Detect Prohibited Applications Spawning cmd exe
Command and Scripting Interpreter
Endpoint_Processes
Office Product Spawning Windows Script Host
Phishing, Spearphishing Attachment
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser
Steal or Forge Kerberos Tickets, AS-REP Roasting
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Exchange PowerShell Module Usage
Command and Scripting Interpreter, PowerShell
Windows COM Hijacking InprocServer32 Modification
Component Object Model Hijacking, Event Triggered Execution
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Ingress Tool Transfer Using Explorer
Ingress Tool Transfer
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows OS Credential Dumping with Procdump
LSASS Memory, OS Credential Dumping
Windows OS Credential Dumping with Ntdsutil Export NTDS
NTDS, OS Credential Dumping
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Rundll32 Comsvcs Memory Dump
NTDS, OS Credential Dumping
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Delete A Net User
Account Access Removal
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows CertUtil VerifyCtl Download
Ingress Tool Transfer
Windows CertUtil URLCache Download
Ingress Tool Transfer
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Bits Job Persistence
BITS Jobs
Windows Powershell Connect to Internet With Hidden Window
Automated Exfiltration
Windows Powershell DownloadFile
Automated Exfiltration
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Fsutil Zeroing File
Indicator Removal
BCDEdit Failure Recovery Modification
Inhibit System Recovery
WBAdmin Delete System Backups
Inhibit System Recovery
DNS Exfiltration Using Nslookup App
Exfiltration Over Alternative Protocol
Detect RClone Command-Line Usage
Automated Exfiltration
Windows Curl Upload to Remote Destination
Ingress Tool Transfer
Resize Shadowstorage Volume
Service Stop
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Attempted Credential Dump From Registry via Reg exe
OS Credential Dumping, Security Account Manager
Attempt To Disable Services
Service Stop
Attempt To Delete Services
Service Stop, Create or Modify System Process, Windows Service
Anomalous usage of Archive Tools
Archive via Utility, Archive Collected Data
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs