Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Defense Evasion
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta New Device Enrolled on Account
Valid Accounts, Default Accounts
Okta New Device Enrolled on Account
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect AWS Console Login by User from New Region
Unused/Unsupported Cloud Regions
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect AWS Console Login by User from New Country
Unused/Unsupported Cloud Regions
Azure AD Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Detect AWS Console Login by User from New City
Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Azure AD Multi-Factor Authentication Disabled
Modify Authentication Process
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable Cloud Logs
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Azure AD Authentication Failed During MFA Challenge
Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
Azure AD Successful PowerShell Authentication
Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Valid Accounts, Cloud Accounts
AWS Defense Evasion Stop Logging Cloudtrail
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable Cloud Logs, Impair Defenses
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows MSIExec Remote Download
Msiexec
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
MacOS plutil
Plist File Modification
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Cobalt Strike Named Pipes
Process Injection
Potential password in username
Local Accounts, Credentials In Files
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Splunk User Enumeration Attempt
Valid Accounts
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal on Host
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal on Host
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal on Host
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal on Host
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal on Host
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal on Host
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal on Host
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal on Host
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Detect mshta renamed
System Binary Proxy Execution, Mshta
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
SearchProtocolHost with no Command Line with Network
Process Injection
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Hide Notification Features Through Registry
Modify Registry
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Disable LogOff Button Through Registry
Modify Registry
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Windows Disable Shutdown Button Through Registry
Modify Registry
Windows Disable Change Password Through Registry
Modify Registry
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows Process With NamedPipe CommandLine
Process Injection
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Process Deleting Its Process File Path
Indicator Removal on Host
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Windows Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Disable Notification Center
Modify Registry
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bits Job Persistence
BITS Jobs
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Security Logs Using MiniNt Registry
Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Remcos client registry install entry
Modify Registry
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Fsutil Zeroing File
Indicator Removal on Host
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Anomalous Usage of Account Credentials
Domain Accounts
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
First time seen command line argument
Command and Scripting Interpreter, Indirect Command Execution
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
WMIC XSL Execution via URL
XSL Script Processing
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal on Host
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Winhlp32 Spawning a Process
Process Injection
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious Copy on System32
Rename System Utilities, Masquerading
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
BITS Job Persistence
BITS Jobs
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
XSL Script Execution With WMIC
XSL Script Processing
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal on Host
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Office Product Spawn CMD Process
System Binary Proxy Execution, Mshta
Office Product Spawn CMD Process
System Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious Event Log Service Behavior
Indicator Removal on Host, Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal on Host, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Disable Logs Using WevtUtil
Indicator Removal on Host, Clear Windows Event Logs
Disable Logs Using WevtUtil
Indicator Removal on Host, Clear Windows Event Logs
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Services Escalate Exe
Abuse Elevation Control Mechanism
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Executables Or Script Creation In Suspicious Path
Masquerading
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
ICACLS Grant Command
File and Directory Permissions Modification
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Icacls Deny Command
File and Directory Permissions Modification
Trickbot Named Pipe
Process Injection
Wermgr Process Create Executable File
Obfuscated Files or Information
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Revil Registry Entry
Modify Registry
AWS SAML Access by Provider User and Principal
Valid Accounts
O365 Excessive SSO logon errors
Modify Authentication Process
AWS SAML Update identity provider
Valid Accounts
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Suspicious mshta child process
System Binary Proxy Execution, Mshta
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Create or delete windows shares using net exe
Indicator Removal on Host, Network Share Connection Removal
Create or delete windows shares using net exe
Indicator Removal on Host, Network Share Connection Removal
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious writes to System Volume Information
Masquerading
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious Reg exe Process
Modify Registry
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Windows Event Log Cleared
Indicator Removal on Host, Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal on Host, Clear Windows Event Logs
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
USN Journal Deletion
Indicator Removal on Host
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Identify New User Accounts
Domain Accounts