Endpoint

Suspicious msbuild path

Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild

Rubeus Command Line Parameters

Use Alternate Authentication Material , Pass the Ticket , Steal or Forge Kerberos Tickets , Kerberoasting , AS-REP Roasting

Detect SharpHound Usage

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter , Windows Command Shell , Windows Service , Create or Modify System Process

Suspicious msbuild path

Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild