AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
Defense Evasion
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
Cobalt Strike Named Pipes
Process Injection
Linux Kworker Process In Writable Process Path
Masquerade Task or Service , Masquerading
Linux Kworker Process In Writable Process Path
Masquerade Task or Service , Masquerading
Linux Iptables Firewall Modification
Disable or Modify System Firewall , Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall , Impair Defenses
Splunk User Enumeration Attempt
Valid Accounts
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction , File Deletion , Indicator Removal on Host
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction , File Deletion , Indicator Removal on Host
Windows Registry Delete Task SD
Scheduled Task , Impair Defenses
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction , File Deletion , Indicator Removal on Host
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion of SSL Certificate
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion of SSL Certificate
Data Destruction , File Deletion , Indicator Removal on Host
Linux deletion Of SSH Key
Data Destruction , File Deletion , Indicator Removal on Host
Linux deletion Of SSH Key
Data Destruction , File Deletion , Indicator Removal on Host
Linux deletion Of SSH Hash Conf
Data Destruction , File Deletion , Indicator Removal on Host
Linux deletion Of SSH Hash Conf
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Services
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Services
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Init Daemon Script
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Init Daemon Script
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Cron Jobs
Data Destruction , File Deletion , Indicator Removal on Host
Linux Deletion Of Cron Jobs
Data Destruction , File Deletion , Indicator Removal on Host
Linux Account Manipulation Of SSH Config and Keys
Data Destruction , File Deletion , Indicator Removal on Host
Linux Account Manipulation Of SSH Config and Keys
Data Destruction , File Deletion , Indicator Removal on Host
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Detect mshta renamed
Signed Binary Proxy Execution , Mshta
Detect mshta renamed
Signed Binary Proxy Execution , Mshta
Detect HTML Help Renamed
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution , Compiled HTML File
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall , Impair Defenses
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall , Impair Defenses
Linux Kworker Process CommandLine
Masquerade Task or Service , Masquerading
Linux Kworker Process CommandLine
Masquerade Task or Service , Masquerading
Linux Iptables Firewall Modification
Disable or Modify System Firewall , Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall , Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools , Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools , Impair Defenses
Windows Registry Certificate Added
Install Root Certificate , Subvert Trust Controls
Windows Registry Certificate Added
Install Root Certificate , Subvert Trust Controls
Windows Drivers Loaded by Signature
Rootkit , Exploitation for Privilege Escalation
Windows Terminating Lsass Process
Disable or Modify Tools , Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools , Impair Defenses
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil , Signed Binary Proxy Execution
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution , Rundll32
Suspicious GPUpdate no Command Line Arguments
Process Injection
Suspicious DLLHost no Command Line Arguments
Process Injection
SearchProtocolHost with no Command Line with Network
Process Injection
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution , Rundll32
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution , Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Windows Hide Notification Features Through Registry
Modify Registry
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Windows Disable Shutdown Button Through Registry
Modify Registry
Windows Disable LogOff Button Through Registry
Modify Registry
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Disable Change Password Through Registry
Modify Registry
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows Rundll32 Inline HTA Execution
Signed Binary Proxy Execution, Mshta
Windows Rundll32 Inline HTA Execution
Signed Binary Proxy Execution, Mshta
Windows Process With NamedPipe CommandLine
Process Injection
Windows MSHTA Inline HTA Execution
Mshta, Signed Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, Signed Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, Signed Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, Signed Binary Proxy Execution
Windows MSHTA Child Process
Mshta, Signed Binary Proxy Execution
Windows MSHTA Child Process
Mshta, Signed Binary Proxy Execution
Windows Excessive Disabled Services Event
Disable or Modify Tools , Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools , Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools , Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools , Impair Defenses
Windows WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Rundll32 DNSQuery
Signed Binary Proxy Execution , Rundll32
Rundll32 DNSQuery
Signed Binary Proxy Execution , Rundll32
Process Deleting Its Process File Path
Indicator Removal on Host
NET Profiler UAC bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
Detect Regsvcs with Network Connection
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regsvcs with Network Connection
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with Network Connection
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with Network Connection
Signed Binary Proxy Execution , Regsvcs/Regasm
Windows Diskshadow Proxy Execution
Signed Binary Proxy Execution
Windows Disable Notification Center
Modify Registry
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection , Signed Binary Proxy Execution , Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection , Signed Binary Proxy Execution , Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection , Signed Binary Proxy Execution , Process Injection
Windows Diskshadow Proxy Execution
Signed Binary Proxy Execution
Windows Bits Job Persistence
BITS Jobs
RunDLL Loading DLL By Ordinal
Signed Binary Proxy Execution , Rundll32
RunDLL Loading DLL By Ordinal
Signed Binary Proxy Execution , Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material , Pass the Ticket
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material , Pass the Ticket
O365 Disable MFA
Modify Authentication Process
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall , Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall , Impair Defenses
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution , Masquerading , Rundll32 , Rename System Utilities
Rubeus Command Line Parameters
Use Alternate Authentication Material , Pass the Ticket , Steal or Forge Kerberos Tickets , Kerberoasting , AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material , Pass the Ticket , Steal or Forge Kerberos Tickets , Kerberoasting , AS-REP Roasting
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material , Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material , Pass the Ticket
Hide User Account From Sign-In Screen
Disable or Modify Tools , Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools , Impair Defenses
Eventvwr UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
ETW Registry Disabled
Indicator Blocking , Trusted Developer Utilities Proxy Execution , Impair Defenses
ETW Registry Disabled
Indicator Blocking , Trusted Developer Utilities Proxy Execution , Impair Defenses
ETW Registry Disabled
Indicator Blocking , Trusted Developer Utilities Proxy Execution , Impair Defenses
Enable WDigest UseLogonCredential Registry
Modify Registry , OS Credential Dumping
Disabling Task Manager
Disable or Modify Tools , Impair Defenses
Disabling Task Manager
Disable or Modify Tools , Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools , Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools , Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools , Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools , Impair Defenses
Disabling Defender Services
Disable or Modify Tools , Impair Defenses
Disabling Defender Services
Disable or Modify Tools , Impair Defenses
Disabling ControlPanel
Disable or Modify Tools , Impair Defenses
Disabling ControlPanel
Disable or Modify Tools , Impair Defenses
Disabling CMD Application
Disable or Modify Tools , Impair Defenses
Disabling CMD Application
Disable or Modify Tools , Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools , Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools , Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools , Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools , Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools , Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools , Impair Defenses
Disable UAC Remote Restriction
Bypass User Account Control , Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control , Abuse Elevation Control Mechanism
Disable Show Hidden Files
Hidden Files and Directories , Disable or Modify Tools , Hide Artifacts , Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories , Disable or Modify Tools , Hide Artifacts , Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories , Disable or Modify Tools , Hide Artifacts , Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories , Disable or Modify Tools , Hide Artifacts , Impair Defenses
Disable Security Logs Using MiniNt Registry
Modify Registry
Disable Registry Tool
Disable or Modify Tools , Impair Defenses
Disable Registry Tool
Disable or Modify Tools , Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools , Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools , Impair Defenses
Remcos client registry install entry
Modify Registry
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools , Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools , Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools , Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools , Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools , Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools , Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools , Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools , Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools , Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools , Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools , Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools , Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools , Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools , Impair Defenses
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Ping Sleep Batch Command
Virtualization/Sandbox Evasion , Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion , Time Based Evasion
Windows InstallUtil in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading , Rename System Utilities , Signed Binary Proxy Execution , InstallUtil
Powershell Remove Windows Defender Directory
Disable or Modify Tools , Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools , Impair Defenses
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Linux Possible Access To Sudoers File
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking , Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking , Hijack Execution Flow
Suspicious Ticket Granting Ticket Request
Valid Accounts , Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts , Domain Accounts
Linux Visudo Utility Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid , Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching , Abuse Elevation Control Mechanism
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification , File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification , File and Directory Permissions Modification
Suspicious Kerberos Service Ticket Request
Valid Accounts , Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts , Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts , Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts , Domain Accounts
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
MSI Module Loaded by Non-System Binary
DLL Side-Loading , Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading , Hijack Execution Flow
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Fsutil Zeroing File
Indicator Removal on Host
Anomalous Usage of Account Credentials
Domain Accounts
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
First time seen command line argument
Command and Scripting Interpreter, Indirect Command Execution
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Windows Defender Exclusion Registry Entry
Disable or Modify Tools , Impair Defenses
Windows Defender Exclusion Registry Entry
Disable or Modify Tools , Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools , Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools , Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools , Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools , Impair Defenses
Loading Of Dynwrapx Module
Process Injection , Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection , Dynamic-link Library Injection
Windows DISM Remove Defender
Disable or Modify Tools , Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools , Impair Defenses
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Windows InstallUtil URL in Command Line
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil , Signed Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil , Signed Binary Proxy Execution
Runas Execution in CommandLine
Access Token Manipulation , Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation , Token Impersonation/Theft
Firewall Allowed Program Enable
Disable or Modify System Firewall , Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall , Impair Defenses
CSC Net On The Fly Compilation
Compile After Delivery , Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery , Obfuscated Files or Information
WMIC XSL Execution via URL
XSL Script Processing
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Attacker Tools On Endpoint
Match Legitimate Name or Location , Masquerading , OS Credential Dumping , Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location , Masquerading , OS Credential Dumping , Active Scanning
Wmic NonInteractive App Uninstallation
Disable or Modify Tools , Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools , Impair Defenses
Disable Schedule Task
Disable or Modify Tools , Impair Defenses
Disable Schedule Task
Disable or Modify Tools , Impair Defenses
SearchProtocolHost with no Command Line with Network
Process Injection
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution , Rundll32
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution , Rundll32
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious wevtutil Usage
Clear Windows Event Logs , Indicator Removal on Host
Suspicious wevtutil Usage
Clear Windows Event Logs , Indicator Removal on Host
Wscript Or Cscript Suspicious Child Process
Process Injection , Create or Modify System Process , Parent PID Spoofing , Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection , Create or Modify System Process , Parent PID Spoofing , Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection , Create or Modify System Process , Parent PID Spoofing , Access Token Manipulation
Sdelete Application Execution
Data Destruction , File Deletion , Indicator Removal on Host
Sdelete Application Execution
Data Destruction , File Deletion , Indicator Removal on Host
Winhlp32 Spawning a Process
Process Injection
Suspicious Copy on System32
Rename System Utilities , Masquerading
Suspicious Copy on System32
Rename System Utilities , Masquerading
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32 , Modify Registry
Malicious InProcServer32 Modification
Regsvr32 , Modify Registry
Regsvr32 Silent and Install Param Dll Loading
Signed Binary Proxy Execution , Regsvr32
Regsvr32 Silent and Install Param Dll Loading
Signed Binary Proxy Execution , Regsvr32
MSBuild Suspicious Spawned By Script Process
MSBuild , Trusted Developer Utilities Proxy Execution
MSBuild Suspicious Spawned By Script Process
MSBuild , Trusted Developer Utilities Proxy Execution
Verclsid CLSID Execution
Verclsid , Signed Binary Proxy Execution
Verclsid CLSID Execution
Verclsid , Signed Binary Proxy Execution
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution , Rundll32
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities
Suspicious GPUpdate no Command Line Arguments
Process Injection
Suspicious DLLHost no Command Line Arguments
Process Injection
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution , Regsvcs/Regasm
Processes launching netsh
Disable or Modify System Firewall , Impair Defenses
Processes launching netsh
Disable or Modify System Firewall , Impair Defenses
Detect MSHTA Url in Command Line
Signed Binary Proxy Execution , Mshta
Detect MSHTA Url in Command Line
Signed Binary Proxy Execution , Mshta
Detect mshta renamed
Signed Binary Proxy Execution , Mshta
Detect mshta renamed
Signed Binary Proxy Execution , Mshta
Detect mshta inline hta execution
Signed Binary Proxy Execution , Mshta
Detect mshta inline hta execution
Signed Binary Proxy Execution , Mshta
Detect HTML Help Using InfoTech Storage Handlers
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help URL in Command Line
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help URL in Command Line
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution , Compiled HTML File
BITSAdmin Download File
BITS Jobs , Ingress Tool Transfer
BITS Job Persistence
BITS Jobs
Attempt To Add Certificate To Untrusted Store
Install Root Certificate , Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate , Subvert Trust Controls
XSL Script Execution With WMIC
XSL Script Processing
Rundll32 Control RunDLL World Writable Directory
Signed Binary Proxy Execution , Rundll32
Rundll32 Control RunDLL World Writable Directory
Signed Binary Proxy Execution , Rundll32
Rundll32 Control RunDLL Hunt
Signed Binary Proxy Execution , Rundll32
Rundll32 Control RunDLL Hunt
Signed Binary Proxy Execution , Rundll32
Control Loading from World Writable Directory
Signed Binary Proxy Execution , Control Panel
Control Loading from World Writable Directory
Signed Binary Proxy Execution , Control Panel
UAC Bypass With Colorui COM Object
Signed Binary Proxy Execution , CMSTP
UAC Bypass With Colorui COM Object
Signed Binary Proxy Execution , CMSTP
Fsutil Zeroing File
Indicator Removal on Host
Uninstall App Using MsiExec
Msiexec , Signed Binary Proxy Execution
Uninstall App Using MsiExec
Msiexec , Signed Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
Signed Binary Proxy Execution , Regsvr32
Regsvr32 with Known Silent Switch Cmdline
Signed Binary Proxy Execution , Regsvr32
Suspicious Rundll32 PluginInit
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 PluginInit
Signed Binary Proxy Execution , Rundll32
Suspicious IcedID Rundll32 Cmdline
Signed Binary Proxy Execution , Rundll32
Suspicious IcedID Rundll32 Cmdline
Signed Binary Proxy Execution , Rundll32
Rundll32 Process Creating Exe Dll Files
Signed Binary Proxy Execution , Rundll32
Rundll32 Process Creating Exe Dll Files
Signed Binary Proxy Execution , Rundll32
Rundll32 CreateRemoteThread In Browser
Process Injection
Office Product Spawn CMD Process
Signed Binary Proxy Execution , Mshta
Office Product Spawn CMD Process
Signed Binary Proxy Execution , Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
Signed Binary Proxy Execution , Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
Signed Binary Proxy Execution , Mshta
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts , Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts , Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control , Abuse Elevation Control Mechanism
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control , Abuse Elevation Control Mechanism
Powershell Disable Security Monitoring
Disable or Modify Tools , Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools , Impair Defenses
Msmpeng Application DLL Side Loading
DLL Side-Loading , Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading , Hijack Execution Flow
Excessive number of service control start as disabled
Disable or Modify Tools , Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools , Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall , Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall , Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall , Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall , Impair Defenses
Recursive Delete of Directory In Batch CMD
File Deletion , Indicator Removal on Host
Recursive Delete of Directory In Batch CMD
File Deletion , Indicator Removal on Host
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information , Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information , Indicator Removal from Tools
Suspicious Event Log Service Behavior
Indicator Removal on Host , Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal on Host , Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
Powershell Using memory As Backing Store
Deobfuscate/Decode Files or Information
Powershell Creating Thread Mutex
Obfuscated Files or Information , Indicator Removal from Tools
Powershell Creating Thread Mutex
Obfuscated Files or Information , Indicator Removal from Tools
Permission Modification using Takeown App
File and Directory Permissions Modification
Disable Logs Using WevtUtil
Indicator Removal on Host , Clear Windows Event Logs
Disable Logs Using WevtUtil
Indicator Removal on Host , Clear Windows Event Logs
Clear Unallocated Sector Using Cipher App
File Deletion , Indicator Removal on Host
Clear Unallocated Sector Using Cipher App
File Deletion , Indicator Removal on Host
Unloading AMSI via Reflection
Impair Defenses , PowerShell , Command and Scripting Interpreter
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter , Obfuscated Files or Information , PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter , Process Injection , PowerShell
Wbemprox COM Object Execution
Signed Binary Proxy Execution , CMSTP
Wbemprox COM Object Execution
Signed Binary Proxy Execution , CMSTP
Services Escalate Exe
Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control , Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control , Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control , Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control , Abuse Elevation Control Mechanism
CMLUA Or CMSTPLUA UAC Bypass
Signed Binary Proxy Execution , CMSTP
CMLUA Or CMSTPLUA UAC Bypass
Signed Binary Proxy Execution , CMSTP
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Executables Or Script Creation In Suspicious Path
Masquerading
Process Kill Base On File Path
Disable or Modify Tools , Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools , Impair Defenses
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools , Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools , Impair Defenses
Icacls Deny Command
File and Directory Permissions Modification
Trickbot Named Pipe
Process Injection
Wermgr Process Create Executable File
Obfuscated Files or Information
Powershell Remote Thread To Known Windows Process
Process Injection
GPUpdate with no Command Line Arguments with Network
Process Injection
Disabling Firewall with Netsh
Disable or Modify Tools , Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools , Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Windows DisableAntiSpyware Registry
Disable or Modify Tools , Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools , Impair Defenses
AWS SetDefaultPolicyVersion
Cloud Accounts , Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts , Valid Accounts
FodHelper UAC Bypass
Modify Registry , Bypass User Account Control , Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry , Bypass User Account Control , Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry , Bypass User Account Control , Abuse Elevation Control Mechanism
Cobalt Strike Named Pipes
Process Injection
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts , Valid Accounts
Detect Regsvcs Spawning a Process
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regsvcs Spawning a Process
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm Spawning a Process
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect Regasm Spawning a Process
Signed Binary Proxy Execution , Regsvcs/Regasm
Detect HTML Help Spawn Child Process
Signed Binary Proxy Execution , Compiled HTML File
Detect HTML Help Spawn Child Process
Signed Binary Proxy Execution , Compiled HTML File
Suspicious Rundll32 dllregisterserver
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 dllregisterserver
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 StartW
Signed Binary Proxy Execution , Rundll32
Suspicious Rundll32 StartW
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - syssetup
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - syssetup
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - setupapi
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - setupapi
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - advpack
Signed Binary Proxy Execution , Rundll32
Detect Rundll32 Application Control Bypass - advpack
Signed Binary Proxy Execution , Rundll32
Suspicious Regsvr32 Register Suspicious Path
Signed Binary Proxy Execution , Regsvr32
Suspicious Regsvr32 Register Suspicious Path
Signed Binary Proxy Execution , Regsvr32
Detect Regsvr32 Application Control Bypass
Signed Binary Proxy Execution , Regsvr32
Detect Regsvr32 Application Control Bypass
Signed Binary Proxy Execution , Regsvr32
Revil Registry Entry
Modify Registry
O365 Excessive SSO logon errors
Modify Authentication Process
AWS SAML Update identity provider
Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
Suspicious mshta spawn
Signed Binary Proxy Execution , Mshta
Suspicious mshta spawn
Signed Binary Proxy Execution , Mshta
Detect Rundll32 Inline HTA Execution
Signed Binary Proxy Execution , Mshta
Detect Rundll32 Inline HTA Execution
Signed Binary Proxy Execution , Mshta
Suspicious mshta child process
Signed Binary Proxy Execution , Mshta
Suspicious mshta child process
Signed Binary Proxy Execution , Mshta
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution , MSBuild
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious MSBuild Rename
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious msbuild path
Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall , Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall , Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall , Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall , Impair Defenses
System Processes Run From Unexpected Locations
Masquerading , Rename System Utilities
System Processes Run From Unexpected Locations
Masquerading , Rename System Utilities
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness , Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness , Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Execution of File With Spaces Before Extension
Rename System Utilities
Execution of File with Multiple Extensions
Masquerading , Rename System Utilities
Execution of File with Multiple Extensions
Masquerading , Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control , Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control , Abuse Elevation Control Mechanism
Detect Excessive Account Lockouts From Endpoint
Valid Accounts , Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts , Domain Accounts
Detect Software Download To Network Device
TFTP Boot , Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot , Pre-OS Boot
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material , Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material , Pass the Hash
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect AWS Console Login by User from New Region
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Unused/Unsupported Cloud Regions
Create or delete windows shares using net exe
Indicator Removal on Host , Network Share Connection Removal
Create or delete windows shares using net exe
Indicator Removal on Host , Network Share Connection Removal
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts , Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
System Process Running from Unexpected Location
Masquerading
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts , Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts , Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts , Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts , Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect sts assume role abuse
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
aws detect attach to role policy
Valid Accounts
Unload Sysmon Filter Driver
Disable or Modify Tools , Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools , Impair Defenses
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious writes to System Volume Information
Masquerading
Suspicious Reg exe Process
Modify Registry
Okta User Logins From Multiple Cities
Valid Accounts , Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts , Default Accounts
Okta Failed SSO Attempts
Valid Accounts , Default Accounts
Okta Failed SSO Attempts
Valid Accounts , Default Accounts
Okta Account Lockout Events
Valid Accounts , Default Accounts
Okta Account Lockout Events
Valid Accounts , Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts , Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts , Default Accounts
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification , Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification , Windows File and Directory Permissions Modification
EC2 Instance Started With Previously Unseen User
Cloud Accounts
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect Excessive User Account Lockouts
Valid Accounts , Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts , Local Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Attempt To Stop Security Service
Disable or Modify Tools , Impair Defenses
Attempt To Stop Security Service
Disable or Modify Tools , Impair Defenses
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
Windows Event Log Cleared
Indicator Removal on Host , Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal on Host , Clear Windows Event Logs
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path , Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path , Hijack Execution Flow
WSReset UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control , Abuse Elevation Control Mechanism
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
USN Journal Deletion
Indicator Removal on Host
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Identify New User Accounts
Domain Accounts