Detections

Name	Technique	Type
3CX Supply Chain Attack Network Indicators	Compromise Software Supply Chain	TTP
7zip CommandLine To SMB Share Path	Archive via Utility, Archive Collected Data	Hunting
AWS AMI Atttribute Modification for Exfiltration	Transfer Data to Cloud Account	TTP
AWS Cloud Provisioning From Previously Unseen City	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen Country	Unused/Unsupported Cloud Regions	Anomaly
AWS Cloud Provisioning From Previously Unseen IP Address	None	Anomaly
AWS Cloud Provisioning From Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly
AWS Concurrent Sessions From Different Ips	Browser Session Hijacking	TTP
AWS Console Login Failed During MFA Challenge	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
AWS Create Policy Version to allow all resources	Cloud Accounts, Valid Accounts	TTP
AWS CreateAccessKey	Cloud Account, Create Account	Hunting
AWS CreateLoginProfile	Cloud Account, Create Account	TTP
AWS Credential Access Failed Login	Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing	TTP
AWS Credential Access GetPasswordData	Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing	Anomaly
AWS Credential Access RDS Password reset	Compromise Accounts, Cloud Accounts, Brute Force	TTP
AWS Cross Account Activity From Previously Unseen Account	None	Anomaly
AWS Defense Evasion Delete CloudWatch Log Group	Impair Defenses, Disable Cloud Logs	TTP
AWS Defense Evasion Delete Cloudtrail	Disable Cloud Logs, Impair Defenses	TTP
AWS Defense Evasion Impair Security Services	Disable Cloud Logs, Impair Defenses	Hunting
AWS Defense Evasion PutBucketLifecycle	Disable Cloud Logs, Impair Defenses	Hunting
AWS Defense Evasion Stop Logging Cloudtrail	Disable Cloud Logs, Impair Defenses	TTP
AWS Defense Evasion Update Cloudtrail	Impair Defenses, Disable Cloud Logs	TTP
AWS Detect Users creating keys with encrypt policy without MFA	Data Encrypted for Impact	TTP
AWS Detect Users with KMS keys performing encryption S3	Data Encrypted for Impact	Anomaly
AWS Disable Bucket Versioning	Inhibit System Recovery	Anomaly
AWS EC2 Snapshot Shared Externally	Transfer Data to Cloud Account	TTP
AWS ECR Container Scanning Findings High	Malicious Image, User Execution	TTP
AWS ECR Container Scanning Findings Low Informational Unknown	Malicious Image, User Execution	Hunting
AWS ECR Container Scanning Findings Medium	Malicious Image, User Execution	Anomaly
AWS ECR Container Upload Outside Business Hours	Malicious Image, User Execution	Anomaly
AWS ECR Container Upload Unknown User	Malicious Image, User Execution	Anomaly
AWS EKS Kubernetes cluster sensitive object access	None	Hunting
AWS Excessive Security Scanning	Cloud Service Discovery	TTP
AWS Exfiltration via Anomalous GetObject API Activity	Automated Collection	Anomaly
AWS Exfiltration via Batch Service	Automated Collection	TTP
AWS Exfiltration via Bucket Replication	Transfer Data to Cloud Account	TTP
AWS Exfiltration via DataSync Task	Automated Collection	TTP
AWS Exfiltration via EC2 Snapshot	Transfer Data to Cloud Account	TTP
AWS High Number Of Failed Authentications For User	Password Policy Discovery	Anomaly
AWS High Number Of Failed Authentications From Ip	Brute Force, Password Spraying, Credential Stuffing	Anomaly
AWS IAM AccessDenied Discovery Events	Cloud Infrastructure Discovery	Anomaly
AWS IAM Assume Role Policy Brute Force	Cloud Infrastructure Discovery, Brute Force	TTP
AWS IAM Delete Policy	Account Manipulation	Hunting
AWS IAM Failure Group Deletion	Account Manipulation	Anomaly
AWS IAM Successful Group Deletion	Cloud Groups, Account Manipulation, Permission Groups Discovery	Hunting
AWS Lambda UpdateFunctionCode	User Execution	Hunting
AWS Multi-Factor Authentication Disabled	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication	TTP
AWS Multiple Failed MFA Requests For User	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	Anomaly
AWS Multiple Users Failing To Authenticate From Ip	Brute Force, Password Spraying, Credential Stuffing	Anomaly
AWS Network Access Control List Created with All Open Ports	Disable or Modify Cloud Firewall, Impair Defenses	TTP
AWS Network Access Control List Deleted	Disable or Modify Cloud Firewall, Impair Defenses	Anomaly
AWS New MFA Method Registered For User	Modify Authentication Process, Multi-Factor Authentication	TTP
AWS Password Policy Changes	Password Policy Discovery	Hunting
AWS S3 Exfiltration Behavior Identified	Transfer Data to Cloud Account	Correlation
AWS SAML Access by Provider User and Principal	Valid Accounts	Anomaly
AWS SAML Update identity provider	Valid Accounts	TTP
AWS SetDefaultPolicyVersion	Cloud Accounts, Valid Accounts	TTP
AWS Successful Console Authentication From Multiple IPs	Compromise Accounts, Unused/Unsupported Cloud Regions	Anomaly
AWS Successful Single-Factor Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
AWS Unusual Number of Failed Authentications From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
AWS UpdateLoginProfile	Cloud Account, Create Account	TTP
Abnormally High AWS Instances Launched by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Launched by User - MLTK	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User	Cloud Accounts	Anomaly
Abnormally High AWS Instances Terminated by User - MLTK	Cloud Accounts	Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Instances Destroyed	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Instances Launched	Cloud Accounts, Valid Accounts	Anomaly
Abnormally High Number Of Cloud Security Group API Calls	Cloud Accounts, Valid Accounts	Anomaly
Access LSASS Memory for Dump Creation	LSASS Memory, OS Credential Dumping	TTP
Account Discovery With Net App	Domain Account, Account Discovery	TTP
Active Directory Lateral Movement Identified	Exploitation of Remote Services	Correlation
Active Directory Privilege Escalation Identified	Domain Policy Modification	Correlation
Active Setup Registry Autostart	Active Setup, Boot or Logon Autostart Execution	TTP
Add DefaultUser And Password In Registry	Credentials in Registry, Unsecured Credentials	Anomaly
Add or Set Windows Defender Exclusion	Disable or Modify Tools, Impair Defenses	TTP
AdsiSearcher Account Discovery	Domain Account, Account Discovery	TTP
Allow File And Printing Sharing In Firewall	Disable or Modify Cloud Firewall, Impair Defenses	TTP
Allow Inbound Traffic By Firewall Rule Registry	Remote Desktop Protocol, Remote Services	TTP
Allow Inbound Traffic In Firewall Rule	Remote Desktop Protocol, Remote Services	TTP
Allow Network Discovery In Firewall	Disable or Modify Cloud Firewall, Impair Defenses	TTP
Allow Operation with Consent Admin	Abuse Elevation Control Mechanism	TTP
Amazon EKS Kubernetes Pod scan detection	Cloud Service Discovery	Hunting
Amazon EKS Kubernetes cluster scan detection	Cloud Service Discovery	Hunting
Anomalous usage of 7zip	Archive via Utility, Archive Collected Data	Anomaly
Anomalous usage of Archive Tools	Archive via Utility, Archive Collected Data	Anomaly
Any Powershell DownloadFile	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Any Powershell DownloadString	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Attacker Tools On Endpoint	Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning	TTP
Attempt To Add Certificate To Untrusted Store	Install Root Certificate, Subvert Trust Controls	TTP
Attempt To Delete Services	Service Stop, Create or Modify System Process, Windows Service	TTP
Attempt To Disable Services	Service Stop	TTP
Attempt To Stop Security Service	Disable or Modify Tools, Impair Defenses	TTP
Attempted Credential Dump From Registry via Reg exe	Security Account Manager, OS Credential Dumping	TTP
Attempted Credential Dump From Registry via Reg exe	OS Credential Dumping, Security Account Manager	TTP
Auto Admin Logon Registry Entry	Credentials in Registry, Unsecured Credentials	TTP
Azure AD Application Administrator Role Assigned	Account Manipulation, Additional Cloud Roles	TTP
Azure AD Authentication Failed During MFA Challenge	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
Azure AD Concurrent Sessions From Different Ips	Browser Session Hijacking	TTP
Azure AD External Guest User Invited	Cloud Account	TTP
Azure AD Global Administrator Role Assigned	Additional Cloud Roles	TTP
Azure AD High Number Of Failed Authentications For User	Brute Force, Password Guessing	TTP
Azure AD High Number Of Failed Authentications From Ip	Brute Force, Password Guessing, Password Spraying	TTP
Azure AD Multi-Factor Authentication Disabled	Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication	TTP
Azure AD Multiple Failed MFA Requests For User	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts	TTP
Azure AD Multiple Users Failing To Authenticate From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
Azure AD New Custom Domain Added	Domain Policy Modification, Domain Trust Modification	TTP
Azure AD New Federated Domain Added	Domain Policy Modification, Domain Trust Modification	TTP
Azure AD New MFA Method Registered For User	Modify Authentication Process, Multi-Factor Authentication	TTP
Azure AD PIM Role Assigned	Account Manipulation, Additional Cloud Roles	TTP
Azure AD PIM Role Assignment Activated	Account Manipulation, Additional Cloud Roles	TTP
Azure AD Privileged Authentication Administrator Role Assigned	Security Account Manager	TTP
Azure AD Privileged Role Assigned	Account Manipulation, Additional Cloud Roles	TTP
Azure AD Privileged Role Assigned to Service Principal	Account Manipulation, Additional Cloud Roles	TTP
Azure AD Service Principal Created	Cloud Account	TTP
Azure AD Service Principal New Client Credentials	Account Manipulation, Additional Cloud Credentials	TTP
Azure AD Service Principal Owner Added	Account Manipulation	TTP
Azure AD Successful Authentication From Different Ips	Brute Force, Password Guessing, Password Spraying	TTP
Azure AD Successful PowerShell Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
Azure AD Successful Single-Factor Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
Azure AD Unusual Number of Failed Authentications From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
Azure AD User Enabled And Password Reset	Account Manipulation	TTP
Azure AD User ImmutableId Attribute Updated	Account Manipulation	TTP
Azure Active Directory High Risk Sign-in	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying	TTP
Azure Automation Account Created	Create Account, Cloud Account	TTP
Azure Automation Runbook Created	Create Account, Cloud Account	TTP
Azure Runbook Webhook Created	Valid Accounts, Cloud Accounts	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
BCDEdit Failure Recovery Modification	Inhibit System Recovery	TTP
BITS Job Persistence	BITS Jobs	TTP
BITSAdmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
Batch File Write to System32	User Execution, Malicious File	TTP
Bcdedit Command Back To Normal Mode Boot	Inhibit System Recovery	TTP
CHCP Command Execution	Command and Scripting Interpreter	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
CMD Echo Pipe - Escalation	Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process	TTP
CMLUA Or CMSTPLUA UAC Bypass	System Binary Proxy Execution, CMSTP	TTP
CSC Net On The Fly Compilation	Compile After Delivery, Obfuscated Files or Information	Hunting
CertUtil Download With URLCache and Split Arguments	Ingress Tool Transfer	TTP
CertUtil Download With VerifyCtl and Split Arguments	Ingress Tool Transfer	TTP
CertUtil With Decode Argument	Deobfuscate/Decode Files or Information	TTP
Certutil exe certificate extraction	None	TTP
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Change To Safe Mode With Network Config	Inhibit System Recovery	TTP
Check Elevated CMD using whoami	System Owner/User Discovery	TTP
Child Processes of Spoolsv exe	Exploitation for Privilege Escalation	TTP
Circle CI Disable Security Job	Compromise Client Software Binary	Anomaly
Circle CI Disable Security Step	Compromise Client Software Binary	Anomaly
Clear Unallocated Sector Using Cipher App	File Deletion, Indicator Removal	TTP
Clear Unallocated Sector Using Cipher App	File Deletion, Indicator Removal	TTP
Clients Connecting to Multiple DNS Servers	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Clop Common Exec Parameter	User Execution	TTP
Clop Ransomware Known Service Name	Create or Modify System Process	TTP
Cloud API Calls From Previously Unseen User Roles	Valid Accounts	Anomaly
Cloud Compute Instance Created By Previously Unseen User	Cloud Accounts, Valid Accounts	Anomaly
Cloud Compute Instance Created In Previously Unused Region	Unused/Unsupported Cloud Regions	Anomaly
Cloud Compute Instance Created With Previously Unseen Image	None	Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type	None	Anomaly
Cloud Instance Modified By Previously Unseen User	Cloud Accounts, Valid Accounts	Anomaly
Cloud Network Access Control List Deleted	None	Anomaly
Cloud Provisioning Activity From Previously Unseen City	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen Country	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen IP Address	Valid Accounts	Anomaly
Cloud Provisioning Activity From Previously Unseen Region	Valid Accounts	Anomaly
Cmdline Tool Not Executed In CMD Shell	Command and Scripting Interpreter, JavaScript	TTP
Cobalt Strike Named Pipes	Process Injection	TTP
Common Ransomware Extensions	Data Destruction	Hunting
Common Ransomware Notes	Data Destruction	Hunting
Confluence Unauthenticated Remote Code Execution CVE-2022-26134	Server Software Component, Exploit Public-Facing Application	TTP
Conti Common Exec parameter	User Execution	TTP
Control Loading from World Writable Directory	System Binary Proxy Execution, Control Panel	TTP
Correlation by Repository and Risk	Malicious Image, User Execution	Correlation
Correlation by User and Risk	Malicious Image, User Execution	Correlation
Create Remote Thread In Shell Application	Process Injection	TTP
Create Remote Thread into LSASS	LSASS Memory, OS Credential Dumping	TTP
Create local admin accounts using net exe	Local Account, Create Account	TTP
Create or delete windows shares using net exe	Indicator Removal, Network Share Connection Removal	TTP
Creation of Shadow Copy	NTDS, OS Credential Dumping	TTP
Creation of Shadow Copy with wmic and powershell	NTDS, OS Credential Dumping	TTP
Creation of lsass Dump with Taskmgr	LSASS Memory, OS Credential Dumping	TTP
Credential Dumping via Copy Command from Shadow Copy	NTDS, OS Credential Dumping	TTP
Credential Dumping via Symlink to Shadow Copy	NTDS, OS Credential Dumping	TTP
Curl Download and Bash Execution	Ingress Tool Transfer	TTP
DLLHost with no Command Line Arguments with Network	Process Injection	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Exfiltration Using Nslookup App	Exfiltration Over Alternative Protocol	TTP
DNS Query Length Outliers - MLTK	DNS, Application Layer Protocol	Anomaly
DNS Query Length With High Standard Deviation	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
DNS Query Requests Resolved by Unauthorized DNS Servers	DNS	TTP
DNS record changed	DNS	TTP
DSQuery Domain Discovery	Domain Trust Discovery	TTP
Delete A Net User	Account Access Removal	Anomaly
Delete ShadowCopy With PowerShell	Inhibit System Recovery	TTP
Deleting Of Net Users	Account Access Removal	TTP
Deleting Shadow Copies	Inhibit System Recovery	TTP
Deny Permission using Cacls Utility	File and Directory Permissions Modification	TTP
Detect API activity from users without MFA	None	Hunting
Detect ARP Poisoning	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect AWS API Activities From Unapproved Accounts	Cloud Accounts	Hunting
Detect AWS Console Login by New User	Compromise Accounts, Cloud Accounts, Unsecured Credentials	Hunting
Detect AWS Console Login by User from New City	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Country	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect AWS Console Login by User from New Region	Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions	Hunting
Detect Activity Related to Pass the Hash Attacks	Use Alternate Authentication Material, Pass the Hash	Hunting
Detect AzureHound Command-Line Arguments	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect AzureHound File Modifications	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect Baron Samedit CVE-2021-3156	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 Segfault	Exploitation for Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery	Exploitation for Privilege Escalation	TTP
Detect Computer Changed with Anonymous Account	Exploitation of Remote Services	Hunting
Detect Copy of ShadowCopy with Script Block Logging	Security Account Manager, OS Credential Dumping	TTP
Detect Credential Dumping through LSASS access	LSASS Memory, OS Credential Dumping	TTP
Detect DGA domains using pretrained model in DSDL	Domain Generation Algorithms	Anomaly
Detect DNS requests to Phishing Sites leveraging EvilGinx2	Spearphishing via Service	TTP
Detect Empire with PowerShell Script Block Logging	Command and Scripting Interpreter, PowerShell	TTP
Detect Excessive Account Lockouts From Endpoint	Valid Accounts, Domain Accounts	Anomaly
Detect Excessive User Account Lockouts	Valid Accounts, Local Accounts	Anomaly
Detect Exchange Web Shell	Server Software Component, Web Shell, Exploit Public-Facing Application	TTP
Detect F5 TMUI RCE CVE-2020-5902	Exploit Public-Facing Application	TTP
Detect GCP Storage access from a new IP	Data from Cloud Storage	Anomaly
Detect HTML Help Renamed	System Binary Proxy Execution, Compiled HTML File	Hunting
Detect HTML Help Spawn Child Process	System Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help URL in Command Line	System Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help Using InfoTech Storage Handlers	System Binary Proxy Execution, Compiled HTML File	TTP
Detect IPv6 Network Infrastructure Threats	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Large Outbound ICMP Packets	Non-Application Layer Protocol	TTP
Detect Long DNS TXT Record Response	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Detect MSHTA Url in Command Line	System Binary Proxy Execution, Mshta	TTP
Detect Mimikatz Using Loaded Images	LSASS Memory, OS Credential Dumping	TTP
Detect Mimikatz Via PowerShell And EventCode 4703	LSASS Memory	TTP
Detect Mimikatz With PowerShell Script Block Logging	OS Credential Dumping, PowerShell	TTP
Detect New Local Admin account	Local Account, Create Account	TTP
Detect New Login Attempts to Routers	None	TTP
Detect New Open GCP Storage Buckets	Data from Cloud Storage	TTP
Detect New Open S3 Buckets over AWS CLI	Data from Cloud Storage	TTP
Detect New Open S3 buckets	Data from Cloud Storage	TTP
Detect Outbound LDAP Traffic	Exploit Public-Facing Application, Command and Scripting Interpreter	Hunting
Detect Outbound SMB Traffic	File Transfer Protocols, Application Layer Protocol	TTP
Detect Outlook exe writing a zip file	Phishing, Spearphishing Attachment	TTP
Detect Path Interception By Creation Of program exe	Path Interception by Unquoted Path, Hijack Execution Flow	TTP
Detect Port Security Violation	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning	TTP
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter, Windows Command Shell	Hunting
Detect Prohibited Applications Spawning cmd exe	Command and Scripting Interpreter	Anomaly
Detect PsExec With accepteula Flag	Remote Services, SMB/Windows Admin Shares	TTP
Detect RClone Command-Line Usage	Automated Exfiltration	TTP
Detect RClone Command-Line Usage	Automated Exfiltration	TTP
Detect Rare Executables	None	Anomaly
Detect Regasm Spawning a Process	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with Network Connection	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with no Command Line Arguments	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs Spawning a Process	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with Network Connection	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with No Command Line Arguments	System Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvr32 Application Control Bypass	System Binary Proxy Execution, Regsvr32	TTP
Detect Renamed 7-Zip	Archive via Utility, Archive Collected Data	Hunting
Detect Renamed PSExec	System Services, Service Execution	Hunting
Detect Renamed RClone	Automated Exfiltration	Hunting
Detect Renamed WinRAR	Archive via Utility, Archive Collected Data	Hunting
Detect Risky SPL using Pretrained ML Model	Command and Scripting Interpreter	Anomaly
Detect Rogue DHCP Server	Hardware Additions, Network Denial of Service, Adversary-in-the-Middle	TTP
Detect Rundll32 Application Control Bypass - advpack	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - setupapi	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - syssetup	System Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP
Detect S3 access from a new IP	Data from Cloud Storage	Anomaly
Detect SNICat SNI Exfiltration	Exfiltration Over C2 Channel	TTP
Detect SharpHound Command-Line Arguments	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect SharpHound File Modifications	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect SharpHound Usage	Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery	TTP
Detect Software Download To Network Device	TFTP Boot, Pre-OS Boot	TTP
Detect Spike in AWS API Activity	Cloud Accounts	Anomaly
Detect Spike in AWS Security Hub Alerts for EC2 Instance	None	Anomaly
Detect Spike in AWS Security Hub Alerts for User	None	Anomaly
Detect Spike in Network ACL Activity	Disable or Modify Cloud Firewall	Anomaly
Detect Spike in S3 Bucket deletion	Data from Cloud Storage	Anomaly
Detect Spike in Security Group Activity	Cloud Accounts	Anomaly
Detect Spike in blocked Outbound Traffic from your AWS	None	Anomaly
Detect Traffic Mirroring	Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication	TTP
Detect USB device insertion	None	TTP
Detect Unauthorized Assets by MAC address	None	TTP
Detect Use of cmd exe to Launch Script Interpreters	Command and Scripting Interpreter, Windows Command Shell	TTP
Detect WMI Event Subscription Persistence	Windows Management Instrumentation Event Subscription, Event Triggered Execution	TTP
Detect Windows DNS SIGRed via Splunk Stream	Exploitation for Client Execution	TTP
Detect Windows DNS SIGRed via Zeek	Exploitation for Client Execution	TTP
Detect Zerologon via Zeek	Exploit Public-Facing Application	TTP
Detect attackers scanning for vulnerable JBoss servers	System Information Discovery	TTP
Detect hosts connecting to dynamic domain providers	Drive-by Compromise	TTP
Detect malicious requests to exploit JBoss servers	None	TTP
Detect mshta inline hta execution	System Binary Proxy Execution, Mshta	TTP
Detect mshta renamed	System Binary Proxy Execution, Mshta	Hunting
Detect new API calls from user roles	Cloud Accounts	Anomaly
Detect new user AWS Console Login	Cloud Accounts	Hunting
Detect processes used for System Network Configuration Discovery	System Network Configuration Discovery	TTP
Detect suspicious DNS TXT records using pretrained model in DSDL	Domain Generation Algorithms	Anomaly
Detect suspicious processnames using pretrained model in DSDL	Command and Scripting Interpreter	Anomaly
Detect web traffic to dynamic domain providers	Web Protocols	TTP
Detection of DNS Tunnels	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Detection of tools built by NirSoft	Software Deployment Tools	TTP
Disable AMSI Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender AntiVirus Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender BlockAtFirstSeen Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Enhanced Notification	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender MpEngine Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Spynet Reporting	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Submit Samples Consent Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable ETW Through Registry	Disable or Modify Tools, Impair Defenses	TTP
Disable Logs Using WevtUtil	Indicator Removal, Clear Windows Event Logs	TTP
Disable Net User Account	Service Stop, Valid Accounts	TTP
Disable Registry Tool	Disable or Modify Tools, Impair Defenses	TTP
Disable Schedule Task	Disable or Modify Tools, Impair Defenses	TTP
Disable Security Logs Using MiniNt Registry	Modify Registry	TTP
Disable Show Hidden Files	Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses	TTP
Disable UAC Remote Restriction	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disable Windows App Hotkeys	Disable or Modify Tools, Impair Defenses	TTP
Disable Windows Behavior Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Disable Windows SmartScreen Protection	Disable or Modify Tools, Impair Defenses	TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Disabling CMD Application	Disable or Modify Tools, Impair Defenses	TTP
Disabling ControlPanel	Disable or Modify Tools, Impair Defenses	TTP
Disabling Defender Services	Disable or Modify Tools, Impair Defenses	TTP
Disabling Firewall with Netsh	Disable or Modify Tools, Impair Defenses	Anomaly
Disabling FolderOptions Windows Feature	Disable or Modify Tools, Impair Defenses	TTP
Disabling Net User Account	Account Access Removal	TTP
Disabling NoRun Windows App	Disable or Modify Tools, Impair Defenses	TTP
Disabling Remote User Account Control	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Disabling SystemRestore In Registry	Inhibit System Recovery	TTP
Disabling Task Manager	Disable or Modify Tools, Impair Defenses	TTP
Disabling Windows Local Security Authority Defences via Registry	Modify Authentication Process	TTP
Domain Account Discovery With Net App	Domain Account, Account Discovery	TTP
Domain Account Discovery with Dsquery	Domain Account, Account Discovery	Hunting
Domain Account Discovery with Wmic	Domain Account, Account Discovery	TTP
Domain Controller Discovery with Nltest	Remote System Discovery	TTP
Domain Controller Discovery with Wmic	Remote System Discovery	Hunting
Domain Group Discovery With Dsquery	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery With Net	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery With Wmic	Permission Groups Discovery, Domain Groups	Hunting
Domain Group Discovery with Adsisearcher	Permission Groups Discovery, Domain Groups	TTP
Download Files Using Telegram	Ingress Tool Transfer	TTP
Drop IcedID License dat	User Execution, Malicious File	Hunting
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump	LSASS Memory, OS Credential Dumping	TTP
Dump LSASS via procdump Rename	LSASS Memory	Hunting
EC2 Instance Modified With Previously Unseen User	Cloud Accounts	Anomaly
EC2 Instance Started In Previously Unseen Region	Unused/Unsupported Cloud Regions	Anomaly
EC2 Instance Started With Previously Unseen AMI	None	Anomaly
EC2 Instance Started With Previously Unseen Instance Type	None	Anomaly
EC2 Instance Started With Previously Unseen User	Cloud Accounts	Anomaly
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Elevated Group Discovery With Net	Permission Groups Discovery, Domain Groups	TTP
Elevated Group Discovery With Wmic	Permission Groups Discovery, Domain Groups	TTP
Elevated Group Discovery with PowerView	Permission Groups Discovery, Domain Groups	Hunting
Email Attachments With Lots Of Spaces	None	Anomaly
Email files written outside of the Outlook directory	Email Collection, Local Email Collection	TTP
Email servers sending high volume traffic to hosts	Email Collection, Remote Email Collection	Anomaly
Enable RDP In Other Port Number	Remote Services	TTP
Enable WDigest UseLogonCredential Registry	Modify Registry, OS Credential Dumping	TTP
Enumerate Users Local Group Using Telegram	Account Discovery	TTP
Esentutl SAM Copy	Security Account Manager, OS Credential Dumping	Hunting
Eventvwr UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Excel Spawning PowerShell	Security Account Manager, OS Credential Dumping	TTP
Excel Spawning Windows Script Host	Security Account Manager, OS Credential Dumping	TTP
Excessive Attempt To Disable Services	Service Stop	Anomaly
Excessive DNS Failures	DNS, Application Layer Protocol	Anomaly
Excessive File Deletion In WinDefender Folder	Data Destruction	TTP
Excessive Service Stop Attempt	Service Stop	Anomaly
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Excessive Usage Of Net App	Account Access Removal	Anomaly
Excessive Usage Of SC Service Utility	System Services, Service Execution	Anomaly
Excessive Usage Of Taskkill	Disable or Modify Tools, Impair Defenses	Anomaly
Excessive Usage of NSLOOKUP App	Exfiltration Over Alternative Protocol	Anomaly
Excessive distinct processes from Windows Temp	Command and Scripting Interpreter	Anomaly
Excessive number of service control start as disabled	Disable or Modify Tools, Impair Defenses	Anomaly
Excessive number of taskhost processes	Command and Scripting Interpreter	Anomaly
Exchange PowerShell Abuse via SSRF	Exploit Public-Facing Application	TTP
Exchange PowerShell Module Usage	Command and Scripting Interpreter, PowerShell	TTP
Executable File Written in Administrative SMB Share	Remote Services, SMB/Windows Admin Shares	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Execute Javascript With Jscript COM CLSID	Command and Scripting Interpreter, Visual Basic	TTP
Execution of File With Spaces Before Extension	Rename System Utilities	TTP
Execution of File with Multiple Extensions	Masquerading, Rename System Utilities	TTP
Exploit Public Facing Application via Apache Commons Text	Web Shell, Server Software Component, Exploit Public-Facing Application	Anomaly
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952	Exploit Public-Facing Application	TTP
Extended Period Without Successful Netbackup Backups	None	Hunting
Extraction of Registry Hives	Security Account Manager, OS Credential Dumping	TTP
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Exploit Public-Facing Application	TTP
File with Samsam Extension	None	TTP
Firewall Allowed Program Enable	Disable or Modify System Firewall, Impair Defenses	Anomaly
First Time Seen Child Process of Zoom	Exploitation for Privilege Escalation	Anomaly
First Time Seen Running Windows Service	System Services, Service Execution	Anomaly
First time seen command line argument	PowerShell, Windows Command Shell	Hunting
FodHelper UAC Bypass	Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Fortinet Appliance Auth bypass	Exploit Public-Facing Application	TTP
Fsutil Zeroing File	Indicator Removal	TTP
Fsutil Zeroing File	Indicator Removal	TTP
GCP Authentication Failed During MFA Challenge	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
GCP Detect accounts with high risk roles by project	Valid Accounts	Hunting
GCP Detect gcploit framework	Valid Accounts	TTP
GCP Detect high risk permissions by resource and account	Valid Accounts	Hunting
GCP Kubernetes cluster pod scan detection	Cloud Service Discovery	Hunting
GCP Kubernetes cluster scan detection	Cloud Service Discovery	TTP
GCP Multi-Factor Authentication Disabled	Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication	TTP
GCP Multiple Failed MFA Requests For User	Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts	TTP
GCP Multiple Users Failing To Authenticate From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
GCP Successful Single-Factor Authentication	Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts	TTP
GCP Unusual Number of Failed Authentications From Ip	Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing	Anomaly
GPUpdate with no Command Line Arguments with Network	Process Injection	TTP
GSuite Email Suspicious Attachment	Spearphishing Attachment, Phishing	Anomaly
Gdrive suspicious file sharing	Phishing	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell	Password Policy Discovery	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	Password Policy Discovery	Hunting
Get ADUser with PowerShell	Domain Account, Account Discovery	Hunting
Get ADUser with PowerShell Script Block	Domain Account, Account Discovery	Hunting
Get ADUserResultantPasswordPolicy with Powershell	Password Policy Discovery	TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block	Password Policy Discovery	TTP
Get DomainPolicy with Powershell	Password Policy Discovery	TTP
Get DomainPolicy with Powershell Script Block	Password Policy Discovery	TTP
Get DomainUser with PowerShell	Domain Account, Account Discovery	TTP
Get DomainUser with PowerShell Script Block	Domain Account, Account Discovery	TTP
Get WMIObject Group Discovery	Permission Groups Discovery, Local Groups	Hunting
Get WMIObject Group Discovery with Script Block Logging	Permission Groups Discovery, Local Groups	Hunting
Get-DomainTrust with PowerShell	Domain Trust Discovery	TTP
Get-DomainTrust with PowerShell Script Block	Domain Trust Discovery	TTP
Get-ForestTrust with PowerShell	Domain Trust Discovery	TTP
Get-ForestTrust with PowerShell Script Block	Domain Trust Discovery, PowerShell	TTP
GetAdComputer with PowerShell	Remote System Discovery	Hunting
GetAdComputer with PowerShell Script Block	Remote System Discovery	Hunting
GetAdGroup with PowerShell	Permission Groups Discovery, Domain Groups	Hunting
GetAdGroup with PowerShell Script Block	Permission Groups Discovery, Domain Groups	Hunting
GetCurrent User with PowerShell	System Owner/User Discovery	Hunting
GetCurrent User with PowerShell Script Block	System Owner/User Discovery	Hunting
GetDomainComputer with PowerShell	Remote System Discovery	TTP
GetDomainComputer with PowerShell Script Block	Remote System Discovery	TTP
GetDomainController with PowerShell	Remote System Discovery	Hunting
GetDomainController with PowerShell Script Block	Remote System Discovery	TTP
GetDomainGroup with PowerShell	Permission Groups Discovery, Domain Groups	TTP
GetDomainGroup with PowerShell Script Block	Permission Groups Discovery, Domain Groups	TTP
GetLocalUser with PowerShell	Account Discovery, Local Account	Hunting
GetLocalUser with PowerShell Script Block	Account Discovery, Local Account, PowerShell	Hunting
GetNetTcpconnection with PowerShell	System Network Connections Discovery	Hunting
GetNetTcpconnection with PowerShell Script Block	System Network Connections Discovery	Hunting
GetWmiObject DS User with PowerShell	Domain Account, Account Discovery	TTP
GetWmiObject DS User with PowerShell Script Block	Domain Account, Account Discovery	TTP
GetWmiObject Ds Computer with PowerShell	Remote System Discovery	TTP
GetWmiObject Ds Computer with PowerShell Script Block	Remote System Discovery	TTP
GetWmiObject Ds Group with PowerShell	Permission Groups Discovery, Domain Groups	TTP
GetWmiObject Ds Group with PowerShell Script Block	Permission Groups Discovery, Domain Groups	TTP
GetWmiObject User Account with PowerShell	Account Discovery, Local Account	Hunting
GetWmiObject User Account with PowerShell Script Block	Account Discovery, Local Account, PowerShell	Hunting
GitHub Actions Disable Security Workflow	Compromise Software Supply Chain, Supply Chain Compromise	Anomaly
GitHub Dependabot Alert	Compromise Software Dependencies and Development Tools, Supply Chain Compromise	Anomaly
GitHub Pull Request from Unknown User	Compromise Software Dependencies and Development Tools, Supply Chain Compromise	Anomaly
Github Commit Changes In Master	Trusted Relationship	Anomaly
Github Commit In Develop	Trusted Relationship	Anomaly
Grant Permission Using Cacls Utility	File and Directory Permissions Modification	TTP
Gsuite Drive Share In External Email	Exfiltration to Cloud Storage, Exfiltration Over Web Service	Anomaly
Gsuite Email Suspicious Subject With Attachment	Spearphishing Attachment, Phishing	Anomaly
Gsuite Email With Known Abuse Web Service Link	Spearphishing Attachment, Phishing	Anomaly
Gsuite Outbound Email With Attachment To External Domain	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
Gsuite Suspicious Shared File Name	Spearphishing Attachment, Phishing	Anomaly
Gsuite suspicious calendar invite	Phishing	Hunting
Hide User Account From Sign-In Screen	Disable or Modify Tools, Impair Defenses	TTP
Hiding Files And Directories With Attrib exe	File and Directory Permissions Modification, Windows File and Directory Permissions Modification	TTP
Hiding Files And Directories With Attrib exe	Windows File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
High Frequency Copy Of Files In Network Share	Transfer Data to Cloud Account	Anomaly
High Number of Login Failures from a single source	Password Guessing, Brute Force	Anomaly
High Process Termination Frequency	Data Encrypted for Impact	Anomaly
Hosts receiving high volume of network traffic from email server	Remote Email Collection, Email Collection	Anomaly
Hunting 3CXDesktopApp Software	Compromise Software Supply Chain	Hunting
Hunting for Log4Shell	Exploit Public-Facing Application	Hunting
ICACLS Grant Command	File and Directory Permissions Modification	TTP
Icacls Deny Command	File and Directory Permissions Modification	TTP
IcedID Exfiltrated Archived File Creation	Archive via Utility, Archive Collected Data	Hunting
Identify New User Accounts	Domain Accounts	Hunting
Impacket Lateral Movement Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement WMIExec Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement smbexec CommandLine Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Interactive Session on Remote Endpoint with PowerShell	Remote Services, Windows Remote Management	TTP
Java Class File download by Java User Agent	Exploit Public-Facing Application	TTP
Java Writing JSP File	Exploit Public-Facing Application	TTP
Jscript Execution Using Cscript App	Command and Scripting Interpreter, JavaScript	TTP
Kerberoasting spn request with RC4 encryption	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Kerberos Service Ticket Request Using RC4 Encryption	Steal or Forge Kerberos Tickets, Golden Ticket	TTP
Kerberos TGT Request Using RC4 Encryption	Use Alternate Authentication Material	TTP
Kerberos User Enumeration	Gather Victim Identity Information, Email Addresses	Anomaly
Known Services Killed by Ransomware	Inhibit System Recovery	TTP
Kubernetes AWS detect RBAC authorization by account	None	Hunting
Kubernetes AWS detect most active service accounts by pod	None	Hunting
Kubernetes AWS detect sensitive role access	None	Hunting
Kubernetes AWS detect service accounts forbidden failure access	None	Hunting
Kubernetes AWS detect suspicious kubectl calls	None	Hunting
Kubernetes Azure active service accounts by pod namespace	None	Hunting
Kubernetes Azure detect RBAC authorization by account	None	Hunting
Kubernetes Azure detect sensitive object access	None	Hunting
Kubernetes Azure detect sensitive role access	None	Hunting
Kubernetes Azure detect service accounts forbidden failure access	None	Hunting
Kubernetes Azure detect suspicious kubectl calls	None	Hunting
Kubernetes Azure pod scan fingerprint	None	Hunting
Kubernetes Azure scan fingerprint	Cloud Service Discovery	Hunting
Kubernetes GCP detect RBAC authorizations by account	None	Hunting
Kubernetes GCP detect most active service accounts by pod	None	Hunting
Kubernetes GCP detect sensitive object access	None	Hunting
Kubernetes GCP detect sensitive role access	None	Hunting
Kubernetes GCP detect service accounts forbidden failure access	None	Hunting
Kubernetes GCP detect suspicious kubectl calls	None	Hunting
Kubernetes Nginx Ingress LFI	Exploitation for Credential Access	TTP
Kubernetes Nginx Ingress RFI	Exploitation for Credential Access	TTP
Kubernetes Scanner Image Pulling	Cloud Service Discovery	TTP
LOLBAS With Network Traffic	Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution	TTP
Large Volume of DNS ANY Queries	Network Denial of Service, Reflection Amplification	Anomaly
Linux APT Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux AWK Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Account Manipulation Of SSH Config and Keys	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Add Files In Known Crontab Directories	Cron, Scheduled Task/Job	Anomaly
Linux Add User Account	Local Account, Create Account	Hunting
Linux Adding Crontab Using List Parameter	Cron, Scheduled Task/Job	Hunting
Linux At Allow Config File Creation	Cron, Scheduled Task/Job	Anomaly
Linux At Application Execution	At, Scheduled Task/Job	Anomaly
Linux Busybox Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Change File Owner To Root	Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification	Anomaly
Linux Clipboard Data Copy	Clipboard Data	Anomaly
Linux Common Process For Elevation Control	Setuid and Setgid, Abuse Elevation Control Mechanism	Hunting
Linux Composer Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Cpulimit Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Csvtool Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Curl Upload File	Ingress Tool Transfer	TTP
Linux DD File Overwrite	Data Destruction	TTP
Linux Data Destruction Command	Data Destruction	TTP
Linux Decode Base64 to Shell	Obfuscated Files or Information, Unix Shell	TTP
Linux Deleting Critical Directory Using RM Command	Data Destruction	TTP
Linux Deletion Of Cron Jobs	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Deletion Of Init Daemon Script	Data Destruction, File Deletion, Indicator Removal	TTP
Linux Deletion Of Services	Data Destruction, File Deletion, Indicator Removal	TTP
Linux Deletion of SSL Certificate	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Disable Services	Service Stop	TTP
Linux Doas Conf File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Doas Tool Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Docker Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Edit Cron Table Parameter	Cron, Scheduled Task/Job	Hunting
Linux Emacs Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux File Created In Kernel Driver Directory	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux File Creation In Init Boot Directory	RC Scripts, Boot or Logon Initialization Scripts	Anomaly
Linux File Creation In Profile Directory	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Find Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GDB Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux GNU Awk Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Gem Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Hardware Addition SwapOff	Hardware Additions	Anomaly
Linux High Frequency Of File Deletion In Boot Folder	Data Destruction, File Deletion, Indicator Removal	TTP
Linux High Frequency Of File Deletion In Etc Folder	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Impair Defenses Process Kill	Disable or Modify Tools, Impair Defenses	Hunting
Linux Indicator Removal Clear Cache	Indicator Removal	TTP
Linux Indicator Removal Service File Deletion	File Deletion, Indicator Removal	Anomaly
Linux Ingress Tool Transfer Hunting	Ingress Tool Transfer	Hunting
Linux Ingress Tool Transfer with Curl	Ingress Tool Transfer	Anomaly
Linux Insert Kernel Module Using Insmod Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Install Kernel Module Using Modprobe Utility	Kernel Modules and Extensions, Boot or Logon Autostart Execution	Anomaly
Linux Iptables Firewall Modification	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Java Spawning Shell	Exploit Public-Facing Application	TTP
Linux Kernel Module Enumeration	System Information Discovery, Rootkit	Anomaly
Linux Kworker Process In Writable Process Path	Masquerade Task or Service, Masquerading	Hunting
Linux Make Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux MySQL Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux NOPASSWD Entry In Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Ngrok Reverse Proxy Usage	Protocol Tunneling, Proxy, Web Service	Anomaly
Linux Node Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Obfuscated Files or Information Base64 Decode	Obfuscated Files or Information	Anomaly
Linux Octave Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux OpenVPN Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux PHP Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Persistence and Privilege Escalation Risk Behavior	Abuse Elevation Control Mechanism	Correlation
Linux Possible Access Or Modification Of sshd Config File	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Possible Access To Credential Files	/etc/passwd and /etc/shadow, OS Credential Dumping	Anomaly
Linux Possible Access To Sudoers File	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Possible Append Command To At Allow Config File	At, Scheduled Task/Job	Anomaly
Linux Possible Append Command To Profile Config File	Unix Shell Configuration Modification, Event Triggered Execution	Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File	Cron, Scheduled Task/Job	Hunting
Linux Possible Cronjob Modification With Editor	Cron, Scheduled Task/Job	Hunting
Linux Possible Ssh Key File Creation	SSH Authorized Keys, Account Manipulation	Anomaly
Linux Preload Hijack Library Calls	Dynamic Linker Hijacking, Hijack Execution Flow	TTP
Linux Proxy Socks Curl	Proxy, Non-Application Layer Protocol	TTP
Linux Puppet Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux RPM Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Ruby Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux SSH Authorized Keys Modification	SSH Authorized Keys	Anomaly
Linux SSH Remote Services Script Execute	SSH	TTP
Linux Service File Created In Systemd Directory	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Service Started Or Enabled	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Setuid Using Chmod Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Setuid Using Setcap Utility	Setuid and Setgid, Abuse Elevation Control Mechanism	Anomaly
Linux Shred Overwrite Command	Data Destruction	TTP
Linux Sqlite3 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux Stdout Redirection To Dev Null File	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Stop Services	Service Stop	TTP
Linux Sudo OR Su Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Hunting
Linux Sudoers Tmp File Creation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux System Network Discovery	System Network Configuration Discovery	Anomaly
Linux System Reboot Via System Request Key	System Shutdown/Reboot	TTP
Linux Unix Shell Enable All SysRq Functions	Unix Shell, Command and Scripting Interpreter	Anomaly
Linux Visudo Utility Execution	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux apt-get Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c89 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux c99 Privilege Escalation	Sudo and Sudo Caching, Abuse Elevation Control Mechanism	Anomaly
Linux pkexec Privilege Escalation	Exploitation for Privilege Escalation	TTP
Living Off The Land	Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter	Correlation
Loading Of Dynwrapx Module	Process Injection, Dynamic-link Library Injection	TTP
Local Account Discovery With Wmic	Account Discovery, Local Account	Hunting
Local Account Discovery with Net	Account Discovery, Local Account	Hunting
Log4Shell CVE-2021-44228 Exploitation	Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter	Correlation
Log4Shell JNDI Payload Injection Attempt	Exploit Public-Facing Application	Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection	Exploit Public-Facing Application	Anomaly
Logon Script Event Trigger Execution	Boot or Logon Initialization Scripts, Logon Script (Windows)	TTP
MS Exchange Mailbox Replication service writing Active Server Pages	Server Software Component, Web Shell, Exploit Public-Facing Application	TTP
MS Scripting Process Loading Ldap Module	Command and Scripting Interpreter, JavaScript	Anomaly
MS Scripting Process Loading WMI Module	Command and Scripting Interpreter, JavaScript	Anomaly
MSBuild Suspicious Spawned By Script Process	MSBuild, Trusted Developer Utilities Proxy Execution	TTP
MSHTML Module Load in Office Product	Phishing, Spearphishing Attachment	TTP
MSI Module Loaded by Non-System Binary	DLL Side-Loading, Hijack Execution Flow	Hunting
MacOS - Re-opened Applications	None	TTP
MacOS LOLbin	Unix Shell, Command and Scripting Interpreter	TTP
MacOS plutil	Plist File Modification	TTP
Mailsniper Invoke functions	Email Collection, Local Email Collection	TTP
Malicious InProcServer32 Modification	Regsvr32, Modify Registry	TTP
Malicious PowerShell Process - Encoded Command	Obfuscated Files or Information	Hunting
Malicious PowerShell Process - Execution Policy Bypass	Command and Scripting Interpreter, PowerShell	TTP
Malicious PowerShell Process With Obfuscation Techniques	Command and Scripting Interpreter, PowerShell	TTP
Malicious Powershell Executed As A Service	System Services, Service Execution	TTP
Mimikatz PassTheTicket CommandLine Parameters	Use Alternate Authentication Material, Pass the Ticket	TTP
Mmc LOLBAS Execution Process Spawn	Remote Services, Distributed Component Object Model, MMC	TTP
Modification Of Wallpaper	Defacement	TTP
Modify ACL permission To Files Or Folder	File and Directory Permissions Modification	Anomaly
Modify ACLs Permission Of Files Or Folders	File and Directory Permissions Modification	Anomaly
Monitor DNS For Brand Abuse	None	TTP
Monitor Email For Brand Abuse	None	TTP
Monitor Registry Keys for Print Monitors	Port Monitors, Boot or Logon Autostart Execution	TTP
Monitor Web Traffic For Brand Abuse	None	TTP
Mshta spawning Rundll32 OR Regsvr32 Process	System Binary Proxy Execution, Mshta	TTP
Msmpeng Application DLL Side Loading	DLL Side-Loading, Hijack Execution Flow	TTP
Multiple Archive Files Http Post Traffic	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
Multiple Okta Users With Invalid Credentials From The Same IP	Valid Accounts, Default Accounts	Hunting
NET Profiler UAC bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
NLTest Domain Trust Discovery	Domain Trust Discovery	TTP
Net Localgroup Discovery	Permission Groups Discovery, Local Groups	Hunting
Network Connection Discovery With Arp	System Network Connections Discovery	Hunting
Network Connection Discovery With Net	System Network Connections Discovery	Hunting
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Network Discovery Using Route Windows App	System Network Configuration Discovery, Internet Connection Discovery	Hunting
Network Share Discovery Via Dir Command	Network Share Discovery	Hunting
Ngrok Reverse Proxy on Network	Protocol Tunneling, Proxy, Web Service	Anomaly
Nishang PowershellTCPOneLine	Command and Scripting Interpreter, PowerShell	TTP
No Windows Updates in a time frame	None	Hunting
Non Chrome Process Accessing Chrome Default Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Notepad with no Command Line Arguments	Process Injection	TTP
Ntdsutil Export NTDS	NTDS, OS Credential Dumping	TTP
O365 Add App Role Assignment Grant User	Cloud Account, Create Account	TTP
O365 Added Service Principal	Cloud Account, Create Account	TTP
O365 Bypass MFA via Trusted IP	Disable or Modify Cloud Firewall, Impair Defenses	TTP
O365 Disable MFA	Modify Authentication Process	TTP
O365 Excessive Authentication Failures Alert	Brute Force	Anomaly
O365 Excessive SSO logon errors	Modify Authentication Process	Anomaly
O365 New Federated Domain Added	Cloud Account, Create Account	TTP
O365 PST export alert	Email Collection	TTP
O365 Suspicious Admin Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
O365 Suspicious Rights Delegation	Remote Email Collection, Email Collection	TTP
O365 Suspicious User Email Forwarding	Email Forwarding Rule, Email Collection	Anomaly
Office Application Drop Executable	Phishing, Spearphishing Attachment	TTP
Office Application Spawn Regsvr32 process	Phishing, Spearphishing Attachment	TTP
Office Application Spawn rundll32 process	Phishing, Spearphishing Attachment	TTP
Office Document Creating Schedule Task	Phishing, Spearphishing Attachment	TTP
Office Document Executing Macro Code	Phishing, Spearphishing Attachment	TTP
Office Document Spawned Child Process To Download	Phishing, Spearphishing Attachment	TTP
Office Product Spawn CMD Process	Phishing, Spearphishing Attachment	TTP
Office Product Spawning BITSAdmin	Phishing, Spearphishing Attachment	TTP
Office Product Spawning CertUtil	Phishing, Spearphishing Attachment	TTP
Office Product Spawning MSHTA	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Rundll32 with no DLL	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Windows Script Host	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Windows Script Host	Phishing, Spearphishing Attachment	TTP
Office Product Spawning Wmic	Phishing, Spearphishing Attachment	TTP
Office Product Writing cab or inf	Phishing, Spearphishing Attachment	TTP
Office Spawning Control	Phishing, Spearphishing Attachment	TTP
Okta Account Locked Out	Brute Force	Anomaly
Okta Account Lockout Events	Valid Accounts, Default Accounts	Anomaly
Okta Failed SSO Attempts	Valid Accounts, Default Accounts	Anomaly
Okta MFA Exhaustion Hunt	Brute Force	Hunting
Okta Mismatch Between Source and Response for Verify Push Request	Multi-Factor Authentication Request Generation	TTP
Okta Multiple Failed Requests to Access Applications	Web Session Cookie, Cloud Service Dashboard	Hunting
Okta New API Token Created	Valid Accounts, Default Accounts	TTP
Okta New Device Enrolled on Account	Valid Accounts, Default Accounts	Anomaly
Okta Phishing Detection with FastPass Origin Check	Valid Accounts, Default Accounts, Modify Authentication Process	TTP
Okta Risk Threshold Exceeded	Valid Accounts, Brute Force	Correlation
Okta Suspicious Activity Reported	Valid Accounts, Default Accounts	TTP
Okta Suspicious Use of a Session Cookie	Steal Web Session Cookie	Hunting
Okta ThreatInsight Login Failure with High Unknown users	Valid Accounts, Default Accounts, Credential Stuffing	TTP
Okta ThreatInsight Suspected PasswordSpray Attack	Valid Accounts, Default Accounts, Password Spraying	TTP
Okta ThreatInsight Threat Detected	Valid Accounts, Default Accounts	Anomaly
Okta Two or More Rejected Okta Pushes	Brute Force	TTP
Okta User Logins From Multiple Cities	Valid Accounts, Default Accounts	Anomaly
Open Redirect in Splunk Web	None	TTP
Osquery pack - ColdRoot detection	None	TTP
Outbound Network Connection from Java Using Default Ports	Exploit Public-Facing Application	TTP
Overwriting Accessibility Binaries	Event Triggered Execution, Accessibility Features	TTP
PaperCut NG Remote Web Access Attempt	Exploit Public-Facing Application	TTP
PaperCut NG Suspicious Behavior Debug Log	Exploit Public-Facing Application	Hunting
Password Policy Discovery with Net	Password Policy Discovery	Hunting
Path traversal SPL injection	File and Directory Discovery	TTP
Permission Modification using Takeown App	File and Directory Permissions Modification	TTP
Persistent XSS in RapidDiag through User Interface Views	Drive-by Compromise	TTP
PetitPotam Network Share Access Request	Forced Authentication	TTP
PetitPotam Suspicious Kerberos TGT Request	OS Credential Dumping	TTP
Ping Sleep Batch Command	Virtualization/Sandbox Evasion, Time Based Evasion	Anomaly
Plain HTTP POST Exfiltrated Data	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	TTP
Possible Browser Pass View Parameter	Credentials from Web Browsers, Credentials from Password Stores	Hunting
Possible Lateral Movement PowerShell Spawn	Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC	TTP
Potential password in username	Local Accounts, Credentials In Files	Hunting
Potentially malicious code on commandline	Windows Command Shell	Anomaly
PowerShell - Connect To Internet With Hidden Window	PowerShell, Command and Scripting Interpreter	Hunting
PowerShell 4104 Hunting	Command and Scripting Interpreter, PowerShell	Hunting
PowerShell Domain Enumeration	Command and Scripting Interpreter, PowerShell	TTP
PowerShell Enable PowerShell Remoting	PowerShell, Command and Scripting Interpreter	Anomaly
PowerShell Get LocalGroup Discovery	Permission Groups Discovery, Local Groups	Hunting
PowerShell Invoke CIMMethod CIMSession	Windows Management Instrumentation	Anomaly
PowerShell Invoke WmiExec Usage	Windows Management Instrumentation	TTP
PowerShell Loading DotNET into Memory via Reflection	Command and Scripting Interpreter, PowerShell	TTP
PowerShell Start or Stop Service	PowerShell	Anomaly
PowerShell Start-BitsTransfer	BITS Jobs	TTP
Powershell COM Hijacking InprocServer32 Modification	Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell	TTP
Powershell Creating Thread Mutex	Obfuscated Files or Information, Indicator Removal from Tools, PowerShell	TTP
Powershell Disable Security Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Powershell Enable SMB1Protocol Feature	Obfuscated Files or Information, Indicator Removal from Tools	TTP
Powershell Execute COM Object	Component Object Model Hijacking, Event Triggered Execution, PowerShell	TTP
Powershell Fileless Process Injection via GetProcAddress	Command and Scripting Interpreter, Process Injection, PowerShell	TTP
Powershell Fileless Script Contains Base64 Encoded Content	Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell	TTP
Powershell Get LocalGroup Discovery with Script Block Logging	Permission Groups Discovery, Local Groups	Hunting
Powershell Load Module in Meterpreter	Command and Scripting Interpreter, PowerShell	TTP
Powershell Processing Stream Of Data	Command and Scripting Interpreter, PowerShell	TTP
Powershell Remote Thread To Known Windows Process	Process Injection	TTP
Powershell Remove Windows Defender Directory	Disable or Modify Tools, Impair Defenses	TTP
Powershell Using memory As Backing Store	PowerShell, Command and Scripting Interpreter	TTP
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools, Impair Defenses	TTP
Prevent Automatic Repair Mode using Bcdedit	Inhibit System Recovery	TTP
Print Processor Registry Autostart	Print Processors, Boot or Logon Autostart Execution	TTP
Print Spooler Adding A Printer Driver	Print Processors, Boot or Logon Autostart Execution	TTP
Print Spooler Failed to Load a Plug-in	Print Processors, Boot or Logon Autostart Execution	TTP
Process Creating LNK file in Suspicious Location	Phishing, Spearphishing Link	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Process Execution via WMI	Windows Management Instrumentation	TTP
Process Kill Base On File Path	Disable or Modify Tools, Impair Defenses	TTP
Process Writing DynamicWrapperX	Command and Scripting Interpreter, Component Object Model	Hunting
Processes Tapping Keyboard Events	None	TTP
Processes created by netsh	Disable or Modify System Firewall	TTP
Processes launching netsh	Disable or Modify System Firewall, Impair Defenses	Anomaly
Prohibited Network Traffic Allowed	Exfiltration Over Alternative Protocol	TTP
Prohibited Software On Endpoint	None	Hunting
Protocol or Port Mismatch	Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol	Anomaly
Protocols passing authentication in cleartext	None	TTP
ProxyShell ProxyNotShell Behavior Detected	Exploit Public-Facing Application	Correlation
Randomly Generated Scheduled Task Name	Scheduled Task/Job, Scheduled Task	Hunting
Randomly Generated Windows Service Name	Create or Modify System Process, Windows Service	Hunting
Ransomware Notes bulk creation	Data Encrypted for Impact	Anomaly
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Recon Using WMI Class	Gather Victim Host Information, PowerShell	Anomaly
Recursive Delete of Directory In Batch CMD	File Deletion, Indicator Removal	TTP
Reg exe Manipulating Windows Services Registry Keys	Services Registry Permissions Weakness, Hijack Execution Flow	TTP
Reg exe used to hide files directories via registry keys	Hidden Files and Directories	TTP
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Registry Keys Used For Privilege Escalation	Image File Execution Options Injection, Event Triggered Execution	TTP
Registry Keys for Creating SHIM Databases	Application Shimming, Event Triggered Execution	TTP
Regsvr32 Silent and Install Param Dll Loading	System Binary Proxy Execution, Regsvr32	Anomaly
Regsvr32 with Known Silent Switch Cmdline	System Binary Proxy Execution, Regsvr32	Anomaly
Remcos RAT File Creation in Remcos Folder	Screen Capture	TTP
Remcos client registry install entry	Modify Registry	TTP
Remote Desktop Network Bruteforce	Remote Desktop Protocol, Remote Services	TTP
Remote Desktop Network Traffic	Remote Desktop Protocol, Remote Services	Anomaly
Remote Desktop Process Running On System	Remote Desktop Protocol, Remote Services	Hunting
Remote Process Instantiation via DCOM and PowerShell	Remote Services, Distributed Component Object Model	TTP
Remote Process Instantiation via DCOM and PowerShell Script Block	Remote Services, Distributed Component Object Model	TTP
Remote Process Instantiation via WMI	Windows Management Instrumentation	TTP
Remote Process Instantiation via WMI and PowerShell	Windows Management Instrumentation	TTP
Remote Process Instantiation via WMI and PowerShell Script Block	Windows Management Instrumentation	TTP
Remote Process Instantiation via WinRM and PowerShell	Remote Services, Windows Remote Management	TTP
Remote Process Instantiation via WinRM and PowerShell Script Block	Remote Services, Windows Remote Management	TTP
Remote Process Instantiation via WinRM and Winrs	Remote Services, Windows Remote Management	TTP
Remote Registry Key modifications	None	TTP
Remote System Discovery with Adsisearcher	Remote System Discovery	TTP
Remote System Discovery with Dsquery	Remote System Discovery	Hunting
Remote System Discovery with Net	Remote System Discovery	Hunting
Remote System Discovery with Wmic	Remote System Discovery	TTP
Remote WMI Command Attempt	Windows Management Instrumentation	TTP
Resize ShadowStorage volume	Inhibit System Recovery	TTP
Resize Shadowstorage Volume	Service Stop	TTP
Revil Common Exec Parameter	User Execution	TTP
Revil Registry Entry	Modify Registry	TTP
Rubeus Command Line Parameters	Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting	TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access	Use Alternate Authentication Material, Pass the Ticket	TTP
RunDLL Loading DLL By Ordinal	System Binary Proxy Execution, Rundll32	TTP
Runas Execution in CommandLine	Access Token Manipulation, Token Impersonation/Theft	Hunting
Rundll32 Control RunDLL Hunt	System Binary Proxy Execution, Rundll32	Hunting
Rundll32 Control RunDLL World Writable Directory	System Binary Proxy Execution, Rundll32	TTP
Rundll32 Create Remote Thread To A Process	Process Injection	TTP
Rundll32 CreateRemoteThread In Browser	Process Injection	TTP
Rundll32 DNSQuery	System Binary Proxy Execution, Rundll32	TTP
Rundll32 LockWorkStation	System Binary Proxy Execution, Rundll32	Anomaly
Rundll32 Process Creating Exe Dll Files	System Binary Proxy Execution, Rundll32	TTP
Rundll32 Shimcache Flush	Modify Registry	TTP
Rundll32 with no Command Line Arguments with Network	System Binary Proxy Execution, Rundll32	TTP
Ryuk Test Files Detected	Data Encrypted for Impact	TTP
Ryuk Wake on LAN Command	Command and Scripting Interpreter, Windows Command Shell	TTP
SAM Database File Access Attempt	Security Account Manager, OS Credential Dumping	Hunting
SLUI RunAs Elevated	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
SLUI Spawning a Process	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
SMB Traffic Spike	SMB/Windows Admin Shares, Remote Services	Anomaly
SMB Traffic Spike - MLTK	SMB/Windows Admin Shares, Remote Services	Anomaly
SQL Injection with Long URLs	Exploit Public-Facing Application	TTP
SSL Certificates with Punycode	Encrypted Channel	Hunting
Samsam Test File Write	Data Encrypted for Impact	TTP
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
SchCache Change By App Connect And Create ADSI Object	Domain Account, Account Discovery	Anomaly
Schedule Task with HTTP Command Arguments	Scheduled Task/Job	TTP
Schedule Task with Rundll32 Command Trigger	Scheduled Task/Job	TTP
Scheduled Task Creation on Remote Endpoint using At	Scheduled Task/Job, At	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Scheduled Task Initiation on Remote Endpoint	Scheduled Task/Job, Scheduled Task	TTP
Scheduled tasks used in BadRabbit ransomware	Scheduled Task	TTP
Schtasks Run Task On Demand	Scheduled Task/Job	TTP
Schtasks scheduling job on remote system	Scheduled Task, Scheduled Task/Job	TTP
Schtasks used for forcing a reboot	Scheduled Task, Scheduled Task/Job	TTP
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Script Execution via WMI	Windows Management Instrumentation	TTP
Sdclt UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Sdelete Application Execution	Data Destruction, File Deletion, Indicator Removal	TTP
Sdelete Application Execution	Data Destruction, File Deletion, Indicator Removal	Anomaly
SearchProtocolHost with no Command Line with Network	Process Injection	TTP
SecretDumps Offline NTDS Dumping Tool	NTDS, OS Credential Dumping	TTP
ServicePrincipalNames Discovery with PowerShell	Kerberoasting	TTP
ServicePrincipalNames Discovery with SetSPN	Kerberoasting	TTP
Services Escalate Exe	Abuse Elevation Control Mechanism	TTP
Services LOLBAS Execution Process Spawn	Create or Modify System Process, Windows Service	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	Command and Scripting Interpreter, PowerShell	TTP
Shim Database File Creation	Application Shimming, Event Triggered Execution	TTP
Shim Database Installation With Suspicious Parameters	Application Shimming, Event Triggered Execution	TTP
Short Lived Scheduled Task	Scheduled Task	TTP
Short Lived Windows Accounts	Local Account, Create Account	TTP
SilentCleanup UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Single Letter Process On Endpoint	User Execution, Malicious File	TTP
Spectre and Meltdown Vulnerable Systems	None	TTP
Spike in File Writes	None	Anomaly
Splunk Account Discovery Drilldown Dashboard Disclosure	Account Discovery	TTP
Splunk Code Injection via custom dashboard leading to RCE	Exploitation of Remote Services	Hunting
Splunk Command and Scripting Interpreter Delete Usage	Command and Scripting Interpreter	Anomaly
Splunk Command and Scripting Interpreter Risky Commands	Command and Scripting Interpreter	Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK	Command and Scripting Interpreter	Anomaly
Splunk Data exfiltration from Analytics Workspace using sid query	Exfiltration Over Web Service	Hunting
Splunk Digital Certificates Infrastructure Version	Digital Certificates	Hunting
Splunk Digital Certificates Lack of Encryption	Digital Certificates	Anomaly
Splunk DoS via Malformed S2S Request	Network Denial of Service	TTP
Splunk Endpoint Denial of Service DoS Zip Bomb	Endpoint Denial of Service	TTP
Splunk Enterprise Information Disclosure	None	TTP
Splunk Identified SSL TLS Certificates	Network Sniffing	Hunting
Splunk Improperly Formatted Parameter Crashes splunkd	Endpoint Denial of Service	TTP
Splunk Process Injection Forwarder Bundle Downloads	Process Injection	Hunting
Splunk Protocol Impersonation Weak Encryption Configuration	Protocol Impersonation	Hunting
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature	Exploitation of Remote Services	Hunting
Splunk Reflected XSS in the templates lists radio	Drive-by Compromise	Hunting
Splunk Stored XSS via Data Model objectName field	Drive-by Compromise	Hunting
Splunk User Enumeration Attempt	Valid Accounts	TTP
Splunk XSS in Monitoring Console	Drive-by Compromise	TTP
Splunk XSS in Save table dialog header in search page	Drive-by Compromise	Hunting
Splunk XSS via View	Drive-by Compromise	Hunting
Splunk csrf in the ssg kvstore client endpoint	Drive-by Compromise	TTP
Splunk list all nonstandard admin accounts	Drive-by Compromise	Hunting
Splunk protocol impersonation weak encryption selfsigned	Digital Certificates	Hunting
Splunk protocol impersonation weak encryption simplerequest	Digital Certificates	Hunting
Splunk risky Command Abuse disclosed february 2023	Abuse Elevation Control Mechanism	Hunting
Splunk unnecessary file extensions allowed by lookup table uploads	Drive-by Compromise	TTP
Spoolsv Spawning Rundll32	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Suspicious Loaded Modules	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Suspicious Process Access	Exploitation for Privilege Escalation	TTP
Spoolsv Writing a DLL	Print Processors, Boot or Logon Autostart Execution	TTP
Spoolsv Writing a DLL - Sysmon	Print Processors, Boot or Logon Autostart Execution	TTP
Spring4Shell Payload URL Request	Web Shell, Server Software Component, Exploit Public-Facing Application	TTP
Sqlite Module In Temp Folder	Data from Local System	TTP
Steal or Forge Authentication Certificates Behavior Identified	Steal or Forge Authentication Certificates	Correlation
Sunburst Correlation DLL and Network Event	Exploitation for Client Execution	TTP
Supernova Webshell	Web Shell	TTP
Suspicious Changes to File Associations	Change Default File Association	TTP
Suspicious Computer Account Name Change	Valid Accounts, Domain Accounts	TTP
Suspicious Copy on System32	Rename System Utilities, Masquerading	TTP
Suspicious Curl Network Connection	Ingress Tool Transfer	TTP
Suspicious DLLHost no Command Line Arguments	Process Injection	TTP
Suspicious Driver Loaded Path	Windows Service, Create or Modify System Process	TTP
Suspicious Email - UBA Anomaly	Phishing	Anomaly
Suspicious Email Attachment Extensions	Spearphishing Attachment, Phishing	Anomaly
Suspicious Event Log Service Behavior	Indicator Removal, Clear Windows Event Logs	TTP
Suspicious File Write	None	Hunting
Suspicious GPUpdate no Command Line Arguments	Process Injection	TTP
Suspicious IcedID Rundll32 Cmdline	System Binary Proxy Execution, Rundll32	TTP
Suspicious Image Creation In Appdata Folder	Screen Capture	TTP
Suspicious Java Classes	None	Anomaly
Suspicious Kerberos Service Ticket Request	Valid Accounts, Domain Accounts	TTP
Suspicious Linux Discovery Commands	Unix Shell	TTP
Suspicious MSBuild Rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	Hunting
Suspicious MSBuild Spawn	Trusted Developer Utilities Proxy Execution, MSBuild	TTP
Suspicious PlistBuddy Usage	Launch Agent, Create or Modify System Process	TTP
Suspicious PlistBuddy Usage via OSquery	Launch Agent, Create or Modify System Process	TTP
Suspicious Powershell Command-Line Arguments	PowerShell	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious Process With Discord DNS Query	Visual Basic, Command and Scripting Interpreter	Anomaly
Suspicious Reg exe Process	Modify Registry	Anomaly
Suspicious Regsvr32 Register Suspicious Path	System Binary Proxy Execution, Regsvr32	TTP
Suspicious Rundll32 PluginInit	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 Rename	System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities	Hunting
Suspicious Rundll32 StartW	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 dllregisterserver	System Binary Proxy Execution, Rundll32	TTP
Suspicious Rundll32 no Command Line Arguments	System Binary Proxy Execution, Rundll32	TTP
Suspicious SQLite3 LSQuarantine Behavior	Data Staged	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
Suspicious SearchProtocolHost no Command Line Arguments	Process Injection	TTP
Suspicious Ticket Granting Ticket Request	Valid Accounts, Domain Accounts	Hunting
Suspicious WAV file in Appdata Folder	Screen Capture	TTP
Suspicious microsoft workflow compiler rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities	Hunting
Suspicious microsoft workflow compiler usage	Trusted Developer Utilities Proxy Execution	TTP
Suspicious msbuild path	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	TTP
Suspicious mshta child process	System Binary Proxy Execution, Mshta	TTP
Suspicious mshta spawn	System Binary Proxy Execution, Mshta	TTP
Suspicious wevtutil Usage	Clear Windows Event Logs, Indicator Removal	TTP
Suspicious writes to System Volume Information	Masquerading	Hunting
Suspicious writes to windows Recycle Bin	Masquerading	TTP
Svchost LOLBAS Execution Process Spawn	Scheduled Task/Job, Scheduled Task	TTP
System Info Gathering Using Dxdiag Application	Gather Victim Host Information	Hunting
System Information Discovery Detection	System Information Discovery	TTP
System Process Running from Unexpected Location	Masquerading	Anomaly
System Processes Run From Unexpected Locations	Masquerading, Rename System Utilities	Anomaly
System User Discovery With Query	System Owner/User Discovery	Hunting
System User Discovery With Whoami	System Owner/User Discovery	Hunting
TOR Traffic	Application Layer Protocol, Web Protocols	TTP
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
Trickbot Named Pipe	Process Injection	TTP
UAC Bypass MMC Load Unsigned Dll	Bypass User Account Control, Abuse Elevation Control Mechanism, MMC	TTP
UAC Bypass With Colorui COM Object	System Binary Proxy Execution, CMSTP	TTP
USN Journal Deletion	Indicator Removal	TTP
Uncommon Processes On Endpoint	Malicious File	Hunting
Uninstall App Using MsiExec	Msiexec, System Binary Proxy Execution	TTP
Unknown Process Using The Kerberos Protocol	Use Alternate Authentication Material	TTP
Unload Sysmon Filter Driver	Disable or Modify Tools, Impair Defenses	TTP
Unloading AMSI via Reflection	Impair Defenses, PowerShell, Command and Scripting Interpreter	TTP
Unsigned Image Loaded by LSASS	LSASS Memory	TTP
Unsuccessful Netbackup backups	None	Hunting
Unusual Number of Computer Service Tickets Requested	Valid Accounts	Hunting
Unusual Number of Kerberos Service Tickets Requested	Steal or Forge Kerberos Tickets, Kerberoasting	Anomaly
Unusual Number of Remote Endpoint Authentication Events	Valid Accounts	Hunting
Unusually Long Command Line	None	Anomaly
Unusually Long Command Line - MLTK	None	Anomaly
Unusually Long Content-Type Length	None	Anomaly
User Discovery With Env Vars PowerShell	System Owner/User Discovery	Hunting
User Discovery With Env Vars PowerShell Script Block	System Owner/User Discovery	Hunting
VMware Server Side Template Injection Hunt	Exploit Public-Facing Application	Hunting
VMware Workspace ONE Freemarker Server-side Template Injection	Exploit Public-Facing Application	Anomaly
Vbscript Execution Using Wscript App	Visual Basic, Command and Scripting Interpreter	TTP
Verclsid CLSID Execution	Verclsid, System Binary Proxy Execution	Hunting
W3WP Spawning Shell	Server Software Component, Web Shell	TTP
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WBAdmin Delete System Backups	Inhibit System Recovery	TTP
WMI Permanent Event Subscription	Windows Management Instrumentation	TTP
WMI Permanent Event Subscription - Sysmon	Windows Management Instrumentation Event Subscription, Event Triggered Execution	TTP
WMI Recon Running Process Or Services	Gather Victim Host Information	Anomaly
WMI Temporary Event Subscription	Windows Management Instrumentation	TTP
WMIC XSL Execution via URL	XSL Script Processing	TTP
WSReset UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Wbemprox COM Object Execution	System Binary Proxy Execution, CMSTP	TTP
Web Fraud - Account Harvesting	Create Account	TTP
Web Fraud - Anomalous User Clickspeed	Valid Accounts	Anomaly
Web Fraud - Password Sharing Across Accounts	None	Anomaly
Web JSP Request via URL	Web Shell, Server Software Component, Exploit Public-Facing Application	TTP
Web Servers Executing Suspicious Processes	System Information Discovery	TTP
Web Spring Cloud Function FunctionRouter	Exploit Public-Facing Application	TTP
Web Spring4Shell HTTP Request Class Module	Exploit Public-Facing Application	TTP
Wermgr Process Connecting To IP Check Web Services	Gather Victim Network Information, IP Addresses	TTP
Wermgr Process Create Executable File	Obfuscated Files or Information	TTP
Wermgr Process Spawned CMD Or Powershell Process	Command and Scripting Interpreter	TTP
WevtUtil Usage To Clear Logs	Indicator Removal, Clear Windows Event Logs	TTP
Wevtutil Usage To Disable Logs	Indicator Removal, Clear Windows Event Logs	TTP
Wget Download and Bash Execution	Ingress Tool Transfer	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
WinRM Spawning a Process	Exploit Public-Facing Application	TTP
Windows AD AdminSDHolder ACL Modified	Event Triggered Execution	TTP
Windows AD Cross Domain SID History Addition	SID-History Injection, Access Token Manipulation	TTP
Windows AD DSRM Account Changes	Account Manipulation	TTP
Windows AD DSRM Password Reset	Account Manipulation	TTP
Windows AD Domain Controller Audit Policy Disabled	Disable or Modify Tools	TTP
Windows AD Domain Controller Promotion	Rogue Domain Controller	TTP
Windows AD Domain Replication ACL Addition	Domain Policy Modification	TTP
Windows AD Privileged Account SID History Addition	SID-History Injection, Access Token Manipulation	TTP
Windows AD Replication Request Initiated by User Account	DCSync, OS Credential Dumping	TTP
Windows AD Replication Request Initiated from Unsanctioned Location	DCSync, OS Credential Dumping	TTP
Windows AD Replication Service Traffic	OS Credential Dumping, DCSync, Rogue Domain Controller	TTP
Windows AD Rogue Domain Controller Network Activity	Rogue Domain Controller	TTP
Windows AD SID History Attribute Modified	Access Token Manipulation, SID-History Injection	TTP
Windows AD Same Domain SID History Addition	SID-History Injection, Access Token Manipulation	TTP
Windows AD ServicePrincipalName Added To Domain Account	Account Manipulation	TTP
Windows AD Short Lived Domain Account ServicePrincipalName	Account Manipulation	TTP
Windows AD Short Lived Domain Controller SPN Attribute	Rogue Domain Controller	TTP
Windows AD Short Lived Server Object	Rogue Domain Controller	TTP
Windows Access Token Manipulation SeDebugPrivilege	Create Process with Token, Access Token Manipulation	Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle	Token Impersonation/Theft, Access Token Manipulation	Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path	Token Impersonation/Theft, Access Token Manipulation	Anomaly
Windows AdFind Exe	Remote System Discovery	TTP
Windows Administrative Shares Accessed On Multiple Hosts	Network Share Discovery	TTP
Windows Admon Default Group Policy Object Modified	Domain Policy Modification, Group Policy Modification	TTP
Windows Admon Group Policy Object Created	Domain Policy Modification, Group Policy Modification	TTP
Windows Apache Benchmark Binary	Command and Scripting Interpreter	Anomaly
Windows App Layer Protocol Qakbot NamedPipe	Application Layer Protocol	Anomaly
Windows App Layer Protocol Wermgr Connect To NamedPipe	Application Layer Protocol	Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Application Layer Protocol	TTP
Windows Autostart Execution LSASS Driver Registry Modification	LSASS Driver	TTP
Windows Binary Proxy Execution Mavinject DLL Injection	Mavinject, System Binary Proxy Execution	TTP
Windows Bits Job Persistence	BITS Jobs	TTP
Windows Bitsadmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
Windows Boot or Logon Autostart Execution In Startup Folder	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	Anomaly
Windows BootLoader Inventory	System Firmware, Pre-OS Boot	Hunting
Windows COM Hijacking InprocServer32 Modification	Component Object Model Hijacking, Event Triggered Execution	TTP
Windows COM Hijacking InprocServer32 Modification	Component Object Model Hijacking, Event Triggered Execution	TTP
Windows Cached Domain Credentials Reg Query	Cached Domain Credentials, OS Credential Dumping	Anomaly
Windows CertUtil Decode File	Deobfuscate/Decode Files or Information	TTP
Windows CertUtil URLCache Download	Ingress Tool Transfer	TTP
Windows CertUtil VerifyCtl Download	Ingress Tool Transfer	TTP
Windows Change Default File Association For No File Ext	Change Default File Association, Event Triggered Execution	TTP
Windows ClipBoard Data via Get-ClipBoard	Clipboard Data	Anomaly
Windows Command Shell DCRat ForkBomb Payload	Windows Command Shell, Command and Scripting Interpreter	TTP
Windows Command Shell Fetch Env Variables	Process Injection	TTP
Windows Command and Scripting Interpreter Hunting Path Traversal	Command and Scripting Interpreter	Hunting
Windows Command and Scripting Interpreter Path Traversal Exec	Command and Scripting Interpreter	TTP
Windows Computer Account Created by Computer Account	Steal or Forge Kerberos Tickets	TTP
Windows Computer Account Requesting Kerberos Ticket	Steal or Forge Kerberos Tickets	TTP
Windows Computer Account With SPN	Steal or Forge Kerberos Tickets	TTP
Windows Create Local Account	Local Account, Create Account	Anomaly
Windows Credential Dumping LSASS Memory Createdump	LSASS Memory	TTP
Windows Credentials from Password Stores Chrome Extension Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome LocalState Access	Query Registry	Anomaly
Windows Credentials from Password Stores Chrome Login Data Access	Query Registry	Anomaly
Windows Credentials from Password Stores Query	Credentials from Password Stores	Anomaly
Windows Credentials in Registry Reg Query	Credentials in Registry, Unsecured Credentials	Anomaly
Windows Curl Download to Suspicious Path	Ingress Tool Transfer	TTP
Windows Curl Upload to Remote Destination	Ingress Tool Transfer	TTP
Windows Curl Upload to Remote Destination	Ingress Tool Transfer	TTP
Windows DISM Remove Defender	Disable or Modify Tools, Impair Defenses	TTP
Windows DLL Search Order Hijacking Hunt	DLL Search Order Hijacking, Hijack Execution Flow	Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon	DLL Search Order Hijacking, Hijack Execution Flow	Hunting
Windows DLL Search Order Hijacking with iscsicpl	DLL Search Order Hijacking	TTP
Windows DLL Side-Loading In Calc	DLL Side-Loading, Hijack Execution Flow	TTP
Windows DLL Side-Loading Process Child Of Calc	DLL Side-Loading, Hijack Execution Flow	Anomaly
Windows DNS Gather Network Info	DNS	Anomaly
Windows Data Destruction Recursive Exec Files Deletion	Data Destruction	TTP
Windows Defacement Modify Transcodedwallpaper File	Defacement	Anomaly
Windows Default Group Policy Object Modified	Domain Policy Modification, Group Policy Modification	TTP
Windows Default Group Policy Object Modified with GPME	Domain Policy Modification, Group Policy Modification	TTP
Windows Default Group Policy Object Modified with GPME	Domain Policy Modification, Group Policy Modification	TTP
Windows Defender Exclusion Registry Entry	Disable or Modify Tools, Impair Defenses	TTP
Windows Defender Tools in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Deleted Registry By A Non Critical Process File Path	Modify Registry	Anomaly
Windows Disable Change Password Through Registry	Modify Registry	Anomaly
Windows Disable Lock Workstation Feature Through Registry	Modify Registry	Anomaly
Windows Disable LogOff Button Through Registry	Modify Registry	Anomaly
Windows Disable Memory Crash Dump	Data Destruction	TTP
Windows Disable Notification Center	Modify Registry	Anomaly
Windows Disable Shutdown Button Through Registry	Modify Registry	Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging	Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components	TTP
Windows Disable Windows Group Policy Features Through Registry	Modify Registry	Anomaly
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows DiskCryptor Usage	Data Encrypted for Impact	Hunting
Windows Diskshadow Proxy Execution	System Binary Proxy Execution	TTP
Windows Diskshadow Proxy Execution	System Binary Proxy Execution	Anomaly
Windows DnsAdmins New Member Added	Account Manipulation	TTP
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows Driver Inventory	Exploitation for Privilege Escalation	Hunting
Windows Driver Load Non-Standard Path	Rootkit, Exploitation for Privilege Escalation	TTP
Windows Drivers Loaded by Signature	Rootkit, Exploitation for Privilege Escalation	Hunting
Windows Enable Win32 ScheduledJob via Registry	Scheduled Task	Anomaly
Windows Event For Service Disabled	Disable or Modify Tools, Impair Defenses	Hunting
Windows Event Log Cleared	Indicator Removal, Clear Windows Event Logs	TTP
Windows Event Triggered Image File Execution Options Injection	Image File Execution Options Injection	Hunting
Windows Excessive Disabled Services Event	Disable or Modify Tools, Impair Defenses	TTP
Windows Exchange Autodiscover SSRF Abuse	Exploit Public-Facing Application	TTP
Windows Exchange PowerShell Module Usage	Command and Scripting Interpreter, PowerShell	TTP
Windows Execute Arbitrary Commands with MSDT	System Binary Proxy Execution	TTP
Windows Execute Arbitrary Commands with MSDT	System Binary Proxy Execution	TTP
Windows Exfiltration Over C2 Via Invoke RestMethod	Exfiltration Over C2 Channel	TTP
Windows Exfiltration Over C2 Via Powershell UploadString	Exfiltration Over C2 Channel	TTP
Windows Export Certificate	Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates	Anomaly
Windows File Share Discovery With Powerview	Network Share Discovery	TTP
Windows File Share Discovery With Powerview	Unsecured Credentials, Group Policy Preferences	TTP
Windows File Transfer Protocol In Non-Common Process Path	Mail Protocols, Application Layer Protocol	Anomaly
Windows File Without Extension In Critical Folder	Data Destruction	TTP
Windows Findstr GPP Discovery	Unsecured Credentials, Group Policy Preferences	TTP
Windows Findstr GPP Discovery	Unsecured Credentials, Group Policy Preferences	TTP
Windows Gather Victim Host Information Camera	Hardware, Gather Victim Host Information	Anomaly
Windows Gather Victim Identity SAM Info	Credentials, Gather Victim Identity Information	Hunting
Windows Gather Victim Network Info Through Ip Check Web Services	IP Addresses, Gather Victim Network Information	Hunting
Windows Get-AdComputer Unconstrained Delegation Discovery	Remote System Discovery	TTP
Windows Group Policy Object Created	Domain Policy Modification, Group Policy Modification, Domain Accounts	TTP
Windows Hidden Schedule Task Settings	Scheduled Task/Job	TTP
Windows Hide Notification Features Through Registry	Modify Registry	Anomaly
Windows High File Deletion Frequency	Data Destruction	Anomaly
Windows Hijack Execution Flow Version Dll Side Load	DLL Search Order Hijacking, Hijack Execution Flow	Anomaly
Windows Hunting System Account Targeting Lsass	LSASS Memory, OS Credential Dumping	Hunting
Windows IIS Components Add New Module	Server Software Component, IIS Components	Anomaly
Windows IIS Components Get-WebGlobalModule Module Query	IIS Components, Server Software Component	Hunting
Windows IIS Components Module Failed to Load	Server Software Component, IIS Components	Anomaly
Windows IIS Components New Module Added	Server Software Component, IIS Components	TTP
Windows ISO LNK File Creation	Spearphishing Attachment, Phishing, Malicious Link, User Execution	Hunting
Windows Identify Protocol Handlers	Command and Scripting Interpreter	Hunting
Windows Impair Defense Add Xml Applocker Rules	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Delete Win Defender Context Menu	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Delete Win Defender Profile Registry	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Impair Defense Deny Security Software With Applocker	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defenses Disable HVCI	Disable or Modify Tools, Impair Defenses	TTP
Windows Impair Defenses Disable Win Defender Auto Logging	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Indirect Command Execution Via Series Of Forfiles	Indirect Command Execution	Anomaly
Windows Indirect Command Execution Via forfiles	Indirect Command Execution	TTP
Windows Indirect Command Execution Via pcalua	Indirect Command Execution	TTP
Windows Information Discovery Fsutil	System Information Discovery	Hunting
Windows Ingress Tool Transfer Using Explorer	Ingress Tool Transfer	Anomaly
Windows Ingress Tool Transfer Using Explorer	Ingress Tool Transfer	TTP
Windows Input Capture Using Credential UI Dll	GUI Input Capture, Input Capture	Hunting
Windows InstallUtil Credential Theft	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Remote Network Connection	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil URL in Command Line	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option with Network	InstallUtil, System Binary Proxy Execution	TTP
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows Java Spawning Shells	Exploit Public-Facing Application	TTP
Windows Kerberos Local Successful Logon	Steal or Forge Kerberos Tickets	TTP
Windows KrbRelayUp Service Creation	Windows Service	TTP
Windows LOLBin Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows Large Number of Computer Service Tickets Requested	Network Share Discovery, Valid Accounts	Anomaly
Windows Lateral Tool Transfer RemCom	Lateral Tool Transfer	TTP
Windows Ldifde Directory Object Behavior	Ingress Tool Transfer, Domain Groups	TTP
Windows Linked Policies In ADSI Discovery	Domain Account, Account Discovery	Anomaly
Windows Local Administrator Credential Stuffing	Brute Force, Credential Stuffing	TTP
Windows MOF Event Triggered Execution via WMI	Windows Management Instrumentation Event Subscription	TTP
Windows MSExchange Management Mailbox Cmdlet Usage	Command and Scripting Interpreter, PowerShell	Anomaly
Windows MSHTA Child Process	Mshta, System Binary Proxy Execution	TTP
Windows MSHTA Command-Line URL	Mshta, System Binary Proxy Execution	TTP
Windows MSHTA Inline HTA Execution	Mshta, System Binary Proxy Execution	TTP
Windows MSIExec DLLRegisterServer	Msiexec	TTP
Windows MSIExec Remote Download	Msiexec	TTP
Windows MSIExec Spawn Discovery Command	Msiexec	TTP
Windows MSIExec Unregister DLLRegisterServer	Msiexec	TTP
Windows MSIExec With Network Connections	Msiexec	TTP
Windows Mail Protocol In Non-Common Process Path	Mail Protocols, Application Layer Protocol	Anomaly
Windows Masquerading Explorer As Child Process	DLL Side-Loading, Hijack Execution Flow	TTP
Windows Mimikatz Binary Execution	OS Credential Dumping	TTP
Windows Mimikatz Crypto Export File Extensions	Steal or Forge Authentication Certificates	Anomaly
Windows Modify Registry Auto Minor Updates	Modify Registry	Hunting
Windows Modify Registry Auto Update Notif	Modify Registry	Anomaly
Windows Modify Registry Default Icon Setting	Modify Registry	Anomaly
Windows Modify Registry DisAllow Windows App	Modify Registry	TTP
Windows Modify Registry Disable Toast Notifications	Modify Registry	Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif	Modify Registry	Anomaly
Windows Modify Registry Disable WinDefender Notifications	Modify Registry	TTP
Windows Modify Registry Disable Windows Security Center Notif	Modify Registry	Anomaly
Windows Modify Registry Disabling WER Settings	Modify Registry	TTP
Windows Modify Registry Do Not Connect To Win Update	Modify Registry	Anomaly
Windows Modify Registry No Auto Reboot With Logon User	Modify Registry	Anomaly
Windows Modify Registry No Auto Update	Modify Registry	Anomaly
Windows Modify Registry Qakbot Binary Data Registry	Modify Registry	Anomaly
Windows Modify Registry Reg Restore	Query Registry	Hunting
Windows Modify Registry Regedit Silent Reg Import	Modify Registry	Anomaly
Windows Modify Registry Suppress Win Defender Notif	Modify Registry	Anomaly
Windows Modify Registry Tamper Protection	Modify Registry	TTP
Windows Modify Registry USeWuServer	Modify Registry	Hunting
Windows Modify Registry UpdateServiceUrlAlternate	Modify Registry	Anomaly
Windows Modify Registry WuServer	Modify Registry	Hunting
Windows Modify Registry wuStatusServer	Modify Registry	Hunting
Windows Modify Show Compress Color And Info Tip Registry	Modify Registry	TTP
Windows Mshta Execution In Registry	Mshta	TTP
Windows Multi hop Proxy TOR Website Query	Mail Protocols, Application Layer Protocol	Anomaly
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos	Password Spraying, Brute Force	TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos	Password Spraying, Brute Force	TTP
Windows Multiple Invalid Users Failed To Authenticate Using NTLM	Password Spraying, Brute Force	TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials	Password Spraying, Brute Force	TTP
Windows Multiple Users Failed To Authenticate From Host Using NTLM	Password Spraying, Brute Force	TTP
Windows Multiple Users Failed To Authenticate From Process	Password Spraying, Brute Force	TTP
Windows Multiple Users Failed To Authenticate Using Kerberos	Password Spraying, Brute Force	TTP
Windows Multiple Users Remotely Failed To Authenticate From Host	Password Spraying, Brute Force	TTP
Windows Ngrok Reverse Proxy Usage	Protocol Tunneling, Proxy, Web Service	Anomaly
Windows NirSoft AdvancedRun	Tool	TTP
Windows NirSoft Utilities	Tool	Hunting
Windows Non-System Account Targeting Lsass	LSASS Memory, OS Credential Dumping	TTP
Windows OS Credential Dumping with Ntdsutil Export NTDS	NTDS, OS Credential Dumping	TTP
Windows OS Credential Dumping with Procdump	LSASS Memory, OS Credential Dumping	TTP
Windows Odbcconf Hunting	Odbcconf	Hunting
Windows Odbcconf Load DLL	Odbcconf	TTP
Windows Odbcconf Load Response File	Odbcconf	TTP
Windows Odbcconf Load Response File	Odbcconf, System Binary Proxy Execution	TTP
Windows Office Product Spawning MSDT	Phishing, Spearphishing Attachment	TTP
Windows PaperCut NG Spawn Shell	Command and Scripting Interpreter, Exploit Public-Facing Application	TTP
Windows Password Managers Discovery	Password Managers	Hunting
Windows Phishing PDF File Executes URL Link	Spearphishing Attachment, Phishing	Anomaly
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment, Phishing	Hunting
Windows Possible Credential Dumping	LSASS Memory, OS Credential Dumping	TTP
Windows PowerShell Add Module to Global Assembly Cache	Server Software Component, IIS Components	TTP
Windows PowerShell Disable HTTP Logging	Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components	TTP
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView	Steal or Forge Kerberos Tickets, AS-REP Roasting	TTP
Windows PowerShell Export Certificate	Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates	Anomaly
Windows PowerShell Export PfxCertificate	Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates	Anomaly
Windows PowerShell Get CIMInstance Remote Computer	PowerShell	Anomaly
Windows PowerShell IIS Components WebGlobalModule Usage	Server Software Component, IIS Components	Anomaly
Windows PowerShell Start-BitsTransfer	BITS Jobs, Ingress Tool Transfer	TTP
Windows PowerShell WMI Win32 ScheduledJob	PowerShell, Command and Scripting Interpreter	TTP
Windows PowerSploit GPP Discovery	Unsecured Credentials, Group Policy Preferences	TTP
Windows PowerSploit GPP Discovery	Unsecured Credentials, Group Policy Preferences	TTP
Windows PowerView AD Access Control List Enumeration	Domain Accounts, Permission Groups Discovery	TTP
Windows PowerView AD Access Control List Enumeration	Domain Accounts, Permission Groups Discovery	TTP
Windows PowerView Constrained Delegation Discovery	Remote System Discovery	TTP
Windows PowerView Kerberos Service Ticket Request	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Windows PowerView SPN Discovery	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Windows PowerView Unconstrained Delegation Discovery	Remote System Discovery	TTP
Windows Powershell Connect to Internet With Hidden Window	Automated Exfiltration	Anomaly
Windows Powershell Cryptography Namespace	PowerShell, Command and Scripting Interpreter	Anomaly
Windows Powershell DownloadFile	Automated Exfiltration	Anomaly
Windows Powershell Import Applocker Policy	PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses	TTP
Windows Private Keys Discovery	Private Keys, Unsecured Credentials	Anomaly
Windows Process Injection Of Wermgr to Known Browser	Dynamic-link Library Injection, Process Injection	TTP
Windows Process Injection Remote Thread	Process Injection, Portable Executable Injection	TTP
Windows Process Injection Wermgr Child Process	Process Injection	Anomaly
Windows Process Injection With Public Source Path	Process Injection, Portable Executable Injection	Hunting
Windows Process Injection into Notepad	Process Injection, Portable Executable Injection	Anomaly
Windows Process With NamedPipe CommandLine	Process Injection	Anomaly
Windows Processes Killed By Industroyer2 Malware	Service Stop	Anomaly
Windows Protocol Tunneling with Plink	Protocol Tunneling, SSH	TTP
Windows Proxy Via Netsh	Internal Proxy, Proxy	Anomaly
Windows Proxy Via Registry	Internal Proxy, Proxy	Anomaly
Windows Query Registry Browser List Application	Query Registry	Anomaly
Windows Query Registry Reg Save	Query Registry	Hunting
Windows Query Registry UnInstall Program List	Query Registry	Anomaly
Windows RDP Connection Successful	RDP Hijacking	Hunting
Windows Raccine Scheduled Task Deletion	Disable or Modify Tools	TTP
Windows Rapid Authentication On Multiple Hosts	Security Account Manager	TTP
Windows Rasautou DLL Execution	Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection	TTP
Windows Rasautou DLL Execution	Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection	TTP
Windows Raw Access To Disk Volume Partition	Disk Structure Wipe, Disk Wipe	Anomaly
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP
Windows Registry BootExecute Modification	Pre-OS Boot, Registry Run Keys / Startup Folder	TTP
Windows Registry Certificate Added	Install Root Certificate, Subvert Trust Controls	Anomaly
Windows Registry Delete Task SD	Scheduled Task, Impair Defenses	Anomaly
Windows Registry Modification for Safe Mode Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Windows Regsvr32 Renamed Binary	Regsvr32, System Binary Proxy Execution	TTP
Windows Remote Access Software BRC4 Loaded Dll	Remote Access Software, OS Credential Dumping	Anomaly
Windows Remote Access Software Hunt	Remote Access Software	Hunting
Windows Remote Access Software RMS Registry	Remote Access Software	TTP
Windows Remote Assistance Spawning Process	Process Injection	TTP
Windows Remote Create Service	Create or Modify System Process, Windows Service	Anomaly
Windows Remote Service Rdpwinst Tool Execution	Remote Desktop Protocol, Remote Services	TTP
Windows Remote Services Allow Rdp In Firewall	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Allow Remote Assistance	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Rdp Enable	Remote Desktop Protocol, Remote Services	TTP
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities At exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path	Masquerading, Rename System Utilities	Anomaly
Windows Replication Through Removable Media	Replication Through Removable Media	TTP
Windows Root Domain linked policies Discovery	Domain Account, Account Discovery	Anomaly
Windows Rundll32 Comsvcs Memory Dump	NTDS, OS Credential Dumping	TTP
Windows Rundll32 Inline HTA Execution	System Binary Proxy Execution, Mshta	TTP
Windows Rundll32 WebDAV Request	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Windows Rundll32 WebDav With Network Connection	Exfiltration Over Unencrypted Non-C2 Protocol	TTP
Windows Scheduled Task Created Via XML	Scheduled Task, Scheduled Task/Job	TTP
Windows Scheduled Task with Highest Privileges	Scheduled Task/Job, Scheduled Task	TTP
Windows Schtasks Create Run As System	Scheduled Task, Scheduled Task/Job	TTP
Windows Screen Capture Via Powershell	Screen Capture	TTP
Windows Script Host Spawn MSBuild	MSBuild, Trusted Developer Utilities Proxy Execution	TTP
Windows Security Account Manager Stopped	Service Stop	TTP
Windows Security Support Provider Reg Query	Security Support Provider, Boot or Logon Autostart Execution	Anomaly
Windows Server Software Component GACUtil Install to GAC	Server Software Component, IIS Components	TTP
Windows Service Create Kernel Mode Driver	Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation	TTP
Windows Service Create RemComSvc	Windows Service, Create or Modify System Process	Anomaly
Windows Service Create SliverC2	System Services, Service Execution	TTP
Windows Service Create with Tscon	RDP Hijacking, Remote Service Session Hijacking, Windows Service	TTP
Windows Service Created Within Public Path	Create or Modify System Process, Windows Service	TTP
Windows Service Created with Suspicious Service Path	System Services, Service Execution	TTP
Windows Service Creation Using Registry Entry	Services Registry Permissions Weakness	TTP
Windows Service Creation on Remote Endpoint	Create or Modify System Process, Windows Service	TTP
Windows Service Deletion In Registry	Service Stop	Anomaly
Windows Service Initiation on Remote Endpoint	Create or Modify System Process, Windows Service	TTP
Windows Service Stop By Deletion	Service Stop	TTP
Windows Service Stop Via Net and SC Application	Service Stop	Anomaly
Windows Service Stop Win Updates	Service Stop	Anomaly
Windows Snake Malware File Modification Crmlog	Obfuscated Files or Information	TTP
Windows Snake Malware Kernel Driver Comadmin	Kernel Modules and Extensions	TTP
Windows Snake Malware Registry Modification wav OpenWithProgIds	Modify Registry	TTP
Windows Snake Malware Service Create	Kernel Modules and Extensions, Service Execution	TTP
Windows Spearphishing Attachment Connect To None MS Office Domain	Spearphishing Attachment, Phishing	Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta	Spearphishing Attachment, Phishing	TTP
Windows Special Privileged Logon On Multiple Hosts	Account Discovery, SMB/Windows Admin Shares, Network Share Discovery	TTP
Windows Steal Authentication Certificates CS Backup	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates CertUtil Backup	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates Certificate Issued	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates Certificate Request	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates CryptoAPI	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates Export Certificate	Steal or Forge Authentication Certificates	Anomaly
Windows Steal Authentication Certificates Export PfxCertificate	Steal or Forge Authentication Certificates	Anomaly
Windows Steal or Forge Kerberos Tickets Klist	Steal or Forge Kerberos Tickets	Hunting
Windows System Binary Proxy Execution Compiled HTML File Decompile	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers	Compiled HTML File, System Binary Proxy Execution	TTP
Windows System Binary Proxy Execution MSIExec DLLRegisterServer	Msiexec	TTP
Windows System Binary Proxy Execution MSIExec Remote Download	Msiexec	TTP
Windows System Binary Proxy Execution MSIExec Unregister DLL	Msiexec	TTP
Windows System Discovery Using Qwinsta	System Owner/User Discovery	Hunting
Windows System Discovery Using ldap Nslookup	System Owner/User Discovery	Hunting
Windows System File on Disk	Exploitation for Privilege Escalation	Hunting
Windows System LogOff Commandline	System Shutdown/Reboot	Anomaly
Windows System Network Config Discovery Display DNS	System Network Configuration Discovery	Hunting
Windows System Network Connections Discovery Netsh	System Network Connections Discovery	Hunting
Windows System Reboot CommandLine	System Shutdown/Reboot	Anomaly
Windows System Script Proxy Execution Syncappvpublishingserver	System Script Proxy Execution, System Binary Proxy Execution	TTP
Windows System Shutdown CommandLine	System Shutdown/Reboot	Anomaly
Windows System Time Discovery W32tm Delay	System Time Discovery	Anomaly
Windows System User Discovery Via Quser	System Owner/User Discovery	Hunting
Windows Terminating Lsass Process	Disable or Modify Tools, Impair Defenses	Anomaly
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Failed To Authenticate Using NTLM	Password Spraying, Brute Force	Anomaly
Windows Unusual Count Of Users Remotely Failed To Auth From Host	Password Spraying, Brute Force	Anomaly
Windows User Execution Malicious URL Shortcut File	Malicious File, User Execution	TTP
Windows Valid Account With Never Expires Password	Service Stop	TTP
Windows Vulnerable 3CX Software	Compromise Software Supply Chain	TTP
Windows Vulnerable Driver Loaded	Windows Service	Hunting
Windows WMI Impersonate Token	Windows Management Instrumentation	Anomaly
Windows WMI Process And Service List	Windows Management Instrumentation	Anomaly
Windows WMI Process Call Create	Windows Management Instrumentation	Hunting
Windows WMIPrvse Spawn MSBuild	Trusted Developer Utilities Proxy Execution, MSBuild	TTP
Windows WinLogon with Public Network Connection	Bootkit	Hunting
Windows connhost exe started forcefully	Windows Command Shell	TTP
Windows hosts file modification	None	TTP
Winhlp32 Spawning a Process	Process Injection	TTP
Winword Spawning Cmd	Phishing, Spearphishing Attachment	TTP
Winword Spawning PowerShell	Phishing, Spearphishing Attachment	TTP
Winword Spawning Windows Script Host	Phishing, Spearphishing Attachment	TTP
Wmic Group Discovery	Permission Groups Discovery, Local Groups	Hunting
Wmic NonInteractive App Uninstallation	Disable or Modify Tools, Impair Defenses	Hunting
Wmiprsve LOLBAS Execution Process Spawn	Windows Management Instrumentation	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP
Wsmprovhost LOLBAS Execution Process Spawn	Remote Services, Windows Remote Management	TTP
XMRIG Driver Loaded	Windows Service, Create or Modify System Process	TTP
XSL Script Execution With WMIC	XSL Script Processing	TTP
Zeek x509 Certificate with Punycode	Encrypted Channel	Hunting
aws detect attach to role policy	Valid Accounts	Hunting
aws detect permanent key creation	Valid Accounts	Hunting
aws detect role creation	Valid Accounts	Hunting
aws detect sts assume role abuse	Valid Accounts	Hunting
aws detect sts get session token abuse	Use Alternate Authentication Material	Hunting
gcp detect oauth token abuse	Valid Accounts	Hunting

• Endpoint 1010
• Cloud 160
• Deprecated 84
• Application 57
• Network 40
• Web 22

Endpoint

Windows Proxy Via Netsh

Internal Proxy, Proxy

Windows Ldifde Directory Object Behavior

Ingress Tool Transfer, Domain Groups

Windows Proxy Via Registry

Internal Proxy, Proxy

Network Share Discovery Via Dir Command

Network Share Discovery

Active Directory Privilege Escalation Identified

Domain Policy Modification

Windows AdFind Exe

Remote System Discovery

Windows PaperCut NG Spawn Shell

Command and Scripting Interpreter, Exploit Public-Facing Application

Windows Snake Malware Service Create

Kernel Modules and Extensions, Service Execution

Windows Snake Malware Kernel Driver Comadmin

Kernel Modules and Extensions

Windows Snake Malware File Modification Crmlog

Obfuscated Files or Information

Windows Snake Malware Registry Modification wav OpenWithProgIds

Modify Registry

Windows Registry BootExecute Modification

Pre-OS Boot, Registry Run Keys / Startup Folder

Windows WinLogon with Public Network Connection

Bootkit

Windows PowerSploit GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows File Share Discovery With Powerview

Unsecured Credentials, Group Policy Preferences

Windows Default Group Policy Object Modified with GPME

Domain Policy Modification, Group Policy Modification

Windows Findstr GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows PowerView AD Access Control List Enumeration

Domain Accounts, Permission Groups Discovery

Steal or Forge Authentication Certificates Behavior Identified

Steal or Forge Authentication Certificates

Disabling CMD Application

Disable or Modify Tools, Impair Defenses

Active Setup Registry Autostart

Active Setup, Boot or Logon Autostart Execution

Monitor Registry Keys for Print Monitors

Port Monitors, Boot or Logon Autostart Execution

Registry Keys for Creating SHIM Databases

Application Shimming, Event Triggered Execution

Disabling SystemRestore In Registry

Inhibit System Recovery

Disable ETW Through Registry

Disable or Modify Tools, Impair Defenses

Linux High Frequency Of File Deletion In Boot Folder

Data Destruction, File Deletion, Indicator Removal

Disabling NoRun Windows App

Disable or Modify Tools, Impair Defenses

Disabling Task Manager

Disable or Modify Tools, Impair Defenses

Disable Registry Tool

Disable or Modify Tools, Impair Defenses

Windows Hide Notification Features Through Registry

Modify Registry

Registry Keys Used For Privilege Escalation

Image File Execution Options Injection, Event Triggered Execution

Windows Disable Lock Workstation Feature Through Registry

Modify Registry

Windows Registry Modification for Safe Mode Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows Modify Show Compress Color And Info Tip Registry

Modify Registry

Linux Deletion Of Services

Data Destruction, File Deletion, Indicator Removal

Windows Disable LogOff Button Through Registry

Modify Registry

Linux High Frequency Of File Deletion In Etc Folder

Data Destruction, File Deletion, Indicator Removal

Enable RDP In Other Port Number

Remote Services

Disable UAC Remote Restriction

Bypass User Account Control, Abuse Elevation Control Mechanism

Disabling Defender Services

Disable or Modify Tools, Impair Defenses

ETW Registry Disabled

Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses

Disable Defender Spynet Reporting

Disable or Modify Tools, Impair Defenses

Linux Deletion of SSL Certificate

Data Destruction, File Deletion, Indicator Removal

Disabling FolderOptions Windows Feature

Disable or Modify Tools, Impair Defenses

Hide User Account From Sign-In Screen

Disable or Modify Tools, Impair Defenses

Disable Windows Behavior Monitoring

Disable or Modify Tools, Impair Defenses

Linux Account Manipulation Of SSH Config and Keys

Data Destruction, File Deletion, Indicator Removal

Disable Defender Submit Samples Consent Feature

Disable or Modify Tools, Impair Defenses

Linux Deletion Of Init Daemon Script

Data Destruction, File Deletion, Indicator Removal

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses

Disabling ControlPanel

Disable or Modify Tools, Impair Defenses

Disable Windows SmartScreen Protection

Disable or Modify Tools, Impair Defenses

Windows Disable Windows Group Policy Features Through Registry

Modify Registry

Windows Registry Certificate Added

Install Root Certificate, Subvert Trust Controls

Time Provider Persistence Registry

Time Providers, Boot or Logon Autostart Execution

Windows Disable Memory Crash Dump

Data Destruction

Windows Disable Shutdown Button Through Registry

Modify Registry

Linux Deletion Of Cron Jobs

Data Destruction, File Deletion, Indicator Removal

Disable Security Logs Using MiniNt Registry

Modify Registry

Windows Service Creation Using Registry Entry

Services Registry Permissions Weakness

Windows Disable Notification Center

Modify Registry

Disable Windows App Hotkeys

Disable or Modify Tools, Impair Defenses

Windows Defender Exclusion Registry Entry

Disable or Modify Tools, Impair Defenses

Windows Disable Change Password Through Registry

Modify Registry

Windows Credentials from Password Stores Chrome Login Data Access

Query Registry

Enable WDigest UseLogonCredential Registry

Modify Registry, OS Credential Dumping

Windows Credentials from Password Stores Chrome LocalState Access

Query Registry

Windows Credentials from Password Stores Chrome Extension Access

Query Registry

Non Firefox Process Access Firefox Profile Dir

Credentials from Password Stores, Credentials from Web Browsers

Impacket Lateral Movement smbexec CommandLine Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Executables Or Script Creation In Suspicious Path

Masquerading

Windows Event For Service Disabled

Disable or Modify Tools, Impair Defenses

Suspicious Process File Path

Create or Modify System Process

Non Chrome Process Accessing Chrome Default Dir

Credentials from Password Stores, Credentials from Web Browsers

Windows Query Registry UnInstall Program List

Query Registry

Windows Query Registry Browser List Application

Query Registry

Windows DisableAntiSpyware Registry

Disable or Modify Tools, Impair Defenses

Windows Default Group Policy Object Modified with GPME

Domain Policy Modification, Group Policy Modification

Windows Modify Registry No Auto Update

Modify Registry

Windows Modify Registry Do Not Connect To Win Update

Modify Registry

Impacket Lateral Movement WMIExec Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Windows Modify Registry UpdateServiceUrlAlternate

Modify Registry

Windows Modify Registry USeWuServer

Modify Registry

Windows Modify Registry Auto Minor Updates

Modify Registry

Windows Modify Registry WuServer

Modify Registry

Windows Modify Registry Disable WinDefender Notifications

Modify Registry

Windows Modify Registry No Auto Reboot With Logon User

Modify Registry

Windows Modify Registry Auto Update Notif

Modify Registry

Windows Modify Registry Tamper Protection

Modify Registry

Windows Service Stop Win Updates

Service Stop

Windows Modify Registry wuStatusServer

Modify Registry

Windows PowerView AD Access Control List Enumeration

Domain Accounts, Permission Groups Discovery

Active Directory Lateral Movement Identified

Exploitation of Remote Services

Windows RDP Connection Successful

RDP Hijacking

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Process Deleting Its Process File Path

Indicator Removal

Executable File Written in Administrative SMB Share

Remote Services, SMB/Windows Admin Shares

Regsvr32 Silent and Install Param Dll Loading

System Binary Proxy Execution, Regsvr32

Linux Disable Services

Service Stop

PowerShell - Connect To Internet With Hidden Window

PowerShell, Command and Scripting Interpreter

Attempted Credential Dump From Registry via Reg exe

Security Account Manager, OS Credential Dumping

Linux Unix Shell Enable All SysRq Functions

Unix Shell, Command and Scripting Interpreter

Linux System Reboot Via System Request Key

System Shutdown/Reboot

PowerShell Domain Enumeration

Command and Scripting Interpreter, PowerShell

Linux Indicator Removal Clear Cache

Indicator Removal

AdsiSearcher Account Discovery

Domain Account, Account Discovery

Linux Stdout Redirection To Dev Null File

Disable or Modify System Firewall, Impair Defenses

Windows InstallUtil in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows Processes Killed By Industroyer2 Malware

Service Stop

PowerShell 4104 Hunting

Command and Scripting Interpreter, PowerShell

Linux Stop Services

Service Stop

Ping Sleep Batch Command

Virtualization/Sandbox Evasion, Time Based Evasion

Malicious PowerShell Process With Obfuscation Techniques

Command and Scripting Interpreter, PowerShell

MSI Module Loaded by Non-System Binary

DLL Side-Loading, Hijack Execution Flow

Possible Lateral Movement PowerShell Spawn

Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...

Attempt To Stop Security Service

Disable or Modify Tools, Impair Defenses

Powershell Using memory As Backing Store

PowerShell, Command and Scripting Interpreter

Set Default PowerShell Execution Policy To Unrestricted or Bypass

Command and Scripting Interpreter, PowerShell

Linux Hardware Addition SwapOff

Hardware Additions

Linux Shred Overwrite Command

Data Destruction

Detect Empire with PowerShell Script Block Logging

Command and Scripting Interpreter, PowerShell

Windows NirSoft AdvancedRun

Tool

Schtasks Run Task On Demand

Scheduled Task/Job

WMI Recon Running Process Or Services

Gather Victim Host Information

Excessive File Deletion In WinDefender Folder

Data Destruction

Linux Data Destruction Command

Data Destruction

Powershell Enable SMB1Protocol Feature

Obfuscated Files or Information, Indicator Removal from Tools

Powershell Remove Windows Defender Directory

Disable or Modify Tools, Impair Defenses

Child Processes of Spoolsv exe

Exploitation for Privilege Escalation

Windows Raw Access To Disk Volume Partition

Disk Structure Wipe, Disk Wipe

Powershell Fileless Process Injection via GetProcAddress

Command and Scripting Interpreter, Process Injection, PowerShell

Unloading AMSI via Reflection

Impair Defenses, PowerShell, Command and Scripting Interpreter

Linux DD File Overwrite

Data Destruction

Powershell Windows Defender Exclusion Commands

Disable or Modify Tools, Impair Defenses

Impacket Lateral Movement Commandline Parameters

Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service

Dump LSASS via comsvcs DLL

LSASS Memory, OS Credential Dumping

Windows Root Domain linked policies Discovery

Domain Account, Account Discovery

Windows Raw Access To Master Boot Record Drive

Disk Structure Wipe, Disk Wipe

Linux Java Spawning Shell

Exploit Public-Facing Application

Windows Terminating Lsass Process

Disable or Modify Tools, Impair Defenses

Add or Set Windows Defender Exclusion

Disable or Modify Tools, Impair Defenses

Linux Indicator Removal Service File Deletion

File Deletion, Indicator Removal

Powershell Execute COM Object

Component Object Model Hijacking, Event Triggered Execution, PowerShell

Kerberoasting spn request with RC4 encryption

Steal or Forge Kerberos Tickets, Kerberoasting

Windows NirSoft Utilities

Tool

Screensaver Event Trigger Execution

Event Triggered Execution, Screensaver

Linux System Network Discovery

System Network Configuration Discovery

Linux Adding Crontab Using List Parameter

Cron, Scheduled Task/Job

Windows Linked Policies In ADSI Discovery

Domain Account, Account Discovery

Windows BootLoader Inventory

System Firmware, Pre-OS Boot

Suspicious Process With Discord DNS Query

Visual Basic, Command and Scripting Interpreter

Logon Script Event Trigger Execution

Boot or Logon Initialization Scripts, Logon Script (Windows)

Runas Execution in CommandLine

Access Token Manipulation, Token Impersonation/Theft

Change Default File Association

Change Default File Association, Event Triggered Execution

Windows High File Deletion Frequency

Data Destruction

Linux Impair Defenses Process Kill

Disable or Modify Tools, Impair Defenses

Suspicious Process DNS Query Known Abuse Web Services

Visual Basic, Command and Scripting Interpreter

Windows Data Destruction Recursive Exec Files Deletion

Data Destruction

Linux Deleting Critical Directory Using RM Command

Data Destruction

Recon AVProduct Through Pwh or WMI

Gather Victim Host Information

Print Processor Registry Autostart

Print Processors, Boot or Logon Autostart Execution

Wscript Or Cscript Suspicious Child Process

Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation

Any Powershell DownloadFile

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows Deleted Registry By A Non Critical Process File Path

Modify Registry

Overwriting Accessibility Binaries

Event Triggered Execution, Accessibility Features

W3WP Spawning Shell

Server Software Component, Web Shell

Windows File Without Extension In Critical Folder

Data Destruction

Powershell Processing Stream Of Data

Command and Scripting Interpreter, PowerShell

Windows Hidden Schedule Task Settings

Scheduled Task/Job

Linux Service Restarted

Systemd Timers, Scheduled Task/Job

Recon Using WMI Class

Gather Victim Host Information, PowerShell

Windows Impair Defenses Disable HVCI

Disable or Modify Tools, Impair Defenses

Linux Iptables Firewall Modification

Disable or Modify System Firewall, Impair Defenses

Linux Kworker Process In Writable Process Path

Masquerade Task or Service, Masquerading

Batch File Write to System32

User Execution, Malicious File

Disable Defender MpEngine Registry

Disable or Modify Tools, Impair Defenses

Disable Defender AntiVirus Registry

Disable or Modify Tools, Impair Defenses

Disable AMSI Through Registry

Disable or Modify Tools, Impair Defenses

Disable Defender BlockAtFirstSeen Feature

Disable or Modify Tools, Impair Defenses

Auto Admin Logon Registry Entry

Credentials in Registry, Unsecured Credentials

Windows Admon Group Policy Object Created

Domain Policy Modification, Group Policy Modification

Windows DnsAdmins New Member Added

Account Manipulation

Scheduled Task Deleted Or Created via CMD

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell

Account Discovery, Local Account

WinEvent Windows Task Scheduler Event Action Started

Scheduled Task

Powershell Fileless Script Contains Base64 Encoded Content

Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell

System User Discovery With Whoami

System Owner/User Discovery

PowerShell Loading DotNET into Memory via Reflection

Command and Scripting Interpreter, PowerShell

Windows Scheduled Task Created Via XML

Scheduled Task, Scheduled Task/Job

GetWmiObject User Account with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Windows Screen Capture Via Powershell

Screen Capture

WinEvent Scheduled Task Created Within Public Path

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Powershell UploadString

Exfiltration Over C2 Channel

CMD Carry Out String Command Parameter

Windows Command Shell, Command and Scripting Interpreter

Schedule Task with HTTP Command Arguments

Scheduled Task/Job

Any Powershell DownloadString

Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer

Windows DNS Gather Network Info

DNS

WinEvent Scheduled Task Created to Spawn Shell

Scheduled Task, Scheduled Task/Job

Windows Exfiltration Over C2 Via Invoke RestMethod

Exfiltration Over C2 Channel

Windows Vulnerable 3CX Software

Compromise Software Supply Chain

3CX Supply Chain Attack Network Indicators

Compromise Software Supply Chain

Hunting 3CXDesktopApp Software

Compromise Software Supply Chain

Add DefaultUser And Password In Registry

Credentials in Registry, Unsecured Credentials

Windows Service Create with Tscon

RDP Hijacking, Remote Service Session Hijacking, Windows Service

Windows Admon Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Allow Operation with Consent Admin

Abuse Elevation Control Mechanism

Allow Inbound Traffic By Firewall Rule Registry

Remote Desktop Protocol, Remote Services

Windows Default Group Policy Object Modified

Domain Policy Modification, Group Policy Modification

Windows PowerShell Get CIMInstance Remote Computer

PowerShell

Windows Special Privileged Logon On Multiple Hosts

Account Discovery, SMB/Windows Admin Shares, Network Share Discovery

Windows PowerShell WMI Win32 ScheduledJob

PowerShell, Command and Scripting Interpreter

Windows Group Policy Object Created

Domain Policy Modification, Group Policy Modification, Domain Accounts

Windows Enable Win32 ScheduledJob via Registry

Scheduled Task

PowerShell Start or Stop Service

PowerShell

Windows Administrative Shares Accessed On Multiple Hosts

Network Share Discovery

Windows Rapid Authentication On Multiple Hosts

Security Account Manager

PowerShell Invoke CIMMethod CIMSession

Windows Management Instrumentation

PowerShell Enable PowerShell Remoting

PowerShell, Command and Scripting Interpreter

Windows Local Administrator Credential Stuffing

Brute Force, Credential Stuffing

PowerShell Invoke WmiExec Usage

Windows Management Instrumentation

Windows Lateral Tool Transfer RemCom

Lateral Tool Transfer

Windows File Share Discovery With Powerview

Network Share Discovery

Windows Large Number of Computer Service Tickets Requested

Network Share Discovery, Valid Accounts

Windows Remote Create Service

Create or Modify System Process, Windows Service

Windows Service Create RemComSvc

Windows Service, Create or Modify System Process

Windows Rundll32 WebDav With Network Connection

Exfiltration Over Unencrypted Non-C2 Protocol

Windows Findstr GPP Discovery

Unsecured Credentials, Group Policy Preferences

Windows PowerSploit GPP Discovery

Unsecured Credentials, Group Policy Preferences

Msmpeng Application DLL Side Loading

DLL Side-Loading, Hijack Execution Flow

Windows Rundll32 WebDAV Request

Exfiltration Over Unencrypted Non-C2 Protocol

Suspicious DLLHost no Command Line Arguments

Process Injection

Linux SSH Remote Services Script Execute

SSH

Windows Service Create SliverC2

System Services, Service Execution

Suspicious Regsvr32 Register Suspicious Path

System Binary Proxy Execution, Regsvr32

Windows Driver Load Non-Standard Path

Rootkit, Exploitation for Privilege Escalation

Windows Process Injection into Notepad

Process Injection, Portable Executable Injection

Notepad with no Command Line Arguments

Process Injection

Office Product Spawning Wmic

Phishing, Spearphishing Attachment

Office Product Writing cab or inf

Phishing, Spearphishing Attachment

Office Product Spawning BITSAdmin

Phishing, Spearphishing Attachment

Office Document Creating Schedule Task

Phishing, Spearphishing Attachment

Office Product Spawning Rundll32 with no DLL

Phishing, Spearphishing Attachment

Office Product Spawning Windows Script Host

Phishing, Spearphishing Attachment

Office Application Spawn rundll32 process

Phishing, Spearphishing Attachment

Office Application Drop Executable

Phishing, Spearphishing Attachment

Office Document Spawned Child Process To Download

Phishing, Spearphishing Attachment

Office Product Spawning CertUtil

Phishing, Spearphishing Attachment

Office Product Spawning MSHTA

Phishing, Spearphishing Attachment

MSHTML Module Load in Office Product

Phishing, Spearphishing Attachment

Office Application Spawn Regsvr32 process

Phishing, Spearphishing Attachment

Windows Spearphishing Attachment Connect To None MS Office Domain

Spearphishing Attachment, Phishing

Windows Office Product Spawning MSDT

Phishing, Spearphishing Attachment

Office Spawning Control

Phishing, Spearphishing Attachment

Windows Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CryptoAPI

Steal or Forge Authentication Certificates

Detect Outlook exe writing a zip file

Phishing, Spearphishing Attachment

Windows Mimikatz Crypto Export File Extensions

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CertUtil Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates CS Backup

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Issued

Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Certificate Request

Steal or Forge Authentication Certificates

Windows Driver Inventory

Exploitation for Privilege Escalation

Windows PowerShell Export PfxCertificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Export Certificate

Steal or Forge Authentication Certificates

Windows PowerShell Export Certificate

Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates

Windows Steal Authentication Certificates Export PfxCertificate

Steal or Forge Authentication Certificates

Windows AD Domain Controller Audit Policy Disabled

Disable or Modify Tools

Windows Powershell Cryptography Namespace

PowerShell, Command and Scripting Interpreter

Windows AD Domain Controller Promotion

Rogue Domain Controller

Windows Scheduled Task with Highest Privileges

Scheduled Task/Job, Scheduled Task

Office Document Executing Macro Code

Phishing, Spearphishing Attachment

Windows Spearphishing Attachment Onenote Spawn Mshta

Spearphishing Attachment, Phishing

Windows Credential Dumping LSASS Memory Createdump

LSASS Memory

Detect suspicious processnames using pretrained model in DSDL

Command and Scripting Interpreter

Windows Java Spawning Shells

Exploit Public-Facing Application

Windows PowerShell Add Module to Global Assembly Cache

Server Software Component, IIS Components

Windows Phishing PDF File Executes URL Link

Spearphishing Attachment, Phishing

Windows Server Software Component GACUtil Install to GAC

Server Software Component, IIS Components

Windows Replication Through Removable Media

Replication Through Removable Media

Windows Modify Registry Default Icon Setting

Modify Registry

Windows Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Linux Ngrok Reverse Proxy Usage

Protocol Tunneling, Proxy, Web Service

Windows Boot or Logon Autostart Execution In Startup Folder

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows User Execution Malicious URL Shortcut File

Malicious File, User Execution

Account Discovery With Net App

Domain Account, Account Discovery

Windows DLL Search Order Hijacking Hunt with Sysmon

DLL Search Order Hijacking, Hijack Execution Flow

Windows DLL Search Order Hijacking Hunt

DLL Search Order Hijacking, Hijack Execution Flow

Windows PowerShell IIS Components WebGlobalModule Usage

Server Software Component, IIS Components

Windows PowerShell Disable HTTP Logging

Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components

Windows Disable Windows Event Logging Disable HTTP Logging

Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components

Windows IIS Components Module Failed to Load

Server Software Component, IIS Components

Windows IIS Components Get-WebGlobalModule Module Query

IIS Components, Server Software Component

Windows IIS Components New Module Added

Server Software Component, IIS Components

Windows IIS Components Add New Module

Server Software Component, IIS Components

Windows Modify Registry Reg Restore

Query Registry

Windows Query Registry Reg Save

Query Registry

Windows Vulnerable Driver Loaded

Windows Service

Windows WMI Process And Service List

Windows Management Instrumentation

Windows System Network Config Discovery Display DNS

System Network Configuration Discovery

Windows Change Default File Association For No File Ext

Change Default File Association, Event Triggered Execution

Windows Credentials from Password Stores Query

Credentials from Password Stores

Windows Indirect Command Execution Via Series Of Forfiles

Indirect Command Execution

Windows System Network Connections Discovery Netsh

System Network Connections Discovery

Windows ClipBoard Data via Get-ClipBoard

Clipboard Data

Windows Credentials in Registry Reg Query

Credentials in Registry, Unsecured Credentials

Windows Password Managers Discovery

Password Managers

Windows Service Stop Via Net and SC Application

Service Stop

Windows Private Keys Discovery

Private Keys, Unsecured Credentials

Windows Cached Domain Credentials Reg Query

Cached Domain Credentials, OS Credential Dumping

Windows Security Support Provider Reg Query

Security Support Provider, Boot or Logon Autostart Execution

Windows Information Discovery Fsutil

System Information Discovery

Windows System User Discovery Via Quser

System Owner/User Discovery

Windows Steal or Forge Kerberos Tickets Klist

Steal or Forge Kerberos Tickets

BITSAdmin Download File

BITS Jobs, Ingress Tool Transfer

Powershell Load Module in Meterpreter

Command and Scripting Interpreter, PowerShell

Windows Apache Benchmark Binary

Command and Scripting Interpreter

Windows MSExchange Management Mailbox Cmdlet Usage

Command and Scripting Interpreter, PowerShell

Exchange PowerShell Module Usage

Command and Scripting Interpreter, PowerShell

Windows AD Short Lived Domain Account ServicePrincipalName

Account Manipulation

Windows AD Domain Replication ACL Addition

Domain Policy Modification

Windows AD ServicePrincipalName Added To Domain Account

Account Manipulation

Windows AD Replication Request Initiated from Unsanctioned Location

DCSync, OS Credential Dumping

Windows AD Cross Domain SID History Addition

SID-History Injection, Access Token Manipulation

Windows Mimikatz Binary Execution

OS Credential Dumping

Windows AD SID History Attribute Modified

Access Token Manipulation, SID-History Injection

Remote Process Instantiation via WMI and PowerShell Script Block

Windows Management Instrumentation

Windows AD AdminSDHolder ACL Modified

Event Triggered Execution

Remcos client registry install entry

Modify Registry

Revil Registry Entry

Modify Registry

Disable Defender Enhanced Notification

Disable or Modify Tools, Impair Defenses

Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Sdclt UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

Eventvwr UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

WSReset UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

SilentCleanup UAC Bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Service Created with Suspicious Service Path

System Services, Service Execution

Get DomainUser with PowerShell Script Block

Domain Account, Account Discovery

Recursive Delete of Directory In Batch CMD

File Deletion, Indicator Removal

Common Ransomware Extensions

Data Destruction

Windows Process Injection Remote Thread

Process Injection, Portable Executable Injection

Windows App Layer Protocol Qakbot NamedPipe

Application Layer Protocol

Detect Rare Executables

Windows Modify Registry Qakbot Binary Data Registry

Modify Registry

Windows Process Injection Of Wermgr to Known Browser

Dynamic-link Library Injection, Process Injection

Windows App Layer Protocol Wermgr Connect To NamedPipe

Application Layer Protocol

Windows Regsvr32 Renamed Binary

Regsvr32, System Binary Proxy Execution

Cmdline Tool Not Executed In CMD Shell

Command and Scripting Interpreter, JavaScript

Windows Process Injection Wermgr Child Process

Process Injection

Windows Command Shell Fetch Env Variables

Process Injection

Windows WMI Impersonate Token

Windows Management Instrumentation

Windows DLL Side-Loading In Calc

DLL Side-Loading, Hijack Execution Flow

Windows System Discovery Using Qwinsta

System Owner/User Discovery

Windows System Discovery Using ldap Nslookup

System Owner/User Discovery

Windows Masquerading Explorer As Child Process

DLL Side-Loading, Hijack Execution Flow

Windows DLL Side-Loading Process Child Of Calc

DLL Side-Loading, Hijack Execution Flow

Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities At exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path

Masquerading, Rename System Utilities

Windows AD Short Lived Server Object

Rogue Domain Controller

Windows Mshta Execution In Registry

Mshta

Office Product Spawning Windows Script Host

Phishing, Spearphishing Attachment

Windows Exchange PowerShell Module Usage

Command and Scripting Interpreter, PowerShell

Windows COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Event Triggered Execution

Detect SharpHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Windows Create Local Account

Local Account, Create Account

Exchange PowerShell Abuse via SSRF

Exploit Public-Facing Application

Detect Exchange Web Shell

Server Software Component, Web Shell, Exploit Public-Facing Application

Powershell COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell

Windows COM Hijacking InprocServer32 Modification

Component Object Model Hijacking, Event Triggered Execution

Windows System Script Proxy Execution Syncappvpublishingserver

System Script Proxy Execution, System Binary Proxy Execution

Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Remotely Failed To Auth From Host

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Auth Using Kerberos

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM

Password Spraying, Brute Force

Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials

Password Spraying, Brute Force

Registry Keys Used For Persistence

Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution

Windows ISO LNK File Creation

Spearphishing Attachment, Phishing, Malicious Link, User Execution

Windows Phishing Recent ISO Exec Registry

Spearphishing Attachment, Phishing

Windows Mail Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Multi hop Proxy TOR Website Query

Mail Protocols, Application Layer Protocol

Windows File Transfer Protocol In Non-Common Process Path

Mail Protocols, Application Layer Protocol

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Windows Protocol Tunneling with Plink

Protocol Tunneling, SSH

Windows Odbcconf Load Response File

Odbcconf, System Binary Proxy Execution

High Process Termination Frequency

Data Encrypted for Impact

Windows Identify Protocol Handlers

Command and Scripting Interpreter

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Get ADUser with PowerShell Script Block

Domain Account, Account Discovery

Windows AD Privileged Account SID History Addition

SID-History Injection, Access Token Manipulation

Log4Shell CVE-2021-44228 Exploitation

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Windows AD Same Domain SID History Addition

SID-History Injection, Access Token Manipulation

Disabling Windows Local Security Authority Defences via Registry

Modify Authentication Process

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Windows Event Triggered Image File Execution Options Injection

Image File Execution Options Injection

Windows AD DSRM Password Reset

Account Manipulation

Windows AD Replication Request Initiated by User Account

DCSync, OS Credential Dumping

Windows AD DSRM Account Changes

Account Manipulation

Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers

Compiled HTML File, System Binary Proxy Execution

Windows AD Short Lived Domain Controller SPN Attribute

Rogue Domain Controller

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows System Binary Proxy Execution Compiled HTML File URL In Command Line

Compiled HTML File, System Binary Proxy Execution

Windows OS Credential Dumping with Procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Unregister DLL

Msiexec

Windows OS Credential Dumping with Ntdsutil Export NTDS

NTDS, OS Credential Dumping

Windows System Binary Proxy Execution MSIExec Remote Download

Msiexec

Windows System Binary Proxy Execution MSIExec DLLRegisterServer

Msiexec

Dump LSASS via procdump

LSASS Memory, OS Credential Dumping

Windows System Binary Proxy Execution Compiled HTML File Decompile

Compiled HTML File, System Binary Proxy Execution

Windows LOLBin Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Linux Persistence and Privilege Escalation Risk Behavior

Abuse Elevation Control Mechanism

Windows Ingress Tool Transfer Using Explorer

Ingress Tool Transfer

Powershell Remote Thread To Known Windows Process

Process Injection

Windows Defacement Modify Transcodedwallpaper File

Defacement

Windows InstallUtil Credential Theft

InstallUtil, System Binary Proxy Execution

Detect Excessive Account Lockouts From Endpoint

Valid Accounts, Domain Accounts

Detect Excessive User Account Lockouts

Valid Accounts, Local Accounts

Windows Possible Credential Dumping

LSASS Memory, OS Credential Dumping

Windows Access Token Manipulation Winlogon Duplicate Token Handle

Token Impersonation/Theft, Access Token Manipulation

Windows Service Deletion In Registry

Service Stop

Windows Access Token Winlogon Duplicate Handle In Uncommon Path

Token Impersonation/Theft, Access Token Manipulation

Windows Gather Victim Identity SAM Info

Credentials, Gather Victim Identity Information

Windows Hijack Execution Flow Version Dll Side Load

DLL Search Order Hijacking, Hijack Execution Flow

Windows Remote Access Software BRC4 Loaded Dll

Remote Access Software, OS Credential Dumping

Windows Access Token Manipulation SeDebugPrivilege

Create Process with Token, Access Token Manipulation

Windows Process Injection With Public Source Path

Process Injection, Portable Executable Injection

Windows Input Capture Using Credential UI Dll

GUI Input Capture, Input Capture

Windows Remote Access Software Hunt

Remote Access Software

Windows Autostart Execution LSASS Driver Registry Modification

LSASS Driver

Linux Csvtool Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c99 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux apt-get Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Cpulimit Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux OpenVPN Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sqlite3 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Composer Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Octave Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux c89 Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux APT Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Busybox Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Puppet Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux RPM Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux MySQL Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Emacs Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Make Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux PHP Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GDB Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Find Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux GNU Awk Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Ruby Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Gem Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux AWK Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Docker Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Node Privilege Escalation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Windows Non-System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Windows DLL Search Order Hijacking with iscsicpl

DLL Search Order Hijacking

Linux Curl Upload File

Ingress Tool Transfer

Linux Proxy Socks Curl

Proxy, Non-Application Layer Protocol

Linux Ingress Tool Transfer with Curl

Ingress Tool Transfer

Linux Ingress Tool Transfer Hunting

Ingress Tool Transfer

Windows Gather Victim Host Information Camera

Hardware, Gather Victim Host Information

Windows System Time Discovery W32tm Delay

System Time Discovery

Linux Clipboard Data Copy

Clipboard Data

Windows Command Shell DCRat ForkBomb Payload

Windows Command Shell, Command and Scripting Interpreter

Linux SSH Authorized Keys Modification

SSH Authorized Keys

Windows System Reboot CommandLine

System Shutdown/Reboot

Windows System LogOff Commandline

System Shutdown/Reboot

Linux Kernel Module Enumeration

System Information Discovery, Rootkit

Linux Decode Base64 to Shell

Obfuscated Files or Information, Unix Shell

Windows System Shutdown CommandLine

System Shutdown/Reboot

Linux Obfuscated Files or Information Base64 Decode

Obfuscated Files or Information

Wmic NonInteractive App Uninstallation

Disable or Modify Tools, Impair Defenses

Windows Defender Tools in Non Standard Path

Masquerading, Rename System Utilities

Windows MOF Event Triggered Execution via WMI

Windows Management Instrumentation Event Subscription

Powershell Disable Security Monitoring

Disable or Modify Tools, Impair Defenses

Certutil exe certificate extraction

Suspicious Image Creation In Appdata Folder

Screen Capture

Windows Binary Proxy Execution Mavinject DLL Injection

Mavinject, System Binary Proxy Execution

Suspicious WAV file in Appdata Folder

Screen Capture

Windows Odbcconf Load Response File

Odbcconf

Windows Powershell Import Applocker Policy

PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses

Windows Odbcconf Hunting

Odbcconf

Windows Execute Arbitrary Commands with MSDT

System Binary Proxy Execution

Remote System Discovery with Adsisearcher

Remote System Discovery

Outbound Network Connection from Java Using Default Ports

Exploit Public-Facing Application

Windows Odbcconf Load DLL

Odbcconf

Windows Impair Defense Deny Security Software With Applocker

Disable or Modify Tools, Impair Defenses

Windows Remote Service Rdpwinst Tool Execution

Remote Desktop Protocol, Remote Services

Windows Application Layer Protocol RMS Radmin Tool Namedpipe

Application Layer Protocol

Windows Modify Registry Regedit Silent Reg Import

Modify Registry

Windows Impair Defense Add Xml Applocker Rules

Disable or Modify Tools, Impair Defenses

Windows Valid Account With Never Expires Password

Service Stop

Windows Modify Registry Disable Win Defender Raw Write Notif

Modify Registry

Windows Modify Registry Disable Toast Notifications

Modify Registry

Windows Remote Access Software RMS Registry

Remote Access Software

Windows Modify Registry Suppress Win Defender Notif

Modify Registry

Windows PowerView SPN Discovery

Steal or Forge Kerberos Tickets, Kerberoasting

Windows PowerView Kerberos Service Ticket Request

Steal or Forge Kerberos Tickets, Kerberoasting

Windows Modify Registry DisAllow Windows App

Modify Registry

Windows Modify Registry Disable Windows Security Center Notif

Modify Registry

Windows Modify Registry Disabling WER Settings

Modify Registry

Windows Remote Services Allow Remote Assistance

Remote Desktop Protocol, Remote Services

Windows Remote Services Allow Rdp In Firewall

Remote Desktop Protocol, Remote Services

Windows Remote Services Rdp Enable

Remote Desktop Protocol, Remote Services

Windows Gather Victim Network Info Through Ip Check Web Services

IP Addresses, Gather Victim Network Information

Windows Service Stop By Deletion

Service Stop

Windows MSIExec With Network Connections

Msiexec

Windows MSIExec Remote Download

Msiexec

Windows MSIExec DLLRegisterServer

Msiexec

Windows MSIExec Unregister DLLRegisterServer

Msiexec

Windows MSIExec Spawn Discovery Command

Msiexec

Windows Impair Defenses Disable Win Defender Auto Logging

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Profile Registry

Disable or Modify Tools, Impair Defenses

Windows Impair Defense Delete Win Defender Context Menu

Disable or Modify Tools, Impair Defenses

Java Writing JSP File

Exploit Public-Facing Application

Excessive Usage of NSLOOKUP App

Exfiltration Over Alternative Protocol

Wermgr Process Connecting To IP Check Web Services

Gather Victim Network Information, IP Addresses

Unload Sysmon Filter Driver

Disable or Modify Tools, Impair Defenses

Windows Command and Scripting Interpreter Hunting Path Traversal

Command and Scripting Interpreter

Windows Command and Scripting Interpreter Path Traversal Exec

Command and Scripting Interpreter

MacOS plutil

Plist File Modification

Linux At Application Execution

At, Scheduled Task/Job

Linux Possible Append Command To At Allow Config File

At, Scheduled Task/Job

Schtasks scheduling job on remote system

Scheduled Task, Scheduled Task/Job

Windows System File on Disk

Exploitation for Privilege Escalation

Cobalt Strike Named Pipes

Process Injection

Potential password in username

Local Accounts, Credentials In Files

Windows Service Create Kernel Mode Driver

Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation

Disabled Kerberos Pre-Authentication Discovery With PowerView

Steal or Forge Kerberos Tickets, AS-REP Roasting

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetWmiObject DS User with PowerShell Script Block

Domain Account, Account Discovery

GetDomainComputer with PowerShell Script Block

Remote System Discovery

Windows KrbRelayUp Service Creation

Windows Service

GetAdComputer with PowerShell Script Block

Remote System Discovery

Mailsniper Invoke functions

Email Collection, Local Email Collection

Get DomainPolicy with Powershell Script Block

Password Policy Discovery

Get-DomainTrust with PowerShell Script Block

Domain Trust Discovery

Get ADUserResultantPasswordPolicy with Powershell Script Block

Password Policy Discovery

GetWmiObject Ds Group with PowerShell Script Block

Permission Groups Discovery, Domain Groups

GetDomainController with PowerShell Script Block

Remote System Discovery

Powershell Creating Thread Mutex

Obfuscated Files or Information, Indicator Removal from Tools, PowerShell

Delete ShadowCopy With PowerShell

Inhibit System Recovery

GetWmiObject Ds Computer with PowerShell Script Block

Remote System Discovery

GetDomainGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Windows Computer Account With SPN

Steal or Forge Kerberos Tickets

Windows Computer Account Requesting Kerberos Ticket

Steal or Forge Kerberos Tickets

Windows Computer Account Created by Computer Account

Steal or Forge Kerberos Tickets

Windows Kerberos Local Successful Logon

Steal or Forge Kerberos Tickets

Powershell Get LocalGroup Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

NLTest Domain Trust Discovery

Domain Trust Discovery

Windows Rundll32 Comsvcs Memory Dump

NTDS, OS Credential Dumping

Windows Registry Delete Task SD

Scheduled Task, Impair Defenses

Suspicious microsoft workflow compiler rename

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities

Detect mshta renamed

System Binary Proxy Execution, Mshta

Detect Renamed PSExec

System Services, Service Execution

Detect HTML Help Renamed

System Binary Proxy Execution, Compiled HTML File

Suspicious MSBuild Rename

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild

Windows Indirect Command Execution Via pcalua

Indirect Command Execution

Windows Indirect Command Execution Via forfiles

Indirect Command Execution

GetNetTcpconnection with PowerShell Script Block

System Network Connections Discovery

Windows PowerView Constrained Delegation Discovery

Remote System Discovery

Windows Drivers Loaded by Signature

Rootkit, Exploitation for Privilege Escalation

Windows PowerView Unconstrained Delegation Discovery

Remote System Discovery

Windows Get-AdComputer Unconstrained Delegation Discovery

Remote System Discovery

System Process Running from Unexpected Location

Masquerading

Remote Process Instantiation via DCOM and PowerShell Script Block

Remote Services, Distributed Component Object Model

GetAdGroup with PowerShell Script Block

Permission Groups Discovery, Domain Groups

Interactive Session on Remote Endpoint with PowerShell

Remote Services, Windows Remote Management

GetCurrent User with PowerShell Script Block

System Owner/User Discovery

Remote Process Instantiation via WinRM and PowerShell Script Block

Remote Services, Windows Remote Management

User Discovery With Env Vars PowerShell Script Block

System Owner/User Discovery

Get WMIObject Group Discovery with Script Block Logging

Permission Groups Discovery, Local Groups

Kerberos Pre-Authentication Flag Disabled with PowerShell

Steal or Forge Kerberos Tickets, AS-REP Roasting

GetLocalUser with PowerShell Script Block

Account Discovery, Local Account, PowerShell

Get ADDefaultDomainPasswordPolicy with Powershell Script Block

Password Policy Discovery

Modify ACLs Permission Of Files Or Folders

File and Directory Permissions Modification

Delete A Net User

Account Access Removal

Modify ACL permission To Files Or Folder

File and Directory Permissions Modification

Windows DotNet Binary in Non Standard Path

Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil

Windows InstallUtil Remote Network Connection

InstallUtil, System Binary Proxy Execution

Windows InstallUtil Uninstall Option with Network

InstallUtil, System Binary Proxy Execution

Suspicious SearchProtocolHost no Command Line Arguments

Process Injection

Suspicious GPUpdate no Command Line Arguments

Process Injection

DLLHost with no Command Line Arguments with Network

Process Injection

Suspicious Rundll32 no Command Line Arguments

System Binary Proxy Execution, Rundll32

Detect Regasm with no Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

SearchProtocolHost with no Command Line with Network

Process Injection

Kerberos Service Ticket Request Using RC4 Encryption

Steal or Forge Kerberos Tickets, Golden Ticket

Detect Regsvcs with No Command Line Arguments

System Binary Proxy Execution, Regsvcs/Regasm

Rundll32 with no Command Line Arguments with Network

System Binary Proxy Execution, Rundll32

GPUpdate with no Command Line Arguments with Network

Process Injection

Kerberos User Enumeration

Gather Victim Identity Information, Email Addresses

Unknown Process Using The Kerberos Protocol

Use Alternate Authentication Material

Suspicious msbuild path

Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild

MacOS LOLbin

Unix Shell, Command and Scripting Interpreter

Kerberos TGT Request Using RC4 Encryption

Use Alternate Authentication Material

Windows Script Host Spawn MSBuild

MSBuild, Trusted Developer Utilities Proxy Execution

Windows WMIPrvse Spawn MSBuild

Trusted Developer Utilities Proxy Execution, MSBuild

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter

Excessive distinct processes from Windows Temp

Command and Scripting Interpreter

ServicePrincipalNames Discovery with PowerShell

Kerberoasting

Detect Mimikatz With PowerShell Script Block Logging

OS Credential Dumping, PowerShell

Get-ForestTrust with PowerShell Script Block

Domain Trust Discovery, PowerShell

Windows MSHTA Child Process

Mshta, System Binary Proxy Execution

Windows Process With NamedPipe CommandLine

Process Injection

Windows Excessive Disabled Services Event

Disable or Modify Tools, Impair Defenses

Windows MSHTA Command-Line URL

Mshta, System Binary Proxy Execution

Windows MSHTA Inline HTA Execution

Mshta, System Binary Proxy Execution

Windows Rundll32 Inline HTA Execution

System Binary Proxy Execution, Mshta

Kerberos Pre-Authentication Flag Disabled in UserAccountControl

Steal or Forge Kerberos Tickets, AS-REP Roasting

Windows WMI Process Call Create

Windows Management Instrumentation

Rundll32 DNSQuery

System Binary Proxy Execution, Rundll32

Detect Regsvcs with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

Detect Regasm with Network Connection

System Binary Proxy Execution, Regsvcs/Regasm

NET Profiler UAC bypass

Bypass User Account Control, Abuse Elevation Control Mechanism

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Bitsadmin Download File

BITS Jobs, Ingress Tool Transfer

Windows CertUtil Decode File

Deobfuscate/Decode Files or Information

Windows CertUtil VerifyCtl Download

Ingress Tool Transfer

Windows CertUtil URLCache Download

Ingress Tool Transfer

Windows PowerShell Start-BitsTransfer

BITS Jobs, Ingress Tool Transfer

Office Product Spawn CMD Process

Phishing, Spearphishing Attachment

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Rasautou DLL Execution

Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection

Windows Diskshadow Proxy Execution

System Binary Proxy Execution

Windows Bits Job Persistence

BITS Jobs

Windows Powershell Connect to Internet With Hidden Window

Automated Exfiltration

Windows Powershell DownloadFile

Automated Exfiltration

Unusual Number of Kerberos Service Tickets Requested

Steal or Forge Kerberos Tickets, Kerberoasting

RunDLL Loading DLL By Ordinal

System Binary Proxy Execution, Rundll32

Windows Remote Assistance Spawning Process

Process Injection

Rubeus Kerberos Ticket Exports Through Winlogon Access

Use Alternate Authentication Material, Pass the Ticket

Windows Schtasks Create Run As System

Scheduled Task, Scheduled Task/Job

CertUtil Download With VerifyCtl and Split Arguments

Ingress Tool Transfer

CertUtil Download With URLCache and Split Arguments

Ingress Tool Transfer

Rubeus Command Line Parameters

Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting

Mimikatz PassTheTicket CommandLine Parameters

Use Alternate Authentication Material, Pass the Ticket

Linux pkexec Privilege Escalation

Exploitation for Privilege Escalation

Malicious PowerShell Process - Encoded Command

Obfuscated Files or Information

Potentially malicious code on commandline

Windows Command Shell

Windows Hunting System Account Targeting Lsass

LSASS Memory, OS Credential Dumping

Linux Possible Ssh Key File Creation

SSH Authorized Keys, Account Manipulation

Linux Possible Access Or Modification Of sshd Config File

SSH Authorized Keys, Account Manipulation

Linux Possible Access To Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Possible Access To Credential Files

/etc/passwd and /etc/shadow, OS Credential Dumping

Linux Doas Conf File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Doas Tool Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudo OR Su Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Sudoers Tmp File Creation

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Common Process For Elevation Control

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Preload Hijack Library Calls

Dynamic Linker Hijacking, Hijack Execution Flow

Linux File Created In Kernel Driver Directory

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Install Kernel Module Using Modprobe Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Linux Insert Kernel Module Using Insmod Utility

Kernel Modules and Extensions, Boot or Logon Autostart Execution

Suspicious Ticket Granting Ticket Request

Valid Accounts, Domain Accounts

Linux Change File Owner To Root

Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Setuid Using Chmod Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux NOPASSWD Entry In Sudoers File

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Setuid Using Setcap Utility

Setuid and Setgid, Abuse Elevation Control Mechanism

Linux Add User Account

Local Account, Create Account

Linux Visudo Utility Execution

Sudo and Sudo Caching, Abuse Elevation Control Mechanism

Linux Service Started Or Enabled

Systemd Timers, Scheduled Task/Job

Linux Service File Created In Systemd Directory

Systemd Timers, Scheduled Task/Job

Linux Possible Append Command To Profile Config File

Unix Shell Configuration Modification, Event Triggered Execution

Linux File Creation In Init Boot Directory

RC Scripts, Boot or Logon Initialization Scripts

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal

Suspicious Kerberos Service Ticket Request

Valid Accounts, Domain Accounts

Linux File Creation In Profile Directory

Unix Shell Configuration Modification, Event Triggered Execution

Suspicious Computer Account Name Change

Valid Accounts, Domain Accounts

Hiding Files And Directories With Attrib exe

Windows File and Directory Permissions Modification, File and Directory Permissions Modification

Linux Possible Cronjob Modification With Editor

Cron, Scheduled Task/Job

Linux Possible Append Cronjob Entry on Existing Cronjob File

Cron, Scheduled Task/Job

Linux At Allow Config File Creation

Cron, Scheduled Task/Job

Linux Edit Cron Table Parameter

Cron, Scheduled Task/Job

Linux Add Files In Known Crontab Directories

Cron, Scheduled Task/Job

Java Class File download by Java User Agent

Exploit Public-Facing Application

Wget Download and Bash Execution

Ingress Tool Transfer

Curl Download and Bash Execution

Ingress Tool Transfer

LOLBAS With Network Traffic

Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution

Fsutil Zeroing File

Indicator Removal

Windows Raccine Scheduled Task Deletion

Disable or Modify Tools

MS Exchange Mailbox Replication service writing Active Server Pages

Server Software Component, Web Shell, Exploit Public-Facing Application

BCDEdit Failure Recovery Modification

Inhibit System Recovery

WBAdmin Delete System Backups

Inhibit System Recovery

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Suspicious Linux Discovery Commands

Unix Shell

Detect RClone Command-Line Usage

Automated Exfiltration

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Short Lived Scheduled Task

Scheduled Task

Unusual Number of Remote Endpoint Authentication Events

Valid Accounts

Unusual Number of Computer Service Tickets Requested

Valid Accounts

Resize Shadowstorage Volume

Service Stop

Grant Permission Using Cacls Utility

File and Directory Permissions Modification

Disable Net User Account

Service Stop, Valid Accounts

Deny Permission using Cacls Utility

File and Directory Permissions Modification

Randomly Generated Scheduled Task Name

Scheduled Task/Job, Scheduled Task

Detect RClone Command-Line Usage

Automated Exfiltration

Randomly Generated Windows Service Name

Create or Modify System Process, Windows Service

Attempted Credential Dump From Registry via Reg exe

OS Credential Dumping, Security Account Manager

Attempt To Disable Services

Service Stop

Attempt To Delete Services

Service Stop, Create or Modify System Process, Windows Service

Mmc LOLBAS Execution Process Spawn

Remote Services, Distributed Component Object Model, MMC

Services LOLBAS Execution Process Spawn

Create or Modify System Process, Windows Service

Wmiprsve LOLBAS Execution Process Spawn

Windows Management Instrumentation

Possible Browser Pass View Parameter

Credentials from Web Browsers, Credentials from Password Stores

Anomalous usage of Archive Tools

Archive via Utility, Archive Collected Data

Windows Service Created Within Public Path

Create or Modify System Process, Windows Service

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services, Windows Remote Management

Svchost LOLBAS Execution Process Spawn

Scheduled Task/Job, Scheduled Task

System Info Gathering Using Dxdiag Application

Gather Victim Host Information

Loading Of Dynwrapx Module

Process Injection, Dynamic-link Library Injection

Windows DISM Remove Defender

Disable or Modify Tools, Impair Defenses

Remote Process Instantiation via WinRM and PowerShell

Remote Services, Windows Remote Management

High Frequency Copy Of Files In Network Share

Transfer Data to Cloud Account

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal

Windows DiskCryptor Usage

Data Encrypted for Impact

Remote Process Instantiation via DCOM and PowerShell

Remote Services, Distributed Component Object Model

Remote Process Instantiation via WMI and PowerShell

Windows Management Instrumentation

CSC Net On The Fly Compilation

Compile After Delivery, Obfuscated Files or Information

Network Discovery Using Route Windows App

System Network Configuration Discovery, Internet Connection Discovery

Remote Process Instantiation via WMI

Windows Management Instrumentation

Windows InstallUtil Uninstall Option

InstallUtil, System Binary Proxy Execution

Firewall Allowed Program Enable

Disable or Modify System Firewall, Impair Defenses

Windows InstallUtil URL in Command Line

InstallUtil, System Binary Proxy Execution

Scheduled Task Initiation on Remote Endpoint

Scheduled Task/Job, Scheduled Task

WMIC XSL Execution via URL

XSL Script Processing

Scheduled Task Creation on Remote Endpoint using At

Scheduled Task/Job, At

Remote Process Instantiation via WinRM and Winrs

Remote Services, Windows Remote Management

Windows Service Creation on Remote Endpoint

Create or Modify System Process, Windows Service

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Windows Service Initiation on Remote Endpoint

Create or Modify System Process, Windows Service

Attacker Tools On Endpoint

Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning

Windows Curl Download to Suspicious Path

Ingress Tool Transfer

Disable Schedule Task

Disable or Modify Tools, Impair Defenses

ServicePrincipalNames Discovery with SetSPN

Kerberoasting

Suspicious wevtutil Usage

Clear Windows Event Logs, Indicator Removal

Sdelete Application Execution

Data Destruction, File Deletion, Indicator Removal

Winhlp32 Spawning a Process

Process Injection

Suspicious Copy on System32

Rename System Utilities, Masquerading

Process Writing DynamicWrapperX

Command and Scripting Interpreter, Component Object Model

Rundll32 Shimcache Flush

Modify Registry

Malicious InProcServer32 Modification

Regsvr32, Modify Registry

MSBuild Suspicious Spawned By Script Process

MSBuild, Trusted Developer Utilities Proxy Execution

Vbscript Execution Using Wscript App

Visual Basic, Command and Scripting Interpreter

Verclsid CLSID Execution

Verclsid, System Binary Proxy Execution

Remcos RAT File Creation in Remcos Folder

Screen Capture

BITS Job Persistence

BITS Jobs

Credential Dumping via Copy Command from Shadow Copy

NTDS, OS Credential Dumping

Credential Dumping via Symlink to Shadow Copy

NTDS, OS Credential Dumping

Processes launching netsh

Disable or Modify System Firewall, Impair Defenses

Detect mshta inline hta execution

System Binary Proxy Execution, Mshta

Detect MSHTA Url in Command Line

System Binary Proxy Execution, Mshta

Detect HTML Help URL in Command Line

System Binary Proxy Execution, Compiled HTML File

Detect Renamed RClone

Automated Exfiltration

Attempt To Add Certificate To Untrusted Store

Install Root Certificate, Subvert Trust Controls

Local Account Discovery with Net

Account Discovery, Local Account

Local Account Discovery With Wmic

Account Discovery, Local Account

Detect Renamed 7-Zip

Archive via Utility, Archive Collected Data

Creation of Shadow Copy with wmic and powershell

NTDS, OS Credential Dumping

Detect PsExec With accepteula Flag

Remote Services, SMB/Windows Admin Shares

Detect Renamed WinRAR

Archive via Utility, Archive Collected Data

Detect HTML Help Using InfoTech Storage Handlers

System Binary Proxy Execution, Compiled HTML File

Check Elevated CMD using whoami

System Owner/User Discovery

PowerShell Get LocalGroup Discovery

Permission Groups Discovery, Local Groups

Wmic Group Discovery

Permission Groups Discovery, Local Groups

Net Localgroup Discovery

Permission Groups Discovery, Local Groups

Get WMIObject Group Discovery

Permission Groups Discovery, Local Groups

System User Discovery With Query

System Owner/User Discovery

GetCurrent User with PowerShell

System Owner/User Discovery

MS Scripting Process Loading WMI Module

Command and Scripting Interpreter, JavaScript

User Discovery With Env Vars PowerShell

System Owner/User Discovery

MS Scripting Process Loading Ldap Module

Command and Scripting Interpreter, JavaScript

XSL Script Execution With WMIC

XSL Script Processing

Jscript Execution Using Cscript App

Command and Scripting Interpreter, JavaScript

Network Connection Discovery With Arp

System Network Connections Discovery

Network Connection Discovery With Net

System Network Connections Discovery

Network Connection Discovery With Netstat

System Network Connections Discovery

Extraction of Registry Hives

Security Account Manager, OS Credential Dumping

Rundll32 Control RunDLL Hunt

System Binary Proxy Execution, Rundll32

Create local admin accounts using net exe

Local Account, Create Account

Rundll32 Control RunDLL World Writable Directory

System Binary Proxy Execution, Rundll32

Control Loading from World Writable Directory

System Binary Proxy Execution, Control Panel

GetDomainComputer with PowerShell

Remote System Discovery

GetAdComputer with PowerShell

Remote System Discovery

SchCache Change By App Connect And Create ADSI Object

Domain Account, Account Discovery

System Information Discovery Detection

System Information Discovery

GetDomainController with PowerShell

Remote System Discovery

GetWmiObject Ds Computer with PowerShell

Remote System Discovery

Bcdedit Command Back To Normal Mode Boot

Inhibit System Recovery

Change To Safe Mode With Network Config

Inhibit System Recovery

Get-ForestTrust with PowerShell

Domain Trust Discovery

Domain Group Discovery With Dsquery

Permission Groups Discovery, Domain Groups

Remote System Discovery with Wmic

Remote System Discovery

Domain Controller Discovery with Wmic

Remote System Discovery

PetitPotam Suspicious Kerberos TGT Request

OS Credential Dumping

Remote System Discovery with Dsquery

Remote System Discovery

PetitPotam Network Share Access Request

Forced Authentication

Remote System Discovery with Net

Remote System Discovery

Domain Controller Discovery with Nltest

Remote System Discovery

Get DomainPolicy with Powershell

Password Policy Discovery

Get ADUserResultantPasswordPolicy with Powershell

Password Policy Discovery

Process Creating LNK file in Suspicious Location

Phishing, Spearphishing Link

Get ADDefaultDomainPasswordPolicy with Powershell

Password Policy Discovery

Password Policy Discovery with Net

Password Policy Discovery

Domain Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetNetTcpconnection with PowerShell

System Network Connections Discovery

GetWmiObject Ds Group with PowerShell

Permission Groups Discovery, Domain Groups

Domain Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Net

Permission Groups Discovery, Domain Groups

GetDomainGroup with PowerShell

Permission Groups Discovery, Domain Groups

GetAdGroup with PowerShell

Permission Groups Discovery, Domain Groups

Elevated Group Discovery With Wmic

Permission Groups Discovery, Domain Groups

Elevated Group Discovery with PowerView

Permission Groups Discovery, Domain Groups

Domain Group Discovery with Adsisearcher

Permission Groups Discovery, Domain Groups

Domain Account Discovery with Dsquery

Domain Account, Account Discovery

Get DomainUser with PowerShell

Domain Account, Account Discovery

Domain Account Discovery With Net App

Domain Account, Account Discovery

Get-DomainTrust with PowerShell

Domain Trust Discovery

Domain Account Discovery with Wmic

Domain Account, Account Discovery

GetWmiObject DS User with PowerShell

Domain Account, Account Discovery

Get ADUser with PowerShell

Domain Account, Account Discovery

GetLocalUser with PowerShell

Account Discovery, Local Account

Esentutl SAM Copy

Security Account Manager, OS Credential Dumping

7zip CommandLine To SMB Share Path

Archive via Utility, Archive Collected Data

UAC Bypass With Colorui COM Object

System Binary Proxy Execution, CMSTP

Fsutil Zeroing File

Indicator Removal

Rundll32 LockWorkStation

System Binary Proxy Execution, Rundll32

Uninstall App Using MsiExec

Msiexec, System Binary Proxy Execution

Create Remote Thread In Shell Application

Process Injection

Sqlite Module In Temp Folder

Data from Local System

Drop IcedID License dat

User Execution, Malicious File

IcedID Exfiltrated Archived File Creation

Archive via Utility, Archive Collected Data

Rundll32 Create Remote Thread To A Process

Process Injection

Regsvr32 with Known Silent Switch Cmdline

System Binary Proxy Execution, Regsvr32

CHCP Command Execution

Command and Scripting Interpreter

Rundll32 CreateRemoteThread In Browser

Process Injection

Suspicious IcedID Rundll32 Cmdline

System Binary Proxy Execution, Rundll32

Suspicious Rundll32 PluginInit

System Binary Proxy Execution, Rundll32

Rundll32 Process Creating Exe Dll Files

System Binary Proxy Execution, Rundll32

SAM Database File Access Attempt

Security Account Manager, OS Credential Dumping

Detect Copy of ShadowCopy with Script Block Logging

Security Account Manager, OS Credential Dumping

Mshta spawning Rundll32 OR Regsvr32 Process

System Binary Proxy Execution, Mshta

UAC Bypass MMC Load Unsigned Dll

Bypass User Account Control, Abuse Elevation Control Mechanism, MMC

Spoolsv Writing a DLL

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Loaded Modules

Print Processors, Boot or Logon Autostart Execution

Spoolsv Suspicious Process Access

Exploitation for Privilege Escalation

Spoolsv Writing a DLL - Sysmon

Print Processors, Boot or Logon Autostart Execution

Print Spooler Adding A Printer Driver

Print Processors, Boot or Logon Autostart Execution

Print Spooler Failed to Load a Plug-in

Print Processors, Boot or Logon Autostart Execution

Spoolsv Spawning Rundll32

Print Processors, Boot or Logon Autostart Execution

Excessive number of service control start as disabled

Disable or Modify Tools, Impair Defenses

Excessive Usage Of SC Service Utility

System Services, Service Execution

Allow File And Printing Sharing In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Allow Network Discovery In Firewall

Disable or Modify Cloud Firewall, Impair Defenses

Execute Javascript With Jscript COM CLSID

Command and Scripting Interpreter, Visual Basic

Suspicious Event Log Service Behavior

Indicator Removal, Clear Windows Event Logs

Detect WMI Event Subscription Persistence

Windows Management Instrumentation Event Subscription, Event Triggered Execution

Wevtutil Usage To Disable Logs

Indicator Removal, Clear Windows Event Logs

WevtUtil Usage To Clear Logs

Indicator Removal, Clear Windows Event Logs

Permission Modification using Takeown App

File and Directory Permissions Modification

Clear Unallocated Sector Using Cipher App

File Deletion, Indicator Removal

Prevent Automatic Repair Mode using Bcdedit

Inhibit System Recovery

Disable Logs Using WevtUtil

Indicator Removal, Clear Windows Event Logs

Excessive number of taskhost processes

Command and Scripting Interpreter

Known Services Killed by Ransomware

Inhibit System Recovery

Modification Of Wallpaper

Defacement

Wbemprox COM Object Execution

System Binary Proxy Execution, CMSTP

Revil Common Exec Parameter

User Execution

Conti Common Exec parameter

User Execution

Detect SharpHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound Command-Line Arguments

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect AzureHound File Modifications

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

SecretDumps Offline NTDS Dumping Tool

NTDS, OS Credential Dumping

WinRM Spawning a Process

Exploit Public-Facing Application

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol, Remote Services

Services Escalate Exe

Abuse Elevation Control Mechanism

CMLUA Or CMSTPLUA UAC Bypass

System Binary Proxy Execution, CMSTP

SLUI RunAs Elevated

Bypass User Account Control, Abuse Elevation Control Mechanism

SLUI Spawning a Process

Bypass User Account Control, Abuse Elevation Control Mechanism

Excessive Usage Of Cacls App

File and Directory Permissions Modification

Enumerate Users Local Group Using Telegram

Account Discovery

Download Files Using Telegram

Ingress Tool Transfer

Excessive Usage Of Net App

Account Access Removal

Excessive Usage Of Taskkill

Disable or Modify Tools, Impair Defenses

Disabling Net User Account

Account Access Removal

ICACLS Grant Command

File and Directory Permissions Modification

Excessive Service Stop Attempt

Service Stop

Excessive Attempt To Disable Services

Service Stop

Process Kill Base On File Path

Disable or Modify Tools, Impair Defenses

Deleting Of Net Users

Account Access Removal

Suspicious Driver Loaded Path

Windows Service, Create or Modify System Process

Icacls Deny Command

File and Directory Permissions Modification

XMRIG Driver Loaded

Windows Service, Create or Modify System Process

Trickbot Named Pipe

Process Injection

Anomalous usage of 7zip

Archive via Utility, Archive Collected Data

Winword Spawning Cmd

Phishing, Spearphishing Attachment

Wermgr Process Spawned CMD Or Powershell Process

Command and Scripting Interpreter

Wermgr Process Create Executable File

Obfuscated Files or Information

Schedule Task with Rundll32 Command Trigger

Scheduled Task/Job

Windows Multiple Invalid Users Failed To Authenticate Using NTLM

Password Spraying, Brute Force

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos

Password Spraying, Brute Force

Windows Multiple Invalid Users Fail To Authenticate Using Kerberos

Password Spraying, Brute Force

Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Process

Password Spraying, Brute Force

Windows Multiple Users Remotely Failed To Authenticate From Host

Password Spraying, Brute Force

Windows Multiple Users Failed To Authenticate From Host Using NTLM

Password Spraying, Brute Force

Winword Spawning PowerShell

Phishing, Spearphishing Attachment

Winword Spawning Windows Script Host

Phishing, Spearphishing Attachment

Excel Spawning Windows Script Host

Security Account Manager, OS Credential Dumping

Excel Spawning PowerShell

Security Account Manager, OS Credential Dumping

Windows Multiple Users Failed To Authenticate Using Kerberos

Password Spraying, Brute Force

Malicious Powershell Executed As A Service

System Services, Service Execution

DSQuery Domain Discovery

Domain Trust Discovery

Disabling Firewall with Netsh

Disable or Modify Tools, Impair Defenses

PowerShell Start-BitsTransfer

BITS Jobs

CertUtil With Decode Argument

Deobfuscate/Decode Files or Information