| Detection | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Password Spray Attempts | Windows Event Log Security 4625 | Password Spraying, Brute Force | TTP | Active Directory Password Spraying, Compromised User Account | 2024-10-17 |
| Email files written outside of the Outlook directory | Sysmon EventID 11 | Email Collection, Local Email Collection | TTP | Collection and Staging | 2024-10-17 |
| No Windows Updates in a time frame | | N/A | Hunting | Monitor for Updates | 2024-10-17 |
| Splunk Enterprise Windows Deserialization File Partition | Splunk | Exploit Public-Facing Application | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Splunk RCE Through Arbitrary File Write to Windows System Root | Splunk | Exploitation of Remote Services | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Web Servers Executing Suspicious Processes | Sysmon EventID 1 | System Information Discovery | TTP | Apache Struts Vulnerability | 2024-10-17 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Deny ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Group ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous User ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD DCShadow Privileges ACL Addition | | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Deletion | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Deleted | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Disabled | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO New CSE Addition | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Hidden OU Creation | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Object Owner Updated | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious Attribute Modification | | Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious GPO Modification | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | Use Alternate Authentication Material, Pass the Hash | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-10-17 |
| Detect Mimikatz Using Loaded Images | Sysmon EventID 7 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools | 2024-10-17 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | LSASS Memory | TTP | Cloud Federated Credential Abuse | 2024-10-17 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | LSASS Memory | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-10-17 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | Rename System Utilities | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-10-17 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-10-17 |
| Processes created by netsh | Sysmon EventID 1 | Disable or Modify System Firewall | TTP | Netsh Abuse | 2024-10-17 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | N/A | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-10-17 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | Hidden Files and Directories | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Remote Registry Key modifications | Sysmon EventID 13 | N/A | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Suspicious File Write | Sysmon EventID 11 | N/A | Hunting | Hidden Cobra Malware | 2024-10-17 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-10-17 |
| Suspicious Rundll32 Rename | Sysmon EventID 1 | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Hunting | Masquerading - Rename System Utilities, Suspicious Rundll32 Activity | 2024-10-17 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | Masquerading | Hunting | Collection and Staging | 2024-10-17 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-10-17 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | LSASS Memory | TTP | Credential Dumping | 2024-10-17 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Windows hosts file modification | Sysmon EventID 11 | N/A | TTP | Host Redirection | 2024-10-17 |
| 3CX Supply Chain Attack Network Indicators | Sysmon EventID 22 | Compromise Software Supply Chain | TTP | 3CX Supply Chain Attack | 2024-10-17 |
| 7zip CommandLine To SMB Share Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | Ransomware | 2024-10-17 |
| Access LSASS Memory for Dump Creation | Sysmon EventID 10 | LSASS Memory, OS Credential Dumping | TTP | CISA AA23-347A, Credential Dumping | 2024-09-30 |
| Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | IcedID, Trickbot | 2024-09-30 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | Active Setup, Boot or Logon Autostart Execution | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-09-30 |
| Add DefaultUser And Password In Registry | Sysmon EventID 13 | Credentials in Registry, Unsecured Credentials | Anomaly | BlackMatter Ransomware | 2024-09-30 |
| Add or Set Windows Defender Exclusion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools, Impair Defenses | TTP | AgentTesla, CISA AA22-320A, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics | 2024-09-30 |
| AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | Domain Account, Account Discovery | TTP | Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 | 2024-09-30 |
| Allow File And Printing Sharing In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Cloud Firewall, Impair Defenses | TTP | BlackByte Ransomware, Ransomware | 2024-09-30 |
| Allow Inbound Traffic By Firewall Rule Registry | Sysmon EventID 12, Sysmon EventID 13 | Remote Desktop Protocol, Remote Services | TTP | Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse | 2024-09-30 |
| Allow Inbound Traffic In Firewall Rule | Powershell Script Block Logging 4104 | Remote Desktop Protocol, Remote Services | TTP | Prohibited Traffic Allowed or Protocol Mismatch | 2024-09-30 |
| Allow Network Discovery In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Cloud Firewall, Impair Defenses | TTP | BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware | 2024-09-30 |
| Allow Operation with Consent Admin | Sysmon EventID 12, Sysmon EventID 13 | Abuse Elevation Control Mechanism | TTP | Azorult, MoonPeak, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Anomaly | BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group | 2024-09-30 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer | 2024-09-30 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-09-30 |
| Attacker Tools On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP | CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig | 2024-09-30 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Install Root Certificate, Subvert Trust Controls | TTP | Disabling Security Tools | 2024-09-30 |
| Attempt To Stop Security Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools, Impair Defenses | TTP | Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate | 2024-09-30 |
| Attempted Credential Dump From Registry via Reg exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse | 2024-09-30 |
| Auto Admin Logon Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | Credentials in Registry, Unsecured Credentials | TTP | BlackMatter Ransomware, Windows Registry Abuse | 2024-09-30 |
| Batch File Write to System32 | Sysmon EventID 1, Sysmon EventID 11 | User Execution, Malicious File | TTP | SamSam Ransomware | 2024-09-30 |
| Bcdedit Command Back To Normal Mode Boot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| BCDEdit Failure Recovery Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | Ransomware, Ryuk Ransomware | 2024-09-30 |
| BITS Job Persistence | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs | TTP | BITS Jobs, Living Off The Land | 2024-09-30 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| CertUtil Download With URLCache and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell | 2024-09-30 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| Certutil exe certificate extraction | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | N/A | TTP | Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques | 2024-09-30 |
| CertUtil With Decode Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Deobfuscate/Decode Files or Information | TTP | APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land | 2024-09-30 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-09-30 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | BlackMatter Ransomware | 2024-09-30 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Azorult, Forest Blizzard, IcedID | 2024-09-30 |
| Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | TTP | FIN7 | 2024-09-30 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | TTP | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2024-10-17 |
| Clear Unallocated Sector Using Cipher App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | File Deletion, Indicator Removal | TTP | Ransomware | 2024-09-30 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Clop Ransomware | 2024-09-30 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | Create or Modify System Process | TTP | Clop Ransomware | 2024-09-30 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | Hunting | AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern | 2024-10-17 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Cmdline Tool Not Executed In CMD Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2024-09-30 |
| CMLUA Or CMSTPLUA UAC Bypass | Sysmon EventID 7 | System Binary Proxy Execution, CMSTP | TTP | DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT | 2024-09-30 |
| Cobalt Strike Named Pipes | Sysmon EventID 17, Sysmon EventID 18 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot | 2024-09-30 |
| Common Ransomware Extensions | Sysmon EventID 11 | Data Destruction | Hunting | Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| Common Ransomware Notes | Sysmon EventID 11 | Data Destruction | Hunting | Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-10-17 |
| ConnectWise ScreenConnect Path Traversal | Sysmon EventID 11 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-09-30 |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Windows Event Log Security 4663 | Exploit Public-Facing Application | TTP | ConnectWise ScreenConnect Vulnerabilities | 2024-09-30 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware | 2024-09-30 |
| Control Loading from World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Control Panel | TTP | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 | 2024-09-30 |
| Create local admin accounts using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account, Create Account | TTP | Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware | 2024-09-30 |
| Create or delete windows shares using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Indicator Removal, Network Share Connection Removal | TTP | CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation | 2024-09-30 |
| Create Remote Thread In Shell Application | Sysmon EventID 8 | Process Injection | TTP | IcedID, Qakbot, Warzone RAT | 2024-09-30 |
| Create Remote Thread into LSASS | Sysmon EventID 8 | LSASS Memory, OS Credential Dumping | TTP | BlackSuit Ransomware, Credential Dumping | 2024-09-30 |
| Creation of lsass Dump with Taskmgr | Sysmon EventID 11 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, Credential Dumping | 2024-09-30 |
| Creation of Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping, Volt Typhoon | 2024-09-30 |
| Creation of Shadow Copy with wmic and powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping, Living Off The Land, Volt Typhoon | 2024-09-30 |
| Credential Dumping via Copy Command from Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| Credential Dumping via Symlink to Shadow Copy | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | NTDS, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| CSC Net On The Fly Compilation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Compile After Delivery, Obfuscated Files or Information | Hunting | Windows Defense Evasion Tactics | 2024-10-17 |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2024-09-30 |
| Delete ShadowCopy With PowerShell | Powershell Script Block Logging 4104 | Inhibit System Recovery | TTP | DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware | 2024-09-30 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2024-09-30 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Inhibit System Recovery | TTP | CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation | 2024-09-30 |
| Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Windows Discovery Techniques | 2024-09-30 |
| Detect AzureHound File Modifications | Sysmon EventID 11 | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP | Windows Discovery Techniques | 2024-09-30 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP | Ingress Tool Transfer, Windows Certificate Services | 2024-09-30 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell, Windows Certificate Services | 2024-09-30 |
| Detect Certipy File Modifications | Sysmon EventID 1, Sysmon EventID 11 | Steal or Forge Authentication Certificates, Archive Collected Data | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2024-09-30 |
| Detect Computer Changed with Anonymous Account | Windows Event Log Security 4624, Windows Event Log Security 4742 | Exploitation of Remote Services | Hunting | Detect Zerologon Attack | 2024-10-17 |
| Detect Copy of ShadowCopy with Script Block Logging | Powershell Script Block Logging 4104 | Security Account Manager, OS Credential Dumping | TTP | Credential Dumping | 2024-09-30 |
| Detect Credential Dumping through LSASS access | Sysmon EventID 10 | LSASS Memory, OS Credential Dumping | TTP | BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack | 2024-09-30 |
| Detect Critical Alerts from Security Tools | MS365 Defender Incident Alerts, Windows Defender Alerts | N/A | TTP | Critical Alerts | 2024-10-09 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Detect Exchange Web Shell | Sysmon EventID 1, Sysmon EventID 11 | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell | 2024-09-30 |
| Detect HTML Help Renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | Hunting | Living Off The Land, Suspicious Compiled HTML Activity | 2024-10-17 |
| Detect HTML Help Spawn Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect HTML Help URL in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect HTML Help Using InfoTech Storage Handlers | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Compiled HTML File | TTP | Living Off The Land, Suspicious Compiled HTML Activity | 2024-09-30 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | OS Credential Dumping, PowerShell | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-09-30 |
| Detect mshta inline hta execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Gozi Malware, Living Off The Land, Suspicious MSHTA Activity | 2024-09-30 |
| Detect mshta renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | Hunting | Living Off The Land, Suspicious MSHTA Activity | 2024-10-17 |
| Detect MSHTA Url in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Living Off The Land, Suspicious MSHTA Activity | 2024-09-30 |
| Detect New Local Admin account | Windows Event Log Security 4720, Windows Event Log Security 4732 | Local Account, Create Account | TTP | CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group | 2024-09-30 |
| Detect Outlook exe writing a zip file | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Attachment | TTP | Amadey, Remcos, Spearphishing Attachments | 2024-10-17 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path, Hijack Execution Flow | TTP | Windows Persistence Techniques | 2024-09-30 |
| Detect processes used for System Network Configuration Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | TTP | Unusual Processes | 2024-09-30 |
| Detect Prohibited Applications Spawning cmd exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | Hunting | NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes | 2024-10-17 |
| Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares | TTP | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon | 2024-09-30 |
| Detect Rare Executables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | Anomaly | Rhysida Ransomware, Unusual Processes | 2024-09-30 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | TTP | DarkSide Ransomware, Ransomware | 2024-09-30 |
| Detect Regasm Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regasm with Network Connection | Sysmon EventID 3 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regasm with no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs with Network Connection | Sysmon EventID 3 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvcs with No Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvcs/Regasm | TTP | Living Off The Land, Suspicious Regsvcs Regasm Activity | 2024-09-30 |
| Detect Regsvr32 Application Control Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Regsvr32 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity | 2024-09-30 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage FileInfo | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Renamed 7-Zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | Collection and Staging | 2024-10-17 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2024-10-17 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Automated Exfiltration | Hunting | DarkSide Ransomware, Ransomware | 2024-10-17 |
| Detect Renamed WinRAR | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Archive via Utility, Archive Collected Data | Hunting | CISA AA22-277A, Collection and Staging | 2024-10-17 |
| Detect RTLO In File Name | Sysmon EventID 11 | Right-to-Left Override, Masquerading | TTP | Spearphishing Attachments | 2024-09-30 |
| Detect RTLO In Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Right-to-Left Override, Masquerading | TTP | Spearphishing Attachments | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - advpack | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - setupapi | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Application Control Bypass - syssetup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Rundll32 | TTP | Living Off The Land, Suspicious Rundll32 Activity | 2024-09-30 |
| Detect Rundll32 Inline HTA Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Binary Proxy Execution, Mshta | TTP | Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity | |
|
2024-09-30
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-09-30
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-09-30
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2024-09-30
|
Detect suspicious processnames using pretrained model in DSDL
|
Sysmon EventID 1
|
Command and Scripting Interpreter
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-10-17
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2024-09-30
|
Detect Webshell Exploit Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2024-09-30
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
Windows Management Instrumentation Event Subscription
Event Triggered Execution
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-10-17
|
Disable AMSI Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-09-30
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA24-241A, IcedID, Windows Registry Abuse
|
2024-09-30
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
Disable Defender Enhanced Notification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
Disable Defender MpEngine Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Windows Registry Abuse
|
2024-09-30
|
Disable Defender Spynet Reporting
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse
|
2024-09-30
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
Disable ETW Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-09-30
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2024-09-30
|
Disable Registry Tool
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
Disable Show Hidden Files
|
Sysmon EventID 12, Sysmon EventID 13
|
Hidden Files and Directories
Disable or Modify Tools
Hide Artifacts
Impair Defenses
Modify Registry
|
Anomaly
|
Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
Disable UAC Remote Restriction
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
Disable Windows App Hotkeys
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Registry Abuse, XMRig
|
2024-09-30
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, |