Detections

Name	Technique	Type
7zip CommandLine To SMB Share Path	Archive via Utility, Archive Collected Data	Hunting
AWS Cloud Provisioning From Previously Unseen City	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen Country	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen IP Address	None	Anomaly
AWS Cloud Provisioning From Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly
AWS Create Policy Version to allow all resources	Cloud Accounts, Valid Accounts	TTP
AWS CreateAccessKey	Cloud Account, Create Account	Hunting
AWS CreateLoginProfile	Cloud Account, Create Account	TTP
AWS Credential Access Failed Login	Password Guessing	TTP
AWS Credential Access GetPasswordData	Unsecured Credentials	Anomaly
AWS Credential Access RDS Password reset	Password Cracking	TTP
AWS Cross Account Activity From Previously Unseen Account	None	Anomaly
AWS Defense Evasion Delete CloudWatch Log Group	Impair Defenses, Disable Cloud Logs	TTP
AWS Defense Evasion Delete Cloudtrail	Disable Cloud Logs, Impair Defenses	TTP
AWS Defense Evasion Impair Security Services	Disable Cloud Logs, Impair Defenses	Hunting
AWS Defense Evasion PutBucketLifecycle	Disable Cloud Logs, Impair Defenses	Hunting
AWS Defense Evasion Stop Logging Cloudtrail	Disable Cloud Logs, Impair Defenses	TTP
AWS Defense Evasion Update Cloudtrail	Impair Defenses, Disable Cloud Logs	TTP
AWS Detect Users creating keys with encrypt policy without MFA	Data Encrypted for Impact	TTP
AWS Detect Users with KMS keys performing encryption S3	Data Encrypted for Impact	Anomaly
AWS ECR Container Scanning Findings High	Malicious Image, User Execution	TTP
AWS ECR Container Scanning Findings Low Informational Unknown	Malicious Image, User Execution	Hunting
AWS ECR Container Scanning Findings Medium	Malicious Image, User Execution	Anomaly
AWS ECR Container Upload Outside Business Hours	Malicious Image, User Execution	Anomaly
AWS ECR Container Upload Unknown User	Malicious Image, User Execution	Anomaly
AWS EKS Kubernetes cluster sensitive object access	None	Hunting
AWS Excessive Security Scanning	Cloud Service Discovery	TTP
AWS IAM AccessDenied Discovery Events	Cloud Infrastructure Discovery	Anomaly
AWS IAM Assume Role Policy Brute Force	Cloud Infrastructure Discovery, Brute Force	TTP
AWS IAM Delete Policy	Account Manipulation	Hunting
AWS IAM Failure Group Deletion	Account Manipulation	Anomaly
AWS IAM Successful Group Deletion	Cloud Groups, Account Manipulation, Permission Groups Discovery	Hunting
AWS Lambda UpdateFunctionCode	User Execution	Hunting
AWS Network Access Control List Created with All Open Ports	Disable or Modify Cloud Firewall, Impair Defenses	TTP
AWS Network Access Control List Deleted	Disable or Modify Cloud Firewall, Impair Defenses	Anomaly
AWS SAML Access by Provider User and Principal	Valid Accounts	Anomaly
AWS SAML Update identity provider	Valid Accounts	TTP
AWS SetDefaultPolicyVersion	Cloud Accounts, Valid Accounts	TTP
AWS UpdateLoginProfile	Cloud Account, Create Account	TTP
Abnormally High AWS Instances Launched by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Launched by User - MLTK	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User - MLTK	Cloud Accounts	Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Instances Destroyed	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Instances Launched	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Security Group API Calls	Cloud Accounts, Valid Accounts	Anomaly
Access LSASS Memory for Dump Creation	LSASS Memory, OS Credential Dumping	TTP
Account Discovery With Net App	Domain Account, Account Discovery	TTP
Active Setup Registry Autostart	Active Setup, Boot or Logon Autostart Execution	TTP
Add DefaultUser And Password In Registry	Credentials in Registry, Unsecured Credentials	Anomaly
Add or Set Windows Defender Exclusion	Disable or Modify Tools, Impair Defenses	TTP
AdsiSearcher Account Discovery	Domain Account, Account Discovery	TTP
Allow File And Printing Sharing In Firewall	Disable or Modify Cloud Firewall, Impair Defenses	TTP
Allow Inbound Traffic By Firewall Rule Registry	Remote Desktop Protocol, Remote Services	TTP
Allow Inbound Traffic In Firewall Rule	Remote Desktop Protocol, Remote Services	TTP
Allow Network Discovery In Firewall	Disable or Modify Cloud Firewall, Impair Defenses	TTP
Allow Operation with Consent Admin	Abuse Elevation Control Mechanism	TTP
Amazon EKS Kubernetes Pod scan detection	Cloud Service Discovery	Hunting
Amazon EKS Kubernetes cluster scan detection	Cloud Service Discovery	Hunting
Anomalous Usage of Account Credentials	Domain Accounts	Anomaly
Anomalous usage of 7zip	Archive via Utility, Archive Collected Data	Anomaly
Anomalous usage of Archive Tools	Archive via Utility, Archive Collected Data	Anomaly
Any Powershell DownloadFile	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Any Powershell DownloadString	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Attacker Tools On Endpoint	Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning	TTP
Attempt To Add Certificate To Untrusted Store	Install Root Certificate, Subvert Trust Controls	TTP
Attempt To Delete Services	Service Stop, Create or Modify System Process, Windows Service	TTP
Attempt To Disable Services	Service Stop	TTP
Attempt To Stop Security Service	Disable or Modify Tools, Impair Defenses	TTP
Attempted Credential Dump From Registry via Reg exe	Security Account Manager, OS Credential Dumping	TTP
Attempted Credential Dump From Registry via Reg exe	OS Credential Dumping, Security Account Manager	TTP
Auto Admin Logon Registry Entry	Credentials in Registry, Unsecured Credentials	TTP
Azure AD Authentication Failed During MFA Challenge	Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
Azure AD External Guest User Invited	Cloud Account	TTP
Azure AD Global Administrator Role Assigned	Additional Cloud Roles	TTP
Azure AD Multi-Factor Authentication Disabled	Modify Authentication Process	TTP
Azure AD Multiple Failed MFA Requests For User	Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts	Anomaly
Azure AD Multiple Users Failing To Authenticate From Ip	Brute Force, Password Spraying	Anomaly
Azure AD New Custom Domain Added	Domain Policy Modification, Domain Trust Modification	TTP
Azure AD New Federated Domain Added	Domain Policy Modification, Domain Trust Modification	TTP
Azure AD Privileged Role Assigned	Account Manipulation, Additional Cloud Roles	TTP
Azure AD Service Principal Created	Cloud Account	TTP
Azure AD Service Principal New Client Credentials	Account Manipulation, Additional Cloud Credentials	TTP
Azure AD Service Principal Owner Added	Account Manipulation	TTP
Azure AD Successful PowerShell Authentication	Valid Accounts, Cloud Accounts	TTP
Azure AD Successful Single-Factor Authentication	Security Account Manager	TTP
Azure AD Unusual Number of Failed Authentications From Ip	Brute Force, Password Spraying	Anomaly
Azure AD User Enabled And Password Reset	Account Manipulation	TTP
Azure AD User ImmutableId Attribute Updated	Account Manipulation	TTP
Azure Active Directory High Risk Sign-in	Brute Force, Password Spraying	TTP
Azure Automation Account Created	Create Account, Cloud Account	TTP
Azure Automation Runbook Created	Create Account, Cloud Account	TTP
Azure Runbook Webhook Created	Valid Accounts, Cloud Accounts	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
BITS Job Persistence	BITS Jobs	TTP
BITSAdmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
Batch File Write to System32	User Execution, Malicious File	TTP
Bcdedit Command Back To Normal Mode Boot	Inhibit System Recovery	TTP
CHCP Command Execution	Command and Scripting Interpreter	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
CMD Echo Pipe - Escalation	Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process	TTP
CMLUA Or CMSTPLUA UAC Bypass	System Binary Proxy Execution, CMSTP	TTP
CSC Net On The Fly Compilation	Compile After Delivery, Obfuscated Files or Information	Hunting
CertUtil Download With URLCache and Split Arguments	Ingress Tool Transfer	TTP
CertUtil Download With VerifyCtl and Split Arguments	Ingress Tool Transfer	TTP
CertUtil With Decode Argument	Deobfuscate/Decode Files or Information	TTP
Certutil exe certificate extraction	None	TTP
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Change To Safe Mode With Network Config	Inhibit System Recovery	TTP
Check Elevated CMD using whoami	System Owner/User Discovery	TTP
Child Processes of Spoolsv exe	Exploitation for Privilege Escalation	TTP
Circle CI Disable Security Job	Compromise Client Software Binary	Anomaly
Circle CI Disable Security Step	Compromise Client Software Binary	Anomaly
Clear Unallocated Sector Using Cipher App	File Deletion, Indicator Removal on Host	TTP
Clear Unallocated Sector Using Cipher App	File Deletion, Indicator Removal on Host	TTP
Clients Connecting to Multiple DNS Servers	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Clop Common Exec Parameter	User Execution	TTP
Clop Ransomware Known Service Name	Create or Modify System Process	TTP
Cloud API Calls From Previously Unseen User Roles	Valid Accounts	Anomaly
Cloud Compute Instance Created By Previously Unseen User	Cloud Accounts, Valid Accounts	Anomaly
Cloud Compute Instance Created In Previously Unused Region	Unused/Unsupported Cloud Regions	Anomaly
Cloud Compute Instance Created With Previously Unseen Image	None	Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type	None	Anomaly
Cloud Instance Modified By Previously Unseen User	Cloud Accounts, Valid Accounts	Anomaly
Cloud Network Access Control List Deleted	None	Anomaly
Cloud Provisioning Activity From Previously Unseen City	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen Country	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen IP Address	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen Region	Valid Accounts	Anomaly
Cmdline Tool Not Executed In CMD Shell	Command and Scripting Interpreter, JavaScript	TTP
Cobalt Strike Named Pipes	Process Injection	TTP
Common Ransomware Extensions	Data Destruction	Hunting
Common Ransomware Notes	Data Destruction	Hunting
Confluence Unauthenticated Remote Code Execution CVE-2022-26134	Server Software Component, Exploit Public-Facing Application	TTP
Conti Common Exec parameter	User Execution	TTP
Control Loading from World Writable Directory	System Binary Proxy Execution, Control Panel	TTP
Correlation by Repository and Risk	Malicious Image, User Execution	Correlation
Correlation by User and Risk	Malicious Image, User Execution	Correlation
Create Remote Thread In Shell Application	Process Injection	TTP
Create Remote Thread into LSASS	LSASS Memory, OS Credential Dumping	TTP
Create local admin accounts using net exe	Local Account, Create Account	TTP
Create or delete windows shares using net exe	Indicator Removal on Host, Network Share Connection Removal	TTP
Creation of Shadow Copy	NTDS, OS Credential Dumping	TTP
Creation of Shadow Copy with wmic and powershell	NTDS, OS Credential Dumping	TTP
Creation of lsass Dump with Taskmgr	LSASS Memory, OS Credential Dumping	TTP
Credential Dumping via Copy Command from Shadow Copy	NTDS, OS Credential Dumping	TTP
Credential Dumping via Symlink to Shadow Copy	NTDS, OS Credential Dumping	TTP
Credential ExtractionFGDump and CacheDump	OS Credential Dumping, Security Account Manager	TTP
Curl Download and Bash Execution	Ingress Tool Transfer	TTP
DLLHost with no Command Line Arguments with Network	Process Injection	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Query Length Outliers - MLTK	DNS, Application Layer Protocol	Anomaly
DNS Query Length With High Standard Deviation	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
DNS Query Requests Resolved by Unauthorized DNS Servers	DNS	TTP
DNS record changed	DNS	TTP
DSQuery Domain Discovery	Domain Trust Discovery	TTP
Delete A Net User	Account Access Removal	Anomaly
Delete ShadowCopy With PowerShell	Inhibit System Recovery	TTP
Deleting Of Net Users	Account Access Removal	TTP
Deleting Shadow Copies	Inhibit System Recovery	TTP
Deny Permission using Cacls Utility	File and Directory Permissions Modification	TTP
Detect API activity from users without MFA	None	Hunting
Detect ARP Poisoning	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect AWS API Activities From Unapproved Accounts	Cloud Accounts	Hunting
Detect AWS Console Login by New User	None	Hunting
Detect AWS Console Login by User from New City	Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Country	Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Region	Unused/Unsupported Cloud Regions	Hunting
Detect Activity Related to Pass the Hash Attacks	Use Alternate Authentication Material, Pass the Hash	TTP
Detect AzureHound Command-Line Arguments	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect AzureHound File Modifications	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect Baron Samedit CVE-2021-3156	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 Segfault	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery	Exploitation for Privilege Escalation	TTP
Detect Computer Changed with Anonymous Account	Exploitation of Remote Services	Hunting
Detect Copy of ShadowCopy with Script Block Logging	Security Account Manager, OS Credential Dumping	TTP
Detect Credential Dumping through LSASS access	LSASS Memory, OS Credential Dumping	TTP
Detect DNS requests to Phishing Sites leveraging EvilGinx2	Spearphishing via Service	TTP
Detect Empire with PowerShell Script Block Logging	Command and Scripting Interpreter, PowerShell	TTP
Detect Excessive Account Lockouts From Endpoint	Valid Accounts, Domain Accounts	Anomaly
Detect Excessive User Account Lockouts	Valid Accounts, Local Accounts	Anomaly
Detect Exchange Web Shell	Server Software Component, Web Shell, Exploit Public-Facing Application	TTP
Detect F5 TMUI RCE CVE-2020-5902	Exploit Public-Facing Application	TTP
Detect GCP Storage access from a new IP	Data from Cloud Storage Object	Anomaly
Detect HTML Help Renamed	System Binary Proxy Execution, Compiled HTML File	Hunting
Detect HTML Help Spawn Child Process	System Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help URL in Command Line	System Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help Using InfoTech Storage Handlers	System Binary Proxy Execution, Compiled HTML File	TTP
Detect IPv6 Network Infrastructure Threats	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Kerberoasting	Kerberoasting, Steal or Forge Kerberos Tickets	TTP
Detect Large Outbound ICMP Packets	Non-Application Layer Protocol	TTP
Detect Long DNS TXT Record Response	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Detect MSHTA Url in Command Line	System Binary Proxy Execution, Mshta	TTP
Detect Mimikatz Using Loaded Images	LSASS Memory, OS Credential Dumping	TTP
Detect Mimikatz Via PowerShell And EventCode 4703	LSASS Memory	TTP
Detect Mimikatz With PowerShell Script Block Logging	OS Credential Dumping, PowerShell	TTP
Detect New Local Admin account	Local Account, Create Account	TTP
Detect New Login Attempts to Routers	None	TTP
Detect New Open GCP Storage Buckets	Data from Cloud Storage Object	TTP
Detect New Open S3 Buckets over AWS CLI	Data from Cloud Storage Object	TTP
Detect New Open S3 buckets	Data from Cloud Storage Object	TTP
Detect Outbound LDAP Traffic	Exploit Public-Facing Application, Command and Scripting Interpreter	Hunting
Detect Outbound SMB Traffic	File Transfer Protocols, Application Layer Protocol	TTP
Detect Outlook exe writing a zip file	Phishing, Spearphishing Attachment	TTP
Detect Path Interception By Creation Of program exe	Path Interception by Unquoted Path, Hijack Execution Flow	TTP
Detect Port Security Violation	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter	Anomaly
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter, Windows Command Shell	Hunting
Detect PsExec With accepteula Flag	Remote Services, SMB/Windows Admin Shares	TTP
Detect RClone Command-Line Usage	Automated Exfiltration	TTP
Detect RClone Command-Line Usage	Automated Exfiltration	TTP
Detect Rare Executables	None	Anomaly
Detect Regasm Spawning a Process	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with Network Connection	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with no Command Line Arguments	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs Spawning a Process	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with Network Connection	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with No Command Line Arguments	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvr32 Application Control Bypass	System Binary Proxy Execution, Regsvr32	TTP
Detect Renamed 7-Zip	Archive via Utility, Archive Collected Data	Hunting
Detect Renamed PSExec	System Services, Service Execution	Hunting
Detect Renamed RClone	Automated Exfiltration	Hunting
Detect Renamed WinRAR	Archive via Utility, Archive Collected Data	Hunting
Detect Risky SPL using Pretrained ML Model	Command and Scripting Interpreter	Anomaly
Detect Rogue DHCP Server	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle	TTP
Detect Rundll32 Application Control Bypass - advpack	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - setupapi	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - syssetup	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP
Detect S3 access from a new IP	Data from Cloud Storage Object	Anomaly
Detect SNICat SNI Exfiltration	Exfiltration Over C2 Channel	TTP
Detect SharpHound Command-Line Arguments	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect SharpHound File Modifications	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect SharpHound Usage	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect Software Download To Network Device	TFTP Boot, Pre-OS Boot	TTP
Detect Spike in AWS API Activity	Cloud Accounts	Anomaly
Detect Spike in AWS Security Hub Alerts for EC2 Instance	None	Anomaly
Detect Spike in AWS Security Hub Alerts for User	None	Anomaly
Detect Spike in Network ACL Activity	Disable or Modify Cloud Firewall	Anomaly
Detect Spike in S3 Bucket deletion	Data from Cloud Storage Object	Anomaly
Detect Spike in Security Group Activity	Cloud Accounts	Anomaly
Detect Spike in blocked Outbound Traffic from your AWS	None	Anomaly
Detect Traffic Mirroring	Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication	TTP
Detect USB device insertion	None	TTP
Detect Unauthorized Assets by MAC address	None	TTP
Detect Use of cmd exe to Launch Script Interpreters	Command and Scripting Interpreter, Windows Command Shell	TTP
Detect WMI Event Subscription Persistence	Windows Management Instrumentation Event Subscription, Event Triggered Execution	TTP
Detect Windows DNS SIGRed via Splunk Stream	Exploitation for Client Execution	TTP
Detect Windows DNS SIGRed via Zeek	Exploitation for Client Execution	TTP
Detect Zerologon via Zeek	Exploit Public-Facing Application	TTP
Detect attackers scanning for vulnerable JBoss servers	System Information Discovery	TTP
Detect hosts connecting to dynamic domain providers	Drive-by Compromise	TTP
Detect malicious requests to exploit JBoss servers	None	TTP
Detect mshta inline hta execution	System Binary Proxy Execution, Mshta	TTP
Detect mshta renamed	System Binary Proxy Execution, Mshta	Hunting
Detect new API calls from user roles	Cloud Accounts	Anomaly
Detect new user AWS Console Login	Cloud Accounts	Hunting
Detect processes used for System Network Configuration Discovery	System Network Configuration Discovery	TTP
Detect shared ec2 snapshot	Transfer Data to Cloud Account	TTP
Detect web traffic to dynamic domain providers	Web Protocols	TTP
Detection of DNS Tunnels	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Detection of tools built by NirSoft	Software Deployment Tools	TTP
Disable AMSI Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender AntiVirus Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender AntiVirus Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender BlockAtFirstSeen Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Enhanced Notification	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender MpEngine Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Spynet Reporting	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Submit Samples Consent Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable ETW Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Logs Using WevtUtil	Indicator Removal on Host, Clear Windows Event Logs	TTP
Disable Net User Account	Service Stop, Valid Accounts	TTP
Disable Registry Tool	Disable or Modify Tools, Impair Defenses	TTP
Disable Schedule Task	Disable or Modify Tools, Impair Defenses	TTP
Disable Security Logs Using MiniNt Registry	Modify Registry	TTP
Disable Show Hidden Files	Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses	TTP
Disable UAC Remote Restriction	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disable Windows App Hotkeys	Disable or Modify Tools, Impair Defenses	TTP
Disable Windows Behavior Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Disable Windows SmartScreen Protection	Disable or Modify Tools, Impair Defenses	TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Disabling CMD Application	Disable or Modify Tools, Impair Defenses	TTP
Disabling ControlPanel	Disable or Modify Tools, Impair Defenses	TTP
Disabling Defender Services	Disable or Modify Tools, Impair Defenses	TTP
Disabling Firewall with Netsh	Disable or Modify Tools, Impair Defenses	TTP
Disabling FolderOptions Windows Feature	Disable or Modify Tools, Impair Defenses	TTP
Disabling Net User Account	Account Access Removal	TTP
Disabling NoRun Windows App	Disable or Modify Tools, Impair Defenses	TTP
Disabling Remote User Account Control	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disabling SystemRestore In Registry	Inhibit System Recovery	TTP
Disabling Task Manager	Disable or Modify Tools, Impair Defenses	TTP
Domain Account Discovery With Net App	Domain Account, Account Discovery	TTP
Domain Account Discovery with Dsquery	Domain Account, Account Discovery	Hunting
Domain Account Discovery with Wmic	Domain Account, Account Discovery	TTP
Domain Controller Discovery with Nltest	Remote System Discovery	TTP
Domain Controller Discovery with Wmic	Remote System Discovery	Hunting
Domain Group Discovery With Dsquery	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery With Net	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery With Wmic	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery with Adsisearcher	Permission Groups Discovery, Domain Groups	TTP
Download Files Using Telegram	Ingress Tool Transfer	TTP
Drop IcedID License dat	User Execution, Malicious File	Hunting
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump Rename	LSASS Memory	Hunting
EC2 Instance Modified With Previously Unseen User	Cloud Accounts	Anomaly
EC2 Instance Started In Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly
EC2 Instance Started With Previously Unseen AMI	None	Anomaly
EC2 Instance Started With Previously Unseen Instance Type	None	Anomaly
EC2 Instance Started With Previously Unseen User	Cloud Accounts	Anomaly
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Elevated Group Discovery With Net	Permission Groups Discovery, Domain Groups	TTP
Elevated Group Discovery With Wmic	Permission Groups Discovery, Domain Groups	TTP
Elevated Group Discovery with PowerView	Permission Groups Discovery, Domain Groups	Hunting
Email Attachments With Lots Of Spaces	None	Anomaly
Email files written outside of the Outlook directory	Email Collection, Local Email Collection	TTP
Email servers sending high volume traffic to hosts	Email Collection, Remote Email Collection	Anomaly
Enable RDP In Other Port Number	Remote Services	TTP
Enable WDigest UseLogonCredential Registry	Modify Registry, OS Credential Dumping	TTP
Enumerate Users Local Group Using Telegram	Account Discovery	TTP
Esentutl SAM Copy	Security Account Manager, OS Credential Dumping	Hunting
Eventvwr UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Excel Spawning PowerShell	Security Account Manager, OS Credential Dumping	TTP
Excel Spawning Windows Script Host	Security Account Manager, OS Credential Dumping	TTP
Excessive Attempt To Disable Services	Service Stop	Anomaly
Excessive DNS Failures	DNS, Application Layer Protocol	Anomaly
Excessive File Deletion In WinDefender Folder	Data Destruction	TTP
Excessive Number of Office Files Copied	Exfiltration Over Unencrypted Non-C2 Protocol	Anomaly
Excessive Service Stop Attempt	Service Stop	Anomaly
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Excessive Usage Of Net App	Account Access Removal	Anomaly
Excessive Usage Of SC Service Utility	System Services, Service Execution	Anomaly
Excessive Usage Of Taskkill	Disable or Modify Tools, Impair Defenses	Anomaly
Excessive Usage of NSLOOKUP App	Exfiltration Over Alternative Protocol	Anomaly
Excessive distinct processes from Windows Temp	Command and Scripting Interpreter	Anomaly
Excessive number of service control start as disabled	Disable or Modify Tools, Impair Defenses	Anomaly
Excessive number of taskhost processes	Command and Scripting Interpreter	Anomaly
Exchange PowerShell Abuse via SSRF	Exploit Public-Facing Application	TTP
Exchange PowerShell Module Usage	Command and Scripting Interpreter, PowerShell	TTP
Executable File Written in Administrative SMB Share	Remote Services, SMB/Windows Admin Shares	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	TTP
Execute Javascript With Jscript COM CLSID	Command and Scripting Interpreter, Visual Basic	TTP
Execution of File With Spaces Before Extension	Rename System Utilities	TTP
Execution of File with Multiple Extensions	Masquerading, Rename System Utilities	TTP
Extended Period Without Successful Netbackup Backups	None	Hunting
Extraction of Registry Hives	Security Account Manager, OS Credential Dumping	TTP
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Exploit Public-Facing Application	TTP
File with Samsam Extension	None	TTP
Firewall Allowed Program Enable	Disable or Modify System Firewall, Impair Defenses	Anomaly
First Time Seen Child Process of Zoom	Exploitation for Privilege Escalation	Anomaly
First Time Seen Running Windows Service	System Services, Service Execution	Anomaly
First time seen command line argument	Command and Scripting Interpreter, Indirect Command Execution	Anomaly
First time seen command line argument	PowerShell, Windows Command Shell	Hunting
FodHelper UAC Bypass	Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Fsutil Zeroing File	Indicator Removal on Host	TTP
Fsutil Zeroing File	Indicator Removal on Host	TTP
GCP Detect accounts with high risk roles by project	Valid Accounts	Hunting
GCP Detect gcploit framework	Valid Accounts	TTP
GCP Detect high risk permissions by resource and account	Valid Accounts	Hunting
GCP Kubernetes cluster pod scan detection	Cloud Service Discovery	Hunting
GCP Kubernetes cluster scan detection	Cloud Service Discovery	TTP
GPUpdate with no Command Line Arguments with Network	Process Injection	TTP
GSuite Email Suspicious Attachment	Spearphishing Attachment, Phishing	Anomaly
Gdrive suspicious file sharing	Phishing	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell	Password Policy Discovery	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Password Policy Discovery	Hunting
Get ADUser with PowerShell	Domain Account, Account Discovery	Hunting
Get ADUser with PowerShell Script Block	Domain Account, Account Discovery	Hunting
Get ADUserResultantPasswordPolicy with Powershell	Password Policy Discovery	TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block	Password Policy Discovery	TTP
Get DomainPolicy with Powershell	Password Policy Discovery	TTP
Get DomainPolicy with Powershell Script Block	Password Policy Discovery	TTP
Get DomainUser with PowerShell	Domain Account, Account Discovery	TTP
Get DomainUser with PowerShell Script Block	Domain Account, Account Discovery	TTP
Get WMIObject Group Discovery	Permission Groups Discovery, Local Groups	Hunting
Get WMIObject Group Discovery with Script Block Logging	Permission Groups Discovery, Local Groups	Hunting
Get-DomainTrust with PowerShell	Domain Trust Discovery	TTP
Get-DomainTrust with PowerShell Script Block	Domain Trust Discovery	TTP
Get-ForestTrust with PowerShell	Domain Trust Discovery	TTP
Get-ForestTrust with PowerShell Script Block	Domain Trust Discovery, PowerShell	TTP
GetAdComputer with PowerShell	Remote System Discovery	Hunting
GetAdComputer with PowerShell Script Block	Remote System Discovery	Hunting
GetAdGroup with PowerShell	Permission Groups Discovery, Domain Groups	Hunting
GetAdGroup with PowerShell Script Block	Permission Groups Discovery, Domain Groups	Hunting
GetCurrent User with PowerShell	System Owner/User Discovery	Hunting
GetCurrent User with PowerShell Script Block	System Owner/User Discovery	Hunting
GetDomainComputer with PowerShell	Remote System Discovery	TTP
GetDomainComputer with PowerShell Script Block	Remote System Discovery	TTP
GetDomainController with PowerShell	Remote System Discovery	Hunting
GetDomainController with PowerShell Script Block	Remote System Discovery	TTP
GetDomainGroup with PowerShell	Permission Groups Discovery, Domain Groups	TTP
GetDomainGroup with PowerShell Script Block	Permission Groups Discovery, Domain Groups	TTP
GetLocalUser with PowerShell	Account Discovery, Local Account	Hunting
GetLocalUser with PowerShell Script Block	Account Discovery, Local Account, PowerShell	Hunting
GetNetTcpconnection with PowerShell	System Network Connections Discovery	Hunting
GetNetTcpconnection with PowerShell Script Block	System Network Connections Discovery	Hunting
GetWmiObject DS User with PowerShell	Domain Account, Account Discovery	TTP
GetWmiObject DS User with PowerShell Script Block	Domain Account, Account Discovery	TTP
GetWmiObject Ds Computer with PowerShell	Remote System Discovery	TTP
GetWmiObject Ds Computer with PowerShell Script Block	Remote System Discovery	TTP
GetWmiObject Ds Group with PowerShell	Permission Groups Discovery, Domain Groups	TTP
GetWmiObject Ds Group with PowerShell Script Block	Permission Groups Discovery, Domain Groups	TTP
GetWmiObject User Account with PowerShell	Account Discovery, Local Account	Hunting
GetWmiObject User Account with PowerShell Script Block	Account Discovery, Local Account, PowerShell	Hunting
GitHub Actions Disable Security Workflow	Compromise Software Supply Chain, Supply Chain Compromise	Anomaly
GitHub Dependabot Alert	Compromise Software Dependencies and Development Tools, Supply Chain Compromise	Anomaly
GitHub Pull Request from Unknown User	Compromise Software Dependencies and Development Tools, Supply Chain Compromise	Anomaly
Github Commit Changes In Master	Trusted Relationship	Anomaly
Github Commit In Develop	Trusted Relationship	Anomaly
Grant Permission Using Cacls Utility	File and Directory Permissions Modification	TTP
Gsuite Drive Share In External Email	Exfiltration to Cloud Storage, Exfiltration Over Web Service	Anomaly
Gsuite Email Suspicious Subject With Attachment	Spearphishing Attachment, Phishing	Anomaly
Gsuite Email With Known Abuse Web Service Link	Spearphishing Attachment, Phishing	Anomaly
Gsuite Outbound Email With Attachment To External Domain	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
Gsuite Suspicious Shared File Name	Spearphishing Attachment, Phishing	Anomaly
Gsuite suspicious calendar invite	Phishing	Hunting
Hide User Account From Sign-In Screen	Disable or Modify Tools, Impair Defenses	TTP
Hiding Files And Directories With Attrib exe	File and Directory Permissions Modification, Windows File and Directory Permissions Modification	TTP
Hiding Files And Directories With Attrib exe	Windows File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
High File Deletion Frequency	Data Destruction	Anomaly
High Frequency Copy Of Files In Network Share	Transfer Data to Cloud Account	Anomaly
High Number of Login Failures from a single source	Password Guessing, Brute Force	Anomaly
High Process Termination Frequency	Data Encrypted for Impact	Anomaly
Hosts receiving high volume of network traffic from email server	Remote Email Collection, Email Collection	Anomaly
Hunting for Log4Shell	Exploit Public-Facing Application	Hunting
ICACLS Grant Command	File and Directory Permissions Modification	TTP
Icacls Deny Command	File and Directory Permissions Modification	TTP
IcedID Exfiltrated Archived File Creation	Archive via Utility, Archive Collected Data	Hunting
Identify New User Accounts	Domain Accounts	Hunting
Impacket Lateral Movement Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Interactive Session on Remote Endpoint with PowerShell	Remote Services, Windows Remote Management	TTP
Java Class File download by Java User Agent	Exploit Public-Facing Application	TTP
Java Writing JSP File	Exploit Public-Facing Application	TTP
Jscript Execution Using Cscript App	Command and Scripting Interpreter, JavaScript	TTP
Kerberoasting spn request with RC4 encryption	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Kerberos Service Ticket Request Using RC4 Encryption	Steal or Forge Kerberos Tickets, Golden Ticket	TTP
Kerberos TGT Request Using RC4 Encryption	Use Alternate Authentication Material	TTP
Kerberos User Enumeration	Gather Victim Identity Information, Email Addresses	Anomaly
Known Services Killed by Ransomware	Inhibit System Recovery	TTP
Kubernetes AWS detect RBAC authorization by account	None	Hunting
Kubernetes AWS detect most active service accounts by pod	None	Hunting
Kubernetes AWS detect sensitive role access	None	Hunting
Kubernetes AWS detect service accounts forbidden failure access	None	Hunting
Kubernetes AWS detect suspicious kubectl calls	None	Hunting
Kubernetes Azure active service accounts by pod namespace	None	Hunting
Kubernetes Azure detect RBAC authorization by account	None	Hunting
Kubernetes Azure detect sensitive object access	None	Hunting
Kubernetes Azure detect sensitive role access	None	Hunting
Kubernetes Azure detect service accounts forbidden failure access	None	Hunting
Kubernetes Azure detect suspicious kubectl calls	None	Hunting
Kubernetes Azure pod scan fingerprint	None	Hunting
Kubernetes Azure scan fingerprint	Cloud Service Discovery	Hunting
Kubernetes GCP detect RBAC authorizations by account	None	Hunting
Kubernetes GCP detect most active service accounts by pod	None	Hunting
Kubernetes GCP detect sensitive object access	None	Hunting
Kubernetes GCP detect sensitive role access	None	Hunting
Kubernetes GCP detect service accounts forbidden failure access	None	Hunting
Kubernetes GCP detect suspicious kubectl calls	None	Hunting
Kubernetes Nginx Ingress LFI	Exploitation for Credential Access	TTP
Kubernetes Nginx Ingress RFI	Exploitation for Credential Access	TTP
Kubernetes Scanner Image Pulling	Cloud Service Discovery	TTP
Large Volume of DNS ANY Queries	Network Denial of Service, Reflection Amplification	Anomaly
Linux APT Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux AWK Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Account Manipulation Of SSH Config and Keys	Data Destruction, File Deletion, Indicator Removal on Host	Anomaly
Linux Add Files In Known Crontab Directories	Cron, Scheduled Task/Job	Anomaly
Linux Add User Account	Local Account, Create Account	Hunting
Linux Adding Crontab Using List Parameter	Cron, Scheduled Task/Job	Hunting
Linux At Allow Config File Creation	Cron, Scheduled Task/Job	Anomaly
Linux At Application Execution	At, Scheduled Task/Job	Anomaly
Linux Busybox Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Change File Owner To Root	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	Anomaly
Linux Clipboard Data Copy	Clipboard Data	Anomaly
Linux Common Process For Elevation Control	Setuid and Setgid, Abuse Elevation Control Mechanism	Hunting
Linux Composer Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Cpulimit Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Csvtool Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Curl Upload File	Ingress Tool Transfer	TTP
Linux DD File Overwrite	Data Destruction	TTP
Linux Decode Base64 to Shell	Obfuscated Files or Information, Unix Shell	TTP
Linux Deleting Critical Directory Using RM Command	Data Destruction	TTP
Linux Deletion Of Cron Jobs	Data Destruction, File Deletion, Indicator Removal on Host	Anomaly
Linux Deletion Of Init Daemon Script	Data Destruction, File Deletion, Indicator Removal on Host	TTP
Linux Deletion Of Services	Data Destruction, File Deletion, Indicator Removal on Host	TTP
Linux Deletion of SSL Certificate	Data Destruction, File Deletion, Indicator Removal on Host	Anomaly
Linux Disable Services	Service Stop	TTP
Linux Doas Conf File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Tool Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Docker Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Edit Cron Table Parameter	Cron, Scheduled Task/Job	Hunting
Linux Emacs Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux File Created In Kernel Driver Directory	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux File Creation In Init Boot Directory	RC Scripts, Boot or Logon Initialization Scripts	Anomaly
Linux File Creation In Profile Directory	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Find Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GDB Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GNU Awk Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Gem Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux High Frequency Of File Deletion In Boot Folder	Data Destruction, File Deletion, Indicator Removal on Host	TTP
Linux High Frequency Of File Deletion In Etc Folder	Data Destruction, File Deletion, Indicator Removal on Host	Anomaly
Linux Ingress Tool Transfer Hunting	Ingress Tool Transfer	Hunting
Linux Ingress Tool Transfer with Curl	Ingress Tool Transfer	Anomaly
Linux Insert Kernel Module Using Insmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Install Kernel Module Using Modprobe Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Iptables Firewall Modification	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Java Spawning Shell	Exploit Public-Facing Application	TTP
Linux Kernel Module Enumeration	System Information Discovery, Rootkit	Anomaly
Linux Kworker Process In Writable Process Path	Masquerade Task or Service, Masquerading	Hunting
Linux Make Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux MySQL Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux NOPASSWD Entry In Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Node Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Obfuscated Files or Information Base64 Decode	Obfuscated Files or Information	Anomaly
Linux Octave Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux OpenVPN Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux PHP Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Persistence and Privilege Escalation Risk Behavior	Abuse Elevation Control Mechanism	Correlation
Linux Possible Access Or Modification Of sshd Config File	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Possible Access To Credential Files	/etc/passwd and /etc/shadow, OS Credential Dumping	Anomaly
Linux Possible Access To Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Possible Append Command To At Allow Config File	At, Scheduled Task/Job	Anomaly
Linux Possible Append Command To Profile Config File	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File	Cron, Scheduled Task/Job	Hunting
Linux Possible Cronjob Modification With Editor	Cron, Scheduled Task/Job	Hunting
Linux Possible Ssh Key File Creation	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Preload Hijack Library Calls	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Proxy Socks Curl	Proxy, Non-Application Layer Protocol	TTP
Linux Puppet Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux RPM Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Ruby Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux SSH Authorized Keys Modification	SSH Authorized Keys	Anomaly
Linux SSH Remote Services Script Execute	SSH	TTP
Linux Service File Created In Systemd Directory	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Started Or Enabled	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Setuid Using Chmod Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Setuid Using Setcap Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Shred Overwrite Command	Data Destruction	TTP
Linux Sqlite3 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Stdout Redirection To Dev Null File	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Stop Services	Service Stop	TTP
Linux Sudo OR Su Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Hunting
Linux Sudoers Tmp File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux System Network Discovery	System Network Configuration Discovery	Anomaly
Linux Visudo Utility Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux apt-get Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c89 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c99 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux pkexec Privilege Escalation	Exploitation for Privilege Escalation	TTP
Living Off The Land	Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter	Correlation
Loading Of Dynwrapx Module	Process Injection, Dynamic-link Library Injection	TTP
Local Account Discovery With Wmic	Account Discovery, Local Account	Hunting
Local Account Discovery with Net	Account Discovery, Local Account	Hunting
Log4Shell CVE-2021-44228 Exploitation	Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter	Correlation
Log4Shell JNDI Payload Injection Attempt	Exploit Public-Facing Application	Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection	Exploit Public-Facing Application	Anomaly
Logon Script Event Trigger Execution	Boot or Logon Initialization Scripts, Logon Script (Windows)	TTP
MS Exchange Mailbox Replication service writing Active Server Pages	Server Software Component, Web Shell, Exploit Public-Facing Application	TTP
MS Scripting Process Loading Ldap Module	Command and Scripting Interpreter, JavaScript	Anomaly
MS Scripting Process Loading WMI Module	Command and Scripting Interpreter, JavaScript	Anomaly
MSBuild Suspicious Spawned By Script Process	MSBuild, Trusted Developer Utilities Proxy Execution	TTP
MSHTML Module Load in Office Product	Phishing, Spearphishing Attachment	TTP
MSI Module Loaded by Non-System Binary	DLL Side-Loading, Hijack Execution Flow	Hunting
MacOS - Re-opened Applications	None	TTP
MacOS LOLbin	Unix Shell, Command and Scripting Interpreter	TTP
MacOS plutil	Plist File Modification	TTP
Mailsniper Invoke functions	Email Collection, Local Email Collection	TTP
Malicious InProcServer32 Modification	Regsvr32, Modify Registry	TTP
Malicious PowerShell Process - Encoded Command	Obfuscated Files or Information	Hunting
Malicious PowerShell Process - Execution Policy Bypass	Command and Scripting Interpreter, PowerShell	TTP
Malicious PowerShell Process With Obfuscation Techniques	Command and Scripting Interpreter, PowerShell	TTP
Malicious Powershell Executed As A Service	System Services, Service Execution	TTP
Mimikatz PassTheTicket CommandLine Parameters	Use Alternate Authentication Material, Pass the Ticket	TTP
Mmc LOLBAS Execution Process Spawn	Remote Services, Distributed Component Object Model, MMC	TTP
Modification Of Wallpaper	Defacement	TTP
Modify ACL permission To Files Or Folder	File and Directory Permissions Modification	Anomaly
Modify ACLs Permission Of Files Or Folders	File and Directory Permissions Modification	Anomaly
Monitor DNS For Brand Abuse	None	TTP
Monitor Email For Brand Abuse	None	TTP
Monitor Registry Keys for Print Monitors	Port Monitors, Boot or Logon Autostart Execution	TTP
Monitor Web Traffic For Brand Abuse	None	TTP
Mshta spawning Rundll32 OR Regsvr32 Process	System Binary Proxy Execution, Mshta	TTP
Msmpeng Application DLL Side Loading	DLL Side-Loading, Hijack Execution Flow	TTP
Multiple Archive Files Http Post Traffic	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
Multiple Invalid Users Failing To Authenticate From Host Using NTLM	Password Spraying, Brute Force	Anomaly
Multiple Okta Users With Invalid Credentials From The Same IP	Valid Accounts, Default Accounts	TTP
Multiple Users Failing To Authenticate From Host Using Kerberos	Password Spraying, Brute Force	Anomaly
Multiple Users Failing To Authenticate From Host Using NTLM	Password Spraying, Brute Force	Anomaly
Multiple Users Failing To Authenticate From Process	Password Spraying, Brute Force	Anomaly
Multiple Users Remotely Failing To Authenticate From Host	Password Spraying, Brute Force	Anomaly
NET Profiler UAC bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
NLTest Domain Trust Discovery	Domain Trust Discovery	TTP
Net Localgroup Discovery	Permission Groups Discovery, Local Groups	Hunting
Network Connection Discovery With Arp	System Network Connections Discovery	Hunting
Network Connection Discovery With Net	System Network Connections Discovery	Hunting
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Network Discovery Using Route Windows App	System Network Configuration Discovery, Internet Connection Discovery	Hunting
Nishang PowershellTCPOneLine	Command and Scripting Interpreter, PowerShell	TTP
No Windows Updates in a time frame	None	Hunting
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Ntdsutil Export NTDS	NTDS, OS Credential Dumping	TTP
O365 Add App Role Assignment Grant User	Cloud Account, Create Account	TTP
O365 Added Service Principal	Cloud Account, Create Account	TTP
O365 Bypass MFA via Trusted IP	Disable or Modify Cloud Firewall, Impair Defenses	TTP
O365 Disable MFA	Modify Authentication Process	TTP
O365 Excessive Authentication Failures Alert	Brute Force	Anomaly
O365 Excessive SSO logon errors	Modify Authentication Process	Anomaly
O365 New Federated Domain Added	Cloud Account, Create Account	TTP
O365 PST export alert	Email Collection	TTP
O365 Suspicious Admin Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
O365 Suspicious Rights Delegation	Remote Email Collection, Email Collection	TTP
O365 Suspicious User Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
Office Application Drop Executable	Phishing, Spearphishing Attachment	TTP
Office Application Spawn Regsvr32 process	Phishing, Spearphishing Attachment	TTP
Office Application Spawn rundll32 process	Phishing, Spearphishing Attachment	TTP
Office Document Creating Schedule Task	Phishing, Spearphishing Attachment	TTP
Office Document Executing Macro Code	Phishing, Spearphishing Attachment	TTP
Office Document Spawned Child Process To Download	Phishing, Spearphishing Attachment	TTP
Office Product Spawn CMD Process	System Binary Proxy Execution, Mshta	TTP
Office Product Spawning BITSAdmin	Phishing, Spearphishing Attachment	TTP
Office Product Spawning CertUtil	Phishing, Spearphishing Attachment	TTP
Office Product Spawning MSHTA	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Rundll32 with no DLL	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Wmic	Phishing, Spearphishing Attachment	TTP
Office Product Writing cab or inf	Phishing, Spearphishing Attachment	TTP
Office Spawning Control	Phishing, Spearphishing Attachment	TTP
Okta Account Lockout Events	Valid Accounts, Default Accounts	Anomaly
Okta Failed SSO Attempts	Valid Accounts, Default Accounts	Anomaly
Okta User Logins From Multiple Cities	Valid Accounts, Default Accounts	Anomaly
Open Redirect in Splunk Web	None	TTP
Osquery pack - ColdRoot detection	None	TTP
Outbound Network Connection from Java Using Default Ports	Exploit Public-Facing Application	TTP
Overwriting Accessibility Binaries	Event Triggered Execution, Accessibility Features	TTP
Password Policy Discovery with Net	Password Policy Discovery	Hunting
Path traversal SPL injection	File and Directory Discovery	TTP
Permission Modification using Takeown App	File and Directory Permissions Modification	TTP
PetitPotam Network Share Access Request	Forced Authentication	TTP
PetitPotam Suspicious Kerberos TGT Request	OS Credential Dumping	TTP
Ping Sleep Batch Command	Virtualization/Sandbox Evasion, Time Based Evasion	Anomaly
Plain HTTP POST Exfiltrated Data	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
Possible Browser Pass View Parameter	Credentials from Web Browsers, Credentials from Password Stores	Hunting
Possible Lateral Movement PowerShell Spawn	Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC	TTP
Potential Pass the Token or Hash Observed at the Destination Device	Use Alternate Authentication Material, Pass the Hash	TTP
Potential Pass the Token or Hash Observed by an Event Collecting Device	Use Alternate Authentication Material, Pass the Hash	TTP
Potential password in username	Local Accounts, Credentials In Files	Hunting
Potentially malicious code on commandline	Windows Command Shell	Anomaly
PowerShell - Connect To Internet With Hidden Window	PowerShell, Command and Scripting Interpreter	Hunting
PowerShell 4104 Hunting	Command and Scripting Interpreter, PowerShell	Hunting
PowerShell Domain Enumeration	Command and Scripting Interpreter, PowerShell	TTP
PowerShell Get LocalGroup Discovery	Permission Groups Discovery, Local Groups	Hunting
PowerShell Loading DotNET into Memory via Reflection	Command and Scripting Interpreter, PowerShell	TTP
PowerShell Start-BitsTransfer	BITS Jobs	TTP
Powershell Creating Thread Mutex	Obfuscated Files or Information, Indicator Removal from Tools, PowerShell	TTP
Powershell Disable Security Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Powershell Enable SMB1Protocol Feature	Obfuscated Files or Information, Indicator Removal from Tools	TTP
Powershell Execute COM Object	Component Object Model Hijacking, Event Triggered Execution, PowerShell	TTP
Powershell Fileless Process Injection via GetProcAddress	Command and Scripting Interpreter, Process Injection, PowerShell	TTP
Powershell Fileless Script Contains Base64 Encoded Content	Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell	TTP
Powershell Get LocalGroup Discovery with Script Block Logging	Permission Groups Discovery, Local Groups	Hunting
Powershell Processing Stream Of Data	Command and Scripting Interpreter, PowerShell	TTP
Powershell Remote Thread To Known Windows Process	Process Injection	TTP
Powershell Remove Windows Defender Directory	Disable or Modify Tools, Impair Defenses	TTP
Powershell Using memory As Backing Store	PowerShell, Command and Scripting Interpreter	TTP
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools, Impair Defenses	TTP
Prevent Automatic Repair Mode using Bcdedit	Inhibit System Recovery	TTP
Print Processor Registry Autostart	Print Processors, Boot or Logon Autostart Execution	TTP
Print Spooler Adding A Printer Driver	Print Processors, Boot or Logon Autostart Execution	TTP
Print Spooler Failed to Load a Plug-in	Print Processors, Boot or Logon Autostart Execution	TTP
Process Creating LNK file in Suspicious Location	Phishing, Spearphishing Link	TTP
Process Deleting Its Process File Path	Indicator Removal on Host	TTP
Process Execution via WMI	Windows Management Instrumentation	TTP
Process Kill Base On File Path	Disable or Modify Tools, Impair Defenses	TTP
Process Writing DynamicWrapperX	Command and Scripting Interpreter, Component Object Model	Hunting
Processes Tapping Keyboard Events	None	TTP
Processes created by netsh	Disable or Modify System Firewall	TTP
Processes launching netsh	Disable or Modify System Firewall, Impair Defenses	TTP
Prohibited Network Traffic Allowed	Exfiltration Over Alternative Protocol	TTP
Prohibited Software On Endpoint	None	Hunting
Protocol or Port Mismatch	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
Protocols passing authentication in cleartext	None	TTP
Randomly Generated Scheduled Task Name	Scheduled Task/Job, Scheduled Task	Hunting
Randomly Generated Windows Service Name	Create or Modify System Process, Windows Service	Hunting
Ransomware Notes bulk creation	Data Encrypted for Impact	Anomaly
Rare Parent-Child Process Relationship	Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools	Anomaly
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Recon Using WMI Class	Gather Victim Host Information, PowerShell	TTP
Recursive Delete of Directory In Batch CMD	File Deletion, Indicator Removal on Host	TTP
Reg exe Manipulating Windows Services Registry Keys	Services Registry Permissions Weakness, Hijack Execution Flow	TTP
Reg exe used to hide files directories via registry keys	Hidden Files and Directories	TTP
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Registry Keys Used For Privilege Escalation	Image File Execution Options Injection, Event Triggered Execution	TTP
Registry Keys for Creating SHIM Databases	Application Shimming, Event Triggered Execution	TTP
Regsvr32 Silent and Install Param Dll Loading	System Binary Proxy Execution, Regsvr32	Anomaly
Regsvr32 with Known Silent Switch Cmdline	System Binary Proxy Execution, Regsvr32	Anomaly
Remcos RAT File Creation in Remcos Folder	Screen Capture	TTP
Remcos client registry install entry	Modify Registry	TTP
Remote Desktop Network Bruteforce	Remote Desktop Protocol, Remote Services	TTP
Remote Desktop Network Traffic	Remote Desktop Protocol, Remote Services	Anomaly
Remote Desktop Process Running On System	Remote Desktop Protocol, Remote Services	Hunting
Remote Process Instantiation via DCOM and PowerShell	Remote Services, Distributed Component Object Model	TTP
Remote Process Instantiation via DCOM and PowerShell Script Block	Remote Services, Distributed Component Object Model	TTP
Remote Process Instantiation via WMI	Windows Management Instrumentation	TTP
Remote Process Instantiation via WMI and PowerShell	Windows Management Instrumentation	TTP
Remote Process Instantiation via WMI and PowerShell Script Block	Windows Management Instrumentation	TTP
Remote Process Instantiation via WinRM and PowerShell	Remote Services, Windows Remote Management	TTP
Remote Process Instantiation via WinRM and PowerShell Script Block	Remote Services, Windows Remote Management	TTP
Remote Process Instantiation via WinRM and Winrs	Remote Services, Windows Remote Management	TTP
Remote Registry Key modifications	None	TTP
Remote System Discovery with Adsisearcher	Remote System Discovery	TTP
Remote System Discovery with Dsquery	Remote System Discovery	Hunting
Remote System Discovery with Net	Remote System Discovery	Hunting
Remote System Discovery with Wmic	Remote System Discovery	TTP
Remote WMI Command Attempt	Windows Management Instrumentation	TTP
Resize ShadowStorage volume	Inhibit System Recovery	TTP
Resize Shadowstorage Volume	Service Stop	TTP
Revil Common Exec Parameter	User Execution	TTP
Revil Registry Entry	Modify Registry	TTP
Rubeus Command Line Parameters	Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting	TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access	Use Alternate Authentication Material, Pass the Ticket	TTP
RunDLL Loading DLL By Ordinal	System Binary Proxy Execution, Rundll32	TTP
Runas Execution in CommandLine	Access Token Manipulation, Token Impersonation/Theft	Hunting
Rundll32 Control RunDLL Hunt	System Binary Proxy Execution, Rundll32	Hunting
Rundll32 Control RunDLL World Writable Directory	System Binary Proxy Execution, Rundll32	TTP
Rundll32 Create Remote Thread To A Process	Process Injection	TTP
Rundll32 CreateRemoteThread In Browser	Process Injection	TTP
Rundll32 DNSQuery	System Binary Proxy Execution, Rundll32	TTP
Rundll32 LockWorkStation	System Binary Proxy Execution, Rundll32	Anomaly
Rundll32 Process Creating Exe Dll Files	System Binary Proxy Execution, Rundll32	TTP
Rundll32 Shimcache Flush	Modify Registry	TTP
Rundll32 with no Command Line Arguments with Network	System Binary Proxy Execution, Rundll32	TTP
Ryuk Test Files Detected	Data Encrypted for Impact	TTP
Ryuk Wake on LAN Command	Command and Scripting Interpreter, Windows Command Shell	TTP
SAM Database File Access Attempt	Security Account Manager, OS Credential Dumping	Hunting
SLUI RunAs Elevated	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
SLUI Spawning a Process	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
SMB Traffic Spike	SMB/Windows Admin Shares, Remote Services	Anomaly
SMB Traffic Spike - MLTK	SMB/Windows Admin Shares, Remote Services	Anomaly
SQL Injection with Long URLs	Exploit Public-Facing Application	TTP
Samsam Test File Write	Data Encrypted for Impact	TTP
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
SchCache Change By App Connect And Create ADSI Object	Domain Account, Account Discovery	Anomaly
Schedule Task with HTTP Command Arguments	Scheduled Task/Job	TTP
Schedule Task with Rundll32 Command Trigger	Scheduled Task/Job	TTP
Scheduled Task Creation on Remote Endpoint using At	Scheduled Task/Job, At	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Scheduled Task Initiation on Remote Endpoint	Scheduled Task/Job, Scheduled Task	TTP
Scheduled tasks used in BadRabbit ransomware	Scheduled Task	TTP
Schtasks Run Task On Demand	Scheduled Task/Job	TTP
Schtasks scheduling job on remote system	Scheduled Task, Scheduled Task/Job	TTP
Schtasks used for forcing a reboot	Scheduled Task, Scheduled Task/Job	TTP
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Script Execution via WMI	Windows Management Instrumentation	TTP
Sdclt UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Sdelete Application Execution	Data Destruction, File Deletion, Indicator Removal on Host	Anomaly
Sdelete Application Execution	Data Destruction, File Deletion, Indicator Removal on Host	TTP
SearchProtocolHost with no Command Line with Network	Process Injection	TTP
SecretDumps Offline NTDS Dumping Tool	NTDS, OS Credential Dumping	TTP
ServicePrincipalNames Discovery with PowerShell	Kerberoasting	TTP
ServicePrincipalNames Discovery with SetSPN	Kerberoasting	TTP
Services Escalate Exe	Abuse Elevation Control Mechanism	TTP
Services LOLBAS Execution Process Spawn	Create or Modify System Process, Windows Service	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	Command and Scripting Interpreter, PowerShell	TTP
Shim Database File Creation	Application Shimming, Event Triggered Execution	TTP
Shim Database Installation With Suspicious Parameters	Application Shimming, Event Triggered Execution	TTP
Short Lived Scheduled Task	Scheduled Task	TTP
Short Lived Windows Accounts	Local Account, Create Account	TTP
SilentCleanup UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Single Letter Process On Endpoint	User Execution, Malicious File	TTP
Spectre and Meltdown Vulnerable Systems	None	TTP
Spike in File Writes	None	Anomaly
Splunk Account Discovery Drilldown Dashboard Disclosure	Account Discovery	TTP
Splunk Command and Scripting Interpreter Delete Usage	Command and Scripting Interpreter	Anomaly
Splunk Command and Scripting Interpreter Risky Commands	Command and Scripting Interpreter	Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK	Command and Scripting Interpreter	Anomaly
Splunk Digital Certificates Infrastructure Version	Digital Certificates	Hunting
Splunk Digital Certificates Lack of Encryption	Digital Certificates	Anomaly
Splunk DoS via Malformed S2S Request	Network Denial of Service	TTP
Splunk Endpoint Denial of Service DoS Zip Bomb	Endpoint Denial of Service	TTP
Splunk Enterprise Information Disclosure	None	TTP
Splunk Identified SSL TLS Certificates	Network Sniffing	Hunting
Splunk Process Injection Forwarder Bundle Downloads	Process Injection	Hunting
Splunk Protocol Impersonation Weak Encryption Configuration	Protocol Impersonation	Hunting
Splunk User Enumeration Attempt	Valid Accounts	TTP
Splunk XSS in Monitoring Console	Drive-by Compromise	TTP
Splunk protocol impersonation weak encryption selfsigned	Digital Certificates	Hunting
Splunk protocol impersonation weak encryption simplerequest	Digital Certificates	Hunting
Spoolsv Spawning Rundll32	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Suspicious Loaded Modules	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Suspicious Process Access	Exploitation for Privilege Escalation	TTP
Spoolsv Writing a DLL	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Writing a DLL - Sysmon	Print Processors, Boot or Logon Autostart Execution	TTP
Spring4Shell Payload URL Request	Web Shell, Server Software Component, Exploit Public-Facing Application	TTP
Sqlite Module In Temp Folder	Data from Local System	TTP
Sunburst Correlation DLL and Network Event	Exploitation for Client Execution	TTP
Supernova Webshell	Web Shell	TTP
Suspicious Changes to File Associations	Change Default File Association	TTP
Suspicious Computer Account Name Change	Valid Accounts, Domain Accounts	TTP
Suspicious Copy on System32	Rename System Utilities, Masquerading	TTP
Suspicious Curl Network Connection	Ingress Tool Transfer	TTP
Suspicious DLLHost no Command Line Arguments	Process Injection	TTP
Suspicious Driver Loaded Path	Windows Service, Create or Modify System Process	TTP
Suspicious Email - UBA Anomaly	Phishing	Anomaly
Suspicious Email Attachment Extensions	Spearphishing Attachment, Phishing	Anomaly
Suspicious Event Log Service Behavior	Indicator Removal on Host, Clear Windows Event Logs	TTP
Suspicious File Write	None	Hunting
Suspicious GPUpdate no Command Line Arguments	Process Injection	TTP
Suspicious IcedID Rundll32 Cmdline	System Binary Proxy Execution, Rundll32	TTP
Suspicious Image Creation In Appdata Folder	Screen Capture	TTP
Suspicious Java Classes	None	Anomaly
Suspicious Kerberos Service Ticket Request	Valid Accounts, Domain Accounts	TTP
Suspicious Linux Discovery Commands	Unix Shell	TTP
Suspicious MSBuild Rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	Hunting
Suspicious MSBuild Spawn	Trusted Developer Utilities Proxy Execution, MSBuild	TTP
Suspicious PlistBuddy Usage	Launch Agent, Create or Modify System Process	TTP
Suspicious PlistBuddy Usage via OSquery	Launch Agent, Create or Modify System Process	TTP
Suspicious Powershell Command-Line Arguments	PowerShell	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious Process With Discord DNS Query	Visual Basic, Command and Scripting Interpreter	Anomaly
Suspicious Reg exe Process	Modify Registry	TTP
Suspicious Regsvr32 Register Suspicious Path	System Binary Proxy Execution, Regsvr32	TTP
Suspicious Rundll32 PluginInit	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 Rename	System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities	Hunting
Suspicious Rundll32 StartW	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 dllregisterserver	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 no Command Line Arguments	System Binary Proxy Execution, Rundll32	TTP
Suspicious SQLite3 LSQuarantine Behavior	Data Staged	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
Suspicious SearchProtocolHost no Command Line Arguments	Process Injection	TTP
Suspicious Ticket Granting Ticket Request	Valid Accounts, Domain Accounts	Hunting
Suspicious WAV file in Appdata Folder	Screen Capture	TTP
Suspicious microsoft workflow compiler rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities	Hunting
Suspicious microsoft workflow compiler usage	Trusted Developer Utilities Proxy Execution	TTP
Suspicious msbuild path	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	TTP
Suspicious mshta child process	System Binary Proxy Execution, Mshta	TTP
Suspicious mshta spawn	System Binary Proxy Execution, Mshta	TTP
Suspicious wevtutil Usage	Clear Windows Event Logs, Indicator Removal on Host	TTP
Suspicious writes to System Volume Information	Masquerading	Hunting
Suspicious writes to windows Recycle Bin	Masquerading	TTP
Svchost LOLBAS Execution Process Spawn	Scheduled Task/Job, Scheduled Task	TTP
System Info Gathering Using Dxdiag Application	Gather Victim Host Information	Hunting
System Information Discovery Detection	System Information Discovery	TTP
System Process Running from Unexpected Location	Masquerading	Anomaly
System Processes Run From Unexpected Locations	Masquerading, Rename System Utilities	TTP
System User Discovery With Query	System Owner/User Discovery	Hunting
System User Discovery With Whoami	System Owner/User Discovery	Hunting
TCP Command and Scripting Interpreter Outbound LDAP Traffic	Command and Scripting Interpreter	Anomaly
TOR Traffic	Application Layer Protocol, Web Protocols	TTP
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
Trickbot Named Pipe	Process Injection	TTP
UAC Bypass MMC Load Unsigned Dll	Bypass User Account Control, Abuse Elevation Control Mechanism, MMC	TTP
UAC Bypass With Colorui COM Object	System Binary Proxy Execution, CMSTP	TTP
USN Journal Deletion	Indicator Removal on Host	TTP
Uncommon Processes On Endpoint	Malicious File	Hunting
Unified Messaging Service Spawning a Process	Exploit Public-Facing Application	TTP
Uninstall App Using MsiExec	Msiexec, System Binary Proxy Execution	TTP
Unknown Process Using The Kerberos Protocol	Use Alternate Authentication Material	TTP
Unload Sysmon Filter Driver	Disable or Modify Tools, Impair Defenses	TTP
Unloading AMSI via Reflection	Impair Defenses, PowerShell, Command and Scripting Interpreter	TTP
Unsigned Image Loaded by LSASS	LSASS Memory	TTP
Unsuccessful Netbackup backups	None	Hunting
Unusual LOLBAS in short period of time	Command and Scripting Interpreter, Scheduled Task/Job	Anomaly
Unusual Number of Computer Service Tickets Requested	Valid Accounts	Hunting
Unusual Number of Kerberos Service Tickets Requested	Steal or Forge Kerberos Tickets, Kerberoasting	Anomaly
Unusual Number of Remote Endpoint Authentication Events	Valid Accounts	Hunting
Unusual Volume of Data Download from Internal Server Per Entity	Data from Information Repositories, Data from Network Shared Drive	Anomaly
Unusually Long Command Line	None	Anomaly
Unusually Long Command Line	None	Anomaly
Unusually Long Command Line - MLTK	None	Anomaly
Unusually Long Content-Type Length	None	Anomaly
User Discovery With Env Vars PowerShell	System Owner/User Discovery	Hunting
User Discovery With Env Vars PowerShell Script Block	System Owner/User Discovery	Hunting
VMware Server Side Template Injection Hunt	Exploit Public-Facing Application	Hunting
VMware Workspace ONE Freemarker Server-side Template Injection	Exploit Public-Facing Application	Anomaly
Vbscript Execution Using Wscript App	Visual Basic, Command and Scripting Interpreter	TTP
Verclsid CLSID Execution	Verclsid, System Binary Proxy Execution	Hunting
W3WP Spawning Shell	Server Software Component, Web Shell	TTP
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WMI Permanent Event Subscription	Windows Management Instrumentation	TTP
WMI Permanent Event Subscription - Sysmon	Windows Management Instrumentation Event Subscription, Event Triggered Execution	TTP
WMI Recon Running Process Or Services	Gather Victim Host Information	TTP
WMI Temporary Event Subscription	Windows Management Instrumentation	TTP
WMIC XSL Execution via URL	XSL Script Processing	TTP
WSReset UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Wbemprox COM Object Execution	System Binary Proxy Execution, CMSTP	TTP
Web Fraud - Account Harvesting	Create Account	TTP
Web Fraud - Anomalous User Clickspeed	Valid Accounts	Anomaly
Web Fraud - Password Sharing Across Accounts	None	Anomaly
Web JSP Request via URL	Web Shell, Server Software Component, Exploit Public-Facing Application	TTP
Web Servers Executing Suspicious Processes	System Information Discovery	TTP
Web Spring Cloud Function FunctionRouter	Exploit Public-Facing Application	TTP
Web Spring4Shell HTTP Request Class Module	Exploit Public-Facing Application	TTP
Wermgr Process Connecting To IP Check Web Services	Gather Victim Network Information, IP Addresses	TTP
Wermgr Process Create Executable File	Obfuscated Files or Information	TTP
Wermgr Process Spawned CMD Or Powershell Process	Command and Scripting Interpreter	TTP
WevtUtil Usage To Clear Logs	Indicator Removal on Host, Clear Windows Event Logs	TTP
Wevtutil Usage To Disable Logs	Indicator Removal on Host, Clear Windows Event Logs	TTP
Wget Download and Bash Execution	Ingress Tool Transfer	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
WinRM Spawning a Process	Exploit Public-Facing Application	TTP
Windows Access Token Manipulation SeDebugPrivilege	Create Process with Token, Access Token Manipulation	Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Token Impersonation/Theft, Access Token Manipulation	Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Token Impersonation/Theft, Access Token Manipulation	Anomaly
Windows AdFind Exe	Remote System Discovery	TTP
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Application Layer Protocol	TTP
Windows Autostart Execution LSASS Driver Registry Modification	LSASS Driver	TTP
Windows Binary Proxy Execution Mavinject DLL Injection	Mavinject, System Binary Proxy Execution	TTP
Windows Bits Job Persistence	BITS Jobs	TTP
Windows Bitsadmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
Windows CertUtil Decode File	Deobfuscate/Decode Files or Information	TTP
Windows CertUtil URLCache Download	Ingress Tool Transfer	TTP
Windows CertUtil VerifyCtl Download	Ingress Tool Transfer	TTP
Windows Command Shell DCRat ForkBomb Payload	Windows Command Shell, Command and Scripting Interpreter	TTP
Windows Command and Scripting Interpreter Hunting Path Traversal	Command and Scripting Interpreter	Hunting
Windows Command and Scripting Interpreter Path Traversal Exec	Command and Scripting Interpreter	TTP
Windows Computer Account Created by Computer Account	Steal or Forge Kerberos Tickets	TTP
Windows Computer Account Requesting Kerberos Ticket	Steal or Forge Kerberos Tickets	TTP
Windows Computer Account With SPN	Steal or Forge Kerberos Tickets	TTP
Windows Curl Download to Suspicious Path	Ingress Tool Transfer	TTP
Windows Curl Upload to Remote Destination	Ingress Tool Transfer	TTP
Windows Curl Upload to Remote Destination	Ingress Tool Transfer	TTP
Windows DISM Remove Defender	Disable or Modify Tools, Impair Defenses	TTP
Windows DLL Search Order Hijacking Hunt	DLL Search Order Hijacking, Hijack Execution Flow	Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon	DLL Search Order Hijacking, Hijack Execution Flow	Hunting
Windows DLL Search Order Hijacking with iscsicpl	DLL Search Order Hijacking	TTP
Windows Defacement Modify Transcodedwallpaper File	Defacement	Anomaly
Windows Defender Exclusion Registry Entry	Disable or Modify Tools, Impair Defenses	TTP
Windows Defender Tools in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Deleted Registry By A Non Critical Process File Path	Modify Registry	Anomaly
Windows Disable Change Password Through Registry	Modify Registry	Anomaly
Windows Disable Lock Workstation Feature Through Registry	Modify Registry	Anomaly
Windows Disable LogOff Button Through Registry	Modify Registry	Anomaly
Windows Disable Memory Crash Dump	Data Destruction	TTP
Windows Disable Notification Center	Modify Registry	Anomaly
Windows Disable Shutdown Button Through Registry	Modify Registry	Anomaly
Windows Disable Windows Group Policy Features Through Registry	Modify Registry	Anomaly
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows Disabled Users Failing To Authenticate Kerberos	Password Spraying, Brute Force	Anomaly
Windows DiskCryptor Usage	Data Encrypted for Impact	Hunting
Windows Diskshadow Proxy Execution	System Binary Proxy Execution	TTP
Windows Diskshadow Proxy Execution	System Binary Proxy Execution	Anomaly
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows Driver Load Non-Standard Path	Rootkit	TTP
Windows Drivers Loaded by Signature	Rootkit, Exploitation for Privilege Escalation	Hunting
Windows Event For Service Disabled	Disable or Modify Tools, Impair Defenses	Hunting
Windows Event Log Cleared	Indicator Removal on Host, Clear Windows Event Logs	TTP
Windows Event Triggered Image File Execution Options Injection	Image File Execution Options Injection	Hunting
Windows Eventvwr UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	Anomaly
Windows Excessive Disabled Services Event	Disable or Modify Tools, Impair Defenses	TTP
Windows Execute Arbitrary Commands with MSDT	System Binary Proxy Execution	TTP
Windows Execute Arbitrary Commands with MSDT	System Binary Proxy Execution	TTP
Windows File Without Extension In Critical Folder	Data Destruction	TTP
Windows Gather Victim Host Information Camera	Hardware, Gather Victim Host Information	Anomaly
Windows Gather Victim Identity SAM Info	Credentials, Gather Victim Identity Information	Hunting
Windows Gather Victim Network Info Through Ip Check Web Services	IP Addresses, Gather Victim Network Information	Hunting
Windows Get-AdComputer Unconstrained Delegation Discovery	Remote System Discovery	TTP
Windows Hidden Schedule Task Settings	Scheduled Task/Job	TTP
Windows Hide Notification Features Through Registry	Modify Registry	Anomaly
Windows High File Deletion Frequency	Data Destruction	Anomaly
Windows Hijack Execution Flow Version Dll Side Load	DLL Search Order Hijacking, Hijack Execution Flow	Anomaly
Windows Hunting System Account Targeting Lsass	LSASS Memory, OS Credential Dumping	Hunting
Windows ISO LNK File Creation	Spearphishing Attachment, Phishing, Malicious Link, User Execution	Hunting
Windows Identify Protocol Handlers	Command and Scripting Interpreter	Hunting
Windows Impair Defense Add Xml Applocker Rules	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Delete Win Defender Context Menu	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Delete Win Defender Profile Registry	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Impair Defense Deny Security Software With Applocker	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defenses Disable Win Defender Auto Logging	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Indirect Command Execution Via forfiles	Indirect Command Execution	TTP
Windows Indirect Command Execution Via pcalua	Indirect Command Execution	TTP
Windows Ingress Tool Transfer Using Explorer	Ingress Tool Transfer	Anomaly
Windows Ingress Tool Transfer Using Explorer	Ingress Tool Transfer	TTP
Windows Input Capture Using Credential UI Dll	GUI Input Capture, Input Capture	Hunting
Windows InstallUtil Credential Theft	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Remote Network Connection	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil URL in Command Line	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option with Network	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows Invalid Users Failed Authentication via Kerberos	Password Spraying, Brute Force	Anomaly
Windows Java Spawning Shells	Exploit Public-Facing Application	TTP
Windows Kerberos Local Successful Logon	Steal or Forge Kerberos Tickets	TTP
Windows KrbRelayUp Service Creation	Windows Service	TTP
Windows LOLBin Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows Linked Policies In ADSI Discovery	Domain Account, Account Discovery	Anomaly
Windows MOF Event Triggered Execution via WMI	Windows Management Instrumentation Event Subscription	TTP
Windows MSHTA Child Process	Mshta, System Binary Proxy Execution	TTP
Windows MSHTA Command-Line URL	Mshta, System Binary Proxy Execution	TTP
Windows MSHTA Inline HTA Execution	Mshta, System Binary Proxy Execution	TTP
Windows MSIExec DLLRegisterServer	Msiexec	TTP
Windows MSIExec Remote Download	Msiexec	TTP
Windows MSIExec Spawn Discovery Command	Msiexec	TTP
Windows MSIExec Unregister DLLRegisterServer	Msiexec	TTP
Windows MSIExec With Network Connections	Msiexec	TTP
Windows Modify Registry DisAllow Windows App	Modify Registry	TTP
Windows Modify Registry Disable Toast Notifications	Modify Registry	Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif	Modify Registry	Anomaly
Windows Modify Registry Disable Windows Security Center Notif	Modify Registry	Anomaly
Windows Modify Registry Disabling WER Settings	Modify Registry	TTP
Windows Modify Registry Regedit Silent Reg Import	Modify Registry	Anomaly
Windows Modify Registry Suppress Win Defender Notif	Modify Registry	Anomaly
Windows Modify Show Compress Color And Info Tip Registry	Modify Registry	TTP
Windows NirSoft AdvancedRun	Tool	TTP
Windows NirSoft Utilities	Tool	Hunting
Windows Non-System Account Targeting Lsass	LSASS Memory, OS Credential Dumping	TTP
Windows OS Credential Dumping with Ntdsutil Export NTDS	NTDS, OS Credential Dumping	TTP
Windows OS Credential Dumping with Procdump	LSASS Memory, OS Credential Dumping	TTP
Windows Odbcconf Hunting	Odbcconf	Hunting
Windows Odbcconf Load DLL	Odbcconf	TTP
Windows Odbcconf Load Response File	Odbcconf	TTP
Windows Odbcconf Load Response File	Odbcconf, System Binary Proxy Execution	TTP
Windows Office Product Spawning MSDT	Phishing, Spearphishing Attachment	TTP
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment, Phishing	Hunting
Windows Possible Credential Dumping	LSASS Memory, OS Credential Dumping	TTP
Windows PowerShell Start-BitsTransfer	BITS Jobs, Ingress Tool Transfer	TTP
Windows PowerView Constrained Delegation Discovery	Remote System Discovery	TTP
Windows PowerView Kerberos Service Ticket Request	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Windows PowerView SPN Discovery	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Windows PowerView Unconstrained Delegation Discovery	Remote System Discovery	TTP
Windows Powershell Connect to Internet With Hidden Window	Automated Exfiltration	Anomaly
Windows Powershell DownloadFile	Automated Exfiltration	Anomaly
Windows Powershell Import Applocker Policy	PowerShell	TTP
Windows Process Injection With Public Source Path	Process Injection, Portable Executable Injection	Hunting
Windows Process With NamedPipe CommandLine	Process Injection	Anomaly
Windows Processes Killed By Industroyer2 Malware	Service Stop	Anomaly
Windows Protocol Tunneling with Plink	Protocol Tunneling, SSH	TTP
Windows Raccine Scheduled Task Deletion	Disable or Modify Tools	TTP
Windows Rasautou DLL Execution	Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection	TTP
Windows Rasautou DLL Execution	Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection	TTP
Windows Raw Access To Disk Volume Partition	Disk Structure Wipe, Disk Wipe	Anomaly
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP
Windows Registry Certificate Added	Install Root Certificate, Subvert Trust Controls	TTP
Windows Registry Delete Task SD	Scheduled Task, Impair Defenses	TTP
Windows Registry Modification for Safe Mode Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Windows Remote Access Software BRC4 Loaded Dll	Remote Access Software, OS Credential Dumping	Anomaly
Windows Remote Access Software Hunt	Remote Access Software	Hunting
Windows Remote Access Software RMS Registry	Remote Access Software	TTP
Windows Remote Assistance Spawning Process	Process Injection	TTP
Windows Remote Service Rdpwinst Tool Execution	Remote Desktop Protocol, Remote Services	TTP
Windows Remote Services Allow Rdp In Firewall	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Allow Remote Assistance	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Rdp Enable	Remote Desktop Protocol, Remote Services	TTP
Windows Root Domain linked policies Discovery	Domain Account, Account Discovery	Anomaly
Windows Rundll32 Comsvcs Memory Dump	NTDS, OS Credential Dumping	TTP
Windows Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP
Windows Schtasks Create Run As System	Scheduled Task, Scheduled Task/Job	TTP
Windows Script Host Spawn MSBuild	MSBuild, Trusted Developer Utilities Proxy Execution	TTP
Windows Security Account Manager Stopped	Service Stop	TTP
Windows Service Create Kernel Mode Driver	Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation	TTP
Windows Service Created Within Public Path	Create or Modify System Process, Windows Service	TTP
Windows Service Created with Suspicious Service Path	System Services, Service Execution	TTP
Windows Service Creation Using Registry Entry	Services Registry Permissions Weakness	TTP
Windows Service Creation on Remote Endpoint	Create or Modify System Process, Windows Service	TTP
Windows Service Deletion In Registry	Service Stop	Anomaly
Windows Service Initiation on Remote Endpoint	Create or Modify System Process, Windows Service	TTP
Windows Service Stop By Deletion	Service Stop	TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution MSIExec DLLRegisterServer	Msiexec	TTP
Windows System Binary Proxy Execution MSIExec Remote Download	Msiexec	TTP
Windows System Binary Proxy Execution MSIExec Unregister DLL	Msiexec	TTP
Windows System File on Disk	Exploitation for Privilege Escalation	Hunting
Windows System LogOff Commandline	System Shutdown/Reboot	Anomaly
Windows System Reboot CommandLine	System Shutdown/Reboot	Anomaly
Windows System Shutdown CommandLine	System Shutdown/Reboot	Anomaly
Windows System Time Discovery W32tm Delay	System Time Discovery	Anomaly
Windows Terminating Lsass Process	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Users Authenticate Using Explicit Credentials	Password Spraying, Brute Force	Anomaly
Windows Valid Account With Never Expires Password	Service Stop	TTP
Windows WMI Process Call Create	Windows Management Instrumentation	Hunting
Windows WMIPrvse Spawn MSBuild	Trusted Developer Utilities Proxy Execution, MSBuild	TTP
Windows WSReset UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	Anomaly
Windows connhost exe started forcefully	Windows Command Shell	TTP
Windows hosts file modification	None	TTP
Winhlp32 Spawning a Process	Process Injection	TTP
Winword Spawning Cmd	Phishing, Spearphishing Attachment	TTP
Winword Spawning PowerShell	Phishing, Spearphishing Attachment	TTP
Winword Spawning Windows Script Host	Phishing, Spearphishing Attachment	TTP
Wmic Group Discovery	Permission Groups Discovery, Local Groups	Hunting
Wmic NonInteractive App Uninstallation	Disable or Modify Tools, Impair Defenses	Hunting
Wmiprsve LOLBAS Execution Process Spawn	Windows Management Instrumentation	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP
Wsmprovhost LOLBAS Execution Process Spawn	Remote Services, Windows Remote Management	TTP
XMRIG Driver Loaded	Windows Service, Create or Modify System Process	TTP
XSL Script Execution With WMIC	XSL Script Processing	TTP
aws detect attach to role policy	Valid Accounts	Hunting
aws detect permanent key creation	Valid Accounts	Hunting
aws detect role creation	Valid Accounts	Hunting
aws detect sts assume role abuse	Valid Accounts	Hunting
aws detect sts get session token abuse	Use Alternate Authentication Material	Hunting
gcp detect oauth token abuse	Valid Accounts	Hunting

• Endpoint 811
• Cloud 124
• Deprecated 87
• Network 35
• Application 29
• Web 15

Endpoint

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Windows Protocol Tunneling with Plink

Protocol Tunneling, SSH

Windows Odbcconf Load Response File

Odbcconf, System Binary Proxy Execution

High Process Termination Frequency

Data Encrypted for Impact

Windows Identify Protocol Handlers

Command and Scripting Interpreter

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Get ADUser with PowerShell Script Block

Domain Account, Account Discovery

Log4Shell CVE-2021-44228 Exploitation

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Windows Event Triggered Image File Execution Options Injection

Image File Execution Options Injection

Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers

Compiled HTML File, System Binary Proxy Execution

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows System Binary Proxy Execution Compiled HTML File URL In Command Line

Compiled HTML File, System Binary Proxy Execution

Windows OS Credential Dumping with Procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Unregister DLL

Msiexec

Windows OS Credential Dumping with Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Remote Download

Msiexec

Windows System Binary Proxy Execution MSIExec DLLRegisterServer

Msiexec

Dump LSASS via procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows LOLBin Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Linux Persistence and Privilege Escalation Risk Behavior

Abuse Elevation Control Mechanism

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Windows Service Created with Suspicious Service Path

System Services, Service Execution

Powershell Remote Thread To Known Windows Process

Process Injection

Windows Defacement Modify Transcodedwallpaper File

Defacement

Windows InstallUtil Credential Theft

InstallUtil, System Binary Proxy Execution

Office Document Creating Schedule Task

Phishing, Spearphishing Attachment

Detect Excessive Account Lockouts From Endpoint

Valid Accounts, Domain Accounts

Detect Excessive User Account Lockouts

Valid Accounts, Local Accounts

MSHTML Module Load in Office Product

Phishing, Spearphishing Attachment

Windows Possible Credential Dumping

LSASS Memory, OS Credential Dumping

Windows Access Token Manipulation Winlogon Duplicate Token Handle

Token Impersonation/Theft, Access Token Manipulation

Windows Service Deletion In Registry

Service Stop

Windows Phishing Recent ISO Exec Registry

Spearphishing Attachment, Phishing

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

Token Impersonation/Theft, Access Token Manipulation

Windows Gather Victim Identity SAM Info

Credentials, Gather Victim Identity Information

Windows Hijack Execution Flow Version Dll Side Load

DLL Search Order Hijacking, Hijack Execution Flow

Windows Remote Access Software BRC4 Loaded Dll

Remote Access Software, OS Credential Dumping

Windows Access Token Manipulation SeDebugPrivilege

Create Process with Token, Access Token Manipulation

Windows Process Injection With Public Source Path

Process Injection, Portable Executable Injection

Windows Input Capture Using Credential UI Dll

GUI Input Capture, Input Capture

Windows Remote Access Software Hunt

Remote Access Software

Windows Autostart Execution LSASS Driver Registry Modification

LSASS Driver

Windows DLL Search Order Hijacking Hunt with Sysmon

DLL Search Order Hijacking, Hijack Execution Flow

Windows DLL Search Order Hijacking Hunt

DLL Search Order Hijacking, Hijack Execution Flow

Linux Csvtool Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c99 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux apt-get Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Cpulimit Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux OpenVPN Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sqlite3 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Composer Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Octave Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c89 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux APT Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Busybox Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Puppet Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux RPM Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux MySQL Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Emacs Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Make Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux PHP Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GDB Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Find Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GNU Awk Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Ruby Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Gem Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux AWK Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Docker Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Node Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Windows Non-System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Windows DLL Search Order Hijacking with iscsicpl

DLL Search Order Hijacking

Linux Curl Upload File

Ingress Tool Transfer

Linux Proxy Socks Curl

Proxy, Non-Application Layer Protocol

Linux Ingress Tool Transfer with Curl

Ingress Tool Transfer

Linux Ingress Tool Transfer Hunting

Ingress Tool Transfer

Windows Gather Victim Host Information Camera

Hardware, Gather Victim Host Information

Windows System Time Discovery W32tm Delay

System Time Discovery

Linux Clipboard Data Copy

Clipboard Data

Windows Command Shell DCRat ForkBomb Payload

Windows Command Shell, Command and Scripting Interpreter

Linux SSH Authorized Keys Modification

SSH Authorized Keys

Linux SSH Remote Services Script Execute

SSH

Windows System Reboot CommandLine

System Shutdown/Reboot

Windows System LogOff Commandline

System Shutdown/Reboot

Linux Kernel Module Enumeration

System Information Discovery, Rootkit

Linux Decode Base64 to Shell

Obfuscated Files or Information, Unix Shell

Windows System Shutdown CommandLine

System Shutdown/Reboot

Linux Obfuscated Files or Information Base64 Decode

Obfuscated Files or Information

Registry Keys Used For Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Wmic NonInteractive App Uninstallation

Disable or Modify Tools, Impair Defenses

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Windows Defender Tools in Non Standard Path

Masquerading, Rename System Utilities

Windows MOF Event Triggered Execution via WMI

Windows Management Instrumentation Event Subscription

Powershell Disable Security Monitoring

Disable or Modify Tools, Impair Defenses

Certutil exe certificate extraction

Suspicious Image Creation In Appdata Folder

Screen Capture

Office Product Writing cab or inf

Phishing, Spearphishing Attachment

Windows Binary Proxy Execution Mavinject DLL Injection

Mavinject, System Binary Proxy Execution

Suspicious WAV file in Appdata Folder

Screen Capture

Windows Odbcconf Load Response File

Odbcconf

Windows Powershell Import Applocker Policy

PowerShell

Windows Odbcconf Hunting

Odbcconf

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Remote System Discovery with Adsisearcher

Remote System Discovery

Outbound Network Connection from Java Using Default Ports

Exploit Public-Facing Application

Windows Odbcconf Load DLL

Odbcconf

Windows Impair Defense Deny Security Software With Applocker

Disable or Modify Tools, Impair Defenses

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Application Layer Protocol

Windows Modify Registry Regedit Silent Reg Import

Modify Registry

Windows Impair Defense Add Xml Applocker Rules

Disable or Modify Tools, Impair Defenses

Windows Valid Account With Never Expires Password

Service Stop

Windows Modify Registry Disable Win Defender Raw Write Notif

Modify Registry

Windows Modify Registry Disable Toast Notifications

Modify Registry

Windows Remote Access Software RMS Registry

Remote Access Software

Windows Modify Registry Suppress Win Defender Notif

Modify Registry

Windows PowerView SPN Discovery

Steal or Forge Kerberos Tickets, Kerberoasting

Windows PowerView Kerberos Service Ticket Request

Steal or Forge Kerberos Tickets, Kerberoasting

Windows Modify Registry DisAllow Windows App

Modify Registry

Windows Modify Registry Disable Windows Security Center Notif

Modify Registry

Windows Modify Registry Disabling WER Settings

Modify Registry

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Windows Gather Victim Network Info Through Ip Check Web Services

IP Addresses, Gather Victim Network Information

Windows Service Stop By Deletion

Service Stop

Windows MSIExec With Network Connections

Msiexec

Windows MSIExec Remote Download

Msiexec

Windows MSIExec DLLRegisterServer

Msiexec

Windows MSIExec Unregister DLLRegisterServer

Msiexec

Windows MSIExec Spawn Discovery Command

Msiexec

Windows Impair Defenses Disable Win Defender Auto Logging

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Profile Registry

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Context Menu

Disable or Modify Tools, Impair Defenses

Java Writing JSP File

Exploit Public-Facing Application

Linux Iptables Firewall Modification

Disable or Modify System Firewall, Impair Defenses

Excessive Usage of NSLOOKUP App

Exfiltration Over Alternative Protocol

Wermgr Process Connecting To IP Check Web Services

Gather Victim Network Information, IP Addresses

Unload Sysmon Filter Driver

Disable or Modify Tools, Impair Defenses

Windows Command and Scripting Interpreter Hunting Path Traversal

Command and Scripting Interpreter

Windows Command and Scripting Interpreter Path Traversal Exec

Command and Scripting Interpreter

Suspicious Process With Discord DNS Query

Visual Basic, Command and Scripting Interpreter

Windows Office Product Spawning MSDT

Phishing, Spearphishing Attachment

MacOS plutil

Plist File Modification

Linux At Application Execution

At, Scheduled Task/Job

Linux Possible Append Command To At Allow Config File

At, Scheduled Task/Job

Schtasks scheduling job on remote system

Scheduled Task, Scheduled Task/Job

Windows System File on Disk

Exploitation for Privilege Escalation

Cobalt Strike Named Pipes

Process Injection

Potential password in username

Local Accounts, Credentials In Files

Windows Service Create Kernel Mode Driver

Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation

Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetWmiObject DS User with PowerShell Script Block

Domain Account, Account Discovery

GetDomainComputer with PowerShell Script Block

Remote System Discovery

Windows KrbRelayUp Service Creation

Windows Service

PowerShell 4104 Hunting

Command and Scripting Interpreter, PowerShell

WMI Recon Running Process Or Services

Gather Victim Host Information

Powershell Remove Windows Defender Directory

Disable or Modify Tools, Impair Defenses

GetAdComputer with PowerShell Script Block

Remote System Discovery

Mailsniper Invoke functions

Email Collection, Local Email Collection

Get DomainPolicy with Powershell Script Block

Password Policy Discovery

Get-DomainTrust with PowerShell Script Block

Domain Trust Discovery

PowerShell Loading DotNET into Memory via Reflection

Command and Scripting Interpreter, PowerShell

Get ADUserResultantPasswordPolicy with Powershell Script Block

Password Policy Discovery

GetWmiObject Ds Group with PowerShell Script Block

Permission Groups Discovery, Domain Groups

GetDomainController with PowerShell Script Block

Remote System Discovery

GetWmiObject User Account with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Powershell Creating Thread Mutex

Obfuscated Files or Information, Indicator Removal from Tools, PowerShell

Delete ShadowCopy With PowerShell

Inhibit System Recovery

Exchange PowerShell Module Usage

Command and Scripting Interpreter, PowerShell

GetWmiObject Ds Computer with PowerShell Script Block

Remote System Discovery

GetDomainGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Linux Kworker Process In Writable Process Path

Masquerade Task or Service, Masquerading

Windows Computer Account With SPN

Steal or Forge Kerberos Tickets

Windows Computer Account Requesting Kerberos Ticket

Steal or Forge Kerberos Tickets

Windows Computer Account Created by Computer Account

Steal or Forge Kerberos Tickets

Windows Kerberos Local Successful Logon

Steal or Forge Kerberos Tickets

Powershell Get LocalGroup Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

Powershell Fileless Script Contains Base64 Encoded Content

Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell

Windows Hidden Schedule Task Settings

Scheduled Task/Job

Windows Root Domain linked policies Discovery

Domain Account, Account Discovery

Windows Linked Policies In ADSI Discovery

Domain Account, Account Discovery

Linux Disable Services

Service Stop

Linux High Frequency Of File Deletion In Boot Folder

Data Destruction, File Deletion, Indicator Removal on Host

Windows Processes Killed By Industroyer2 Malware

Service Stop

Linux Stop Services

Service Stop

Linux Shred Overwrite Command

Data Destruction

Linux Adding Crontab Using List Parameter

Cron, Scheduled Task/Job

Linux Deleting Critical Directory Using RM Command

Data Destruction

NLTest Domain Trust Discovery

Domain Trust Discovery

Windows Rundll32 Comsvcs Memory Dump

NTDS, OS Credential Dumping

Windows Registry Delete Task SD

Scheduled Task, Impair Defenses

Linux Deletion Of Services

Data Destruction, File Deletion, Indicator Removal on Host

Linux High Frequency Of File Deletion In Etc Folder

Data Destruction, File Deletion, Indicator Removal on Host

Linux Deletion of SSL Certificate

Data Destruction, File Deletion, Indicator Removal on Host

Linux Account Manipulation Of SSH Config and Keys

Data Destruction, File Deletion, Indicator Removal on Host

Linux Deletion Of Init Daemon Script

Data Destruction, File Deletion, Indicator Removal on Host

Linux Deletion Of Cron Jobs

Data Destruction, File Deletion, Indicator Removal on Host

Suspicious microsoft workflow compiler rename

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities

Detect mshta renamed

System Binary Proxy Execution, Mshta

Detect Renamed PSExec

System Services, Service Execution

Detect HTML Help Renamed

System Binary Proxy Execution, Compiled HTML File

Any Powershell DownloadString

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Suspicious MSBuild Rename

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild

Any Powershell DownloadFile

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Linux Stdout Redirection To Dev Null File

Disable or Modify System Firewall, Impair Defenses

Windows Indirect Command Execution Via pcalua

Indirect Command Execution

Windows Indirect Command Execution Via forfiles

Indirect Command Execution

Windows Event For Service Disabled

Disable or Modify Tools, Impair Defenses

Windows Driver Load Non-Standard Path

Rootkit

GetNetTcpconnection with PowerShell Script Block

System Network Connections Discovery

Windows Registry Modification for Safe Mode Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows PowerView Constrained Delegation Discovery

Remote System Discovery

Windows Registry Certificate Added

Install Root Certificate, Subvert Trust Controls

Windows Drivers Loaded by Signature

Rootkit, Exploitation for Privilege Escalation

Windows ISO LNK File Creation

Spearphishing Attachment, Phishing, Malicious Link, User Execution

Windows PowerView Unconstrained Delegation Discovery

Remote System Discovery

Windows Get-AdComputer Unconstrained Delegation Discovery

Remote System Discovery

Windows Terminating Lsass Process

Disable or Modify Tools, Impair Defenses

Windows Deleted Registry By A Non Critical Process File Path

Modify Registry

System Process Running from Unexpected Location

Masquerading

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

GetAdGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Powershell Using memory As Backing Store

PowerShell, Command and Scripting Interpreter

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

GetCurrent User with PowerShell Script Block

System Owner/User Discovery

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

User Discovery With Env Vars PowerShell Script Block

System Owner/User Discovery

Get WMIObject Group Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

Powershell Execute COM Object

Component Object Model Hijacking, Event Triggered Execution, PowerShell

Kerberos Pre-Authentication Flag Disabled with PowerShell

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetLocalUser with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Recon AVProduct Through Pwh or WMI

Gather Victim Host Information

Get ADDefaultDomainPasswordPolicy with Powershell Script Block

Password Policy Discovery

Modify ACLs Permission Of Files Or Folders

File and Directory Permissions Modification

Delete A Net User

Account Access Removal

Modify ACL permission To Files Or Folder

File and Directory Permissions Modification

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows InstallUtil Remote Network Connection

InstallUtil, System Binary Proxy Execution

Windows InstallUtil Uninstall Option with Network

InstallUtil, System Binary Proxy Execution

Suspicious DLLHost no Command Line Arguments

Process Injection

Suspicious SearchProtocolHost no Command Line Arguments

Process Injection

Suspicious GPUpdate no Command Line Arguments

Process Injection

DLLHost with no Command Line Arguments with Network

Process Injection

Suspicious Rundll32 no Command Line Arguments

System Binary Proxy Execution, Rundll32

Detect Regasm with no Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

SearchProtocolHost with no Command Line with Network

Process Injection

Kerberos Service Ticket Request Using RC4 Encryption

Steal or Forge Kerberos Tickets, Golden Ticket

Detect Regsvcs with No Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Rundll32 with no Command Line Arguments with Network

System Binary Proxy Execution, Rundll32

GPUpdate with no Command Line Arguments with Network

Process Injection

Kerberos User Enumeration

Gather Victim Identity Information, Email Addresses

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

Suspicious msbuild path

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild

Windows Hide Notification Features Through Registry

Modify Registry

Windows Disable Lock Workstation Feature Through Registry

Modify Registry

Windows Disable LogOff Button Through Registry

Modify Registry

Windows Disable Windows Group Policy Features Through Registry

Modify Registry

Windows Disable Shutdown Button Through Registry

Modify Registry

Windows Disable Change Password Through Registry

Modify Registry

MacOS LOLbin

Unix Shell, Command and Scripting Interpreter

Kerberos TGT Request Using RC4 Encryption

Use Alternate Authentication Material

Windows Script Host Spawn MSBuild

MSBuild, Trusted Developer Utilities Proxy Execution

Windows WMIPrvse Spawn MSBuild

Trusted Developer Utilities Proxy Execution, MSBuild

Windows Modify Show Compress Color And Info Tip Registry

Modify Registry

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter

Excessive distinct processes from Windows Temp

Command and Scripting Interpreter

ServicePrincipalNames Discovery with PowerShell

Kerberoasting

PowerShell Domain Enumeration

Command and Scripting Interpreter, PowerShell

Powershell Enable SMB1Protocol Feature

Obfuscated Files or Information, Indicator Removal from Tools

Windows Raw Access To Disk Volume Partition

Disk Structure Wipe, Disk Wipe

Powershell Fileless Process Injection via GetProcAddress

Command and Scripting Interpreter, Process Injection, PowerShell

Windows Disable Memory Crash Dump

Data Destruction

Windows File Without Extension In Critical Folder

Data Destruction

Powershell Processing Stream Of Data

Command and Scripting Interpreter, PowerShell

Recon Using WMI Class

Gather Victim Host Information, PowerShell

Detect Empire with PowerShell Script Block Logging

Command and Scripting Interpreter, PowerShell

Detect Mimikatz With PowerShell Script Block Logging

OS Credential Dumping, PowerShell

Get-ForestTrust with PowerShell Script Block

Domain Trust Discovery, PowerShell

Windows MSHTA Child Process

Mshta, System Binary Proxy Execution

Windows Process With NamedPipe CommandLine

Process Injection

Windows Excessive Disabled Services Event

Disable or Modify Tools, Impair Defenses

Windows MSHTA Command-Line URL

Mshta, System Binary Proxy Execution

Windows Service Creation Using Registry Entry

Services Registry Permissions Weakness

Windows MSHTA Inline HTA Execution

Mshta, System Binary Proxy Execution

Windows Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Scheduled Task Deleted Or Created via CMD

Scheduled Task, Scheduled Task/Job

Kerberos Pre-Authentication Flag Disabled in UserAccountControl

Steal or Forge Kerberos Tickets, AS-REP Roasting

Windows WMI Process Call Create

Windows Management Instrumentation

Process Deleting Its Process File Path

Indicator Removal on Host

Rundll32 DNSQuery

System Binary Proxy Execution, Rundll32

Detect Regsvcs with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

Set Default PowerShell Execution Policy To Unrestricted or Bypass

Command and Scripting Interpreter, PowerShell

Windows Eventvwr UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows WSReset UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Detect Regasm with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

NET Profiler UAC bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Raw Access To Master Boot Record Drive

Disk Structure Wipe, Disk Wipe

Windows Disable Notification Center

Modify Registry

Windows Bitsadmin Download File

BITS Jobs, Ingress Tool Transfer

Windows CertUtil Decode File

Deobfuscate/Decode Files or Information

Windows CertUtil VerifyCtl Download

Ingress Tool Transfer

Windows CertUtil URLCache Download

Ingress Tool Transfer

Windows PowerShell Start-BitsTransfer

BITS Jobs, Ingress Tool Transfer

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Bits Job Persistence

BITS Jobs

Linux DD File Overwrite

Data Destruction

Linux System Network Discovery

System Network Configuration Discovery

Windows Powershell Connect to Internet With Hidden Window

Automated Exfiltration

Windows Powershell DownloadFile

Automated Exfiltration

Kerberoasting spn request with RC4 encryption

Steal or Forge Kerberos Tickets, Kerberoasting

Unusual Number of Kerberos Service Tickets Requested

Steal or Forge Kerberos Tickets, Kerberoasting

RunDLL Loading DLL By Ordinal

System Binary Proxy Execution, Rundll32

Windows Remote Assistance Spawning Process

Process Injection

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Windows Schtasks Create Run As System

Scheduled Task, Scheduled Task/Job

CertUtil Download With VerifyCtl and Split Arguments

Ingress Tool Transfer

CertUtil Download With URLCache and Split Arguments

Ingress Tool Transfer

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Disabling SystemRestore In Registry

Inhibit System Recovery

Disabling NoRun Windows App

Disable or Modify Tools, Impair Defenses

Disabling Task Manager

Disable or Modify Tools, Impair Defenses

Eventvwr UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Enable RDP In Other Port Number

Remote Services

Disabling Defender Services

Disable or Modify Tools, Impair Defenses

ETW Registry Disabled

Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses

Disabling FolderOptions Windows Feature

Disable or Modify Tools, Impair Defenses

Hide User Account From Sign-In Screen

Disable or Modify Tools, Impair Defenses

Enable WDigest UseLogonCredential Registry

Modify Registry, OS Credential Dumping

Linux pkexec Privilege Escalation

Exploitation for Privilege Escalation

Disabling CMD Application

Disable or Modify Tools, Impair Defenses

Disable ETW Through Registry

Disable or Modify Tools, Impair Defenses

Disable Registry Tool

Disable or Modify Tools, Impair Defenses

Disable UAC Remote Restriction

Bypass User Account Control, Abuse Elevation Control Mechanism

Disable Windows Behavior Monitoring

Disable or Modify Tools, Impair Defenses

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses

Disabling ControlPanel

Disable or Modify Tools, Impair Defenses

Disable Windows SmartScreen Protection

Disable or Modify Tools, Impair Defenses

Disable Security Logs Using MiniNt Registry

Modify Registry

Disable Windows App Hotkeys

Disable or Modify Tools, Impair Defenses

Active Setup Registry Autostart

Active Setup, Boot or Logon Autostart Execution

Remcos client registry install entry

Modify Registry

Disable Defender Enhanced Notification

Disable or Modify Tools, Impair Defenses

Add DefaultUser And Password In Registry

Credentials in Registry, Unsecured Credentials

Disable Defender MpEngine Registry

Disable or Modify Tools, Impair Defenses

Registry Keys Used For Privilege Escalation

Image File Execution Options Injection, Event Triggered Execution

Disable Defender AntiVirus Registry

Disable or Modify Tools, Impair Defenses

Disable AMSI Through Registry

Disable or Modify Tools, Impair Defenses

Disable Defender Spynet Reporting

Disable or Modify Tools, Impair Defenses

Allow Operation with Consent Admin

Abuse Elevation Control Mechanism

Disable Defender Submit Samples Consent Feature

Disable or Modify Tools, Impair Defenses

Time Provider Persistence Registry

Time Providers, Boot or Logon Autostart Execution

Disable Defender BlockAtFirstSeen Feature

Disable or Modify Tools, Impair Defenses

Windows NirSoft Utilities

Tool

Windows NirSoft AdvancedRun

Tool

Ping Sleep Batch Command

Virtualization/Sandbox Evasion, Time Based Evasion

Excessive File Deletion In WinDefender Folder

Data Destruction

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows InstallUtil in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Malicious PowerShell Process - Encoded Command

Obfuscated Files or Information

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

CMD Carry Out String Command Parameter

Windows Command Shell, Command and Scripting Interpreter

Suspicious Process DNS Query Known Abuse Web Services

Visual Basic, Command and Scripting Interpreter

Potentially malicious code on commandline

Windows Command Shell

PowerShell - Connect To Internet With Hidden Window

PowerShell, Command and Scripting Interpreter

Windows Hunting System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Linux Possible Ssh Key File Creation

SSH Authorized Keys, Account Manipulation

Linux Possible Access Or Modification Of sshd Config File

SSH Authorized Keys, Account Manipulation

Linux Possible Access To Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Possible Access To Credential Files

/etc/passwd and /etc/shadow, OS Credential Dumping

Linux Doas Conf File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Doas Tool Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudo OR Su Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudoers Tmp File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Common Process For Elevation Control

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Preload Hijack Library Calls

Dynamic Linker Hijacking, Hijack Execution Flow

Linux File Created In Kernel Driver Directory

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Install Kernel Module Using Modprobe Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Insert Kernel Module Using Insmod Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Suspicious Ticket Granting Ticket Request

Valid Accounts, Domain Accounts

Linux Change File Owner To Root

Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Setuid Using Chmod Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux NOPASSWD Entry In Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Setuid Using Setcap Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Add User Account

Local Account, Create Account

Linux Visudo Utility Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Service Started Or Enabled

Systemd Timers, Scheduled Task/Job

Linux Service File Created In Systemd Directory

Systemd Timers, Scheduled Task/Job

Linux Possible Append Command To Profile Config File

Unix Shell Configuration Modification, Event Triggered Execution

Linux File Creation In Init Boot Directory

RC Scripts, Boot or Logon Initialization Scripts

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal on Host

Suspicious Kerberos Service Ticket Request

Valid Accounts, Domain Accounts

Linux File Creation In Profile Directory

Unix Shell Configuration Modification, Event Triggered Execution

Suspicious Computer Account Name Change

Valid Accounts, Domain Accounts

Linux Service Restarted

Systemd Timers, Scheduled Task/Job

Hiding Files And Directories With Attrib exe

Windows File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Possible Cronjob Modification With Editor

Cron, Scheduled Task/Job

Linux Possible Append Cronjob Entry on Existing Cronjob File

Cron, Scheduled Task/Job

Linux At Allow Config File Creation

Cron, Scheduled Task/Job

Linux Edit Cron Table Parameter

Cron, Scheduled Task/Job

Linux Add Files In Known Crontab Directories

Cron, Scheduled Task/Job

Hunting for Log4Shell

Exploit Public-Facing Application

Java Class File download by Java User Agent

Exploit Public-Facing Application

Linux Java Spawning Shell

Exploit Public-Facing Application

Windows Java Spawning Shells

Exploit Public-Facing Application

Wget Download and Bash Execution

Ingress Tool Transfer

Curl Download and Bash Execution

Ingress Tool Transfer

MSI Module Loaded by Non-System Binary

DLL Side-Loading, Hijack Execution Flow

Disable Defender AntiVirus Registry

Disable or Modify Tools, Impair Defenses

Fsutil Zeroing File

Indicator Removal on Host

Windows Raccine Scheduled Task Deletion

Disable or Modify Tools

High File Deletion Frequency

Data Destruction

MS Exchange Mailbox Replication service writing Active Server Pages

Server Software Component, Web Shell, Exploit Public-Facing Application

BCDEdit Failure Recovery Modification

Inhibit System Recovery

WBAdmin Delete System Backups

Inhibit System Recovery

Anomalous Usage of Account Credentials

Domain Accounts

Excessive Number of Office Files Copied

Exfiltration Over Unencrypted Non-C2 Protocol

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Suspicious Linux Discovery Commands

Unix Shell

Detect RClone Command-Line Usage

Automated Exfiltration

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Short Lived Scheduled Task

Scheduled Task

Unusual Number of Remote Endpoint Authentication Events

Valid Accounts

Unusual Number of Computer Service Tickets Requested

Valid Accounts

First time seen command line argument

Command and Scripting Interpreter, Indirect Command Execution

Resize Shadowstorage Volume

Service Stop

Rare Parent-Child Process Relationship

Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools

Grant Permission Using Cacls Utility

File and Directory Permissions Modification

Disable Net User Account

Service Stop, Valid Accounts

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Deny Permission using Cacls Utility

File and Directory Permissions Modification

Randomly Generated Scheduled Task Name

Scheduled Task/Job, Scheduled Task

Detect RClone Command-Line Usage

Automated Exfiltration

Randomly Generated Windows Service Name

Create or Modify System Process, Windows Service

Attempted Credential Dump From Registry via Reg exe

OS Credential Dumping, Security Account Manager

Powershell Windows Defender Exclusion Commands

Disable or Modify Tools, Impair Defenses

Add or Set Windows Defender Exclusion

Disable or Modify Tools, Impair Defenses

Windows Defender Exclusion Registry Entry

Disable or Modify Tools, Impair Defenses

Attempt To Disable Services

Service Stop

Attempt To Delete Services

Service Stop, Create or Modify System Process, Windows Service

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Services LOLBAS Execution Process Spawn

Create or Modify System Process, Windows Service

Wmiprsve LOLBAS Execution Process Spawn

Windows Management Instrumentation

Possible Browser Pass View Parameter

Credentials from Web Browsers, Credentials from Password Stores

Anomalous usage of Archive Tools

Archive via Utility, Archive Collected Data

Windows Service Created Within Public Path

Create or Modify System Process, Windows Service

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Svchost LOLBAS Execution Process Spawn

Scheduled Task/Job, Scheduled Task

System Info Gathering Using Dxdiag Application

Gather Victim Host Information

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Loading Of Dynwrapx Module

Process Injection, Dynamic-link Library Injection

Windows DISM Remove Defender

Disable or Modify Tools, Impair Defenses

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

High Frequency Copy Of Files In Network Share

Transfer Data to Cloud Account

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal on Host

Windows DiskCryptor Usage

Data Encrypted for Impact

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via WMI and PowerShell

Windows Management Instrumentation

CSC Net On The Fly Compilation

Compile After Delivery, Obfuscated Files or Information

Network Discovery Using Route Windows App

System Network Configuration Discovery, Internet Connection Discovery

Remote Process Instantiation via WMI

Windows Management Instrumentation

Windows InstallUtil Uninstall Option

InstallUtil, System Binary Proxy Execution

Firewall Allowed Program Enable

Disable or Modify System Firewall, Impair Defenses

Runas Execution in CommandLine

Access Token Manipulation, Token Impersonation/Theft

Windows InstallUtil URL in Command Line

InstallUtil, System Binary Proxy Execution

Scheduled Task Initiation on Remote Endpoint

Scheduled Task/Job, Scheduled Task

WMIC XSL Execution via URL

XSL Script Processing

Scheduled Task Creation on Remote Endpoint using At

Scheduled Task/Job, At

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Windows Service Creation on Remote Endpoint

Create or Modify System Process, Windows Service

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Windows Service Initiation on Remote Endpoint

Create or Modify System Process, Windows Service

Attacker Tools On Endpoint

Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning

Windows AdFind Exe

Remote System Discovery

Windows Curl Download to Suspicious Path

Ingress Tool Transfer

WinEvent Windows Task Scheduler Event Action Started

Scheduled Task

Disable Schedule Task

Disable or Modify Tools, Impair Defenses

ServicePrincipalNames Discovery with SetSPN

Kerberoasting

Suspicious wevtutil Usage

Clear Windows Event Logs, Indicator Removal on Host

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal on Host

Wscript Or Cscript Suspicious Child Process

Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation

Winhlp32 Spawning a Process

Process Injection

Suspicious Copy on System32

Rename System Utilities, Masquerading

Process Writing DynamicWrapperX

Command and Scripting Interpreter, Component Object Model

Rundll32 Shimcache Flush

Modify Registry

Detect Exchange Web Shell

Server Software Component, Web Shell, Exploit Public-Facing Application

Malicious InProcServer32 Modification

Regsvr32, Modify Registry

Regsvr32 Silent and Install Param Dll Loading

System Binary Proxy Execution, Regsvr32

MSBuild Suspicious Spawned By Script Process

MSBuild, Trusted Developer Utilities Proxy Execution

Vbscript Execution Using Wscript App

Visual Basic, Command and Scripting Interpreter

Verclsid CLSID Execution

Verclsid, System Binary Proxy Execution

Print Processor Registry Autostart

Print Processors, Boot or Logon Autostart Execution

Screensaver Event Trigger Execution

Event Triggered Execution, Screensaver

Logon Script Event Trigger Execution

Boot or Logon Initialization Scripts, Logon Script (Windows)

Change Default File Association

Change Default File Association, Event Triggered Execution

Remcos RAT File Creation in Remcos Folder

Screen Capture

Office Document Spawned Child Process To Download

Phishing, Spearphishing Attachment

Office Product Spawning Wmic

Phishing, Spearphishing Attachment

Attempted Credential Dump From Registry via Reg exe

Security Account Manager, OS Credential Dumping

BITS Job Persistence

BITS Jobs

Credential Dumping via Copy Command from Shadow Copy

NTDS, OS Credential Dumping

Credential Dumping via Symlink to Shadow Copy

NTDS, OS Credential Dumping

Processes launching netsh

Disable or Modify System Firewall, Impair Defenses

Detect mshta inline hta execution

System Binary Proxy Execution, Mshta

Detect MSHTA Url in Command Line

System Binary Proxy Execution, Mshta

Detect HTML Help URL in Command Line

System Binary Proxy Execution, Compiled HTML File

BITSAdmin Download File

BITS Jobs, Ingress Tool Transfer

Detect Renamed RClone

Automated Exfiltration

Attempt To Add Certificate To Untrusted Store

Install Root Certificate, Subvert Trust Controls

Local Account Discovery with Net

Account Discovery, Local Account

Batch File Write to System32

User Execution, Malicious File

Local Account Discovery With Wmic

Account Discovery, Local Account

Detect Renamed 7-Zip

Archive via Utility, Archive Collected Data

Account Discovery With Net App

Domain Account, Account Discovery

Creation of Shadow Copy with wmic and powershell

NTDS, OS Credential Dumping

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Detect Renamed WinRAR

Archive via Utility, Archive Collected Data

Detect HTML Help Using InfoTech Storage Handlers

System Binary Proxy Execution, Compiled HTML File

Non Firefox Process Access Firefox Profile Dir

Credentials from Password Stores, Credentials from Web Browsers

Check Elevated CMD using whoami

System Owner/User Discovery

Non Chrome Process Accessing Chrome Default Dir

Credentials from Password Stores, Credentials from Web Browsers

PowerShell Get LocalGroup Discovery

Permission Groups Discovery, Local Groups

Wmic Group Discovery

Permission Groups Discovery, Local Groups

Cmdline Tool Not Executed In CMD Shell

Command and Scripting Interpreter, JavaScript

Net Localgroup Discovery

Permission Groups Discovery, Local Groups

Get WMIObject Group Discovery

Permission Groups Discovery, Local Groups

System User Discovery With Query

System Owner/User Discovery

System User Discovery With Whoami

System Owner/User Discovery

GetCurrent User with PowerShell

System Owner/User Discovery

Office Application Drop Executable

Phishing, Spearphishing Attachment

MS Scripting Process Loading WMI Module

Command and Scripting Interpreter, JavaScript

User Discovery With Env Vars PowerShell

System Owner/User Discovery

MS Scripting Process Loading Ldap Module

Command and Scripting Interpreter, JavaScript

XSL Script Execution With WMIC

XSL Script Processing

Jscript Execution Using Cscript App

Command and Scripting Interpreter, JavaScript

Network Connection Discovery With Arp

System Network Connections Discovery

Network Connection Discovery With Net

System Network Connections Discovery

Network Connection Discovery With Netstat

System Network Connections Discovery

Extraction of Registry Hives

Security Account Manager, OS Credential Dumping

Rundll32 Control RunDLL Hunt

System Binary Proxy Execution, Rundll32

Create local admin accounts using net exe

Local Account, Create Account

Rundll32 Control RunDLL World Writable Directory

System Binary Proxy Execution, Rundll32

Control Loading from World Writable Directory

System Binary Proxy Execution, Control Panel

Office Spawning Control

Phishing, Spearphishing Attachment

GetDomainComputer with PowerShell

Remote System Discovery

GetAdComputer with PowerShell

Remote System Discovery

SchCache Change By App Connect And Create ADSI Object

Domain Account, Account Discovery

System Information Discovery Detection

System Information Discovery

GetDomainController with PowerShell

Remote System Discovery

GetWmiObject Ds Computer with PowerShell

Remote System Discovery

Bcdedit Command Back To Normal Mode Boot

Inhibit System Recovery

Change To Safe Mode With Network Config

Inhibit System Recovery

Get-ForestTrust with PowerShell

Domain Trust Discovery

Domain Group Discovery With Dsquery

Permission Groups Discovery, Domain Groups

Remote System Discovery with Wmic

Remote System Discovery

Domain Controller Discovery with Wmic

Remote System Discovery

PetitPotam Suspicious Kerberos TGT Request

OS Credential Dumping

Remote System Discovery with Dsquery

Remote System Discovery

PetitPotam Network Share Access Request

Forced Authentication

Remote System Discovery with Net

Remote System Discovery

Domain Controller Discovery with Nltest

Remote System Discovery

Exchange PowerShell Abuse via SSRF

Exploit Public-Facing Application

Get DomainPolicy with Powershell

Password Policy Discovery

Get ADUserResultantPasswordPolicy with Powershell

Password Policy Discovery

Process Creating LNK file in Suspicious Location

Phishing, Spearphishing Link

Get ADDefaultDomainPasswordPolicy with Powershell

Password Policy Discovery

Password Policy Discovery with Net

Password Policy Discovery

Domain Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetNetTcpconnection with PowerShell

System Network Connections Discovery

GetWmiObject Ds Group with PowerShell

Permission Groups Discovery, Domain Groups

Domain Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetDomainGroup with PowerShell

Permission Groups Discovery, Domain Groups

GetAdGroup with PowerShell

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery with PowerView

Permission Groups Discovery, Domain Groups

Domain Group Discovery with Adsisearcher

Permission Groups Discovery, Domain Groups

Domain Account Discovery with Dsquery

Domain Account, Account Discovery

Get DomainUser with PowerShell

Domain Account, Account Discovery

Domain Account Discovery With Net App

Domain Account, Account Discovery

Get-DomainTrust with PowerShell

Domain Trust Discovery

Domain Account Discovery with Wmic

Domain Account, Account Discovery

GetWmiObject DS User with PowerShell

Domain Account, Account Discovery

Get ADUser with PowerShell

Domain Account, Account Discovery

GetWmiObject User Account with PowerShell

Account Discovery, Local Account

GetLocalUser with PowerShell

Account Discovery, Local Account

Esentutl SAM Copy

Security Account Manager, OS Credential Dumping

7zip CommandLine To SMB Share Path

Archive via Utility, Archive Collected Data

UAC Bypass With Colorui COM Object

System Binary Proxy Execution, CMSTP

Fsutil Zeroing File

Indicator Removal on Host

Rundll32 LockWorkStation

System Binary Proxy Execution, Rundll32

Uninstall App Using MsiExec

Msiexec, System Binary Proxy Execution

Create Remote Thread In Shell Application

Process Injection

Sqlite Module In Temp Folder

Data from Local System

Drop IcedID License dat

User Execution, Malicious File

Office Application Spawn Regsvr32 process

Phishing, Spearphishing Attachment

IcedID Exfiltrated Archived File Creation

Archive via Utility, Archive Collected Data

Rundll32 Create Remote Thread To A Process

Process Injection

Regsvr32 with Known Silent Switch Cmdline

System Binary Proxy Execution, Regsvr32

CHCP Command Execution

Command and Scripting Interpreter

Rundll32 CreateRemoteThread In Browser

Process Injection

Suspicious IcedID Rundll32 Cmdline

System Binary Proxy Execution, Rundll32

Suspicious Rundll32 PluginInit

System Binary Proxy Execution, Rundll32

Rundll32 Process Creating Exe Dll Files

System Binary Proxy Execution, Rundll32

SAM Database File Access Attempt

Security Account Manager, OS Credential Dumping

Detect Copy of ShadowCopy with Script Block Logging

Security Account Manager, OS Credential Dumping

Office Product Spawn CMD Process

System Binary Proxy Execution, Mshta

Mshta spawning Rundll32 OR Regsvr32 Process

System Binary Proxy Execution, Mshta

UAC Bypass MMC Load Unsigned Dll

Bypass User Account Control, Abuse Elevation Control Mechanism, MMC

Msmpeng Application DLL Side Loading

DLL Side-Loading, Hijack Execution Flow

Spoolsv Writing a DLL

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Loaded Modules

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Process Access

Exploitation for Privilege Escalation

Spoolsv Writing a DLL - Sysmon

Print Processors, Boot or Logon Autostart Execution

Print Spooler Adding A Printer Driver

Print Processors, Boot or Logon Autostart Execution

Print Spooler Failed to Load a Plug-in

Print Processors, Boot or Logon Autostart Execution

Spoolsv Spawning Rundll32

Print Processors, Boot or Logon Autostart Execution

Excessive number of service control start as disabled

Disable or Modify Tools, Impair Defenses

Excessive Usage Of SC Service Utility

System Services, Service Execution

Allow File And Printing Sharing In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Allow Network Discovery In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Execute Javascript With Jscript COM CLSID

Command and Scripting Interpreter, Visual Basic

Suspicious Event Log Service Behavior

Indicator Removal on Host, Clear Windows Event Logs

Detect WMI Event Subscription Persistence

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Wevtutil Usage To Disable Logs

Indicator Removal on Host, Clear Windows Event Logs

WevtUtil Usage To Clear Logs

Indicator Removal on Host, Clear Windows Event Logs

Permission Modification using Takeown App

File and Directory Permissions Modification

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal on Host

Prevent Automatic Repair Mode using Bcdedit

Inhibit System Recovery

Disable Logs Using WevtUtil

Indicator Removal on Host, Clear Windows Event Logs

Unloading AMSI via Reflection

Impair Defenses, PowerShell, Command and Scripting Interpreter

Excessive number of taskhost processes

Command and Scripting Interpreter

Known Services Killed by Ransomware

Inhibit System Recovery

Modification Of Wallpaper

Defacement

Wbemprox COM Object Execution

System Binary Proxy Execution, CMSTP

Revil Common Exec Parameter

User Execution

Conti Common Exec parameter

User Execution

Detect SharpHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect SharpHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

SecretDumps Offline NTDS Dumping Tool

NTDS, OS Credential Dumping

WinRM Spawning a Process

Exploit Public-Facing Application

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

Services Escalate Exe

Abuse Elevation Control Mechanism

CMLUA Or CMSTPLUA UAC Bypass

System Binary Proxy Execution, CMSTP

SLUI RunAs Elevated

Bypass User Account Control, Abuse Elevation Control Mechanism

SLUI Spawning a Process

Bypass User Account Control, Abuse Elevation Control Mechanism

Schtasks Run Task On Demand

Scheduled Task/Job

Excessive Usage Of Cacls App

File and Directory Permissions Modification

Enumerate Users Local Group Using Telegram

Account Discovery

Executables Or Script Creation In Suspicious Path

Masquerading

Download Files Using Telegram

Ingress Tool Transfer

Excessive Usage Of Net App

Account Access Removal

Suspicious Process File Path

Create or Modify System Process

Excessive Usage Of Taskkill

Disable or Modify Tools, Impair Defenses

Disabling Net User Account

Account Access Removal

ICACLS Grant Command

File and Directory Permissions Modification

Excessive Service Stop Attempt

Service Stop

Excessive Attempt To Disable Services

Service Stop

Process Kill Base On File Path

Disable or Modify Tools, Impair Defenses

Deleting Of Net Users

Account Access Removal

Suspicious Driver Loaded Path

Windows Service, Create or Modify System Process

Icacls Deny Command

File and Directory Permissions Modification

XMRIG Driver Loaded

Windows Service, Create or Modify System Process

Office Product Spawning BITSAdmin

Phishing, Spearphishing Attachment

Office Product Spawning CertUtil

Phishing, Spearphishing Attachment

Office Product Spawning MSHTA

Phishing, Spearphishing Attachment

Trickbot Named Pipe

Process Injection

Office Product Spawning Rundll32 with no DLL

Phishing, Spearphishing Attachment

Anomalous usage of 7zip

Archive via Utility, Archive Collected Data

Winword Spawning Cmd

Phishing, Spearphishing Attachment

Wermgr Process Spawned CMD Or Powershell Process

Command and Scripting Interpreter

Wermgr Process Create Executable File

Obfuscated Files or Information

Schedule Task with Rundll32 Command Trigger

Scheduled Task/Job

Schedule Task with HTTP Command Arguments

Scheduled Task/Job

Multiple Invalid Users Failing To Authenticate From Host Using NTLM

Password Spraying, Brute Force

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Office Document Executing Macro Code

Phishing, Spearphishing Attachment

Windows Disabled Users Failing To Authenticate Kerberos

Password Spraying, Brute Force

Windows Invalid Users Failed Authentication via Kerberos

Password Spraying, Brute Force

Windows Users Authenticate Using Explicit Credentials

Password Spraying, Brute Force

Office Application Spawn rundll32 process

Phishing, Spearphishing Attachment

Multiple Users Failing To Authenticate From Process

Password Spraying, Brute Force

Multiple Users Remotely Failing To Authenticate From Host

Password Spraying, Brute Force

Multiple Users Failing To Authenticate From Host Using NTLM

Password Spraying, Brute Force

Winword Spawning PowerShell

Phishing, Spearphishing Attachment

Winword Spawning Windows Script Host

Phishing, Spearphishing Attachment

Excel Spawning Windows Script Host

Security Account Manager, OS Credential Dumping

Excel Spawning PowerShell

Security Account Manager, OS Credential Dumping

WinEvent Scheduled Task Created to Spawn Shell

Scheduled Task, Scheduled Task/Job

WinEvent Scheduled Task Created Within Public Path

Scheduled Task, Scheduled Task/Job

Multiple Users Failing To Authenticate From Host Using Kerberos

Password Spraying, Brute Force

Malicious Powershell Executed As A Service

System Services, Service Execution

DSQuery Domain Discovery

Domain Trust Discovery

Disabling Firewall with Netsh

Disable or Modify Tools, Impair Defenses

PowerShell Start-BitsTransfer

BITS Jobs

CertUtil With Decode Argument

Deobfuscate/Decode Files or Information

Clop Common Exec Parameter

User Execution

Clop Ransomware Known Service Name

Create or Modify System Process

Windows High File Deletion Frequency

Data Destruction

Ransomware Notes bulk creation

Data Encrypted for Impact

Resize ShadowStorage volume

Inhibit System Recovery

Nishang PowershellTCPOneLine

Command and Scripting Interpreter, PowerShell

W3WP Spawning Shell

Server Software Component, Web Shell

Unified Messaging Service Spawning a Process

Exploit Public-Facing Application

Windows DisableAntiSpyware Registry

Disable or Modify Tools, Impair Defenses

FodHelper UAC Bypass

Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism

Suspicious Scheduled Task from Public Directory

Scheduled Task, Scheduled Task/Job

Ryuk Wake on LAN Command

Command and Scripting Interpreter, Windows Command Shell

Suspicious SQLite3 LSQuarantine Behavior

Data Staged

Suspicious PlistBuddy Usage

Launch Agent, Create or Modify System Process

Suspicious Curl Network Connection

Ingress Tool Transfer

Suspicious PlistBuddy Usage via OSquery

Launch Agent, Create or Modify System Process

Detect Regsvcs Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect Regasm Spawning a Process

System Binary Proxy Execution, Regsvcs/Regasm

Detect HTML Help Spawn Child Process

System Binary Proxy Execution, Compiled HTML File

Suspicious Rundll32 dllregisterserver

System Binary Proxy Execution, Rundll32

Suspicious Rundll32 StartW

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - syssetup

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - setupapi

System Binary Proxy Execution, Rundll32

Detect Rundll32 Application Control Bypass - advpack

System Binary Proxy Execution, Rundll32

Detect Baron Samedit CVE-2021-3156 Segfault

Exploitation for Privilege Escalation

Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Suspicious Regsvr32 Register Suspicious Path

System Binary Proxy Execution, Regsvr32

Detect Baron Samedit CVE-2021-3156 via OSQuery

Exploitation for Privilege Escalation

Detect Regsvr32 Application Control Bypass

System Binary Proxy Execution, Regsvr32

Detect Baron Samedit CVE-2021-3156

Exploitation for Privilege Escalation

Revil Registry Entry

Modify Registry

WBAdmin Delete System Backups

Inhibit System Recovery

Detect Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Suspicious mshta spawn

System Binary Proxy Execution, Mshta

Malicious PowerShell Process With Obfuscation Techniques

Command and Scripting Interpreter, PowerShell

Suspicious MSBuild Spawn

Trusted Developer Utilities Proxy Execution, MSBuild

Suspicious microsoft workflow compiler usage

Trusted Developer Utilities Proxy Execution

Suspicious mshta child process

System Binary Proxy Execution, Mshta

BCDEdit Failure Recovery Modification

Inhibit System Recovery

Sunburst Correlation DLL and Network Event

Exploitation for Client Execution

Unusually Long Command Line

WMI Permanent Event Subscription - Sysmon

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Single Letter Process On Endpoint

User Execution, Malicious File

System Processes Run From Unexpected Locations

Masquerading, Rename System Utilities

Shim Database File Creation

Application Shimming, Event Triggered Execution

Schtasks used for forcing a reboot

Scheduled Task, Scheduled Task/Job

Reg exe Manipulating Windows Services Registry Keys

Services Registry Permissions Weakness, Hijack Execution Flow

Shim Database Installation With Suspicious Parameters

Application Shimming, Event Triggered Execution

Disabling Remote User Account Control

Bypass User Account Control, Abuse Elevation Control Mechanism

Execution of File with Multiple Extensions

Masquerading, Rename System Utilities

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter, Windows Command Shell

Detect processes used for System Network Configuration Discovery

System Network Configuration Discovery

Deleting Shadow Copies

Inhibit System Recovery

Common Ransomware Notes

Data Destruction

Common Ransomware Extensions

Data Destruction

Windows Security Account Manager Stopped

Service Stop

Ryuk Test Files Detected

Data Encrypted for Impact

Detect Kerberoasting

Kerberoasting, Steal or Forge Kerberos Tickets

Detect Activity Related to Pass the Hash Attacks

Use Alternate Authentication Material, Pass the Hash

Detect Computer Changed with Anonymous Account

Exploitation of Remote Services

Create or delete windows shares using net exe

Indicator Removal on Host, Network Share Connection Removal

Suspicious writes to windows Recycle Bin

Masquerading

Suspicious Reg exe Process

Modify Registry

Remote Desktop Process Running On System

Remote Desktop Protocol, Remote Services

Sc exe Manipulating Windows Services

Windows Service, Create or Modify System Process

Attempt To Stop Security Service

Disable or Modify Tools, Impair Defenses

Detect Use of cmd exe to Launch Script Interpreters

Command and Scripting Interpreter, Windows Command Shell

Detect Outlook exe writing a zip file

Phishing, Spearphishing Attachment

Malicious PowerShell Process - Execution Policy Bypass

Command and Scripting Interpreter, PowerShell

First Time Seen Running Windows Service

System Services, Service Execution

Hiding Files And Directories With Attrib exe

File and Directory Permissions Modification, Windows File and Directory Permissions Modification

Detection of tools built by NirSoft

Software Deployment Tools

Overwriting Accessibility Binaries

Event Triggered Execution, Accessibility Features

Detect New Local Admin account

Local Account, Create Account

Short Lived Windows Accounts

Local Account, Create Account

Windows Event Log Cleared

Indicator Removal on Host, Clear Windows Event Logs

Detect Path Interception By Creation Of program exe

Path Interception by Unquoted Path, Hijack Execution Flow

First Time Seen Child Process of Zoom

Exploitation for Privilege Escalation

Spike in File Writes

Script Execution via WMI

Windows Management Instrumentation

Child Processes of Spoolsv exe

Exploitation for Privilege Escalation

Detect Rare Executables

Process Execution via WMI

Windows Management Instrumentation

Dump LSASS via comsvcs DLL

LSASS Memory, OS Credential Dumping

MacOS - Re-opened Applications

Creation of lsass Dump with Taskmgr

LSASS Memory, OS Credential Dumping

Monitor Registry Keys for Print Monitors

Port Monitors, Boot or Logon Autostart Execution

Registry Keys for Creating SHIM Databases

Application Shimming, Event Triggered Execution

Sdclt UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

WSReset UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

SilentCleanup UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Auto Admin Logon Registry Entry

Credentials in Registry, Unsecured Credentials

Creation of Shadow Copy

NTDS, OS Credential Dumping

Access LSASS Memory for Dump Creation

LSASS Memory, OS Credential Dumping

Create Remote Thread into LSASS

LSASS Memory, OS Credential Dumping

Detect Credential Dumping through LSASS access

LSASS Memory, OS Credential Dumping

Detect Mimikatz Using Loaded Images

LSASS Memory, OS Credential Dumping

Unusually Long Command Line - MLTK

Processes Tapping Keyboard Events

Samsam Test File Write

Data Encrypted for Impact

File with Samsam Extension

USN Journal Deletion

Indicator Removal on Host

Remote WMI Command Attempt

Windows Management Instrumentation

WMI Permanent Event Subscription

Windows Management Instrumentation

WMI Temporary Event Subscription

Windows Management Instrumentation

Back to Top ↑

Cloud

Azure AD New Federated Domain Added

Domain Policy Modification, Domain Trust Modification

Azure AD New Custom Domain Added

Domain Policy Modification, Domain Trust Modification

Azure AD User ImmutableId Attribute Updated

Account Manipulation

Azure AD Service Principal Owner Added

Account Manipulation

Azure AD Privileged Role Assigned

Account Manipulation, Additional Cloud Roles

Azure AD User Enabled And Password Reset

Account Manipulation

AWS ECR Container Scanning Findings Low Informational Unknown

Malicious Image, User Execution

Detect AWS Console Login by User from New Region

Unused/Unsupported Cloud Regions

Detect AWS Console Login by User from New Country

Unused/Unsupported Cloud Regions

Azure AD Multiple Failed MFA Requests For User

Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts

Detect AWS Console Login by User from New City

Unused/Unsupported Cloud Regions

Azure Runbook Webhook Created

Valid Accounts, Cloud Accounts

Azure Automation Runbook Created

Create Account, Cloud Account

Azure AD External Guest User Invited

Cloud Account

Azure Automation Account Created

Create Account, Cloud Account

Azure AD Service Principal Created

Cloud Account

Azure AD Service Principal New Client Credentials

Account Manipulation, Additional Cloud Credentials

Azure AD Global Administrator Role Assigned

Additional Cloud Roles

AWS Credential Access GetPasswordData

Unsecured Credentials

Azure AD Multi-Factor Authentication Disabled

Modify Authentication Process

AWS Credential Access Failed Login

Password Guessing

AWS Credential Access RDS Password reset

Password Cracking

AWS Defense Evasion Impair Security Services

Disable Cloud Logs, Impair Defenses

AWS Defense Evasion PutBucketLifecycle

Disable Cloud Logs, Impair Defenses

AWS Defense Evasion Delete CloudWatch Log Group

Impair Defenses, Disable Cloud Logs

AWS Defense Evasion Update Cloudtrail

Impair Defenses, Disable Cloud Logs

Azure AD Authentication Failed During MFA Challenge

Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation

AWS Defense Evasion Delete Cloudtrail

Disable Cloud Logs, Impair Defenses

Azure AD Successful PowerShell Authentication

Valid Accounts, Cloud Accounts

Azure AD Successful Single-Factor Authentication

Security Account Manager

Azure AD Multiple Users Failing To Authenticate From Ip

Brute Force, Password Spraying

AWS Defense Evasion Stop Logging Cloudtrail

Disable Cloud Logs, Impair Defenses

Azure AD Unusual Number of Failed Authentications From Ip

Brute Force, Password Spraying

Azure Active Directory High Risk Sign-in

Brute Force, Password Spraying

AWS ECR Container Scanning Findings High

Malicious Image, User Execution

AWS Create Policy Version to allow all resources

Cloud Accounts, Valid Accounts

Detect AWS Console Login by New User

GitHub Actions Disable Security Workflow

Compromise Software Supply Chain, Supply Chain Compromise

AWS UpdateLoginProfile

Cloud Account, Create Account

AWS CreateAccessKey

Cloud Account, Create Account

AWS Lambda UpdateFunctionCode

User Execution

O365 Excessive Authentication Failures Alert

Brute Force

O365 Bypass MFA via Trusted IP

Disable or Modify Cloud Firewall, Impair Defenses

O365 Disable MFA

Modify Authentication Process

O365 Added Service Principal

Cloud Account, Create Account

AWS IAM AccessDenied Discovery Events

Cloud Infrastructure Discovery

Gdrive suspicious file sharing

Phishing

Gsuite suspicious calendar invite

Phishing

Correlation by Repository and Risk

Malicious Image, User Execution

Correlation by User and Risk

Malicious Image, User Execution

Circle CI Disable Security Job

Compromise Client Software Binary

Github Commit In Develop

Trusted Relationship

GitHub Pull Request from Unknown User

Compromise Software Dependencies and Development Tools, Supply Chain Compromise

Circle CI Disable Security Step

Compromise Client Software Binary

GitHub Dependabot Alert

Compromise Software Dependencies and Development Tools, Supply Chain Compromise

Kubernetes Scanner Image Pulling

Cloud Service Discovery

Kubernetes Nginx Ingress RFI

Exploitation for Credential Access

Gsuite Email With Known Abuse Web Service Link

Spearphishing Attachment, Phishing

Gsuite Suspicious Shared File Name

Spearphishing Attachment, Phishing

Github Commit Changes In Master

Trusted Relationship

Kubernetes Nginx Ingress LFI

Exploitation for Credential Access

AWS ECR Container Upload Outside Business Hours

Malicious Image, User Execution

Gsuite Email Suspicious Subject With Attachment

Spearphishing Attachment, Phishing

AWS ECR Container Upload Unknown User

Malicious Image, User Execution

Gsuite Outbound Email With Attachment To External Domain

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

AWS ECR Container Scanning Findings Medium

Malicious Image, User Execution

Gsuite Drive Share In External Email

Exfiltration to Cloud Storage, Exfiltration Over Web Service

GSuite Email Suspicious Attachment

Spearphishing Attachment, Phishing

Detect shared ec2 snapshot

Transfer Data to Cloud Account

Detect New Open S3 Buckets over AWS CLI

Data from Cloud Storage Object

Detect New Open S3 buckets

Data from Cloud Storage Object

AWS CreateLoginProfile

Cloud Account, Create Account

Cloud Compute Instance Created By Previously Unseen User

Cloud Accounts, Valid Accounts

AWS Excessive Security Scanning

Cloud Service Discovery

AWS IAM Assume Role Policy Brute Force

Cloud Infrastructure Discovery, Brute Force

AWS IAM Delete Policy

Account Manipulation

AWS IAM Failure Group Deletion

Account Manipulation

AWS IAM Successful Group Deletion

Cloud Groups, Account Manipulation, Permission Groups Discovery

AWS SetDefaultPolicyVersion

Cloud Accounts, Valid Accounts

O365 New Federated Domain Added

Cloud Account, Create Account

AWS SAML Access by Provider User and Principal

Valid Accounts

O365 Add App Role Assignment Grant User

Cloud Account, Create Account

O365 Excessive SSO logon errors

Modify Authentication Process

AWS SAML Update identity provider

Valid Accounts

Detect Spike in AWS Security Hub Alerts for EC2 Instance

Detect Spike in AWS Security Hub Alerts for User

AWS Network Access Control List Deleted

Disable or Modify Cloud Firewall, Impair Defenses

AWS Detect Users creating keys with encrypt policy without MFA

Data Encrypted for Impact

AWS Network Access Control List Created with All Open Ports

Disable or Modify Cloud Firewall, Impair Defenses

AWS Detect Users with KMS keys performing encryption S3

Data Encrypted for Impact

O365 Suspicious User Email Forwarding

Email Forwarding Rule, Email Collection

O365 Suspicious Admin Email Forwarding

Email Forwarding Rule, Email Collection

High Number of Login Failures from a single source

Password Guessing, Brute Force

O365 PST export alert

Email Collection

O365 Suspicious Rights Delegation

Remote Email Collection, Email Collection

Cloud Provisioning Activity From Previously Unseen City

Valid Accounts

Cloud Provisioning Activity From Previously Unseen Country

Valid Accounts

GCP Detect gcploit framework

Valid Accounts

Cloud Compute Instance Created With Previously Unseen Instance Type

Abnormally High Number Of Cloud Security Group API Calls

Cloud Accounts, Valid Accounts

Abnormally High Number Of Cloud Infrastructure API Calls

Cloud Accounts, Valid Accounts

Cloud API Calls From Previously Unseen User Roles

Valid Accounts

Cloud Compute Instance Created In Previously Unused Region

Unused/Unsupported Cloud Regions

Abnormally High Number Of Cloud Instances Launched

Cloud Accounts, Valid Accounts

Abnormally High Number Of Cloud Instances Destroyed

Cloud Accounts, Valid Accounts

Cloud Provisioning Activity From Previously Unseen IP Address

Valid Accounts

Cloud Provisioning Activity From Previously Unseen Region

Valid Accounts

Detect GCP Storage access from a new IP

Data from Cloud Storage Object

Detect New Open GCP Storage Buckets

Data from Cloud Storage Object

Cloud Instance Modified By Previously Unseen User

Cloud Accounts, Valid Accounts

aws detect sts assume role abuse

Valid Accounts

aws detect attach to role policy

Valid Accounts

aws detect sts get session token abuse

Use Alternate Authentication Material

aws detect role creation

Valid Accounts

aws detect permanent key creation

Valid Accounts

GCP Kubernetes cluster pod scan detection

Cloud Service Discovery

Kubernetes AWS detect suspicious kubectl calls

AWS Cross Account Activity From Previously Unseen Account

Amazon EKS Kubernetes Pod scan detection

Cloud Service Discovery

Amazon EKS Kubernetes cluster scan detection

Cloud Service Discovery

Detect Spike in S3 Bucket deletion

Data from Cloud Storage Object

Cloud Compute Instance Created With Previously Unseen Image

Detect S3 access from a new IP

Data from Cloud Storage Object

Detect Spike in blocked Outbound Traffic from your AWS

Back to Top ↑

Deprecated

Suspicious Rundll32 Rename

System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities

Detection of DNS Tunnels

Exfiltration Over Unencrypted Non-C2 Protocol

Potential Pass the Token or Hash Observed at the Destination Device

Use Alternate Authentication Material, Pass the Hash

Credential ExtractionFGDump and CacheDump

OS Credential Dumping, Security Account Manager

Potential Pass the Token or Hash Observed by an Event Collecting Device

Use Alternate Authentication Material, Pass the Hash

Dump LSASS via procdump Rename

LSASS Memory

Suspicious Powershell Command-Line Arguments

PowerShell

Processes created by netsh

Disable or Modify System Firewall

Execution of File With Spaces Before Extension

Rename System Utilities

Windows connhost exe started forcefully

Windows Command Shell

GCP Detect high risk permissions by resource and account

Valid Accounts

GCP Detect accounts with high risk roles by project

Valid Accounts

Unusually Long Command Line

Cloud Network Access Control List Deleted

gcp detect oauth token abuse

Valid Accounts

Unusual LOLBAS in short period of time

Command and Scripting Interpreter, Scheduled Task/Job

Suspicious writes to System Volume Information

Masquerading

Suspicious Email - UBA Anomaly

Phishing

Uncommon Processes On Endpoint

Malicious File

Suspicious Changes to File Associations

Change Default File Association

Abnormally High AWS Instances Launched by User - MLTK

Cloud Accounts

Detect new user AWS Console Login

Cloud Accounts

Detect AWS API Activities From Unapproved Accounts

Cloud Accounts

Detect Spike in AWS API Activity

Cloud Accounts

First time seen command line argument

PowerShell, Windows Command Shell

Abnormally High AWS Instances Terminated by User

Cloud Accounts

Clients Connecting to Multiple DNS Servers

Exfiltration Over Unencrypted Non-C2 Protocol

EC2 Instance Modified With Previously Unseen User

Cloud Accounts

DNS record changed

DNS

Abnormally High AWS Instances Launched by User

Cloud Accounts

Detect DNS requests to Phishing Sites leveraging EvilGinx2

Spearphishing via Service

EC2 Instance Started With Previously Unseen User

Cloud Accounts

Abnormally High AWS Instances Terminated by User - MLTK

Cloud Accounts

DNS Query Requests Resolved by Unauthorized DNS Servers

DNS

Detect web traffic to dynamic domain providers

Web Protocols

Scheduled tasks used in BadRabbit ransomware

Scheduled Task

Detect Long DNS TXT Record Response

Exfiltration Over Unencrypted Non-C2 Protocol

Kubernetes GCP detect sensitive object access

Kubernetes GCP detect suspicious kubectl calls

Kubernetes GCP detect sensitive role access

Kubernetes GCP detect RBAC authorizations by account

Kubernetes GCP detect most active service accounts by pod

Kubernetes AWS detect RBAC authorization by account

Kubernetes AWS detect sensitive role access

Kubernetes AWS detect service accounts forbidden failure access

AWS EKS Kubernetes cluster sensitive object access

Kubernetes GCP detect service accounts forbidden failure access

Kubernetes AWS detect most active service accounts by pod

Kubernetes Azure active service accounts by pod namespace

Kubernetes Azure detect suspicious kubectl calls

Kubernetes Azure detect RBAC authorization by account

Kubernetes Azure detect sensitive role access

Kubernetes Azure pod scan fingerprint

Kubernetes Azure detect sensitive object access

Kubernetes Azure detect service accounts forbidden failure access

Kubernetes Azure scan fingerprint

Cloud Service Discovery

GCP Kubernetes cluster scan detection

Cloud Service Discovery

Remote Registry Key modifications

EC2 Instance Started With Previously Unseen Instance Type

Unsigned Image Loaded by LSASS

LSASS Memory

Prohibited Software On Endpoint

Suspicious File Write

Detect Mimikatz Via PowerShell And EventCode 4703

LSASS Memory

Reg exe used to hide files directories via registry keys

Hidden Files and Directories

Osquery pack - ColdRoot detection

Windows hosts file modification

Web Fraud - Account Harvesting

Create Account

Web Fraud - Anomalous User Clickspeed

Valid Accounts

Web Fraud - Password Sharing Across Accounts

Splunk Enterprise Information Disclosure

Detect Spike in Network ACL Activity

Disable or Modify Cloud Firewall

Detect API activity from users without MFA

Detect Spike in Security Group Activity

Cloud Accounts

Detect new API calls from user roles

Cloud Accounts

AWS Cloud Provisioning From Previously Unseen Country

Unused/Unsupported Cloud Regions

AWS Cloud Provisioning From Previously Unseen Region

Unused/Unsupported Cloud Regions

AWS Cloud Provisioning From Previously Unseen IP Address

AWS Cloud Provisioning From Previously Unseen City

Unused/Unsupported Cloud Regions

EC2 Instance Started With Previously Unseen AMI

EC2 Instance Started In Previously Unseen Region

Unused/Unsupported Cloud Regions

Detect USB device insertion

Monitor DNS For Brand Abuse

Open Redirect in Splunk Web

Extended Period Without Successful Netbackup Backups

Unsuccessful Netbackup backups

Identify New User Accounts

Domain Accounts

Spectre and Meltdown Vulnerable Systems

Back to Top ↑

Network

Splunk Identified SSL TLS Certificates

Network Sniffing

F5 BIG-IP iControl REST Vulnerability CVE-2022-1388

Exploit Public-Facing Application

TCP Command and Scripting Interpreter Outbound LDAP Traffic

Command and Scripting Interpreter

Unusual Volume of Data Download from Internal Server Per Entity

Data from Information Repositories, Data from Network Shared Drive

Detect Outbound LDAP Traffic

Exploit Public-Facing Application, Command and Scripting Interpreter

DNS Query Length With High Standard Deviation

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Protocols passing authentication in cleartext

Plain HTTP POST Exfiltrated Data

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Multiple Archive Files Http Post Traffic

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Detect hosts connecting to dynamic domain providers

Drive-by Compromise

Detect Software Download To Network Device

TFTP Boot, Pre-OS Boot

Detect IPv6 Network Infrastructure Threats

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect Traffic Mirroring

Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication

Detect Port Security Violation

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect SNICat SNI Exfiltration

Exfiltration Over C2 Channel

Detect Zerologon via Zeek

Exploit Public-Facing Application

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Detect Rogue DHCP Server

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle

Detect Windows DNS SIGRed via Zeek

Exploitation for Client Execution

Detect Windows DNS SIGRed via Splunk Stream

Exploitation for Client Execution

TOR Traffic

Application Layer Protocol, Web Protocols

SMB Traffic Spike - MLTK

SMB/Windows Admin Shares, Remote Services

SMB Traffic Spike

SMB/Windows Admin Shares, Remote Services

Prohibited Network Traffic Allowed

Exfiltration Over Alternative Protocol

Remote Desktop Network Bruteforce

Remote Desktop Protocol, Remote Services

Hosts receiving high volume of network traffic from email server

Remote Email Collection, Email Collection

Protocol or Port Mismatch

Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol

Detect Outbound SMB Traffic

File Transfer Protocols, Application Layer Protocol

Excessive DNS Failures

DNS, Application Layer Protocol

Remote Desktop Network Traffic

Remote Desktop Protocol, Remote Services

DNS Query Length Outliers - MLTK

DNS, Application Layer Protocol

Detect Large Outbound ICMP Packets

Non-Application Layer Protocol

Unusually Long Content-Type Length

Large Volume of DNS ANY Queries

Network Denial of Service, Reflection Amplification

Detect Unauthorized Assets by MAC address

Back to Top ↑

Application

Splunk Account Discovery Drilldown Dashboard Disclosure

Account Discovery

Splunk Endpoint Denial of Service DoS Zip Bomb

Endpoint Denial of Service

Detect Risky SPL using Pretrained ML Model

Command and Scripting Interpreter

Splunk Command and Scripting Interpreter Delete Usage

Command and Scripting Interpreter

Splunk Command and Scripting Interpreter Risky SPL MLTK

Command and Scripting Interpreter

Splunk protocol impersonation weak encryption selfsigned

Digital Certificates

Splunk Process Injection Forwarder Bundle Downloads

Process Injection

Splunk Digital Certificates Infrastructure Version

Digital Certificates

Splunk Digital Certificates Lack of Encryption

Digital Certificates

Splunk Protocol Impersonation Weak Encryption Configuration

Protocol Impersonation

Splunk protocol impersonation weak encryption simplerequest

Digital Certificates

Splunk Command and Scripting Interpreter Risky Commands

Command and Scripting Interpreter

Path traversal SPL injection

File and Directory Discovery

Splunk User Enumeration Attempt

Valid Accounts

Splunk XSS in Monitoring Console

Drive-by Compromise

Splunk DoS via Malformed S2S Request

Network Denial of Service

Suspicious Email Attachment Extensions

Spearphishing Attachment, Phishing

Email files written outside of the Outlook directory

Email Collection, Local Email Collection

Email servers sending high volume traffic to hosts

Email Collection, Remote Email Collection

Okta User Logins From Multiple Cities

Valid Accounts, Default Accounts

Okta Account Lockout Events

Valid Accounts, Default Accounts

Okta Failed SSO Attempts

Valid Accounts, Default Accounts

Multiple Okta Users With Invalid Credentials From The Same IP

Valid Accounts, Default Accounts

Web Servers Executing Suspicious Processes

System Information Discovery

Suspicious Java Classes

Monitor Email For Brand Abuse

Email Attachments With Lots Of Spaces

No Windows Updates in a time frame

Detect New Login Attempts to Routers

Back to Top ↑

Web

Spring4Shell Payload URL Request

Web Shell, Server Software Component, Exploit Public-Facing Application

Confluence Unauthenticated Remote Code Execution CVE-2022-26134

Server Software Component, Exploit Public-Facing Application

VMware Workspace ONE Freemarker Server-side Template Injection

Exploit Public-Facing Application

VMware Server Side Template Injection Hunt

Exploit Public-Facing Application

Web Spring4Shell HTTP Request Class Module

Exploit Public-Facing Application