3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | TTP
7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting
ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly
ASL AWS CreateAccessKey | Valid Accounts | Hunting
ASL AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP
ASL AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP
ASL AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting
ASL AWS Defense Evasion Stop Logging Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP
ASL AWS Defense Evasion Update Cloudtrail | Impair Defenses, Disable or Modify Cloud Logs | TTP
ASL AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly
ASL AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly
ASL AWS Excessive Security Scanning | Cloud Service Discovery | Anomaly
ASL AWS IAM Delete Policy | Account Manipulation | Hunting
ASL AWS IAM Failure Group Deletion | Account Manipulation | Anomaly
ASL AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting
ASL AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP
ASL AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP
ASL AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS AMI Attribute Modification for Exfiltration | Transfer Data to Cloud Account | TTP
AWS Cloud Provisioning From Previously Unseen City | Unused/Unsupported Cloud Regions | Anomaly
AWS Cloud Provisioning From Previously Unseen Country | Unused/Unsupported Cloud Regions | Anomaly
AWS Cloud Provisioning From Previously Unseen IP Address | None | Anomaly
AWS Cloud Provisioning From Previously Unseen Region | Unused/Unsupported Cloud Regions | Anomaly
AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
AWS Console Login Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
AWS Create Policy Version to allow all resources | Cloud Accounts, Valid Accounts | TTP
AWS CreateAccessKey | Cloud Account, Create Account | Hunting
AWS CreateLoginProfile | Cloud Account, Create Account | TTP
AWS Credential Access Failed Login | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | TTP
AWS Credential Access GetPasswordData | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | Anomaly
AWS Credential Access RDS Password reset | Compromise Accounts, Cloud Accounts, Brute Force | TTP
AWS Cross Account Activity From Previously Unseen Account | None | Anomaly
AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP
AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP
AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting
AWS Defense Evasion PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses | Hunting
AWS Defense Evasion Stop Logging Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP
AWS Defense Evasion Update Cloudtrail | Impair Defenses, Disable or Modify Cloud Logs | TTP
AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP
AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly
AWS Disable Bucket Versioning | Inhibit System Recovery | Anomaly
AWS EC2 Snapshot Shared Externally | Transfer Data to Cloud Account | TTP
AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP
AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Anomaly
AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly
AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly
AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly
AWS EKS Kubernetes cluster sensitive object access | None | Hunting
AWS Excessive Security Scanning | Cloud Service Discovery | TTP
AWS Exfiltration via Anomalous GetObject API Activity | Automated Collection | Anomaly
AWS Exfiltration via Batch Service | Automated Collection | TTP
AWS Exfiltration via Bucket Replication | Transfer Data to Cloud Account | TTP
AWS Exfiltration via DataSync Task | Automated Collection | TTP
AWS Exfiltration via EC2 Snapshot | Transfer Data to Cloud Account | TTP
AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly
AWS High Number Of Failed Authentications From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly
AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP
AWS IAM Delete Policy | Account Manipulation | Hunting
AWS IAM Failure Group Deletion | Account Manipulation | Anomaly
AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting
AWS Lambda UpdateFunctionCode | User Execution | Hunting
AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP
AWS Multiple Failed MFA Requests For User | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly
AWS Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS Network Access Control List Created with All Open Ports | Disable or Modify Cloud Firewall, Impair Defenses | TTP
AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall, Impair Defenses | Anomaly
AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP
AWS Password Policy Changes | Password Policy Discovery | Hunting
AWS S3 Exfiltration Behavior Identified | Transfer Data to Cloud Account | Correlation
AWS SAML Access by Provider User and Principal | Valid Accounts | Anomaly
AWS SAML Update identity provider | Valid Accounts | TTP
AWS SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP
AWS Successful Console Authentication From Multiple IPs | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly
AWS Successful Single-Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP
AWS Unusual Number of Failed Authentications From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly
AWS UpdateLoginProfile | Cloud Account, Create Account | TTP
Abnormally High AWS Instances Launched by User | Cloud Accounts | Anomaly
Abnormally High AWS Instances Launched by User - MLTK | Cloud Accounts | Anomaly
Abnormally High AWS Instances Terminated by User | Cloud Accounts | Anomaly
Abnormally High AWS Instances Terminated by User - MLTK | Cloud Accounts | Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly
Abnormally High Number Of Cloud Instances Destroyed | Cloud Accounts, Valid Accounts | Anomaly
Abnormally High Number Of Cloud Instances Launched | Cloud Accounts, Valid Accounts | Anomaly
Abnormally High Number Of Cloud Security Group API Calls | Cloud Accounts, Valid Accounts | Anomaly
Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Exploit Public-Facing Application | TTP
Account Discovery With Net App | Domain Account, Account Discovery | TTP
Active Directory Lateral Movement Identified | Exploitation of Remote Services | Correlation
Active Directory Privilege Escalation Identified | Domain or Tenant Policy Modification | Correlation
Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP
Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Anomaly
Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP
Adobe ColdFusion Access Control Bypass | Exploit Public-Facing Application | TTP
Adobe ColdFusion Unauthenticated Arbitrary File Read | Exploit Public-Facing Application | TTP
AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP
Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP
Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
Amazon EKS Kubernetes Pod scan detection | Cloud Service Discovery | Hunting
Amazon EKS Kubernetes cluster scan detection | Cloud Service Discovery | Hunting
Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly
Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly
Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP
Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP
Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | TTP
Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | TTP
Attempt To Disable Services | Service Stop | TTP
Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP
Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP
Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | TTP
Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP
Azure AD Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP
Azure AD Application Administrator Role Assigned | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Authentication Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP
Azure AD Block User Consent For Risky Apps Disabled | Impair Defenses | TTP
Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP
Azure AD Device Code Authentication | Steal Application Access Token, Phishing, Spearphishing Link | TTP
Azure AD External Guest User Invited | Cloud Account | TTP
Azure AD FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP
Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP
Azure AD High Number Of Failed Authentications For User | Brute Force, Password Guessing | TTP
Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP
Azure AD Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP
Azure AD Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting
Azure AD Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly
Azure AD Multiple Denied MFA Requests For User | Multi-Factor Authentication Request Generation | TTP
Azure AD Multiple Failed MFA Requests For User | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP
Azure AD Multiple Service Principals Created by SP | Cloud Account | Anomaly
Azure AD Multiple Service Principals Created by User | Cloud Account | Anomaly
Azure AD Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly
Azure AD New Custom Domain Added | Domain or Tenant Policy Modification, Trust Modification | TTP
Azure AD New Federated Domain Added | Domain or Tenant Policy Modification, Trust Modification | TTP
Azure AD New MFA Method Registered | Account Manipulation, Device Registration | TTP
Azure AD New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP
Azure AD OAuth Application Consent Granted By User | Steal Application Access Token | TTP
Azure AD PIM Role Assigned | Account Manipulation, Additional Cloud Roles | TTP
Azure AD PIM Role Assignment Activated | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Privileged Authentication Administrator Role Assigned | Security Account Manager | TTP
Azure AD Privileged Graph API Permission Assigned | Security Account Manager | TTP
Azure AD Privileged Role Assigned | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Privileged Role Assigned to Service Principal | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Service Principal Authentication | Cloud Accounts | TTP
Azure AD Service Principal Created | Cloud Account | TTP
Azure AD Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP
Azure AD Service Principal Owner Added | Account Manipulation | TTP
Azure AD Successful Authentication From Different Ips | Brute Force, Password Guessing, Password Spraying | TTP
Azure AD Successful PowerShell Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP
Azure AD Successful Single-Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP
Azure AD Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Unusual Number of Failed Authentications From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly
Azure AD User Consent Blocked for Risky Application | Steal Application Access Token | TTP
Azure AD User Consent Denied for OAuth Application | Steal Application Access Token | TTP
Azure AD User Enabled And Password Reset | Account Manipulation | TTP
Azure AD User ImmutableId Attribute Updated | Account Manipulation | TTP
Azure Active Directory High Risk Sign-in | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | TTP
Azure Automation Account Created | Create Account, Cloud Account | TTP
Azure Automation Runbook Created | Create Account, Cloud Account | TTP
Azure Runbook Webhook Created | Valid Accounts, Cloud Accounts | TTP
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP
BITS Job Persistence | BITS Jobs | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
Batch File Write to System32 | User Execution, Malicious File | TTP
Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP
CHCP Command Execution | Command and Scripting Interpreter | TTP
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP
CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP
CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Hunting
CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP
CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP
CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP
Certutil exe certificate extraction | None | TTP
Change Default File Association | Change Default File Association, Event Triggered Execution | TTP
Change To Safe Mode With Network Config | Inhibit System Recovery | TTP
Check Elevated CMD using whoami | System Owner/User Discovery | TTP
Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP
Circle CI Disable Security Job | Compromise Host Software Binary | Anomaly
Circle CI Disable Security Step | Compromise Host Software Binary | Anomaly
Cisco IOS XE Implant Access | Exploit Public-Facing Application | TTP
Citrix ADC Exploitation CVE-2023-3519 | Exploit Public-Facing Application | Hunting
Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP
Citrix ShareFile Exploitation CVE-2023-24489 | Exploit Public-Facing Application | Hunting
Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP
Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP
Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Clop Common Exec Parameter | User Execution | TTP
Clop Ransomware Known Service Name | Create or Modify System Process | TTP
Cloud API Calls From Previously Unseen User Roles | Valid Accounts | Anomaly
Cloud Compute Instance Created By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly
Cloud Compute Instance Created In Previously Unused Region | Unused/Unsupported Cloud Regions | Anomaly
Cloud Compute Instance Created With Previously Unseen Image | None | Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type | None | Anomaly
Cloud Instance Modified By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly
Cloud Network Access Control List Deleted | None | Anomaly
Cloud Provisioning Activity From Previously Unseen City | Valid Accounts | Anomaly
Cloud Provisioning Activity From Previously Unseen Country | Valid Accounts | Anomaly
Cloud Provisioning Activity From Previously Unseen IP Address | Valid Accounts | Anomaly
Cloud Provisioning Activity From Previously Unseen Region | Valid Accounts | Anomaly
Cloud Security Groups Modifications by User | Modify Cloud Compute Configurations | Anomaly
Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP
Cobalt Strike Named Pipes | Process Injection | TTP
Common Ransomware Extensions | Data Destruction | Hunting
Common Ransomware Notes | Data Destruction | Hunting
Confluence CVE-2023-22515 Trigger Vulnerability | Exploit Public-Facing Application | TTP
Confluence Data Center and Server Privilege Escalation | Exploit Public-Facing Application | TTP
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Exploit Public-Facing Application | TTP
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP
ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | TTP
ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | TTP
Conti Common Exec parameter | User Execution | TTP
Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | TTP
Correlation by Repository and Risk | Malicious Image, User Execution | Correlation
Correlation by User and Risk | Malicious Image, User Execution | Correlation
Create Local Admin Accounts Using Net Exe | Local Account, Create Account | Anomaly
Create Local User Accounts Using Net Exe | Local Account, Create Account | Anomaly
Create Remote Thread In Shell Application | Process Injection | TTP
Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP
Create local admin accounts using net exe | Local Account, Create Account | TTP
Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP
Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP
Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP
Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP
Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP
Crowdstrike Admin Weak Password Policy | Brute Force | TTP
Crowdstrike Admin With Duplicate Password | Brute Force | TTP
Crowdstrike High Identity Risk Severity | Brute Force | TTP
Crowdstrike Medium Identity Risk Severity | Brute Force | TTP
Crowdstrike Medium Severity Alert | Brute Force | Anomaly
Crowdstrike Multiple LOW Severity Alerts | Brute Force | Anomaly
Crowdstrike Privilege Escalation For Non-Admin User | Brute Force | Anomaly
Crowdstrike User Weak Password Policy | Brute Force | Anomaly
Crowdstrike User with Duplicate Password | Brute Force | Anomaly
CrushFTP Server Side Template Injection | Exploit Public-Facing Application | TTP
Curl Download and Bash Execution | Ingress Tool Transfer | TTP
DLLHost with no Command Line Arguments with Network | Process Injection | TTP
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP
DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly
DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly
DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | TTP
DNS record changed | DNS | TTP
DSQuery Domain Discovery | Domain Trust Discovery | TTP
Delete A Net User | Account Access Removal | Anomaly
Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP
Deleting Of Net Users | Account Access Removal | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP
Detect API activity from users without MFA | None | Hunting
Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP
Detect AWS API Activities From Unapproved Accounts | Cloud Accounts | Hunting
Detect AWS Console Login by New User | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting
Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting
Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | Hunting
Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | TTP
Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP
Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP
Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP
Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | Hunting
Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP
Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP
Detect DGA domains using pretrained model in DSDL | Domain Generation Algorithms | Anomaly
Detect DNS Data Exfiltration using pretrained model in DSDL | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly
Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | TTP
Detect Distributed Password Spray Attempts | Password Spraying, Brute Force | Hunting
Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP
Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Anomaly
Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Anomaly
Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP
Detect F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | TTP
Detect GCP Storage access from a new IP | Data from Cloud Storage | Anomaly
Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Hunting
Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | TTP
Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP
Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP
Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | TTP
Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP
Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP
Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Detect New Local Admin account | Local Account, Create Account | TTP
Detect New Login Attempts to Routers | None | TTP
Detect New Open GCP Storage Buckets | Data from Cloud Storage | TTP
Detect New Open S3 Buckets over AWS CLI | Data from Cloud Storage | TTP
Detect New Open S3 buckets | Data from Cloud Storage | TTP
Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting
Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP
Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP
Detect Password Spray Attack Behavior From Source | Password Spraying, Brute Force | TTP
Detect Password Spray Attack Behavior On User | Password Spraying, Brute Force | TTP
Detect Password Spray Attempts | Password Spraying, Brute Force | TTP
Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP
Detect Port Security Violation | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP
Detect PowerShell Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting
Detect Prohibited Browsers Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect Prohibited Office Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect RTLO In File Name | Right-to-Left Override, Masquerading | TTP
Detect RTLO In Process | Right-to-Left Override, Masquerading | TTP
Detect Rare Executables | User Execution | Anomaly
Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | TTP
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly
Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Hunting
Detect Renamed PSExec | System Services, Service Execution | Hunting
Detect Renamed RClone | Automated Exfiltration | Hunting
Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Hunting
Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Anomaly
Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP
Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP
Detect S3 access from a new IP | Data from Cloud Storage | Anomaly
Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP
Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | TTP
Detect Spike in AWS API Activity | Cloud Accounts | Anomaly
Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly
Detect Spike in AWS Security Hub Alerts for User | None | Anomaly
Detect Spike in Network ACL Activity | Disable or Modify Cloud Firewall | Anomaly
Detect Spike in S3 Bucket deletion | Data from Cloud Storage | Anomaly
Detect Spike in Security Group Activity | Cloud Accounts | Anomaly
Detect Spike in blocked Outbound Traffic from your AWS | None | Anomaly
Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP
Detect USB device insertion | None | TTP
Detect Unauthorized Assets by MAC address | None | TTP
Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | TTP
Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP
Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP
Detect Windows DNS SIGRed via Splunk Stream | Exploitation for Client Execution | TTP
Detect Windows DNS SIGRed via Zeek | Exploitation for Client Execution | TTP
Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP
Detect attackers scanning for vulnerable JBoss servers | System Information Discovery, External Remote Services | TTP
Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP
Detect malicious requests to exploit JBoss servers | None | TTP
Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP
Detect mshta renamed | System Binary Proxy Execution, Mshta | Hunting
Detect new API calls from user roles | Cloud Accounts | Anomaly
Detect new user AWS Console Login | Cloud Accounts | Hunting
Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP
Detect suspicious DNS TXT records using pretrained model in DSDL | Domain Generation Algorithms | Anomaly
Detect suspicious processnames using pretrained model in DSDL | Command and Scripting Interpreter | Anomaly
Detect web traffic to dynamic domain providers |
Web Protocols |
TTP |
Detection of DNS Tunnels |
Exfiltration Over Unencrypted Non-C2 Protocol |
TTP |
Detection of tools built by NirSoft |
Software Deployment Tools |
TTP |
Disable AMSI Through Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender AntiVirus Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender BlockAtFirstSeen Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender Enhanced Notification |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender MpEngine Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender Spynet Reporting |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Defender Submit Samples Consent Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable ETW Through Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Logs Using WevtUtil |
Indicator Removal, Clear Windows Event Logs |
TTP |
Disable Net User Account |
Service Stop, Valid Accounts |
TTP |
Disable Registry Tool |
Disable or Modify Tools, Impair Defenses, Modify Registry |
TTP |
Disable Schedule Task |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Security Logs Using MiniNt Registry |
Modify Registry |
TTP |
Disable Show Hidden Files |
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry |
Anomaly |
Disable UAC Remote Restriction |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Disable Windows App Hotkeys |
Disable or Modify Tools, Impair Defenses, Modify Registry |
TTP |
Disable Windows Behavior Monitoring |
Disable or Modify Tools, Impair Defenses |
TTP |
Disable Windows SmartScreen Protection |
Disable or Modify Tools, Impair Defenses |
TTP |
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Disabled Kerberos Pre-Authentication Discovery With PowerView |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Disabling CMD Application |
Disable or Modify Tools, Impair Defenses, Modify Registry |
TTP |
Disabling ControlPanel |
Disable or Modify Tools, Impair Defenses, Modify Registry |
TTP |
Disabling Defender Services |
Disable or Modify Tools, Impair Defenses |
TTP |
Disabling Firewall with Netsh |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Disabling FolderOptions Windows Feature |
Disable or Modify Tools, Impair Defenses |
TTP |
Disabling Net User Account |
Account Access Removal |
TTP |
Disabling NoRun Windows App |
Disable or Modify Tools, Impair Defenses, Modify Registry |
TTP |
Disabling Remote User Account Control |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Disabling SystemRestore In Registry |
Inhibit System Recovery |
TTP |
Disabling Task Manager |
Disable or Modify Tools, Impair Defenses |
TTP |
Disabling Windows Local Security Authority Defences via Registry |
Modify Authentication Process |
TTP |
Domain Account Discovery With Net App |
Domain Account, Account Discovery |
TTP |
Domain Account Discovery with Dsquery |
Domain Account, Account Discovery |
Hunting |
Domain Account Discovery with Wmic |
Domain Account, Account Discovery |
TTP |
Domain Controller Discovery with Nltest |
Remote System Discovery |
TTP |
Domain Controller Discovery with Wmic |
Remote System Discovery |
Hunting |
Domain Group Discovery With Dsquery |
Permission Groups Discovery, Domain Groups |
Hunting |
Domain Group Discovery With Net |
Permission Groups Discovery, Domain Groups |
Hunting |
Domain Group Discovery With Wmic |
Permission Groups Discovery, Domain Groups |
Hunting |
Domain Group Discovery with Adsisearcher |
Permission Groups Discovery, Domain Groups |
TTP |
Download Files Using Telegram |
Ingress Tool Transfer |
TTP |
Drop IcedID License dat |
User Execution, Malicious File |
Hunting |
Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP |
Dump LSASS via procdump |
LSASS Memory, OS Credential Dumping |
TTP |
Dump LSASS via procdump Rename |
LSASS Memory |
Hunting |
EC2 Instance Modified With Previously Unseen User |
Cloud Accounts |
Anomaly |
EC2 Instance Started In Previously Unseen Region |
Unused/Unsupported Cloud Regions |
Anomaly |
EC2 Instance Started With Previously Unseen AMI |
None |
Anomaly |
EC2 Instance Started With Previously Unseen Instance Type |
None |
Anomaly |
EC2 Instance Started With Previously Unseen User |
Cloud Accounts |
Anomaly |
ETW Registry Disabled |
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses |
TTP |
Elevated Group Discovery With Net |
Permission Groups Discovery, Domain Groups |
TTP |
Elevated Group Discovery With Wmic |
Permission Groups Discovery, Domain Groups |
TTP |
Elevated Group Discovery with PowerView |
Permission Groups Discovery, Domain Groups |
Hunting |
Email Attachments With Lots Of Spaces |
None |
Anomaly |
Email files written outside of the Outlook directory |
Email Collection, Local Email Collection |
TTP |
Email servers sending high volume traffic to hosts |
Email Collection, Remote Email Collection |
Anomaly |
Enable RDP In Other Port Number |
Remote Services |
TTP |
Enable WDigest UseLogonCredential Registry |
Modify Registry, OS Credential Dumping |
TTP |
Enumerate Users Local Group Using Telegram |
Account Discovery |
TTP |
Esentutl SAM Copy |
Security Account Manager, OS Credential Dumping |
Hunting |
Eventvwr UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Excel Spawning PowerShell |
Security Account Manager, OS Credential Dumping |
TTP |
Excel Spawning Windows Script Host |
Security Account Manager, OS Credential Dumping |
TTP |
Excessive Attempt To Disable Services |
Service Stop |
Anomaly |
Excessive DNS Failures |
DNS, Application Layer Protocol |
Anomaly |
Excessive File Deletion In WinDefender Folder |
Data Destruction |
TTP |
Excessive Service Stop Attempt |
Service Stop |
Anomaly |
Excessive Usage Of Cacls App |
File and Directory Permissions Modification |
Anomaly |
Excessive Usage Of Net App |
Account Access Removal |
Anomaly |
Excessive Usage Of SC Service Utility |
System Services, Service Execution |
Anomaly |
Excessive Usage Of Taskkill |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Excessive Usage of NSLOOKUP App |
Exfiltration Over Alternative Protocol |
Anomaly |
Excessive distinct processes from Windows Temp |
Command and Scripting Interpreter |
Anomaly |
Excessive number of service control start as disabled |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Excessive number of taskhost processes |
Command and Scripting Interpreter |
Anomaly |
Exchange PowerShell Abuse via SSRF |
Exploit Public-Facing Application, External Remote Services |
TTP |
Exchange PowerShell Module Usage |
Command and Scripting Interpreter, PowerShell |
TTP |
Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
Execute Javascript With Jscript COM CLSID |
Command and Scripting Interpreter, Visual Basic |
TTP |
Execution of File With Spaces Before Extension |
Rename System Utilities |
TTP |
Execution of File with Multiple Extensions |
Masquerading, Rename System Utilities |
TTP |
Exploit Public Facing Application via Apache Commons Text |
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services |
Anomaly |
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 |
Exploit Public-Facing Application, External Remote Services |
TTP |
Extended Period Without Successful Netbackup Backups |
None |
Hunting |
Extraction of Registry Hives |
Security Account Manager, OS Credential Dumping |
TTP |
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 |
Exploit Public-Facing Application, External Remote Services |
TTP |
F5 TMUI Authentication Bypass |
None |
TTP |
File with Samsam Extension |
None |
TTP |
Firewall Allowed Program Enable |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
First Time Seen Child Process of Zoom |
Exploitation for Privilege Escalation |
Anomaly |
First Time Seen Running Windows Service |
System Services, Service Execution |
Anomaly |
First time seen command line argument |
PowerShell, Windows Command Shell |
Hunting |
FodHelper UAC Bypass |
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Fortinet Appliance Auth bypass |
Exploit Public-Facing Application, External Remote Services |
TTP |
Fsutil Zeroing File |
Indicator Removal |
TTP |
GCP Authentication Failed During MFA Challenge |
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation |
TTP |
GCP Detect accounts with high risk roles by project |
Valid Accounts |
Hunting |
GCP Detect gcploit framework |
Valid Accounts |
TTP |
GCP Detect high risk permissions by resource and account |
Valid Accounts |
Hunting |
GCP Kubernetes cluster pod scan detection |
Cloud Service Discovery |
Hunting |
GCP Kubernetes cluster scan detection |
Cloud Service Discovery |
TTP |
GCP Multi-Factor Authentication Disabled |
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication |
TTP |
GCP Multiple Failed MFA Requests For User |
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts |
TTP |
GCP Multiple Users Failing To Authenticate From Ip |
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing |
Anomaly |
GCP Successful Single-Factor Authentication |
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts |
TTP |
GCP Unusual Number of Failed Authentications From Ip |
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing |
Anomaly |
GPUpdate with no Command Line Arguments with Network |
Process Injection |
TTP |
GSuite Email Suspicious Attachment |
Spearphishing Attachment, Phishing |
Anomaly |
Gdrive suspicious file sharing |
Phishing |
Hunting |
Get ADDefaultDomainPasswordPolicy with Powershell |
Password Policy Discovery |
Hunting |
Get ADDefaultDomainPasswordPolicy with Powershell Script Block |
Password Policy Discovery |
Hunting |
Get ADUser with PowerShell |
Domain Account, Account Discovery |
Hunting |
Get ADUser with PowerShell Script Block |
Domain Account, Account Discovery |
Hunting |
Get ADUserResultantPasswordPolicy with Powershell |
Password Policy Discovery |
TTP |
Get ADUserResultantPasswordPolicy with Powershell Script Block |
Password Policy Discovery |
TTP |
Get DomainPolicy with Powershell |
Password Policy Discovery |
TTP |
Get DomainPolicy with Powershell Script Block |
Password Policy Discovery |
TTP |
Get DomainUser with PowerShell |
Domain Account, Account Discovery |
TTP |
Get DomainUser with PowerShell Script Block |
Domain Account, Account Discovery |
TTP |
Get WMIObject Group Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
Get WMIObject Group Discovery with Script Block Logging |
Permission Groups Discovery, Local Groups |
Hunting |
Get-DomainTrust with PowerShell |
Domain Trust Discovery |
TTP |
Get-DomainTrust with PowerShell Script Block |
Domain Trust Discovery |
TTP |
Get-ForestTrust with PowerShell |
Domain Trust Discovery |
TTP |
Get-ForestTrust with PowerShell Script Block |
Domain Trust Discovery, PowerShell |
TTP |
GetAdComputer with PowerShell |
Remote System Discovery |
Hunting |
GetAdComputer with PowerShell Script Block |
Remote System Discovery |
Hunting |
GetAdGroup with PowerShell |
Permission Groups Discovery, Domain Groups |
Hunting |
GetAdGroup with PowerShell Script Block |
Permission Groups Discovery, Domain Groups |
Hunting |
GetCurrent User with PowerShell |
System Owner/User Discovery |
Hunting |
GetCurrent User with PowerShell Script Block |
System Owner/User Discovery |
Hunting |
GetDomainComputer with PowerShell |
Remote System Discovery |
TTP |
GetDomainComputer with PowerShell Script Block |
Remote System Discovery |
TTP |
GetDomainController with PowerShell |
Remote System Discovery |
Hunting |
GetDomainController with PowerShell Script Block |
Remote System Discovery |
TTP |
GetDomainGroup with PowerShell |
Permission Groups Discovery, Domain Groups |
TTP |
GetDomainGroup with PowerShell Script Block |
Permission Groups Discovery, Domain Groups |
TTP |
GetLocalUser with PowerShell |
Account Discovery, Local Account |
Hunting |
GetLocalUser with PowerShell Script Block |
Account Discovery, Local Account, PowerShell |
Hunting |
GetNetTcpconnection with PowerShell |
System Network Connections Discovery |
Hunting |
GetNetTcpconnection with PowerShell Script Block |
System Network Connections Discovery |
Hunting |
GetWmiObject DS User with PowerShell |
Domain Account, Account Discovery |
TTP |
GetWmiObject DS User with PowerShell Script Block |
Domain Account, Account Discovery |
TTP |
GetWmiObject Ds Computer with PowerShell |
Remote System Discovery |
TTP |
GetWmiObject Ds Computer with PowerShell Script Block |
Remote System Discovery |
TTP |
GetWmiObject Ds Group with PowerShell |
Permission Groups Discovery, Domain Groups |
TTP |
GetWmiObject Ds Group with PowerShell Script Block |
Permission Groups Discovery, Domain Groups |
TTP |
GetWmiObject User Account with PowerShell |
Account Discovery, Local Account |
Hunting |
GetWmiObject User Account with PowerShell Script Block |
Account Discovery, Local Account, PowerShell |
Hunting |
GitHub Actions Disable Security Workflow |
Compromise Software Supply Chain, Supply Chain Compromise |
Anomaly |
GitHub Dependabot Alert |
Compromise Software Dependencies and Development Tools, Supply Chain Compromise |
Anomaly |
GitHub Pull Request from Unknown User |
Compromise Software Dependencies and Development Tools, Supply Chain Compromise |
Anomaly |
Github Commit Changes In Master |
Trusted Relationship |
Anomaly |
Github Commit In Develop |
Trusted Relationship |
Anomaly |
Grant Permission Using Cacls Utility |
File and Directory Permissions Modification |
TTP |
Gsuite Drive Share In External Email |
Exfiltration to Cloud Storage, Exfiltration Over Web Service |
Anomaly |
Gsuite Email Suspicious Subject With Attachment |
Spearphishing Attachment, Phishing |
Anomaly |
Gsuite Email With Known Abuse Web Service Link |
Spearphishing Attachment, Phishing |
Anomaly |
Gsuite Outbound Email With Attachment To External Domain |
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol |
Hunting |
Gsuite Suspicious Shared File Name |
Spearphishing Attachment, Phishing |
Anomaly |
Gsuite suspicious calendar invite |
Phishing |
Hunting |
Headless Browser Mockbin or Mocky Request |
Hidden Window |
TTP |
Headless Browser Usage |
Hidden Window |
Hunting |
Hide User Account From Sign-In Screen |
Disable or Modify Tools, Impair Defenses |
TTP |
Hiding Files And Directories With Attrib exe |
File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Hiding Files And Directories With Attrib exe |
Windows File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
High Frequency Copy Of Files In Network Share |
Transfer Data to Cloud Account |
Anomaly |
High Number of Login Failures from a single source |
Password Guessing, Brute Force |
Anomaly |
High Process Termination Frequency |
Data Encrypted for Impact |
Anomaly |
High Volume of Bytes Out to Url |
Exfiltration Over Web Service |
Anomaly |
Hosts receiving high volume of network traffic from email server |
Remote Email Collection, Email Collection |
Anomaly |
Hunting 3CXDesktopApp Software |
Compromise Software Supply Chain |
Hunting |
Hunting for Log4Shell |
Exploit Public-Facing Application, External Remote Services |
Hunting |
ICACLS Grant Command |
File and Directory Permissions Modification |
TTP |
Icacls Deny Command |
File and Directory Permissions Modification |
TTP |
IcedID Exfiltrated Archived File Creation |
Archive via Utility, Archive Collected Data |
Hunting |
Identify New User Accounts |
Domain Accounts |
Hunting |
Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Interactive Session on Remote Endpoint with PowerShell |
Remote Services, Windows Remote Management |
TTP |
Internal Horizontal Port Scan |
Network Service Discovery |
TTP |
Internal Vertical Port Scan |
Network Service Discovery |
TTP |
Internal Vulnerability Scan |
Vulnerability Scanning, Network Service Discovery |
TTP |
Ivanti Connect Secure Command Injection Attempts |
Exploit Public-Facing Application |
TTP |
Ivanti Connect Secure SSRF in SAML Component |
Exploit Public-Facing Application |
TTP |
Ivanti Connect Secure System Information Access via Auth Bypass |
Exploit Public-Facing Application |
Anomaly |
Ivanti EPM SQL Injection Remote Code Execution |
Exploit Public-Facing Application |
TTP |
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 |
Exploit Public-Facing Application, External Remote Services |
TTP |
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 |
Exploit Public-Facing Application, External Remote Services |
TTP |
Ivanti Sentry Authentication Bypass |
Exploit Public-Facing Application |
TTP |
Ivanti VTM New Account Creation |
Exploit Public-Facing Application |
TTP |
Java Class File download by Java User Agent |
Exploit Public-Facing Application |
TTP |
Java Writing JSP File |
Exploit Public-Facing Application, External Remote Services |
TTP |
Jenkins Arbitrary File Read CVE-2024-23897 |
Exploit Public-Facing Application |
TTP |
JetBrains TeamCity Authentication Bypass CVE-2024-27198 |
Exploit Public-Facing Application |
TTP |
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 |
Exploit Public-Facing Application |
TTP |
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 |
Exploit Public-Facing Application |
TTP |
JetBrains TeamCity RCE Attempt |
Exploit Public-Facing Application |
TTP |
Jscript Execution Using Cscript App |
Command and Scripting Interpreter, JavaScript |
TTP |
Juniper Networks Remote Code Execution Exploit Detection |
Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter |
TTP |
Kerberoasting spn request with RC4 encryption |
Steal or Forge Kerberos Tickets, Kerberoasting |
TTP |
Kerberos Pre-Authentication Flag Disabled in UserAccountControl |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Kerberos Pre-Authentication Flag Disabled with PowerShell |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Kerberos Service Ticket Request Using RC4 Encryption |
Steal or Forge Kerberos Tickets, Golden Ticket |
TTP |
Kerberos TGT Request Using RC4 Encryption |
Use Alternate Authentication Material |
TTP |
Kerberos User Enumeration |
Gather Victim Identity Information, Email Addresses |
Anomaly |
Known Services Killed by Ransomware |
Inhibit System Recovery |
TTP |
Kubernetes AWS detect RBAC authorization by account |
None |
Hunting |
Kubernetes AWS detect most active service accounts by pod |
None |
Hunting |
Kubernetes AWS detect sensitive role access |
None |
Hunting |
Kubernetes AWS detect service accounts forbidden failure access |
None |
Hunting |
Kubernetes AWS detect suspicious kubectl calls |
None |
Anomaly |
Kubernetes Abuse of Secret by Unusual Location |
Container API |
Anomaly |
Kubernetes Abuse of Secret by Unusual User Agent |
Container API |
Anomaly |
Kubernetes Abuse of Secret by Unusual User Group |
Container API |
Anomaly |
Kubernetes Abuse of Secret by Unusual User Name |
Container API |
Anomaly |
Kubernetes Access Scanning |
Network Service Discovery |
Anomaly |
Kubernetes Anomalous Inbound Network Activity from Process |
User Execution |
Anomaly |
Kubernetes Anomalous Inbound Outbound Network IO |
User Execution |
Anomaly |
Kubernetes Anomalous Inbound to Outbound Network IO Ratio |
User Execution |
Anomaly |
Kubernetes Anomalous Outbound Network Activity from Process |
User Execution |
Anomaly |
Kubernetes Anomalous Traffic on Network Edge |
User Execution |
Anomaly |
Kubernetes Azure active service accounts by pod namespace |
None |
Hunting |
Kubernetes Azure detect RBAC authorization by account |
None |
Hunting |
Kubernetes Azure detect sensitive object access |
None |
Hunting |
Kubernetes Azure detect sensitive role access |
None |
Hunting |
Kubernetes Azure detect service accounts forbidden failure access |
None |
Hunting |
Kubernetes Azure detect suspicious kubectl calls |
None |
Hunting |
Kubernetes Azure pod scan fingerprint |
None |
Hunting |
Kubernetes Azure scan fingerprint |
Cloud Service Discovery |
Hunting |
Kubernetes Create or Update Privileged Pod |
User Execution |
Anomaly |
Kubernetes Cron Job Creation |
Container Orchestration Job |
Anomaly |
Kubernetes DaemonSet Deployed |
User Execution |
Anomaly |
Kubernetes Falco Shell Spawned |
User Execution |
Anomaly |
Kubernetes GCP detect RBAC authorizations by account |
None |
Hunting |
Kubernetes GCP detect most active service accounts by pod |
None |
Hunting |
Kubernetes GCP detect sensitive object access |
None |
Hunting |
Kubernetes GCP detect sensitive role access |
None |
Hunting |
Kubernetes GCP detect service accounts forbidden failure access |
None |
Hunting |
Kubernetes GCP detect suspicious kubectl calls |
None |
Hunting |
Kubernetes Nginx Ingress LFI |
Exploitation for Credential Access |
TTP |
Kubernetes Nginx Ingress RFI |
Exploitation for Credential Access |
TTP |
Kubernetes Node Port Creation |
User Execution |
Anomaly |
Kubernetes Pod Created in Default Namespace |
User Execution |
Anomaly |
Kubernetes Pod With Host Network Attachment |
User Execution |
Anomaly |
Kubernetes Previously Unseen Container Image Name |
User Execution |
Anomaly |
Kubernetes Previously Unseen Process |
User Execution |
Anomaly |
Kubernetes Process Running From New Path |
User Execution |
Anomaly |
Kubernetes Process with Anomalous Resource Utilisation |
User Execution |
Anomaly |
Kubernetes Process with Resource Ratio Anomalies |
User Execution |
Anomaly |
Kubernetes Scanner Image Pulling |
Cloud Service Discovery |
TTP |
Kubernetes Scanning by Unauthenticated IP Address |
Network Service Discovery |
Anomaly |
Kubernetes Shell Running on Worker Node |
User Execution |
Anomaly |
Kubernetes Shell Running on Worker Node with CPU Activity |
User Execution |
Anomaly |
Kubernetes Suspicious Image Pulling |
Cloud Service Discovery |
Anomaly |
Kubernetes Unauthorized Access |
User Execution |
Anomaly |
Kubernetes newly seen TCP edge |
User Execution |
Anomaly |
Kubernetes newly seen UDP edge |
User Execution |
Anomaly |
LOLBAS With Network Traffic |
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution |
TTP |
Large Volume of DNS ANY Queries |
Network Denial of Service, Reflection Amplification |
Anomaly |
Linux APT Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux AWK Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Account Manipulation Of SSH Config and Keys |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
Linux Add Files In Known Crontab Directories |
Cron, Scheduled Task/Job |
Anomaly |
Linux Add User Account |
Local Account, Create Account |
Hunting |
Linux Adding Crontab Using List Parameter |
Cron, Scheduled Task/Job |
Hunting |
Linux At Allow Config File Creation |
Cron, Scheduled Task/Job |
Anomaly |
Linux At Application Execution |
At, Scheduled Task/Job |
Anomaly |
Linux Auditd Add User Account |
Local Account, Create Account |
Anomaly |
Linux Auditd Add User Account Type |
Create Account, Local Account |
Anomaly |
Linux Auditd At Application Execution |
At, Scheduled Task/Job |
Anomaly |
Linux Auditd Auditd Service Stop |
Service Stop |
Anomaly |
Linux Auditd Base64 Decode Files |
Deobfuscate/Decode Files or Information |
Anomaly |
Linux Auditd Change File Owner To Root |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
Linux Auditd Clipboard Data Copy |
Clipboard Data |
Anomaly |
Linux Auditd Data Destruction Command |
Data Destruction |
TTP |
Linux Auditd Data Transfer Size Limits Via Split |
Data Transfer Size Limits |
Anomaly |
Linux Auditd Data Transfer Size Limits Via Split Syscall |
Data Transfer Size Limits |
Anomaly |
Linux Auditd Database File And Directory Discovery |
File and Directory Discovery |
Anomaly |
Linux Auditd Dd File Overwrite |
Data Destruction |
TTP |
Linux Auditd Disable Or Modify System Firewall |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
Linux Auditd Doas Conf File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
TTP |
Linux Auditd Doas Tool Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Auditd Edit Cron Table Parameter |
Cron, Scheduled Task/Job |
TTP |
Linux Auditd File And Directory Discovery |
File and Directory Discovery |
Anomaly |
Linux Auditd File Permission Modification Via Chmod |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
Anomaly |
Linux Auditd File Permissions Modification Via Chattr |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
Linux Auditd Find Credentials From Password Managers |
Password Managers, Credentials from Password Stores |
TTP |
Linux Auditd Find Credentials From Password Stores |
Password Managers, Credentials from Password Stores |
TTP |
Linux Auditd Find Private Keys |
Private Keys, Unsecured Credentials |
TTP |
Linux Auditd Find Ssh Private Keys |
Private Keys, Unsecured Credentials |
Anomaly |
Linux Auditd Hardware Addition Swapoff |
Hardware Additions |
Anomaly |
Linux Auditd Hidden Files And Directories Creation |
File and Directory Discovery |
TTP |
Linux Auditd Insert Kernel Module Using Insmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
Linux Auditd Install Kernel Module Using Modprobe Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
Linux Auditd Kernel Module Enumeration |
System Information Discovery, Rootkit |
Anomaly |
Linux Auditd Kernel Module Using Rmmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
TTP |
Linux Auditd Nopasswd Entry In Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Auditd Osquery Service Stop |
Service Stop |
TTP |
Linux Auditd Possible Access Or Modification Of Sshd Config File |
SSH Authorized Keys, Account Manipulation |
Anomaly |
Linux Auditd Possible Access To Credential Files |
/etc/passwd and /etc/shadow, OS Credential Dumping |
Anomaly |
Linux Auditd Possible Access To Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File |
Cron, Scheduled Task/Job |
Hunting |
Linux Auditd Preload Hijack Library Calls |
Dynamic Linker Hijacking, Hijack Execution Flow |
TTP |
Linux Auditd Preload Hijack Via Preload File |
Dynamic Linker Hijacking, Hijack Execution Flow |
TTP |
Linux Auditd Service Restarted |
Systemd Timers, Scheduled Task/Job |
Anomaly |
Linux Auditd Service Started |
Service Execution, System Services |
TTP |
Linux Auditd Setuid Using Chmod Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Anomaly |
Linux Auditd Setuid Using Setcap Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
TTP |
Linux Auditd Shred Overwrite Command |
Data Destruction |
TTP |
Linux Auditd Stop Services |
Service Stop |
TTP |
Linux Auditd Sudo Or Su Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Auditd Sysmon Service Stop |
Service Stop |
TTP |
Linux Auditd System Network Configuration Discovery |
System Network Configuration Discovery |
Anomaly |
Linux Auditd Unix Shell Configuration Modification |
Unix Shell Configuration Modification, Event Triggered Execution |
TTP |
Linux Auditd Unload Module Via Modprobe |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
TTP |
Linux Auditd Virtual Disk File And Directory Discovery |
File and Directory Discovery |
Anomaly |
Linux Auditd Whoami User Discovery |
System Owner/User Discovery |
Anomaly |
Linux Busybox Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Change File Owner To Root |
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification |
Anomaly |
Linux Clipboard Data Copy |
Clipboard Data |
Anomaly |
Linux Common Process For Elevation Control |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Hunting |
Linux Composer Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Cpulimit Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Csvtool Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Curl Upload File |
Ingress Tool Transfer |
TTP |
Linux DD File Overwrite |
Data Destruction |
TTP |
Linux Data Destruction Command |
Data Destruction |
TTP |
Linux Decode Base64 to Shell |
Obfuscated Files or Information, Unix Shell |
TTP |
Linux Deleting Critical Directory Using RM Command |
Data Destruction |
TTP |
Linux Deletion Of Cron Jobs |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
Linux Deletion Of Init Daemon Script |
Data Destruction, File Deletion, Indicator Removal |
TTP |
Linux Deletion Of Services |
Data Destruction, File Deletion, Indicator Removal |
TTP |
Linux Deletion of SSL Certificate |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
Linux Disable Services |
Service Stop |
TTP |
Linux Doas Conf File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Doas Tool Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Docker Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Edit Cron Table Parameter |
Cron, Scheduled Task/Job |
Hunting |
Linux Emacs Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux File Created In Kernel Driver Directory |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
Linux File Creation In Init Boot Directory |
RC Scripts, Boot or Logon Initialization Scripts |
Anomaly |
Linux File Creation In Profile Directory |
Unix Shell Configuration Modification, Event Triggered Execution |
Anomaly |
Linux Find Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux GDB Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux GNU Awk Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Gem Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Hardware Addition SwapOff |
Hardware Additions |
Anomaly |
Linux High Frequency Of File Deletion In Boot Folder |
Data Destruction, File Deletion, Indicator Removal |
TTP |
Linux High Frequency Of File Deletion In Etc Folder |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
Linux Impair Defenses Process Kill |
Disable or Modify Tools, Impair Defenses |
Hunting |
Linux Indicator Removal Clear Cache |
Indicator Removal |
TTP |
Linux Indicator Removal Service File Deletion |
File Deletion, Indicator Removal |
Anomaly |
Linux Ingress Tool Transfer Hunting |
Ingress Tool Transfer |
Hunting |
Linux Ingress Tool Transfer with Curl |
Ingress Tool Transfer |
Anomaly |
Linux Insert Kernel Module Using Insmod Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
Linux Install Kernel Module Using Modprobe Utility |
Kernel Modules and Extensions, Boot or Logon Autostart Execution |
Anomaly |
Linux Iptables Firewall Modification |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
Linux Java Spawning Shell |
Exploit Public-Facing Application, External Remote Services |
TTP |
Linux Kernel Module Enumeration |
System Information Discovery, Rootkit |
Anomaly |
Linux Kworker Process In Writable Process Path |
Masquerade Task or Service, Masquerading |
Hunting |
Linux Make Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux MySQL Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux NOPASSWD Entry In Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Ngrok Reverse Proxy Usage |
Protocol Tunneling, Proxy, Web Service |
Anomaly |
Linux Node Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Obfuscated Files or Information Base64 Decode |
Obfuscated Files or Information |
Anomaly |
Linux Octave Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux OpenVPN Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux PHP Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Persistence and Privilege Escalation Risk Behavior |
Abuse Elevation Control Mechanism |
Correlation |
Linux Possible Access Or Modification Of sshd Config File |
SSH Authorized Keys, Account Manipulation |
Anomaly |
Linux Possible Access To Credential Files |
/etc/passwd and /etc/shadow, OS Credential Dumping |
Anomaly |
Linux Possible Access To Sudoers File |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Possible Append Command To At Allow Config File |
At, Scheduled Task/Job |
Anomaly |
Linux Possible Append Command To Profile Config File |
Unix Shell Configuration Modification, Event Triggered Execution |
Anomaly |
Linux Possible Append Cronjob Entry on Existing Cronjob File |
Cron, Scheduled Task/Job |
Hunting |
Linux Possible Cronjob Modification With Editor |
Cron, Scheduled Task/Job |
Hunting |
Linux Possible Ssh Key File Creation |
SSH Authorized Keys, Account Manipulation |
Anomaly |
Linux Preload Hijack Library Calls |
Dynamic Linker Hijacking, Hijack Execution Flow |
TTP |
Linux Proxy Socks Curl |
Proxy, Non-Application Layer Protocol |
TTP |
Linux Puppet Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux RPM Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Ruby Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux SSH Authorized Keys Modification |
SSH Authorized Keys |
Anomaly |
Linux SSH Remote Services Script Execute |
SSH |
TTP |
Linux Service File Created In Systemd Directory |
Systemd Timers, Scheduled Task/Job |
Anomaly |
Linux Service Restarted |
Systemd Timers, Scheduled Task/Job |
Anomaly |
Linux Service Started Or Enabled |
Systemd Timers, Scheduled Task/Job |
Anomaly |
Linux Setuid Using Chmod Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Anomaly |
Linux Setuid Using Setcap Utility |
Setuid and Setgid, Abuse Elevation Control Mechanism |
Anomaly |
Linux Shred Overwrite Command |
Data Destruction |
TTP |
Linux Sqlite3 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux Stdout Redirection To Dev Null File |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
Linux Stop Services |
Service Stop |
TTP |
Linux Sudo OR Su Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Hunting |
Linux Sudoers Tmp File Creation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux System Network Discovery |
System Network Configuration Discovery |
Anomaly |
Linux System Reboot Via System Request Key |
System Shutdown/Reboot |
TTP |
Linux Unix Shell Enable All SysRq Functions |
Unix Shell, Command and Scripting Interpreter |
Anomaly |
Linux Visudo Utility Execution |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux apt-get Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux c89 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux c99 Privilege Escalation |
Sudo and Sudo Caching, Abuse Elevation Control Mechanism |
Anomaly |
Linux pkexec Privilege Escalation |
Exploitation for Privilege Escalation |
TTP |
Living Off The Land Detection |
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
Correlation |
Loading Of Dynwrapx Module |
Process Injection, Dynamic-link Library Injection |
TTP |
Local Account Discovery With Wmic |
Account Discovery, Local Account |
Hunting |
Local Account Discovery with Net |
Account Discovery, Local Account |
Hunting |
Log4Shell CVE-2021-44228 Exploitation |
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
Correlation |
Log4Shell JNDI Payload Injection Attempt |
Exploit Public-Facing Application, External Remote Services |
Anomaly |
Log4Shell JNDI Payload Injection with Outbound Connection |
Exploit Public-Facing Application, External Remote Services |
Anomaly |
Logon Script Event Trigger Execution |
Boot or Logon Initialization Scripts, Logon Script (Windows) |
TTP |
MOVEit Certificate Store Access Failure |
Exploit Public-Facing Application |
Hunting |
MOVEit Empty Key Fingerprint Authentication Attempt |
Exploit Public-Facing Application |
Hunting |
MS Exchange Mailbox Replication service writing Active Server Pages |
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services |
TTP |
MS Scripting Process Loading Ldap Module |
Command and Scripting Interpreter, JavaScript |
Anomaly |
MS Scripting Process Loading WMI Module |
Command and Scripting Interpreter, JavaScript |
Anomaly |
MSBuild Suspicious Spawned By Script Process |
MSBuild, Trusted Developer Utilities Proxy Execution |
TTP |
MSHTML Module Load in Office Product |
Phishing, Spearphishing Attachment |
TTP |
MSI Module Loaded by Non-System Binary |
DLL Side-Loading, Hijack Execution Flow |
Hunting |
MacOS - Re-opened Applications |
None |
TTP |
MacOS LOLbin |
Unix Shell, Command and Scripting Interpreter |
TTP |
MacOS plutil |
Plist File Modification |
TTP |
Mailsniper Invoke functions |
Email Collection, Local Email Collection |
TTP |
Malicious InProcServer32 Modification |
Regsvr32, Modify Registry |
TTP |
Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
Malicious PowerShell Process - Execution Policy Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
Malicious PowerShell Process With Obfuscation Techniques |
Command and Scripting Interpreter, PowerShell |
TTP |
Malicious Powershell Executed As A Service |
System Services, Service Execution |
TTP |
Microsoft SharePoint Server Elevation of Privilege |
Exploitation for Privilege Escalation |
TTP |
Mimikatz PassTheTicket CommandLine Parameters |
Use Alternate Authentication Material, Pass the Ticket |
TTP |
Mmc LOLBAS Execution Process Spawn |
Remote Services, Distributed Component Object Model, MMC |
TTP |
Modification Of Wallpaper |
Defacement |
TTP |
Modify ACL permission To Files Or Folder |
File and Directory Permissions Modification |
Anomaly |
Modify ACLs Permission Of Files Or Folders |
File and Directory Permissions Modification |
Anomaly |
Monitor DNS For Brand Abuse |
None |
TTP |
Monitor Email For Brand Abuse |
None |
TTP |
Monitor Registry Keys for Print Monitors |
Port Monitors, Boot or Logon Autostart Execution |
TTP |
Monitor Web Traffic For Brand Abuse |
None |
TTP |
Mshta spawning Rundll32 OR Regsvr32 Process |
System Binary Proxy Execution, Mshta |
TTP |
Msmpeng Application DLL Side Loading |
DLL Side-Loading, Hijack Execution Flow |
TTP |
Multiple Archive Files Http Post Traffic |
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol |
TTP |
Multiple Okta Users With Invalid Credentials From The Same IP |
Password Spraying, Valid Accounts, Default Accounts |
TTP |
NET Profiler UAC bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
NLTest Domain Trust Discovery |
Domain Trust Discovery |
TTP |
Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
Network Connection Discovery With Arp |
System Network Connections Discovery |
Hunting |
Network Connection Discovery With Net |
System Network Connections Discovery |
Hunting |
Network Connection Discovery With Netstat |
System Network Connections Discovery |
Hunting |
Network Discovery Using Route Windows App |
System Network Configuration Discovery, Internet Connection Discovery |
Hunting |
Network Share Discovery Via Dir Command |
Network Share Discovery |
Hunting |
Network Traffic to Active Directory Web Services Protocol |
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |
Hunting |
Nginx ConnectWise ScreenConnect Authentication Bypass |
Exploit Public-Facing Application |
TTP |
Ngrok Reverse Proxy on Network |
Protocol Tunneling, Proxy, Web Service |
Anomaly |
Nishang PowershellTCPOneLine |
Command and Scripting Interpreter, PowerShell |
TTP |
No Windows Updates in a time frame |
None |
Hunting |
Non Chrome Process Accessing Chrome Default Dir |
Credentials from Password Stores, Credentials from Web Browsers |
Anomaly |
Non Firefox Process Access Firefox Profile Dir |
Credentials from Password Stores, Credentials from Web Browsers |
Anomaly |
Notepad with no Command Line Arguments |
Process Injection |
TTP |
Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
O365 Add App Role Assignment Grant User |
Cloud Account, Create Account |
TTP |
O365 Added Service Principal |
Cloud Account, Create Account |
TTP |
O365 Admin Consent Bypassed by Service Principal |
Additional Cloud Roles |
TTP |
O365 Advanced Audit Disabled |
Impair Defenses, Disable or Modify Cloud Logs |
TTP |
O365 Application Available To Other Tenants |
Additional Cloud Roles, Account Manipulation |
TTP |
O365 Application Registration Owner Added |
Account Manipulation |
TTP |
O365 ApplicationImpersonation Role Assigned |
Account Manipulation, Additional Email Delegate Permissions |
TTP |
O365 Block User Consent For Risky Apps Disabled |
Impair Defenses |
TTP |
O365 Bypass MFA via Trusted IP |
Disable or Modify Cloud Firewall, Impair Defenses |
TTP |
O365 Compliance Content Search Exported |
Email Collection, Remote Email Collection |
TTP |
O365 Compliance Content Search Started |
Email Collection, Remote Email Collection |
TTP |
O365 Concurrent Sessions From Different Ips |
Browser Session Hijacking |
TTP |
O365 Cross-Tenant Access Change |
Trust Modification |
TTP |
O365 DLP Rule Triggered |
Exfiltration Over Alternative Protocol, Exfiltration Over Web Service |
Anomaly |
O365 Disable MFA |
Modify Authentication Process |
TTP |
O365 Elevated Mailbox Permission Assigned |
Account Manipulation, Additional Email Delegate Permissions |
TTP |
O365 Email Access By Security Administrator |
Exfiltration Over Web Service, Email Collection, Remote Email Collection |
TTP |
O365 Email Reported By Admin Found Malicious |
Phishing, Spearphishing Attachment, Spearphishing Link |
TTP |
O365 Email Reported By User Found Malicious |
Phishing, Spearphishing Attachment, Spearphishing Link |
TTP |
O365 Email Security Feature Changed |
Impair Defenses, Disable or Modify Cloud Logs, Disable or Modify Tools |
TTP |
O365 Email Suspicious Behavior Alert |
Email Collection, Email Forwarding Rule |
TTP |
O365 Excessive Authentication Failures Alert |
Brute Force |
Anomaly |
O365 Excessive SSO logon errors |
Modify Authentication Process |
Anomaly |
O365 External Guest User Invited |
Cloud Account |
TTP |
O365 External Identity Policy Changed |
Cloud Account |
TTP |
O365 File Permissioned Application Consent Granted by User |
Steal Application Access Token |
TTP |
O365 FullAccessAsApp Permission Assigned |
Additional Email Delegate Permissions, Additional Cloud Roles |
TTP |
O365 High Number Of Failed Authentications for User |
Brute Force, Password Guessing |
TTP |
O365 High Privilege Role Granted |
Account Manipulation, Additional Cloud Roles |
TTP |
O365 Mail Permissioned Application Consent Granted by User |
Steal Application Access Token |
TTP |
O365 Mailbox Email Forwarding Enabled |
Email Collection, Email Forwarding Rule |
TTP |
O365 Mailbox Folder Read Permission Assigned |
Account Manipulation, Additional Email Delegate Permissions |
TTP |
O365 Mailbox Folder Read Permission Granted |
Account Manipulation, Additional Email Delegate Permissions |
TTP |
O365 Mailbox Inbox Folder Shared with All Users |
Email Collection, Remote Email Collection |
TTP |
O365 Mailbox Read Access Granted to Application |
Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles |
TTP |
O365 Multi-Source Failed Authentications Spike |
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing |
Hunting |
O365 Multiple AppIDs and UserAgents Authentication Spike |
Valid Accounts |
Anomaly |
O365 Multiple Failed MFA Requests For User |
Multi-Factor Authentication Request Generation |
TTP |
O365 Multiple Mailboxes Accessed via API |
Remote Email Collection |
TTP |
O365 Multiple Service Principals Created by SP |
Cloud Account |
Anomaly |
O365 Multiple Service Principals Created by User |
Cloud Account |
Anomaly |
O365 Multiple Users Failing To Authenticate From Ip |
Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing |
TTP |
O365 New Email Forwarding Rule Created |
Email Collection, Email Forwarding Rule |
TTP |
O365 New Email Forwarding Rule Enabled |
Email Collection, Email Forwarding Rule |
TTP |
O365 New Federated Domain Added |
Cloud Account, Create Account |
TTP |
O365 New Forwarding Mailflow Rule Created |
Email Collection |
TTP |
O365 New MFA Method Registered |
Account Manipulation, Device Registration |
TTP |
O365 OAuth App Mailbox Access via EWS |
Remote Email Collection |
TTP |
O365 OAuth App Mailbox Access via Graph API |
Remote Email Collection |
TTP |
O365 PST export alert |
Email Collection |
TTP |
O365 Privileged Graph API Permission Assigned |
Security Account Manager |
TTP |
O365 Privileged Role Assigned |
Account Manipulation, Additional Cloud Roles |
TTP |
O365 Privileged Role Assigned To Service Principal |
Account Manipulation, Additional Cloud Roles |
TTP |
O365 Safe Links Detection |
Phishing, Spearphishing Attachment |
TTP |
O365 Security And Compliance Alert Triggered |
Valid Accounts, Cloud Accounts |
TTP |
O365 Service Principal New Client Credentials |
Account Manipulation, Additional Cloud Credentials |
TTP |
O365 SharePoint Allowed Domains Policy Changed |
Cloud Account |
TTP |
O365 SharePoint Malware Detection |
Malicious File, User Execution |
TTP |
O365 Suspicious Admin Email Forwarding |
Email Forwarding Rule, Email Collection |
Anomaly |
O365 Suspicious Rights Delegation |
Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation |
TTP |
O365 Suspicious User Email Forwarding |
Email Forwarding Rule, Email Collection |
Anomaly |
O365 Tenant Wide Admin Consent Granted |
Account Manipulation, Additional Cloud Roles |
TTP |
O365 Threat Intelligence Suspicious Email Delivered |
Phishing, Spearphishing Attachment, Spearphishing Link |
Anomaly |
O365 Threat Intelligence Suspicious File Detected |
Malicious File, User Execution |
TTP |
O365 User Consent Blocked for Risky Application |
Steal Application Access Token |
TTP |
O365 User Consent Denied for OAuth Application |
Steal Application Access Token |
TTP |
O365 ZAP Activity Detection |
Phishing, Spearphishing Attachment, Spearphishing Link |
Anomaly |
Office Application Drop Executable |
Phishing, Spearphishing Attachment |
TTP |
Office Application Spawn Regsvr32 process |
Phishing, Spearphishing Attachment |
TTP |
Office Application Spawn rundll32 process |
Phishing, Spearphishing Attachment |
TTP |
Office Document Creating Schedule Task |
Phishing, Spearphishing Attachment |
TTP |
Office Document Executing Macro Code |
Phishing, Spearphishing Attachment |
TTP |
Office Document Spawned Child Process To Download |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawn CMD Process |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning BITSAdmin |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning CertUtil |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning MSHTA |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning Rundll32 with no DLL |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning Windows Script Host |
Phishing, Spearphishing Attachment |
TTP |
Office Product Spawning Wmic |
Phishing, Spearphishing Attachment |
TTP |
Office Product Writing cab or inf |
Phishing, Spearphishing Attachment |
TTP |
Office Spawning Control |
Phishing, Spearphishing Attachment |
TTP |
Okta Account Locked Out |
Brute Force |
Anomaly |
Okta Account Lockout Events |
Valid Accounts, Default Accounts |
Anomaly |
Okta Authentication Failed During MFA Challenge |
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation |
TTP |
Okta Failed SSO Attempts |
Valid Accounts, Default Accounts |
Anomaly |
Okta IDP Lifecycle Modifications |
Cloud Account |
Anomaly |
Okta MFA Exhaustion Hunt |
Brute Force |
Hunting |
Okta Mismatch Between Source and Response for Verify Push Request |
Multi-Factor Authentication Request Generation |
TTP |
Okta Multi-Factor Authentication Disabled |
Modify Authentication Process, Multi-Factor Authentication |
TTP |
Okta Multiple Accounts Locked Out |
Brute Force |
Anomaly |
Okta Multiple Failed MFA Requests For User |
Multi-Factor Authentication Request Generation |
Anomaly |
Okta Multiple Failed Requests to Access Applications |
Web Session Cookie, Cloud Service Dashboard |
Hunting |
Okta Multiple Users Failing To Authenticate From Ip |
Password Spraying |
Anomaly |
Okta New API Token Created |
Valid Accounts, Default Accounts |
TTP |
Okta New Device Enrolled on Account |
Account Manipulation, Device Registration |
TTP |
Okta Phishing Detection with FastPass Origin Check |
Valid Accounts, Default Accounts, Modify Authentication Process |
TTP |
Okta Risk Threshold Exceeded |
Valid Accounts, Brute Force |
Correlation |
Okta Successful Single Factor Authentication |
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation |
Anomaly |
Okta Suspicious Activity Reported |
Valid Accounts, Default Accounts |
TTP |
Okta Suspicious Use of a Session Cookie |
Steal Web Session Cookie |
Anomaly |
Okta ThreatInsight Login Failure with High Unknown users |
Valid Accounts, Default Accounts, Credential Stuffing |
TTP |
Okta ThreatInsight Suspected PasswordSpray Attack |
Valid Accounts, Default Accounts, Password Spraying |
TTP |
Okta ThreatInsight Threat Detected |
Valid Accounts, Cloud Accounts |
Anomaly |
Okta Two or More Rejected Okta Pushes |
Brute Force |
TTP |
Okta Unauthorized Access to Application |
Cloud Account |
Anomaly |
Okta User Logins from Multiple Cities |
Cloud Accounts |
Anomaly |
Open Redirect in Splunk Web |
None |
TTP |
Osquery pack - ColdRoot detection |
None |
TTP |
Outbound Network Connection from Java Using Default Ports |
Exploit Public-Facing Application, External Remote Services |
TTP |
Overwriting Accessibility Binaries |
Event Triggered Execution, Accessibility Features |
TTP |
PaperCut NG Remote Web Access Attempt |
Exploit Public-Facing Application, External Remote Services |
TTP |
PaperCut NG Suspicious Behavior Debug Log |
Exploit Public-Facing Application, External Remote Services |
Hunting |
Password Policy Discovery with Net |
Password Policy Discovery |
Hunting |
Path traversal SPL injection |
File and Directory Discovery |
TTP |
Permission Modification using Takeown App |
File and Directory Permissions Modification |
TTP |
Persistent XSS in RapidDiag through User Interface Views |
Drive-by Compromise |
TTP |
PetitPotam Network Share Access Request |
Forced Authentication |
TTP |
PetitPotam Suspicious Kerberos TGT Request |
OS Credential Dumping |
TTP |
Ping Sleep Batch Command |
Virtualization/Sandbox Evasion, Time Based Evasion |
Anomaly |
PingID Mismatch Auth Source and Verification Response |
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration |
TTP |
PingID Multiple Failed MFA Requests For User |
Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force |
TTP |
PingID New MFA Method After Credential Reset |
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration |
TTP |
PingID New MFA Method Registered For User |
Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration |
TTP |
Plain HTTP POST Exfiltrated Data |
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol |
TTP |
Possible Browser Pass View Parameter |
Credentials from Web Browsers, Credentials from Password Stores |
Hunting |
Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
TTP |
Potential password in username |
Local Accounts, Credentials In Files |
Hunting |
Potentially malicious code on commandline |
Windows Command Shell |
Anomaly |
PowerShell - Connect To Internet With Hidden Window |
PowerShell, Command and Scripting Interpreter |
Hunting |
PowerShell 4104 Hunting |
Command and Scripting Interpreter, PowerShell |
Hunting |
PowerShell Domain Enumeration |
Command and Scripting Interpreter, PowerShell |
TTP |
PowerShell Enable PowerShell Remoting |
PowerShell, Command and Scripting Interpreter |
Anomaly |
PowerShell Get LocalGroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
PowerShell Invoke CIMMethod CIMSession |
Windows Management Instrumentation |
Anomaly |
PowerShell Invoke WmiExec Usage |
Windows Management Instrumentation |
TTP |
PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
TTP |
PowerShell Script Block With URL Chain |
PowerShell, Ingress Tool Transfer |
TTP |
PowerShell Start or Stop Service |
PowerShell |
Anomaly |
PowerShell Start-BitsTransfer |
BITS Jobs |
TTP |
PowerShell WebRequest Using Memory Stream |
PowerShell, Ingress Tool Transfer, Fileless Storage |
TTP |
Powershell COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell |
TTP |
Powershell Creating Thread Mutex |
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell |
TTP |
Powershell Disable Security Monitoring |
Disable or Modify Tools, Impair Defenses |
TTP |
Powershell Enable SMB1Protocol Feature |
Obfuscated Files or Information, Indicator Removal from Tools |
TTP |
Powershell Execute COM Object |
Component Object Model Hijacking, Event Triggered Execution, PowerShell |
TTP |
Powershell Fileless Process Injection via GetProcAddress |
Command and Scripting Interpreter, Process Injection, PowerShell |
TTP |
Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
Powershell Get LocalGroup Discovery with Script Block Logging |
Permission Groups Discovery, Local Groups |
Hunting |
Powershell Load Module in Meterpreter |
Command and Scripting Interpreter, PowerShell |
TTP |
Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
Powershell Remote Services Add TrustedHost |
Windows Remote Management, Remote Services |
TTP |
Powershell Remote Thread To Known Windows Process |
Process Injection |
TTP |
Powershell Remove Windows Defender Directory |
Disable or Modify Tools, Impair Defenses |
TTP |
Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
TTP |
Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
TTP |
Prevent Automatic Repair Mode using Bcdedit |
Inhibit System Recovery |
TTP |
Print Processor Registry Autostart |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Print Spooler Adding A Printer Driver |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Print Spooler Failed to Load a Plug-in |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Process Creating LNK file in Suspicious Location |
Phishing, Spearphishing Link |
TTP |
Process Deleting Its Process File Path |
Indicator Removal |
TTP |
Process Execution via WMI |
Windows Management Instrumentation |
TTP |
Process Kill Base On File Path |
Disable or Modify Tools, Impair Defenses |
TTP |
Process Writing DynamicWrapperX |
Command and Scripting Interpreter, Component Object Model |
Hunting |
Processes Tapping Keyboard Events |
None |
TTP |
Processes created by netsh |
Disable or Modify System Firewall |
TTP |
Processes launching netsh |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
Prohibited Network Traffic Allowed |
Exfiltration Over Alternative Protocol |
TTP |
Prohibited Software On Endpoint |
None |
Hunting |
Protocol or Port Mismatch |
Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol |
Anomaly |
Protocols passing authentication in cleartext |
None |
TTP |
ProxyShell ProxyNotShell Behavior Detected |
Exploit Public-Facing Application, External Remote Services |
Correlation |
Randomly Generated Scheduled Task Name |
Scheduled Task/Job, Scheduled Task |
Hunting |
Randomly Generated Windows Service Name |
Create or Modify System Process, Windows Service |
Hunting |
Ransomware Notes bulk creation |
Data Encrypted for Impact |
Anomaly |
Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
TTP |
Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
Anomaly |
Recursive Delete of Directory In Batch CMD |
File Deletion, Indicator Removal |
TTP |
Reg exe Manipulating Windows Services Registry Keys |
Services Registry Permissions Weakness, Hijack Execution Flow |
TTP |
Reg exe used to hide files directories via registry keys |
Hidden Files and Directories |
TTP |
Registry Keys Used For Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
Registry Keys Used For Privilege Escalation |
Image File Execution Options Injection, Event Triggered Execution |
TTP |
Registry Keys for Creating SHIM Databases |
Application Shimming, Event Triggered Execution |
TTP |
Regsvr32 Silent and Install Param Dll Loading |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
Regsvr32 with Known Silent Switch Cmdline |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
Remcos RAT File Creation in Remcos Folder |
Screen Capture |
TTP |
Remcos client registry install entry |
Modify Registry |
TTP |
Remote Desktop Network Bruteforce |
Remote Desktop Protocol, Remote Services |
TTP |
Remote Desktop Network Traffic |
Remote Desktop Protocol, Remote Services |
Anomaly |
Remote Desktop Process Running On System |
Remote Desktop Protocol, Remote Services |
Hunting |
Remote Process Instantiation via DCOM and PowerShell |
Remote Services, Distributed Component Object Model |
TTP |
Remote Process Instantiation via DCOM and PowerShell Script Block |
Remote Services, Distributed Component Object Model |
TTP |
Remote Process Instantiation via WMI |
Windows Management Instrumentation |
TTP |
Remote Process Instantiation via WMI and PowerShell |
Windows Management Instrumentation |
TTP |
Remote Process Instantiation via WMI and PowerShell Script Block |
Windows Management Instrumentation |
TTP |
Remote Process Instantiation via WinRM and PowerShell |
Remote Services, Windows Remote Management |
TTP |
Remote Process Instantiation via WinRM and PowerShell Script Block |
Remote Services, Windows Remote Management |
TTP |
Remote Process Instantiation via WinRM and Winrs |
Remote Services, Windows Remote Management |
TTP |
Remote Registry Key modifications |
None |
TTP |
Remote System Discovery with Adsisearcher |
Remote System Discovery |
TTP |
Remote System Discovery with Dsquery |
Remote System Discovery |
Hunting |
Remote System Discovery with Net |
Remote System Discovery |
Hunting |
Remote System Discovery with Wmic |
Remote System Discovery |
TTP |
Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
Resize ShadowStorage volume |
Inhibit System Recovery |
TTP |
Resize Shadowstorage Volume |
Service Stop |
TTP |
Revil Common Exec Parameter |
User Execution |
TTP |
Revil Registry Entry |
Modify Registry |
TTP |
Risk Rule for Dev Sec Ops by Repository |
Malicious Image, User Execution |
Correlation |
Rubeus Command Line Parameters |
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting |
TTP |
Rubeus Kerberos Ticket Exports Through Winlogon Access |
Use Alternate Authentication Material, Pass the Ticket |
TTP |
RunDLL Loading DLL By Ordinal |
System Binary Proxy Execution, Rundll32 |
TTP |
Runas Execution in CommandLine |
Access Token Manipulation, Token Impersonation/Theft |
Hunting |
Rundll32 Control RunDLL Hunt |
System Binary Proxy Execution, Rundll32 |
Hunting |
Rundll32 Control RunDLL World Writable Directory |
System Binary Proxy Execution, Rundll32 |
TTP |
Rundll32 Create Remote Thread To A Process |
Process Injection |
TTP |
Rundll32 CreateRemoteThread In Browser |
Process Injection |
TTP |
Rundll32 DNSQuery |
System Binary Proxy Execution, Rundll32 |
TTP |
Rundll32 LockWorkStation |
System Binary Proxy Execution, Rundll32 |
Anomaly |
Rundll32 Process Creating Exe Dll Files |
System Binary Proxy Execution, Rundll32 |
TTP |
Rundll32 Shimcache Flush |
Modify Registry |
TTP |
Rundll32 with no Command Line Arguments with Network |
System Binary Proxy Execution, Rundll32 |
TTP |
Ryuk Test Files Detected |
Data Encrypted for Impact |
TTP |
Ryuk Wake on LAN Command |
Command and Scripting Interpreter, Windows Command Shell |
TTP |
SAM Database File Access Attempt |
Security Account Manager, OS Credential Dumping |
Hunting |
SLUI RunAs Elevated |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
SLUI Spawning a Process |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
SMB Traffic Spike |
SMB/Windows Admin Shares, Remote Services |
Anomaly |
SMB Traffic Spike - MLTK |
SMB/Windows Admin Shares, Remote Services |
Anomaly |
SQL Injection with Long URLs |
Exploit Public-Facing Application |
TTP |
SSL Certificates with Punycode |
Encrypted Channel |
Hunting |
Samsam Test File Write |
Data Encrypted for Impact |
TTP |
Sc exe Manipulating Windows Services |
Windows Service, Create or Modify System Process |
TTP |
SchCache Change By App Connect And Create ADSI Object |
Domain Account, Account Discovery |
Anomaly |
Schedule Task with HTTP Command Arguments |
Scheduled Task/Job |
TTP |
Schedule Task with Rundll32 Command Trigger |
Scheduled Task/Job |
TTP |
Scheduled Task Creation on Remote Endpoint using At |
Scheduled Task/Job, At |
TTP |
Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
Scheduled Task Initiation on Remote Endpoint |
Scheduled Task/Job, Scheduled Task |
TTP |
Scheduled tasks used in BadRabbit ransomware |
Scheduled Task |
TTP |
Schtasks Run Task On Demand |
Scheduled Task/Job |
TTP |
Schtasks scheduling job on remote system |
Scheduled Task, Scheduled Task/Job |
TTP |
Schtasks used for forcing a reboot |
Scheduled Task, Scheduled Task/Job |
TTP |
Screensaver Event Trigger Execution |
Event Triggered Execution, Screensaver |
TTP |
Script Execution via WMI |
Windows Management Instrumentation |
TTP |
Sdclt UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Sdelete Application Execution |
Data Destruction, File Deletion, Indicator Removal |
TTP |
Sdelete Application Execution |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
SearchProtocolHost with no Command Line with Network |
Process Injection |
TTP |
SecretDumps Offline NTDS Dumping Tool |
NTDS, OS Credential Dumping |
TTP |
ServicePrincipalNames Discovery with PowerShell |
Kerberoasting |
TTP |
ServicePrincipalNames Discovery with PowerShell |
Kerberoasting |
TTP |
ServicePrincipalNames Discovery with SetSPN |
Kerberoasting |
TTP |
Services Escalate Exe |
Abuse Elevation Control Mechanism |
TTP |
Services LOLBAS Execution Process Spawn |
Create or Modify System Process, Windows Service |
TTP |
Set Default PowerShell Execution Policy To Unrestricted or Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
Shim Database File Creation |
Application Shimming, Event Triggered Execution |
TTP |
Shim Database Installation With Suspicious Parameters |
Application Shimming, Event Triggered Execution |
TTP |
Short Lived Scheduled Task |
Scheduled Task |
TTP |
Short Lived Windows Accounts |
Local Account, Create Account |
TTP |
SilentCleanup UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Single Letter Process On Endpoint |
User Execution, Malicious File |
TTP |
Spectre and Meltdown Vulnerable Systems |
None |
TTP |
Spike in File Writes |
None |
Anomaly |
Splunk Absolute Path Traversal Using runshellscript |
File and Directory Discovery |
Hunting |
Splunk Account Discovery Drilldown Dashboard Disclosure |
Account Discovery |
TTP |
Splunk App for Lookup File Editing RCE via User XSLT |
Exploitation of Remote Services |
Hunting |
Splunk Authentication Token Exposure in Debug Log |
Log Enumeration |
TTP |
Splunk CSRF in the SSG kvstore Client Endpoint |
Drive-by Compromise |
TTP |
Splunk Code Injection via custom dashboard leading to RCE |
Exploitation of Remote Services |
Hunting |
Splunk Command and Scripting Interpreter Delete Usage |
Command and Scripting Interpreter |
Anomaly |
Splunk Command and Scripting Interpreter Risky Commands |
Command and Scripting Interpreter |
Hunting |
Splunk Command and Scripting Interpreter Risky SPL MLTK |
Command and Scripting Interpreter |
Anomaly |
Splunk DOS Via Dump SPL Command |
Application or System Exploitation |
Hunting |
Splunk DOS via printf search function |
Application or System Exploitation |
Hunting |
Splunk Data exfiltration from Analytics Workspace using sid query |
Exfiltration Over Web Service |
Hunting |
Splunk Digital Certificates Infrastructure Version |
Digital Certificates |
Hunting |
Splunk Digital Certificates Lack of Encryption |
Digital Certificates |
Anomaly |
Splunk DoS Using Malformed SAML Request |
Network Denial of Service |
Hunting |
Splunk DoS via Malformed S2S Request |
Network Denial of Service |
TTP |
Splunk DoS via POST Request Datamodel Endpoint |
Endpoint Denial of Service |
Hunting |
Splunk ES DoS Investigations Manager via Investigation Creation |
Endpoint Denial of Service |
TTP |
Splunk ES DoS Through Investigation Attachments |
Endpoint Denial of Service |
TTP |
Splunk Edit User Privilege Escalation |
Abuse Elevation Control Mechanism |
Hunting |
Splunk Endpoint Denial of Service DoS Zip Bomb |
Endpoint Denial of Service |
TTP |
Splunk Enterprise Information Disclosure |
None |
TTP |
Splunk Enterprise KV Store Incorrect Authorization |
Abuse Elevation Control Mechanism |
Hunting |
Splunk Enterprise Windows Deserialization File Partition |
Exploit Public-Facing Application |
TTP |
Splunk HTTP Response Splitting Via Rest SPL Command |
HTML Smuggling |
Hunting |
Splunk Identified SSL TLS Certificates |
Network Sniffing |
Hunting |
Splunk Improperly Formatted Parameter Crashes splunkd |
Endpoint Denial of Service |
TTP |
Splunk Information Disclosure in Splunk Add-on Builder |
System Information Discovery |
Hunting |
Splunk Information Disclosure on Account Login |
Account Discovery |
Hunting |
Splunk Low Privilege User Can View Hashed Splunk Password |
Exploitation for Credential Access |
Hunting |
Splunk Path Traversal In Splunk App For Lookup File Edit |
File and Directory Discovery |
Hunting |
Splunk Persistent XSS Via URL Validation Bypass W Dashboard |
Drive-by Compromise |
Hunting |
Splunk Process Injection Forwarder Bundle Downloads |
Process Injection |
Hunting |
Splunk Protocol Impersonation Weak Encryption Configuration |
Protocol Impersonation |
Hunting |
Splunk RBAC Bypass On Indexing Preview REST Endpoint |
Access Token Manipulation |
Hunting |
Splunk RCE PDFgen Render |
Exploitation of Remote Services |
TTP |
Splunk RCE via External Lookup Copybuckets |
Exploitation of Remote Services |
Hunting |
Splunk RCE via Serialized Session Payload |
Exploit Public-Facing Application |
Hunting |
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature |
Exploitation of Remote Services |
Hunting |
Splunk RCE via User XSLT |
Exploitation of Remote Services |
Hunting |
Splunk Reflected XSS in the templates lists radio |
Drive-by Compromise |
Hunting |
Splunk Reflected XSS on App Search Table Endpoint |
Drive-by Compromise |
Hunting |
Splunk Stored XSS conf-web Settings on Premises |
Drive-by Compromise |
Hunting |
Splunk Stored XSS via Data Model objectName Field |
Drive-by Compromise |
Hunting |
Splunk Stored XSS via Specially Crafted Bulletin Message |
Drive-by Compromise |
Hunting |
Splunk Unauthenticated DoS via Null Pointer References |
Endpoint Denial of Service |
Hunting |
Splunk Unauthenticated Log Injection Web Service Log |
Exploit Public-Facing Application |
Hunting |
Splunk Unauthenticated Path Traversal Modules Messaging |
File and Directory Discovery |
Hunting |
Splunk Unauthorized Experimental Items Creation |
Drive-by Compromise |
Hunting |
Splunk Unauthorized Notification Input by User |
Abuse Elevation Control Mechanism |
Hunting |
Splunk User Enumeration Attempt |
Valid Accounts |
TTP |
Splunk XSS Privilege Escalation via Custom Urls in Dashboard |
Drive-by Compromise |
Hunting |
Splunk XSS Via External Urls in Dashboards SSRF |
Drive-by Compromise |
Hunting |
Splunk XSS in Highlighted JSON Events |
Drive-by Compromise |
Hunting |
Splunk XSS in Monitoring Console |
Drive-by Compromise |
TTP |
Splunk XSS in Save table dialog header in search page |
Drive-by Compromise |
Hunting |
Splunk XSS via View |
Drive-by Compromise |
Hunting |
Splunk list all nonstandard admin accounts |
Drive-by Compromise |
Hunting |
Splunk protocol impersonation weak encryption selfsigned |
Digital Certificates |
Hunting |
Splunk protocol impersonation weak encryption simplerequest |
Digital Certificates |
Hunting |
Splunk risky Command Abuse disclosed february 2023 |
Abuse Elevation Control Mechanism, Indirect Command Execution |
Hunting |
Splunk unnecessary file extensions allowed by lookup table uploads |
Drive-by Compromise |
TTP |
Spoolsv Spawning Rundll32 |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Spoolsv Suspicious Loaded Modules |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Spoolsv Suspicious Process Access |
Exploitation for Privilege Escalation |
TTP |
Spoolsv Writing a DLL |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Spoolsv Writing a DLL - Sysmon |
Print Processors, Boot or Logon Autostart Execution |
TTP |
Spring4Shell Payload URL Request |
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services |
TTP |
Sqlite Module In Temp Folder |
Data from Local System |
TTP |
Steal or Forge Authentication Certificates Behavior Identified |
Steal or Forge Authentication Certificates |
Correlation |
Sunburst Correlation DLL and Network Event |
Exploitation for Client Execution |
TTP |
Supernova Webshell |
Web Shell, External Remote Services |
TTP |
Suspicious Changes to File Associations |
Change Default File Association |
TTP |
Suspicious Computer Account Name Change |
Valid Accounts, Domain Accounts |
TTP |
Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
TTP |
Suspicious Curl Network Connection |
Ingress Tool Transfer |
TTP |
Suspicious DLLHost no Command Line Arguments |
Process Injection |
TTP |
Suspicious Driver Loaded Path |
Windows Service, Create or Modify System Process |
TTP |
Suspicious Email - UBA Anomaly |
Phishing |
Anomaly |
Suspicious Email Attachment Extensions |
Spearphishing Attachment, Phishing |
Anomaly |
Suspicious Event Log Service Behavior |
Indicator Removal, Clear Windows Event Logs |
Hunting |
Suspicious File Write |
None |
Hunting |
Suspicious GPUpdate no Command Line Arguments |
Process Injection |
TTP |
Suspicious IcedID Rundll32 Cmdline |
System Binary Proxy Execution, Rundll32 |
TTP |
Suspicious Image Creation In Appdata Folder |
Screen Capture |
TTP |
Suspicious Java Classes |
None |
Anomaly |
Suspicious Kerberos Service Ticket Request |
Valid Accounts, Domain Accounts |
TTP |
Suspicious Linux Discovery Commands |
Unix Shell |
TTP |
Suspicious MSBuild Rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Hunting |
Suspicious MSBuild Spawn |
Trusted Developer Utilities Proxy Execution, MSBuild |
TTP |
Suspicious PlistBuddy Usage |
Launch Agent, Create or Modify System Process |
TTP |
Suspicious PlistBuddy Usage via OSquery |
Launch Agent, Create or Modify System Process |
TTP |
Suspicious Powershell Command-Line Arguments |
PowerShell |
TTP |
Suspicious Process DNS Query Known Abuse Web Services |
Visual Basic, Command and Scripting Interpreter |
TTP |
Suspicious Process Executed From Container File |
Malicious File, Masquerade File Type |
TTP |
Suspicious Process File Path |
Create or Modify System Process |
TTP |
Suspicious Process With Discord DNS Query |
Visual Basic, Command and Scripting Interpreter |
Anomaly |
Suspicious Reg exe Process |
Modify Registry |
Anomaly |
Suspicious Regsvr32 Register Suspicious Path |
System Binary Proxy Execution, Regsvr32 |
TTP |
Suspicious Rundll32 PluginInit |
System Binary Proxy Execution, Rundll32 |
TTP |
Suspicious Rundll32 Rename |
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities |
Hunting |
Suspicious Rundll32 StartW |
System Binary Proxy Execution, Rundll32 |
TTP |
Suspicious Rundll32 dllregisterserver |
System Binary Proxy Execution, Rundll32 |
TTP |
Suspicious Rundll32 no Command Line Arguments |
System Binary Proxy Execution, Rundll32 |
TTP |
Suspicious SQLite3 LSQuarantine Behavior |
Data Staged |
TTP |
Suspicious Scheduled Task from Public Directory |
Scheduled Task, Scheduled Task/Job |
Anomaly |
Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
TTP |
Suspicious Ticket Granting Ticket Request |
Valid Accounts, Domain Accounts |
Hunting |
Suspicious WAV file in Appdata Folder |
Screen Capture |
TTP |
Suspicious microsoft workflow compiler rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities |
Hunting |
Suspicious microsoft workflow compiler usage |
Trusted Developer Utilities Proxy Execution |
TTP |
Suspicious msbuild path |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
TTP |
Suspicious mshta child process |
System Binary Proxy Execution, Mshta |
TTP |
Suspicious mshta spawn |
System Binary Proxy Execution, Mshta |
TTP |
Suspicious wevtutil Usage |
Clear Windows Event Logs, Indicator Removal |
TTP |
Suspicious writes to System Volume Information |
Masquerading |
Hunting |
Suspicious writes to windows Recycle Bin |
Masquerading |
TTP |
Svchost LOLBAS Execution Process Spawn |
Scheduled Task/Job, Scheduled Task |
TTP |
System Info Gathering Using Dxdiag Application |
Gather Victim Host Information |
Hunting |
System Information Discovery Detection |
System Information Discovery |
TTP |
System Process Running from Unexpected Location |
Masquerading |
Anomaly |
System Processes Run From Unexpected Locations |
Masquerading, Rename System Utilities |
Anomaly |
System User Discovery With Query |
System Owner/User Discovery |
Hunting |
System User Discovery With Whoami |
System Owner/User Discovery |
Hunting |
TOR Traffic |
Proxy, Multi-hop Proxy |
TTP |
Time Provider Persistence Registry |
Time Providers, Boot or Logon Autostart Execution |
TTP |
Trickbot Named Pipe |
Process Injection |
TTP |
UAC Bypass MMC Load Unsigned Dll |
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC |
TTP |
UAC Bypass With Colorui COM Object |
System Binary Proxy Execution, CMSTP |
TTP |
USN Journal Deletion |
Indicator Removal |
TTP |
Uncommon Processes On Endpoint |
Malicious File |
Hunting |
Uninstall App Using MsiExec |
Msiexec, System Binary Proxy Execution |
TTP |
Unknown Process Using The Kerberos Protocol |
Use Alternate Authentication Material |
TTP |
Unload Sysmon Filter Driver |
Disable or Modify Tools, Impair Defenses |
TTP |
Unloading AMSI via Reflection |
Impair Defenses, PowerShell, Command and Scripting Interpreter |
TTP |
Unsigned Image Loaded by LSASS |
LSASS Memory |
TTP |
Unsuccessful Netbackup backups |
None |
Hunting |
Unusual Number of Computer Service Tickets Requested |
Valid Accounts |
Hunting |
Unusual Number of Kerberos Service Tickets Requested |
Steal or Forge Kerberos Tickets, Kerberoasting |
Anomaly |
Unusual Number of Remote Endpoint Authentication Events |
Valid Accounts |
Hunting |
Unusually Long Command Line |
None |
Anomaly |
Unusually Long Command Line - MLTK |
None |
Anomaly |
Unusually Long Content-Type Length |
None |
Anomaly |
User Discovery With Env Vars PowerShell |
System Owner/User Discovery |
Hunting |
User Discovery With Env Vars PowerShell Script Block |
System Owner/User Discovery |
Hunting |
VMWare Aria Operations Exploit Attempt |
External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation |
TTP |
VMware Server Side Template Injection Hunt |
Exploit Public-Facing Application, External Remote Services |
Hunting |
VMware Workspace ONE Freemarker Server-side Template Injection |
Exploit Public-Facing Application, External Remote Services |
Anomaly |
Vbscript Execution Using Wscript App |
Visual Basic, Command and Scripting Interpreter |
TTP |
Verclsid CLSID Execution |
Verclsid, System Binary Proxy Execution |
Hunting |
W3WP Spawning Shell |
Server Software Component, Web Shell |
TTP |
WBAdmin Delete System Backups |
Inhibit System Recovery |
TTP |
WBAdmin Delete System Backups |
Inhibit System Recovery |
TTP |
WMI Permanent Event Subscription |
Windows Management Instrumentation |
TTP |
WMI Permanent Event Subscription - Sysmon |
Windows Management Instrumentation Event Subscription, Event Triggered Execution |
TTP |
WMI Recon Running Process Or Services |
Gather Victim Host Information |
Anomaly |
WMI Temporary Event Subscription |
Windows Management Instrumentation |
TTP |
WMIC XSL Execution via URL |
XSL Script Processing |
TTP |
WS FTP Remote Code Execution |
Exploit Public-Facing Application |
TTP |
WSReset UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
Wbemprox COM Object Execution |
System Binary Proxy Execution, CMSTP |
TTP |
Web Fraud - Account Harvesting |
Create Account |
TTP |
Web Fraud - Anomalous User Clickspeed |
Valid Accounts |
Anomaly |
Web Fraud - Password Sharing Across Accounts |
None |
Anomaly |
Web JSP Request via URL |
Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services |
TTP |
Web Remote ShellServlet Access |
Exploit Public-Facing Application |
TTP |
Web Servers Executing Suspicious Processes |
System Information Discovery |
TTP |
Web Spring Cloud Function FunctionRouter |
Exploit Public-Facing Application, External Remote Services |
TTP |
Web Spring4Shell HTTP Request Class Module |
Exploit Public-Facing Application, External Remote Services |
TTP |
Wermgr Process Connecting To IP Check Web Services |
Gather Victim Network Information, IP Addresses |
TTP |
Wermgr Process Create Executable File |
Obfuscated Files or Information |
TTP |
Wermgr Process Spawned CMD Or Powershell Process |
Command and Scripting Interpreter |
TTP |
WevtUtil Usage To Clear Logs |
Indicator Removal, Clear Windows Event Logs |
TTP |
Wevtutil Usage To Disable Logs |
Indicator Removal, Clear Windows Event Logs |
TTP |
Wget Download and Bash Execution |
Ingress Tool Transfer |
TTP |
WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
WinEvent Scheduled Task Created to Spawn Shell |
Scheduled Task, Scheduled Task/Job |
TTP |
WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
WinRAR Spawning Shell Application |
Ingress Tool Transfer |
TTP |
WinRM Spawning a Process |
Exploit Public-Facing Application |
TTP |
Windows AD Abnormal Object Access Activity |
Account Discovery, Domain Account |
Anomaly |
Windows AD AdminSDHolder ACL Modified |
Event Triggered Execution |
TTP |
Windows AD Cross Domain SID History Addition |
SID-History Injection, Access Token Manipulation |
TTP |
Windows AD DCShadow Privileges ACL Addition |
Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification |
TTP |
Windows AD DSRM Account Changes |
Account Manipulation |
TTP |
Windows AD DSRM Password Reset |
Account Manipulation |
TTP |
Windows AD Dangerous Deny ACL Modification |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Dangerous Group ACL Modification |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Dangerous User ACL Modification |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Domain Controller Audit Policy Disabled |
Disable or Modify Tools |
TTP |
Windows AD Domain Controller Promotion |
Rogue Domain Controller |
TTP |
Windows AD Domain Replication ACL Addition |
Domain or Tenant Policy Modification |
TTP |
Windows AD Domain Root ACL Deletion |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Domain Root ACL Modification |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD GPO Deleted |
Disable or Modify Tools, Group Policy Modification |
TTP |
Windows AD GPO Disabled |
Disable or Modify Tools, Group Policy Modification |
TTP |
Windows AD GPO New CSE Addition |
Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Hidden OU Creation |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Object Owner Updated |
Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Privileged Account SID History Addition |
SID-History Injection, Access Token Manipulation |
TTP |
Windows AD Privileged Group Modification |
Account Manipulation |
TTP |
Windows AD Privileged Object Access Activity |
Account Discovery, Domain Account |
TTP |
Windows AD Replication Request Initiated by User Account |
DCSync, OS Credential Dumping |
TTP |
Windows AD Replication Request Initiated from Unsanctioned Location |
DCSync, OS Credential Dumping |
TTP |
Windows AD Replication Service Traffic |
OS Credential Dumping, DCSync, Rogue Domain Controller |
TTP |
Windows AD Rogue Domain Controller Network Activity |
Rogue Domain Controller |
TTP |
Windows AD SID History Attribute Modified |
Access Token Manipulation, SID-History Injection |
TTP |
Windows AD Same Domain SID History Addition |
SID-History Injection, Access Token Manipulation |
TTP |
Windows AD Self DACL Assignment |
Domain or Tenant Policy Modification, Account Manipulation |
TTP |
Windows AD ServicePrincipalName Added To Domain Account |
Account Manipulation |
TTP |
Windows AD Short Lived Domain Account ServicePrincipalName |
Account Manipulation |
TTP |
Windows AD Short Lived Domain Controller SPN Attribute |
Rogue Domain Controller |
TTP |
Windows AD Short Lived Server Object |
Rogue Domain Controller |
TTP |
Windows AD Suspicious Attribute Modification |
Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD Suspicious GPO Modification |
Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification |
TTP |
Windows AD add Self to Group |
Account Manipulation |
TTP |
Windows Abused Web Services |
Web Service |
TTP |
Windows Access Token Manipulation SeDebugPrivilege |
Create Process with Token, Access Token Manipulation |
Anomaly |
Windows Access Token Manipulation Winlogon Duplicate Token Handle |
Token Impersonation/Theft, Access Token Manipulation |
Hunting |
Windows Access Token Winlogon Duplicate Handle In Uncommon Path |
Token Impersonation/Theft, Access Token Manipulation |
Anomaly |
Windows Account Discovery With NetUser PreauthNotRequire |
Account Discovery |
Hunting |
Windows Account Discovery for None Disable User Account |
Account Discovery, Local Account |
Hunting |
Windows Account Discovery for Sam Account Name |
Account Discovery |
Anomaly |
Windows AdFind Exe |
Remote System Discovery |
TTP |
Windows Admin Permission Discovery |
Local Groups |
Anomaly |
Windows Administrative Shares Accessed On Multiple Hosts |
Network Share Discovery |
TTP |
Windows Admon Default Group Policy Object Modified |
Domain or Tenant Policy Modification, Group Policy Modification |
TTP |
Windows Admon Group Policy Object Created |
Domain or Tenant Policy Modification, Group Policy Modification |
TTP |
Windows Alternate DataStream - Base64 Content |
Hide Artifacts, NTFS File Attributes |
TTP |
Windows Alternate DataStream - Executable Content |
Hide Artifacts, NTFS File Attributes |
TTP |
Windows Alternate DataStream - Process Execution |
Hide Artifacts, NTFS File Attributes |
TTP |
Windows Apache Benchmark Binary |
Command and Scripting Interpreter |
Anomaly |
Windows App Layer Protocol Qakbot NamedPipe |
Application Layer Protocol |
Anomaly |
Windows App Layer Protocol Wermgr Connect To NamedPipe |
Application Layer Protocol |
Anomaly |
Windows AppLocker Block Events |
System Binary Proxy Execution |
Anomaly |
Windows AppLocker Execution from Uncommon Locations |
System Binary Proxy Execution |
Hunting |
Windows AppLocker Privilege Escalation via Unauthorized Bypass |
System Binary Proxy Execution |
TTP |
Windows AppLocker Rare Application Launch Detection |
System Binary Proxy Execution |
Hunting |
Windows Application Layer Protocol RMS Radmin Tool Namedpipe |
Application Layer Protocol |
TTP |
Windows Archive Collected Data via Powershell |
Archive Collected Data |
Anomaly |
Windows Archive Collected Data via Rar |
Archive via Utility, Archive Collected Data |
Anomaly |
Windows AutoIt3 Execution |
Command and Scripting Interpreter |
TTP |
Windows Autostart Execution LSASS Driver Registry Modification |
LSASS Driver |
TTP |
Windows Binary Proxy Execution Mavinject DLL Injection |
Mavinject, System Binary Proxy Execution |
TTP |
Windows Bits Job Persistence |
BITS Jobs |
TTP |
Windows Bitsadmin Download File |
BITS Jobs, Ingress Tool Transfer |
TTP |
Windows Boot or Logon Autostart Execution In Startup Folder |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
Anomaly |
Windows BootLoader Inventory |
System Firmware, Pre-OS Boot |
Hunting |
Windows Bypass UAC via Pkgmgr Tool |
Bypass User Account Control |
Anomaly |
Windows CAB File on Disk |
Spearphishing Attachment |
Anomaly |
Windows COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Event Triggered Execution |
TTP |
Windows COM Hijacking InprocServer32 Modification |
Component Object Model Hijacking, Event Triggered Execution |
TTP |
Windows Cached Domain Credentials Reg Query |
Cached Domain Credentials, OS Credential Dumping |
Anomaly |
Windows CertUtil Decode File |
Deobfuscate/Decode Files or Information |
TTP |
Windows CertUtil URLCache Download |
Ingress Tool Transfer |
TTP |
Windows CertUtil VerifyCtl Download |
Ingress Tool Transfer |
TTP |
Windows Change Default File Association For No File Ext |
Change Default File Association, Event Triggered Execution |
TTP |
Windows ClipBoard Data via Get-ClipBoard |
Clipboard Data |
Anomaly |
Windows Command Shell DCRat ForkBomb Payload |
Windows Command Shell, Command and Scripting Interpreter |
TTP |
Windows Command Shell Fetch Env Variables |
Process Injection |
TTP |
Windows Command and Scripting Interpreter Hunting Path Traversal |
Command and Scripting Interpreter |
Hunting |
Windows Command and Scripting Interpreter Path Traversal Exec |
Command and Scripting Interpreter |
TTP |
Windows Common Abused Cmd Shell Risk Behavior |
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter |
Correlation |
Windows Computer Account Created by Computer Account |
Steal or Forge Kerberos Tickets |
TTP |
Windows Computer Account Requesting Kerberos Ticket |
Steal or Forge Kerberos Tickets |
TTP |
Windows Computer Account With SPN |
Steal or Forge Kerberos Tickets |
TTP |
Windows ConHost with Headless Argument |
Hidden Window, Run Virtual Instance |
TTP |
Windows Create Local Account |
Local Account, Create Account |
Anomaly |
Windows Credential Access From Browser Password Store |
Query Registry |
Anomaly |
Windows Credential Dumping LSASS Memory Createdump |
LSASS Memory |
TTP |
Windows Credentials from Password Stores Chrome Extension Access |
Query Registry |
Anomaly |
Windows Credentials from Password Stores Chrome LocalState Access |
Query Registry |
Anomaly |
Windows Credentials from Password Stores Chrome Login Data Access |
Query Registry |
Anomaly |
Windows Credentials from Password Stores Creation |
Credentials from Password Stores |
TTP |
Windows Credentials from Password Stores Deletion |
Credentials from Password Stores |
TTP |
Windows Credentials from Password Stores Query |
Credentials from Password Stores |
Anomaly |
Windows Credentials in Registry Reg Query |
Credentials in Registry, Unsecured Credentials |
Anomaly |
Windows Curl Download to Suspicious Path |
Ingress Tool Transfer |
TTP |
Windows Curl Upload to Remote Destination |
Ingress Tool Transfer |
TTP |
Windows Curl Upload to Remote Destination |
Ingress Tool Transfer |
TTP |
Windows DISM Install PowerShell Web Access |
Bypass User Account Control |
TTP |
Windows DISM Remove Defender |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows DLL Search Order Hijacking Hunt |
DLL Search Order Hijacking, Hijack Execution Flow |
Hunting |
Windows DLL Search Order Hijacking Hunt with Sysmon |
DLL Search Order Hijacking, Hijack Execution Flow |
Hunting |
Windows DLL Search Order Hijacking with iscsicpl |
DLL Search Order Hijacking |
TTP |
Windows DLL Side-Loading In Calc |
DLL Side-Loading, Hijack Execution Flow |
TTP |
Windows DLL Side-Loading Process Child Of Calc |
DLL Side-Loading, Hijack Execution Flow |
Anomaly |
Windows DNS Gather Network Info |
DNS |
Anomaly |
Windows Data Destruction Recursive Exec Files Deletion |
Data Destruction |
TTP |
Windows Debugger Tool Execution |
Masquerading |
Hunting |
Windows Defacement Modify Transcodedwallpaper File |
Defacement |
Anomaly |
Windows Default Group Policy Object Modified |
Domain or Tenant Policy Modification, Group Policy Modification |
TTP |
Windows Default Group Policy Object Modified with GPME |
Domain or Tenant Policy Modification, Group Policy Modification |
TTP |
Windows Defender ASR Audit Events |
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link |
Anomaly |
Windows Defender ASR Block Events |
Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link |
Anomaly |
Windows Defender ASR Registry Modification |
Modify Registry |
Hunting |
Windows Defender ASR Rule Disabled |
Modify Registry |
TTP |
Windows Defender ASR Rules Stacking |
Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter |
Hunting |
Windows Defender Exclusion Registry Entry |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Defender Tools in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Delete or Modify System Firewall |
Impair Defenses, Disable or Modify System Firewall |
Anomaly |
Windows Deleted Registry By A Non Critical Process File Path |
Modify Registry |
Anomaly |
Windows Disable Change Password Through Registry |
Modify Registry |
Anomaly |
Windows Disable Lock Workstation Feature Through Registry |
Modify Registry |
Anomaly |
Windows Disable LogOff Button Through Registry |
Modify Registry |
Anomaly |
Windows Disable Memory Crash Dump |
Data Destruction |
TTP |
Windows Disable Notification Center |
Modify Registry |
Anomaly |
Windows Disable Shutdown Button Through Registry |
Modify Registry |
Anomaly |
Windows Disable Windows Event Logging Disable HTTP Logging |
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components |
TTP |
Windows Disable Windows Group Policy Features Through Registry |
Modify Registry |
Anomaly |
Windows Disable or Modify Tools Via Taskkill |
Impair Defenses, Disable or Modify Tools |
Anomaly |
Windows DisableAntiSpyware Registry |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows DiskCryptor Usage |
Data Encrypted for Impact |
Hunting |
Windows Diskshadow Proxy Execution |
System Binary Proxy Execution |
TTP |
Windows Diskshadow Proxy Execution |
System Binary Proxy Execution |
Anomaly |
Windows DnsAdmins New Member Added |
Account Manipulation |
TTP |
Windows Domain Account Discovery Via Get-NetComputer |
Account Discovery, Domain Account |
Anomaly |
Windows Domain Admin Impersonation Indicator |
Steal or Forge Kerberos Tickets |
TTP |
Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
Windows Driver Inventory |
Exploitation for Privilege Escalation |
Hunting |
Windows Driver Load Non-Standard Path |
Rootkit, Exploitation for Privilege Escalation |
TTP |
Windows Drivers Loaded by Signature |
Rootkit, Exploitation for Privilege Escalation |
Hunting |
Windows ESX Admins Group Creation Security Event |
Local Account, Domain Account |
TTP |
Windows ESX Admins Group Creation via Net |
Domain Account, Local Account |
TTP |
Windows ESX Admins Group Creation via PowerShell |
Domain Account, Local Account |
TTP |
Windows Enable PowerShell Web Access |
PowerShell |
TTP |
Windows Enable Win32 ScheduledJob via Registry |
Scheduled Task |
Anomaly |
Windows Event For Service Disabled |
Disable or Modify Tools, Impair Defenses |
Hunting |
Windows Event Log Cleared |
Indicator Removal, Clear Windows Event Logs |
TTP |
Windows Event Triggered Image File Execution Options Injection |
Image File Execution Options Injection |
Hunting |
Windows Excessive Disabled Services Event |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Exchange Autodiscover SSRF Abuse |
Exploit Public-Facing Application, External Remote Services |
TTP |
Windows Exchange PowerShell Module Usage |
Command and Scripting Interpreter, PowerShell |
TTP |
Windows Executable in Loaded Modules |
Shared Modules |
TTP |
Windows Execute Arbitrary Commands with MSDT |
System Binary Proxy Execution |
TTP |
Windows Exfiltration Over C2 Via Invoke RestMethod |
Exfiltration Over C2 Channel |
TTP |
Windows Exfiltration Over C2 Via Powershell UploadString |
Exfiltration Over C2 Channel |
TTP |
Windows Export Certificate |
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates |
Anomaly |
Windows File Share Discovery With Powerview |
Network Share Discovery |
TTP |
Windows File Share Discovery With Powerview |
Unsecured Credentials, Group Policy Preferences |
TTP |
Windows File Transfer Protocol In Non-Common Process Path |
Mail Protocols, Application Layer Protocol |
Anomaly |
Windows File Without Extension In Critical Folder |
Data Destruction |
TTP |
Windows Files and Dirs Access Rights Modification Via Icacls |
Windows File and Directory Permissions Modification, File and Directory Permissions Modification |
TTP |
Windows Find Domain Organizational Units with GetDomainOU |
Account Discovery, Domain Account |
TTP |
Windows Find Interesting ACL with FindInterestingDomainAcl |
Account Discovery, Domain Account |
TTP |
Windows Findstr GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
Windows Forest Discovery with GetForestDomain |
Account Discovery, Domain Account |
TTP |
Windows Gather Victim Host Information Camera |
Hardware, Gather Victim Host Information |
Anomaly |
Windows Gather Victim Identity SAM Info |
Credentials, Gather Victim Identity Information |
Hunting |
Windows Gather Victim Network Info Through Ip Check Web Services |
IP Addresses, Gather Victim Network Information |
Hunting |
Windows Get Local Admin with FindLocalAdminAccess |
Account Discovery, Domain Account |
TTP |
Windows Get-AdComputer Unconstrained Delegation Discovery |
Remote System Discovery |
TTP |
Windows Group Policy Object Created |
Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts |
TTP |
Windows Hidden Schedule Task Settings |
Scheduled Task/Job |
TTP |
Windows Hide Notification Features Through Registry |
Modify Registry |
Anomaly |
Windows High File Deletion Frequency |
Data Destruction |
Anomaly |
Windows Hijack Execution Flow Version Dll Side Load |
DLL Search Order Hijacking, Hijack Execution Flow |
Anomaly |
Windows Hunting System Account Targeting Lsass |
LSASS Memory, OS Credential Dumping |
Hunting |
Windows IIS Components Add New Module |
Server Software Component, IIS Components |
Anomaly |
Windows IIS Components Get-WebGlobalModule Module Query |
IIS Components, Server Software Component |
Hunting |
Windows IIS Components Module Failed to Load |
Server Software Component, IIS Components |
Anomaly |
Windows IIS Components New Module Added |
Server Software Component, IIS Components |
TTP |
Windows ISO LNK File Creation |
Spearphishing Attachment, Phishing, Malicious Link, User Execution |
Hunting |
Windows Identify Protocol Handlers |
Command and Scripting Interpreter |
Hunting |
Windows Impair Defense Add Xml Applocker Rules |
Disable or Modify Tools, Impair Defenses |
Hunting |
Windows Impair Defense Change Win Defender Health Check Intervals |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Change Win Defender Quick Scan Interval |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Change Win Defender Throttle Rate |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Change Win Defender Tracing Level |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Configure App Install Control |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Define Win Defender Threat Action |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Delete Win Defender Context Menu |
Disable or Modify Tools, Impair Defenses |
Hunting |
Windows Impair Defense Delete Win Defender Profile Registry |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Windows Impair Defense Deny Security Software With Applocker |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Controlled Folder Access |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Defender Firewall And Network |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Defender Protocol Recognition |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable PUA Protection |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Realtime Signature Delivery |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Web Evaluation |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender App Guard |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Compute File Hashes |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Gen reports |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Network Protection |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Report Infection |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Scan On Update |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Disable Win Defender Signature Retirement |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Overide Win Defender Phishing Filter |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Override SmartScreen Prompt |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defense Set Win Defender Smart Screen Level To Warn |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defenses Disable HVCI |
Disable or Modify Tools, Impair Defenses |
TTP |
Windows Impair Defenses Disable Win Defender Auto Logging |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Windows InProcServer32 New Outlook Form |
Phishing, Modify Registry |
Anomaly |
Windows Increase in Group or Object Modification Activity |
Account Manipulation, Impair Defenses |
TTP |
Windows Increase in User Modification Activity |
Account Manipulation, Impair Defenses |
TTP |
Windows Indicator Removal Via Rmdir |
Indicator Removal |
Anomaly |
Windows Indirect Command Execution Via Series Of Forfiles |
Indirect Command Execution |
Anomaly |
Windows Indirect Command Execution Via forfiles |
Indirect Command Execution |
TTP |
Windows Indirect Command Execution Via pcalua |
Indirect Command Execution |
TTP |
Windows Information Discovery Fsutil |
System Information Discovery |
Anomaly |
Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
Anomaly |
Windows Ingress Tool Transfer Using Explorer |
Ingress Tool Transfer |
TTP |
Windows Input Capture Using Credential UI Dll |
GUI Input Capture, Input Capture |
Hunting |
Windows InstallUtil Credential Theft |
InstallUtil, System Binary Proxy Execution |
TTP |
Windows InstallUtil Remote Network Connection |
InstallUtil, System Binary Proxy Execution |
TTP |
Windows InstallUtil URL in Command Line |
InstallUtil, System Binary Proxy Execution |
TTP |
Windows InstallUtil Uninstall Option |
InstallUtil, System Binary Proxy Execution |
TTP |
Windows InstallUtil Uninstall Option with Network |
InstallUtil, System Binary Proxy Execution |
TTP |
Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
Windows Java Spawning Shells |
Exploit Public-Facing Application, External Remote Services |
TTP |
Windows Kerberos Local Successful Logon |
Steal or Forge Kerberos Tickets |
TTP |
Windows Known Abused DLL Created |
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow |
Anomaly |
Windows Known Abused DLL Loaded Suspiciously |
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow |
TTP |
Windows Known GraphicalProton Loaded Modules |
DLL Side-Loading, Hijack Execution Flow |
Anomaly |
Windows KrbRelayUp Service Creation |
Windows Service |
TTP |
Windows LOLBAS Executed As Renamed File |
Masquerading, Rename System Utilities, Rundll32 |
TTP |
Windows LOLBAS Executed Outside Expected Path |
Masquerading, Match Legitimate Name or Location, Rundll32 |
TTP |
Windows LOLBin Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
Windows LSA Secrets NoLMhash Registry |
LSA Secrets |
TTP |
Windows Large Number of Computer Service Tickets Requested |
Network Share Discovery, Valid Accounts |
Anomaly |
Windows Lateral Tool Transfer RemCom |
Lateral Tool Transfer |
TTP |
Windows Ldifde Directory Object Behavior |
Ingress Tool Transfer, Domain Groups |
TTP |
Windows Linked Policies In ADSI Discovery |
Domain Account, Account Discovery |
Anomaly |
Windows Local Administrator Credential Stuffing |
Brute Force, Credential Stuffing |
TTP |
Windows MOF Event Triggered Execution via WMI |
Windows Management Instrumentation Event Subscription |
TTP |
Windows MOVEit Transfer Writing ASPX |
Exploit Public-Facing Application, External Remote Services |
TTP |
Windows MSExchange Management Mailbox Cmdlet Usage |
Command and Scripting Interpreter, PowerShell |
Anomaly |
Windows MSHTA Child Process |
Mshta, System Binary Proxy Execution |
TTP |
Windows MSHTA Command-Line URL |
Mshta, System Binary Proxy Execution |
TTP |
Windows MSHTA Inline HTA Execution |
Mshta, System Binary Proxy Execution |
TTP |
Windows MSHTA Writing to World Writable Path |
Mshta |
TTP |
Windows MSIExec DLLRegisterServer |
Msiexec |
TTP |
Windows MSIExec Remote Download |
Msiexec |
TTP |
Windows MSIExec Spawn Discovery Command |
Msiexec |
TTP |
Windows MSIExec Spawn WinDBG |
Msiexec |
TTP |
Windows MSIExec Unregister DLLRegisterServer |
Msiexec |
TTP |
Windows MSIExec With Network Connections |
Msiexec |
TTP |
Windows Mail Protocol In Non-Common Process Path |
Mail Protocols, Application Layer Protocol |
Anomaly |
Windows Mark Of The Web Bypass |
Mark-of-the-Web Bypass |
TTP |
Windows Masquerading Explorer As Child Process |
DLL Side-Loading, Hijack Execution Flow |
TTP |
Windows Masquerading Msdtc Process |
Masquerading |
TTP |
Windows Mimikatz Binary Execution |
OS Credential Dumping |
TTP |
Windows Mimikatz Crypto Export File Extensions |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Modify Registry AuthenticationLevelOverride |
Modify Registry |
Anomaly |
Windows Modify Registry Auto Minor Updates |
Modify Registry |
Hunting |
Windows Modify Registry Auto Update Notif |
Modify Registry |
Anomaly |
Windows Modify Registry Configure BitLocker |
Modify Registry |
TTP |
Windows Modify Registry Default Icon Setting |
Modify Registry |
Anomaly |
Windows Modify Registry Delete Firewall Rules |
Modify Registry |
TTP |
Windows Modify Registry DisAllow Windows App |
Modify Registry |
TTP |
Windows Modify Registry Disable RDP |
Modify Registry |
Anomaly |
Windows Modify Registry Disable Restricted Admin |
Modify Registry |
TTP |
Windows Modify Registry Disable Toast Notifications |
Modify Registry |
Anomaly |
Windows Modify Registry Disable Win Defender Raw Write Notif |
Modify Registry |
Anomaly |
Windows Modify Registry Disable WinDefender Notifications |
Modify Registry |
TTP |
Windows Modify Registry Disable Windows Security Center Notif |
Modify Registry |
Anomaly |
Windows Modify Registry DisableRemoteDesktopAntiAlias |
Modify Registry |
TTP |
Windows Modify Registry DisableSecuritySettings |
Modify Registry |
TTP |
Windows Modify Registry Disabling WER Settings |
Modify Registry |
TTP |
Windows Modify Registry Do Not Connect To Win Update |
Modify Registry |
Anomaly |
Windows Modify Registry DontShowUI |
Modify Registry |
TTP |
Windows Modify Registry EnableLinkedConnections |
Modify Registry |
TTP |
Windows Modify Registry LongPathsEnabled |
Modify Registry |
Anomaly |
Windows Modify Registry MaxConnectionPerServer |
Modify Registry |
Anomaly |
Windows Modify Registry No Auto Reboot With Logon User |
Modify Registry |
Anomaly |
Windows Modify Registry No Auto Update |
Modify Registry |
Anomaly |
Windows Modify Registry NoChangingWallPaper |
Modify Registry |
TTP |
Windows Modify Registry ProxyEnable |
Modify Registry |
Anomaly |
Windows Modify Registry ProxyServer |
Modify Registry |
Anomaly |
Windows Modify Registry Qakbot Binary Data Registry |
Modify Registry |
Anomaly |
Windows Modify Registry Reg Restore |
Query Registry |
Hunting |
Windows Modify Registry Regedit Silent Reg Import |
Modify Registry |
Anomaly |
Windows Modify Registry Risk Behavior |
Modify Registry |
Correlation |
Windows Modify Registry Suppress Win Defender Notif |
Modify Registry |
Anomaly |
Windows Modify Registry Tamper Protection |
Modify Registry |
TTP |
Windows Modify Registry USeWuServer |
Modify Registry |
Hunting |
Windows Modify Registry UpdateServiceUrlAlternate |
Modify Registry |
Anomaly |
Windows Modify Registry With MD5 Reg Key Name |
Modify Registry |
TTP |
Windows Modify Registry WuServer |
Modify Registry |
Hunting |
Windows Modify Registry on Smart Card Group Policy |
Modify Registry |
Anomaly |
Windows Modify Registry to Add or Modify Firewall Rule |
Modify Registry |
Anomaly |
Windows Modify Registry wuStatusServer |
Modify Registry |
Hunting |
Windows Modify Show Compress Color And Info Tip Registry |
Modify Registry |
TTP |
Windows Modify System Firewall with Notable Process Path |
Disable or Modify System Firewall, Impair Defenses |
TTP |
Windows Mshta Execution In Registry |
Mshta |
TTP |
Windows MsiExec HideWindow Rundll32 Execution |
Msiexec, System Binary Proxy Execution |
TTP |
Windows Multi hop Proxy TOR Website Query |
Mail Protocols, Application Layer Protocol |
Anomaly |
Windows Multiple Account Passwords Changed |
Account Manipulation, Valid Accounts |
TTP |
Windows Multiple Accounts Deleted |
Account Manipulation, Valid Accounts |
TTP |
Windows Multiple Accounts Disabled |
Account Manipulation, Valid Accounts |
TTP |
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos |
Password Spraying, Brute Force |
TTP |
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos |
Password Spraying, Brute Force |
TTP |
Windows Multiple Invalid Users Failed To Authenticate Using NTLM |
Password Spraying, Brute Force |
TTP |
Windows Multiple NTLM Null Domain Authentications |
Brute Force, Password Spraying |
TTP |
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials |
Password Spraying, Brute Force |
TTP |
Windows Multiple Users Failed To Authenticate From Host Using NTLM |
Password Spraying, Brute Force |
TTP |
Windows Multiple Users Failed To Authenticate From Process |
Password Spraying, Brute Force |
TTP |
Windows Multiple Users Failed To Authenticate Using Kerberos |
Password Spraying, Brute Force |
TTP |
Windows Multiple Users Remotely Failed To Authenticate From Host |
Password Spraying, Brute Force |
TTP |
Windows Network Share Interaction With Net |
Network Share Discovery, Data from Network Shared Drive |
TTP |
Windows New InProcServer32 Added |
Modify Registry |
Hunting |
Windows Ngrok Reverse Proxy Usage |
Protocol Tunneling, Proxy, Web Service |
Anomaly |
Windows NirSoft AdvancedRun |
Tool |
TTP |
Windows NirSoft Utilities |
Tool |
Hunting |
Windows Njrat Fileless Storage via Registry |
Fileless Storage, Obfuscated Files or Information |
TTP |
Windows Non Discord App Access Discord LevelDB |
Query Registry |
Anomaly |
Windows Non-System Account Targeting Lsass |
LSASS Memory, OS Credential Dumping |
TTP |
Windows OS Credential Dumping with Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
Windows OS Credential Dumping with Procdump |
LSASS Memory, OS Credential Dumping |
TTP |
Windows Odbcconf Hunting |
Odbcconf |
Hunting |
Windows Odbcconf Load DLL |
Odbcconf |
TTP |
Windows Odbcconf Load Response File |
Odbcconf |
TTP |
Windows Odbcconf Load Response File |
Odbcconf, System Binary Proxy Execution |
TTP |
Windows Office Product Spawning MSDT |
Phishing, Spearphishing Attachment |
TTP |
Windows Outlook WebView Registry Modification |
Modify Registry |
Anomaly |
Windows PaperCut NG Spawn Shell |
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services |
TTP |
Windows Parent PID Spoofing with Explorer |
Parent PID Spoofing, Access Token Manipulation |
TTP |
Windows Password Managers Discovery |
Password Managers |
Anomaly |
Windows Phishing Outlook Drop Dll In FORM Dir |
Phishing |
TTP |
Windows Phishing PDF File Executes URL Link |
Spearphishing Attachment, Phishing |
Anomaly |
Windows Phishing Recent ISO Exec Registry |
Spearphishing Attachment, Phishing |
Hunting |
Windows Possible Credential Dumping |
LSASS Memory, OS Credential Dumping |
TTP |
Windows Post Exploitation Risk Behavior |
Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials |
Correlation |
Windows PowerShell Add Module to Global Assembly Cache |
Server Software Component, IIS Components |
TTP |
Windows PowerShell Disable HTTP Logging |
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components |
TTP |
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView |
Steal or Forge Kerberos Tickets, AS-REP Roasting |
TTP |
Windows PowerShell Export Certificate |
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates |
Anomaly |
Windows PowerShell Export PfxCertificate |
Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates |
Anomaly |
Windows PowerShell Get CIMInstance Remote Computer |
PowerShell |
Anomaly |
Windows PowerShell IIS Components WebGlobalModule Usage |
Server Software Component, IIS Components |
Anomaly |
Windows PowerShell ScheduleTask |
Scheduled Task, PowerShell, Command and Scripting Interpreter |
Anomaly |
Windows PowerShell Start-BitsTransfer |
BITS Jobs, Ingress Tool Transfer |
TTP |
Windows PowerShell WMI Win32 ScheduledJob |
PowerShell, Command and Scripting Interpreter |
TTP |
Windows PowerSploit GPP Discovery |
Unsecured Credentials, Group Policy Preferences |
TTP |
Windows PowerView AD Access Control List Enumeration |
Domain Accounts, Permission Groups Discovery |
TTP |
Windows PowerView Constrained Delegation Discovery |
Remote System Discovery |
TTP |
Windows PowerView Kerberos Service Ticket Request |
Steal or Forge Kerberos Tickets, Kerberoasting |
TTP |
Windows PowerView SPN Discovery |
Steal or Forge Kerberos Tickets, Kerberoasting |
TTP |
Windows PowerView Unconstrained Delegation Discovery |
Remote System Discovery |
TTP |
Windows Powershell Connect to Internet With Hidden Window |
Automated Exfiltration |
Anomaly |
Windows Powershell Cryptography Namespace |
PowerShell, Command and Scripting Interpreter |
Anomaly |
Windows Powershell DownloadFile |
Automated Exfiltration |
Anomaly |
Windows Powershell DownloadString |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
Windows Powershell Import Applocker Policy |
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses |
TTP |
Windows Powershell RemoteSigned File |
PowerShell, Command and Scripting Interpreter |
Anomaly |
Windows Private Keys Discovery |
Private Keys, Unsecured Credentials |
Anomaly |
Windows Privilege Escalation Suspicious Process Elevation |
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation |
TTP |
Windows Privilege Escalation System Process Without System Parent |
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation |
TTP |
Windows Privilege Escalation User Process Spawn System Process |
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation |
TTP |
Windows Privileged Group Modification |
Local Account, Domain Account |
TTP |
Windows Process Commandline Discovery |
Process Discovery |
Hunting |
Windows Process Injection In Non-Service SearchIndexer |
Process Injection |
TTP |
Windows Process Injection Of Wermgr to Known Browser |
Dynamic-link Library Injection, Process Injection |
TTP |
Windows Process Injection Remote Thread |
Process Injection, Portable Executable Injection |
TTP |
Windows Process Injection Wermgr Child Process |
Process Injection |
Anomaly |
Windows Process Injection With Public Source Path |
Process Injection, Portable Executable Injection |
Hunting |
Windows Process Injection into Notepad |
Process Injection, Portable Executable Injection |
Anomaly |
Windows Process With NamedPipe CommandLine |
Process Injection |
Anomaly |
Windows Process Writing File to World Writable Path |
Mshta |
Hunting |
Windows Processes Killed By Industroyer2 Malware |
Service Stop |
Anomaly |
Windows Protocol Tunneling with Plink |
Protocol Tunneling, SSH |
TTP |
Windows Proxy Via Netsh |
Internal Proxy, Proxy |
Anomaly |
Windows Proxy Via Registry |
Internal Proxy, Proxy |
Anomaly |
Windows Query Registry Browser List Application |
Query Registry |
Anomaly |
Windows Query Registry Reg Save |
Query Registry |
Hunting |
Windows Query Registry UnInstall Program List |
Query Registry |
Anomaly |
Windows RDP Connection Successful |
RDP Hijacking |
Hunting |
Windows Raccine Scheduled Task Deletion |
Disable or Modify Tools |
TTP |
Windows Rapid Authentication On Multiple Hosts |
Security Account Manager |
TTP |
Windows Rasautou DLL Execution |
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection |
TTP |
Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe, Disk Wipe |
Anomaly |
Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
Windows Registry BootExecute Modification |
Pre-OS Boot, Registry Run Keys / Startup Folder |
TTP |
Windows Registry Certificate Added |
Install Root Certificate, Subvert Trust Controls |
Anomaly |
Windows Registry Delete Task SD |
Scheduled Task, Impair Defenses |
Anomaly |
Windows Registry Modification for Safe Mode Persistence |
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution |
TTP |
Windows Registry Payload Injection |
Obfuscated Files or Information, Fileless Storage |
TTP |
Windows Registry SIP Provider Modification |
SIP and Trust Provider Hijacking |
TTP |
Windows Regsvr32 Renamed Binary |
Regsvr32, System Binary Proxy Execution |
TTP |
Windows Remote Access Software BRC4 Loaded Dll |
Remote Access Software, OS Credential Dumping |
Anomaly |
Windows Remote Access Software Hunt |
Remote Access Software |
Hunting |
Windows Remote Access Software RMS Registry |
Remote Access Software |
TTP |
Windows Remote Assistance Spawning Process |
Process Injection |
TTP |
Windows Remote Create Service |
Create or Modify System Process, Windows Service |
Anomaly |
Windows Remote Service Rdpwinst Tool Execution |
Remote Desktop Protocol, Remote Services |
TTP |
Windows Remote Services Allow Rdp In Firewall |
Remote Desktop Protocol, Remote Services |
Anomaly |
Windows Remote Services Allow Remote Assistance |
Remote Desktop Protocol, Remote Services |
Anomaly |
Windows Remote Services Rdp Enable |
Remote Desktop Protocol, Remote Services |
TTP |
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities At exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
Windows Replication Through Removable Media |
Replication Through Removable Media |
TTP |
Windows Root Domain linked policies Discovery |
Domain Account, Account Discovery |
Anomaly |
Windows Rundll32 Apply User Settings Changes |
System Binary Proxy Execution, Rundll32 |
TTP |
Windows Rundll32 Comsvcs Memory Dump |
NTDS, OS Credential Dumping |
TTP |
Windows Rundll32 Inline HTA Execution |
System Binary Proxy Execution, Mshta |
TTP |
Windows Rundll32 WebDAV Request |
Exfiltration Over Unencrypted Non-C2 Protocol |
TTP |
Windows Rundll32 WebDav With Network Connection |
Exfiltration Over Unencrypted Non-C2 Protocol |
TTP |
Windows SIP Provider Inventory |
SIP and Trust Provider Hijacking |
Hunting |
Windows SIP WinVerifyTrust Failed Trust Validation |
SIP and Trust Provider Hijacking |
Anomaly |
Windows SOAPHound Binary Execution |
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery |
TTP |
Windows SQL Spawning CertUtil |
Ingress Tool Transfer |
TTP |
Windows Scheduled Task Created Via XML |
Scheduled Task, Scheduled Task/Job |
TTP |
Windows Scheduled Task Service Spawned Shell |
Scheduled Task, Command and Scripting Interpreter |
TTP |
Windows Scheduled Task with Highest Privileges |
Scheduled Task/Job, Scheduled Task |
TTP |
Windows Schtasks Create Run As System |
Scheduled Task, Scheduled Task/Job |
TTP |
Windows Screen Capture Via Powershell |
Screen Capture |
TTP |
Windows Script Host Spawn MSBuild |
MSBuild, Trusted Developer Utilities Proxy Execution |
TTP |
Windows Security Account Manager Stopped |
Service Stop |
TTP |
Windows Security Support Provider Reg Query |
Security Support Provider, Boot or Logon Autostart Execution |
Anomaly |
Windows Server Software Component GACUtil Install to GAC |
Server Software Component, IIS Components |
TTP |
Windows Service Create Kernel Mode Driver |
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation |
TTP |
Windows Service Create RemComSvc |
Windows Service, Create or Modify System Process |
Anomaly |
Windows Service Create SliverC2 |
System Services, Service Execution |
TTP |
Windows Service Create with Tscon |
RDP Hijacking, Remote Service Session Hijacking, Windows Service |
TTP |
Windows Service Created Within Public Path |
Create or Modify System Process, Windows Service |
TTP |
Windows Service Created with Suspicious Service Path |
System Services, Service Execution |
TTP |
Windows Service Creation Using Registry Entry |
Services Registry Permissions Weakness |
TTP |
Windows Service Creation on Remote Endpoint |
Create or Modify System Process, Windows Service |
TTP |
Windows Service Deletion In Registry |
Service Stop |
Anomaly |
Windows Service Initiation on Remote Endpoint |
Create or Modify System Process, Windows Service |
TTP |
Windows Service Stop By Deletion |
Service Stop |
TTP |
Windows Service Stop Via Net and SC Application |
Service Stop |
Anomaly |
Windows Service Stop Win Updates |
Service Stop |
Anomaly |
Windows Snake Malware File Modification Crmlog |
Obfuscated Files or Information |
TTP |
Windows Snake Malware Kernel Driver Comadmin |
Kernel Modules and Extensions |
TTP |
Windows Snake Malware Registry Modification wav OpenWithProgIds |
Modify Registry |
TTP |
Windows Snake Malware Service Create |
Kernel Modules and Extensions, Service Execution |
TTP |
Windows Spearphishing Attachment Connect To None MS Office Domain |
Spearphishing Attachment, Phishing |
Hunting |
Windows Spearphishing Attachment Onenote Spawn Mshta |
Spearphishing Attachment, Phishing |
TTP |
Windows Special Privileged Logon On Multiple Hosts |
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery |
TTP |
Windows SqlWriter SQLDumper DLL Sideload |
DLL Side-Loading |
TTP |
Windows Steal Authentication Certificates - ESC1 Abuse |
Steal or Forge Authentication Certificates |
TTP |
Windows Steal Authentication Certificates - ESC1 Authentication |
Steal or Forge Authentication Certificates, Use Alternate Authentication Material |
TTP |
Windows Steal Authentication Certificates CS Backup |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates CertUtil Backup |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates Certificate Issued |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates Certificate Request |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates CryptoAPI |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates Export Certificate |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal Authentication Certificates Export PfxCertificate |
Steal or Forge Authentication Certificates |
Anomaly |
Windows Steal or Forge Kerberos Tickets Klist |
Steal or Forge Kerberos Tickets |
Hunting |
Windows Suspect Process With Authentication Traffic |
Account Discovery, Domain Account, User Execution, Malicious File |
Anomaly |
Windows System Binary Proxy Execution Compiled HTML File Decompile |
Compiled HTML File, System Binary Proxy Execution |
TTP |
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line |
Compiled HTML File, System Binary Proxy Execution |
TTP |
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers |
Compiled HTML File, System Binary Proxy Execution |
TTP |
Windows System Binary Proxy Execution MSIExec DLLRegisterServer |
Msiexec |
TTP |
Windows System Binary Proxy Execution MSIExec Remote Download |
Msiexec |
TTP |
Windows System Binary Proxy Execution MSIExec Unregister DLL |
Msiexec |
TTP |
Windows System Discovery Using Qwinsta |
System Owner/User Discovery |
Hunting |
Windows System Discovery Using ldap Nslookup |
System Owner/User Discovery |
Anomaly |
Windows System File on Disk |
Exploitation for Privilege Escalation |
Hunting |
Windows System LogOff Commandline |
System Shutdown/Reboot |
Anomaly |
Windows System Network Config Discovery Display DNS |
System Network Configuration Discovery |
Anomaly |
Windows System Network Connections Discovery Netsh |
System Network Connections Discovery |
Anomaly |
Windows System Reboot CommandLine |
System Shutdown/Reboot |
Anomaly |
Windows System Script Proxy Execution Syncappvpublishingserver |
System Script Proxy Execution, System Binary Proxy Execution |
TTP |
Windows System Shutdown CommandLine |
System Shutdown/Reboot |
Anomaly |
Windows System Time Discovery W32tm Delay |
System Time Discovery |
Anomaly |
Windows System User Discovery Via Quser |
System Owner/User Discovery |
Hunting |
Windows System User Privilege Discovery |
System Owner/User Discovery |
Hunting |
Windows Terminating Lsass Process |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Windows Time Based Evasion |
Virtualization/Sandbox Evasion, Time Based Evasion |
TTP |
Windows Time Based Evasion via Choice Exec |
Time Based Evasion, Virtualization/Sandbox Evasion |
Anomaly |
Windows UAC Bypass Suspicious Child Process |
Abuse Elevation Control Mechanism, Bypass User Account Control |
TTP |
Windows UAC Bypass Suspicious Escalation Behavior |
Abuse Elevation Control Mechanism, Bypass User Account Control |
TTP |
Windows Unsecured Outlook Credentials Access In Registry |
Unsecured Credentials |
Anomaly |
Windows Unsigned DLL Side-Loading |
DLL Side-Loading |
Anomaly |
Windows Unsigned DLL Side-Loading In Same Process Path |
DLL Side-Loading, Hijack Execution Flow |
TTP |
Windows Unsigned MS DLL Side-Loading |
DLL Side-Loading, Boot or Logon Autostart Execution |
Anomaly |
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Failed To Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Failed To Authenticate From Process |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Failed To Authenticate Using NTLM |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Remotely Failed To Auth From Host |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual NTLM Authentication Destinations By Source |
Brute Force, Password Spraying |
Anomaly |
Windows Unusual NTLM Authentication Destinations By User |
Brute Force, Password Spraying |
Anomaly |
Windows Unusual NTLM Authentication Users By Destination |
Brute Force, Password Spraying |
Anomaly |
Windows Unusual NTLM Authentication Users By Source |
Brute Force, Password Spraying |
Anomaly |
Windows User Execution Malicious URL Shortcut File |
Malicious File, User Execution |
TTP |
Windows Valid Account With Never Expires Password |
Service Stop |
TTP |
Windows Vulnerable 3CX Software |
Compromise Software Supply Chain |
TTP |
Windows Vulnerable Driver Installed |
Windows Service |
TTP |
Windows Vulnerable Driver Loaded |
Windows Service |
Hunting |
Windows WMI Impersonate Token |
Windows Management Instrumentation |
Anomaly |
Windows WMI Process And Service List |
Windows Management Instrumentation |
Anomaly |
Windows WMI Process Call Create |
Windows Management Instrumentation |
Hunting |
Windows WMIPrvse Spawn MSBuild |
Trusted Developer Utilities Proxy Execution, MSBuild |
TTP |
Windows WinDBG Spawning AutoIt3 |
Command and Scripting Interpreter |
TTP |
Windows WinLogon with Public Network Connection |
Bootkit |
Hunting |
Windows connhost exe started forcefully |
Windows Command Shell |
TTP |
Windows hosts file modification |
None |
TTP |
Winhlp32 Spawning a Process |
Process Injection |
TTP |
Winword Spawning Cmd |
Phishing, Spearphishing Attachment |
TTP |
Winword Spawning PowerShell |
Phishing, Spearphishing Attachment |
TTP |
Winword Spawning Windows Script Host |
Phishing, Spearphishing Attachment |
TTP |
Wmic Group Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
Wmic NonInteractive App Uninstallation |
Disable or Modify Tools, Impair Defenses |
Hunting |
Wmiprsve LOLBAS Execution Process Spawn |
Windows Management Instrumentation |
TTP |
WordPress Bricks Builder plugin RCE |
Exploit Public-Facing Application |
TTP |
Wscript Or Cscript Suspicious Child Process |
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation |
TTP |
Wsmprovhost LOLBAS Execution Process Spawn |
Remote Services, Windows Remote Management |
TTP |
XMRIG Driver Loaded |
Windows Service, Create or Modify System Process |
TTP |
XSL Script Execution With WMIC |
XSL Script Processing |
TTP |
Zeek x509 Certificate with Punycode |
Encrypted Channel |
Hunting |
Zscaler Adware Activities Threat Blocked |
Phishing |
Anomaly |
Zscaler Behavior Analysis Threat Blocked |
Phishing |
Anomaly |
Zscaler CryptoMiner Downloaded Threat Blocked |
Phishing |
Anomaly |
Zscaler Employment Search Web Activity |
Phishing |
Anomaly |
Zscaler Exploit Threat Blocked |
Phishing |
TTP |
Zscaler Legal Liability Threat Blocked |
Phishing |
Anomaly |
Zscaler Malware Activity Threat Blocked |
Phishing |
Anomaly |
Zscaler Phishing Activity Threat Blocked |
Phishing |
Anomaly |
Zscaler Potentially Abused File Download |
Phishing |
Anomaly |
Zscaler Privacy Risk Destinations Threat Blocked |
Phishing |
Anomaly |
Zscaler Scam Destinations Threat Blocked |
Phishing |
Anomaly |
Zscaler Virus Download threat blocked |
Phishing |
Anomaly |
aws detect attach to role policy |
Valid Accounts |
Hunting |
aws detect permanent key creation |
Valid Accounts |
Hunting |
aws detect role creation |
Valid Accounts |
Hunting |
aws detect sts assume role abuse |
Valid Accounts |
Hunting |
aws detect sts get session token abuse |
Use Alternate Authentication Material |
Hunting |
gcp detect oauth token abuse |
Valid Accounts |
Hunting |
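The catalog above is flattened into three lines per detection: the detection name, its comma-separated ATT&CK technique names, and the analytic type (TTP, Anomaly or Hunting). The following added example, which is not part of the original page or of the Splunk project the catalog comes from, parses that format back into records and indexes them by technique so that coverage questions ("which detections cover Password Spraying?", "which detections have no ATT&CK mapping?") can be answered programmatically. The excerpt embedded in CATALOG_TEXT is copied from entries on this page; the function names are the example's own.

```python
"""Parse the flattened detection catalog into records and index it by ATT&CK technique."""
from collections import Counter, defaultdict

# Excerpt of the catalog, copied from entries on this page. Every entry is
# three cells: detection name, comma-separated ATT&CK technique names, and
# the analytic type. The trailing ' |' is the column separator left over
# from the original table.
CATALOG_TEXT = """\
Windows Unusual Count Of Users Failed To Auth Using Kerberos |
Password Spraying, Brute Force |
Anomaly |
Windows Unusual Count Of Users Failed To Authenticate Using NTLM |
Password Spraying, Brute Force |
Anomaly |
Windows hosts file modification |
None |
TTP |
Windows Steal Authentication Certificates - ESC1 Abuse |
Steal or Forge Authentication Certificates |
TTP |
"""

ANALYTIC_TYPES = {"TTP", "Anomaly", "Hunting"}


def parse_catalog(text):
    """Return a list of {'name', 'techniques', 'type'} dicts.

    Blank lines are ignored and the trailing '|' separator is stripped.
    A technique cell of 'None' means the detection carries no ATT&CK
    mapping and yields an empty technique list. Malformed input (cell
    count not a multiple of three, unknown analytic type) raises.
    """
    cells = [line.strip().rstrip("|").strip()
             for line in text.splitlines() if line.strip()]
    if len(cells) % 3:
        raise ValueError(f"catalog has {len(cells)} cells, not a multiple of 3")
    records = []
    for name, techniques, kind in zip(cells[0::3], cells[1::3], cells[2::3]):
        if kind not in ANALYTIC_TYPES:
            raise ValueError(f"unexpected analytic type {kind!r} for {name!r}")
        techs = [] if techniques == "None" else [t.strip() for t in techniques.split(",")]
        records.append({"name": name, "techniques": techs, "type": kind})
    return records


def by_technique(records):
    """Map each ATT&CK technique name to the detection names that cite it."""
    index = defaultdict(list)
    for rec in records:
        for tech in rec["techniques"]:
            index[tech].append(rec["name"])
    return dict(index)


def type_counts(records):
    """Count detections per analytic type (TTP / Anomaly / Hunting)."""
    return Counter(rec["type"] for rec in records)


def unmapped(records):
    """Detections whose technique cell was 'None', i.e. no ATT&CK mapping."""
    return [rec["name"] for rec in records if not rec["techniques"]]


if __name__ == "__main__":
    recs = parse_catalog(CATALOG_TEXT)
    for tech, names in sorted(by_technique(recs).items()):
        print(f"{tech}: {len(names)} detection(s)")
    print("by type:", dict(type_counts(recs)))
    print("unmapped:", unmapped(recs))
```

To run it over the whole page, paste the full list into CATALOG_TEXT (or read it from a file); the parser rejects input whose cell count is not a multiple of three, which is the usual sign that a copy-paste dropped a line.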
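The "Windows Unusual Count Of ... Fail To Auth" entries above (Kerberos, NTLM, disabled users, invalid users) are the catalog's password-spraying detections: one source failing against many distinct accounts. The following added example, which is not the page's own content nor Splunk's search logic, shows the underlying check run over constructed Windows Security events. The event codes and failure codes are the real ones from the Security log; the normalized field names (EventCode, IpAddress, Workstation, TargetUserName, Status), the sample events and the fixed threshold of five distinct accounts are this example's assumptions.

```python
"""Password-spraying check over Windows authentication-failure events."""
from collections import defaultdict

# Windows Security log failure codes (these are facts about the log):
#   4771 Status 0x18       = KDC_ERR_PREAUTH_FAILED (wrong password, valid account)
#   4771 Status 0x12       = KDC_ERR_CLIENT_REVOKED (disabled, expired or locked account)
#   4768 Status 0x6        = KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist)
#   4776 Status 0xC000006A = NTLM wrong password
#   4776 Status 0xC0000064 = NTLM account does not exist
# Keys are (EventCode, lowercase status code).
FAILURE_CLASSES = {
    (4771, "0x18"): "bad_password",
    (4771, "0x12"): "disabled_user",
    (4768, "0x6"): "invalid_user",
    (4776, "0xc000006a"): "bad_password",
    (4776, "0xc0000064"): "invalid_user",
}

# Constructed sample events (not real telemetry). Field names are a
# normalized form assumed by this example.
SAMPLE_EVENTS = [
    # one source trying seven valid accounts with a wrong password
    *({"EventCode": 4771, "IpAddress": "::ffff:10.0.0.5",
       "TargetUserName": f"user{i:02d}", "Status": "0x18"} for i in range(7)),
    # the same source probing two principals that do not exist
    {"EventCode": 4768, "IpAddress": "::ffff:10.0.0.5", "TargetUserName": "svc-old", "Status": "0x6"},
    {"EventCode": 4768, "IpAddress": "::ffff:10.0.0.5", "TargetUserName": "svc-legacy", "Status": "0x6"},
    # a user mistyping their own password twice is not spraying
    {"EventCode": 4771, "IpAddress": "::ffff:10.0.0.9", "TargetUserName": "alice", "Status": "0x18"},
    {"EventCode": 4771, "IpAddress": "::ffff:10.0.0.9", "TargetUserName": "alice", "Status": "0x18"},
    # NTLM failure: 4776 carries a workstation name rather than an IP
    {"EventCode": 4776, "Workstation": "WS-TEMP", "TargetUserName": "bob", "Status": "0xC000006A"},
    # successful TGT request, ignored by the classifier
    {"EventCode": 4768, "IpAddress": "::ffff:10.0.0.9", "TargetUserName": "alice", "Status": "0x0"},
]


def classify(event):
    """Return the failure class for an event, or None if it is not a known failure."""
    return FAILURE_CLASSES.get((event["EventCode"], str(event["Status"]).lower()))


def source_of(event):
    """Source identity: client IP for Kerberos events, workstation for NTLM.

    Kerberos events often record IPv4 clients as IPv4-mapped IPv6
    ('::ffff:a.b.c.d'); the prefix is stripped so both forms aggregate.
    """
    src = event.get("IpAddress") or event.get("Workstation") or "unknown"
    return src.removeprefix("::ffff:")


def spray_sources(events, threshold=5):
    """Return {source: {failure_class: set(accounts)}} for every source where
    the number of distinct accounts in any single failure class reaches
    `threshold`. Distinct accounts, not raw event count, is the signal:
    one user retrying a password many times does not trip it.
    """
    per_source = defaultdict(lambda: defaultdict(set))
    for ev in events:
        cls = classify(ev)
        if cls is None:
            continue
        per_source[source_of(ev)][cls].add(ev["TargetUserName"].lower())
    return {src: dict(classes) for src, classes in per_source.items()
            if any(len(users) >= threshold for users in classes.values())}


if __name__ == "__main__":
    for src, classes in spray_sources(SAMPLE_EVENTS).items():
        for cls, users in classes.items():
            print(f"{src}: {len(users)} distinct accounts, {cls}: {sorted(users)}")
```

The catalog lists these detections as Anomaly rather than TTP, which matches the weakness of a fixed threshold: in production the cutoff is usually derived from a per-source baseline (for example, a multiple of the standard deviation over a trailing window), and the disabled-user and invalid-user classes are worth alerting on at lower counts because legitimate clients rarely generate them in bulk.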