Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Endpoint_Processes
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Delete A Net User
Account Access Removal
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
TCP Command and Scripting Interpreter Outbound LDAP Traffic
Command and Scripting Interpreter
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Bits Job Persistence
BITS Jobs
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal on Host
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Fsutil Zeroing File
Indicator Removal on Host
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
Anomalous Usage of Account Credentials
Domain Accounts
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Detect RClone Command-Line Usage
Automated Exfiltration
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
First time seen command line argument
Command and Scripting Interpreter, Indirect Command Execution
Resize Shadowstorage Volume
Service Stop
Rare Parent-Child Process Relationship
Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Credential ExtractionFGDump and CacheDump
OS Credential Dumping, Security Account Manager
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal on Host
Wevtutil Usage To Disable Logs
Indicator Removal on Host, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal on Host, Clear Windows Event Logs
Detect Kerberoasting
Kerberoasting, Steal or Forge Kerberos Tickets
Unusual LOLBAS in short period of time
Command and Scripting Interpreter, Scheduled Task/Job