Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Defense Evasion
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Windows InstallUtil URL in Command Line
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil, Signed Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil, Signed Binary Proxy Execution
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
WMIC XSL Execution via URL
XSL Script Processing
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed by an Event Collecting Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Potential Pass the Token or Hash Observed at the Destination Device
Use Alternate Authentication Material, Pass the Hash
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
SearchProtocolHost with no Command Line with Network
Process Injection
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
Signed Binary Proxy Execution, Rundll32
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal on Host
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal on Host
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Winhlp32 Spawning a Process
Process Injection
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious Copy on System32
Rename System Utilities, Masquerading
Rundll32 Shimcache Flush
Modify Registry
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Disable Security Logs Using MiniNt Registry
Modify Registry
Regsvr32 Silent and Install Param Dll Loading
Signed Binary Proxy Execution, Regsvr32
Regsvr32 Silent and Install Param Dll Loading
Signed Binary Proxy Execution, Regsvr32
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Verclsid CLSID Execution
Verclsid, Signed Binary Proxy Execution
Verclsid CLSID Execution
Verclsid, Signed Binary Proxy Execution
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Remcos client registry install entry
Modify Registry
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 no Command Line Arguments
Signed Binary Proxy Execution, Rundll32
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious GPUpdate no Command Line Arguments
Process Injection
Suspicious DLLHost no Command Line Arguments
Process Injection
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
Signed Binary Proxy Execution, Regsvcs/Regasm
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect MSHTA Url in Command Line
Signed Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
Signed Binary Proxy Execution, Mshta
Detect mshta renamed
Signed Binary Proxy Execution, Mshta
Detect mshta renamed
Signed Binary Proxy Execution, Mshta
Detect mshta inline hta execution
Signed Binary Proxy Execution, Mshta
Detect mshta inline hta execution
Signed Binary Proxy Execution, Mshta
Detect HTML Help Using InfoTech Storage Handlers
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
Signed Binary Proxy Execution, Compiled HTML File
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
BITS Job Persistence
BITS Jobs
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
XSL Script Execution With WMIC
XSL Script Processing
Rundll32 Control RunDLL World Writable Directory
Signed Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
Signed Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
Signed Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
Signed Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
Signed Binary Proxy Execution, Control Panel
Control Loading from World Writable Directory
Signed Binary Proxy Execution, Control Panel
UAC Bypass With Colorui COM Object
Signed Binary Proxy Execution, CMSTP
UAC Bypass With Colorui COM Object
Signed Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal on Host
Uninstall App Using MsiExec
Msiexec, Signed Binary Proxy Execution
Uninstall App Using MsiExec
Msiexec, Signed Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
Signed Binary Proxy Execution, Regsvr32
Regsvr32 with Known Silent Switch Cmdline
Signed Binary Proxy Execution, Regsvr32
Suspicious Rundll32 PluginInit
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
Signed Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
Signed Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
Signed Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
Signed Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
Signed Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
Signed Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
Signed Binary Proxy Execution, Rundll32
Rundll32 CreateRemoteThread In Browser
Process Injection
Office Product Spawn CMD Process
Signed Binary Proxy Execution, Mshta
Office Product Spawn CMD Process
Signed Binary Proxy Execution, Mshta
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
Mshta spawning Rundll32 OR Regsvr32 Process
Signed Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
Signed Binary Proxy Execution, Mshta
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal on Host
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal on Host
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Event Log Service Behavior
Indicator Removal on Host, Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal on Host, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Powershell Using memory As Backing Store
Deobfuscate/Decode Files or Information
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools
Permission Modification using Takeown App
File and Directory Permissions Modification
Disable Logs Using WevtUtil
Indicator Removal on Host, Clear Windows Event Logs
Disable Logs Using WevtUtil
Indicator Removal on Host, Clear Windows Event Logs
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Unloading AMSI via Reflection
Impair Defenses
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Wbemprox COM Object Execution
Signed Binary Proxy Execution, CMSTP
Wbemprox COM Object Execution
Signed Binary Proxy Execution, CMSTP
Revil Registry Entry
Modify Registry
Services Escalate Exe
Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
CMLUA Or CMSTPLUA UAC Bypass
Signed Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
Signed Binary Proxy Execution, CMSTP
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Executables Or Script Creation In Suspicious Path
Masquerading
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Icacls Deny Command
File and Directory Permissions Modification
Trickbot Named Pipe
Process Injection
Wermgr Process Create Executable File
Obfuscated Files or Information
Powershell Remote Thread To Known Windows Process
Process Injection
GPUpdate with no Command Line Arguments with Network
Process Injection
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling SystemRestore In Registry
Disable or Modify Tools, Impair Defenses
Disabling SystemRestore In Registry
Disable or Modify Tools, Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Disabling CMD Application
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Process Deleting Its Process File Path
Indicator Removal on Host
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Cobalt Strike Named Pipes
Process Injection
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Detect Regsvcs with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
Signed Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
Signed Binary Proxy Execution, Compiled HTML File
Detect HTML Help Spawn Child Process
Signed Binary Proxy Execution, Compiled HTML File
Suspicious Rundll32 dllregisterserver
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 dllregisterserver
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
Signed Binary Proxy Execution, Rundll32
Suspicious Rundll32 Rename
Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
Signed Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Rundll32 Application Control Bypass - syssetup
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
Signed Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
Signed Binary Proxy Execution, Rundll32
First time seen command line argument
Command and Scripting Interpreter, Regsvr32, Indirect Command Execution
Suspicious Regsvr32 Register Suspicious Path
Signed Binary Proxy Execution, Regsvr32
Suspicious Regsvr32 Register Suspicious Path
Signed Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
Signed Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
Signed Binary Proxy Execution, Regsvr32
O365 Excessive SSO logon errors
Modify Authentication Process
AWS SAML Update identity provider
Valid Accounts
AWS SAML Access by Provider User and Principal
Valid Accounts
Suspicious mshta spawn
Signed Binary Proxy Execution, Mshta
Suspicious mshta spawn
Signed Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
Signed Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
Signed Binary Proxy Execution, Mshta
Suspicious mshta child process
Signed Binary Proxy Execution, Mshta
Suspicious mshta child process
Signed Binary Proxy Execution, Mshta
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
RunDLL Loading DLL By Ordinal
Signed Binary Proxy Execution, Rundll32
RunDLL Loading DLL By Ordinal
Signed Binary Proxy Execution, Rundll32
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Illegal Service and Process Control via PowerSploit modules
Process Injection, Native API, System Services
Illegal Service and Process Control via Mimikatz modules
Process Injection, Native API, System Services
Illegal Privilege Elevation via Mimikatz modules
Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Privilege Elevation via Mimikatz modules
Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Privilege Elevation and Persistence via PowerSploit modules
Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Privilege Elevation and Persistence via PowerSploit modules
Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism
Illegal Management of Computers and Active Directory Elements via PowerSploit modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Management of Computers and Active Directory Elements via PowerSploit modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Management of Active Directory Elements and Policies via DSInternals modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Management of Active Directory Elements and Policies via DSInternals modules
Account Manipulation, Rogue Domain Controller, Domain Policy Modification
Illegal Enabling or Disabling of Accounts via DSInternals modules
Valid Accounts, Account Manipulation
Illegal Deletion of Logs via Mimikatz modules
Indicator Removal on Host
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules
Create or Modify System Process, Process Injection, Hijack Execution Flow
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules
Create or Modify System Process, Process Injection, Hijack Execution Flow
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules
Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Executi...
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules
Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Executi...
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules
Valid Accounts, Account Discovery, Domain Policy Modification
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules
Valid Accounts, Account Discovery, Domain Policy Modification
Reconnaissance and Access to Accounts and Groups via Mimikatz modules
Valid Accounts, Account Discovery, Domain Policy Modification
Reconnaissance and Access to Accounts and Groups via Mimikatz modules
Valid Accounts, Account Discovery, Domain Policy Modification
Probing Access with Stolen Credentials via PowerSploit modules
Valid Accounts, Account Manipulation
Setting Credentials via PowerSploit modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via Mimikatz modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Setting Credentials via DSInternals modules
Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation
Reconnaissance of Credential Stores and Services via Mimikatz modules
Account Manipulation, Domain Properties, Valid Accounts, Credentials, Gather Victim Network Information, Exploitation for Privilege Escalation, Gather Victim...
Assessment of Credential Strength via DSInternals modules
Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via PowerSploit modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Applying Stolen Credentials via Mimikatz modules
Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, B...
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Detect AWS Console Login by User from New Region
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New Country
Unused/Unsupported Cloud Regions
Detect AWS Console Login by User from New City
Unused/Unsupported Cloud Regions
Create or delete windows shares using net exe
Indicator Removal on Host, Network Share Connection Removal
Create or delete windows shares using net exe
Indicator Removal on Host, Network Share Connection Removal
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
System Process Running from Unexpected Location
Masquerading
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect sts assume role abuse
Valid Accounts
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
aws detect attach to role policy
Valid Accounts
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious Reg exe Process
Modify Registry
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows Event Log Cleared
Indicator Removal on Host, Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal on Host, Clear Windows Event Logs
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
USN Journal Deletion
Indicator Removal on Host