| Name | ATT&CK Technique(s) | Data Model |
|---|---|---|
| 3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | Network_Resolution |
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Endpoint |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | None |
| Account Discovery With Net App | Domain Account, Account Discovery | Endpoint |
| Active Directory Lateral Movement Identified | Exploitation of Remote Services | Risk |
| Active Directory Privilege Escalation Identified | Domain or Tenant Policy Modification | Risk |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | Endpoint |
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Endpoint |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | Endpoint |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | None |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | Endpoint |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | Endpoint |
| Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | None |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | Endpoint |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | Endpoint |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Endpoint |
| Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | None |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Endpoint |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | Endpoint |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | Endpoint |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | Endpoint |
| Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | None |
| Attempt To Disable Services | Service Stop | None |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | Endpoint |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | Endpoint |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | None |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | Endpoint |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | Endpoint |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | None |
| BITS Job Persistence | BITS Jobs | Endpoint |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | Endpoint |
| Batch File Write to System32 | User Execution, Malicious File | Endpoint |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | Endpoint |
| CHCP Command Execution | Command and Scripting Interpreter | Endpoint |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Endpoint |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | Endpoint |
| CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | None |
| CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Endpoint |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | Endpoint |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | Endpoint |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | Endpoint |
| Certutil exe certificate extraction | None | Endpoint |
| Change Default File Association | Change Default File Association, Event Triggered Execution | Endpoint |
| Change To Safe Mode With Network Config | Inhibit System Recovery | Endpoint |
| Check Elevated CMD using whoami | System Owner/User Discovery | Endpoint |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | Endpoint |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | Endpoint |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | None |
| Clop Common Exec Parameter | User Execution | Endpoint |
| Clop Ransomware Known Service Name | Create or Modify System Process | None |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | Endpoint |
| Cobalt Strike Named Pipes | Process Injection | None |
| Common Ransomware Extensions | Data Destruction | Endpoint |
| Common Ransomware Notes | Data Destruction | Endpoint |
| ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | Endpoint |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | None |
| Conti Common Exec parameter | User Execution | Endpoint |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | Endpoint |
| Create Local Admin Accounts Using Net Exe | Local Account, Create Account | None |
| Create Local User Accounts Using Net Exe | Local Account, Create Account | None |
| Create Remote Thread In Shell Application | Process Injection | None |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | None |
| Create local admin accounts using net exe | Local Account, Create Account | Endpoint |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | Endpoint |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | Endpoint |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | None |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | Endpoint |
| Crowdstrike Admin Weak Password Policy | Brute Force | None |
| Crowdstrike Admin With Duplicate Password | Brute Force | None |
| Crowdstrike High Identity Risk Severity | Brute Force | None |
| Crowdstrike Medium Identity Risk Severity | Brute Force | None |
| Crowdstrike Medium Severity Alert | Brute Force | Endpoint |
| Crowdstrike Multiple LOW Severity Alerts | Brute Force | Endpoint |
| Crowdstrike Privilege Escalation For Non-Admin User | Brute Force | Endpoint |
| Crowdstrike User Weak Password Policy | Brute Force | None |
| Crowdstrike User with Duplicate Password | Brute Force | None |
| Curl Download and Bash Execution | Ingress Tool Transfer | Endpoint |
| DLLHost with no Command Line Arguments with Network | Process Injection | Endpoint, Network_Traffic |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | Endpoint |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | None |
| DSQuery Domain Discovery | Domain Trust Discovery | Endpoint |
| Delete A Net User | Account Access Removal | None |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | None |
| Deleting Of Net Users | Account Access Removal | Endpoint |
| Deleting Shadow Copies | Inhibit System Recovery | Endpoint |
| Deleting Shadow Copies | Inhibit System Recovery | None |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | None |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | None |
| Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | None |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | None |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | Endpoint |
| Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | None |
| Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | Endpoint |
| Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | None |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | None |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | None |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | None |
| Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Change |
| Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Change |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | Endpoint |
| Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | Endpoint |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | Endpoint |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | None |
| Detect New Local Admin account | Local Account, Create Account | None |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | Endpoint |
| Detect Password Spray Attack Behavior From Source | Password Spraying, Brute Force | Authentication |
| Detect Password Spray Attack Behavior On User | Password Spraying, Brute Force | Authentication |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | Endpoint |
| Detect PowerShell Applications Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Endpoint |
| Detect Prohibited Browsers Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect Prohibited Office Applications Spawning cmd exe | Command and Scripting Interpreter | None |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | Endpoint |
| Detect RClone Command-Line Usage | Automated Exfiltration | Endpoint |
| Detect RClone Command-Line Usage | Automated Exfiltration | None |
| Detect RTLO In File Name | Right-to-Left Override, Masquerading | Endpoint |
| Detect RTLO In Process | Right-to-Left Override, Masquerading | Endpoint |
| Detect Rare Executables | User Execution | Endpoint |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | None |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | None |
| Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | Endpoint |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | Endpoint |
| Detect Remote Access Software Usage File | Remote Access Software | Endpoint |
| Detect Remote Access Software Usage FileInfo | Remote Access Software | None |
| Detect Remote Access Software Usage Process | Remote Access Software | Endpoint |
| Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Endpoint |
| Detect Renamed PSExec | System Services, Service Execution | Endpoint |
| Detect Renamed RClone | Automated Exfiltration | Endpoint |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Endpoint |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | Endpoint |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | Endpoint |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | Endpoint |
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | None |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | Endpoint |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | Endpoint |
| Detect mshta renamed | System Binary Proxy Execution, Mshta | Endpoint |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | Endpoint |
| Detect suspicious processnames using pretrained model in DSDL | Command and Scripting Interpreter | Endpoint |
| Detection of tools built by NirSoft | Software Deployment Tools | Endpoint |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | Endpoint |
| Disable Net User Account | Service Stop, Valid Accounts | None |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Security Logs Using MiniNt Registry | Modify Registry | Endpoint |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Endpoint |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Net User Account | Account Access Removal | Endpoint |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | Endpoint |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Disabling SystemRestore In Registry | Inhibit System Recovery | Endpoint |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | Endpoint |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | Endpoint |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | Endpoint |
| Domain Account Discovery with Dsquery | Domain Account, Account Discovery | Endpoint |
| Domain Account Discovery with Wmic | Domain Account, Account Discovery | Endpoint |
| Domain Controller Discovery with Nltest | Remote System Discovery | Endpoint |
| Domain Controller Discovery with Wmic | Remote System Discovery | Endpoint |
| Domain Group Discovery With Dsquery | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Endpoint |
| Domain Group Discovery with Adsisearcher | Permission Groups Discovery, Domain Groups | None |
| Download Files Using Telegram | Ingress Tool Transfer | None |
| Drop IcedID License dat | User Execution, Malicious File | None |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | Endpoint |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | Endpoint |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | Endpoint |
| Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | Endpoint |
| Elevated Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Endpoint |
| Elevated Group Discovery with PowerView | Permission Groups Discovery, Domain Groups | None |
| Enable RDP In Other Port Number | Remote Services | Endpoint |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | Endpoint |
| Enumerate Users Local Group Using Telegram | Account Discovery | None |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Endpoint |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | Endpoint |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | Endpoint |
| Excessive Attempt To Disable Services | Service Stop | Endpoint |
| Excessive File Deletion In WinDefender Folder | Data Destruction | None |
| Excessive Service Stop Attempt | Service Stop | Endpoint |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Endpoint |
| Excessive Usage Of Net App | Account Access Removal | Endpoint |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | None |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Endpoint |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | None |
| Excessive distinct processes from Windows Temp | Command and Scripting Interpreter | Endpoint |
| Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Endpoint |
| Excessive number of taskhost processes | Command and Scripting Interpreter | Endpoint |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | None |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | None |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | None |
| Executables Or Script Creation In Suspicious Path | Masquerading | Endpoint |
| Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | Endpoint |
| Execution of File with Multiple Extensions | Masquerading, Rename System Utilities | Endpoint |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | Endpoint |
| File with Samsam Extension | None | Endpoint |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Endpoint |
| First Time Seen Child Process of Zoom | Exploitation for Privilege Escalation | Endpoint |
| First Time Seen Running Windows Service | System Services, Service Execution | None |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | Endpoint |
| Fsutil Zeroing File | Indicator Removal | Endpoint |
| Fsutil Zeroing File | Indicator Removal | None |
| GPUpdate with no Command Line Arguments with Network | Process Injection | Endpoint, Network_Traffic |
| Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get ADUser with PowerShell | Domain Account, Account Discovery | Endpoint |
| Get ADUser with PowerShell Script Block | Domain Account, Account Discovery | None |
| Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get DomainPolicy with Powershell | Password Policy Discovery | Endpoint |
| Get DomainPolicy with Powershell Script Block | Password Policy Discovery | None |
| Get DomainUser with PowerShell | Domain Account, Account Discovery | Endpoint |
| Get DomainUser with PowerShell Script Block | Domain Account, Account Discovery | None |
| Get WMIObject Group Discovery | Permission Groups Discovery, Local Groups | Endpoint |
| Get WMIObject Group Discovery with Script Block Logging | Permission Groups Discovery, Local Groups | None |
| Get-DomainTrust with PowerShell | Domain Trust Discovery | Endpoint |
| Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | None |
| Get-ForestTrust with PowerShell | Domain Trust Discovery | Endpoint |
| Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery, PowerShell | None |
| GetAdComputer with PowerShell | Remote System Discovery | Endpoint |
| GetAdComputer with PowerShell Script Block | Remote System Discovery | None |
| GetAdGroup with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetAdGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetCurrent User with PowerShell | System Owner/User Discovery | Endpoint |
| GetCurrent User with PowerShell Script Block | System Owner/User Discovery | None |
| GetDomainComputer with PowerShell | Remote System Discovery | Endpoint |
| GetDomainComputer with PowerShell Script Block | Remote System Discovery | None |
| GetDomainController with PowerShell | Remote System Discovery | Endpoint |
| GetDomainController with PowerShell Script Block | Remote System Discovery | None |
| GetDomainGroup with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetDomainGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetLocalUser with PowerShell | Account Discovery, Local Account | Endpoint |
| GetLocalUser with PowerShell Script Block | Account Discovery, Local Account, PowerShell | None |
| GetNetTcpconnection with PowerShell | System Network Connections Discovery | Endpoint |
| GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | None |
| GetWmiObject DS User with PowerShell | Domain Account, Account Discovery | Endpoint |
| GetWmiObject DS User with PowerShell Script Block | Domain Account, Account Discovery | None |
| GetWmiObject Ds Computer with PowerShell | Remote System Discovery | Endpoint |
| GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | None |
| GetWmiObject Ds Group with PowerShell | Permission Groups Discovery, Domain Groups | Endpoint |
| GetWmiObject Ds Group with PowerShell Script Block | Permission Groups Discovery, Domain Groups | None |
| GetWmiObject User Account with PowerShell | Account Discovery, Local Account | Endpoint |
| GetWmiObject User Account with PowerShell Script Block | Account Discovery, Local Account, PowerShell | None |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | None |
| Headless Browser Mockbin or Mocky Request | Hidden Window | Endpoint |
| Headless Browser Usage | Hidden Window | Endpoint |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | Endpoint |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | Endpoint |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | None |
| High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | None |
| High Process Termination Frequency | Data Encrypted for Impact | None |
| Hunting 3CXDesktopApp Software | Compromise Software Supply Chain | Endpoint |
| ICACLS Grant Command | File and Directory Permissions Modification | Endpoint |
| Icacls Deny Command | File and Directory Permissions Modification | Endpoint |
| IcedID Exfiltrated Archived File Creation | Archive via Utility, Archive Collected Data | None |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | None |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | Endpoint |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | None |
| Interactive Session on Remote Endpoint with PowerShell | Remote Services, Windows Remote Management | None |
| Java Class File download by Java User Agent | Exploit Public-Facing Application | Web |
| Java Writing JSP File | Exploit Public-Facing Application, External Remote Services | Endpoint |
| Jscript Execution Using Cscript App | Command and Scripting Interpreter, JavaScript | Endpoint |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | None |
| Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | Change |
| Kerberos Pre-Authentication Flag Disabled with PowerShell | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | None |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | None |
| Kerberos User Enumeration | Gather Victim Identity Information, Email Addresses | None |
| Known Services Killed by Ransomware | Inhibit System Recovery | None |
| LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | Network_Traffic |
| Linux APT Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux AWK Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Account Manipulation Of SSH Config and Keys | Data Destruction, File Deletion, Indicator Removal | Endpoint |
| Linux Add Files In Known Crontab Directories | Cron, Scheduled Task/Job | Endpoint |
| Linux Add User Account | Local Account, Create Account | Endpoint |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Endpoint |
| Linux At Allow Config File Creation | Cron, Scheduled Task/Job | Endpoint |
| Linux At Application Execution | At, Scheduled Task/Job | Endpoint |
| Linux Auditd Add User Account | Local Account, Create Account | None |
| Linux Auditd Add User Account Type | Create Account, Local Account | None |
| Linux Auditd At Application Execution | At, Scheduled Task/Job | None |
| Linux Auditd Auditd Service Stop | Service Stop | None |
| Linux Auditd Base64 Decode Files | Deobfuscate/Decode Files or Information | None |
| Linux Auditd Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | None |
| Linux Auditd Clipboard Data Copy | Clipboard Data | None |
| Linux Auditd Data Destruction Command | Data Destruction | None |
| Linux Auditd Data Transfer Size Limits Via Split | Data Transfer Size Limits | None |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Data Transfer Size Limits | None |
| Linux Auditd Database File And Directory Discovery | File and Directory Discovery | None |
| Linux Auditd Dd File Overwrite | Data Destruction | None |
| Linux Auditd Disable Or Modify System Firewall | Disable or Modify System Firewall, Impair Defenses | None |
| Linux Auditd Doas Conf File Creation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | None |
| Linux Auditd Doas Tool Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | None |
| Linux Auditd Edit Cron Table Parameter | Cron, Scheduled Task/Job | None |
| Linux Auditd File And Directory Discovery | File and Directory Discovery | None |
| Linux Auditd File Permission Modification Via Chmod | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | None |
| Linux Auditd File Permissions Modification Via Chattr | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | None |
| Linux Auditd Find Credentials From Password Managers | Password Managers, Credentials from Password Stores | None |
| Linux Auditd Find Credentials From Password Stores | Password Managers, Credentials from Password Stores | None |
| Linux Auditd Find Private Keys | Private Keys, Unsecured Credentials | None |
| Linux Auditd Find Ssh Private Keys | Private Keys, Unsecured Credentials | None |
| Linux Auditd Hardware Addition Swapoff | Hardware Additions | None |
| Linux Auditd Hidden Files And Directories Creation | File and Directory Discovery | None |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | None |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | None |
| Linux Auditd Kernel Module Enumeration | System Information Discovery, Rootkit | None |
| Linux Auditd Kernel Module Using Rmmod Utility | Kernel Modules and Extensions, Boot or Logon Autostart Execution | None |
| Linux Auditd Nopasswd Entry In Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | None |
| Linux Auditd Osquery Service Stop | Service Stop | None |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | SSH Authorized Keys, Account Manipulation | None |
| Linux Auditd Possible Access To Credential Files | /etc/passwd and /etc/shadow, OS Credential Dumping | None |
| Linux Auditd Possible Access To Sudoers File | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | None |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Cron, Scheduled Task/Job | None |
| Linux Auditd Preload Hijack Library Calls | Dynamic Linker Hijacking, Hijack Execution Flow | None |
| Linux Auditd Preload Hijack Via Preload File | Dynamic Linker Hijacking, Hijack Execution Flow | None |
| Linux Auditd Service Restarted | Systemd Timers, Scheduled Task/Job | None |
| Linux Auditd Service Started | Service Execution, System Services | None |
| Linux Auditd Setuid Using Chmod Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | None |
| Linux Auditd Setuid Using Setcap Utility | Setuid and Setgid, Abuse Elevation Control Mechanism | None |
| Linux Auditd Shred Overwrite Command | Data Destruction | None |
| Linux Auditd Stop Services | Service Stop | None |
| Linux Auditd Sudo Or Su Execution | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | None |
| Linux Auditd Sysmon Service Stop | Service Stop | None |
| Linux Auditd System Network Configuration Discovery | System Network Configuration Discovery | None |
| Linux Auditd Unix Shell Configuration Modification | Unix Shell Configuration Modification, Event Triggered Execution | None |
| Linux Auditd Unload Module Via Modprobe | Kernel Modules and Extensions, Boot or Logon Autostart Execution | None |
| Linux Auditd Virtual Disk File And Directory Discovery | File and Directory Discovery | None |
| Linux Auditd Whoami User Discovery | System Owner/User Discovery | None |
| Linux Busybox Privilege Escalation | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Endpoint |
| Linux Change File Owner To Root | Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification | Endpoint |
| Linux Clipboard Data Copy | Clipboard Data | Endpoint |
| Linux Common Process For Elevation Control | Setuid and Setgid, Abuse Elevation Control Mechanism | Endpoint |
Linux Composer Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Cpulimit Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Csvtool Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Curl Upload File |
Ingress Tool Transfer |
Endpoint |
Linux DD File Overwrite |
Data Destruction |
Endpoint |
Linux Data Destruction Command |
Data Destruction |
Endpoint |
Linux Decode Base64 to Shell |
Obfuscated Files or Information, Unix Shell |
Endpoint |
Linux Deleting Critical Directory Using RM Command |
Data Destruction |
Endpoint |
Linux Deletion Of Cron Jobs |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux Deletion Of Init Daemon Script |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux Deletion Of Services |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux Deletion of SSL Certificate |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux Disable Services |
Service Stop |
Endpoint |
Linux Doas Conf File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Doas Tool Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Docker Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Edit Cron Table Parameter |
Cron, Scheduled Task/Job |
Endpoint |
Linux Emacs Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux File Created In Kernel Driver Directory |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Endpoint |
Linux File Creation In Init Boot Directory |
RC Scripts, Boot or Logon Initialization Scripts |
Endpoint |
Linux File Creation In Profile Directory |
Unix Shell Configuration Modification, Event Triggered Execution |
Endpoint |
Linux Find Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux GDB Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux GNU Awk Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Gem Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Hardware Addition SwapOff |
Hardware Additions |
Endpoint |
Linux High Frequency Of File Deletion In Boot Folder |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux High Frequency Of File Deletion In Etc Folder |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Linux Impair Defenses Process Kill |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Linux Indicator Removal Clear Cache |
Indicator Removal |
Endpoint |
Linux Indicator Removal Service File Deletion |
File Deletion, Indicator Removal |
Endpoint |
Linux Ingress Tool Transfer Hunting |
Ingress Tool Transfer |
Endpoint |
Linux Ingress Tool Transfer with Curl |
Ingress Tool Transfer |
Endpoint |
Linux Insert Kernel Module Using Insmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Endpoint |
Linux Install Kernel Module Using Modprobe Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Endpoint |
Linux Iptables Firewall Modification |
Disable or Modify System Firewall, Impair Defenses |
Endpoint |
Linux Java Spawning Shell |
Exploit Public-Facing Application, External Remote Services |
Endpoint |
Linux Kernel Module Enumeration |
System Information Discovery, Rootkit |
Endpoint |
Linux Kworker Process In Writable Process Path |
Masquerade Task or Service, Masquerading |
Endpoint |
Linux Make Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux MySQL Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux NOPASSWD Entry In Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Ngrok Reverse Proxy Usage |
Protocol Tunneling, Proxy, Web Service |
Endpoint |
Linux Node Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Obfuscated Files or Information Base64 Decode |
Obfuscated Files or Information |
Endpoint |
Linux Octave Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux OpenVPN Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux PHP Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Persistence and Privilege Escalation Risk Behavior |
Abuse Elevation Control Mechanism |
Risk |
Linux Possible Access Or Modification Of sshd Config File |
SSH Authorized Keys, Account Manipulation |
Endpoint |
Linux Possible Access To Credential Files |
/etc/passwd and /etc/shadow, OS Credential Dumping |
Endpoint |
Linux Possible Access To Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Possible Append Command To At Allow Config File |
At, Scheduled Task/Job |
Endpoint |
Linux Possible Append Command To Profile Config File |
Unix Shell Configuration Modification, Event Triggered Execution |
Endpoint |
Linux Possible Append Cronjob Entry on Existing Cronjob File |
Cron, Scheduled Task/Job |
Endpoint |
Linux Possible Cronjob Modification With Editor |
Cron, Scheduled Task/Job |
Endpoint |
Linux Possible Ssh Key File Creation |
SSH Authorized Keys, Account Manipulation |
Endpoint |
Linux Preload Hijack Library Calls |
Dynamic Linker Hijacking, Hijack Execution Flow |
Endpoint |
Linux Proxy Socks Curl |
Proxy, Non-Application Layer Protocol |
Endpoint |
Linux Puppet Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux RPM Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Ruby Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux SSH Authorized Keys Modification |
SSH Authorized Keys |
Endpoint |
Linux SSH Remote Services Script Execute |
SSH |
Endpoint |
Linux Service File Created In Systemd Directory |
Systemd Timers, Scheduled Task/Job |
Endpoint |
Linux Service Restarted |
Systemd Timers, Scheduled Task/Job |
Endpoint |
Linux Service Started Or Enabled |
Systemd Timers, Scheduled Task/Job |
Endpoint |
Linux Setuid Using Chmod Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Endpoint |
Linux Setuid Using Setcap Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Endpoint |
Linux Shred Overwrite Command |
Data Destruction |
Endpoint |
Linux Sqlite3 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Stdout Redirection To Dev Null File |
Disable or Modify System Firewall, Impair Defenses |
Endpoint |
Linux Stop Services |
Service Stop |
Endpoint |
Linux Sudo OR Su Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux Sudoers Tmp File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux System Network Discovery |
System Network Configuration Discovery |
Endpoint |
Linux System Reboot Via System Request Key |
System Shutdown/Reboot |
Endpoint |
Linux Unix Shell Enable All SysRq Functions |
Unix Shell, Command and Scripting Interpreter |
Endpoint |
Linux Visudo Utility Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux apt-get Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux c89 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux c99 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Endpoint |
Linux pkexec Privilege Escalation |
Exploitation for Privilege Escalation |
Endpoint |
Living Off The Land Detection |
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
Risk |
Loading Of Dynwrapx Module |
Process Injection, Dynamic-link Library Injection |
None |
Local Account Discovery With Wmic |
Account Discovery, Local Account |
Endpoint |
Local Account Discovery with Net |
Account Discovery, Local Account |
Endpoint |
Log4Shell CVE-2021-44228 Exploitation |
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
Risk |
Logon Script Event Trigger Execution |
Boot or Logon Initialization Scripts, Logon Script (Windows) |
Endpoint |
MOVEit Certificate Store Access Failure |
Exploit Public-Facing Application |
None |
MOVEit Empty Key Fingerprint Authentication Attempt |
Exploit Public-Facing Application |
None |
MS Exchange Mailbox Replication service writing Active Server Pages |
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services |
Endpoint |
MS Scripting Process Loading Ldap Module |
Command and Scripting Interpreter, JavaScript |
None |
MS Scripting Process Loading WMI Module |
Command and Scripting Interpreter, JavaScript |
None |
MSBuild Suspicious Spawned By Script Process |
MSBuild, Trusted Developer Utilities Proxy Execution |
Endpoint |
MSHTML Module Load in Office Product |
Phishing, Spearphishing Attachment |
None |
MSI Module Loaded by Non-System Binary |
DLL Side-Loading, Hijack Execution Flow |
None |
MacOS - Re-opened Applications |
None |
Endpoint |
MacOS LOLbin |
Unix Shell, Command and Scripting Interpreter |
None |
MacOS plutil |
Plist File Modification |
None |
Mailsniper Invoke functions |
Email Collection, Local Email Collection |
None |
Malicious InProcServer32 Modification |
Regsvr32, Modify Registry |
Endpoint |
Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Endpoint |
Malicious PowerShell Process - Execution Policy Bypass |
Command and Scripting Interpreter, PowerShell |
Endpoint |
Malicious PowerShell Process With Obfuscation Techniques |
Command and Scripting Interpreter, PowerShell |
Endpoint |
Malicious Powershell Executed As A Service |
System Services, Service Execution |
None |
Mimikatz PassTheTicket CommandLine Parameters |
Use Alternate Authentication Material, Pass the Ticket |
Endpoint |
Mmc LOLBAS Execution Process Spawn |
Remote Services, Distributed Component Object Model, MMC |
Endpoint |
Modification Of Wallpaper |
Defacement |
None |
Modify ACL permission To Files Or Folder |
File and Directory Permissions Modification |
Endpoint |
Modify ACLs Permission Of Files Or Folders |
File and Directory Permissions Modification |
None |
Monitor Registry Keys for Print Monitors |
Port Monitors, Boot or Logon Autostart Execution |
Endpoint |
Mshta spawning Rundll32 OR Regsvr32 Process |
System Binary Proxy Execution, Mshta |
Endpoint |
Msmpeng Application DLL Side Loading |
DLL Side-Loading, Hijack Execution Flow |
Endpoint |
NET Profiler UAC bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
NLTest Domain Trust Discovery |
Domain Trust Discovery |
Endpoint |
Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Endpoint |
Network Connection Discovery With Arp |
System Network Connections Discovery |
Endpoint |
Network Connection Discovery With Net |
System Network Connections Discovery |
Endpoint |
Network Connection Discovery With Netstat |
System Network Connections Discovery |
Endpoint |
Network Discovery Using Route Windows App |
System Network Configuration Discovery, Internet Connection Discovery |
Endpoint |
Network Share Discovery Via Dir Command |
Network Share Discovery |
None |
Network Traffic to Active Directory Web Services Protocol |
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |
Network_Traffic |
Nishang PowershellTCPOneLine |
Command and Scripting Interpreter, PowerShell |
Endpoint |
Non Chrome Process Accessing Chrome Default Dir |
Credentials from Password Stores, Credentials from Web Browsers |
None |
Non Firefox Process Access Firefox Profile Dir |
Credentials from Password Stores, Credentials from Web Browsers |
None |
Notepad with no Command Line Arguments |
Process Injection |
Endpoint |
Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
Endpoint |
Office Application Drop Executable |
Phishing, Spearphishing Attachment |
Endpoint |
Office Application Spawn Regsvr32 process |
Phishing, Spearphishing Attachment |
Endpoint |
Office Application Spawn rundll32 process |
Phishing, Spearphishing Attachment |
Endpoint |
Office Document Creating Schedule Task |
Phishing, Spearphishing Attachment |
None |
Office Document Executing Macro Code |
Phishing, Spearphishing Attachment |
None |
Office Document Spawned Child Process To Download |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawn CMD Process |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning BITSAdmin |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning CertUtil |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning MSHTA |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning Rundll32 with no DLL |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning Windows Script Host |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Spawning Windows Script Host |
Phishing, Spearphishing Attachment |
None |
Office Product Spawning Wmic |
Phishing, Spearphishing Attachment |
Endpoint |
Office Product Writing cab or inf |
Phishing, Spearphishing Attachment |
Endpoint |
Office Spawning Control |
Phishing, Spearphishing Attachment |
Endpoint |
Outbound Network Connection from Java Using Default Ports |
Exploit Public-Facing Application, External Remote Services |
Endpoint, Network_Traffic |
Overwriting Accessibility Binaries |
Event Triggered Execution, Accessibility Features |
Endpoint |
PaperCut NG Suspicious Behavior Debug Log |
Exploit Public-Facing Application, External Remote Services |
None |
Password Policy Discovery with Net |
Password Policy Discovery |
Endpoint |
Permission Modification using Takeown App |
File and Directory Permissions Modification |
Endpoint |
PetitPotam Network Share Access Request |
Forced Authentication |
None |
PetitPotam Suspicious Kerberos TGT Request |
OS Credential Dumping |
None |
Ping Sleep Batch Command |
Virtualization/Sandbox Evasion, Time Based Evasion |
Endpoint |
Possible Browser Pass View Parameter |
Credentials from Web Browsers, Credentials from Password Stores |
Endpoint |
Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
Endpoint |
Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
None |
Potential password in username |
Local Accounts, Credentials In Files |
Authentication |
Potentially malicious code on commandline |
Windows Command Shell |
Endpoint |
PowerShell - Connect To Internet With Hidden Window |
PowerShell, Command and Scripting Interpreter |
Endpoint |
PowerShell 4104 Hunting |
Command and Scripting Interpreter, PowerShell |
None |
PowerShell Domain Enumeration |
Command and Scripting Interpreter, PowerShell |
None |
PowerShell Enable PowerShell Remoting |
PowerShell, Command and Scripting Interpreter |
None |
PowerShell Get LocalGroup Discovery |
Permission Groups Discovery, Local Groups |
Endpoint |
PowerShell Invoke CIMMethod CIMSession |
Windows Management Instrumentation |
None |
PowerShell Invoke WmiExec Usage |
Windows Management Instrumentation |
None |
PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
None |
PowerShell Script Block With URL Chain |
PowerShell, Ingress Tool Transfer |
None |
PowerShell Start or Stop Service |
PowerShell |
None |
PowerShell Start-BitsTransfer |
BITS Jobs |
Endpoint |
PowerShell WebRequest Using Memory Stream |
PowerShell, Ingress Tool Transfer, Fileless Storage |
None |
Powershell COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell |
None |
Powershell Creating Thread Mutex |
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell |
None |
Powershell Disable Security Monitoring |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Powershell Enable SMB1Protocol Feature |
Obfuscated Files or Information, Indicator Removal from Tools |
None |
Powershell Execute COM Object |
Component Object Model Hijacking, Event Triggered Execution, PowerShell |
None |
Powershell Fileless Process Injection via GetProcAddress |
Command and Scripting Interpreter, Process Injection, PowerShell |
None |
Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
None |
Powershell Get LocalGroup Discovery with Script Block Logging |
Permission Groups Discovery, Local Groups |
None |
Powershell Load Module in Meterpreter |
Command and Scripting Interpreter, PowerShell |
None |
Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
None |
Powershell Remote Services Add TrustedHost |
Windows Remote Management, Remote Services |
None |
Powershell Remote Thread To Known Windows Process |
Process Injection |
None |
Powershell Remove Windows Defender Directory |
Disable or Modify Tools, Impair Defenses |
None |
Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
None |
Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
None |
Prevent Automatic Repair Mode using Bcdedit |
Inhibit System Recovery |
Endpoint |
Print Processor Registry Autostart |
Print Processors, Boot or Logon Autostart Execution |
Endpoint |
Print Spooler Adding A Printer Driver |
Print Processors, Boot or Logon Autostart Execution |
None |
Print Spooler Failed to Load a Plug-in |
Print Processors, Boot or Logon Autostart Execution |
None |
Process Creating LNK file in Suspicious Location |
Phishing, Spearphishing Link |
Endpoint |
Process Deleting Its Process File Path |
Indicator Removal |
None |
Process Execution via WMI |
Windows Management Instrumentation |
Endpoint |
Process Kill Base On File Path |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Process Writing DynamicWrapperX |
Command and Scripting Interpreter, Component Object Model |
Endpoint |
Processes Tapping Keyboard Events |
None |
None |
Processes launching netsh |
Disable or Modify System Firewall, Impair Defenses |
Endpoint |
Randomly Generated Scheduled Task Name |
Scheduled Task/Job, Scheduled Task |
None |
Randomly Generated Windows Service Name |
Create or Modify System Process, Windows Service |
None |
Ransomware Notes bulk creation |
Data Encrypted for Impact |
None |
Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
None |
Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
None |
Recursive Delete of Directory In Batch CMD |
File Deletion, Indicator Removal |
Endpoint |
Reg exe Manipulating Windows Services Registry Keys |
Services Registry Permissions Weakness, Hijack Execution Flow |
Endpoint |
Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
Endpoint |
Registry Keys Used For Privilege Escalation |
Image File Execution Options Injection, Event Triggered Execution |
Endpoint |
Registry Keys for Creating SHIM Databases |
Application Shimming, Event Triggered Execution |
Endpoint |
Regsvr32 Silent and Install Param Dll Loading |
System Binary Proxy Execution, Regsvr32 |
Endpoint |
Regsvr32 with Known Silent Switch Cmdline |
System Binary Proxy Execution, Regsvr32 |
Endpoint |
Remcos RAT File Creation in Remcos Folder |
Screen Capture |
Endpoint |
Remcos client registry install entry |
Modify Registry |
Endpoint |
Remote Desktop Process Running On System |
Remote Desktop Protocol, Remote Services |
Endpoint |
Remote Process Instantiation via DCOM and PowerShell |
Remote Services, Distributed Component Object Model |
Endpoint |
Remote Process Instantiation via DCOM and PowerShell Script Block |
Remote Services, Distributed Component Object Model |
None |
Remote Process Instantiation via WMI |
Windows Management Instrumentation |
Endpoint |
Remote Process Instantiation via WMI and PowerShell |
Windows Management Instrumentation |
Endpoint |
Remote Process Instantiation via WMI and PowerShell Script Block |
Windows Management Instrumentation |
None |
Remote Process Instantiation via WinRM and PowerShell |
Remote Services, Windows Remote Management |
Endpoint |
Remote Process Instantiation via WinRM and PowerShell Script Block |
Remote Services, Windows Remote Management |
None |
Remote Process Instantiation via WinRM and Winrs |
Remote Services, Windows Remote Management |
Endpoint |
Remote System Discovery with Adsisearcher |
Remote System Discovery |
None |
Remote System Discovery with Dsquery |
Remote System Discovery |
Endpoint |
Remote System Discovery with Net |
Remote System Discovery |
Endpoint |
Remote System Discovery with Wmic |
Remote System Discovery |
Endpoint |
Remote WMI Command Attempt |
Windows Management Instrumentation |
Endpoint |
Resize ShadowStorage volume |
Inhibit System Recovery |
Endpoint |
Resize Shadowstorage Volume |
Service Stop |
None |
Revil Common Exec Parameter |
User Execution |
Endpoint |
Revil Registry Entry |
Modify Registry |
Endpoint |
Rubeus Command Line Parameters |
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting |
Endpoint |
Rubeus Kerberos Ticket Exports Through Winlogon Access |
Use Alternate Authentication Material, Pass the Ticket |
None |
RunDLL Loading DLL By Ordinal |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Runas Execution in CommandLine |
Access Token Manipulation, Token Impersonation/Theft |
Endpoint |
Rundll32 Control RunDLL Hunt |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Rundll32 Control RunDLL World Writable Directory |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Rundll32 Create Remote Thread To A Process |
Process Injection |
None |
Rundll32 CreateRemoteThread In Browser |
Process Injection |
None |
Rundll32 DNSQuery |
System Binary Proxy Execution, Rundll32 |
None |
Rundll32 LockWorkStation |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Rundll32 Process Creating Exe Dll Files |
System Binary Proxy Execution, Rundll32 |
None |
Rundll32 Shimcache Flush |
Modify Registry |
Endpoint |
Rundll32 with no Command Line Arguments with Network |
System Binary Proxy Execution, Rundll32 |
Endpoint, Network_Traffic |
Ryuk Test Files Detected |
Data Encrypted for Impact |
Endpoint |
Ryuk Wake on LAN Command |
Command and Scripting Interpreter, Windows Command Shell |
Endpoint |
SAM Database File Access Attempt |
Security Account Manager, OS Credential Dumping |
None |
SLUI RunAs Elevated |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
SLUI Spawning a Process |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
Samsam Test File Write |
Data Encrypted for Impact |
Endpoint |
Sc exe Manipulating Windows Services |
Windows Service, Create or Modify System Process |
Endpoint |
SchCache Change By App Connect And Create ADSI Object |
Domain Account, Account Discovery |
None |
Schedule Task with HTTP Command Arguments |
Scheduled Task/Job |
None |
Schedule Task with Rundll32 Command Trigger |
Scheduled Task/Job |
None |
Scheduled Task Creation on Remote Endpoint using At |
Scheduled Task/Job, At |
Endpoint |
Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
Endpoint |
Scheduled Task Initiation on Remote Endpoint |
Scheduled Task/Job, Scheduled Task |
Endpoint |
Schtasks Run Task On Demand |
Scheduled Task/Job |
Endpoint |
Schtasks scheduling job on remote system |
Scheduled Task, Scheduled Task/Job |
Endpoint |
Schtasks used for forcing a reboot |
Scheduled Task, Scheduled Task/Job |
Endpoint |
Screensaver Event Trigger Execution |
Event Triggered Execution, Screensaver |
Endpoint |
Script Execution via WMI |
Windows Management Instrumentation |
Endpoint |
Sdclt UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
Sdelete Application Execution |
Data Destruction, File Deletion, Indicator Removal |
Endpoint |
Sdelete Application Execution |
Data Destruction, File Deletion, Indicator Removal |
None |
SearchProtocolHost with no Command Line with Network |
Process Injection |
Endpoint, Network_Traffic |
SecretDumps Offline NTDS Dumping Tool |
NTDS, OS Credential Dumping |
Endpoint |
ServicePrincipalNames Discovery with PowerShell |
Kerberoasting |
None |
ServicePrincipalNames Discovery with PowerShell |
Kerberoasting |
None |
ServicePrincipalNames Discovery with SetSPN |
Kerberoasting |
Endpoint |
Services Escalate Exe |
Abuse Elevation Control Mechanism |
Endpoint |
Services LOLBAS Execution Process Spawn |
Create or Modify System Process, Windows Service |
Endpoint |
Set Default PowerShell Execution Policy To Unrestricted or Bypass |
Command and Scripting Interpreter, PowerShell |
Endpoint |
Shim Database File Creation |
Application Shimming, Event Triggered Execution |
Endpoint |
Shim Database Installation With Suspicious Parameters |
Application Shimming, Event Triggered Execution |
Endpoint |
Short Lived Scheduled Task |
Scheduled Task |
None |
Short Lived Windows Accounts |
Local Account, Create Account |
Change |
SilentCleanup UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
Single Letter Process On Endpoint |
User Execution, Malicious File |
Endpoint |
Spike in File Writes |
None |
Endpoint |
Spoolsv Spawning Rundll32 |
Print Processors, Boot or Logon Autostart Execution |
Endpoint |
Spoolsv Suspicious Loaded Modules |
Print Processors, Boot or Logon Autostart Execution |
None |
Spoolsv Suspicious Process Access |
Exploitation for Privilege Escalation |
None |
Spoolsv Writing a DLL |
Print Processors, Boot or Logon Autostart Execution |
Endpoint |
Spoolsv Writing a DLL - Sysmon |
Print Processors, Boot or Logon Autostart Execution |
None |
Sqlite Module In Temp Folder |
Data from Local System |
None |
Steal or Forge Authentication Certificates Behavior Identified |
Steal or Forge Authentication Certificates |
Risk |
Sunburst Correlation DLL and Network Event |
Exploitation for Client Execution |
None |
Suspicious Computer Account Name Change |
Valid Accounts, Domain Accounts |
None |
Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
Endpoint |
Suspicious Curl Network Connection |
Ingress Tool Transfer |
Endpoint |
Suspicious DLLHost no Command Line Arguments |
Process Injection |
Endpoint |
Suspicious Driver Loaded Path |
Windows Service, Create or Modify System Process |
None |
Suspicious Event Log Service Behavior |
Indicator Removal, Clear Windows Event Logs |
None |
Suspicious GPUpdate no Command Line Arguments |
Process Injection |
Endpoint |
Suspicious IcedID Rundll32 Cmdline |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Suspicious Image Creation In Appdata Folder |
Screen Capture |
Endpoint |
Suspicious Kerberos Service Ticket Request |
Valid Accounts, Domain Accounts |
None |
Suspicious Linux Discovery Commands |
Unix Shell |
Endpoint |
Suspicious MSBuild Rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Endpoint |
Suspicious MSBuild Spawn |
Trusted Developer Utilities Proxy Execution, MSBuild |
Endpoint |
Suspicious PlistBuddy Usage |
Launch Agent, Create or Modify System Process |
Endpoint |
Suspicious PlistBuddy Usage via OSquery |
Launch Agent, Create or Modify System Process |
None |
Suspicious Process DNS Query Known Abuse Web Services |
Visual Basic, Command and Scripting Interpreter |
None |
Suspicious Process Executed From Container File |
Malicious File, Masquerade File Type |
Endpoint |
Suspicious Process File Path |
Create or Modify System Process |
Endpoint |
Suspicious Process With Discord DNS Query |
Visual Basic, Command and Scripting Interpreter |
None |
Suspicious Reg exe Process |
Modify Registry |
Endpoint |
Suspicious Regsvr32 Register Suspicious Path |
System Binary Proxy Execution, Regsvr32 |
Endpoint |
Suspicious Rundll32 PluginInit |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Suspicious Rundll32 StartW |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Suspicious Rundll32 dllregisterserver |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Suspicious Rundll32 no Command Line Arguments |
System Binary Proxy Execution, Rundll32 |
Endpoint |
Suspicious SQLite3 LSQuarantine Behavior |
Data Staged |
Endpoint |
Suspicious Scheduled Task from Public Directory |
Scheduled Task, Scheduled Task/Job |
Endpoint |
Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
Endpoint |
Suspicious Ticket Granting Ticket Request |
Valid Accounts, Domain Accounts |
None |
Suspicious WAV file in Appdata Folder |
Screen Capture |
Endpoint |
Suspicious microsoft workflow compiler rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities |
Endpoint |
Suspicious microsoft workflow compiler usage |
Trusted Developer Utilities Proxy Execution |
Endpoint |
Suspicious msbuild path |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Endpoint |
Suspicious mshta child process |
System Binary Proxy Execution, Mshta |
Endpoint |
Suspicious mshta spawn |
System Binary Proxy Execution, Mshta |
Endpoint |
Suspicious wevtutil Usage |
Clear Windows Event Logs, Indicator Removal |
Endpoint |
Suspicious writes to windows Recycle Bin |
Masquerading |
Endpoint |
Svchost LOLBAS Execution Process Spawn |
Scheduled Task/Job, Scheduled Task |
Endpoint |
System Info Gathering Using Dxdiag Application |
Gather Victim Host Information |
Endpoint |
System Information Discovery Detection |
System Information Discovery |
Endpoint |
System Process Running from Unexpected Location |
Masquerading |
None |
System Processes Run From Unexpected Locations |
Masquerading, Rename System Utilities |
Endpoint |
System User Discovery With Query |
System Owner/User Discovery |
Endpoint |
System User Discovery With Whoami |
System Owner/User Discovery |
Endpoint |
Time Provider Persistence Registry |
Time Providers, Boot or Logon Autostart Execution |
Endpoint |
Trickbot Named Pipe |
Process Injection |
None |
UAC Bypass MMC Load Unsigned Dll |
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC |
None |
UAC Bypass With Colorui COM Object |
System Binary Proxy Execution, CMSTP |
None |
USN Journal Deletion |
Indicator Removal |
Endpoint |
Uninstall App Using MsiExec |
Msiexec, System Binary Proxy Execution |
Endpoint |
Unknown Process Using The Kerberos Protocol |
Use Alternate Authentication Material |
Endpoint, Network_Traffic |
Unload Sysmon Filter Driver |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Unloading AMSI via Reflection |
Impair Defenses, PowerShell, Command and Scripting Interpreter |
None |
Unusual Number of Computer Service Tickets Requested |
Valid Accounts |
None |
Unusual Number of Kerberos Service Tickets Requested |
Steal or Forge Kerberos Tickets, Kerberoasting |
None |
Unusual Number of Remote Endpoint Authentication Events |
Valid Accounts |
None |
Unusually Long Command Line |
None |
Endpoint |
Unusually Long Command Line - MLTK |
None |
Endpoint |
User Discovery With Env Vars PowerShell |
System Owner/User Discovery |
Endpoint |
User Discovery With Env Vars PowerShell Script Block |
System Owner/User Discovery |
None |
Vbscript Execution Using Wscript App |
Visual Basic, Command and Scripting Interpreter |
Endpoint |
Verclsid CLSID Execution |
Verclsid, System Binary Proxy Execution |
Endpoint |
W3WP Spawning Shell |
Server Software Component, Web Shell |
Endpoint |
WBAdmin Delete System Backups |
Inhibit System Recovery |
Endpoint |
WBAdmin Delete System Backups |
Inhibit System Recovery |
None |
WMI Permanent Event Subscription |
Windows Management Instrumentation |
None |
WMI Permanent Event Subscription - Sysmon |
Windows Management Instrumentation Event Subscription, Event Triggered Execution |
None |
WMI Recon Running Process Or Services |
Gather Victim Host Information |
None |
WMI Temporary Event Subscription |
Windows Management Instrumentation |
None |
WMIC XSL Execution via URL |
XSL Script Processing |
Endpoint |
WSReset UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
Endpoint |
Wbemprox COM Object Execution |
System Binary Proxy Execution, CMSTP |
None |
Wermgr Process Connecting To IP Check Web Services |
Gather Victim Network Information, IP Addresses |
None |
Wermgr Process Create Executable File |
Obfuscated Files or Information |
None |
Wermgr Process Spawned CMD Or Powershell Process |
Command and Scripting Interpreter |
Endpoint |
WevtUtil Usage To Clear Logs |
Indicator Removal, Clear Windows Event Logs |
None |
Wevtutil Usage To Disable Logs |
Indicator Removal, Clear Windows Event Logs |
None |
Wget Download and Bash Execution |
Ingress Tool Transfer |
Endpoint |
WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
None |
WinEvent Scheduled Task Created to Spawn Shell |
Scheduled Task, Scheduled Task/Job |
None |
WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
None |
WinRAR Spawning Shell Application |
Ingress Tool Transfer |
Endpoint |
WinRM Spawning a Process |
Exploit Public-Facing Application |
Endpoint |
Windows AD Abnormal Object Access Activity |
Account Discovery, Domain Account |
None |
Windows AD AdminSDHolder ACL Modified |
Event Triggered Execution |
None |
Windows AD Cross Domain SID History Addition |
SID-History Injection, Access Token Manipulation |
None |
Windows AD DSRM Account Changes |
Account Manipulation |
Endpoint |
Windows AD DSRM Password Reset |
Account Manipulation |
Change |
Windows AD Domain Controller Audit Policy Disabled |
Disable or Modify Tools |
Change |
Windows AD Domain Controller Promotion |
Rogue Domain Controller |
None |
Windows AD Domain Replication ACL Addition |
Domain or Tenant Policy Modification |
Change |
Windows AD Privileged Account SID History Addition |
SID-History Injection, Access Token Manipulation |
None |
Windows AD Privileged Object Access Activity |
Account Discovery, Domain Account |
None |
Windows AD Replication Request Initiated by User Account |
DCSync, OS Credential Dumping |
Authentication, Change |
Windows AD Replication Request Initiated from Unsanctioned Location |
DCSync, OS Credential Dumping |
Authentication, Change |
Windows AD SID History Attribute Modified |
Access Token Manipulation, SID-History Injection |
None |
Windows AD Same Domain SID History Addition |
SID-History Injection, Access Token Manipulation |
None |
Windows AD ServicePrincipalName Added To Domain Account |
Account Manipulation |
None |
Windows AD Short Lived Domain Account ServicePrincipalName |
Account Manipulation |
None |
Windows AD Short Lived Domain Controller SPN Attribute |
Rogue Domain Controller |
None |
Windows AD Short Lived Server Object |
Rogue Domain Controller |
None |
Windows Abused Web Services |
Web Service |
None |
Windows Access Token Manipulation SeDebugPrivilege |
Create Process with Token, Access Token Manipulation |
None |
Windows Access Token Manipulation Winlogon Duplicate Token Handle |
Token Impersonation/Theft, Access Token Manipulation |
None |
Windows Access Token Winlogon Duplicate Handle In Uncommon Path |
Token Impersonation/Theft, Access Token Manipulation |
None |
Windows Account Discovery With NetUser PreauthNotRequire |
Account Discovery |
None |
Windows Account Discovery for None Disable User Account |
Account Discovery, Local Account |
None |
Windows Account Discovery for Sam Account Name |
Account Discovery |
None |
Windows AdFind Exe |
Remote System Discovery |
Endpoint |
Windows Admin Permission Discovery |
Local Groups |
Endpoint |
Windows Administrative Shares Accessed On Multiple Hosts |
Network Share Discovery |
None |
Windows Admon Default Group Policy Object Modified |
Domain or Tenant Policy Modification, Group Policy Modification |
None |
Windows Admon Group Policy Object Created |
Domain or Tenant Policy Modification, Group Policy Modification |
None |
Windows Alternate DataStream - Base64 Content |
Hide Artifacts, NTFS File Attributes |
None |
Windows Alternate DataStream - Executable Content |
Hide Artifacts, NTFS File Attributes |
None |
Windows Alternate DataStream - Process Execution |
Hide Artifacts, NTFS File Attributes |
Endpoint |
Windows Apache Benchmark Binary |
Command and Scripting Interpreter |
Endpoint |
Windows App Layer Protocol Qakbot NamedPipe |
Application Layer Protocol |
None |
Windows App Layer Protocol Wermgr Connect To NamedPipe |
Application Layer Protocol |
None |
Windows AppLocker Block Events |
System Binary Proxy Execution |
None |
Windows AppLocker Execution from Uncommon Locations |
System Binary Proxy Execution |
None |
Windows AppLocker Privilege Escalation via Unauthorized Bypass |
System Binary Proxy Execution |
None |
Windows AppLocker Rare Application Launch Detection |
System Binary Proxy Execution |
None |
Windows Application Layer Protocol RMS Radmin Tool Namedpipe |
Application Layer Protocol |
None |
Windows Archive Collected Data via Powershell |
Archive Collected Data |
None |
Windows Archive Collected Data via Rar |
Archive via Utility, Archive Collected Data |
Endpoint |
Windows AutoIt3 Execution |
Command and Scripting Interpreter |
Endpoint |
Windows Autostart Execution LSASS Driver Registry Modification |
LSASS Driver |
Endpoint |
Windows Binary Proxy Execution Mavinject DLL Injection |
Mavinject, System Binary Proxy Execution |
Endpoint |
Windows Bits Job Persistence |
BITS Jobs |
None |
Windows Bitsadmin Download File |
BITS Jobs, Ingress Tool Transfer |
None |
Windows Boot or Logon Autostart Execution In Startup Folder |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
Endpoint |
Windows BootLoader Inventory |
System Firmware, Pre-OS Boot |
None |
Windows Bypass UAC via Pkgmgr Tool |
Bypass User Account Control |
Endpoint |
Windows CAB File on Disk |
Spearphishing Attachment |
Endpoint |
Windows COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Event Triggered Execution |
Endpoint |
Windows COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Event Triggered Execution |
None |
Windows Cached Domain Credentials Reg Query |
Cached Domain Credentials, OS Credential Dumping |
Endpoint |
Windows CertUtil Decode File |
Deobfuscate/Decode Files or Information |
None |
Windows CertUtil URLCache Download |
Ingress Tool Transfer |
None |
Windows CertUtil VerifyCtl Download |
Ingress Tool Transfer |
None |
Windows Change Default File Association For No File Ext |
Change Default File Association, Event Triggered Execution |
Endpoint |
Windows ClipBoard Data via Get-ClipBoard |
Clipboard Data |
None |
Windows Command Shell DCRat ForkBomb Payload |
Windows Command Shell, Command and Scripting Interpreter |
Endpoint |
Windows Command Shell Fetch Env Variables |
Process Injection |
Endpoint |
Windows Command and Scripting Interpreter Hunting Path Traversal |
Command and Scripting Interpreter |
Endpoint |
Windows Command and Scripting Interpreter Path Traversal Exec |
Command and Scripting Interpreter |
Endpoint |
Windows Common Abused Cmd Shell Risk Behavior |
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter |
Risk |
Windows Computer Account Created by Computer Account |
Steal or Forge Kerberos Tickets |
None |
Windows Computer Account Requesting Kerberos Ticket |
Steal or Forge Kerberos Tickets |
None |
Windows Computer Account With SPN |
Steal or Forge Kerberos Tickets |
None |
Windows ConHost with Headless Argument |
Hidden Window, Run Virtual Instance |
Endpoint |
Windows Create Local Account |
Local Account, Create Account |
Change |
Windows Credential Access From Browser Password Store |
Query Registry |
None |
Windows Credential Dumping LSASS Memory Createdump |
LSASS Memory |
Endpoint |
Windows Credentials from Password Stores Chrome Extension Access |
Query Registry |
None |
Windows Credentials from Password Stores Chrome LocalState Access |
Query Registry |
None |
Windows Credentials from Password Stores Chrome Login Data Access |
Query Registry |
None |
Windows Credentials from Password Stores Creation |
Credentials from Password Stores |
Endpoint |
Windows Credentials from Password Stores Deletion |
Credentials from Password Stores |
Endpoint |
Windows Credentials from Password Stores Query |
Credentials from Password Stores |
Endpoint |
Windows Credentials in Registry Reg Query |
Credentials in Registry, Unsecured Credentials |
Endpoint |
Windows Curl Download to Suspicious Path |
Ingress Tool Transfer |
Endpoint |
Windows Curl Upload to Remote Destination |
Ingress Tool Transfer |
Endpoint |
Windows Curl Upload to Remote Destination |
Ingress Tool Transfer |
None |
Windows DISM Install PowerShell Web Access |
Bypass User Account Control |
Endpoint, Web |
Windows DISM Remove Defender |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows DLL Search Order Hijacking Hunt with Sysmon |
DLL Search Order Hijacking, Hijack Execution Flow |
None |
Windows DLL Search Order Hijacking with iscsicpl |
DLL Search Order Hijacking |
Endpoint |
Windows DLL Side-Loading In Calc |
DLL Side-Loading, Hijack Execution Flow |
None |
Windows DLL Side-Loading Process Child Of Calc |
DLL Side-Loading, Hijack Execution Flow |
Endpoint |
Windows DNS Gather Network Info |
DNS |
Endpoint |
Windows Data Destruction Recursive Exec Files Deletion |
Data Destruction |
None |
Windows Debugger Tool Execution |
Masquerading |
Endpoint |
Windows Defacement Modify Transcodedwallpaper File |
Defacement |
Endpoint |
Windows Default Group Policy Object Modified |
Domain or Tenant Policy Modification, Group Policy Modification |
None |
Windows Default Group Policy Object Modified with GPME |
Domain or Tenant Policy Modification, Group Policy Modification |
Endpoint |
Windows Default Group Policy Object Modified with GPME |
Domain or Tenant Policy Modification, Group Policy Modification |
None |
Windows Defender ASR Audit Events |
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link |
None |
Windows Defender ASR Block Events |
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link |
None |
Windows Defender ASR Registry Modification |
Modify Registry |
None |
Windows Defender ASR Rule Disabled |
Modify Registry |
None |
Windows Defender ASR Rules Stacking |
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter |
None |
Windows Defender Exclusion Registry Entry |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Defender Tools in Non Standard Path |
Masquerading, Rename System Utilities |
None |
Windows Delete or Modify System Firewall |
Impair Defenses, Disable or Modify System Firewall |
Endpoint |
Windows Deleted Registry By A Non Critical Process File Path |
Modify Registry |
Endpoint |
Windows Disable Change Password Through Registry |
Modify Registry |
Change, Endpoint |
Windows Disable Lock Workstation Feature Through Registry |
Modify Registry |
Endpoint |
Windows Disable LogOff Button Through Registry |
Modify Registry |
Endpoint |
Windows Disable Memory Crash Dump |
Data Destruction |
Endpoint |
Windows Disable Notification Center |
Modify Registry |
Endpoint |
Windows Disable Shutdown Button Through Registry |
Modify Registry |
Endpoint |
Windows Disable Windows Event Logging Disable HTTP Logging |
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components |
Endpoint |
Windows Disable Windows Group Policy Features Through Registry |
Modify Registry |
Endpoint |
Windows Disable or Modify Tools Via Taskkill |
Impair Defenses, Disable or Modify Tools |
Endpoint |
Windows DisableAntiSpyware Registry |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows DiskCryptor Usage |
Data Encrypted for Impact |
Endpoint |
Windows Diskshadow Proxy Execution |
System Binary Proxy Execution |
Endpoint |
Windows Diskshadow Proxy Execution |
System Binary Proxy Execution |
None |
Windows DnsAdmins New Member Added |
Account Manipulation |
None |
Windows Domain Account Discovery Via Get-NetComputer |
Account Discovery, Domain Account |
None |
Windows Domain Admin Impersonation Indicator |
Steal or Forge Kerberos Tickets |
None |
Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Endpoint |
Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
None |
Windows Driver Inventory |
Exploitation for Privilege Escalation |
None |
Windows Driver Load Non-Standard Path |
Rootkit, Exploitation for Privilege Escalation |
None |
Windows Drivers Loaded by Signature |
Rootkit, Exploitation for Privilege Escalation |
None |
Windows ESX Admins Group Creation Security Event |
Local Account, Domain Account |
None |
Windows ESX Admins Group Creation via Net |
Domain Account, Local Account |
Endpoint |
Windows ESX Admins Group Creation via PowerShell |
Domain Account, Local Account |
None |
Windows Enable PowerShell Web Access |
PowerShell |
Web |
Windows Enable Win32 ScheduledJob via Registry |
Scheduled Task |
Endpoint |
Windows Event For Service Disabled |
Disable or Modify Tools, Impair Defenses |
None |
Windows Event Log Cleared |
Indicator Removal, Clear Windows Event Logs |
None |
Windows Event Triggered Image File Execution Options Injection |
Image File Execution Options Injection |
None |
Windows Excessive Disabled Services Event |
Disable or Modify Tools, Impair Defenses |
None |
Windows Exchange PowerShell Module Usage |
Command and Scripting Interpreter, PowerShell |
None |
Windows Executable in Loaded Modules |
Shared Modules |
None |
Windows Execute Arbitrary Commands with MSDT |
System Binary Proxy Execution |
Endpoint |
Windows Execute Arbitrary Commands with MSDT |
System Binary Proxy Execution |
None |
Windows Exfiltration Over C2 Via Invoke RestMethod |
Exfiltration Over C2 Channel |
None |
Windows Exfiltration Over C2 Via Powershell UploadString |
Exfiltration Over C2 Channel |
None |
Windows Export Certificate |
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates |
None |
Windows File Share Discovery With Powerview |
Network Share Discovery |
None |
Windows File Share Discovery With Powerview |
Unsecured Credentials, Group Policy Preferences |
None |
Windows File Transfer Protocol In Non-Common Process Path |
Mail Protocols, Application Layer Protocol |
None |
Windows File Without Extension In Critical Folder |
Data Destruction |
Endpoint |
Windows Files and Dirs Access Rights Modification Via Icacls |
Windows File and Directory Permissions Modification, File and Directory Permissions Modification |
Endpoint |
Windows Find Domain Organizational Units with GetDomainOU |
Account Discovery, Domain Account |
None |
Windows Find Interesting ACL with FindInterestingDomainAcl |
Account Discovery, Domain Account |
None |
Windows Findstr GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
Endpoint |
Windows Findstr GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
None |
Windows Forest Discovery with GetForestDomain |
Account Discovery, Domain Account |
None |
Windows Gather Victim Host Information Camera |
Hardware, Gather Victim Host Information |
None |
Windows Gather Victim Identity SAM Info |
Credentials, Gather Victim Identity Information |
None |
Windows Gather Victim Network Info Through Ip Check Web Services |
IP Addresses, Gather Victim Network Information |
None |
Windows Get Local Admin with FindLocalAdminAccess |
Account Discovery, Domain Account |
None |
Windows Get-AdComputer Unconstrained Delegation Discovery |
Remote System Discovery |
None |
Windows Group Policy Object Created |
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts |
None |
Windows Hidden Schedule Task Settings |
Scheduled Task/Job |
None |
Windows Hide Notification Features Through Registry |
Modify Registry |
Endpoint |
Windows High File Deletion Frequency |
Data Destruction |
None |
Windows Hijack Execution Flow Version Dll Side Load |
DLL Search Order Hijacking, Hijack Execution Flow |
None |
Windows Hunting System Account Targeting Lsass |
LSASS Memory, OS Credential Dumping |
None |
Windows IIS Components Add New Module |
Server Software Component, IIS Components |
Endpoint |
Windows IIS Components Get-WebGlobalModule Module Query |
IIS Components, Server Software Component |
None |
Windows IIS Components Module Failed to Load |
Server Software Component, IIS Components |
None |
Windows IIS Components New Module Added |
Server Software Component, IIS Components |
None |
Windows ISO LNK File Creation |
Spearphishing Attachment, Phishing, Malicious Link, User Execution |
Endpoint |
Windows Identify Protocol Handlers |
Command and Scripting Interpreter |
Endpoint |
Windows Impair Defense Add Xml Applocker Rules |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Change Win Defender Health Check Intervals |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Change Win Defender Quick Scan Interval |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Change Win Defender Throttle Rate |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Change Win Defender Tracing Level |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Configure App Install Control |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Define Win Defender Threat Action |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Delete Win Defender Context Menu |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Delete Win Defender Profile Registry |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Deny Security Software With Applocker |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Controlled Folder Access |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Defender Firewall And Network |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Defender Protocol Recognition |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable PUA Protection |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Realtime Signature Delivery |
Disable or Modify Tools, Impair Defenses |
Endpoint, Updates |
Windows Impair Defense Disable Web Evaluation |
Disable or Modify Tools, Impair Defenses |
Endpoint, Web |
Windows Impair Defense Disable Win Defender App Guard |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Win Defender Compute File Hashes |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Win Defender Gen reports |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Win Defender Network Protection |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Win Defender Report Infection |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Disable Win Defender Scan On Update |
Disable or Modify Tools, Impair Defenses |
Endpoint, Updates |
Windows Impair Defense Disable Win Defender Signature Retirement |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Overide Win Defender Phishing Filter |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Override SmartScreen Prompt |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defense Set Win Defender Smart Screen Level To Warn |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defenses Disable HVCI |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows Impair Defenses Disable Win Defender Auto Logging |
Disable or Modify Tools, Impair Defenses |
Endpoint |
Windows InProcServer32 New Outlook Form |
Phishing, Modify Registry |
Endpoint |
Windows Indicator Removal Via Rmdir |
Indicator Removal |
Endpoint |
Windows Indirect Command Execution Via Series Of Forfiles |
Indirect Command Execution |
Endpoint |
Windows Indirect Command Execution Via forfiles |
Indirect Command Execution |
Endpoint |
Windows Indirect Command Execution Via pcalua |
Indirect Command Execution |
Endpoint |
Windows Information Discovery Fsutil |
System Information Discovery |
Endpoint |
Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
Endpoint |
Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
None |
Windows Input Capture Using Credential UI Dll |
GUI Input Capture, Input Capture |
None |
Windows InstallUtil Credential Theft |
InstallUtil, System Binary Proxy Execution |
None |
Windows InstallUtil Remote Network Connection |
InstallUtil, System Binary Proxy Execution |
Endpoint, Network_Traffic |
Windows InstallUtil URL in Command Line |
InstallUtil, System Binary Proxy Execution |
Endpoint |
Windows InstallUtil Uninstall Option |
InstallUtil, System Binary Proxy Execution |
Endpoint |
Windows InstallUtil Uninstall Option with Network |
InstallUtil, System Binary Proxy Execution |
Endpoint, Network_Traffic |
Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Endpoint |
Windows Java Spawning Shells |
Exploit Public-Facing Application, External Remote Services |
Endpoint |
Windows Kerberos Local Successful Logon |
Steal or Forge Kerberos Tickets |
Authentication |
Windows Known Abused DLL Created |
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow |
Endpoint |
Windows Known Abused DLL Loaded Suspiciously |
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow |
None |
Windows Known GraphicalProton Loaded Modules |
DLL Side-Loading, Hijack Execution Flow |
None |
Windows KrbRelayUp Service Creation |
Windows Service |
None |
Windows LOLBAS Executed As Renamed File |
Masquerading, Rename System Utilities, Rundll32 |
Endpoint |
Windows LOLBAS Executed Outside Expected Path |
Masquerading, Match Legitimate Name or Location, Rundll32 |
Endpoint |
Windows LOLBin Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
None |
Windows LSA Secrets NoLMhash Registry |
LSA Secrets |
Endpoint |
Windows Large Number of Computer Service Tickets Requested |
Network Share Discovery, Valid Accounts |
None |
Windows Lateral Tool Transfer RemCom |
Lateral Tool Transfer |
Endpoint |
Windows Ldifde Directory Object Behavior |
Ingress Tool Transfer, Domain Groups |
Endpoint |
Windows Linked Policies In ADSI Discovery |
Domain Account, Account Discovery |
None |
Windows Local Administrator Credential Stuffing |
Brute Force, Credential Stuffing |
None |
Windows MOF Event Triggered Execution via WMI |
Windows Management Instrumentation Event Subscription |
Endpoint |
Windows MOVEit Transfer Writing ASPX |
Exploit Public-Facing Application, External Remote Services |
Endpoint |
Windows MSExchange Management Mailbox Cmdlet Usage |
Command and Scripting Interpreter, PowerShell |
None |
Windows MSHTA Child Process |
Mshta, System Binary Proxy Execution |
None |
Windows MSHTA Command-Line URL |
Mshta, System Binary Proxy Execution |
None |
Windows MSHTA Inline HTA Execution |
Mshta, System Binary Proxy Execution |
None |
Windows MSHTA Writing to World Writable Path |
Mshta |
None |
Windows MSIExec DLLRegisterServer |
Msiexec |
Endpoint |
Windows MSIExec Remote Download |
Msiexec |
Endpoint |
Windows MSIExec Spawn Discovery Command |
Msiexec |
Endpoint |
Windows MSIExec Spawn WinDBG |
Msiexec |
Endpoint |
Windows MSIExec Unregister DLLRegisterServer |
Msiexec |
Endpoint |
Windows MSIExec With Network Connections |
Msiexec |
Endpoint, Network_Traffic |
Windows Mail Protocol In Non-Common Process Path |
Mail Protocols, Application Layer Protocol |
None |
Windows Mark Of The Web Bypass |
Mark-of-the-Web Bypass |
None |
Windows Masquerading Explorer As Child Process |
DLL Side-Loading, Hijack Execution Flow |
Endpoint |
Windows Masquerading Msdtc Process |
Masquerading |
Endpoint |
Windows Mimikatz Binary Execution |
OS Credential Dumping |
Endpoint |
Windows Mimikatz Crypto Export File Extensions |
Steal or Forge Authentication Certificates |
Endpoint |
Windows Modify Registry AuthenticationLevelOverride |
Modify Registry |
Authentication, Endpoint |
Windows Modify Registry Auto Minor Updates |
Modify Registry |
Endpoint, Updates |
Windows Modify Registry Auto Update Notif |
Modify Registry |
Endpoint |
Windows Modify Registry Configure BitLocker |
Modify Registry |
Endpoint |
Windows Modify Registry Default Icon Setting |
Modify Registry |
Endpoint |
Windows Modify Registry Delete Firewall Rules |
Modify Registry |
None |
Windows Modify Registry DisAllow Windows App |
Modify Registry |
Endpoint |
Windows Modify Registry Disable RDP |
Modify Registry |
Endpoint |
Windows Modify Registry Disable Restricted Admin |
Modify Registry |
Endpoint |
Windows Modify Registry Disable Toast Notifications |
Modify Registry |
Endpoint |
Windows Modify Registry Disable Win Defender Raw Write Notif |
Modify Registry |
Endpoint |
Windows Modify Registry Disable WinDefender Notifications |
Modify Registry |
Endpoint |
Windows Modify Registry Disable Windows Security Center Notif |
Modify Registry |
Endpoint |
Windows Modify Registry DisableRemoteDesktopAntiAlias |
Modify Registry |
Endpoint |
Windows Modify Registry DisableSecuritySettings |
Modify Registry |
Endpoint |
Windows Modify Registry Disabling WER Settings |
Modify Registry |
Endpoint |
Windows Modify Registry Do Not Connect To Win Update |
Modify Registry |
Endpoint |
Windows Modify Registry DontShowUI |
Modify Registry |
Endpoint |
Windows Modify Registry EnableLinkedConnections |
Modify Registry |
Endpoint |
Windows Modify Registry LongPathsEnabled |
Modify Registry |
Endpoint |
Windows Modify Registry MaxConnectionPerServer |
Modify Registry |
Endpoint |
Windows Modify Registry No Auto Reboot With Logon User |
Modify Registry |
Endpoint |
Windows Modify Registry No Auto Update |
Modify Registry |
Endpoint |
Windows Modify Registry NoChangingWallPaper |
Modify Registry |
Endpoint |
Windows Modify Registry ProxyEnable |
Modify Registry |
Endpoint |
Windows Modify Registry ProxyServer |
Modify Registry |
Endpoint |
Windows Modify Registry Qakbot Binary Data Registry |
Modify Registry |
Endpoint |
Windows Modify Registry Reg Restore |
Query Registry |
Endpoint |
Windows Modify Registry Regedit Silent Reg Import |
Modify Registry |
Endpoint |
Windows Modify Registry Risk Behavior |
Modify Registry |
Risk |
Windows Modify Registry Suppress Win Defender Notif |
Modify Registry |
Endpoint |
Windows Modify Registry Tamper Protection |
Modify Registry |
Endpoint |
Windows Modify Registry USeWuServer |
| Detection | Technique(s) | Data model |
|---|---|---|
| | Modify Registry | Endpoint |
| Windows Modify Registry UpdateServiceUrlAlternate | Modify Registry | Endpoint |
| Windows Modify Registry With MD5 Reg Key Name | Modify Registry | Endpoint |
| Windows Modify Registry WuServer | Modify Registry | Endpoint |
| Windows Modify Registry on Smart Card Group Policy | Modify Registry | Endpoint |
| Windows Modify Registry to Add or Modify Firewall Rule | Modify Registry | Endpoint |
| Windows Modify Registry wuStatusServer | Modify Registry | Endpoint |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | Endpoint |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall, Impair Defenses | Endpoint |
| Windows Mshta Execution In Registry | Mshta | Endpoint |
| Windows MsiExec HideWindow Rundll32 Execution | Msiexec, System Binary Proxy Execution | Endpoint |
| Windows Multi hop Proxy TOR Website Query | Mail Protocols, Application Layer Protocol | None |
| Windows Multiple Account Passwords Changed | Account Manipulation, Valid Accounts | None |
| Windows Multiple Accounts Deleted | Account Manipulation, Valid Accounts | None |
| Windows Multiple Accounts Disabled | Account Manipulation, Valid Accounts | None |
| Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos | Password Spraying, Brute Force | None |
| Windows Multiple Invalid Users Fail To Authenticate Using Kerberos | Password Spraying, Brute Force | None |
| Windows Multiple Invalid Users Failed To Authenticate Using NTLM | Password Spraying, Brute Force | None |
| Windows Multiple NTLM Null Domain Authentications | Brute Force, Password Spraying | None |
| Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Password Spraying, Brute Force | None |
| Windows Multiple Users Failed To Authenticate From Host Using NTLM | Password Spraying, Brute Force | None |
| Windows Multiple Users Failed To Authenticate From Process | Password Spraying, Brute Force | None |
| Windows Multiple Users Failed To Authenticate Using Kerberos | Password Spraying, Brute Force | None |
| Windows Multiple Users Remotely Failed To Authenticate From Host | Password Spraying, Brute Force | None |
| Windows Network Share Interaction With Net | Network Share Discovery, Data from Network Shared Drive | Endpoint |
| Windows New InProcServer32 Added | Modify Registry | Endpoint |
| Windows Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Endpoint |
| Windows NirSoft AdvancedRun | Tool | Endpoint |
| Windows NirSoft Utilities | Tool | Endpoint |
| Windows Njrat Fileless Storage via Registry | Fileless Storage, Obfuscated Files or Information | Endpoint |
| Windows Non Discord App Access Discord LevelDB | Query Registry | None |
| Windows Non-System Account Targeting Lsass | LSASS Memory, OS Credential Dumping | None |
| Windows OS Credential Dumping with Ntdsutil Export NTDS | NTDS, OS Credential Dumping | None |
| Windows OS Credential Dumping with Procdump | LSASS Memory, OS Credential Dumping | None |
| Windows Odbcconf Hunting | Odbcconf | Endpoint |
| Windows Odbcconf Load DLL | Odbcconf | Endpoint |
| Windows Odbcconf Load Response File | Odbcconf | Endpoint |
| Windows Odbcconf Load Response File | Odbcconf, System Binary Proxy Execution | None |
| Windows Office Product Spawning MSDT | Phishing, Spearphishing Attachment | Endpoint |
| Windows Outlook WebView Registry Modification | Modify Registry | Endpoint, Web |
| Windows PaperCut NG Spawn Shell | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | Endpoint |
| Windows Parent PID Spoofing with Explorer | Parent PID Spoofing, Access Token Manipulation | Endpoint |
| Windows Password Managers Discovery | Password Managers | Endpoint |
| Windows Phishing Outlook Drop Dll In FORM Dir | Phishing | Endpoint |
| Windows Phishing PDF File Executes URL Link | Spearphishing Attachment, Phishing | Endpoint |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Endpoint |
| Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | None |
| Windows Post Exploitation Risk Behavior | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Risk |
| Windows PowerShell Add Module to Global Assembly Cache | Server Software Component, IIS Components | None |
| Windows PowerShell Disable HTTP Logging | Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components | Web |
| Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | None |
| Windows PowerShell Export Certificate | Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates | None |
| Windows PowerShell Export PfxCertificate | Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates | None |
| Windows PowerShell Get CIMInstance Remote Computer | PowerShell | None |
| Windows PowerShell IIS Components WebGlobalModule Usage | Server Software Component, IIS Components | Web |
| Windows PowerShell ScheduleTask | Scheduled Task, PowerShell, Command and Scripting Interpreter | None |
| Windows PowerShell Start-BitsTransfer | BITS Jobs, Ingress Tool Transfer | None |
| Windows PowerShell WMI Win32 ScheduledJob | PowerShell, Command and Scripting Interpreter | None |
| Windows PowerSploit GPP Discovery | Unsecured Credentials, Group Policy Preferences | None |
| Windows PowerSploit GPP Discovery | Unsecured Credentials, Group Policy Preferences | None |
| Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | None |
| Windows PowerView Constrained Delegation Discovery | Remote System Discovery | None |
| Windows PowerView Kerberos Service Ticket Request | Steal or Forge Kerberos Tickets, Kerberoasting | None |
| Windows PowerView SPN Discovery | Steal or Forge Kerberos Tickets, Kerberoasting | None |
| Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | None |
| Windows Powershell Connect to Internet With Hidden Window | Automated Exfiltration | None |
| Windows Powershell Cryptography Namespace | PowerShell, Command and Scripting Interpreter | None |
| Windows Powershell DownloadFile | Automated Exfiltration | None |
| Windows Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | None |
| Windows Powershell Import Applocker Policy | PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses | None |
| Windows Powershell RemoteSigned File | PowerShell, Command and Scripting Interpreter | Endpoint |
| Windows Private Keys Discovery | Private Keys, Unsecured Credentials | Endpoint |
| Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | Endpoint |
| Windows Privilege Escalation System Process Without System Parent | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | None |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | Endpoint |
| Windows Privileged Group Modification | Local Account, Domain Account | None |
| Windows Process Commandline Discovery | Process Discovery | Endpoint |
| Windows Process Injection In Non-Service SearchIndexer | Process Injection | Endpoint |
| Windows Process Injection Of Wermgr to Known Browser | Dynamic-link Library Injection, Process Injection | None |
| Windows Process Injection Remote Thread | Process Injection, Portable Executable Injection | None |
| Windows Process Injection Wermgr Child Process | Process Injection | Endpoint |
| Windows Process Injection With Public Source Path | Process Injection, Portable Executable Injection | None |
| Windows Process Injection into Notepad | Process Injection, Portable Executable Injection | None |
| Windows Process With NamedPipe CommandLine | Process Injection | Endpoint |
| Windows Process Writing File to World Writable Path | Mshta | Endpoint |
| Windows Processes Killed By Industroyer2 Malware | Service Stop | None |
| Windows Protocol Tunneling with Plink | Protocol Tunneling, SSH | Endpoint |
| Windows Proxy Via Netsh | Internal Proxy, Proxy | Endpoint |
| Windows Proxy Via Registry | Internal Proxy, Proxy | Endpoint |
| Windows Query Registry Browser List Application | Query Registry | None |
| Windows Query Registry Reg Save | Query Registry | Endpoint |
| Windows Query Registry UnInstall Program List | Query Registry | None |
| Windows RDP Connection Successful | RDP Hijacking | None |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | Endpoint |
| Windows Rapid Authentication On Multiple Hosts | Security Account Manager | None |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | Endpoint |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | None |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | None |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | None |
| Windows Registry BootExecute Modification | Pre-OS Boot, Registry Run Keys / Startup Folder | Endpoint |
| Windows Registry Certificate Added | Install Root Certificate, Subvert Trust Controls | Endpoint |
| Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Endpoint |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Endpoint |
| Windows Registry Payload Injection | Obfuscated Files or Information, Fileless Storage | Endpoint |
| Windows Registry SIP Provider Modification | SIP and Trust Provider Hijacking | Endpoint |
| Windows Regsvr32 Renamed Binary | Regsvr32, System Binary Proxy Execution | Endpoint |
| Windows Remote Access Software BRC4 Loaded Dll | Remote Access Software, OS Credential Dumping | None |
| Windows Remote Access Software Hunt | Remote Access Software | Endpoint |
| Windows Remote Access Software RMS Registry | Remote Access Software | Endpoint |
| Windows Remote Assistance Spawning Process | Process Injection | Endpoint |
| Windows Remote Create Service | Create or Modify System Process, Windows Service | Endpoint |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol, Remote Services | Endpoint |
| Windows Remote Services Allow Rdp In Firewall | Remote Desktop Protocol, Remote Services | Endpoint |
| Windows Remote Services Allow Remote Assistance | Remote Desktop Protocol, Remote Services | Endpoint |
| Windows Remote Services Rdp Enable | Remote Desktop Protocol, Remote Services | Endpoint |
| Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities At exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path | Masquerading, Rename System Utilities | None |
| Windows Replication Through Removable Media | Replication Through Removable Media | Endpoint |
| Windows Root Domain linked policies Discovery | Domain Account, Account Discovery | None |
| Windows Rundll32 Apply User Settings Changes | System Binary Proxy Execution, Rundll32 | Endpoint |
| Windows Rundll32 Comsvcs Memory Dump | NTDS, OS Credential Dumping | None |
| Windows Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | None |
| Windows Rundll32 WebDAV Request | Exfiltration Over Unencrypted Non-C2 Protocol | Endpoint |
| Windows Rundll32 WebDav With Network Connection | Exfiltration Over Unencrypted Non-C2 Protocol | Endpoint, Network_Traffic |
| Windows SIP Provider Inventory | SIP and Trust Provider Hijacking | None |
| Windows SIP WinVerifyTrust Failed Trust Validation | SIP and Trust Provider Hijacking | None |
| Windows SOAPHound Binary Execution | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Endpoint |
| Windows SQL Spawning CertUtil | Ingress Tool Transfer | Endpoint |
| Windows Scheduled Task Created Via XML | Scheduled Task, Scheduled Task/Job | Endpoint |
| Windows Scheduled Task Service Spawned Shell | Scheduled Task, Command and Scripting Interpreter | Endpoint |
| Windows Scheduled Task with Highest Privileges | Scheduled Task/Job, Scheduled Task | Endpoint |
| Windows Schtasks Create Run As System | Scheduled Task, Scheduled Task/Job | Endpoint |
| Windows Screen Capture Via Powershell | Screen Capture | None |
| Windows Screen Capture Via Powershell | Screen Capture | None |
| Windows Script Host Spawn MSBuild | MSBuild, Trusted Developer Utilities Proxy Execution | None |
| Windows Security Account Manager Stopped | Service Stop | Endpoint |
| Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Endpoint |
| Windows Server Software Component GACUtil Install to GAC | Server Software Component, IIS Components | Endpoint |
| Windows Service Create Kernel Mode Driver | Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation | Endpoint |
| Windows Service Create RemComSvc | Windows Service, Create or Modify System Process | None |
| Windows Service Create SliverC2 | System Services, Service Execution | None |
| Windows Service Create with Tscon | RDP Hijacking, Remote Service Session Hijacking, Windows Service | Endpoint |
| Windows Service Created Within Public Path | Create or Modify System Process, Windows Service | None |
| Windows Service Created with Suspicious Service Path | System Services, Service Execution | None |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Endpoint |
| Windows Service Creation on Remote Endpoint | Create or Modify System Process, Windows Service | Endpoint |
| Windows Service Deletion In Registry | Service Stop | Endpoint |
| Windows Service Initiation on Remote Endpoint | Create or Modify System Process, Windows Service | Endpoint |
| Windows Service Stop By Deletion | Service Stop | Endpoint |
| Windows Service Stop Via Net and SC Application | Service Stop | Endpoint |
| Windows Service Stop Win Updates | Service Stop | None |
| Windows Snake Malware File Modification Crmlog | Obfuscated Files or Information | Endpoint |
| Windows Snake Malware Kernel Driver Comadmin | Kernel Modules and Extensions | Endpoint |
| Windows Snake Malware Registry Modification wav OpenWithProgIds | Modify Registry | Endpoint |
| Windows Snake Malware Service Create | Kernel Modules and Extensions, Service Execution | None |
| Windows Spearphishing Attachment Connect To None MS Office Domain | Spearphishing Attachment, Phishing | None |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment, Phishing | Endpoint |
| Windows Special Privileged Logon On Multiple Hosts | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | None |
| Windows SqlWriter SQLDumper DLL Sideload | DLL Side-Loading | None |
| Windows Steal Authentication Certificates - ESC1 Abuse | Steal or Forge Authentication Certificates | None |
| Windows Steal Authentication Certificates - ESC1 Authentication | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | None |
| Windows Steal Authentication Certificates CS Backup | Steal or Forge Authentication Certificates | None |
| Windows Steal Authentication Certificates CertUtil Backup | Steal or Forge Authentication Certificates | Endpoint |
| Windows Steal Authentication Certificates Certificate Issued | Steal or Forge Authentication Certificates | None |
| Windows Steal Authentication Certificates Certificate Request | Steal or Forge Authentication Certificates | None |
| Windows Steal Authentication Certificates CryptoAPI | Steal or Forge Authentication Certificates | None |
| Windows Steal Authentication Certificates Export Certificate | Steal or Forge Authentication Certificates | Endpoint |
| Windows Steal Authentication Certificates Export PfxCertificate | Steal or Forge Authentication Certificates | Endpoint |
| Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Endpoint |
| Windows Suspect Process With Authentication Traffic | Account Discovery, Domain Account, User Execution, Malicious File | Network_Traffic |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File, System Binary Proxy Execution | Endpoint |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File, System Binary Proxy Execution | None |
| Windows System Binary Proxy Execution Compiled HTML File URL In Command Line | Compiled HTML File, System Binary Proxy Execution | None |
| Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers | Compiled HTML File, System Binary Proxy Execution | None |
| Windows System Binary Proxy Execution MSIExec DLLRegisterServer | Msiexec | None |
| Windows System Binary Proxy Execution MSIExec Remote Download | Msiexec | None |
| Windows System Binary Proxy Execution MSIExec Unregister DLL | Msiexec | None |
| Windows System Discovery Using Qwinsta | System Owner/User Discovery | Endpoint |
| Windows System Discovery Using ldap Nslookup | System Owner/User Discovery | Endpoint |
| Windows System File on Disk | Exploitation for Privilege Escalation | Endpoint |
| Windows System LogOff Commandline | System Shutdown/Reboot | Endpoint |
| Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Endpoint |
| Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Endpoint |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Endpoint |
| Windows System Script Proxy Execution Syncappvpublishingserver | System Script Proxy Execution, System Binary Proxy Execution | Endpoint |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Endpoint |
| Windows System Time Discovery W32tm Delay | System Time Discovery | Endpoint |
| Windows System User Discovery Via Quser | System Owner/User Discovery | Endpoint |
| Windows System User Privilege Discovery | System Owner/User Discovery | Endpoint |
| Windows Terminating Lsass Process | Disable or Modify Tools, Impair Defenses | None |
| Windows Time Based Evasion | Virtualization/Sandbox Evasion, Time Based Evasion | Endpoint |
| Windows Time Based Evasion via Choice Exec | Time Based Evasion, Virtualization/Sandbox Evasion | Endpoint |
| Windows UAC Bypass Suspicious Child Process | Abuse Elevation Control Mechanism, Bypass User Account Control | Endpoint |
| Windows UAC Bypass Suspicious Escalation Behavior | Abuse Elevation Control Mechanism, Bypass User Account Control | Endpoint |
| Windows Unsecured Outlook Credentials Access In Registry | Unsecured Credentials | None |
| Windows Unsigned DLL Side-Loading | DLL Side-Loading | None |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL Side-Loading, Hijack Execution Flow | None |
| Windows Unsigned MS DLL Side-Loading | DLL Side-Loading, Boot or Logon Autostart Execution | None |
| Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Users Failed To Authenticate From Process | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Users Failed To Authenticate Using NTLM | Password Spraying, Brute Force | None |
| Windows Unusual Count Of Users Remotely Failed To Auth From Host | Password Spraying, Brute Force | None |
| Windows Unusual NTLM Authentication Destinations By Source | Brute Force, Password Spraying | None |
| Windows Unusual NTLM Authentication Destinations By User | Brute Force, Password Spraying | None |
| Windows Unusual NTLM Authentication Users By Destination | Brute Force, Password Spraying | None |
| Windows Unusual NTLM Authentication Users By Source | Brute Force, Password Spraying | None |
| Windows User Execution Malicious URL Shortcut File | Malicious File, User Execution | Endpoint |
| Windows Valid Account With Never Expires Password | Service Stop | Endpoint |
| Windows Vulnerable 3CX Software | Compromise Software Supply Chain | None |
| Windows Vulnerable Driver Installed | Windows Service | None |
| Windows Vulnerable Driver Loaded | Windows Service | None |
| Windows WMI Impersonate Token | Windows Management Instrumentation | None |
| Windows WMI Process And Service List | Windows Management Instrumentation | Endpoint |
| Windows WMI Process Call Create | Windows Management Instrumentation | Endpoint |
| Windows WMIPrvse Spawn MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | None |
| Windows WinDBG Spawning AutoIt3 | Command and Scripting Interpreter | Endpoint |
| Windows WinLogon with Public Network Connection | Bootkit | Endpoint, Network_Traffic |
| Winhlp32 Spawning a Process | Process Injection | Endpoint |
| Winword Spawning Cmd | Phishing, Spearphishing Attachment | Endpoint |
| Winword Spawning PowerShell | Phishing, Spearphishing Attachment | Endpoint |
| Winword Spawning Windows Script Host | Phishing, Spearphishing Attachment | Endpoint |
| Wmic Group Discovery | Permission Groups Discovery, Local Groups | Endpoint |
| Wmic NonInteractive App Uninstallation | Disable or Modify Tools, Impair Defenses | Endpoint |
| Wmiprsve LOLBAS Execution Process Spawn | Windows Management Instrumentation | Endpoint |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Endpoint |
| Wsmprovhost LOLBAS Execution Process Spawn | Remote Services, Windows Remote Management | Endpoint |
| XMRIG Driver Loaded | Windows Service, Create or Modify System Process | None |
| XSL Script Execution With WMIC | XSL Script Processing | Endpoint |