Detections

| Name | Technique | Type |
|---|---|---|
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting |
| AWS Create Policy Version to allow all resources | Cloud Accounts, Valid Accounts | TTP |
| AWS CreateAccessKey | Cloud Account, Create Account | Hunting |
| AWS CreateLoginProfile | Cloud Account, Create Account | TTP |
| AWS Cross Account Activity From Previously Unseen Account | None | Anomaly |
| AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |
| AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly |
| AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP |
| AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Hunting |
| AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| AWS Excessive Security Scanning | Cloud Service Discovery | TTP |
| AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly |
| AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| AWS IAM Delete Policy | Account Manipulation | Hunting |
| AWS IAM Failure Group Deletion | Account Manipulation | Anomaly |
| AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting |
| AWS Network Access Control List Created with All Open Ports | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall, Impair Defenses | Anomaly |
| AWS SAML Access by Provider User and Principal | Valid Accounts | Anomaly |
| AWS SAML Update identity provider | Valid Accounts | TTP |
| AWS SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP |
| AWS UpdateLoginProfile | Cloud Account, Create Account | TTP |
| Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Destroyed | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Launched | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Security Group API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Anomaly |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Amazon EKS Kubernetes Pod scan detection | Cloud Service Discovery | Hunting |
| Amazon EKS Kubernetes cluster scan detection | Cloud Service Discovery | Hunting |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell | TTP |
| Applying Stolen Credentials via Mimikatz modules | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets | TTP |
| Applying Stolen Credentials via PowerSploit modules | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Credentials from Password Stores, Steal or Forge Kerberos Tickets | TTP |
| Assessment of Credential Strength via DSInternals modules | Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores | TTP |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | TTP |
| Attempt To Disable Services | Service Stop | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Attempt To delete Services | Service Stop | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Batch File Write to System32 | User Execution, Malicious File | TTP |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP |
| CHCP Command Execution | Command and Scripting Interpreter | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | Signed Binary Proxy Execution, CMSTP | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Certutil exe certificate extraction | None | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Change To Safe Mode With Network Config | Inhibit System Recovery | TTP |
| Check Elevated CMD using whoami | System Owner/User Discovery | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Circle CI Disable Security Job | Compromise Client Software Binary | Anomaly |
| Circle CI Disable Security Step | Compromise Client Software Binary | Anomaly |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal on Host | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| Cloud API Calls From Previously Unseen User Roles | Valid Accounts | Anomaly |
| Cloud Compute Instance Created By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Compute Instance Created In Previously Unused Region | Unused/Unsupported Cloud Regions | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Image | None | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Instance Type | None | Anomaly |
| Cloud Instance Modified By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen City | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Country | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen IP Address | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Region | Valid Accounts | Anomaly |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | Signed Binary Proxy Execution, Control Panel | TTP |
| Correlation by Repository and Risk | Malicious Image, User Execution | Correlation |
| Correlation by User and Risk | Malicious Image, User Execution | Correlation |
| Create Remote Thread In Shell Application | Process Injection | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Create Service In Suspicious File Path | System Services, Service Execution | TTP |
| Create local admin accounts using net exe | Local Account, Create Account | TTP |
| Create or delete windows shares using net exe | Indicator Removal on Host, Network Share Connection Removal | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with s option | OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with v option | OS Credential Dumping | TTP |
| Credential Extraction indicative of Lazagne command line options | OS Credential Dumping, Credentials from Password Stores | TTP |
| Credential Extraction indicative of use of DSInternals credential conversion modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of DSInternals modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of Mimikatz modules | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of PowerSploit modules | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers peek into the kernel | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers via z command line option | OS Credential Dumping | TTP |
| Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | OS Credential Dumping | TTP |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly |
| DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Delete A Net User | Service Stop | Anomaly |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Deleting Of Net Users | Account Access Removal | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect AWS Console Login by New User | None | Hunting |
| Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions | Hunting |
| Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | TTP |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | TTP |
| Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | Hunting |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect Dump LSASS Memory using comsvcs | NTDS, OS Credential Dumping | TTP |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP |
| Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Anomaly |
| Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Anomaly |
| Detect Exchange Web Shell | Server Software Component, Web Shell | TTP |
| Detect F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | TTP |
| Detect GCP Storage access from a new IP | Data from Cloud Storage Object | Anomaly |
| Detect HTML Help Renamed | Signed Binary Proxy Execution, Compiled HTML File | Hunting |
| Detect HTML Help Spawn Child Process | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Kerberoasting | Kerberoasting, Steal or Forge Kerberos Tickets | TTP |
| Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP |
| Detect MSHTA Url in Command Line | Signed Binary Proxy Execution, Mshta | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping | TTP |
| Detect New Local Admin account | Local Account, Create Account | TTP |
| Detect New Login Attempts to Routers | None | TTP |
| Detect New Open GCP Storage Buckets | Data from Cloud Storage Object | TTP |
| Detect New Open S3 Buckets over AWS CLI | Data from Cloud Storage Object | TTP |
| Detect New Open S3 buckets | Data from Cloud Storage Object | TTP |
| Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP |
| Detect Pass the Hash | Use Alternate Authentication Material, Pass the Hash | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP |
| Detect Port Security Violation | Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Rare Executables | None | Anomaly |
| Detect Regasm Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | Signed Binary Proxy Execution, Regsvr32 | TTP |
| Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Hunting |
| Detect Renamed PSExec | System Services, Service Execution | Hunting |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Hunting |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Man-in-the-Middle | TTP |
| Detect Rundll32 Application Control Bypass - advpack | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Inline HTA Execution | Signed Binary Proxy Execution, Mshta | TTP |
| Detect S3 access from a new IP | Data from Cloud Storage Object | Anomaly |
| Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | TTP |
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly |
| Detect Spike in AWS Security Hub Alerts for User | None | Anomaly |
| Detect Spike in S3 Bucket deletion | Data from Cloud Storage Object | Anomaly |
| Detect Spike in blocked Outbound Traffic from your AWS | None | Anomaly |
| Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP |
| Detect Unauthorized Assets by MAC address | None | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP |
| Detect Windows DNS SIGRed via Splunk Stream | Exploitation for Client Execution | TTP |
| Detect Windows DNS SIGRed via Zeek | Exploitation for Client Execution | TTP |
| Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP |
| Detect attackers scanning for vulnerable JBoss servers | System Information Discovery | TTP |
| Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP |
| Detect malicious requests to exploit JBoss servers | None | TTP |
| Detect mshta inline hta execution | Signed Binary Proxy Execution, Mshta | TTP |
| Detect mshta renamed | Signed Binary Proxy Execution, Mshta | Hunting |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP |
| Detect shared ec2 snapshot | Transfer Data to Cloud Account | TTP |
| Detection of tools built by NirSoft | Software Deployment Tools | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Logs Using WevtUtil | Indicator Removal on Host, Clear Windows Event Logs | TTP |
| Disable Net User Account | Service Stop | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses | TTP |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Net User Account | Account Access Removal | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Domain Account Discovery with Dsquery | Domain Account, Account Discovery | Hunting |
| Domain Account Discovery with Wmic | Domain Account, Account Discovery | TTP |
| Domain Controller Discovery with Nltest | Remote System Discovery | TTP |
| Domain Controller Discovery with Wmic | Remote System Discovery | Hunting |
| Domain Group Discovery With Dsquery | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery with Adsisearcher | Permission Groups Discovery, Domain Groups | TTP |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Drop IcedID License dat | User Execution, Malicious File | Hunting |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | TTP |
| Elevated Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | TTP |
| Elevated Group Discovery with PowerView | Permission Groups Discovery, Domain Groups | Hunting |
| Email Attachments With Lots Of Spaces | None | Anomaly |
| Email files written outside of the Outlook directory | Email Collection, Local Email Collection | TTP |
| Email servers sending high volume traffic to hosts | Email Collection, Remote Email Collection | Anomaly |
| Enable RDP In Other Port Number | Remote Services | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | TTP |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | TTP |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive DNS Failures | DNS, Application Layer Protocol | Anomaly |
| Excessive Service Stop Attempt | Service Stop | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly |
| Excessive number of distinct processes created in Windows Temp folder | Command and Scripting Interpreter | Anomaly |
| Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Anomaly |
| Excessive number of taskhost processes | System Owner/User Discovery | Anomaly |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application | TTP |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | TTP |
| Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP |
| Execution of File with Multiple Extensions | Masquerading, Rename System Utilities | TTP |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP |
| File with Samsam Extension | None | TTP |
| First Time Seen Child Process of Zoom | Exploitation for Privilege Escalation | Anomaly |
| First Time Seen Running Windows Service | System Services, Service Execution | Anomaly |
| First time seen command line argument | Command and Scripting Interpreter, Regsvr32, Indirect Command Execution | Anomaly |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Fsutil Zeroing File | Indicator Removal on Host | TTP |
| GCP Detect gcploit framework | Valid Accounts | TTP |
| GCP Kubernetes cluster pod scan detection | Cloud Service Discovery | Hunting |
| GPUpdate with no Command Line Arguments with Network | Process Injection | TTP |
| GSuite Email Suspicious Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Hunting |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting |
| Get ADUser with PowerShell | Domain Account, Account Discovery | Hunting |
| Get ADUser with PowerShell Script Block | Domain Account, Account Discovery | Hunting |
| Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP |
| Get DomainPolicy with Powershell | Password Policy Discovery | TTP |
| Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP |
| Get DomainUser with PowerShell | Domain Account, Account Discovery | TTP |
| Get DomainUser with PowerShell Script Block | Domain Account, Account Discovery | TTP |
| Get WMIObject Group Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Get WMIObject Group Discovery with Script Block Logging | Permission Groups Discovery, Local Groups | Hunting |
| Get-DomainTrust with PowerShell | Domain Trust Discovery | TTP |
| Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP |
| Get-ForestTrust with PowerShell | Domain Trust Discovery | TTP |
| Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery | TTP |
| GetAdComputer with PowerShell | Remote System Discovery | Hunting |
| GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting |
| GetAdGroup with PowerShell | Permission Groups Discovery, Domain Groups | Hunting |
| GetAdGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | Hunting |
| GetCurrent User with PowerShell | System Owner/User Discovery | Hunting |
| GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting |
| GetDomainComputer with PowerShell | Remote System Discovery | TTP |
| GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP |
| GetDomainController with PowerShell | Remote System Discovery | Hunting |
| GetDomainController with PowerShell Script Block | Remote System Discovery | TTP |
| GetDomainGroup with PowerShell | Permission Groups Discovery, Domain Groups | TTP |
| GetDomainGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | TTP |
| GetLocalUser with PowerShell | Account Discovery, Local Account | Hunting |
| GetLocalUser with PowerShell Script Block | Account Discovery, Local Account | Hunting |
| GetNetTcpconnection with PowerShell | System Network Connections Discovery | Hunting |
| GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting |
| GetWmiObject DS User with PowerShell | Domain Account, Account Discovery | TTP |
| GetWmiObject DS User with PowerShell Script Block | Domain Account, Account Discovery | TTP |
| GetWmiObject Ds Computer with PowerShell | Remote System Discovery | TTP |
| GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP |
| GetWmiObject Ds Group with PowerShell | Permission Groups Discovery, Domain Groups | TTP |
| GetWmiObject Ds Group with PowerShell Script Block | Permission Groups Discovery, Domain Groups | TTP |
| GetWmiObject User Account with PowerShell | Account Discovery, Local Account | Hunting |
| GetWmiObject User Account with PowerShell Script Block | Account Discovery, Local Account | Hunting |
| GitHub Dependabot Alert | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| GitHub Pull Request from Unknown User | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| Github Commit Changes In Master | Trusted Relationship | Anomaly |
| Github Commit In Develop | Trusted Relationship | Anomaly |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | TTP |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly |
| Gsuite Email Suspicious Subject With Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Email With Known Abuse Web Service Link | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| Gsuite Suspicious Shared File Name | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite suspicious calendar invite | Phishing | Hunting |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
| High File Deletion Frequency | Data Destruction | Anomaly |
| High Number of Login Failures from a single source | Password Guessing, Brute Force | Anomaly |
| High Process Termination Frequency | Data Encrypted for Impact | Anomaly |
| Hosts receiving high volume of network traffic from email server | Remote Email Collection, Email Collection | Anomaly |
| ICACLS Grant Command | File and Directory Permissions Modification | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| IcedID Exfiltrated Archived File Creation | Archive via Utility, Archive Collected Data | Hunting |
| Illegal Access To User Content via PowerSploit modules | Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking | TTP |
| Illegal Account Creation via PowerSploit modules | Establish Accounts | TTP |
| Illegal Deletion of Logs via Mimikatz modules | Indicator Removal on Host | TTP |
| Illegal Enabling or Disabling of Accounts via DSInternals modules | Valid Accounts, Account Manipulation | TTP |
| Illegal Management of Active Directory Elements and Policies via DSInternals modules | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | TTP |
| Illegal Management of Computers and Active Directory Elements via PowerSploit modules | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | TTP |
| Illegal Privilege Elevation and Persistence via PowerSploit modules | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP |
| Illegal Privilege Elevation via Mimikatz modules | Access Token Manipulation, Abuse Elevation Control Mechanism | TTP |
| Illegal Service and Process Control via Mimikatz modules | Process Injection, Native API, System Services | TTP |
| Illegal Service and Process Control via PowerSploit modules | Process Injection, Native API, System Services | TTP |
| Jscript Execution Using Cscript App | Command and Scripting Interpreter, JavaScript | TTP |
| Kerberoasting spn request with RC4 encryption | Kerberoasting, Steal or Forge Kerberos Tickets | TTP |
| Known Services Killed by Ransomware | Inhibit System Recovery | TTP |
| Kubernetes AWS detect suspicious kubectl calls | None | Hunting |
| Kubernetes Nginx Ingress LFI | Exploitation for Credential Access | TTP |
| Kubernetes Nginx Ingress RFI | Exploitation for Credential Access | TTP |
| Kubernetes Scanner Image Pulling | Cloud Service Discovery | TTP |
| Large Volume of DNS ANY Queries | Network Denial of Service, Reflection Amplification | Anomaly |
| Local Account Discovery With Wmic | Account Discovery, Local Account | Hunting |
| Local Account Discovery with Net | Account Discovery, Local Account | Hunting |
| Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP |
| MS Scripting Process Loading Ldap Module | Command and Scripting Interpreter, JavaScript | Anomaly |
| MS Scripting Process Loading WMI Module | Command and Scripting Interpreter, JavaScript | Anomaly |
| MSBuild Suspicious Spawned By Script Process | MSBuild, Trusted Developer Utilities Proxy Execution | TTP |
| MSHTML Module Load in Office Product | Phishing, Spearphishing Attachment | TTP |
| MacOS - Re-opened Applications | None | TTP |
| Mailsniper Invoke functions | Email Collection, Local Email Collection | TTP |
| Malicious InProcServer32 Modification | Regsvr32, Modify Registry | TTP |
| Malicious PowerShell Process - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Malicious PowerShell Process - Execution Policy Bypass | Command and Scripting Interpreter, PowerShell | TTP |
| Malicious PowerShell Process With Obfuscation Techniques | Command and Scripting Interpreter, PowerShell | TTP |
| Malicious Powershell Executed As A Service | System Services, Service Execution | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | TTP |
| Modify ACLs Permission Of Files Or Folders | File and Directory Permissions Modification | Anomaly |
| Monitor Email For Brand Abuse | None | TTP |
| Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP |
| Monitor Web Traffic For Brand Abuse | None | TTP |
| More than usual number of LOLBAS applications in short time period | Command and Scripting Interpreter, Scheduled Task/Job | Anomaly |
| Mshta spawning Rundll32 OR Regsvr32 Process | Signed Binary Proxy Execution, Mshta | TTP |
| Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP |
| Multiple Archive Files Http Post Traffic | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | TTP |
| Multiple Disabled Users Failing To Authenticate From Host Using Kerberos | Password Spraying, Brute Force | Anomaly |
| Multiple Invalid Users Failing To Authenticate From Host Using Kerberos | Password Spraying, Brute Force | Anomaly |
| Multiple Invalid Users Failing To Authenticate From Host Using NTLM | Password Spraying, Brute Force | Anomaly |
| Multiple Okta Users With Invalid Credentials From The Same IP | Valid Accounts, Default Accounts | TTP |
| Multiple Users Attempting To Authenticate Using Explicit Credentials | Password Spraying, Brute Force | Anomaly |
| Multiple Users Failing To Authenticate From Host Using Kerberos | Password Spraying, Brute Force | Anomaly |
Multiple Users Failing To Authenticate From Host Using NTLM Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Process Password Spraying, Brute Force Anomaly
Multiple Users Remotely Failing To Authenticate From Host Password Spraying, Brute Force Anomaly
NET Profiler UAC bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
New container uploaded to AWS ECR Implant Internal Image Hunting
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell TTP
No Windows Updates in a time frame None Hunting
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
O365 Add App Role Assignment Grant User Cloud Account, Create Account TTP
O365 Added Service Principal Cloud Account, Create Account TTP
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses TTP
O365 Disable MFA Modify Authentication Process TTP
O365 Excessive Authentication Failures Alert Brute Force Anomaly
O365 Excessive SSO logon errors Modify Authentication Process Anomaly
O365 New Federated Domain Added Cloud Account, Create Account TTP
O365 PST export alert Email Collection TTP
O365 Suspicious Admin Email Forwarding Email Forwarding Rule, Email Collection Anomaly
O365 Suspicious Rights Delegation Remote Email Collection, Email Collection TTP
O365 Suspicious User Email Forwarding Email Forwarding Rule, Email Collection Anomaly
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Creating Schedule Task Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Signed Binary Proxy Execution, Mshta TTP
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment TTP
Office Product Spawning Wmic Phishing, Spearphishing Attachment TTP
Office Product Writing cab or inf Phishing, Spearphishing Attachment TTP
Office Spawning Control Phishing, Spearphishing Attachment TTP
Okta Account Lockout Events Valid Accounts, Default Accounts Anomaly
Okta Failed SSO Attempts Valid Accounts, Default Accounts Anomaly
Okta User Logins From Multiple Cities Valid Accounts, Default Accounts Anomaly
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features TTP
Password Policy Discovery with Net Password Policy Discovery Hunting
Permission Modification using Takeown App File and Directory Permissions Modification TTP
PetitPotam Network Share Access Request Forced Authentication TTP
PetitPotam Suspicious Kerberos TGT Request OS Credential Dumping TTP
Phishing Email Detection by Machine Learning Method - SSA Phishing Anomaly
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Potential Pass the Token or Hash Observed at the Destination Device Use Alternate Authentication Material, Pass the Hash TTP
Potential Pass the Token or Hash Observed by an Event Collecting Device Use Alternate Authentication Material, Pass the Hash TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Hunting
PowerShell Loading DotNET into Memory via System Reflection Assembly Command and Scripting Interpreter, PowerShell TTP
PowerShell Start-BitsTransfer BITS Jobs TTP
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Remote Thread To Known Windows Process Process Injection TTP
Powershell Using memory As Backing Store Deobfuscate/Decode Files or Information TTP
Prevent Automatic Repair Mode using Bcdedit Inhibit System Recovery TTP
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution TTP
Probing Access with Stolen Credentials via PowerSploit modules Valid Accounts, Account Manipulation TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Process Deleting Its Process File Path Indicator Removal on Host TTP
Process Execution via WMI Windows Management Instrumentation TTP
Process Kill Base On File Path Disable or Modify Tools, Impair Defenses TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
Processes Tapping Keyboard Events None TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses TTP
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Protocol or Port Mismatch Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Protocols passing authentication in cleartext None TTP
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
Rare Parent-Child Process Relationship Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools Anomaly
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information TTP
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules Valid Accounts, Account Discovery, Domain Policy Modification TTP
Reconnaissance and Access to Accounts and Groups via Mimikatz modules Valid Accounts, Account Discovery, Domain Policy Modification TTP
Reconnaissance and Access to Active Directory Infrastructure via PowerSploit modules Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning TTP
Reconnaissance and Access to Computers and Domains via PowerSploit modules Gather Victim Host Information, Gather Victim Network Information, Account Discovery TTP
Reconnaissance and Access to Computers via Mimikatz modules Gather Victim Host Information TTP
Reconnaissance and Access to Operating System Elements via PowerSploit modules Process Discovery, File and Directory Discovery, Software, Network Service Scanning, Query Registry, System Service Discovery, Windows Management Instrumentation, Gather Victim Host Information, Software Discovery TTP
Reconnaissance and Access to Processes and Services via Mimikatz modules System Service Discovery, Network Service Scanning, Process Discovery TTP
Reconnaissance and Access to Shared Resources via Mimikatz modules Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares TTP
Reconnaissance and Access to Shared Resources via PowerSploit modules Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares TTP
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow TTP
Reconnaissance of Connectivity via PowerSploit modules Remote Services, Data from Network Shared Drive, Network Share Discovery, SMB/Windows Admin Shares TTP
Reconnaissance of Credential Stores and Services via Mimikatz modules Account Manipulation, Domain Properties, Valid Accounts, Credentials, Gather Victim Network Information, Exploitation for Privilege Escalation, Gather Victim Identity Information, Network Trust Dependencies TTP
Reconnaissance of Defensive Tools via PowerSploit modules Software, Vulnerability Scanning, Gather Victim Host Information, Active Scanning TTP
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation TTP
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules Create or Modify System Process, Process Injection, Hijack Execution Flow TTP
Recursive Delete of Directory In Batch CMD File Deletion, Indicator Removal on Host TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution TTP
Regsvr32 Silent Param Dll Loading Signed Binary Proxy Execution, Regsvr32 TTP
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
Remcos client registry install entry Modify Registry TTP
Remote Desktop Network Bruteforce Remote Desktop Protocol, Remote Services TTP
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Hunting
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote System Discovery with Adsisearcher Remote System Discovery TTP
Remote System Discovery with Dsquery Remote System Discovery Hunting
Remote System Discovery with Net Remote System Discovery Hunting
Remote System Discovery with Wmic Remote System Discovery TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Resize ShadowStorage volume Inhibit System Recovery TTP
Resize Shadowstorage Volume Service Stop TTP
Revil Common Exec Parameter User Execution TTP
Revil Registry Entry Modify Registry TTP
RunDLL Loading DLL By Ordinal Signed Binary Proxy Execution, Rundll32 TTP
Rundll32 Control RunDLL Hunt Signed Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory Signed Binary Proxy Execution, Rundll32 TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery Signed Binary Proxy Execution, Rundll32 TTP
Rundll32 Process Creating Exe Dll Files Signed Binary Proxy Execution, Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
Rundll32 with no Command Line Arguments with Network Signed Binary Proxy Execution, Rundll32 TTP
Ryuk Test Files Detected Data Encrypted for Impact TTP
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell TTP
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly
SQL Injection with Long URLs Exploit Public-Facing Application TTP
Samsam Test File Write Data Encrypted for Impact TTP
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process TTP
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery Anomaly
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job TTP
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver TTP
Script Execution via WMI Windows Management Instrumentation TTP
Sdclt UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal on Host TTP
SearchProtocolHost with no Command Line with Network Process Injection TTP
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
ServicePrincipalNames Discovery with PowerShell Kerberoasting TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Setting Credentials via DSInternals modules Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation TTP
Setting Credentials via Mimikatz modules Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation TTP
Setting Credentials via PowerSploit modules Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation TTP
Shim Database File Creation Application Shimming, Event Triggered Execution TTP
Shim Database Installation With Suspicious Parameters Application Shimming, Event Triggered Execution TTP
Short Lived Windows Accounts Local Account, Create Account TTP
SilentCleanup UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Single Letter Process On Endpoint User Execution, Malicious File TTP
Spike in File Writes None Anomaly
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation TTP
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution TTP
Sqlite Module In Temp Folder Data from Local System TTP
Start Up During Safe Mode Boot Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Sunburst Correlation DLL and Network Event Exploitation for Client Execution TTP
Supernova Webshell Web Shell TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Curl Network Connection Ingress Tool Transfer TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Suspicious Event Log Service Behavior Indicator Removal on Host, Clear Windows Event Logs TTP
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
Suspicious IcedID Regsvr32 Cmdline Signed Binary Proxy Execution, Regsvr32 TTP
Suspicious IcedID Rundll32 Cmdline Signed Binary Proxy Execution, Rundll32 TTP
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Suspicious Java Classes None Anomaly
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP
Suspicious PlistBuddy Usage Launch Agent, Create or Modify System Process TTP
Suspicious PlistBuddy Usage via OSquery Launch Agent, Create or Modify System Process TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Reg exe Process Modify Registry TTP
Suspicious Regsvr32 Register Suspicious Path Signed Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 PluginInit Signed Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 Rename Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Suspicious Rundll32 StartW Signed Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 dllregisterserver Signed Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 no Command Line Arguments Signed Binary Proxy Execution, Rundll32 TTP
Suspicious SQLite3 LSQuarantine Behavior Data Staged TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
Suspicious WAV file in Appdata Folder Screen Capture TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious mshta child process Signed Binary Proxy Execution, Mshta TTP
Suspicious mshta spawn Signed Binary Proxy Execution, Mshta TTP
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal on Host TTP
Suspicious writes to windows Recycle Bin Masquerading TTP
System Information Discovery Detection System Information Discovery TTP
System Process Running from Unexpected Location Masquerading Anomaly
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities TTP
System User Discovery With Query System Owner/User Discovery Hunting
System User Discovery With Whoami System Owner/User Discovery Hunting
TOR Traffic Application Layer Protocol, Web Protocols TTP
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution TTP
Trickbot Named Pipe Process Injection TTP
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control, Abuse Elevation Control Mechanism TTP
UAC Bypass With Colorui COM Object Signed Binary Proxy Execution, CMSTP TTP
USN Journal Deletion Indicator Removal on Host TTP
Unified Messaging Service Spawning a Process Exploit Public-Facing Application TTP
Uninstall App Using MsiExec Msiexec, Signed Binary Proxy Execution TTP
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses TTP
Unloading AMSI via Reflection Impair Defenses TTP
Unusually Long Command Line None Anomaly
Unusually Long Command Line - MLTK None Anomaly
Unusually Long Content-Type Length None Anomaly
User Discovery With Env Vars PowerShell System Owner/User Discovery Hunting
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery Hunting
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Verclsid CLSID Execution Verclsid, Signed Binary Proxy Execution Hunting
W3WP Spawning Shell Server Software Component, Web Shell TTP
WBAdmin Delete System Backups Inhibit System Recovery TTP
WMI Permanent Event Subscription Windows Management Instrumentation TTP
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution TTP
WMI Recon Running Process Or Services Gather Victim Host Information TTP
WMI Temporary Event Subscription Windows Management Instrumentation TTP
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Wbemprox COM Object Execution Signed Binary Proxy Execution, CMSTP TTP
Web Servers Executing Suspicious Processes System Information Discovery TTP
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses TTP
Wermgr Process Create Executable File Obfuscated Files or Information TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
WevtUtil Usage To Clear Logs Indicator Removal on Host, Clear Windows Event Logs TTP
Wevtutil Usage To Disable Logs Indicator Removal on Host, Clear Windows Event Logs TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WinRM Spawning a Process Exploit Public-Facing Application TTP
Windows AdFind Exe Remote System Discovery TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows Event Log Cleared Indicator Removal on Host, Clear Windows Event Logs TTP
Windows Security Account Manager Stopped Service Stop TTP
Winhlp32 Spawning a Process Process Injection TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Wmic Group Discovery Permission Groups Discovery, Local Groups Hunting
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Hunting
Write Executable in SMB Share Remote Services, SMB/Windows Admin Shares TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP
XMRIG Driver Loaded Windows Service, Create or Modify System Process TTP
XSL Script Execution With WMIC XSL Script Processing TTP
aws detect attach to role policy Valid Accounts Hunting
aws detect permanent key creation Valid Accounts Hunting
aws detect role creation Valid Accounts Hunting
aws detect sts assume role abuse Valid Accounts Hunting
aws detect sts get session token abuse Use Alternate Authentication Material Hunting

Endpoint

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Man-in-the-Middle, ARP Cache Poisoning