Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Endpoint
Endpoint
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Windows Java Spawning Shells
Exploit Public-Facing Application
Suspicious DLLHost no Command Line Arguments
Process Injection
Windows Service Create SliverC2
System Services, Service Execution
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Document Creating Schedule Task
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
MSHTML Module Load in Office Product
Phishing, Spearphishing Attachment
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Connect To None MS Office Domain
Spearphishing Attachment, Phishing
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Office Spawning Control
Phishing, Spearphishing Attachment
Windows Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Hardware Addition SwapOff
Hardware Additions
Linux Data Destruction Command
Data Destruction
Windows Steal Authentication Certificates CryptoAPI
Steal or Forge Authentication Certificates
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates CS Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Issued
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Certificate Request
Steal or Forge Authentication Certificates
Windows Driver Inventory
Exploitation for Privilege Escalation
Windows Data Destruction Recursive Exec Files Deletion
Data Destruction
Windows PowerShell Export PfxCertificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows PowerShell Export Certificate
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows Powershell Cryptography Namespace
PowerShell, Command and Scripting Interpreter
Windows AD Domain Controller Promotion
Rogue Domain Controller
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Suspicious Process File Path
Create or Modify System Process
Office Document Executing Macro Code
Phishing, Spearphishing Attachment
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using a pretrained model in DSDL
Command and Scripting Interpreter
Windows PowerShell Add Module to Global Assembly Cache
Server Software Component, IIS Components
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Replication Through Removable Media
Replication Through Removable Media
Windows Modify Registry Default Icon Setting
Modify Registry
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Batch File Write to System32
User Execution, Malicious File
Windows PowerShell IIS Components WebGlobalModule Usage
Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows IIS Components Module Failed to Load
Server Software Component, IIS Components
Windows IIS Components Get-WebGlobalModule Module Query
IIS Components, Server Software Component
Windows IIS Components New Module Added
Server Software Component, IIS Components
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows Query Registry Reg Save
Query Registry
Windows Vulnerable Driver Loaded
Windows Service
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows ClipBoard Data via Get-ClipBoard
Clipboard Data
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Service Stop Via Net and SC Application
Service Stop
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Powershell Load Module in Meterpreter
Command and Scripting Interpreter, PowerShell
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Windows MSExchange Management Mailbox Cmdlet Usage
Command and Scripting Interpreter, PowerShell
Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows AD Short Lived Domain Account ServicePrincipalName
Account Manipulation
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD ServicePrincipalName Added To Domain Account
Account Manipulation
Windows AD Replication Request Initiated from Unsanctioned Location
DCSync, OS Credential Dumping
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows Mimikatz Binary Execution
OS Credential Dumping
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Remote Process Instantiation via WMI and PowerShell Script Block
Windows Management Instrumentation
Windows AD AdminSDHolder ACL Modified
Event Triggered Execution
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Disabling SystemRestore In Registry
Inhibit System Recovery
Remcos client registry install entry
Modify Registry
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Revil Registry Entry
Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Windows Disable LogOff Button Through Registry
Modify Registry
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Enable RDP In Other Port Number
Remote Services
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Disable Shutdown Button Through Registry
Modify Registry
Windows Service Created with Suspicious Service Path
System Services, Service Execution
Disable Security Logs Using MiniNt Registry
Modify Registry
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows Disable Notification Center
Modify Registry
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
AdsiSearcher Account Discovery
Domain Account, Account Discovery
Get DomainUser with PowerShell Script Block
Domain Account, Account Discovery
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Common Ransomware Extensions
Data Destruction
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows App Layer Protocol Qakbot NamedPipe
Application Layer Protocol
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows App Layer Protocol Wermgr Connect To NamedPipe
Application Layer Protocol
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows WMI Impersonate Token
Windows Management Instrumentation
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows AD Short Lived Server Object
Rogue Domain Controller
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Recon Using WMI Class
Gather Victim Host Information, PowerShell
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Windows Create Local Account
Local Account, Create Account
Unified Messaging Service Spawning a Process
Exploit Public-Facing Application
Exchange PowerShell Abuse via SSRF
Exploit Public-Facing Application
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application
Powershell COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Remotely Failed To Auth From Host
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Auth Using Kerberos
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
Password Spraying, Brute Force
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
Password Spraying, Brute Force
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Windows Mail Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Multi hop Proxy TOR Website Query
Mail Protocols, Application Layer Protocol
Windows File Transfer Protocol In Non-Common Process Path
Mail Protocols, Application Layer Protocol
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
High Process Termination Frequency
Data Encrypted for Impact
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Get ADUser with PowerShell Script Block
Domain Account, Account Discovery
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Log4Shell CVE-2021-44228 Exploitation
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Living Off The Land
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter
Windows Event Triggered Image File Execution Options Injection
Image File Execution Options Injection
Windows AD DSRM Password Reset
Account Manipulation
Windows AD Replication Request Initiated by User Account
DCSync, OS Credential Dumping
Windows AD DSRM Account Changes
Account Manipulation
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Windows Possible Credential Dumping
LSASS Memory, OS Credential Dumping
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Service Deletion In Registry
Service Stop
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Gather Victim Identity SAM Info
Credentials, Gather Victim Identity Information
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Remote Access Software BRC4 Loaded Dll
Remote Access Software, OS Credential Dumping
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Input Capture Using Credential UI Dll
GUI Input Capture, Input Capture
Windows Remote Access Software Hunt
Remote Access Software
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows Non-System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows Gather Victim Host Information Camera
Hardware, Gather Victim Host Information
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Windows System Shutdown CommandLine
System Shutdown/Reboot
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Remote System Discovery with Adsisearcher
Remote System Discovery
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
Application Layer Protocol
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Windows PowerView SPN Discovery
Steal or Forge Kerberos Tickets, Kerberoasting
Windows PowerView Kerberos Service Ticket Request
Steal or Forge Kerberos Tickets, Kerberoasting
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Windows Gather Victim Network Info Through Ip Check Web Services
IP Addresses, Gather Victim Network Information
Windows Service Stop By Deletion
Service Stop
Windows MSIExec Remote Download
Msiexec
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Java Writing JSP File
Exploit Public-Facing Application
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Excessive Usage of NSLOOKUP App
Exfiltration Over Alternative Protocol
Wermgr Process Connecting To IP Check Web Services
Gather Victim Network Information, IP Addresses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Suspicious Process With Discord DNS Query
Visual Basic, Command and Scripting Interpreter
MacOS plutil
Plist File Modification
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Windows System File on Disk
Exploitation for Privilege Escalation
Cobalt Strike Named Pipes
Process Injection
Potential password in username
Local Accounts, Credentials In Files
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetWmiObject DS User with PowerShell Script Block
Domain Account, Account Discovery
GetDomainComputer with PowerShell Script Block
Remote System Discovery
Windows KrbRelayUp Service Creation
Windows Service
PowerShell 4104 Hunting
Command and Scripting Interpreter, PowerShell
WMI Recon Running Process Or Services
Gather Victim Host Information
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
GetAdComputer with PowerShell Script Block
Remote System Discovery
Mailsniper Invoke functions
Email Collection, Local Email Collection
Get DomainPolicy with Powershell Script Block
Password Policy Discovery
Get-DomainTrust with PowerShell Script Block
Domain Trust Discovery
PowerShell Loading DotNET into Memory via Reflection
Command and Scripting Interpreter, PowerShell
Get ADUserResultantPasswordPolicy with Powershell Script Block
Password Policy Discovery
GetWmiObject Ds Group with PowerShell Script Block
Permission Groups Discovery, Domain Groups
GetDomainController with PowerShell Script Block
Remote System Discovery
GetWmiObject User Account with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Delete ShadowCopy With PowerShell
Inhibit System Recovery
GetWmiObject Ds Computer with PowerShell Script Block
Remote System Discovery
GetDomainGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Windows Computer Account With SPN
Steal or Forge Kerberos Tickets
Windows Computer Account Requesting Kerberos Ticket
Steal or Forge Kerberos Tickets
Windows Computer Account Created by Computer Account
Steal or Forge Kerberos Tickets
Windows Kerberos Local Successful Logon
Steal or Forge Kerberos Tickets
Powershell Get LocalGroup Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Windows Hidden Schedule Task Settings
Scheduled Task/Job
Windows Root Domain linked policies Discovery
Domain Account, Account Discovery
Windows Linked Policies In ADSI Discovery
Domain Account, Account Discovery
Linux Disable Services
Service Stop
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Windows Processes Killed By Industroyer2 Malware
Service Stop
Linux Stop Services
Service Stop
Linux Shred Overwrite Command
Data Destruction
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Linux Deleting Critical Directory Using RM Command
Data Destruction
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Detect mshta renamed
System Binary Proxy Execution, Mshta
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
GetNetTcpconnection with PowerShell Script Block
System Network Connections Discovery
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows PowerView Constrained Delegation Discovery
Remote System Discovery
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
Windows PowerView Unconstrained Delegation Discovery
Remote System Discovery
Windows Get-AdComputer Unconstrained Delegation Discovery
Remote System Discovery
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
System Process Running from Unexpected Location
Masquerading
Remote Process Instantiation via DCOM and PowerShell Script Block
Remote Services, Distributed Component Object Model
GetAdGroup with PowerShell Script Block
Permission Groups Discovery, Domain Groups
Powershell Using memory As Backing Store
PowerShell, Command and Scripting Interpreter
Interactive Session on Remote Endpoint with PowerShell
Remote Services, Windows Remote Management
GetCurrent User with PowerShell Script Block
System Owner/User Discovery
Remote Process Instantiation via WinRM and PowerShell Script Block
Remote Services, Windows Remote Management
User Discovery With Env Vars PowerShell Script Block
System Owner/User Discovery
Get WMIObject Group Discovery with Script Block Logging
Permission Groups Discovery, Local Groups
Powershell Execute COM Object
Component Object Model Hijacking, Event Triggered Execution, PowerShell
Kerberos Pre-Authentication Flag Disabled with PowerShell
Steal or Forge Kerberos Tickets, AS-REP Roasting
GetLocalUser with PowerShell Script Block
Account Discovery, Local Account, PowerShell
Recon AVProduct Through Pwh or WMI
Gather Victim Host Information
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
Password Policy Discovery
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Delete A Net User
Account Access Removal
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
SearchProtocolHost with no Command Line with Network
Process Injection
Kerberos Service Ticket Request Using RC4 Encryption
Steal or Forge Kerberos Tickets, Golden Ticket
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Kerberos User Enumeration
Gather Victim Identity Information, Email Addresses
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
MacOS LOLbin
Unix Shell, Command and Scripting Interpreter
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
ServicePrincipalNames Discovery with PowerShell
Kerberoasting
PowerShell Domain Enumeration
Command and Scripting Interpreter, PowerShell
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Windows Raw Access To Disk Volume Partition
Disk Structure Wipe, Disk Wipe
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Windows Disable Memory Crash Dump
Data Destruction
Windows File Without Extension In Critical Folder
Data Destruction
Powershell Processing Stream Of Data
Command and Scripting Interpreter, PowerShell
Detect Empire with PowerShell Script Block Logging
Command and Scripting Interpreter, PowerShell
Detect Mimikatz With PowerShell Script Block Logging
OS Credential Dumping, PowerShell
Get-ForestTrust with PowerShell Script Block
Domain Trust Discovery, PowerShell
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows Process With NamedPipe CommandLine
Process Injection
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows WMI Process Call Create
Windows Management Instrumentation
Process Deleting Its Process File Path
Indicator Removal
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Windows Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Raw Access To Master Boot Record Drive
Disk Structure Wipe, Disk Wipe
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bits Job Persistence
BITS Jobs
Linux DD File Overwrite
Data Destruction
Linux System Network Discovery
System Network Configuration Discovery
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
Kerberoasting spn request with RC4 encryption
Steal or Forge Kerberos Tickets, Kerberoasting
Unusual Number of Kerberos Service Tickets Requested
Steal or Forge Kerberos Tickets, Kerberoasting
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Excessive File Deletion In WinDefender Folder
Data Destruction
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Suspicious Process DNS Query Known Abuse Web Services
Visual Basic, Command and Scripting Interpreter
Potentially malicious code on commandline
Windows Command Shell
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Windows Hunting System Account Targeting Lsass
LSASS Memory, OS Credential Dumping
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Hunting for Log4Shell
Exploit Public-Facing Application
Java Class File download by Java User Agent
Exploit Public-Facing Application
Linux Java Spawning Shell
Exploit Public-Facing Application
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Fsutil Zeroing File
Indicator Removal
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Suspicious Linux Discovery Commands
Unix Shell
Detect RClone Command-Line Usage
Automated Exfiltration
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Short Lived Scheduled Task
Scheduled Task
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Resize Shadowstorage Volume
Service Stop
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Randomly Generated Scheduled Task Name
Scheduled Task/Job, Scheduled Task
Detect RClone Command-Line Usage
Automated Exfiltration
Randomly Generated Windows Service Name
Create or Modify System Process, Windows Service
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Windows Service Created Within Public Path
Create or Modify System Process, Windows Service
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Executable File Written in Administrative SMB Share
Remote Services, SMB/Windows Admin Shares
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
High Frequency Copy Of Files In Network Share
Transfer Data to Cloud Account
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Remote Process Instantiation via WMI
Windows Management Instrumentation
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Windows AdFind Exe
Remote System Discovery
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
WinEvent Windows Task Scheduler Event Action Started
Scheduled Task
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Executables Or Script Creation In Suspicious Path
Masquerading
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Winhlp32 Spawning a Process
Process Injection
Suspicious Copy on System32
Rename System Utilities, Masquerading
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Change Default File Association
Change Default File Association, Event Triggered Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Non Firefox Process Access Firefox Profile Dir
Credentials from Password Stores, Credentials from Web Browsers
Check Elevated CMD using whoami
System Owner/User Discovery
Non Chrome Process Accessing Chrome Default Dir
Credentials from Password Stores, Credentials from Web Browsers
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
System User Discovery With Whoami
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
MS Scripting Process Loading WMI Module
Command and Scripting Interpreter, JavaScript
User Discovery With Env Vars PowerShell
System Owner/User Discovery
MS Scripting Process Loading Ldap Module
Command and Scripting Interpreter, JavaScript
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Network Connection Discovery With Netstat
System Network Connections Discovery
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Create local admin accounts using net exe
Local Account, Create Account
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
SchCache Change By App Connect And Create ADSI Object
Domain Account, Account Discovery
System Information Discovery Detection
System Information Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Get-ForestTrust with PowerShell
Domain Trust Discovery
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
Domain Controller Discovery with Wmic
Remote System Discovery
PetitPotam Suspicious Kerberos TGT Request
OS Credential Dumping
Remote System Discovery with Dsquery
Remote System Discovery
PetitPotam Network Share Access Request
Forced Authentication
Remote System Discovery with Net
Remote System Discovery
Domain Controller Discovery with Nltest
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery with PowerView
Permission Groups Discovery, Domain Groups
Domain Group Discovery with Adsisearcher
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get DomainUser with PowerShell
Domain Account, Account Discovery
Domain Account Discovery With Net App
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
Get ADUser with PowerShell
Domain Account, Account Discovery
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
GetLocalUser with PowerShell
Account Discovery, Local Account
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Sqlite Module In Temp Folder
Data from Local System
Drop IcedID License dat
User Execution, Malicious File
IcedID Exfiltrated Archived File Creation
Archive via Utility, Archive Collected Data
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
SAM Database File Access Attempt
Security Account Manager, OS Credential Dumping
Detect Copy of ShadowCopy with Script Block Logging
Security Account Manager, OS Credential Dumping
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Loaded Modules
Print Processors, Boot or Logon Autostart Execution
Spoolsv Suspicious Process Access
Exploitation for Privilege Escalation
Spoolsv Writing a DLL - Sysmon
Print Processors, Boot or Logon Autostart Execution
Print Spooler Adding A Printer Driver
Print Processors, Boot or Logon Autostart Execution
Print Spooler Failed to Load a Plug-in
Print Processors, Boot or Logon Autostart Execution
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive Usage Of SC Service Utility
System Services, Service Execution
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Detect WMI Event Subscription Persistence
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Excessive number of taskhost processes
Command and Scripting Interpreter
Known Services Killed by Ransomware
Inhibit System Recovery
Modification Of Wallpaper
Defacement
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
WinRM Spawning a Process
Exploit Public-Facing Application
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Allow Inbound Traffic In Firewall Rule
Remote Desktop Protocol, Remote Services
Services Escalate Exe
Abuse Elevation Control Mechanism
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Schtasks Run Task On Demand
Scheduled Task/Job
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Enumerate Users Local Group Using Telegram
Account Discovery
Download Files Using Telegram
Ingress Tool Transfer
Excessive Usage Of Net App
Account Access Removal
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
ICACLS Grant Command
File and Directory Permissions Modification
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Deleting Of Net Users
Account Access Removal
Suspicious Driver Loaded Path
Windows Service, Create or Modify System Process
Icacls Deny Command
File and Directory Permissions Modification
XMRIG Driver Loaded
Windows Service, Create or Modify System Process
Trickbot Named Pipe
Process Injection
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
Wermgr Process Create Executable File
Obfuscated Files or Information
Schedule Task with Rundll32 Command Trigger
Scheduled Task/Job
Schedule Task with HTTP Command Arguments
Scheduled Task/Job
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
Password Spraying, Brute Force
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
Password Spraying, Brute Force
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
Password Spraying, Brute Force
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Process
Password Spraying, Brute Force
Windows Multiple Users Remotely Failed To Authenticate From Host
Password Spraying, Brute Force
Windows Multiple Users Failed To Authenticate From Host Using NTLM
Password Spraying, Brute Force
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
WinEvent Scheduled Task Created to Spawn Shell
Scheduled Task, Scheduled Task/Job
WinEvent Scheduled Task Created Within Public Path
Scheduled Task, Scheduled Task/Job
Windows Multiple Users Failed To Authenticate Using Kerberos
Password Spraying, Brute Force
Malicious Powershell Executed As A Service
System Services, Service Execution
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Clop Common Exec Parameter
User Execution
Clop Ransomware Known Service Name
Create or Modify System Process
Windows High File Deletion Frequency
Data Destruction
Ransomware Notes bulk creation
Data Encrypted for Impact
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
W3WP Spawning Shell
Server Software Component, Web Shell
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious PlistBuddy Usage via OSquery
Launch Agent, Create or Modify System Process
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Detect Baron Samedit CVE-2021-3156 Segfault
Exploitation for Privilege Escalation
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Detect Baron Samedit CVE-2021-3156 via OSQuery
Exploitation for Privilege Escalation
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Baron Samedit CVE-2021-3156
Exploitation for Privilege Escalation
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
Suspicious mshta child process
System Binary Proxy Execution, Mshta
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Sunburst Correlation DLL and Network Event
Exploitation for Client Execution
WMI Permanent Event Subscription - Sysmon
Windows Management Instrumentation Event Subscription, Event Triggered Execution
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows Security Account Manager Stopped
Service Stop
Ryuk Test Files Detected
Data Encrypted for Impact
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Computer Changed with Anonymous Account
Exploitation of Remote Services
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious Reg exe Process
Modify Registry
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
First Time Seen Running Windows Service
System Services, Service Execution
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Detection of tools built by NirSoft
Software Deployment Tools
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Detect New Local Admin account
Local Account, Create Account
Short Lived Windows Accounts
Local Account, Create Account
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Script Execution via WMI
Windows Management Instrumentation
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Process Execution via WMI
Windows Management Instrumentation
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Creation of lsass Dump with Taskmgr
LSASS Memory, OS Credential Dumping
Creation of Shadow Copy
NTDS, OS Credential Dumping
Access LSASS Memory for Dump Creation
LSASS Memory, OS Credential Dumping
Create Remote Thread into LSASS
LSASS Memory, OS Credential Dumping
Detect Credential Dumping through LSASS access
LSASS Memory, OS Credential Dumping
Detect Mimikatz Using Loaded Images
LSASS Memory, OS Credential Dumping
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal
Remote WMI Command Attempt
Windows Management Instrumentation
WMI Permanent Event Subscription
Windows Management Instrumentation
WMI Temporary Event Subscription
Windows Management Instrumentation
Cloud
AWS Concurrent Sessions From Different Ips
Browser Session Hijacking
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications From Ip
Brute Force, Password Spraying, Credential Stuffing
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS High Number Of Failed Authentications For User
Password Policy Discovery
AWS Password Policy Changes
Password Policy Discovery
Azure AD Successful Authentication From Different Ips
Brute Force, Password Guessing, Password Spraying
Azure AD Concurrent Sessions From Different Ips
Browser Session Hijacking
Azure AD High Number Of Failed Authentications From Ip
Brute Force, Password Guessing, Password Spraying
Azure AD High Number Of Failed Authentications For User
Brute Force, Password Guessing
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
AWS Detect Users with KMS keys performing encryption S3
Data Encrypted for Impact
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Console Login Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Multiple Users Failing To Authenticate From Ip
Brute Force, Password Spraying, Credential Stuffing
AWS Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD User ImmutableId Attribute Updated
Account Manipulation
Azure AD Service Principal Owner Added
Account Manipulation
Azure AD Privileged Role Assigned
Account Manipulation, Additional Cloud Roles
Azure AD User Enabled And Password Reset
Account Manipulation
AWS ECR Container Scanning Findings Low Informational Unknown
Malicious Image, User Execution
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Automation Runbook Created
Create Account, Cloud Account
Azure AD External Guest User Invited
Cloud Account
Azure Automation Account Created
Create Account, Cloud Account
Azure AD Service Principal Created
Cloud Account
Azure AD Service Principal New Client Credentials
Account Manipulation, Additional Cloud Credentials
Azure AD Global Administrator Role Assigned
Additional Cloud Roles
AWS Credential Access GetPasswordData
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
AWS Credential Access Failed Login
Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing
AWS Credential Access RDS Password reset
Compromise Accounts, Cloud Accounts, Brute Force
AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable Cloud Logs
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Multiple Users Failing To Authenticate From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
AWS Defense Evasion Stop Logging Cloudtrail
Disable Cloud Logs, Impair Defenses
Azure AD Unusual Number of Failed Authentications From Ip
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing
Azure Active Directory High Risk Sign-in
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying
AWS ECR Container Scanning Findings High
Malicious Image, User Execution
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Detect AWS Console Login by New User
Compromise Accounts, Cloud Accounts, Unsecured Credentials
GitHub Actions Disable Security Workflow
Compromise Software Supply Chain, Supply Chain Compromise
AWS UpdateLoginProfile
Cloud Account, Create Account
AWS CreateAccessKey
Cloud Account, Create Account
AWS Lambda UpdateFunctionCode
User Execution
O365 Excessive Authentication Failures Alert
Brute Force
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
O365 Added Service Principal
Cloud Account, Create Account
AWS IAM AccessDenied Discovery Events
Cloud Infrastructure Discovery
Gdrive suspicious file sharing
Phishing
Gsuite suspicious calendar invite
Phishing
Correlation by Repository and Risk
Malicious Image, User Execution
Correlation by User and Risk
Malicious Image, User Execution
Circle CI Disable Security Job
Compromise Client Software Binary
Github Commit In Develop
Trusted Relationship
GitHub Pull Request from Unknown User
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Circle CI Disable Security Step
Compromise Client Software Binary
GitHub Dependabot Alert
Compromise Software Dependencies and Development Tools, Supply Chain Compromise
Kubernetes Scanner Image Pulling
Cloud Service Discovery
Kubernetes Nginx Ingress RFI
Exploitation for Credential Access
Gsuite Email With Known Abuse Web Service Link
Spearphishing Attachment, Phishing
Gsuite Suspicious Shared File Name
Spearphishing Attachment, Phishing
Github Commit Changes In Master
Trusted Relationship
Kubernetes Nginx Ingress LFI
Exploitation for Credential Access
AWS ECR Container Upload Outside Business Hours
Malicious Image, User Execution
Gsuite Email Suspicious Subject With Attachment
Spearphishing Attachment, Phishing
AWS ECR Container Upload Unknown User
Malicious Image, User Execution
Gsuite Outbound Email With Attachment To External Domain
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol
AWS ECR Container Scanning Findings Medium
Malicious Image, User Execution
Gsuite Drive Share In External Email
Exfiltration to Cloud Storage, Exfiltration Over Web Service
GSuite Email Suspicious Attachment
Spearphishing Attachment, Phishing
Detect shared ec2 snapshot
Transfer Data to Cloud Account
Detect New Open S3 Buckets over AWS CLI
Data from Cloud Storage
Detect New Open S3 buckets
Data from Cloud Storage
AWS CreateLoginProfile
Cloud Account, Create Account
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
AWS Excessive Security Scanning
Cloud Service Discovery
AWS IAM Assume Role Policy Brute Force
Cloud Infrastructure Discovery, Brute Force
AWS IAM Delete Policy
Account Manipulation
AWS IAM Failure Group Deletion
Account Manipulation
AWS IAM Successful Group Deletion
Cloud Groups, Account Manipulation, Permission Groups Discovery
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
O365 New Federated Domain Added
Cloud Account, Create Account
AWS SAML Access by Provider User and Principal
Valid Accounts
O365 Add App Role Assignment Grant User
Cloud Account, Create Account
O365 Excessive SSO logon errors
Modify Authentication Process
AWS SAML Update identity provider
Valid Accounts
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Detect Users creating keys with encrypt policy without MFA
Data Encrypted for Impact
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
O365 Suspicious User Email Forwarding
Email Forwarding Rule, Email Collection
O365 Suspicious Admin Email Forwarding
Email Forwarding Rule, Email Collection
High Number of Login Failures from a single source
Password Guessing, Brute Force
O365 PST export alert
Email Collection
O365 Suspicious Rights Delegation
Remote Email Collection, Email Collection
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Detect GCP Storage access from a new IP
Data from Cloud Storage
Detect New Open GCP Storage Buckets
Data from Cloud Storage
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
GCP Kubernetes cluster pod scan detection
Cloud Service Discovery
Amazon EKS Kubernetes Pod scan detection
Cloud Service Discovery
Amazon EKS Kubernetes cluster scan detection
Cloud Service Discovery
Detect Spike in S3 Bucket deletion
Data from Cloud Storage
Detect S3 access from a new IP
Data from Cloud Storage
Deprecated
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detection of DNS Tunnels
Exfiltration Over Unencrypted Non-C2 Protocol
Dump LSASS via procdump Rename
LSASS Memory
Suspicious Powershell Command-Line Arguments
PowerShell
Processes created by netsh
Disable or Modify System Firewall
Execution of File With Spaces Before Extension
Rename System Utilities
Windows connhost exe started forcefully
Windows Command Shell
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
gcp detect oauth token abuse
Valid Accounts
Suspicious writes to System Volume Information
Masquerading
Suspicious Email - UBA Anomaly
Phishing
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
First time seen command line argument
PowerShell, Windows Command Shell
Abnormally High AWS Instances Terminated by User
Cloud Accounts
Clients Connecting to Multiple DNS Servers
Exfiltration Over Unencrypted Non-C2 Protocol
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
Detect DNS requests to Phishing Sites leveraging EvilGinx2
Spearphishing via Service
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Detect web traffic to dynamic domain providers
Web Protocols
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
Detect Long DNS TXT Record Response
Exfiltration Over Unencrypted Non-C2 Protocol
Kubernetes Azure scan fingerprint
Cloud Service Discovery
GCP Kubernetes cluster scan detection
Cloud Service Discovery
Unsigned Image Loaded by LSASS
LSASS Memory
Detect Mimikatz Via PowerShell And EventCode 4703
LSASS Memory
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Web Fraud - Account Harvesting
Create Account
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Identify New User Accounts
Domain Accounts
Application
Okta Mismatch Between Source and Response for Verify Push Request
Multi-Factor Authentication Request Generation
Okta Suspicious Use of a Session Cookie
Steal Web Session Cookie
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism
Persistent XSS in RapidDiag through User Interface Views
Drive-by Compromise
Splunk unnecessary file extensions allowed by lookup table uploads
Drive-by Compromise
Splunk csrf in the ssg kvstore client endpoint
Drive-by Compromise
Splunk Improperly Formatted Parameter Crashes splunkd
Endpoint Denial of Service
Splunk XSS via View
Drive-by Compromise
Splunk list all nonstandard admin accounts
Drive-by Compromise
Splunk Data exfiltration from Analytics Workspace using sid query
Exfiltration Over Web Service
Splunk Reflected XSS in the templates lists radio
Drive-by Compromise
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
Exploitation of Remote Services
Splunk Code Injection via custom dashboard leading to RCE
Exploitation of Remote Services
Splunk XSS in Save table dialog header in search page
Drive-by Compromise
Splunk Stored XSS via Data Model objectName field
Drive-by Compromise
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Okta Two or More Rejected Okta Pushes
Brute Force
Okta MFA Exhaustion Hunt
Brute Force
Okta Account Locked Out
Brute Force