Endpoint

Remote Services , Distributed Component Object Model , Windows Remote Management , Windows Management Instrumentation , Scheduled Task , Windows Service , Po...

Detect RClone Command-Line Usage

Automated Exfiltration

Windows Defender Exclusion Registry Entry

Disable or Modify Tools , Impair Defenses

Powershell Windows Defender Exclusion Commands

Disable or Modify Tools , Impair Defenses

Add or Set Windows Defender Exclusion

Disable or Modify Tools , Impair Defenses

Mmc LOLBAS Execution Process Spawn

Remote Services , Distributed Component Object Model

Wsmprovhost LOLBAS Execution Process Spawn

Remote Services , Windows Remote Management

Wmiprsve LOLBAS Execution Process Spawn

Windows Management Instrumentation

Svchost LOLBAS Execution Process Spawn

Scheduled Task/Job , Scheduled Task

Services LOLBAS Execution Process Spawn

Create or Modify System Process , Windows Service

Possible Browser Pass View Parameter

Credentials from Web Browsers , Credentials from Password Stores

System Info Gathering Using Dxdiag Application

Gather Victim Host Information

Loading Of Dynwrapx Module

Process Injection , Dynamic-link Library Injection

Windows DISM Remove Defender

Disable or Modify Tools , Impair Defenses

Remote Process Instantiation via WinRM and PowerShell

Remote Services , Windows Remote Management

High Frequency Copy Of Files In Network Share

Transfer Data to Cloud Account

Windows DiskCryptor Usage

Data Encrypted for Impact

Remote Process Instantiation via WMI and PowerShell

Windows Management Instrumentation

Remote Process Instantiation via DCOM and PowerShell

Remote Services , Distributed Component Object Model

Windows InstallUtil URL in Command Line

InstallUtil , Signed Binary Proxy Execution

Windows InstallUtil Uninstall Option with Network

InstallUtil , Signed Binary Proxy Execution

Windows InstallUtil Uninstall Option

InstallUtil , Signed Binary Proxy Execution

Windows InstallUtil Remote Network Connection

InstallUtil , Signed Binary Proxy Execution

Windows InstallUtil Credential Theft

InstallUtil , Signed Binary Proxy Execution

Runas Execution in CommandLine

Access Token Manipulation , Token Impersonation/Theft

Remote Process Instantiation via WMI

Windows Management Instrumentation

Network Discovery Using Route Windows App

System Network Configuration Discovery , Internet Connection Discovery

Firewall Allowed Program Enable

Disable or Modify System Firewall , Impair Defenses

CSC Net On The Fly Compilation

Compile After Delivery , Obfuscated Files or Information

WMIC XSL Execution via URL

XSL Script Processing

Schtasks scheduling job on remote system

Scheduled Task , Scheduled Task/Job

Scheduled Task Initiation on Remote Endpoint

Scheduled Task/Job , Scheduled Task

Scheduled Task Creation on Remote Endpoint using At

Scheduled Task/Job , At (Windows)

Remote Process Instantiation via WinRM and Winrs

Remote Services , Windows Remote Management

Windows Service Initiation on Remote Endpoint

Create or Modify System Process , Windows Service

Windows Service Creation on Remote Endpoint

Create or Modify System Process , Windows Service

Windows Curl Upload to Remote Destination

Ingress Tool Transfer

Attacker Tools On Endpoint

Match Legitimate Name or Location , Masquerading , OS Credential Dumping , Active Scanning

Windows AdFind Exe

Remote System Discovery

Wmic NonInteractive App Uninstallation

Disable or Modify Tools , Impair Defenses

WinEvent Windows Task Scheduler Event Action Started

Scheduled Task

Windows Curl Download to Suspicious Path

Ingress Tool Transfer

Disable Schedule Task

Disable or Modify Tools , Impair Defenses

ServicePrincipalNames Discovery with SetSPN

Kerberoasting

SearchProtocolHost with no Command Line with Network

Process Injection

Rundll32 with no Command Line Arguments with Network

Signed Binary Proxy Execution , Rundll32

DLLHost with no Command Line Arguments with Network

Process Injection

Suspicious wevtutil Usage

Clear Windows Event Logs , Indicator Removal on Host

Wscript Or Cscript Suspicious Child Process

Process Injection , Create or Modify System Process , Parent PID Spoofing , Access Token Manipulation

Sdelete Application Execution

Data Destruction , File Deletion , Indicator Removal on Host

Winhlp32 Spawning a Process

Process Injection

Suspicious Copy on System32

Rename System Utilities , Masquerading

Rundll32 Shimcache Flush

Modify Registry

Process Writing DynamicWrapperX

Command and Scripting Interpreter , Component Object Model

Malicious InProcServer32 Modification

Regsvr32 , Modify Registry

Detect Exchange Web Shell

Server Software Component , Web Shell , Exploit Public-Facing Application

Regsvr32 Silent and Install Param Dll Loading

Signed Binary Proxy Execution , Regsvr32

MSBuild Suspicious Spawned By Script Process

MSBuild , Trusted Developer Utilities Proxy Execution

Vbscript Execution Using Wscript App

Visual Basic , Command and Scripting Interpreter

Verclsid CLSID Execution

Verclsid , Signed Binary Proxy Execution

Print Processor Registry Autostart

Print Processors , Boot or Logon Autostart Execution

Screensaver Event Trigger Execution

Event Triggered Execution , Screensaver

Logon Script Event Trigger Execution

Boot or Logon Initialization Scripts , Logon Script (Windows)

Change Default File Association

Change Default File Association , Event Triggered Execution

Suspicious WAV file in Appdata Folder

Screen Capture

Suspicious Image Creation In Appdata Folder

Screen Capture

Remcos RAT File Creation in Remcos Folder

Screen Capture

Suspicious SearchProtocolHost no Command Line Arguments

Process Injection

Suspicious Rundll32 no Command Line Arguments

Signed Binary Proxy Execution , Rundll32

Suspicious microsoft workflow compiler rename

Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities

Suspicious GPUpdate no Command Line Arguments

Process Injection

Suspicious DLLHost no Command Line Arguments

Process Injection

Office Document Spawned Child Process To Download

Phishing , Spearphishing Attachment

Detect Regsvcs with No Command Line Arguments

Signed Binary Proxy Execution , Regsvcs/Regasm

Detect Regasm with no Command Line Arguments

Signed Binary Proxy Execution , Regsvcs/Regasm

Processes launching netsh

Disable or Modify System Firewall , Impair Defenses

Office Product Spawning Wmic

Phishing , Spearphishing Attachment

Local Account Discovery With Wmic

Account Discovery , Local Account

Local Account Discovery with Net

Account Discovery , Local Account

Dump LSASS via procdump

LSASS Memory , OS Credential Dumping

Detect Renamed WinRAR

Archive via Utility , Archive Collected Data

Detect Renamed PSExec

System Services , Service Execution

Detect Renamed 7-Zip

Archive via Utility , Archive Collected Data

Detect PsExec With accepteula Flag

Remote Services , SMB/Windows Admin Shares

Detect MSHTA Url in Command Line

Signed Binary Proxy Execution , Mshta

Detect mshta renamed

Signed Binary Proxy Execution , Mshta

Detect mshta inline hta execution

Signed Binary Proxy Execution , Mshta

Detect HTML Help Using InfoTech Storage Handlers

Signed Binary Proxy Execution , Compiled HTML File

Detect HTML Help URL in Command Line

Signed Binary Proxy Execution , Compiled HTML File

Detect HTML Help Renamed

Signed Binary Proxy Execution , Compiled HTML File

Credential Dumping via Symlink to Shadow Copy

NTDS , OS Credential Dumping

Credential Dumping via Copy Command from Shadow Copy

NTDS , OS Credential Dumping

Creation of Shadow Copy with wmic and powershell

NTDS , OS Credential Dumping

BITSAdmin Download File

BITS Jobs , Ingress Tool Transfer

BITS Job Persistence

BITS Jobs

Batch File Write to System32

User Execution , Malicious File

Attempted Credential Dump From Registry via Reg exe

Security Account Manager , OS Credential Dumping

Attempt To Add Certificate To Untrusted Store

Install Root Certificate , Subvert Trust Controls

Account Discovery With Net App

Domain Account , Account Discovery

Non Firefox Process Access Firefox Profile Dir

Credentials from Password Stores , Credentials from Web Browsers

Non Chrome Process Accessing Chrome Default Dir

Credentials from Password Stores , Credentials from Web Browsers

Check Elevated CMD using whoami

System Owner/User Discovery

Wmic Group Discovery

Permission Groups Discovery , Local Groups

PowerShell Get LocalGroup Discovery

Permission Groups Discovery , Local Groups

Net Localgroup Discovery

Permission Groups Discovery , Local Groups

Get WMIObject Group Discovery

Permission Groups Discovery , Local Groups

Cmdline Tool Not Executed In CMD Shell

Command and Scripting Interpreter , JavaScript

XSL Script Execution With WMIC

XSL Script Processing

User Discovery With Env Vars PowerShell

System Owner/User Discovery

System User Discovery With Whoami

System Owner/User Discovery

System User Discovery With Query

System Owner/User Discovery

Office Application Drop Executable

Phishing , Spearphishing Attachment

MS Scripting Process Loading WMI Module

Command and Scripting Interpreter , JavaScript

MS Scripting Process Loading Ldap Module

Command and Scripting Interpreter , JavaScript

Jscript Execution Using Cscript App

Command and Scripting Interpreter , JavaScript

GetCurrent User with PowerShell

System Owner/User Discovery

Office Product Writing cab or inf

Phishing , Spearphishing Attachment

Network Connection Discovery With Netstat

System Network Connections Discovery

Network Connection Discovery With Net

System Network Connections Discovery

Network Connection Discovery With Arp

System Network Connections Discovery

MSHTML Module Load in Office Product

Phishing , Spearphishing Attachment

Extraction of Registry Hives

Security Account Manager , OS Credential Dumping

Rundll32 Control RunDLL World Writable Directory

Signed Binary Proxy Execution , Rundll32

Rundll32 Control RunDLL Hunt

Signed Binary Proxy Execution , Rundll32

Office Spawning Control

Phishing , Spearphishing Attachment

Create local admin accounts using net exe

Local Account , Create Account

Control Loading from World Writable Directory

Signed Binary Proxy Execution , Control Panel

System Information Discovery Detection

System Information Discovery

SchCache Change By App Connect And Create ADSI Object

Domain Account , Account Discovery

GetWmiObject Ds Computer with PowerShell

Remote System Discovery

GetDomainController with PowerShell

Remote System Discovery

GetDomainComputer with PowerShell

Remote System Discovery

GetAdComputer with PowerShell

Remote System Discovery

Change To Safe Mode With Network Config

Inhibit System Recovery

Bcdedit Command Back To Normal Mode Boot

Inhibit System Recovery

Get-ForestTrust with PowerShell

Domain Trust Discovery

Remote System Discovery with Wmic

Remote System Discovery

Domain Group Discovery With Dsquery

Permission Groups Discovery , Domain Groups

Domain Controller Discovery with Wmic

Remote System Discovery

Remote System Discovery with Dsquery

Remote System Discovery

Remote System Discovery with Net

Remote System Discovery

Domain Controller Discovery with Nltest

Remote System Discovery

Process Creating LNK file in Suspicious Location

Phishing , Spearphishing Link

Password Policy Discovery with Net

Password Policy Discovery

Get DomainPolicy with Powershell

Password Policy Discovery

Get ADUserResultantPasswordPolicy with Powershell

Password Policy Discovery

Get ADDefaultDomainPasswordPolicy with Powershell

Password Policy Discovery

GetWmiObject Ds Group with PowerShell

Permission Groups Discovery , Domain Groups

GetNetTcpconnection with PowerShell

System Network Connections Discovery

GetDomainGroup with PowerShell

Permission Groups Discovery , Domain Groups

GetAdGroup with PowerShell

Permission Groups Discovery , Domain Groups

Elevated Group Discovery With Wmic

Permission Groups Discovery , Domain Groups

Elevated Group Discovery With Net

Permission Groups Discovery , Domain Groups

Domain Group Discovery With Wmic

Permission Groups Discovery , Domain Groups

Domain Group Discovery With Net

Permission Groups Discovery , Domain Groups

GetWmiObject DS User with PowerShell

Domain Account , Account Discovery

Get DomainUser with PowerShell

Domain Account , Account Discovery

Get ADUser with PowerShell

Domain Account , Account Discovery

Get-DomainTrust with PowerShell

Domain Trust Discovery

Domain Account Discovery with Wmic

Domain Account , Account Discovery

Domain Account Discovery With Net App

Domain Account , Account Discovery

Domain Account Discovery with Dsquery

Domain Account , Account Discovery

GetWmiObject User Account with PowerShell

Account Discovery , Local Account

GetLocalUser with PowerShell

Account Discovery , Local Account

Esentutl SAM Copy

Security Account Manager , OS Credential Dumping

7zip CommandLine To SMB Share Path

Archive via Utility , Archive Collected Data

UAC Bypass With Colorui COM Object

Signed Binary Proxy Execution , CMSTP

Fsutil Zeroing File

Indicator Removal on Host

Powershell Execute COM Object

Component Object Model Hijacking , Event Triggered Execution

Uninstall App Using MsiExec

Msiexec , Signed Binary Proxy Execution

Create Remote Thread In Shell Application

Process Injection

Sqlite Module In Temp Folder

Data from Local System

Office Application Spawn Regsvr32 process

Phishing , Spearphishing Attachment

IcedID Exfiltrated Archived File Creation

Archive via Utility , Archive Collected Data

Drop IcedID License dat

User Execution , Malicious File

Rundll32 Create Remote Thread To A Process

Process Injection

Regsvr32 with Known Silent Switch Cmdline

Signed Binary Proxy Execution , Regsvr32

CHCP Command Execution

Command and Scripting Interpreter

Suspicious Rundll32 PluginInit

Signed Binary Proxy Execution , Rundll32

Suspicious IcedID Rundll32 Cmdline

Signed Binary Proxy Execution , Rundll32

Rundll32 Process Creating Exe Dll Files

Signed Binary Proxy Execution , Rundll32

Rundll32 CreateRemoteThread In Browser

Process Injection

SAM Database File Access Attempt

Security Account Manager , OS Credential Dumping

Office Product Spawn CMD Process

Signed Binary Proxy Execution , Mshta

Mshta spawning Rundll32 OR Regsvr32 Process

Signed Binary Proxy Execution , Mshta

UAC Bypass MMC Load Unsigned Dll

Bypass User Account Control , Abuse Elevation Control Mechanism

Powershell Disable Security Monitoring

Disable or Modify Tools , Impair Defenses

Msmpeng Application DLL Side Loading

DLL Side-Loading , Hijack Execution Flow

Spoolsv Writing a DLL - Sysmon

Print Processors , Boot or Logon Autostart Execution

Spoolsv Writing a DLL

Print Processors , Boot or Logon Autostart Execution

Spoolsv Suspicious Process Access

Exploitation for Privilege Escalation

Spoolsv Suspicious Loaded Modules

Print Processors , Boot or Logon Autostart Execution

Spoolsv Spawning Rundll32

Print Processors , Boot or Logon Autostart Execution

Print Spooler Failed to Load a Plug-in

Print Processors , Boot or Logon Autostart Execution

Print Spooler Adding A Printer Driver

Print Processors , Boot or Logon Autostart Execution

Excessive number of service control start as disabled

Disable or Modify Tools , Impair Defenses

Excessive Usage Of SC Service Utility

System Services , Service Execution

Allow Network Discovery In Firewall

Disable or Modify Cloud Firewall , Impair Defenses

Allow File And Printing Sharing In Firewall

Disable or Modify Cloud Firewall , Impair Defenses

Recursive Delete of Directory In Batch CMD

File Deletion , Indicator Removal on Host

Powershell Enable SMB1Protocol Feature

Obfuscated Files or Information , Indicator Removal from Tools

Execute Javascript With Jscript COM CLSID

Command and Scripting Interpreter , Visual Basic

Prevent Automatic Repair Mode using Bcdedit

Inhibit System Recovery

Permission Modification using Takeown App

File and Directory Permissions Modification

Disable Logs Using WevtUtil

Indicator Removal on Host , Clear Windows Event Logs

Clear Unallocated Sector Using Cipher App

File Deletion , Indicator Removal on Host

Excessive number of taskhost processes

System Owner/User Discovery

Known Services Killed by Ransomware

Inhibit System Recovery

Wbemprox COM Object Execution

Signed Binary Proxy Execution , CMSTP

Revil Common Exec Parameter

User Execution

Modification Of Wallpaper

Defacement

Conti Common Exec parameter

User Execution

Detect SharpHound Command-Line Arguments

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

Detect AzureHound File Modifications

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

Detect AzureHound Command-Line Arguments

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

Detect SharpHound Usage

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

Detect SharpHound File Modifications

Domain Account , Local Groups , Domain Trust Discovery , Local Account , Account Discovery , Domain Groups , Permission Groups Discovery

SecretDumps Offline NTDS Dumping Tool

NTDS , OS Credential Dumping

WinRM Spawning a Process

Exploit Public-Facing Application

CMD Echo Pipe - Escalation

Command and Scripting Interpreter , Windows Command Shell , Windows Service , Create or Modify System Process

Mailsniper Invoke functions

Email Collection , Local Email Collection

Allow Inbound Traffic In Firewall Rule

Remote Desktop Protocol , Remote Services

Services Escalate Exe

Abuse Elevation Control Mechanism

SLUI Spawning a Process

Bypass User Account Control , Abuse Elevation Control Mechanism

SLUI RunAs Elevated

Bypass User Account Control , Abuse Elevation Control Mechanism

CMLUA Or CMSTPLUA UAC Bypass

Signed Binary Proxy Execution , CMSTP

Delete ShadowCopy With PowerShell

Inhibit System Recovery

Schtasks Run Task On Demand

Scheduled Task/Job

Excessive Usage Of Cacls App

File and Directory Permissions Modification

Executables Or Script Creation In Suspicious Path

Masquerading

Excessive Usage Of Net App

Account Access Removal

Enumerate Users Local Group Using Telegram

Account Discovery

Download Files Using Telegram

Ingress Tool Transfer

Suspicious Process File Path

Create or Modify System Process

Process Kill Base On File Path

Disable or Modify Tools , Impair Defenses

Modify ACL permission To Files Or Folder

File and Directory Permissions Modification

ICACLS Grant Command

File and Directory Permissions Modification

Excessive Usage Of Taskkill

Disable or Modify Tools , Impair Defenses

Excessive Service Stop Attempt

Service Stop

Excessive Attempt To Disable Services

Service Stop

Disabling Net User Account

Account Access Removal

Deleting Of Net Users

Account Access Removal

XMRIG Driver Loaded

Windows Service , Create or Modify System Process

Suspicious Driver Loaded Path

Windows Service , Create or Modify System Process

Icacls Deny Command

File and Directory Permissions Modification

Trickbot Named Pipe

Process Injection

Office Product Spawning MSHTA

Phishing , Spearphishing Attachment

Office Product Spawning CertUtil

Phishing , Spearphishing Attachment

Office Product Spawning BITSAdmin

Phishing , Spearphishing Attachment

Winword Spawning Cmd

Phishing , Spearphishing Attachment

Office Product Spawning Rundll32 with no DLL

Phishing , Spearphishing Attachment

Anomalous usage of 7zip

Archive via Utility , Archive Collected Data

Excessive Usage of NSLOOKUP App

Exfiltration Over Alternative Protocol

Wermgr Process Spawned CMD Or Powershell Process

Command and Scripting Interpreter

Wermgr Process Create Executable File

Obfuscated Files or Information

Wermgr Process Connecting To IP Check Web Services

Gather Victim Network Information , IP Addresses

Schedule Task with Rundll32 Command Trigger

Scheduled Task/Job

Schedule Task with HTTP Command Arguments

Scheduled Task/Job

Powershell Remote Thread To Known Windows Process

Process Injection

GPUpdate with no Command Line Arguments with Network

Process Injection

DNS Exfiltration Using Nslookup App

Exfiltration Over Alternative Protocol

Office Document Executing Macro Code

Phishing , Spearphishing Attachment

Office Document Creating Schedule Task

Phishing , Spearphishing Attachment

Office Application Spawn rundll32 process

Phishing , Spearphishing Attachment

Winword Spawning Windows Script Host

Phishing , Spearphishing Attachment

Winword Spawning PowerShell

Phishing , Spearphishing Attachment

Excel Spawning Windows Script Host

Security Account Manager , OS Credential Dumping

Excel Spawning PowerShell

Security Account Manager , OS Credential Dumping

Malicious Powershell Executed As A Service

System Services , Service Execution

DSQuery Domain Discovery

Domain Trust Discovery

Disabling Firewall with Netsh

Disable or Modify Tools , Impair Defenses

PowerShell Start-BitsTransfer

BITS Jobs

CertUtil With Decode Argument

Deobfuscate/Decode Files or Information

Clop Ransomware Known Service Name

Create or Modify System Process

Clop Common Exec Parameter

User Execution

Windows High File Deletion Frequency

Data Destruction

High Process Termination Frequency

Data Encrypted for Impact

Resize ShadowStorage volume

Inhibit System Recovery

Ransomware Notes bulk creation

Data Encrypted for Impact

W3WP Spawning Shell

Server Software Component , Web Shell

Nishang PowershellTCPOneLine

Command and Scripting Interpreter , PowerShell

Windows DisableAntiSpyware Registry

Disable or Modify Tools , Impair Defenses

Unified Messaging Service Spawning a Process

Exploit Public-Facing Application

Suspicious Scheduled Task from Public Directory

Scheduled Task , Scheduled Task/Job

Ryuk Wake on LAN Command

Command and Scripting Interpreter , Windows Command Shell

FodHelper UAC Bypass

Modify Registry , Bypass User Account Control , Abuse Elevation Control Mechanism

Any Powershell DownloadString

Command and Scripting Interpreter , PowerShell

Any Powershell DownloadFile

Command and Scripting Interpreter , PowerShell

Suspicious SQLite3 LSQuarantine Behavior

Data Staged

Suspicious PlistBuddy Usage

Launch Agent , Create or Modify System Process

Suspicious Curl Network Connection

Ingress Tool Transfer

Detect Regsvcs Spawning a Process

Signed Binary Proxy Execution , Regsvcs/Regasm

Detect Regasm Spawning a Process

Signed Binary Proxy Execution , Regsvcs/Regasm

Detect HTML Help Spawn Child Process

Signed Binary Proxy Execution , Compiled HTML File

Suspicious Rundll32 dllregisterserver

Signed Binary Proxy Execution , Rundll32

Suspicious Rundll32 StartW

Signed Binary Proxy Execution , Rundll32

Detect Rundll32 Application Control Bypass - syssetup

Signed Binary Proxy Execution , Rundll32

Detect Rundll32 Application Control Bypass - setupapi

Signed Binary Proxy Execution , Rundll32

Detect Rundll32 Application Control Bypass - advpack

Signed Binary Proxy Execution , Rundll32

Suspicious Regsvr32 Register Suspicious Path

Signed Binary Proxy Execution , Regsvr32

Ntdsutil Export NTDS

NTDS , OS Credential Dumping

Detect Regsvr32 Application Control Bypass

Signed Binary Proxy Execution , Regsvr32

Revil Registry Entry

Modify Registry

Certutil exe certificate extraction

NLTest Domain Trust Discovery

Domain Trust Discovery

WBAdmin Delete System Backups

Inhibit System Recovery

Suspicious mshta spawn

Signed Binary Proxy Execution , Mshta

Detect Rundll32 Inline HTA Execution

Signed Binary Proxy Execution , Mshta

Suspicious Powershell Command-Line Arguments

PowerShell

Malicious PowerShell Process With Obfuscation Techniques

Command and Scripting Interpreter , PowerShell

Malicious PowerShell Process - Multiple Suspicious Command-Line Arguments

PowerShell

Suspicious mshta child process

Signed Binary Proxy Execution , Mshta

Suspicious MSBuild Spawn

Trusted Developer Utilities Proxy Execution , MSBuild

Suspicious MSBuild Rename

Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild

Suspicious msbuild path

Masquerading , Trusted Developer Utilities Proxy Execution , Rename System Utilities , MSBuild

Suspicious microsoft workflow compiler usage

Trusted Developer Utilities Proxy Execution

BCDEdit Failure Recovery Modification

Inhibit System Recovery

System Processes Run From Unexpected Locations

Masquerading , Rename System Utilities

Single Letter Process On Endpoint

User Execution , Malicious File

Schtasks used for forcing a reboot

Scheduled Task , Scheduled Task/Job

Reg exe Manipulating Windows Services Registry Keys

Services Registry Permissions Weakness , Hijack Execution Flow

Shim Database Installation With Suspicious Parameters

Application Shimming , Event Triggered Execution

Processes created by netsh

Disable or Modify System Firewall

Execution of File With Spaces Before Extension

Rename System Utilities

Execution of File with Multiple Extensions

Masquerading , Rename System Utilities

Detect Prohibited Applications Spawning cmd exe

Command and Scripting Interpreter , Windows Command Shell

Detect processes used for System Network Configuration Discovery

System Network Configuration Discovery

Deleting Shadow Copies

Inhibit System Recovery

Common Ransomware Notes

Data Destruction

Common Ransomware Extensions

Data Destruction

Create or delete windows shares using net exe

Indicator Removal on Host , Network Share Connection Removal

Unload Sysmon Filter Driver

Disable or Modify Tools , Impair Defenses

Uncommon Processes On Endpoint

Malicious File

Suspicious Reg exe Process

Modify Registry

Scheduled tasks used in BadRabbit ransomware

Scheduled Task

Sc exe Manipulating Windows Services

Windows Service , Create or Modify System Process

Remote Desktop Process Running On System

Remote Desktop Protocol , Remote Services

Overwriting Accessibility Binaries

Event Triggered Execution , Accessibility Features

Malicious PowerShell Process - Execution Policy Bypass

Command and Scripting Interpreter , PowerShell

Hiding Files And Directories With Attrib exe

File and Directory Permissions Modification , Windows File and Directory Permissions Modification

First time seen command line argument

PowerShell , Windows Command Shell

Email files written outside of the Outlook directory

Email Collection , Local Email Collection

Detection of tools built by NirSoft

Software Deployment Tools

Detect Use of cmd exe to Launch Script Interpreters

Command and Scripting Interpreter , Windows Command Shell

Attempt To Stop Security Service

Disable or Modify Tools , Impair Defenses

Detect Path Interception By Creation Of program exe

Path Interception by Unquoted Path , Hijack Execution Flow

First Time Seen Child Process of Zoom

Exploitation for Privilege Escalation

Script Execution via WMI

Windows Management Instrumentation

Process Execution via WMI

Windows Management Instrumentation

Detect Rare Executables

Child Processes of Spoolsv exe

Exploitation for Privilege Escalation

Dump LSASS via comsvcs DLL

LSASS Memory , OS Credential Dumping

MacOS - Re-opened Applications

WSReset UAC Bypass

Bypass User Account Control , Abuse Elevation Control Mechanism

SilentCleanup UAC Bypass

Bypass User Account Control , Abuse Elevation Control Mechanism

Sdclt UAC Bypass

Bypass User Account Control , Abuse Elevation Control Mechanism

Auto Admin Logon Registry Entry

Credentials in Registry , Unsecured Credentials

Creation of Shadow Copy

NTDS , OS Credential Dumping

Prohibited Software On Endpoint

Web Servers Executing Suspicious Processes

System Information Discovery

Reg exe used to hide files directories via registry keys

Hidden Files and Directories

Samsam Test File Write

Data Encrypted for Impact

File with Samsam Extension

USN Journal Deletion

Indicator Removal on Host

Remote WMI Command Attempt

Windows Management Instrumentation