windows Management Instrumentation Endpoint
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation Endpoint
Remote Process Instantiation via WMI and PowerShell Script Block Windows Management Instrumentation None
Remote Process Instantiation via WinRM and PowerShell Remote Services, Windows Remote Management Endpoint
Remote Process Instantiation via WinRM and PowerShell Script Block Remote Services, Windows Remote Management None
Remote Process Instantiation via WinRM and Winrs Remote Services, Windows Remote Management Endpoint
Remote System Discovery with Adsisearcher Remote System Discovery None
Remote System Discovery with Dsquery Remote System Discovery Endpoint
Remote System Discovery with Net Remote System Discovery Endpoint
Remote System Discovery with Wmic Remote System Discovery Endpoint
Remote WMI Command Attempt Windows Management Instrumentation Endpoint
Resize ShadowStorage volume Inhibit System Recovery Endpoint
Resize Shadowstorage Volume Service Stop None
Revil Common Exec Parameter User Execution Endpoint
Revil Registry Entry Modify Registry Endpoint
Rubeus Command Line Parameters Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting Endpoint
Rubeus Kerberos Ticket Exports Through Winlogon Access Use Alternate Authentication Material, Pass the Ticket None
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 Endpoint
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Endpoint
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Create Remote Thread To A Process Process Injection None
Rundll32 CreateRemoteThread In Browser Process Injection None
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 None
Rundll32 LockWorkStation System Binary Proxy Execution, Rundll32 Endpoint
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 None
Rundll32 Shimcache Flush Modify Registry Endpoint
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 Endpoint, Network_Traffic
Ryuk Test Files Detected Data Encrypted for Impact Endpoint
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell Endpoint
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping None
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Samsam Test File Write Data Encrypted for Impact Endpoint
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process Endpoint
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery None
Schedule Task with HTTP Command Arguments Scheduled Task/Job None
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job None
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At Endpoint
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job Endpoint
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task Endpoint
Schtasks Run Task On Demand Scheduled Task/Job Endpoint
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job Endpoint
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job Endpoint
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver Endpoint
Script Execution via WMI Windows Management Instrumentation Endpoint
Sdclt UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal Endpoint
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal None
SearchProtocolHost with no Command Line with Network Process Injection Endpoint, Network_Traffic
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping Endpoint
ServicePrincipalNames Discovery with PowerShell Kerberoasting None
ServicePrincipalNames Discovery with SetSPN Kerberoasting Endpoint
Services Escalate Exe Abuse Elevation Control Mechanism Endpoint
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service Endpoint
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell Endpoint
Shim Database File Creation Application Shimming, Event Triggered Execution Endpoint
Shim Database Installation With Suspicious Parameters Application Shimming, Event Triggered Execution Endpoint
Short Lived Scheduled Task Scheduled Task None
Short Lived Windows Accounts Local Account, Create Account Change
SilentCleanup UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Single Letter Process On Endpoint User Execution, Malicious File Endpoint
Spike in File Writes None Endpoint
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution Endpoint
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution None
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation None
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution Endpoint
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution None
Sqlite Module In Temp Folder Data from Local System None
Steal or Forge Authentication Certificates Behavior Identified Steal or Forge Authentication Certificates Risk
Sunburst Correlation DLL and Network Event Exploitation for Client Execution None
Suspicious Computer Account Name Change Valid Accounts, Domain Accounts None
Suspicious Copy on System32 Rename System Utilities, Masquerading Endpoint
Suspicious Curl Network Connection Ingress Tool Transfer Endpoint
Suspicious DLLHost no Command Line Arguments Process Injection Endpoint
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process None
Suspicious Event Log Service Behavior Indicator Removal, Clear Windows Event Logs None
Suspicious GPUpdate no Command Line Arguments Process Injection Endpoint
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Image Creation In Appdata Folder Screen Capture Endpoint
Suspicious Kerberos Service Ticket Request Valid Accounts, Domain Accounts None
Suspicious Linux Discovery Commands Unix Shell Endpoint
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Endpoint
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild Endpoint
Suspicious PlistBuddy Usage Launch Agent, Create or Modify System Process Endpoint
Suspicious PlistBuddy Usage via OSquery Launch Agent, Create or Modify System Process None
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter None
Suspicious Process Executed From Container File Malicious File, Masquerade File Type Endpoint
Suspicious Process File Path Create or Modify System Process Endpoint
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter None
Suspicious Reg exe Process Modify Registry Endpoint
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 Endpoint
Suspicious Rundll32 PluginInit System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 Endpoint
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 Endpoint
Suspicious SQLite3 LSQuarantine Behavior Data Staged Endpoint
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Endpoint
Suspicious SearchProtocolHost no Command Line Arguments Process Injection Endpoint
Suspicious Ticket Granting Ticket Request Valid Accounts, Domain Accounts None
Suspicious WAV file in Appdata Folder Screen Capture Endpoint
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Endpoint
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution Endpoint
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Endpoint
Suspicious mshta child process System Binary Proxy Execution, Mshta Endpoint
Suspicious mshta spawn System Binary Proxy Execution, Mshta Endpoint
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal Endpoint
Suspicious writes to windows Recycle Bin Masquerading Endpoint
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task Endpoint
System Info Gathering Using Dxdiag Application Gather Victim Host Information Endpoint
System Information Discovery Detection System Information Discovery Endpoint
System Process Running from Unexpected Location Masquerading None
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Endpoint
System User Discovery With Query System Owner/User Discovery Endpoint
System User Discovery With Whoami System Owner/User Discovery Endpoint
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution Endpoint
Trickbot Named Pipe Process Injection None
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control, Abuse Elevation Control Mechanism, MMC None
UAC Bypass With Colorui COM Object System Binary Proxy Execution, CMSTP None
USN Journal Deletion Indicator Removal Endpoint
Uninstall App Using MsiExec Msiexec, System Binary Proxy Execution Endpoint
Unknown Process Using The Kerberos Protocol Use Alternate Authentication Material Endpoint, Network_Traffic
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses Endpoint
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter None
Unusual Number of Computer Service Tickets Requested Valid Accounts None
Unusual Number of Kerberos Service Tickets Requested Steal or Forge Kerberos Tickets, Kerberoasting None
Unusual Number of Remote Endpoint Authentication Events Valid Accounts None
Unusually Long Command Line None Endpoint
Unusually Long Command Line - MLTK None Endpoint
User Discovery With Env Vars PowerShell System Owner/User Discovery Endpoint
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery None
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter Endpoint
Verclsid CLSID Execution Verclsid, System Binary Proxy Execution Endpoint
W3WP Spawning Shell Server Software Component, Web Shell Endpoint
WBAdmin Delete System Backups Inhibit System Recovery Endpoint
WBAdmin Delete System Backups Inhibit System Recovery None
WMI Permanent Event Subscription Windows Management Instrumentation None
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution None
WMI Recon Running Process Or Services Gather Victim Host Information None
WMI Temporary Event Subscription Windows Management Instrumentation None
WMIC XSL Execution via URL XSL Script Processing Endpoint
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Endpoint
Wbemprox COM Object Execution System Binary Proxy Execution, CMSTP None
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses None
Wermgr Process Create Executable File Obfuscated Files or Information None
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter Endpoint
WevtUtil Usage To Clear Logs Indicator Removal, Clear Windows Event Logs None
Wevtutil Usage To Disable Logs Indicator Removal, Clear Windows Event Logs None
Wget Download and Bash Execution Ingress Tool Transfer Endpoint
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job None
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job None
WinEvent Windows Task Scheduler Event Action Started Scheduled Task None
WinRAR Spawning Shell Application Ingress Tool Transfer Endpoint
WinRM Spawning a Process Exploit Public-Facing Application Endpoint
Windows AD Abnormal Object Access Activity Account Discovery, Domain Account None
Windows AD AdminSDHolder ACL Modified Event Triggered Execution None
Windows AD Cross Domain SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD DSRM Account Changes Account Manipulation Endpoint
Windows AD DSRM Password Reset Account Manipulation Change
Windows AD Domain Controller Audit Policy Disabled Disable or Modify Tools Change
Windows AD Domain Controller Promotion Rogue Domain Controller None
Windows AD Domain Replication ACL Addition Domain Policy Modification Change
Windows AD Privileged Account SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD Privileged Object Access Activity Account Discovery, Domain Account None
Windows AD Replication Request Initiated by User Account DCSync, OS Credential Dumping Authentication, Change
Windows AD Replication Request Initiated from Unsanctioned Location DCSync, OS Credential Dumping Authentication, Change
Windows AD SID History Attribute Modified Access Token Manipulation, SID-History Injection None
Windows AD Same Domain SID History Addition SID-History Injection, Access Token Manipulation None
Windows AD ServicePrincipalName Added To Domain Account Account Manipulation None
Windows AD Short Lived Domain Account ServicePrincipalName Account Manipulation None
Windows AD Short Lived Domain Controller SPN Attribute Rogue Domain Controller None
Windows AD Short Lived Server Object Rogue Domain Controller None
Windows Abused Web Services Web Service None
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation None
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation None
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation None
Windows Account Discovery With NetUser PreauthNotRequire Account Discovery None
Windows Account Discovery for None Disable User Account Account Discovery, Local Account None
Windows Account Discovery for Sam Account Name Account Discovery None
Windows AdFind Exe Remote System Discovery Endpoint
Windows Admin Permission Discovery Local Groups Endpoint
Windows Administrative Shares Accessed On Multiple Hosts Network Share Discovery None
Windows Admon Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification None
Windows Admon Group Policy Object Created Domain Policy Modification, Group Policy Modification None
Windows Alternate DataStream - Base64 Content Hide Artifacts, NTFS File Attributes None
Windows Alternate DataStream - Executable Content Hide Artifacts, NTFS File Attributes None
Windows Alternate DataStream - Process Execution Hide Artifacts, NTFS File Attributes Endpoint
Windows Apache Benchmark Binary Command and Scripting Interpreter Endpoint
Windows App Layer Protocol Qakbot NamedPipe Application Layer Protocol None
Windows App Layer Protocol Wermgr Connect To NamedPipe Application Layer Protocol None
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Application Layer Protocol None
Windows Archive Collected Data via Powershell Archive Collected Data None
Windows Archive Collected Data via Rar Archive via Utility, Archive Collected Data Endpoint
Windows AutoIt3 Execution Command and Scripting Interpreter Endpoint
Windows Autostart Execution LSASS Driver Registry Modification LSASS Driver Endpoint
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution Endpoint
Windows Bits Job Persistence BITS Jobs None
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer None
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Windows BootLoader Inventory System Firmware, Pre-OS Boot None
Windows Bypass UAC via Pkgmgr Tool Bypass User Account Control Endpoint
Windows CAB File on Disk Spearphishing Attachment Endpoint
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution Endpoint
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution None
Windows Cached Domain Credentials Reg Query Cached Domain Credentials, OS Credential Dumping Endpoint
Windows CertUtil Decode File Deobfuscate/Decode Files or Information None
Windows CertUtil URLCache Download Ingress Tool Transfer None
Windows CertUtil VerifyCtl Download Ingress Tool Transfer None
Windows Change Default File Association For No File Ext Change Default File Association, Event Triggered Execution Endpoint
Windows ClipBoard Data via Get-ClipBoard Clipboard Data None
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell, Command and Scripting Interpreter Endpoint
Windows Command Shell Fetch Env Variables Process Injection Endpoint
Windows Command and Scripting Interpreter Hunting Path Traversal Command and Scripting Interpreter Endpoint
Windows Command and Scripting Interpreter Path Traversal Exec Command and Scripting Interpreter Endpoint
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Risk
Windows Computer Account Created by Computer Account Steal or Forge Kerberos Tickets None
Windows Computer Account Requesting Kerberos Ticket Steal or Forge Kerberos Tickets None
Windows Computer Account With SPN Steal or Forge Kerberos Tickets Change
Windows ConHost with Headless Argument Hidden Window, Run Virtual Instance Endpoint
Windows Create Local Account Local Account, Create Account Change
Windows Credential Access From Browser Password Store Query Registry None
Windows Credential Dumping LSASS Memory Createdump LSASS Memory Endpoint
Windows Credentials from Password Stores Chrome Extension Access Query Registry None
Windows Credentials from Password Stores Chrome LocalState Access Query Registry None
Windows Credentials from Password Stores Chrome Login Data Access Query Registry None
Windows Credentials from Password Stores Creation Credentials from Password Stores Endpoint
Windows Credentials from Password Stores Deletion Credentials from Password Stores Endpoint
Windows Credentials from Password Stores Query Credentials from Password Stores Endpoint
Windows Credentials in Registry Reg Query Credentials in Registry, Unsecured Credentials Endpoint
Windows Curl Download to Suspicious Path Ingress Tool Transfer Endpoint
Windows Curl Upload to Remote Destination Ingress Tool Transfer Endpoint
Windows Curl Upload to Remote Destination Ingress Tool Transfer None
Windows DISM Remove Defender Disable or Modify Tools, Impair Defenses Endpoint
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Endpoint
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow None
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking Endpoint
Windows DLL Side-Loading In Calc DLL Side-Loading, Hijack Execution Flow None
Windows DLL Side-Loading Process Child Of Calc DLL Side-Loading, Hijack Execution Flow Endpoint
Windows DNS Gather Network Info DNS Endpoint
Windows Data Destruction Recursive Exec Files Deletion Data Destruction None
Windows Defacement Modify Transcodedwallpaper File Defacement Endpoint
Windows Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification None
Windows Default Group Policy Object Modified with GPME Domain Policy Modification, Group Policy Modification Endpoint
Windows Default Group Policy Object Modified with GPME Domain Policy Modification, Group Policy Modification None
Windows Defender ASR Audit Events Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link None
Windows Defender ASR Block Events Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link None
Windows Defender ASR Registry Modification Modify Registry None
Windows Defender ASR Rule Disabled Modify Registry None
Windows Defender ASR Rules Stacking Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter None
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses Endpoint
Windows Defender Tools in Non Standard Path Masquerading, Rename System Utilities None
Windows Delete or Modify System Firewall Impair Defenses, Disable or Modify System Firewall Endpoint
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Endpoint
Windows Disable Change Password Through Registry Modify Registry Change, Endpoint
Windows Disable Lock Workstation Feature Through Registry Modify Registry Endpoint
Windows Disable LogOff Button Through Registry Modify Registry Endpoint
Windows Disable Memory Crash Dump Data Destruction Endpoint
Windows Disable Notification Center Modify Registry Endpoint
Windows Disable Shutdown Button Through Registry Modify Registry Endpoint
Windows Disable Windows Event Logging Disable HTTP Logging Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components Endpoint
Windows Disable Windows Group Policy Features Through Registry Modify Registry Endpoint
Windows Disable or Modify Tools Via Taskkill Impair Defenses, Disable or Modify Tools Endpoint
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses Endpoint
Windows DiskCryptor Usage Data Encrypted for Impact Endpoint
Windows Diskshadow Proxy Execution System Binary Proxy Execution Endpoint
Windows Diskshadow Proxy Execution System Binary Proxy Execution None
Windows DnsAdmins New Member Added Account Manipulation None
Windows Domain Account Discovery Via Get-NetComputer Account Discovery, Domain Account None
Windows Domain Admin Impersonation Indicator Steal or Forge Kerberos Tickets None
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil None
Windows Driver Inventory Exploitation for Privilege Escalation None
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation None
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation None
Windows Enable Win32 ScheduledJob via Registry Scheduled Task Endpoint
Windows Event For Service Disabled Disable or Modify Tools, Impair Defenses None
Windows Event Log Cleared Indicator Removal, Clear Windows Event Logs None
Windows Event Triggered Image File Execution Options Injection Image File Execution Options Injection None
Windows Excessive Disabled Services Event Disable or Modify Tools, Impair Defenses None
Windows Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell None
Windows Executable in Loaded Modules Shared Modules None
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution Endpoint
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution None
Windows Exfiltration Over C2 Via Invoke RestMethod Exfiltration Over C2 Channel None
Windows Exfiltration Over C2 Via Powershell UploadString Exfiltration Over C2 Channel None
Windows Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows File Share Discovery With Powerview Network Share Discovery None
Windows File Share Discovery With Powerview Unsecured Credentials, Group Policy Preferences None
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol None
Windows File Without Extension In Critical Folder Data Destruction Endpoint
Windows Files and Dirs Access Rights Modification Via Icacls Windows File and Directory Permissions Modification, File and Directory Permissions Modification Endpoint
Windows Find Domain Organizational Units with GetDomainOU Account Discovery, Domain Account None
Windows Find Interesting ACL with FindInterestingDomainAcl Account Discovery, Domain Account None
Windows Findstr GPP Discovery Unsecured Credentials, Group Policy Preferences Endpoint
Windows Findstr GPP Discovery Unsecured Credentials, Group Policy Preferences None
Windows Forest Discovery with GetForestDomain Account Discovery, Domain Account None
Windows Gather Victim Host Information Camera Hardware, Gather Victim Host Information None
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information None
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information None
Windows Get Local Admin with FindLocalAdminAccess Account Discovery, Domain Account None
Windows Get-AdComputer Unconstrained Delegation Discovery Remote System Discovery None
Windows Group Policy Object Created Domain Policy Modification, Group Policy Modification, Domain Accounts None
Windows Hidden Schedule Task Settings Scheduled Task/Job None
Windows Hide Notification Features Through Registry Modify Registry Endpoint
Windows High File Deletion Frequency Data Destruction None
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow None
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping None
Windows IIS Components Add New Module Server Software Component, IIS Components Endpoint
Windows IIS Components Get-WebGlobalModule Module Query IIS Components, Server Software Component None
Windows IIS Components Module Failed to Load Server Software Component, IIS Components None
Windows IIS Components New Module Added Server Software Component, IIS Components None
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Endpoint
Windows Identify Protocol Handlers Command and Scripting Interpreter Endpoint
Windows Impair Defense Add Xml Applocker Rules Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Change Win Defender Health Check Intervals Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Change Win Defender Quick Scan Interval Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Change Win Defender Throttle Rate Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Change Win Defender Tracing Level Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Configure App Install Control Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Define Win Defender Threat Action Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Delete Win Defender Context Menu Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Delete Win Defender Profile Registry Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Deny Security Software With Applocker Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Controlled Folder Access Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Defender Firewall And Network Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Defender Protocol Recognition Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable PUA Protection Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Realtime Signature Delivery Disable or Modify Tools, Impair Defenses Endpoint, Updates
Windows Impair Defense Disable Web Evaluation Disable or Modify Tools, Impair Defenses Endpoint, Web
Windows Impair Defense Disable Win Defender App Guard Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Win Defender Compute File Hashes Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Win Defender Gen reports Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Win Defender Network Protection Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Win Defender Report Infection Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Disable Win Defender Scan On Update Disable or Modify Tools, Impair Defenses Endpoint, Updates
Windows Impair Defense Disable Win Defender Signature Retirement Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Overide Win Defender Phishing Filter Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Override SmartScreen Prompt Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defenses Disable HVCI Disable or Modify Tools, Impair Defenses Endpoint
Windows Impair Defenses Disable Win Defender Auto Logging Disable or Modify Tools, Impair Defenses Endpoint
Windows Indicator Removal Via Rmdir Indicator Removal Endpoint
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Endpoint
Windows Indirect Command Execution Via forfiles Indirect Command Execution Endpoint
Windows Indirect Command Execution Via pcalua Indirect Command Execution Endpoint
Windows Information Discovery Fsutil System Information Discovery Endpoint
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Endpoint
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer None
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture None
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution None
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution Endpoint, Network_Traffic
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution Endpoint
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution Endpoint, Network_Traffic
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Endpoint
Windows Java Spawning Shells Exploit Public-Facing Application, External Remote Services Endpoint
Windows Kerberos Local Successful Logon Steal or Forge Kerberos Tickets Authentication
Windows Known Abused DLL Created DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow Endpoint
Windows Known GraphicalProton Loaded Modules DLL Side-Loading, Hijack Execution Flow None
Windows KrbRelayUp Service Creation Windows Service None
Windows LOLBin Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil None
Windows LSA Secrets NoLMhash Registry LSA Secrets Endpoint
Windows Large Number of Computer Service Tickets Requested Network Share Discovery, Valid Accounts None
Windows Lateral Tool Transfer RemCom Lateral Tool Transfer Endpoint
Windows Ldifde Directory Object Behavior Ingress Tool Transfer, Domain Groups Endpoint
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery None
Windows Local Administrator Credential Stuffing Brute Force, Credential Stuffing None
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription Endpoint
Windows MOVEit Transfer Writing ASPX Exploit Public-Facing Application, External Remote Services Endpoint
Windows MSExchange Management Mailbox Cmdlet Usage Command and Scripting Interpreter, PowerShell None
Windows MSHTA Child Process Mshta, System Binary Proxy Execution None
Windows MSHTA Command-Line URL Mshta, System Binary Proxy Execution None
Windows MSHTA Inline HTA Execution Mshta, System Binary Proxy Execution None
Windows MSIExec DLLRegisterServer Msiexec Endpoint
Windows MSIExec Remote Download Msiexec Endpoint
Windows MSIExec Spawn Discovery Command Msiexec Endpoint
Windows MSIExec Spawn WinDBG Msiexec Endpoint
Windows MSIExec Unregister DLLRegisterServer Msiexec Endpoint
Windows MSIExec With Network Connections Msiexec Endpoint, Network_Traffic
Windows Mail Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol None
Windows Mark Of The Web Bypass Mark-of-the-Web Bypass None
Windows Masquerading Explorer As Child Process DLL Side-Loading, Hijack Execution Flow Endpoint
Windows Masquerading Msdtc Process Masquerading Endpoint
Windows Mimikatz Binary Execution OS Credential Dumping Endpoint
Windows Mimikatz Crypto Export File Extensions Steal or Forge Authentication Certificates Endpoint
Windows Modify Registry AuthenticationLevelOverride Modify Registry Authentication, Endpoint
Windows Modify Registry Auto Minor Updates Modify Registry Endpoint, Updates
Windows Modify Registry Auto Update Notif Modify Registry Endpoint
Windows Modify Registry Default Icon Setting Modify Registry Endpoint
Windows Modify Registry DisAllow Windows App Modify Registry Endpoint
Windows Modify Registry Disable Restricted Admin Modify Registry Endpoint
Windows Modify Registry Disable Toast Notifications Modify Registry Endpoint
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Endpoint
Windows Modify Registry Disable WinDefender Notifications Modify Registry Endpoint
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Endpoint
Windows Modify Registry DisableRemoteDesktopAntiAlias Modify Registry Endpoint
Windows Modify Registry DisableSecuritySettings Modify Registry Endpoint
Windows Modify Registry Disabling WER Settings Modify Registry Endpoint
Windows Modify Registry Do Not Connect To Win Update Modify Registry Endpoint
Windows Modify Registry DontShowUI Modify Registry Endpoint
Windows Modify Registry EnableLinkedConnections Modify Registry Endpoint
Windows Modify Registry LongPathsEnabled Modify Registry Endpoint
Windows Modify Registry MaxConnectionPerServer Modify Registry Endpoint
Windows Modify Registry No Auto Reboot With Logon User Modify Registry Endpoint
Windows Modify Registry No Auto Update Modify Registry Endpoint
Windows Modify Registry NoChangingWallPaper Modify Registry Endpoint
Windows Modify Registry ProxyEnable Modify Registry Endpoint
Windows Modify Registry ProxyServer Modify Registry Endpoint
Windows Modify Registry Qakbot Binary Data Registry Modify Registry Endpoint
Windows Modify Registry Reg Restore Query Registry Endpoint
Windows Modify Registry Regedit Silent Reg Import Modify Registry Endpoint
Windows Modify Registry Risk Behavior Modify Registry Risk
Windows Modify Registry Suppress Win Defender Notif Modify Registry Endpoint
Windows Modify Registry Tamper Protection Modify Registry Endpoint
Windows Modify Registry USeWuServer Modify Registry Endpoint
Windows Modify Registry UpdateServiceUrlAlternate Modify Registry Endpoint
Windows Modify Registry With MD5 Reg Key Name Modify Registry Endpoint
Windows Modify Registry WuServer Modify Registry Endpoint
Windows Modify Registry wuStatusServer Modify Registry Endpoint
Windows Modify Show Compress Color And Info Tip Registry Modify Registry Endpoint
Windows Modify System Firewall with Notable Process Path Disable or Modify System Firewall, Impair Defenses Endpoint
Windows Mshta Execution In Registry Mshta Endpoint
Windows MsiExec HideWindow Rundll32 Execution Msiexec, System Binary Proxy Execution Endpoint
Windows Multi hop Proxy TOR Website Query Mail Protocols, Application Layer Protocol None
Windows Multiple Account Passwords Changed Account Manipulation, Valid Accounts None
Windows Multiple Accounts Deleted Account Manipulation, Valid Accounts None
Windows Multiple Accounts Disabled Account Manipulation, Valid Accounts None
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Password Spraying, Brute Force None
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Password Spraying, Brute Force None
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Password Spraying, Brute Force None
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate From Host Using NTLM Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate From Process Password Spraying, Brute Force None
Windows Multiple Users Failed To Authenticate Using Kerberos Password Spraying, Brute Force None
Windows Multiple Users Remotely Failed To Authenticate From Host Password Spraying, Brute Force None
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Endpoint
Windows NirSoft AdvancedRun Tool Endpoint
Windows NirSoft Utilities Tool Endpoint
Windows Njrat Fileless Storage via Registry Fileless Storage, Obfuscated Files or Information Endpoint
Windows Non Discord App Access Discord LevelDB Query Registry None
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping None
Windows OS Credential Dumping with Ntdsutil Export NTDS NTDS, OS Credential Dumping None
Windows OS Credential Dumping with Procdump LSASS Memory, OS Credential Dumping None
Windows Odbcconf Hunting Odbcconf Endpoint
Windows Odbcconf Load DLL Odbcconf Endpoint
Windows Odbcconf Load Response File Odbcconf Endpoint
Windows Odbcconf Load Response File Odbcconf, System Binary Proxy Execution None
Windows Office Product Spawning MSDT Phishing, Spearphishing Attachment Endpoint
Windows PaperCut NG Spawn Shell Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services Endpoint
Windows Parent PID Spoofing with Explorer Parent PID Spoofing, Access Token Manipulation Endpoint
Windows Password Managers Discovery Password Managers Endpoint
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Endpoint
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Endpoint
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping None
Windows Post Exploitation Risk Behavior Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials Risk
Windows PowerShell Add Module to Global Assembly Cache Server Software Component, IIS Components None
Windows PowerShell Disable HTTP Logging Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components Web
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser Steal or Forge Kerberos Tickets, AS-REP Roasting None
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView Steal or Forge Kerberos Tickets, AS-REP Roasting None
Windows PowerShell Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows PowerShell Export PfxCertificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates None
Windows PowerShell Get CIMInstance Remote Computer PowerShell None
Windows PowerShell IIS Components WebGlobalModule Usage Server Software Component, IIS Components Web
Windows PowerShell ScheduleTask Scheduled Task, PowerShell, Command and Scripting Interpreter None
Windows PowerShell Start-BitsTransfer BITS Jobs, Ingress Tool Transfer None
Windows PowerShell WMI Win32 ScheduledJob PowerShell, Command and Scripting Interpreter None
Windows PowerSploit GPP Discovery Unsecured Credentials, Group Policy Preferences None
Windows PowerView AD Access Control List Enumeration Domain Accounts, Permission Groups Discovery None
Windows PowerView Constrained Delegation Discovery Remote System Discovery None
Windows PowerView Kerberos Service Ticket Request Steal or Forge Kerberos Tickets, Kerberoasting None
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting None
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery None
Windows Powershell Connect to Internet With Hidden Window Automated Exfiltration None
Windows Powershell Cryptography Namespace PowerShell, Command and Scripting Interpreter None
Windows Powershell DownloadFile Automated Exfiltration None
Windows Powershell Import Applocker Policy PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses None
Windows Powershell RemoteSigned File PowerShell, Command and Scripting Interpreter Endpoint
Windows Private Keys Discovery Private Keys, Unsecured Credentials Endpoint
Windows Privilege Escalation Suspicious Process Elevation Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation Endpoint
Windows Privilege Escalation System Process Without System Parent Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation None
Windows Privilege Escalation User Process Spawn System Process Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation Endpoint
Windows Process Commandline Discovery Process Discovery Endpoint
Windows Process Injection In Non-Service SearchIndexer Process Injection Endpoint
Windows Process Injection Of Wermgr to Known Browser Dynamic-link Library Injection, Process Injection None
Windows Process Injection Remote Thread Process Injection, Portable Executable Injection None
Windows Process Injection Wermgr Child Process Process Injection Endpoint
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection None
Windows Process Injection into Notepad Process Injection, Portable Executable Injection None
Windows Process With NamedPipe CommandLine Process Injection Endpoint
Windows Processes Killed By Industroyer2 Malware Service Stop None
Windows Protocol Tunneling with Plink Protocol Tunneling, SSH Endpoint
Windows Proxy Via Netsh Internal Proxy, Proxy Endpoint
Windows Proxy Via Registry Internal Proxy, Proxy Endpoint
Windows Query Registry Browser List Application Query Registry None
Windows Query Registry Reg Save Query Registry Endpoint
Windows Query Registry UnInstall Program List Query Registry None
Windows RDP Connection Successful RDP Hijacking None
Windows Raccine Scheduled Task Deletion Disable or Modify Tools Endpoint
Windows Rapid Authentication On Multiple Hosts Security Account Manager None
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection Endpoint
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection None
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe None
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe None
Windows Registry BootExecute Modification Pre-OS Boot, Registry Run Keys / Startup Folder Endpoint
Windows Registry Certificate Added Install Root Certificate, Subvert Trust Controls Endpoint
Windows Registry Delete Task SD Scheduled Task, Impair Defenses Endpoint
Windows Registry Modification for Safe Mode Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Endpoint
Windows Registry Payload Injection Obfuscated Files or Information, Fileless Storage Endpoint
Windows Registry SIP Provider Modification SIP and Trust Provider Hijacking Endpoint
Windows Regsvr32 Renamed Binary Regsvr32, System Binary Proxy Execution Endpoint
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping None
Windows Remote Access Software Hunt Remote Access Software Endpoint
Windows Remote Access Software RMS Registry Remote Access Software Endpoint
Windows Remote Assistance Spawning Process Process Injection Endpoint
Windows Remote Create Service Create or Modify System Process, Windows Service Endpoint
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Allow Rdp In Firewall Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Allow Remote Assistance Remote Desktop Protocol, Remote Services Endpoint
Windows Remote Services Rdp Enable Remote Desktop Protocol, Remote Services Endpoint
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities At exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities None
Windows Replication Through Removable Media Replication Through Removable Media Endpoint
Windows Root Domain linked policies Discovery Domain Account, Account Discovery None
Windows Rundll32 Apply User Settings Changes System Binary Proxy Execution, Rundll32 Endpoint
Windows Rundll32 Comsvcs Memory Dump NTDS, OS Credential Dumping None
Windows Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta None
Windows Rundll32 WebDAV Request Exfiltration Over Unencrypted Non-C2 Protocol Endpoint
Windows Rundll32 WebDav With Network Connection Exfiltration Over Unencrypted Non-C2 Protocol Endpoint, Network_Traffic
Windows SIP Provider Inventory SIP and Trust Provider Hijacking None
Windows SIP WinVerifyTrust Failed Trust Validation SIP and Trust Provider Hijacking None
Windows SOAPHound Binary Execution Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Endpoint
Windows SQL Spawning CertUtil Ingress Tool Transfer Endpoint
Windows Scheduled Task Created Via XML Scheduled Task, Scheduled Task/Job Endpoint
Windows Scheduled Task Service Spawned Shell Scheduled Task, Command and Scripting Interpreter Endpoint
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task Endpoint
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job Endpoint
Windows Screen Capture Via Powershell Screen Capture None
Windows Script Host Spawn MSBuild MSBuild, Trusted Developer Utilities Proxy Execution None
Windows Security Account Manager Stopped Service Stop Endpoint
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Endpoint
Windows Server Software Component GACUtil Install to GAC Server Software Component, IIS Components Endpoint
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation Endpoint
Windows Service Create RemComSvc Windows Service, Create or Modify System Process None
Windows Service Create SliverC2 System Services, Service Execution None
Windows Service Create with Tscon RDP Hijacking, Remote Service Session Hijacking, Windows Service Endpoint
Windows Service Created Within Public Path Create or Modify System Process, Windows Service None
Windows Service Created with Suspicious Service Path System Services, Service Execution None
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Endpoint
Windows Service Creation on Remote Endpoint Create or Modify System Process, Windows Service Endpoint
Windows Service Deletion In Registry Service Stop Endpoint
Windows Service Initiation on Remote Endpoint Create or Modify System Process, Windows Service Endpoint
Windows Service Stop By Deletion Service Stop Endpoint
Windows Service Stop Via Net and SC Application Service Stop Endpoint
Windows Service Stop Win Updates Service Stop None
Windows Snake Malware File Modification Crmlog Obfuscated Files or Information Endpoint
Windows Snake Malware Kernel Driver Comadmin Kernel Modules and Extensions Endpoint
Windows Snake Malware Registry Modification wav OpenWithProgIds Modify Registry Endpoint
Windows Snake Malware Service Create Kernel Modules and Extensions, Service Execution None
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment, Phishing None
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment, Phishing Endpoint
Windows Special Privileged Logon On Multiple Hosts Account Discovery, SMB/Windows Admin Shares, Network Share Discovery None
Windows Steal Authentication Certificates - ESC1 Abuse Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates - ESC1 Authentication Steal or Forge Authentication Certificates, Use Alternate Authentication Material None
Windows Steal Authentication Certificates CS Backup Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates CertUtil Backup Steal or Forge Authentication Certificates Endpoint
Windows Steal Authentication Certificates Certificate Issued Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates Certificate Request Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates CryptoAPI Steal or Forge Authentication Certificates None
Windows Steal Authentication Certificates Export Certificate Steal or Forge Authentication Certificates Endpoint
Windows Steal Authentication Certificates Export PfxCertificate Steal or Forge Authentication Certificates Endpoint
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Endpoint
Windows Suspect Process With Authentication Traffic Account Discovery, Domain Account, User Execution, Malicious File Network_Traffic
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution Endpoint
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution None
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution None
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution None
Windows System Binary Proxy Execution MSIExec DLLRegisterServer Msiexec None
Windows System Binary Proxy Execution MSIExec Remote Download Msiexec None
Windows System Binary Proxy Execution MSIExec Unregister DLL Msiexec None
Windows System Discovery Using Qwinsta System Owner/User Discovery Endpoint
Windows System Discovery Using ldap Nslookup System Owner/User Discovery Endpoint
Windows System File on Disk Exploitation for Privilege Escalation Endpoint
Windows System LogOff Commandline System Shutdown/Reboot Endpoint
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Endpoint
Windows System Network Connections Discovery Netsh System Network Connections Discovery Endpoint
Windows System Reboot CommandLine System Shutdown/Reboot Endpoint
Windows System Script Proxy Execution Syncappvpublishingserver System Script Proxy Execution, System Binary Proxy Execution Endpoint
Windows System Shutdown CommandLine System Shutdown/Reboot Endpoint
Windows System Time Discovery W32tm Delay System Time Discovery Endpoint
Windows System User Discovery Via Quser System Owner/User Discovery Endpoint
Windows System User Privilege Discovery System Owner/User Discovery Endpoint
Windows Terminating Lsass Process Disable or Modify Tools, Impair Defenses None
Windows Time Based Evasion Virtualization/Sandbox Evasion, Time Based Evasion Endpoint
Windows Time Based Evasion via Choice Exec Time Based Evasion, Virtualization/Sandbox Evasion Endpoint
Windows UAC Bypass Suspicious Child Process Abuse Elevation Control Mechanism, Bypass User Account Control Endpoint
Windows UAC Bypass Suspicious Escalation Behavior Abuse Elevation Control Mechanism, Bypass User Account Control Endpoint
Windows Unsecured Outlook Credentials Access In Registry Unsecured Credentials None
Windows Unsigned DLL Side-Loading DLL Side-Loading None
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Password Spraying, Brute Force None
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Authenticate From Process Password Spraying, Brute Force None
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Password Spraying, Brute Force None
Windows Unusual Count Of Users Remotely Failed To Auth From Host Password Spraying, Brute Force None
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution Endpoint
Windows Valid Account With Never Expires Password Service Stop Endpoint
Windows Vulnerable 3CX Software Compromise Software Supply Chain None
Windows Vulnerable Driver Loaded Windows Service None
Windows WMI Impersonate Token Windows Management Instrumentation None
Windows WMI Process And Service List Windows Management Instrumentation Endpoint
Windows WMI Process Call Create Windows Management Instrumentation Endpoint
Windows WMIPrvse Spawn MSBuild Trusted Developer Utilities Proxy Execution, MSBuild None
Windows WinDBG Spawning AutoIt3 Command and Scripting Interpreter Endpoint
Windows WinLogon with Public Network Connection Bootkit Endpoint, Network_Traffic
Winhlp32 Spawning a Process Process Injection Endpoint
Winword Spawning Cmd Phishing, Spearphishing Attachment Endpoint
Winword Spawning PowerShell Phishing, Spearphishing Attachment Endpoint
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment Endpoint
Wmic Group Discovery Permission Groups Discovery, Local Groups Endpoint
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Endpoint
Wmiprsve LOLBAS Execution Process Spawn Windows Management Instrumentation Endpoint
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation Endpoint
Wsmprovhost LOLBAS Execution Process Spawn Remote Services, Windows Remote Management Endpoint
XMRIG Driver Loaded Windows Service, Create or Modify System Process None
XSL Script Execution With WMIC XSL Script Processing Endpoint

Endpoint

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Windows Post Exploitation Risk Behavior

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Cloud

Deprecated

Application

Web

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
