Experimental

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Windows Common Abused Cmd Shell Risk Behavior

File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...

PowerShell 4104 Hunting

Command and Scripting Interpreter, PowerShell

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Domain Group Discovery With Net

Permission Groups Discovery, Domain Groups

Windows Scheduled Task Service Spawned Shell

Scheduled Task, Command and Scripting Interpreter

Suspicious Process Executed From Container File

Malicious File, Masquerade File Type

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Attempt To Stop Security Service

Disable or Modify Tools, Impair Defenses

Windows AdFind Exe

Remote System Discovery

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Raw Access To Disk Volume Partition

Disk Structure Wipe, Disk Wipe

Executables Or Script Creation In Suspicious Path

Masquerading

Suspicious Process File Path

Create or Modify System Process

Domain Account Discovery With Net App

Domain Account, Account Discovery

Windows Suspect Process With Authentication Traffic

Account Discovery, Domain Account, User Execution, Malicious File

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Service Stop Via Net and SC Application

Service Stop

Windows Raw Access To Master Boot Record Drive

Disk Structure Wipe, Disk Wipe

SAM Database File Access Attempt

Security Account Manager, OS Credential Dumping

SecretDumps Offline NTDS Dumping Tool

NTDS, OS Credential Dumping

Net Localgroup Discovery

Permission Groups Discovery, Local Groups

PowerShell Script Block With URL Chain

PowerShell, Ingress Tool Transfer

Excessive Usage Of Net App

Account Access Removal

Remote WMI Command Attempt

Windows Management Instrumentation

Deleting Of Net Users

Account Access Removal

Windows Service Stop By Deletion

Service Stop

PowerShell WebRequest Using Memory Stream

PowerShell, Ingress Tool Transfer, Fileless Storage

Windows PowerShell ScheduleTask

Scheduled Task, PowerShell, Command and Scripting Interpreter

Registry Keys Used For Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Icacls Deny Command

File and Directory Permissions Modification

Windows Files and Dirs Access Rights Modification Via Icacls

Windows File and Directory Permissions Modification, File and Directory Permissions Modification

ICACLS Grant Command

File and Directory Permissions Modification

Windows AD Privileged Object Access Activity

Account Discovery, Domain Account

Windows MOVEit Transfer Writing ASPX

Exploit Public-Facing Application, External Remote Services

Windows AD Abnormal Object Access Activity

Account Discovery, Domain Account

Windows Steal Authentication Certificates - ESC1 Authentication

Steal or Forge Authentication Certificates, Use Alternate Authentication Material

Windows Proxy Via Netsh

Internal Proxy, Proxy

Windows Ldifde Directory Object Behavior

Ingress Tool Transfer, Domain Groups

Windows Proxy Via Registry

Internal Proxy, Proxy

Network Share Discovery Via Dir Command

Network Share Discovery

Active Directory Privilege Escalation Identified

Domain Policy Modification

Windows PaperCut NG Spawn Shell

Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services

PaperCut NG Suspicious Behavior Debug Log

Exploit Public-Facing Application, External Remote Services

Windows Snake Malware Service Create

Kernel Modules and Extensions, Service Execution

Windows Snake Malware Kernel Driver Comadmin

Kernel Modules and Extensions

Windows Snake Malware File Modification Crmlog

Obfuscated Files or Information

Windows Snake Malware Registry Modification wav OpenWithProgIds

Modify Registry

Windows Registry BootExecute Modification

Pre-OS Boot, Registry Run Keys / Startup Folder

Windows WinLogon with Public Network Connection

Bootkit

Windows PowerSploit GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows File Share Discovery With Powerview

Unsecured Credentials, Group Policy Preferences

Windows Default Group Policy Object Modified with GPME

Domain Policy Modification, Group Policy Modification

Windows Findstr GPP Discovery

Unsecured Credentials, Group Policy Preferences

Steal or Forge Authentication Certificates Behavior Identified

Steal or Forge Authentication Certificates

Disabling CMD Application

Disable or Modify Tools, Impair Defenses, Modify Registry

Active Setup Registry Autostart

Active Setup, Boot or Logon Autostart Execution

Monitor Registry Keys for Print Monitors

Port Monitors, Boot or Logon Autostart Execution

Registry Keys for Creating SHIM Databases

Application Shimming, Event Triggered Execution

Disabling SystemRestore In Registry

Inhibit System Recovery

Disable ETW Through Registry

Disable or Modify Tools, Impair Defenses

Linux High Frequency Of File Deletion In Boot Folder

Data Destruction, File Deletion, Indicator Removal

Disabling NoRun Windows App

Disable or Modify Tools, Impair Defenses, Modify Registry

Disabling Task Manager

Disable or Modify Tools, Impair Defenses

Disable Registry Tool

Disable or Modify Tools, Impair Defenses, Modify Registry

Windows Hide Notification Features Through Registry

Modify Registry

Registry Keys Used For Privilege Escalation

Image File Execution Options Injection, Event Triggered Execution

Windows Disable Lock Workstation Feature Through Registry

Modify Registry

Windows Registry Modification for Safe Mode Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows Modify Show Compress Color And Info Tip Registry

Modify Registry

Linux Deletion Of Services

Data Destruction, File Deletion, Indicator Removal

Windows Disable LogOff Button Through Registry

Modify Registry

Linux High Frequency Of File Deletion In Etc Folder

Data Destruction, File Deletion, Indicator Removal

Enable RDP In Other Port Number

Remote Services

Disable UAC Remote Restriction

Bypass User Account Control, Abuse Elevation Control Mechanism

Disabling Defender Services

Disable or Modify Tools, Impair Defenses

ETW Registry Disabled

Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses

Disable Defender Spynet Reporting

Disable or Modify Tools, Impair Defenses

Linux Deletion of SSL Certificate

Data Destruction, File Deletion, Indicator Removal

Disabling FolderOptions Windows Feature

Disable or Modify Tools, Impair Defenses

Hide User Account From Sign-In Screen

Disable or Modify Tools, Impair Defenses

Disable Windows Behavior Monitoring

Disable or Modify Tools, Impair Defenses

Linux Account Manipulation Of SSH Config and Keys

Data Destruction, File Deletion, Indicator Removal

Disable Defender Submit Samples Consent Feature

Disable or Modify Tools, Impair Defenses

Linux Deletion Of Init Daemon Script

Data Destruction, File Deletion, Indicator Removal

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

Disabling ControlPanel

Disable or Modify Tools, Impair Defenses, Modify Registry

Disable Windows SmartScreen Protection

Disable or Modify Tools, Impair Defenses

Windows Disable Windows Group Policy Features Through Registry

Modify Registry

Windows Registry Certificate Added

Install Root Certificate, Subvert Trust Controls

Time Provider Persistence Registry

Time Providers, Boot or Logon Autostart Execution

Windows Disable Memory Crash Dump

Data Destruction

Windows Disable Shutdown Button Through Registry

Modify Registry

Linux Deletion Of Cron Jobs

Data Destruction, File Deletion, Indicator Removal

Disable Security Logs Using MiniNt Registry

Modify Registry

Windows Service Creation Using Registry Entry

Services Registry Permissions Weakness

Windows Disable Notification Center

Modify Registry

Disable Windows App Hotkeys

Disable or Modify Tools, Impair Defenses, Modify Registry

Windows Defender Exclusion Registry Entry

Disable or Modify Tools, Impair Defenses

Windows Disable Change Password Through Registry

Modify Registry

Windows Credentials from Password Stores Chrome Login Data Access

Query Registry

Enable WDigest UseLogonCredential Registry

Modify Registry, OS Credential Dumping

Detect RTLO In File Name

Right-to-Left Override, Masquerading

Windows Credentials from Password Stores Chrome LocalState Access

Query Registry

Windows Credentials from Password Stores Chrome Extension Access

Query Registry

Detect RTLO In Process

Right-to-Left Override, Masquerading

Non Firefox Process Access Firefox Profile Dir

Credentials from Password Stores, Credentials from Web Browsers

Windows Event For Service Disabled

Disable or Modify Tools, Impair Defenses

Non Chrome Process Accessing Chrome Default Dir

Credentials from Password Stores, Credentials from Web Browsers

Windows Query Registry UnInstall Program List

Query Registry

Windows Query Registry Browser List Application

Query Registry

Windows DisableAntiSpyware Registry

Disable or Modify Tools, Impair Defenses

Windows Default Group Policy Object Modified with GPME

Domain Policy Modification, Group Policy Modification

Windows Modify Registry No Auto Update

Modify Registry

Windows Modify Registry Do Not Connect To Win Update

Modify Registry

Windows Modify Registry UpdateServiceUrlAlternate

Modify Registry

Windows Modify Registry USeWuServer

Modify Registry

Windows Modify Registry Auto Minor Updates

Modify Registry

Windows Modify Registry WuServer

Modify Registry

Windows Modify Registry Disable WinDefender Notifications

Modify Registry

Windows Modify Registry No Auto Reboot With Logon User

Modify Registry

Windows Modify Registry Auto Update Notif

Modify Registry

Windows Modify Registry Tamper Protection

Modify Registry

Windows Service Stop Win Updates

Service Stop

Windows Modify Registry wuStatusServer

Modify Registry

Windows PowerView AD Access Control List Enumeration

Domain Accounts, Permission Groups Discovery

Active Directory Lateral Movement Identified

Exploitation of Remote Services

Windows RDP Connection Successful

RDP Hijacking

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Process Deleting Its Process File Path

Indicator Removal

Regsvr32 Silent and Install Param Dll Loading

System Binary Proxy Execution, Regsvr32

Linux Disable Services

Service Stop

PowerShell - Connect To Internet With Hidden Window

PowerShell, Command and Scripting Interpreter

Attempted Credential Dump From Registry via Reg exe

Security Account Manager, OS Credential Dumping

Linux Unix Shell Enable All SysRq Functions

Unix Shell, Command and Scripting Interpreter

Linux System Reboot Via System Request Key

System Shutdown/Reboot

PowerShell Domain Enumeration

Command and Scripting Interpreter, PowerShell

Linux Indicator Removal Clear Cache

Indicator Removal

AdsiSearcher Account Discovery

Domain Account, Account Discovery

Linux Stdout Redirection To Dev Null File

Disable or Modify System Firewall, Impair Defenses

Windows InstallUtil in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows Processes Killed By Industroyer2 Malware

Service Stop

Linux Stop Services

Service Stop

Ping Sleep Batch Command

Virtualization/Sandbox Evasion, Time Based Evasion

Malicious PowerShell Process With Obfuscation Techniques

Command and Scripting Interpreter, PowerShell

MSI Module Loaded by Non-System Binary

DLL Side-Loading, Hijack Execution Flow

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Powershell Using memory As Backing Store

PowerShell, Command and Scripting Interpreter

Set Default PowerShell Execution Policy To Unrestricted or Bypass

Command and Scripting Interpreter, PowerShell

Linux Hardware Addition SwapOff

Hardware Additions

Linux Shred Overwrite Command

Data Destruction

Detect Empire with PowerShell Script Block Logging

Command and Scripting Interpreter, PowerShell

Windows NirSoft AdvancedRun

Tool

Schtasks Run Task On Demand

Scheduled Task/Job

WMI Recon Running Process Or Services

Gather Victim Host Information

Excessive File Deletion In WinDefender Folder

Data Destruction

Linux Data Destruction Command

Data Destruction

Powershell Enable SMB1Protocol Feature

Obfuscated Files or Information, Indicator Removal from Tools

Powershell Remove Windows Defender Directory

Disable or Modify Tools, Impair Defenses

Child Processes of Spoolsv exe

Exploitation for Privilege Escalation

Powershell Fileless Process Injection via GetProcAddress

Command and Scripting Interpreter, Process Injection, PowerShell

Unloading AMSI via Reflection

Impair Defenses, PowerShell, Command and Scripting Interpreter

Linux DD File Overwrite

Data Destruction

Powershell Windows Defender Exclusion Commands

Disable or Modify Tools, Impair Defenses

Dump LSASS via comsvcs DLL

LSASS Memory, OS Credential Dumping

Windows Root Domain linked policies Discovery

Domain Account, Account Discovery

Linux Java Spawning Shell

Exploit Public-Facing Application, External Remote Services

Windows Terminating Lsass Process

Disable or Modify Tools, Impair Defenses

Add or Set Windows Defender Exclusion

Disable or Modify Tools, Impair Defenses

Linux Indicator Removal Service File Deletion

File Deletion, Indicator Removal

Powershell Execute COM Object

Component Object Model Hijacking, Event Triggered Execution, PowerShell

Kerberoasting spn request with RC4 encryption

Steal or Forge Kerberos Tickets, Kerberoasting

Windows NirSoft Utilities

Tool

Screensaver Event Trigger Execution

Event Triggered Execution, Screensaver

Linux System Network Discovery

System Network Configuration Discovery

Linux Adding Crontab Using List Parameter

Cron, Scheduled Task/Job

Windows Linked Policies In ADSI Discovery

Domain Account, Account Discovery

Windows BootLoader Inventory

System Firmware, Pre-OS Boot

Suspicious Process With Discord DNS Query

Visual Basic, Command and Scripting Interpreter

Logon Script Event Trigger Execution

Boot or Logon Initialization Scripts, Logon Script (Windows)

Runas Execution in CommandLine

Access Token Manipulation, Token Impersonation/Theft

Change Default File Association

Change Default File Association, Event Triggered Execution

Windows High File Deletion Frequency

Data Destruction

Linux Impair Defenses Process Kill

Disable or Modify Tools, Impair Defenses

Suspicious Process DNS Query Known Abuse Web Services

Visual Basic, Command and Scripting Interpreter

Windows Data Destruction Recursive Exec Files Deletion

Data Destruction

Linux Deleting Critical Directory Using RM Command

Data Destruction

Recon AVProduct Through Pwh or WMI

Gather Victim Host Information

Print Processor Registry Autostart

Print Processors, Boot or Logon Autostart Execution

Wscript Or Cscript Suspicious Child Process

Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation

Any Powershell DownloadFile

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows Deleted Registry By A Non Critical Process File Path

Modify Registry

Overwriting Accessibility Binaries

Event Triggered Execution, Accessibility Features

Windows File Without Extension In Critical Folder

Data Destruction

Powershell Processing Stream Of Data

Command and Scripting Interpreter, PowerShell

Windows Hidden Schedule Task Settings

Scheduled Task/Job

Linux Service Restarted

Systemd Timers, Scheduled Task/Job

Recon Using WMI Class

Gather Victim Host Information, PowerShell

Windows Impair Defenses Disable HVCI

Disable or Modify Tools, Impair Defenses

Linux Iptables Firewall Modification

Disable or Modify System Firewall, Impair Defenses

Linux Kworker Process In Writable Process Path

Masquerade Task or Service, Masquerading

Batch File Write to System32

User Execution, Malicious File

Disable Defender MpEngine Registry

Disable or Modify Tools, Impair Defenses

Disable Defender AntiVirus Registry

Disable or Modify Tools, Impair Defenses

Disable AMSI Through Registry

Disable or Modify Tools, Impair Defenses

Disable Defender BlockAtFirstSeen Feature

Disable or Modify Tools, Impair Defenses

Auto Admin Logon Registry Entry

Credentials in Registry, Unsecured Credentials

Windows Admon Group Policy Object Created

Domain Policy Modification, Group Policy Modification

Windows DnsAdmins New Member Added

Account Manipulation

Scheduled Task Deleted Or Created via CMD

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell

Account Discovery, Local Account

WinEvent Windows Task Scheduler Event Action Started

Scheduled Task

Powershell Fileless Script Contains Base64 Encoded Content

Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell

System User Discovery With Whoami

System Owner/User Discovery

PowerShell Loading DotNET into Memory via Reflection

Command and Scripting Interpreter, PowerShell

Windows Scheduled Task Created Via XML

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Windows Screen Capture Via Powershell

Screen Capture

WinEvent Scheduled Task Created Within Public Path

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Powershell UploadString

Exfiltration Over C2 Channel

CMD Carry Out String Command Parameter

Windows Command Shell, Command and Scripting Interpreter

Schedule Task with HTTP Command Arguments

Scheduled Task/Job

Any Powershell DownloadString

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows DNS Gather Network Info

DNS

WinEvent Scheduled Task Created to Spawn Shell

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Invoke RestMethod

Exfiltration Over C2 Channel

Windows Vulnerable 3CX Software

Compromise Software Supply Chain

3CX Supply Chain Attack Network Indicators

Compromise Software Supply Chain

Hunting 3CXDesktopApp Software

Compromise Software Supply Chain

Add DefaultUser And Password In Registry

Credentials in Registry, Unsecured Credentials

Windows Service Create with Tscon

RDP Hijacking, Remote Service Session Hijacking, Windows Service

Windows Admon Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Allow Operation with Consent Admin

Abuse Elevation Control Mechanism

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Windows Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Windows PowerShell Get CIMInstance Remote Computer

PowerShell

Windows Special Privileged Logon On Multiple Hosts

Account Discovery, SMB/Windows Admin Shares, Network Share Discovery

Windows PowerShell WMI Win32 ScheduledJob

PowerShell, Command and Scripting Interpreter

Windows Group Policy Object Created

Domain Policy Modification, Group Policy Modification, Domain Accounts

Windows Enable Win32 ScheduledJob via Registry

Scheduled Task

PowerShell Start or Stop Service

PowerShell

Windows Administrative Shares Accessed On Multiple Hosts

Network Share Discovery

Windows Rapid Authentication On Multiple Hosts

Security Account Manager

PowerShell Invoke CIMMethod CIMSession

Windows Management Instrumentation

PowerShell Enable PowerShell Remoting

PowerShell, Command and Scripting Interpreter

Windows Local Administrator Credential Stuffing

Brute Force, Credential Stuffing

PowerShell Invoke WmiExec Usage

Windows Management Instrumentation

Windows Lateral Tool Transfer RemCom

Lateral Tool Transfer

Windows File Share Discovery With Powerview

Network Share Discovery

Windows Large Number of Computer Service Tickets Requested

Network Share Discovery, Valid Accounts

Windows Remote Create Service

Create or Modify System Process, Windows Service

Windows Service Create RemComSvc

Windows Service, Create or Modify System Process

Clop Common Exec Parameter

User Execution

Windows Rundll32 WebDav With Network Connection

Exfiltration Over Unencrypted Non-C2 Protocol

Windows Findstr GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows PowerSploit GPP Discovery

Unsecured Credentials, Group Policy Preferences

Msmpeng Application DLL Side Loading

DLL Side-Loading, Hijack Execution Flow

Windows Rundll32 WebDAV Request

Exfiltration Over Unencrypted Non-C2 Protocol

Linux SSH Remote Services Script Execute

SSH

Windows Service Create SliverC2

System Services, Service Execution

Suspicious Regsvr32 Register Suspicious Path

System Binary Proxy Execution, Regsvr32

Windows Driver Load Non-Standard Path

Rootkit, Exploitation for Privilege Escalation

Windows Process Injection into Notepad

Process Injection, Portable Executable Injection

Notepad with no Command Line Arguments

Process Injection

Office Product Writing cab or inf

Phishing, Spearphishing Attachment

Office Document Creating Schedule Task

Phishing, Spearphishing Attachment

Office Application Spawn rundll32 process

Phishing, Spearphishing Attachment

Office Application Drop Executable

Phishing, Spearphishing Attachment

Office Application Spawn Regsvr32 process

Phishing, Spearphishing Attachment

Windows Spearphishing Attachment Connect To None MS Office Domain

Spearphishing Attachment, Phishing

Windows Office Product Spawning MSDT

Phishing, Spearphishing Attachment

Office Spawning Control

Phishing, Spearphishing Attachment

Windows Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CryptoAPI

Steal or Forge Authentication Certificates

Detect Outlook exe writing a zip file

Phishing, Spearphishing Attachment

Windows Mimikatz Crypto Export File Extensions

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CertUtil Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CS Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Issued

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Request

Steal or Forge Authentication Certificates

Windows Driver Inventory

Exploitation for Privilege Escalation

Windows PowerShell Export PfxCertificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Export Certificate

Steal or Forge Authentication Certificates

Windows PowerShell Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Export PfxCertificate

Steal or Forge Authentication Certificates

Windows AD Domain Controller Audit Policy Disabled

Disable or Modify Tools

Windows Powershell Cryptography Namespace

PowerShell, Command and Scripting Interpreter

Windows AD Domain Controller Promotion

Rogue Domain Controller

Windows Scheduled Task with Highest Privileges

Scheduled Task/Job, Scheduled Task

Office Document Executing Macro Code

Phishing, Spearphishing Attachment

Windows Spearphishing Attachment Onenote Spawn Mshta

Spearphishing Attachment, Phishing

Windows Credential Dumping LSASS Memory Createdump

LSASS Memory

Detect suspicious processnames using pretrained model in DSDL

Command and Scripting Interpreter

Windows Java Spawning Shells

Exploit Public-Facing Application, External Remote Services

Windows PowerShell Add Module to Global Assembly Cache

Server Software Component, IIS Components

Windows Phishing PDF File Executes URL Link

Spearphishing Attachment, Phishing

Windows Server Software Component GACUtil Install to GAC

Server Software Component, IIS Components

Windows Replication Through Removable Media

Replication Through Removable Media

Windows Modify Registry Default Icon Setting

Modify Registry

Windows Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Linux Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Windows Boot or Logon Autostart Execution In Startup Folder

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows User Execution Malicious URL Shortcut File

Malicious File, User Execution

Account Discovery With Net App

Domain Account, Account Discovery

Windows DLL Search Order Hijacking Hunt with Sysmon

DLL Search Order Hijacking, Hijack Execution Flow

Windows DLL Search Order Hijacking Hunt

DLL Search Order Hijacking, Hijack Execution Flow

Windows PowerShell IIS Components WebGlobalModule Usage

Server Software Component, IIS Components

Windows PowerShell Disable HTTP Logging

Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components

Windows Disable Windows Event Logging Disable HTTP Logging

Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components

Windows IIS Components Module Failed to Load

Server Software Component, IIS Components

Windows IIS Components Get-WebGlobalModule Module Query

IIS Components, Server Software Component

Windows IIS Components New Module Added

Server Software Component, IIS Components

Windows IIS Components Add New Module

Server Software Component, IIS Components

Windows Modify Registry Reg Restore

Query Registry

Windows Query Registry Reg Save

Query Registry

Windows Vulnerable Driver Loaded

Windows Service

Windows WMI Process And Service List

Windows Management Instrumentation

Windows System Network Config Discovery Display DNS

System Network Configuration Discovery

Windows Change Default File Association For No File Ext

Change Default File Association, Event Triggered Execution

Windows Credentials from Password Stores Query

Credentials from Password Stores

Windows Indirect Command Execution Via Series Of Forfiles

Indirect Command Execution

Windows System Network Connections Discovery Netsh

System Network Connections Discovery

Windows ClipBoard Data via Get-ClipBoard

Clipboard Data

Windows Credentials in Registry Reg Query

Credentials in Registry, Unsecured Credentials

Windows Password Managers Discovery

Password Managers

Windows Private Keys Discovery

Private Keys, Unsecured Credentials

Windows Cached Domain Credentials Reg Query

Cached Domain Credentials, OS Credential Dumping

Windows Security Support Provider Reg Query

Security Support Provider, Boot or Logon Autostart Execution

Windows Information Discovery Fsutil

System Information Discovery

Windows System User Discovery Via Quser

System Owner/User Discovery

Windows Steal or Forge Kerberos Tickets Klist

Steal or Forge Kerberos Tickets

BITSAdmin Download File

BITS Jobs, Ingress Tool Transfer

Powershell Load Module in Meterpreter

Command and Scripting Interpreter, PowerShell

Windows Apache Benchmark Binary

Command and Scripting Interpreter

Windows AD Short Lived Domain Account ServicePrincipalName

Account Manipulation

Windows AD Domain Replication ACL Addition

Domain Policy Modification

Windows AD ServicePrincipalName Added To Domain Account

Account Manipulation

Windows AD Replication Request Initiated from Unsanctioned Location

DCSync, OS Credential Dumping

Windows AD Cross Domain SID History Addition

SID-History Injection, Access Token Manipulation

Windows Mimikatz Binary Execution

OS Credential Dumping

Windows AD SID History Attribute Modified

Access Token Manipulation, SID-History Injection

Remote Process Instantiation via WMI and PowerShell Script Block

Windows Management Instrumentation

Windows AD AdminSDHolder ACL Modified

Event Triggered Execution

Remcos client registry install entry

Modify Registry

Revil Registry Entry

Modify Registry

Disable Defender Enhanced Notification

Disable or Modify Tools, Impair Defenses

Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Sdclt UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

Eventvwr UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

WSReset UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

SilentCleanup UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Service Created with Suspicious Service Path

System Services, Service Execution

Get DomainUser with PowerShell Script Block

Domain Account, Account Discovery

Recursive Delete of Directory In Batch CMD

File Deletion, Indicator Removal

Common Ransomware Extensions

Data Destruction

Windows App Layer Protocol Qakbot NamedPipe

Application Layer Protocol

Detect Rare Executables

Windows Modify Registry Qakbot Binary Data Registry

Modify Registry

Windows Process Injection Of Wermgr to Known Browser

Dynamic-link Library Injection, Process Injection

Windows App Layer Protocol Wermgr Connect To NamedPipe

Application Layer Protocol

Windows Regsvr32 Renamed Binary

Regsvr32, System Binary Proxy Execution

Cmdline Tool Not Executed In CMD Shell

Command and Scripting Interpreter, JavaScript

Windows Process Injection Wermgr Child Process

Process Injection

Windows Command Shell Fetch Env Variables

Process Injection

Windows WMI Impersonate Token

Windows Management Instrumentation

Windows DLL Side-Loading In Calc

DLL Side-Loading, Hijack Execution Flow

Windows System Discovery Using Qwinsta

System Owner/User Discovery

Windows System Discovery Using ldap Nslookup

System Owner/User Discovery

Windows Masquerading Explorer As Child Process

DLL Side-Loading, Hijack Execution Flow

Windows DLL Side-Loading Process Child Of Calc

DLL Side-Loading, Hijack Execution Flow

Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities At exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows AD Short Lived Server Object

Rogue Domain Controller

Windows Mshta Execution In Registry

Mshta

Office Product Spawning Windows Script Host

Phishing, Spearphishing Attachment

Windows Exchange PowerShell Module Usage

Command and Scripting Interpreter, PowerShell

Windows COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Event Triggered Execution

Detect SharpHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Windows Create Local Account

Local Account, Create Account

Powershell COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell

Windows COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Event Triggered Execution

Windows System Script Proxy Execution Syncappvpublishingserver

System Script Proxy Execution, System Binary Proxy Execution

Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Remotely Failed To Auth From Host

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

Password Spraying, Brute Force

Windows ISO LNK File Creation

Spearphishing Attachment, Phishing, Malicious Link, User Execution

Windows Phishing Recent ISO Exec Registry

Spearphishing Attachment, Phishing

Windows Mail Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Multi hop Proxy TOR Website Query

Mail Protocols, Application Layer Protocol

Windows File Transfer Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Windows Protocol Tunneling with Plink

Protocol Tunneling, SSH

Windows Odbcconf Load Response File

Odbcconf, System Binary Proxy Execution

High Process Termination Frequency

Data Encrypted for Impact

Windows Identify Protocol Handlers

Command and Scripting Interpreter

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Get ADUser with PowerShell Script Block

Domain Account, Account Discovery

Windows AD Privileged Account SID History Addition

SID-History Injection, Access Token Manipulation

Log4Shell CVE-2021-44228 Exploitation

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Windows AD Same Domain SID History Addition

SID-History Injection, Access Token Manipulation

Disabling Windows Local Security Authority Defences via Registry

Modify Authentication Process

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Windows Event Triggered Image File Execution Options Injection

Image File Execution Options Injection

Windows AD DSRM Password Reset

Account Manipulation

Windows AD Replication Request Initiated by User Account

DCSync, OS Credential Dumping

Windows AD DSRM Account Changes

Account Manipulation

Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers

Compiled HTML File, System Binary Proxy Execution

Windows AD Short Lived Domain Controller SPN Attribute

Rogue Domain Controller

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows System Binary Proxy Execution Compiled HTML File URL In Command Line

Compiled HTML File, System Binary Proxy Execution

Windows OS Credential Dumping with Procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Unregister DLL

Msiexec

Windows OS Credential Dumping with Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Remote Download

Msiexec

Windows System Binary Proxy Execution MSIExec DLLRegisterServer

Msiexec

Dump LSASS via procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows LOLBin Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Linux Persistence and Privilege Escalation Risk Behavior

Abuse Elevation Control Mechanism

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Powershell Remote Thread To Known Windows Process

Process Injection

Windows Defacement Modify Transcodedwallpaper File

Defacement

Windows InstallUtil Credential Theft

InstallUtil, System Binary Proxy Execution

Detect Excessive Account Lockouts From Endpoint

Valid Accounts, Domain Accounts

Detect Excessive User Account Lockouts

Valid Accounts, Local Accounts

Windows Possible Credential Dumping

LSASS Memory, OS Credential Dumping

Windows Access Token Manipulation Winlogon Duplicate Token Handle

Token Impersonation/Theft, Access Token Manipulation

Windows Service Deletion In Registry

Service Stop

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

Token Impersonation/Theft, Access Token Manipulation

Windows Gather Victim Identity SAM Info

Credentials, Gather Victim Identity Information

Windows Hijack Execution Flow Version Dll Side Load

DLL Search Order Hijacking, Hijack Execution Flow

Windows Remote Access Software BRC4 Loaded Dll

Remote Access Software, OS Credential Dumping

Windows Access Token Manipulation SeDebugPrivilege

Create Process with Token, Access Token Manipulation

Windows Process Injection With Public Source Path

Process Injection, Portable Executable Injection

Windows Input Capture Using Credential UI Dll

GUI Input Capture, Input Capture

Windows Remote Access Software Hunt

Remote Access Software

Windows Autostart Execution LSASS Driver Registry Modification

LSASS Driver

Linux Csvtool Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c99 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux apt-get Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Cpulimit Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux OpenVPN Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sqlite3 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Composer Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Octave Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c89 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux APT Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Busybox Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Puppet Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux RPM Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux MySQL Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Emacs Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Make Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux PHP Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GDB Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Find Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GNU Awk Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Ruby Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Gem Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux AWK Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Docker Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Node Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Windows Non-System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Windows DLL Search Order Hijacking with iscsicpl

DLL Search Order Hijacking

Linux Curl Upload File

Ingress Tool Transfer

Linux Proxy Socks Curl

Proxy, Non-Application Layer Protocol

Linux Ingress Tool Transfer with Curl

Ingress Tool Transfer

Linux Ingress Tool Transfer Hunting

Ingress Tool Transfer

Windows Gather Victim Host Information Camera

Hardware, Gather Victim Host Information

Windows System Time Discovery W32tm Delay

System Time Discovery

Linux Clipboard Data Copy

Clipboard Data

Windows Command Shell DCRat ForkBomb Payload

Windows Command Shell, Command and Scripting Interpreter

Linux SSH Authorized Keys Modification

SSH Authorized Keys

Windows System Reboot CommandLine

System Shutdown/Reboot

Windows System LogOff Commandline

System Shutdown/Reboot

Linux Kernel Module Enumeration

System Information Discovery, Rootkit

Linux Decode Base64 to Shell

Obfuscated Files or Information, Unix Shell

Linux Obfuscated Files or Information Base64 Decode

Obfuscated Files or Information

Wmic NonInteractive App Uninstallation

Disable or Modify Tools, Impair Defenses

Windows Defender Tools in Non Standard Path

Masquerading, Rename System Utilities

Windows MOF Event Triggered Execution via WMI

Windows Management Instrumentation Event Subscription

Powershell Disable Security Monitoring

Disable or Modify Tools, Impair Defenses

Certutil exe certificate extraction

Suspicious Image Creation In Appdata Folder

Screen Capture

Windows Binary Proxy Execution Mavinject DLL Injection

Mavinject, System Binary Proxy Execution

Suspicious WAV file in Appdata Folder

Screen Capture

Windows Odbcconf Load Response File

Odbcconf

Windows Powershell Import Applocker Policy

PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses

Windows Odbcconf Hunting

Odbcconf

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Remote System Discovery with Adsisearcher

Remote System Discovery

Outbound Network Connection from Java Using Default Ports

Exploit Public-Facing Application, External Remote Services

Windows Odbcconf Load DLL

Odbcconf

Windows Impair Defense Deny Security Software With Applocker

Disable or Modify Tools, Impair Defenses

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Application Layer Protocol

Windows Modify Registry Regedit Silent Reg Import

Modify Registry

Windows Impair Defense Add Xml Applocker Rules

Disable or Modify Tools, Impair Defenses

Windows Valid Account With Never Expires Password

Service Stop

Windows Modify Registry Disable Win Defender Raw Write Notif

Modify Registry

Windows Modify Registry Disable Toast Notifications

Modify Registry

Windows Remote Access Software RMS Registry

Remote Access Software

Windows Modify Registry Suppress Win Defender Notif

Modify Registry

Windows PowerView SPN Discovery

Steal or Forge Kerberos Tickets, Kerberoasting

Windows PowerView Kerberos Service Ticket Request

Steal or Forge Kerberos Tickets, Kerberoasting

Windows Modify Registry DisAllow Windows App

Modify Registry

Windows Modify Registry Disable Windows Security Center Notif

Modify Registry

Windows Modify Registry Disabling WER Settings

Modify Registry

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Windows Gather Victim Network Info Through Ip Check Web Services

IP Addresses, Gather Victim Network Information

Windows MSIExec With Network Connections

Msiexec

Windows MSIExec Remote Download

Msiexec

Windows MSIExec DLLRegisterServer

Msiexec

Windows MSIExec Unregister DLLRegisterServer

Msiexec

Windows MSIExec Spawn Discovery Command

Msiexec

Windows Impair Defenses Disable Win Defender Auto Logging

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Profile Registry

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Context Menu

Disable or Modify Tools, Impair Defenses

Java Writing JSP File

Exploit Public-Facing Application, External Remote Services

Excessive Usage of NSLOOKUP App

Exfiltration Over Alternative Protocol

Wermgr Process Connecting To IP Check Web Services

Gather Victim Network Information, IP Addresses

Unload Sysmon Filter Driver

Disable or Modify Tools, Impair Defenses

Windows Command and Scripting Interpreter Hunting Path Traversal

Command and Scripting Interpreter

Windows Command and Scripting Interpreter Path Traversal Exec

Command and Scripting Interpreter

MacOS plutil

Plist File Modification

Linux At Application Execution

At, Scheduled Task/Job

Linux Possible Append Command To At Allow Config File

At, Scheduled Task/Job

Schtasks scheduling job on remote system

Scheduled Task, Scheduled Task/Job

Windows System File on Disk

Exploitation for Privilege Escalation

Potential password in username

Local Accounts, Credentials In Files

Windows Service Create Kernel Mode Driver

Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation

Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetWmiObject DS User with PowerShell Script Block

Domain Account, Account Discovery

GetDomainComputer with PowerShell Script Block

Remote System Discovery

Windows KrbRelayUp Service Creation

Windows Service

GetAdComputer with PowerShell Script Block

Remote System Discovery

Mailsniper Invoke functions

Email Collection, Local Email Collection

Get DomainPolicy with Powershell Script Block

Password Policy Discovery

Get-DomainTrust with PowerShell Script Block

Domain Trust Discovery

Get ADUserResultantPasswordPolicy with Powershell Script Block

Password Policy Discovery

GetWmiObject Ds Group with PowerShell Script Block

Permission Groups Discovery, Domain Groups

GetDomainController with PowerShell Script Block

Remote System Discovery

Powershell Creating Thread Mutex

Obfuscated Files or Information, Indicator Removal from Tools, PowerShell

Delete ShadowCopy With PowerShell

Inhibit System Recovery

GetWmiObject Ds Computer with PowerShell Script Block

Remote System Discovery

GetDomainGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Windows Computer Account With SPN

Steal or Forge Kerberos Tickets

Windows Computer Account Requesting Kerberos Ticket

Steal or Forge Kerberos Tickets

Windows Computer Account Created by Computer Account

Steal or Forge Kerberos Tickets

Windows Kerberos Local Successful Logon

Steal or Forge Kerberos Tickets

Powershell Get LocalGroup Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

NLTest Domain Trust Discovery

Domain Trust Discovery

Windows Rundll32 Comsvcs Memory Dump

NTDS, OS Credential Dumping

Windows Registry Delete Task SD

Scheduled Task, Impair Defenses

Detect mshta renamed

System Binary Proxy Execution, Mshta

Detect Renamed PSExec

System Services, Service Execution

Detect HTML Help Renamed

System Binary Proxy Execution, Compiled HTML File

Windows Indirect Command Execution Via pcalua

Indirect Command Execution

Windows Indirect Command Execution Via forfiles

Indirect Command Execution

GetNetTcpconnection with PowerShell Script Block

System Network Connections Discovery

Windows PowerView Constrained Delegation Discovery

Remote System Discovery

Windows Drivers Loaded by Signature

Rootkit, Exploitation for Privilege Escalation

Windows PowerView Unconstrained Delegation Discovery

Remote System Discovery

Windows Get-AdComputer Unconstrained Delegation Discovery

Remote System Discovery

System Process Running from Unexpected Location

Masquerading

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

GetAdGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

GetCurrent User with PowerShell Script Block

System Owner/User Discovery

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

User Discovery With Env Vars PowerShell Script Block

System Owner/User Discovery

Get WMIObject Group Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

Kerberos Pre-Authentication Flag Disabled with PowerShell

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetLocalUser with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Get ADDefaultDomainPasswordPolicy with Powershell Script Block

Password Policy Discovery

Modify ACLs Permission Of Files Or Folders

File and Directory Permissions Modification

Delete A Net User

Account Access Removal

Modify ACL permission To Files Or Folder

File and Directory Permissions Modification

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows InstallUtil Remote Network Connection

InstallUtil, System Binary Proxy Execution

Windows InstallUtil Uninstall Option with Network

InstallUtil, System Binary Proxy Execution

Detect Regasm with no Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Kerberos Service Ticket Request Using RC4 Encryption

Steal or Forge Kerberos Tickets, Golden Ticket

Detect Regsvcs with No Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Kerberos User Enumeration

Gather Victim Identity Information, Email Addresses

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

MacOS LOLbin

Unix Shell, Command and Scripting Interpreter

Kerberos TGT Request Using RC4 Encryption

Use Alternate Authentication Material

Windows Script Host Spawn MSBuild

MSBuild, Trusted Developer Utilities Proxy Execution

Windows WMIPrvse Spawn MSBuild

Trusted Developer Utilities Proxy Execution, MSBuild

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter

Excessive distinct processes from Windows Temp

Command and Scripting Interpreter

ServicePrincipalNames Discovery with PowerShell

Kerberoasting

Detect Mimikatz With PowerShell Script Block Logging

OS Credential Dumping, PowerShell

Get-ForestTrust with PowerShell Script Block

Domain Trust Discovery, PowerShell

Windows MSHTA Child Process

Mshta, System Binary Proxy Execution

Windows Process With NamedPipe CommandLine

Process Injection

Windows Excessive Disabled Services Event

Disable or Modify Tools, Impair Defenses

Windows MSHTA Command-Line URL

Mshta, System Binary Proxy Execution

Windows MSHTA Inline HTA Execution

Mshta, System Binary Proxy Execution

Windows Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Kerberos Pre-Authentication Flag Disabled in UserAccountControl

Steal or Forge Kerberos Tickets, AS-REP Roasting

Windows WMI Process Call Create

Windows Management Instrumentation

Rundll32 DNSQuery

System Binary Proxy Execution, Rundll32

Detect Regsvcs with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

Detect Regasm with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

NET Profiler UAC bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Bitsadmin Download File

BITS Jobs, Ingress Tool Transfer

Windows CertUtil Decode File

Deobfuscate/Decode Files or Information

Windows CertUtil VerifyCtl Download

Ingress Tool Transfer

Windows CertUtil URLCache Download

Ingress Tool Transfer

Windows PowerShell Start-BitsTransfer

BITS Jobs, Ingress Tool Transfer

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Bits Job Persistence

BITS Jobs

Windows Powershell Connect to Internet With Hidden Window

Automated Exfiltration

Windows Powershell DownloadFile

Automated Exfiltration

Unusual Number of Kerberos Service Tickets Requested

Steal or Forge Kerberos Tickets, Kerberoasting

RunDLL Loading DLL By Ordinal

System Binary Proxy Execution, Rundll32

Windows Remote Assistance Spawning Process

Process Injection

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Windows Schtasks Create Run As System

Scheduled Task, Scheduled Task/Job

CertUtil Download With VerifyCtl and Split Arguments

Ingress Tool Transfer

CertUtil Download With URLCache and Split Arguments

Ingress Tool Transfer

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Linux pkexec Privilege Escalation

Exploitation for Privilege Escalation

Malicious PowerShell Process - Encoded Command

Obfuscated Files or Information

Potentially malicious code on commandline

Windows Command Shell

Windows Hunting System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Linux Possible Ssh Key File Creation

SSH Authorized Keys, Account Manipulation

Linux Possible Access Or Modification Of sshd Config File

SSH Authorized Keys, Account Manipulation

Linux Possible Access To Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Possible Access To Credential Files

/etc/passwd and /etc/shadow, OS Credential Dumping

Linux Doas Conf File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Doas Tool Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudo OR Su Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudoers Tmp File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Common Process For Elevation Control

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Preload Hijack Library Calls

Dynamic Linker Hijacking, Hijack Execution Flow

Linux File Created In Kernel Driver Directory

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Install Kernel Module Using Modprobe Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Insert Kernel Module Using Insmod Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Suspicious Ticket Granting Ticket Request

Valid Accounts, Domain Accounts

Linux Change File Owner To Root

Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Setuid Using Chmod Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux NOPASSWD Entry In Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Setuid Using Setcap Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Add User Account

Local Account, Create Account

Linux Visudo Utility Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Service Started Or Enabled

Systemd Timers, Scheduled Task/Job

Linux Service File Created In Systemd Directory

Systemd Timers, Scheduled Task/Job

Linux Possible Append Command To Profile Config File

Unix Shell Configuration Modification, Event Triggered Execution

Linux File Creation In Init Boot Directory

RC Scripts, Boot or Logon Initialization Scripts

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal

Suspicious Kerberos Service Ticket Request

Valid Accounts, Domain Accounts

Linux File Creation In Profile Directory

Unix Shell Configuration Modification, Event Triggered Execution

Suspicious Computer Account Name Change

Valid Accounts, Domain Accounts

Hiding Files And Directories With Attrib exe

Windows File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Possible Cronjob Modification With Editor

Cron, Scheduled Task/Job

Linux Possible Append Cronjob Entry on Existing Cronjob File

Cron, Scheduled Task/Job

Linux At Allow Config File Creation

Cron, Scheduled Task/Job

Linux Edit Cron Table Parameter

Cron, Scheduled Task/Job

Linux Add Files In Known Crontab Directories

Cron, Scheduled Task/Job

Java Class File download by Java User Agent

Exploit Public-Facing Application

Wget Download and Bash Execution

Ingress Tool Transfer

Curl Download and Bash Execution

Ingress Tool Transfer

LOLBAS With Network Traffic

Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution

Fsutil Zeroing File

Indicator Removal

Windows Raccine Scheduled Task Deletion

Disable or Modify Tools

BCDEdit Failure Recovery Modification

Inhibit System Recovery

WBAdmin Delete System Backups

Inhibit System Recovery

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Suspicious Linux Discovery Commands

Unix Shell

Detect RClone Command-Line Usage

Automated Exfiltration

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Short Lived Scheduled Task

Scheduled Task

Unusual Number of Remote Endpoint Authentication Events

Valid Accounts

Unusual Number of Computer Service Tickets Requested

Valid Accounts

Resize Shadowstorage Volume

Service Stop

Grant Permission Using Cacls Utility

File and Directory Permissions Modification

Disable Net User Account

Service Stop, Valid Accounts

Deny Permission using Cacls Utility

File and Directory Permissions Modification

Randomly Generated Scheduled Task Name

Scheduled Task/Job, Scheduled Task

Detect RClone Command-Line Usage

Automated Exfiltration

Randomly Generated Windows Service Name

Create or Modify System Process, Windows Service

Attempted Credential Dump From Registry via Reg exe

OS Credential Dumping, Security Account Manager

Attempt To Disable Services

Service Stop

Attempt To Delete Services

Service Stop, Create or Modify System Process, Windows Service

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Services LOLBAS Execution Process Spawn

Create or Modify System Process, Windows Service

Wmiprsve LOLBAS Execution Process Spawn

Windows Management Instrumentation

Possible Browser Pass View Parameter

Credentials from Web Browsers, Credentials from Password Stores

Anomalous usage of Archive Tools

Archive via Utility, Archive Collected Data

Windows Service Created Within Public Path

Create or Modify System Process, Windows Service

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Svchost LOLBAS Execution Process Spawn

Scheduled Task/Job, Scheduled Task

System Info Gathering Using Dxdiag Application

Gather Victim Host Information

Loading Of Dynwrapx Module

Process Injection, Dynamic-link Library Injection

Windows DISM Remove Defender

Disable or Modify Tools, Impair Defenses

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

High Frequency Copy Of Files In Network Share

Transfer Data to Cloud Account

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal

Windows DiskCryptor Usage

Data Encrypted for Impact

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via WMI and PowerShell

Windows Management Instrumentation

CSC Net On The Fly Compilation

Compile After Delivery, Obfuscated Files or Information

Network Discovery Using Route Windows App

System Network Configuration Discovery, Internet Connection Discovery

Remote Process Instantiation via WMI

Windows Management Instrumentation

Windows InstallUtil Uninstall Option

InstallUtil, System Binary Proxy Execution

Firewall Allowed Program Enable

Disable or Modify System Firewall, Impair Defenses

Windows InstallUtil URL in Command Line

InstallUtil, System Binary Proxy Execution

Scheduled Task Initiation on Remote Endpoint

Scheduled Task/Job, Scheduled Task

WMIC XSL Execution via URL

XSL Script Processing

Scheduled Task Creation on Remote Endpoint using At

Scheduled Task/Job, At

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Windows Service Creation on Remote Endpoint

Create or Modify System Process, Windows Service

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Windows Service Initiation on Remote Endpoint

Create or Modify System Process, Windows Service

Attacker Tools On Endpoint

Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning

Windows Curl Download to Suspicious Path

Ingress Tool Transfer

Disable Schedule Task

Disable or Modify Tools, Impair Defenses

ServicePrincipalNames Discovery with SetSPN

Kerberoasting

Suspicious wevtutil Usage

Clear Windows Event Logs, Indicator Removal

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal

Winhlp32 Spawning a Process

Process Injection

Process Writing DynamicWrapperX

Command and Scripting Interpreter, Component Object Model

Rundll32 Shimcache Flush

Modify Registry

Malicious InProcServer32 Modification

Regsvr32, Modify Registry

MSBuild Suspicious Spawned By Script Process

MSBuild, Trusted Developer Utilities Proxy Execution

Vbscript Execution Using Wscript App

Visual Basic, Command and Scripting Interpreter

Verclsid CLSID Execution

Verclsid, System Binary Proxy Execution

Remcos RAT File Creation in Remcos Folder

Screen Capture

BITS Job Persistence

BITS Jobs

Credential Dumping via Copy Command from Shadow Copy

NTDS, OS Credential Dumping

Credential Dumping via Symlink to Shadow Copy

NTDS, OS Credential Dumping

Processes launching netsh

Disable or Modify System Firewall, Impair Defenses

Detect mshta inline hta execution

System Binary Proxy Execution, Mshta

Detect MSHTA Url in Command Line

System Binary Proxy Execution, Mshta

Detect HTML Help URL in Command Line

System Binary Proxy Execution, Compiled HTML File

Detect Renamed RClone

Automated Exfiltration

Attempt To Add Certificate To Untrusted Store

Install Root Certificate, Subvert Trust Controls

Local Account Discovery with Net

Account Discovery, Local Account

Local Account Discovery With Wmic

Account Discovery, Local Account

Detect Renamed 7-Zip

Archive via Utility, Archive Collected Data

Creation of Shadow Copy with wmic and powershell

NTDS, OS Credential Dumping

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Detect Renamed WinRAR

Archive via Utility, Archive Collected Data

Detect HTML Help Using InfoTech Storage Handlers

System Binary Proxy Execution, Compiled HTML File

Check Elevated CMD using whoami

System Owner/User Discovery

PowerShell Get LocalGroup Discovery

Permission Groups Discovery, Local Groups

Wmic Group Discovery

Permission Groups Discovery, Local Groups

Get WMIObject Group Discovery

Permission Groups Discovery, Local Groups

System User Discovery With Query

System Owner/User Discovery

GetCurrent User with PowerShell

System Owner/User Discovery

MS Scripting Process Loading WMI Module

Command and Scripting Interpreter, JavaScript

User Discovery With Env Vars PowerShell

System Owner/User Discovery

MS Scripting Process Loading Ldap Module

Command and Scripting Interpreter, JavaScript

XSL Script Execution With WMIC

XSL Script Processing

Jscript Execution Using Cscript App

Command and Scripting Interpreter, JavaScript

Network Connection Discovery With Arp

System Network Connections Discovery

Network Connection Discovery With Net

System Network Connections Discovery

Network Connection Discovery With Netstat

System Network Connections Discovery

Extraction of Registry Hives

Security Account Manager, OS Credential Dumping

Rundll32 Control RunDLL Hunt

System Binary Proxy Execution, Rundll32

Create local admin accounts using net exe

Local Account, Create Account

Rundll32 Control RunDLL World Writable Directory

System Binary Proxy Execution, Rundll32

Control Loading from World Writable Directory

System Binary Proxy Execution, Control Panel

GetDomainComputer with PowerShell

Remote System Discovery

GetAdComputer with PowerShell

Remote System Discovery

SchCache Change By App Connect And Create ADSI Object

Domain Account, Account Discovery

System Information Discovery Detection

System Information Discovery

GetDomainController with PowerShell

Remote System Discovery

GetWmiObject Ds Computer with PowerShell

Remote System Discovery

Bcdedit Command Back To Normal Mode Boot

Inhibit System Recovery

Change To Safe Mode With Network Config

Inhibit System Recovery

Get-ForestTrust with PowerShell

Domain Trust Discovery

Domain Group Discovery With Dsquery

Permission Groups Discovery, Domain Groups

Remote System Discovery with Wmic

Remote System Discovery

Domain Controller Discovery with Wmic

Remote System Discovery

PetitPotam Suspicious Kerberos TGT Request

OS Credential Dumping

Remote System Discovery with Dsquery

Remote System Discovery

PetitPotam Network Share Access Request

Forced Authentication

Remote System Discovery with Net

Remote System Discovery

Domain Controller Discovery with Nltest

Remote System Discovery

Get DomainPolicy with Powershell

Password Policy Discovery

Get ADUserResultantPasswordPolicy with Powershell

Password Policy Discovery

Process Creating LNK file in Suspicious Location

Phishing, Spearphishing Link

Get ADDefaultDomainPasswordPolicy with Powershell

Password Policy Discovery

Password Policy Discovery with Net

Password Policy Discovery

GetNetTcpconnection with PowerShell

System Network Connections Discovery

GetWmiObject Ds Group with PowerShell

Permission Groups Discovery, Domain Groups

Domain Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetDomainGroup with PowerShell

Permission Groups Discovery, Domain Groups

GetAdGroup with PowerShell

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery with PowerView

Permission Groups Discovery, Domain Groups

Domain Group Discovery with Adsisearcher

Permission Groups Discovery, Domain Groups

Domain Account Discovery with Dsquery

Domain Account, Account Discovery

Get DomainUser with PowerShell

Domain Account, Account Discovery

Get-DomainTrust with PowerShell

Domain Trust Discovery

Domain Account Discovery with Wmic

Domain Account, Account Discovery

GetWmiObject DS User with PowerShell

Domain Account, Account Discovery

Get ADUser with PowerShell

Domain Account, Account Discovery

GetLocalUser with PowerShell

Account Discovery, Local Account

Esentutl SAM Copy

Security Account Manager, OS Credential Dumping

7zip CommandLine To SMB Share Path

Archive via Utility, Archive Collected Data

UAC Bypass With Colorui COM Object

System Binary Proxy Execution, CMSTP

Fsutil Zeroing File

Indicator Removal

Rundll32 LockWorkStation

System Binary Proxy Execution, Rundll32

Uninstall App Using MsiExec

Msiexec, System Binary Proxy Execution

Create Remote Thread In Shell Application

Process Injection

Sqlite Module In Temp Folder

Data from Local System

Drop IcedID License dat

User Execution, Malicious File

IcedID Exfiltrated Archived File Creation

Archive via Utility, Archive Collected Data

Rundll32 Create Remote Thread To A Process

Process Injection

Regsvr32 with Known Silent Switch Cmdline

System Binary Proxy Execution, Regsvr32

CHCP Command Execution

Command and Scripting Interpreter

Rundll32 CreateRemoteThread In Browser

Process Injection

Suspicious IcedID Rundll32 Cmdline

System Binary Proxy Execution, Rundll32

Suspicious Rundll32 PluginInit

System Binary Proxy Execution, Rundll32

Rundll32 Process Creating Exe Dll Files

System Binary Proxy Execution, Rundll32

Detect Copy of ShadowCopy with Script Block Logging

Security Account Manager, OS Credential Dumping

Mshta spawning Rundll32 OR Regsvr32 Process

System Binary Proxy Execution, Mshta

UAC Bypass MMC Load Unsigned Dll

Bypass User Account Control, Abuse Elevation Control Mechanism, MMC

Spoolsv Writing a DLL

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Loaded Modules

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Process Access

Exploitation for Privilege Escalation

Spoolsv Writing a DLL - Sysmon

Print Processors, Boot or Logon Autostart Execution

Print Spooler Adding A Printer Driver

Print Processors, Boot or Logon Autostart Execution

Print Spooler Failed to Load a Plug-in

Print Processors, Boot or Logon Autostart Execution

Spoolsv Spawning Rundll32

Print Processors, Boot or Logon Autostart Execution

Excessive number of service control start as disabled

Disable or Modify Tools, Impair Defenses

Excessive Usage Of SC Service Utility

System Services, Service Execution

Allow File And Printing Sharing In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Allow Network Discovery In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Execute Javascript With Jscript COM CLSID

Command and Scripting Interpreter, Visual Basic

Suspicious Event Log Service Behavior

Indicator Removal, Clear Windows Event Logs

Detect WMI Event Subscription Persistence

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Wevtutil Usage To Disable Logs

Indicator Removal, Clear Windows Event Logs

WevtUtil Usage To Clear Logs

Indicator Removal, Clear Windows Event Logs

Permission Modification using Takeown App

File and Directory Permissions Modification

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal

Prevent Automatic Repair Mode using Bcdedit

Inhibit System Recovery

Disable Logs Using WevtUtil

Indicator Removal, Clear Windows Event Logs

Excessive number of taskhost processes

Command and Scripting Interpreter

Known Services Killed by Ransomware

Inhibit System Recovery

Modification Of Wallpaper

Defacement

Wbemprox COM Object Execution

System Binary Proxy Execution, CMSTP

Revil Common Exec Parameter

User Execution

Conti Common Exec parameter

User Execution

Detect SharpHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

WinRM Spawning a Process

Exploit Public-Facing Application

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

CMLUA Or CMSTPLUA UAC Bypass

System Binary Proxy Execution, CMSTP

SLUI RunAs Elevated

Bypass User Account Control, Abuse Elevation Control Mechanism

SLUI Spawning a Process

Bypass User Account Control, Abuse Elevation Control Mechanism

Excessive Usage Of Cacls App

File and Directory Permissions Modification

Enumerate Users Local Group Using Telegram

Account Discovery

Download Files Using Telegram

Ingress Tool Transfer

Excessive Usage Of Taskkill

Disable or Modify Tools, Impair Defenses

Disabling Net User Account

Account Access Removal

Excessive Service Stop Attempt

Service Stop

Excessive Attempt To Disable Services

Service Stop

Process Kill Base On File Path

Disable or Modify Tools, Impair Defenses

Suspicious Driver Loaded Path

Windows Service, Create or Modify System Process

XMRIG Driver Loaded

Windows Service, Create or Modify System Process

Trickbot Named Pipe

Process Injection

Winword Spawning Cmd

Phishing, Spearphishing Attachment

Wermgr Process Spawned CMD Or Powershell Process

Command and Scripting Interpreter

Wermgr Process Create Executable File

Obfuscated Files or Information

Schedule Task with Rundll32 Command Trigger

Scheduled Task/Job

Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos

Password Spraying, Brute Force

Windows Multiple Invalid Users Fail To Authenticate Using Kerberos

Password Spraying, Brute Force

Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Multiple Users Remotely Failed To Authenticate From Host

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Host Using NTLM

Password Spraying, Brute Force

Winword Spawning PowerShell

Phishing, Spearphishing Attachment

Winword Spawning Windows Script Host

Phishing, Spearphishing Attachment

Excel Spawning Windows Script Host

Security Account Manager, OS Credential Dumping

Excel Spawning PowerShell

Security Account Manager, OS Credential Dumping

Windows Multiple Users Failed To Authenticate Using Kerberos

Password Spraying, Brute Force

Malicious Powershell Executed As A Service

System Services, Service Execution

DSQuery Domain Discovery

Domain Trust Discovery

Disabling Firewall with Netsh

Disable or Modify Tools, Impair Defenses

PowerShell Start-BitsTransfer

BITS Jobs

CertUtil With Decode Argument

Deobfuscate/Decode Files or Information

Clop Ransomware Known Service Name

Create or Modify System Process

Ransomware Notes bulk creation

Data Encrypted for Impact

Resize ShadowStorage volume

Inhibit System Recovery

Nishang PowershellTCPOneLine

Command and Scripting Interpreter, PowerShell

FodHelper UAC Bypass

Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism

Suspicious Scheduled Task from Public Directory

Scheduled Task, Scheduled Task/Job

Ryuk Wake on LAN Command

Command and Scripting Interpreter, Windows Command Shell

Suspicious SQLite3 LSQuarantine Behavior

Data Staged

Suspicious PlistBuddy Usage

Launch Agent, Create or Modify System Process

Suspicious Curl Network Connection

Ingress Tool Transfer

Suspicious PlistBuddy Usage via OSquery

Launch Agent, Create or Modify System Process

Detect Regsvcs Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect Regasm Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect HTML Help Spawn Child Process

System Binary Proxy Execution, Compiled HTML File

Suspicious Rundll32 dllregisterserver

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - syssetup

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - setupapi

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - advpack

System Binary Proxy Execution, Rundll32

Detect Baron Samedit CVE-2021-3156 Segfault

Exploitation for Privilege Escalation

Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Detect Baron Samedit CVE-2021-3156 via OSQuery

Exploitation for Privilege Escalation

Detect Baron Samedit CVE-2021-3156

Exploitation for Privilege Escalation

WBAdmin Delete System Backups

Inhibit System Recovery

Detect Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Suspicious mshta spawn

System Binary Proxy Execution, Mshta

Suspicious MSBuild Spawn

Trusted Developer Utilities Proxy Execution, MSBuild

Suspicious microsoft workflow compiler usage

Trusted Developer Utilities Proxy Execution

Suspicious mshta child process

System Binary Proxy Execution, Mshta

BCDEdit Failure Recovery Modification

Inhibit System Recovery

Sunburst Correlation DLL and Network Event

Exploitation for Client Execution

Unusually Long Command Line

WMI Permanent Event Subscription - Sysmon

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Single Letter Process On Endpoint

User Execution, Malicious File

System Processes Run From Unexpected Locations

Masquerading, Rename System Utilities

Shim Database File Creation

Application Shimming, Event Triggered Execution

Schtasks used for forcing a reboot

Scheduled Task, Scheduled Task/Job

Reg exe Manipulating Windows Services Registry Keys

Services Registry Permissions Weakness, Hijack Execution Flow

Shim Database Installation With Suspicious Parameters

Application Shimming, Event Triggered Execution

Disabling Remote User Account Control

Bypass User Account Control, Abuse Elevation Control Mechanism

Execution of File with Multiple Extensions

Masquerading, Rename System Utilities

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter, Windows Command Shell

Detect processes used for System Network Configuration Discovery

System Network Configuration Discovery

Deleting Shadow Copies

Inhibit System Recovery

Common Ransomware Notes

Data Destruction

Windows Security Account Manager Stopped

Service Stop

Ryuk Test Files Detected

Data Encrypted for Impact

Detect Computer Changed with Anonymous Account

Exploitation of Remote Services

Create or delete windows shares using net exe

Indicator Removal, Network Share Connection Removal

Suspicious writes to windows Recycle Bin

Masquerading

Suspicious Reg exe Process

Modify Registry

Remote Desktop Process Running On System

Remote Desktop Protocol, Remote Services

Sc exe Manipulating Windows Services

Windows Service, Create or Modify System Process

Detect Use of cmd exe to Launch Script Interpreters

Command and Scripting Interpreter, Windows Command Shell

Malicious PowerShell Process - Execution Policy Bypass

Command and Scripting Interpreter, PowerShell

First Time Seen Running Windows Service

System Services, Service Execution

Hiding Files And Directories With Attrib exe

File and Directory Permissions Modification, Windows File and Directory Permissions Modification

Detection of tools built by NirSoft

Software Deployment Tools

Detect New Local Admin account

Local Account, Create Account

Short Lived Windows Accounts

Local Account, Create Account

Windows Event Log Cleared

Indicator Removal, Clear Windows Event Logs

Detect Path Interception By Creation Of program exe

Path Interception by Unquoted Path, Hijack Execution Flow

First Time Seen Child Process of Zoom

Exploitation for Privilege Escalation

Spike in File Writes

Script Execution via WMI

Windows Management Instrumentation

Process Execution via WMI

Windows Management Instrumentation

MacOS - Re-opened Applications

Creation of lsass Dump with Taskmgr

LSASS Memory, OS Credential Dumping

Creation of Shadow Copy

NTDS, OS Credential Dumping

Access LSASS Memory for Dump Creation

LSASS Memory, OS Credential Dumping

Create Remote Thread into LSASS

LSASS Memory, OS Credential Dumping

Detect Credential Dumping through LSASS access

LSASS Memory, OS Credential Dumping

Unusually Long Command Line - MLTK

Processes Tapping Keyboard Events

Samsam Test File Write

Data Encrypted for Impact

File with Samsam Extension

USN Journal Deletion

Indicator Removal

WMI Permanent Event Subscription

Windows Management Instrumentation

WMI Temporary Event Subscription

Windows Management Instrumentation