Windows InProcServer32 New Outlook Form
Phishing, Modify Registry
Endpoint
Windows New InProcServer32 Added
Modify Registry
Detect SharpHound Usage
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect SharpHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
System Information Discovery Detection
System Information Discovery
Windows SOAPHound Binary Execution
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Detect SharpHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound Command-Line Arguments
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect AzureHound File Modifications
Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery
Detect Remote Access Software Usage Process
Remote Access Software
Detect Remote Access Software Usage File
Remote Access Software
ConnectWise ScreenConnect Path Traversal
Exploit Public-Facing Application
Windows Known Abused DLL Created
DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow
Disabling SystemRestore In Registry
Inhibit System Recovery
Network Discovery Using Route Windows App
System Network Configuration Discovery, Internet Connection Discovery
Windows Time Based Evasion via Choice Exec
Time Based Evasion, Virtualization/Sandbox Evasion
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Security Account Manager Stopped
Service Stop
Windows Rundll32 WebDav With Network Connection
Exfiltration Over Unencrypted Non-C2 Protocol
Linux Service Started Or Enabled
Systemd Timers, Scheduled Task/Job
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Windows Impair Defense Disable Realtime Signature Delivery
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Tracing Level
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Compute File Hashes
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable PUA Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Throttle Rate
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Web Evaluation
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Configure App Install Control
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Protocol Recognition
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Gen reports
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender App Guard
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Network Protection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Defender Firewall And Network
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Quick Scan Interval
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Signature Retirement
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Define Win Defender Threat Action
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Change Win Defender Health Check Intervals
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Controlled Folder Access
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Report Infection
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Overide Win Defender Phishing Filter
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Override SmartScreen Prompt
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Disable Win Defender Scan On Update
Disable or Modify Tools, Impair Defenses
Windows Process Injection In Non-Service SearchIndexer
Process Injection
Windows MsiExec HideWindow Rundll32 Execution
Msiexec, System Binary Proxy Execution
Creation of Shadow Copy
NTDS, OS Credential Dumping
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Windows Modify Registry No Auto Update
Modify Registry
Registry Keys Used For Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Attempted Credential Dump From Registry via Reg exe
Security Account Manager, OS Credential Dumping
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Scheduled Task Deleted Or Created via CMD
Scheduled Task, Scheduled Task/Job
Remote Process Instantiation via WMI
Windows Management Instrumentation
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Windows Query Registry Reg Save
Query Registry
Windows Mimikatz Binary Execution
OS Credential Dumping
Executables Or Script Creation In Suspicious Path
Masquerading
WinRM Spawning a Process
Exploit Public-Facing Application
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Suspicious Process File Path
Create or Modify System Process
Get DomainUser with PowerShell
Domain Account, Account Discovery
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Modify Registry DisableSecuritySettings
Modify Registry
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Extraction of Registry Hives
Security Account Manager, OS Credential Dumping
Get ADUserResultantPasswordPolicy with Powershell
Password Policy Discovery
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
System User Discovery With Whoami
System Owner/User Discovery
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Suspicious Scheduled Task from Public Directory
Scheduled Task, Scheduled Task/Job
Windows Scheduled Task Created Via XML
Scheduled Task, Scheduled Task/Job
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Cmdline Tool Not Executed In CMD Shell
Command and Scripting Interpreter, JavaScript
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
CMD Carry Out String Command Parameter
Windows Command Shell, Command and Scripting Interpreter
Domain Controller Discovery with Nltest
Remote System Discovery
Windows Mimikatz Crypto Export File Extensions
Steal or Forge Authentication Certificates
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Scheduled Task with Highest Privileges
Scheduled Task/Job, Scheduled Task
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Network Connection Discovery With Netstat
System Network Connections Discovery
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Remote WMI Command Attempt
Windows Management Instrumentation
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows Disable Notification Center
Modify Registry
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Get ADUser with PowerShell
Domain Account, Account Discovery
Windows WMI Process Call Create
Windows Management Instrumentation
Windows Modify Registry Disable Restricted Admin
Modify Registry
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Windows System User Privilege Discovery
System Owner/User Discovery
Windows Process Commandline Discovery
Process Discovery
Windows LSA Secrets NoLMhash Registry
LSA Secrets
Windows Modify System Firewall with Notable Process Path
Disable or Modify System Firewall, Impair Defenses
Windows Rundll32 Apply User Settings Changes
System Binary Proxy Execution, Rundll32
Windows Modify Registry NoChangingWallPaper
Modify Registry
Detect Use of cmd exe to Launch Script Interpreters
Command and Scripting Interpreter, Windows Command Shell
Windows Privilege Escalation User Process Spawn System Process
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Privilege Escalation Suspicious Process Elevation
Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation
Windows Indicator Removal Via Rmdir
Indicator Removal
Windows Credentials from Password Stores Creation
Credentials from Password Stores
Windows Modify Registry ProxyEnable
Modify Registry
Windows Modify Registry AuthenticationLevelOverride
Modify Registry
Windows Modify Registry DontShowUI
Modify Registry
Windows Modify Registry DisableRemoteDesktopAntiAlias
Modify Registry
Windows Credentials from Password Stores Deletion
Credentials from Password Stores
Windows Archive Collected Data via Rar
Archive via Utility, Archive Collected Data
Windows Modify Registry ProxyServer
Modify Registry
Windows Masquerading Msdtc Process
Masquerading
Windows Parent PID Spoofing with Explorer
Parent PID Spoofing, Access Token Manipulation
Windows UAC Bypass Suspicious Child Process
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows UAC Bypass Suspicious Escalation Behavior
Abuse Elevation Control Mechanism, Bypass User Account Control
Windows CAB File on Disk
Spearphishing Attachment
Excessive number of taskhost processes
Command and Scripting Interpreter
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Spoolsv Writing a DLL
Print Processors, Boot or Logon Autostart Execution
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Services Escalate Exe
Abuse Elevation Control Mechanism
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Create local admin accounts using net exe
Local Account, Create Account
Suspicious writes to windows Recycle Bin
Masquerading
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Anomalous usage of 7zip
Archive via Utility, Archive Collected Data
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Exchange Web Shell
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Excel Spawning Windows Script Host
Security Account Manager, OS Credential Dumping
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Excel Spawning PowerShell
Security Account Manager, OS Credential Dumping
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows Office Product Spawning MSDT
Phishing, Spearphishing Attachment
Windows AD DSRM Account Changes
Account Manipulation
Office Spawning Control
Phishing, Spearphishing Attachment
Windows ConHost with Headless Argument
Hidden Window, Run Virtual Instance
Windows MSIExec Spawn WinDBG
Msiexec
Windows WinDBG Spawning AutoIt3
Command and Scripting Interpreter
Windows AutoIt3 Execution
Command and Scripting Interpreter
Windows Alternate DataStream - Process Execution
Hide Artifacts, NTFS File Attributes
Windows Registry SIP Provider Modification
SIP and Trust Provider Hijacking
Windows Modify Registry With MD5 Reg Key Name
Modify Registry
Windows Admin Permission Discovery
Local Groups
Windows Njrat Fileless Storage via Registry
Fileless Storage, Obfuscated Files or Information
Windows Disable or Modify Tools Via Taskkill
Impair Defenses, Disable or Modify Tools
Headless Browser Mockbin or Mocky Request
Hidden Window
Windows Delete or Modify System Firewall
Impair Defenses, Disable or Modify System Firewall
Headless Browser Usage
Hidden Window
Windows Time Based Evasion
Virtualization/Sandbox Evasion, Time Based Evasion
Windows Replication Through Removable Media
Replication Through Removable Media
WinRAR Spawning Shell Application
Ingress Tool Transfer
Windows SQL Spawning CertUtil
Ingress Tool Transfer
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Office Product Spawning Wmic
Phishing, Spearphishing Attachment
Office Product Spawning BITSAdmin
Phishing, Spearphishing Attachment
Office Product Spawning Rundll32 with no DLL
Phishing, Spearphishing Attachment
Office Product Spawn CMD Process
Phishing, Spearphishing Attachment
Office Document Spawned Child Process To Download
Phishing, Spearphishing Attachment
Office Product Spawning CertUtil
Phishing, Spearphishing Attachment
Office Product Spawning MSHTA
Phishing, Spearphishing Attachment
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
CMD Echo Pipe - Escalation
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
SearchProtocolHost with no Command Line with Network
Process Injection
MS Exchange Mailbox Replication service writing Active Server Pages
Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Detect Webshell Exploit Behavior
Server Software Component, Web Shell
W3WP Spawning Shell
Server Software Component, Web Shell
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Certify Command Line Arguments
Steal or Forge Authentication Certificates, Ingress Tool Transfer
Detect Certipy File Modifications
Steal or Forge Authentication Certificates, Archive Collected Data
Windows System Shutdown CommandLine
System Shutdown/Reboot
Windows Powershell RemoteSigned File
PowerShell, Command and Scripting Interpreter
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Domain Group Discovery With Net
Permission Groups Discovery, Domain Groups
Windows Scheduled Task Service Spawned Shell
Scheduled Task, Command and Scripting Interpreter
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Impacket Lateral Movement WMIExec Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Windows AdFind Exe
Remote System Discovery
Impacket Lateral Movement smbexec CommandLine Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Domain Account Discovery With Net App
Domain Account, Account Discovery
Impacket Lateral Movement Commandline Parameters
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service
Windows Service Stop Via Net and SC Application
Service Stop
SecretDumps Offline NTDS Dumping Tool
NTDS, OS Credential Dumping
Net Localgroup Discovery
Permission Groups Discovery, Local Groups
Excessive Usage Of Net App
Account Access Removal
Deleting Of Net Users
Account Access Removal
Windows Service Stop By Deletion
Service Stop
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
Windows MOVEit Transfer Writing ASPX
Exploit Public-Facing Application, External Remote Services
Windows Proxy Via Netsh
Internal Proxy, Proxy
Windows Ldifde Directory Object Behavior
Ingress Tool Transfer, Domain Groups
Windows Proxy Via Registry
Internal Proxy, Proxy
Windows PaperCut NG Spawn Shell
Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services
Windows Snake Malware Kernel Driver Comadmin
Kernel Modules and Extensions
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Active Setup Registry Autostart
Active Setup, Boot or Logon Autostart Execution
Monitor Registry Keys for Print Monitors
Port Monitors, Boot or Logon Autostart Execution
Registry Keys for Creating SHIM Databases
Application Shimming, Event Triggered Execution
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Registry Keys Used For Privilege Escalation
Image File Execution Options Injection, Event Triggered Execution
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Registry Modification for Safe Mode Persistence
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Enable RDP In Other Port Number
Remote Services
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Time Provider Persistence Registry
Time Providers, Boot or Logon Autostart Execution
Windows Disable Memory Crash Dump
Data Destruction
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Disable Services
Service Stop
PowerShell - Connect To Internet With Hidden Window
PowerShell, Command and Scripting Interpreter
Linux Unix Shell Enable All SysRq Functions
Unix Shell, Command and Scripting Interpreter
Linux System Reboot Via System Request Key
System Shutdown/Reboot
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Stop Services
Service Stop
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Malicious PowerShell Process With Obfuscation Techniques
Command and Scripting Interpreter, PowerShell
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Set Default PowerShell Execution Policy To Unrestricted or Bypass
Command and Scripting Interpreter, PowerShell
Linux Hardware Addition SwapOff
Hardware Additions
Linux Shred Overwrite Command
Data Destruction
Schtasks Run Task On Demand
Scheduled Task/Job
Linux Data Destruction Command
Data Destruction
Child Processes of Spoolsv exe
Exploitation for Privilege Escalation
Linux DD File Overwrite
Data Destruction
Dump LSASS via comsvcs DLL
LSASS Memory, OS Credential Dumping
Linux Java Spawning Shell
Exploit Public-Facing Application, External Remote Services
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Screensaver Event Trigger Execution
Event Triggered Execution, Screensaver
Linux System Network Discovery
System Network Configuration Discovery
Linux Adding Crontab Using List Parameter
Cron, Scheduled Task/Job
Logon Script Event Trigger Execution
Boot or Logon Initialization Scripts, Logon Script (Windows)
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Change Default File Association
Change Default File Association, Event Triggered Execution
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Linux Deleting Critical Directory Using RM Command
Data Destruction
Print Processor Registry Autostart
Print Processors, Boot or Logon Autostart Execution
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Any Powershell DownloadFile
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Overwriting Accessibility Binaries
Event Triggered Execution, Accessibility Features
Windows File Without Extension In Critical Folder
Data Destruction
Linux Service Restarted
Systemd Timers, Scheduled Task/Job
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Batch File Write to System32
User Execution, Malicious File
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Auto Admin Logon Registry Entry
Credentials in Registry, Unsecured Credentials
GetWmiObject User Account with PowerShell
Account Discovery, Local Account
Any Powershell DownloadString
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer
Hunting 3CXDesktopApp Software
Compromise Software Supply Chain
Add DefaultUser And Password In Registry
Credentials in Registry, Unsecured Credentials
Windows Service Create with Tscon
RDP Hijacking, Remote Service Session Hijacking, Windows Service
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Allow Inbound Traffic By Firewall Rule Registry
Remote Desktop Protocol, Remote Services
Windows Enable Win32 ScheduledJob via Registry
Scheduled Task
Windows Lateral Tool Transfer RemCom
Lateral Tool Transfer
Windows Remote Create Service
Create or Modify System Process, Windows Service
Clop Common Exec Parameter
User Execution
Windows Findstr GPP Discovery
Unsecured Credentials, Group Policy Preferences
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Windows Rundll32 WebDAV Request
Exfiltration Over Unencrypted Non-C2 Protocol
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Notepad with no Command Line Arguments
Process Injection
Office Product Writing cab or inf
Phishing, Spearphishing Attachment
Office Application Spawn rundll32 process
Phishing, Spearphishing Attachment
Office Application Drop Executable
Phishing, Spearphishing Attachment
Office Application Spawn Regsvr32 process
Phishing, Spearphishing Attachment
Detect Outlook exe writing a zip file
Phishing, Spearphishing Attachment
Windows Steal Authentication Certificates CertUtil Backup
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export Certificate
Steal or Forge Authentication Certificates
Windows Steal Authentication Certificates Export PfxCertificate
Steal or Forge Authentication Certificates
Windows Spearphishing Attachment Onenote Spawn Mshta
Spearphishing Attachment, Phishing
Windows Credential Dumping LSASS Memory Createdump
LSASS Memory
Detect suspicious processnames using pretrained model in DSDL
Command and Scripting Interpreter
Windows Java Spawning Shells
Exploit Public-Facing Application, External Remote Services
Windows Phishing PDF File Executes URL Link
Spearphishing Attachment, Phishing
Windows Server Software Component GACUtil Install to GAC
Server Software Component, IIS Components
Windows Modify Registry Default Icon Setting
Modify Registry
Windows Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Linux Ngrok Reverse Proxy Usage
Protocol Tunneling, Proxy, Web Service
Windows Boot or Logon Autostart Execution In Startup Folder
Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution
Windows User Execution Malicious URL Shortcut File
Malicious File, User Execution
Account Discovery With Net App
Domain Account, Account Discovery
Windows IIS Components Add New Module
Server Software Component, IIS Components
Windows Modify Registry Reg Restore
Query Registry
Windows WMI Process And Service List
Windows Management Instrumentation
Windows System Network Config Discovery Display DNS
System Network Configuration Discovery
Windows Change Default File Association For No File Ext
Change Default File Association, Event Triggered Execution
Windows Credentials from Password Stores Query
Credentials from Password Stores
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
Windows System Network Connections Discovery Netsh
System Network Connections Discovery
Windows Credentials in Registry Reg Query
Credentials in Registry, Unsecured Credentials
Windows Password Managers Discovery
Password Managers
Windows Private Keys Discovery
Private Keys, Unsecured Credentials
Windows Cached Domain Credentials Reg Query
Cached Domain Credentials, OS Credential Dumping
Windows Security Support Provider Reg Query
Security Support Provider, Boot or Logon Autostart Execution
Windows Information Discovery Fsutil
System Information Discovery
Windows System User Discovery Via Quser
System Owner/User Discovery
Windows Steal or Forge Kerberos Tickets Klist
Steal or Forge Kerberos Tickets
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows Apache Benchmark Binary
Command and Scripting Interpreter
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Common Ransomware Extensions
Data Destruction
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows System Discovery Using Qwinsta
System Owner/User Discovery
Windows System Discovery Using ldap Nslookup
System Owner/User Discovery
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows ISO LNK File Creation
Spearphishing Attachment, Phishing, Malicious Link, User Execution
Windows Phishing Recent ISO Exec Registry
Spearphishing Attachment, Phishing
Windows Protocol Tunneling with Plink
Protocol Tunneling, SSH
Windows Identify Protocol Handlers
Command and Scripting Interpreter
Dump LSASS via procdump
LSASS Memory, OS Credential Dumping
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Windows Service Deletion In Registry
Service Stop
Windows Remote Access Software Hunt
Remote Access Software
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Curl Upload File
Ingress Tool Transfer
Linux Proxy Socks Curl
Proxy, Non-Application Layer Protocol
Linux Ingress Tool Transfer with Curl
Ingress Tool Transfer
Linux Ingress Tool Transfer Hunting
Ingress Tool Transfer
Windows System Time Discovery W32tm Delay
System Time Discovery
Linux Clipboard Data Copy
Clipboard Data
Windows Command Shell DCRat ForkBomb Payload
Windows Command Shell, Command and Scripting Interpreter
Linux SSH Authorized Keys Modification
SSH Authorized Keys
Windows System Reboot CommandLine
System Shutdown/Reboot
Windows System LogOff Commandline
System Shutdown/Reboot
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows MOF Event Triggered Execution via WMI
Windows Management Instrumentation Event Subscription
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Suspicious Image Creation In Appdata Folder
Screen Capture
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Suspicious WAV file in Appdata Folder
Screen Capture
Windows Odbcconf Load Response File
Odbcconf
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Outbound Network Connection from Java Using Default Ports
Exploit Public-Facing Application, External Remote Services
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Remote Service Rdpwinst Tool Execution
Remote Desktop Protocol, Remote Services
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Valid Account With Never Expires Password
Service Stop
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Remote Access Software RMS Registry
Remote Access Software
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Remote Services Allow Remote Assistance
Remote Desktop Protocol, Remote Services
Windows Remote Services Allow Rdp In Firewall
Remote Desktop Protocol, Remote Services
Windows Remote Services Rdp Enable
Remote Desktop Protocol, Remote Services
Windows MSIExec Remote Download
Msiexec
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Java Writing JSP File
Exploit Public-Facing Application, External Remote Services
Windows Command and Scripting Interpreter Hunting Path Traversal
Command and Scripting Interpreter
Windows Command and Scripting Interpreter Path Traversal Exec
Command and Scripting Interpreter
Linux At Application Execution
At, Scheduled Task/Job
Linux Possible Append Command To At Allow Config File
At, Scheduled Task/Job
Schtasks scheduling job on remote system
Scheduled Task, Scheduled Task/Job
Windows System File on Disk
Exploitation for Privilege Escalation
Windows Service Create Kernel Mode Driver
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation
NLTest Domain Trust Discovery
Domain Trust Discovery
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect Renamed PSExec
System Services, Service Execution
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Excessive distinct processes from Windows Temp
Command and Scripting Interpreter
Windows Process With NamedPipe CommandLine
Process Injection
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Windows Schtasks Create Run As System
Scheduled Task, Scheduled Task/Job
CertUtil Download With VerifyCtl and Split Arguments
Ingress Tool Transfer
CertUtil Download With URLCache and Split Arguments
Ingress Tool Transfer
Linux pkexec Privilege Escalation
Exploitation for Privilege Escalation
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Potentially malicious code on commandline
Windows Command Shell
Linux Possible Ssh Key File Creation
SSH Authorized Keys, Account Manipulation
Linux Possible Access Or Modification Of sshd Config File
SSH Authorized Keys, Account Manipulation
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Credential Files
/etc/passwd and /etc/shadow, OS Credential Dumping
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux File Created In Kernel Driver Directory
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Install Kernel Module Using Modprobe Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Insert Kernel Module Using Insmod Utility
Kernel Modules and Extensions, Boot or Logon Autostart Execution
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Add User Account
Local Account, Create Account
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Service File Created In Systemd Directory
Systemd Timers, Scheduled Task/Job
Linux Possible Append Command To Profile Config File
Unix Shell Configuration Modification, Event Triggered Execution
Linux File Creation In Init Boot Directory
RC Scripts, Boot or Logon Initialization Scripts
Linux File Creation In Profile Directory
Unix Shell Configuration Modification, Event Triggered Execution
Linux Possible Cronjob Modification With Editor
Cron, Scheduled Task/Job
Linux Possible Append Cronjob Entry on Existing Cronjob File
Cron, Scheduled Task/Job
Linux At Allow Config File Creation
Cron, Scheduled Task/Job
Linux Edit Cron Table Parameter
Cron, Scheduled Task/Job
Linux Add Files In Known Crontab Directories
Cron, Scheduled Task/Job
Wget Download and Bash Execution
Ingress Tool Transfer
Curl Download and Bash Execution
Ingress Tool Transfer
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Suspicious Linux Discovery Commands
Unix Shell
Detect RClone Command-Line Usage
Automated Exfiltration
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Services LOLBAS Execution Process Spawn
Create or Modify System Process, Windows Service
Wmiprsve LOLBAS Execution Process Spawn
Windows Management Instrumentation
Possible Browser Pass View Parameter
Credentials from Web Browsers, Credentials from Password Stores
Wsmprovhost LOLBAS Execution Process Spawn
Remote Services, Windows Remote Management
Svchost LOLBAS Execution Process Spawn
Scheduled Task/Job, Scheduled Task
System Info Gathering Using Dxdiag Application
Gather Victim Host Information
Remote Process Instantiation via WinRM and PowerShell
Remote Services, Windows Remote Management
Windows DiskCryptor Usage
Data Encrypted for Impact
Remote Process Instantiation via DCOM and PowerShell
Remote Services, Distributed Component Object Model
Remote Process Instantiation via WMI and PowerShell
Windows Management Instrumentation
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Scheduled Task Initiation on Remote Endpoint
Scheduled Task/Job, Scheduled Task
WMIC XSL Execution via URL
XSL Script Processing
Scheduled Task Creation on Remote Endpoint using At
Scheduled Task/Job, At
Remote Process Instantiation via WinRM and Winrs
Remote Services, Windows Remote Management
Windows Service Creation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Windows Service Initiation on Remote Endpoint
Create or Modify System Process, Windows Service
Windows Curl Download to Suspicious Path
Ingress Tool Transfer
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
ServicePrincipalNames Discovery with SetSPN
Kerberoasting
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Process Writing DynamicWrapperX
Command and Scripting Interpreter, Component Object Model
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Vbscript Execution Using Wscript App
Visual Basic, Command and Scripting Interpreter
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Remcos RAT File Creation in Remcos Folder
Screen Capture
BITS Job Persistence
BITS Jobs
Credential Dumping via Copy Command from Shadow Copy
NTDS, OS Credential Dumping
Credential Dumping via Symlink to Shadow Copy
NTDS, OS Credential Dumping
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect Renamed RClone
Automated Exfiltration
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Local Account Discovery with Net
Account Discovery, Local Account
Local Account Discovery With Wmic
Account Discovery, Local Account
Detect Renamed 7-Zip
Archive via Utility, Archive Collected Data
Creation of Shadow Copy with wmic and powershell
NTDS, OS Credential Dumping
Detect PsExec With accepteula Flag
Remote Services, SMB/Windows Admin Shares
Detect Renamed WinRAR
Archive via Utility, Archive Collected Data
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Check Elevated CMD using whoami
System Owner/User Discovery
PowerShell Get LocalGroup Discovery
Permission Groups Discovery, Local Groups
Wmic Group Discovery
Permission Groups Discovery, Local Groups
Get WMIObject Group Discovery
Permission Groups Discovery, Local Groups
System User Discovery With Query
System Owner/User Discovery
GetCurrent User with PowerShell
System Owner/User Discovery
User Discovery With Env Vars PowerShell
System Owner/User Discovery
XSL Script Execution With WMIC
XSL Script Processing
Jscript Execution Using Cscript App
Command and Scripting Interpreter, JavaScript
Network Connection Discovery With Arp
System Network Connections Discovery
Network Connection Discovery With Net
System Network Connections Discovery
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
GetDomainComputer with PowerShell
Remote System Discovery
GetAdComputer with PowerShell
Remote System Discovery
GetDomainController with PowerShell
Remote System Discovery
GetWmiObject Ds Computer with PowerShell
Remote System Discovery
Bcdedit Command Back To Normal Mode Boot
Inhibit System Recovery
Change To Safe Mode With Network Config
Inhibit System Recovery
Get-ForestTrust with PowerShell
Domain Trust Discovery
Domain Group Discovery With Dsquery
Permission Groups Discovery, Domain Groups
Remote System Discovery with Wmic
Remote System Discovery
Domain Controller Discovery with Wmic
Remote System Discovery
Remote System Discovery with Dsquery
Remote System Discovery
Remote System Discovery with Net
Remote System Discovery
Get DomainPolicy with Powershell
Password Policy Discovery
Process Creating LNK file in Suspicious Location
Phishing, Spearphishing Link
Get ADDefaultDomainPasswordPolicy with Powershell
Password Policy Discovery
Password Policy Discovery with Net
Password Policy Discovery
GetNetTcpconnection with PowerShell
System Network Connections Discovery
GetWmiObject Ds Group with PowerShell
Permission Groups Discovery, Domain Groups
Domain Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Net
Permission Groups Discovery, Domain Groups
GetDomainGroup with PowerShell
Permission Groups Discovery, Domain Groups
GetAdGroup with PowerShell
Permission Groups Discovery, Domain Groups
Elevated Group Discovery With Wmic
Permission Groups Discovery, Domain Groups
Domain Account Discovery with Dsquery
Domain Account, Account Discovery
Get-DomainTrust with PowerShell
Domain Trust Discovery
Domain Account Discovery with Wmic
Domain Account, Account Discovery
GetWmiObject DS User with PowerShell
Domain Account, Account Discovery
GetLocalUser with PowerShell
Account Discovery, Local Account
Esentutl SAM Copy
Security Account Manager, OS Credential Dumping
7zip CommandLine To SMB Share Path
Archive via Utility, Archive Collected Data
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
CHCP Command Execution
Command and Scripting Interpreter
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Spoolsv Spawning Rundll32
Print Processors, Boot or Logon Autostart Execution
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Execute Javascript With Jscript COM CLSID
Command and Scripting Interpreter, Visual Basic
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Prevent Automatic Repair Mode using Bcdedit
Inhibit System Recovery
Revil Common Exec Parameter
User Execution
Conti Common Exec parameter
User Execution
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Disabling Net User Account
Account Access Removal
Excessive Service Stop Attempt
Service Stop
Excessive Attempt To Disable Services
Service Stop
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Winword Spawning Cmd
Phishing, Spearphishing Attachment
Wermgr Process Spawned CMD Or Powershell Process
Command and Scripting Interpreter
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Winword Spawning PowerShell
Phishing, Spearphishing Attachment
Winword Spawning Windows Script Host
Phishing, Spearphishing Attachment
DSQuery Domain Discovery
Domain Trust Discovery
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
Resize ShadowStorage volume
Inhibit System Recovery
Nishang PowershellTCPOneLine
Command and Scripting Interpreter, PowerShell
Ryuk Wake on LAN Command
Command and Scripting Interpreter, Windows Command Shell
Suspicious SQLite3 LSQuarantine Behavior
Data Staged
Suspicious PlistBuddy Usage
Launch Agent, Create or Modify System Process
Suspicious Curl Network Connection
Ingress Tool Transfer
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Ntdsutil Export NTDS
NTDS, OS Credential Dumping
WBAdmin Delete System Backups
Inhibit System Recovery
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious Powershell Command-Line Arguments
PowerShell
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
BCDEdit Failure Recovery Modification
Inhibit System Recovery
Single Letter Process On Endpoint
User Execution, Malicious File
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Shim Database File Creation
Application Shimming, Event Triggered Execution
Schtasks used for forcing a reboot
Scheduled Task, Scheduled Task/Job
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Shim Database Installation With Suspicious Parameters
Application Shimming, Event Triggered Execution
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter, Windows Command Shell
Detect processes used for System Network Configuration Discovery
System Network Configuration Discovery
Deleting Shadow Copies
Inhibit System Recovery
Common Ransomware Notes
Data Destruction
Windows connhost exe started forcefully
Windows Command Shell
Ryuk Test Files Detected
Data Encrypted for Impact
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Suspicious Reg exe Process
Modify Registry
Uncommon Processes On Endpoint
Malicious File
Suspicious Changes to File Associations
Change Default File Association
Remote Desktop Process Running On System
Remote Desktop Protocol, Remote Services
Sc exe Manipulating Windows Services
Windows Service, Create or Modify System Process
First time seen command line argument
PowerShell, Windows Command Shell
Malicious PowerShell Process - Execution Policy Bypass
Command and Scripting Interpreter, PowerShell
Email files written outside of the Outlook directory
Email Collection, Local Email Collection
Detection of tools built by NirSoft
Software Deployment Tools
Scheduled tasks used in BadRabbit ransomware
Scheduled Task
First Time Seen Child Process of Zoom
Exploitation for Privilege Escalation
Script Execution via WMI
Windows Management Instrumentation
Process Execution via WMI
Windows Management Instrumentation
Web Servers Executing Suspicious Processes
System Information Discovery
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
Samsam Test File Write
Data Encrypted for Impact
USN Journal Deletion
Indicator Removal