| Detection | Technique | Type |
|---|---|---|
| Detect HTML Help Spawn Child Process | Compiled HTML File | TTP |
| Potentially malicious code on commandline | Windows Command Shell | Anomaly |
| Unusually Long Command Line - MLTK | None | Anomaly |
| 7zip CommandLine To SMB Share Path | Archive via Utility | Hunting |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP |
| Advanced IP or Port Scanner Execution | Network Service Discovery, Network Share Discovery | Anomaly |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP |
| Anomalous usage of 7zip | Archive via Utility | Anomaly |
| Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate | Anomaly |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Certutil exe certificate extraction | None | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Change To Safe Mode With Network Config | Inhibit System Recovery | TTP |
| CHCP Command Execution | Command and Scripting Interpreter | Anomaly |
| Check Elevated CMD using whoami | System Owner/User Discovery | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | Control Panel | TTP |
| Create or delete windows shares using net exe | Network Share Connection Removal | TTP |
| Creation of Shadow Copy | NTDS | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS | TTP |
| CSC Net On The Fly Compilation | Compile After Delivery | Hunting |
| Curl Execution with Percent Encoded URL | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect AzureHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect HTML Help Renamed | Compiled HTML File | Hunting |
| Detect HTML Help URL in Command Line | Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | Compiled HTML File | TTP |
| Detect mshta inline hta execution | Mshta | TTP |
| Detect mshta renamed | Mshta | Hunting |
| Detect MSHTA Url in Command Line | Mshta | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path | TTP |
| Detect Prohibited Applications Spawning cmd exe | Windows Command Shell | Hunting |
| Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP |
| Detect Rare Executables | User Execution | Anomaly |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| Detect Renamed 7-Zip | Archive via Utility | Hunting |
| Detect Renamed PSExec | Service Execution | Hunting |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect Renamed WinRAR | Archive via Utility | Hunting |
| Detect RTLO In Process | Right-to-Left Override | TTP |
| Detect Rundll32 Inline HTA Execution | Mshta | TTP |
| Detect SharpHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound Usage | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | Windows Command Shell | TTP |
| Detection of tools built by NirSoft | Software Deployment Tools | Anomaly |
| Disable Logs Using WevtUtil | Clear Windows Event Logs | TTP |
| Disable Schedule Task | Disable or Modify Tools | TTP |
| Disabling Firewall with Netsh | Disable or Modify Tools | Anomaly |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| Domain Account Discovery with Dsquery | Domain Account | Anomaly |
| Domain Account Discovery with Wmic | Domain Account | TTP |
| Domain Controller Discovery with Nltest | Remote System Discovery | TTP |
| Domain Controller Discovery with Wmic | Remote System Discovery | Hunting |
| Domain Group Discovery With Dsquery | Domain Groups | Anomaly |
| Domain Group Discovery With Wmic | Domain Groups | Hunting |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Dump LSASS via procdump | LSASS Memory | TTP |
| Elevated Group Discovery With Wmic | Domain Groups | TTP |
| Esentutl SAM Copy | Security Account Manager | Hunting |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive distinct processes from Windows Temp | Command and Scripting Interpreter | Anomaly |
| Excessive number of service control start as disabled | Disable or Modify Tools | Anomaly |
| Excessive number of taskhost processes | Command and Scripting Interpreter | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly |
| Execute Javascript With Jscript COM CLSID | Visual Basic | TTP |
| Execution of File with Multiple Extensions | Rename Legitimate Utilities | TTP |
| File Download or Read to Pipe Execution | Ingress Tool Transfer | TTP |
| Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly |
| First Time Seen Child Process of Zoom | Exploitation for Privilege Escalation | Anomaly |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control | TTP |
| Fsutil Zeroing File | Indicator Removal | TTP |
| Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Hunting |
| Get ADUser with PowerShell | Domain Account | Hunting |
| Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP |
| Get DomainPolicy with Powershell | Password Policy Discovery | TTP |
| Get-DomainTrust with PowerShell | Domain Trust Discovery | TTP |
| Get DomainUser with PowerShell | Domain Account | TTP |
| Get-ForestTrust with PowerShell | Domain Trust Discovery | TTP |
| Get WMIObject Group Discovery | Local Groups | Hunting |
| GetAdComputer with PowerShell | Remote System Discovery | Hunting |
| GetAdGroup with PowerShell | Domain Groups | Hunting |
| GetCurrent User with PowerShell | System Owner/User Discovery | Hunting |
| GetDomainComputer with PowerShell | Remote System Discovery | TTP |
| GetDomainController with PowerShell | Remote System Discovery | Hunting |
| GetDomainGroup with PowerShell | Domain Groups | TTP |
| GetLocalUser with PowerShell | Local Account | Hunting |
| GetNetTcpconnection with PowerShell | System Network Connections Discovery | Hunting |
| GetWmiObject Ds Computer with PowerShell | Remote System Discovery | TTP |
| GetWmiObject Ds Group with PowerShell | Domain Groups | TTP |
| GetWmiObject DS User with PowerShell | Domain Account | TTP |
| GetWmiObject User Account with PowerShell | Local Account | Hunting |
| Headless Browser Mockbin or Mocky Request | Hidden Window | TTP |
| Headless Browser Usage | Virtualization/Sandbox Evasion, Hidden Window | Anomaly |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification | TTP |
| Hunting 3CXDesktopApp Software | Compromise Software Supply Chain | Hunting |
| Icacls Deny Command | File and Directory Permissions Modification | Anomaly |
| ICACLS Grant Command | File and Directory Permissions Modification | Anomaly |
| Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Jscript Execution Using Cscript App | JavaScript | TTP |
| Local Account Discovery With Wmic | Local Account | Hunting |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly |
| Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP |
| Mmc LOLBAS Execution Process Spawn | Distributed Component Object Model, MMC | TTP |
| Modify ACL permission To Files Or Folder | File and Directory Permissions Modification | Anomaly |
| MSBuild Suspicious Spawned By Script Process | MSBuild | TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process | Mshta | TTP |
| Network Connection Discovery With Arp | System Network Connections Discovery | Hunting |
| Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting |
| Network Discovery Using Route Windows App | Internet Connection Discovery | Hunting |
| Nishang PowershellTCPOneLine | PowerShell | TTP |
| NLTest Domain Trust Discovery | Domain Trust Discovery | TTP |
| Notepad with no Command Line Arguments | Process Injection | TTP |
| Ntdsutil Export NTDS | NTDS | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly |
| Ping Sleep Batch Command | Time Based Checks | Anomaly |
| Possible Browser Pass View Parameter | Credentials from Web Browsers | Hunting |
| Possible Lateral Movement PowerShell Spawn | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | TTP |
| Potential System Network Configuration Discovery Activity | System Network Configuration Discovery | Anomaly |
| Potential Telegram API Request Via CommandLine | Bidirectional Communication, Exfiltration Over C2 Channel | Anomaly |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| Powershell Disable Security Monitoring | Disable or Modify Tools | TTP |
| PowerShell Get LocalGroup Discovery | Local Groups | Hunting |
| PowerShell Start-BitsTransfer | BITS Jobs | TTP |
| Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP |
| Process Execution via WMI | Windows Management Instrumentation | TTP |
| Process Kill Base On File Path | Disable or Modify Tools | TTP |
| Processes launching netsh | Disable or Modify System Firewall | Anomaly |
| Recursive Delete of Directory In Batch CMD | File Deletion | TTP |
| Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness | TTP |
| Regsvr32 Silent and Install Param Dll Loading | Regsvr32 | Anomaly |
| Regsvr32 with Known Silent Switch Cmdline | Regsvr32 | Anomaly |
| Remote Desktop Process Running On System | Remote Desktop Protocol | Hunting |
| Remote Process Instantiation via DCOM and PowerShell | Distributed Component Object Model | TTP |
| Remote Process Instantiation via WinRM and PowerShell | Windows Remote Management | TTP |
| Remote Process Instantiation via WinRM and Winrs | Windows Remote Management | TTP |
| Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP |
| Remote Process Instantiation via WMI and PowerShell | Windows Management Instrumentation | TTP |
| Remote System Discovery with Dsquery | Remote System Discovery | Anomaly |
| Remote System Discovery with Wmic | Remote System Discovery | TTP |
| Remote WMI Command Attempt | Windows Management Instrumentation | TTP |
| Resize ShadowStorage volume | Inhibit System Recovery | TTP |
| Revil Common Exec Parameter | User Execution | TTP |
| Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP |
| Runas Execution in CommandLine | Token Impersonation/Theft | Hunting |
| Rundll32 Control RunDLL Hunt | Rundll32 | Hunting |
| Rundll32 Control RunDLL World Writable Directory | Rundll32 | TTP |
| Rundll32 LockWorkStation | Rundll32 | Anomaly |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| RunDLL Loading DLL By Ordinal | Rundll32 | TTP |
| Ryuk Wake on LAN Command | Windows Command Shell | TTP |
| Sc exe Manipulating Windows Services | Windows Service | TTP |
| Scheduled Task Creation on Remote Endpoint using At | At | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Scheduled Task Initiation on Remote Endpoint | Scheduled Task | TTP |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task | TTP |
| Schtasks used for forcing a reboot | Scheduled Task | TTP |
| Script Execution via WMI | Windows Management Instrumentation | TTP |
| Sdelete Application Execution | File Deletion, Data Destruction | TTP |
| SecretDumps Offline NTDS Dumping Tool | NTDS | TTP |
| ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP |
| Services Escalate Exe | Abuse Elevation Control Mechanism | TTP |
| Services LOLBAS Execution Process Spawn | Windows Service | TTP |
| Shim Database Installation With Suspicious Parameters | Application Shimming | TTP |
| Single Letter Process On Endpoint | Malicious File | TTP |
| SLUI RunAs Elevated | Bypass User Account Control | TTP |
| SLUI Spawning a Process | Bypass User Account Control | TTP |
| Spoolsv Spawning Rundll32 | Print Processors | TTP |
| Suspicious Copy on System32 | Rename Legitimate Utilities | Anomaly |
| Suspicious Curl Network Connection | Ingress Tool Transfer | TTP |
| Suspicious DLLHost no Command Line Arguments | Process Injection | TTP |
| Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP |
| Suspicious IcedID Rundll32 Cmdline | Rundll32 | TTP |
| Suspicious microsoft workflow compiler rename | Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution | Hunting |
| Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP |
| Suspicious msbuild path | Rename Legitimate Utilities, MSBuild | TTP |
| Suspicious MSBuild Rename | Rename Legitimate Utilities, MSBuild | Hunting |
| Suspicious MSBuild Spawn | MSBuild | TTP |
| Suspicious mshta child process | Mshta | TTP |
| Suspicious mshta spawn | Mshta | TTP |
| Suspicious PlistBuddy Usage | Launch Agent | TTP |
| Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP |
| Suspicious Reg exe Process | Modify Registry | Anomaly |
| Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP |
| Suspicious Rundll32 dllregisterserver | Rundll32 | TTP |
| Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP |
| Suspicious Rundll32 PluginInit | Rundll32 | TTP |
| Suspicious Rundll32 StartW | Rundll32 | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly |
| Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP |
| Suspicious SQLite3 LSQuarantine Behavior | Data Staged | TTP |
| Suspicious wevtutil Usage | Clear Windows Event Logs | TTP |
| Svchost LOLBAS Execution Process Spawn | Scheduled Task | TTP |
| System Info Gathering Using Dxdiag Application | Gather Victim Host Information | Hunting |
| System Information Discovery Detection | System Information Discovery | TTP |
| System Processes Run From Unexpected Locations | Rename Legitimate Utilities | Anomaly |
| System User Discovery With Query | System Owner/User Discovery | Hunting |
| System User Discovery With Whoami | System Owner/User Discovery | Anomaly |
| Uninstall App Using MsiExec | Msiexec | TTP |
| Unload Sysmon Filter Driver | Disable or Modify Tools | TTP |
| Unusually Long Command Line | None | Anomaly |
| User Discovery With Env Vars PowerShell | System Owner/User Discovery | Hunting |
| USN Journal Deletion | Indicator Removal | TTP |
| Vbscript Execution Using Wscript App | Visual Basic | TTP |
| Verclsid CLSID Execution | Verclsid | Hunting |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Wermgr Process Spawned CMD Or Powershell Process | Command and Scripting Interpreter | TTP |
| Windows AdFind Exe | Remote System Discovery | TTP |
| Windows Advanced Installer MSIX with AI_STUBS Execution | System Binary Proxy Execution, Mark-of-the-Web Bypass, Malicious File | TTP |
| Windows Apache Benchmark Binary | Command and Scripting Interpreter | Anomaly |
| Windows Application Whitelisting Bypass Attempt via Rundll32 | Rundll32 | TTP |
| Windows Archive Collected Data via Rar | Archive via Utility | Anomaly |
| Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Windows Audit Policy Auditing Option Disabled via Auditpol | Disable Windows Event Logging | TTP |
| Windows Audit Policy Cleared via Auditpol | Disable Windows Event Logging | TTP |
| Windows Audit Policy Disabled via Auditpol | Disable Windows Event Logging | Anomaly |
| Windows Audit Policy Disabled via Legacy Auditpol | Disable Windows Event Logging | Anomaly |
| Windows Audit Policy Excluded Category via Auditpol | Disable Windows Event Logging | Anomaly |
| Windows Audit Policy Restored via Auditpol | Disable Windows Event Logging | Anomaly |
| Windows Audit Policy Security Descriptor Tampering via Auditpol | Disable Windows Event Logging | Anomaly |
| Windows AutoIt3 Execution | Command and Scripting Interpreter | TTP |
| Windows Binary Proxy Execution Mavinject DLL Injection | Mavinject | TTP |
| Windows BitLocker Suspicious Command Usage | Data Encrypted for Impact, Inhibit System Recovery | TTP |
| Windows Bypass UAC via Pkgmgr Tool | Bypass User Account Control | Anomaly |
| Windows Cabinet File Extraction Via Expand | Ingress Tool Transfer | TTP |
| Windows Cached Domain Credentials Reg Query | Cached Domain Credentials | Anomaly |
| Windows Certutil Root Certificate Addition | Digital Certificates | TTP |
| Windows Change File Association Command To Notepad | Change Default File Association | TTP |
| Windows Chrome Enable Extension Loading via Command-Line | Browser Session Hijacking | Anomaly |
| Windows Chromium Browser Launched with Small Window Size | Virtualization/Sandbox Evasion | TTP |
| Windows Chromium Browser No Security Sandbox Process | Virtualization/Sandbox Evasion | TTP |
| Windows Chromium Browser with Custom User Data Directory | Virtualization/Sandbox Evasion | Anomaly |
| Windows Chromium process Launched with Disable Popup Blocking | Virtualization/Sandbox Evasion | Anomaly |
| Windows Chromium Process Launched with Logging Disabled | Virtualization/Sandbox Evasion | Anomaly |
| Windows Chromium Process Loaded Extension via Command-Line | Browser Session Hijacking | Anomaly |
| Windows Chromium Process with Disabled Extensions | Virtualization/Sandbox Evasion | Anomaly |
| Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc | Disable or Modify Tools | Anomaly |
| Windows Cisco Secure Endpoint Unblock File Via Sfc | Disable or Modify Tools | Anomaly |
| Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc | Disable or Modify Tools | Anomaly |
| Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly |
| Windows COM Hijacking InprocServer32 Modification | Component Object Model Hijacking | TTP |
| Windows Command and Scripting Interpreter Hunting Path Traversal | Command and Scripting Interpreter | Hunting |
| Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP |
| Windows Command Shell DCRat ForkBomb Payload | Windows Command Shell | TTP |
| Windows Compatibility Telemetry Suspicious Child Process | Event Triggered Execution, Scheduled Task | TTP |
| Windows ConHost with Headless Argument | Hidden Window, Run Virtual Instance | TTP |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Credentials from Password Stores Creation | Credentials from Password Stores | TTP |
| Windows Credentials from Password Stores Deletion | Credentials from Password Stores | TTP |
| Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly |
| Windows Credentials in Registry Reg Query | Credentials in Registry | Anomaly |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Windows Debugger Tool Execution | Masquerading | Hunting |
| Windows Default Group Policy Object Modified with GPME | Group Policy Modification | TTP |
| Windows Defender ASR or Threat Configuration Tamper | Disable or Modify Tools | TTP |
| Windows Delete or Modify System Firewall | Disable or Modify System Firewall | Anomaly |
| Windows Disable Internet Explorer Addons | Browser Extensions | Anomaly |
| Windows Disable or Modify Tools Via Taskkill | Disable or Modify Tools | Anomaly |
| Windows Disable Windows Event Logging Disable HTTP Logging | IIS Components, Disable Windows Event Logging | TTP |
| Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting |
| Windows Diskshadow Proxy Execution | System Binary Proxy Execution | TTP |
| Windows DISM Remove Defender | Disable or Modify Tools | TTP |
| Windows DLL Search Order Hijacking with iscsicpl | DLL | TTP |
| Windows DLL Side-Loading Process Child Of Calc | DLL | Anomaly |
| Windows DNS Gather Network Info | DNS | Anomaly |
| Windows DotNet Binary in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP |
| Windows ESX Admins Group Creation via Net | Domain Account, Local Account | TTP |
| Windows Eventlog Cleared Via Wevtutil | Clear Windows Event Logs | Anomaly |
| Windows EventLog Recon Activity Using Log Query Utilities | Log Enumeration | Anomaly |
| Windows Excel Spawning Microsoft Project Application | Distributed Component Object Model | Anomaly |
| Windows Excessive Service Stop Attempt | Service Stop | TTP |
| Windows Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Windows Execute Arbitrary Commands with MSDT | System Binary Proxy Execution | TTP |
| Windows Execution of Microsoft MSC File In Suspicious Path | MMC | Anomaly |
| Windows File Collection Via Copy Utilities | Automated Collection | Anomaly |
| Windows File Download Via CertUtil | Ingress Tool Transfer | TTP |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Windows Files and Dirs Access Rights Modification Via Icacls | Windows File and Directory Permissions Modification | TTP |
| Windows Findstr GPP Discovery | Group Policy Preferences | TTP |
| Windows Gdrive Binary Activity | Exfiltration Over Web Service | TTP |
| Windows Global Object Access Audit List Cleared Via Auditpol | Disable Windows Event Logging | TTP |
| Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting |
| Windows Identify Protocol Handlers | Command and Scripting Interpreter | Hunting |
| Windows IIS Components Add New Module | IIS Components | Anomaly |
| Windows Impair Defense Add Xml Applocker Rules | Disable or Modify Tools | Hunting |
| Windows Indicator Removal Via Rmdir | Indicator Removal | Anomaly |
| Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP |
| Windows Indirect Command Execution Via pcalua | Indirect Command Execution | TTP |
| Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly |
| Windows Information Discovery Fsutil | System Information Discovery | Anomaly |
| Windows Ingress Tool Transfer Using Explorer | Ingress Tool Transfer | Anomaly |
| Windows InstallUtil in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP |
| Windows InstallUtil Uninstall Option | InstallUtil | TTP |
| Windows InstallUtil URL in Command Line | InstallUtil | TTP |
| Windows Ldifde Directory Object Behavior | Ingress Tool Transfer, Domain Groups | TTP |
| Windows List ENV Variables Via SET Command From Uncommon Parent | Process Injection | Anomaly |
| Windows Local LLM Framework Execution | Create or Modify System Process | Hunting |
| Windows LOLBAS Executed As Renamed File | Rename Legitimate Utilities, Rundll32 | TTP |
| Windows Masquerading Explorer As Child Process | DLL | TTP |
| Windows Masquerading Msdtc Process | Masquerading | TTP |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Modify Registry Regedit Silent Reg Import | Modify Registry | Anomaly |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall | TTP |
| Windows MOF Event Triggered Execution via WMI | Windows Management Instrumentation Event Subscription | TTP |
| Windows MpCmdRun RemoveDefinitions Execution | Disable or Modify Tools | Anomaly |
| Windows MSC EvilTwin Directory Path Manipulation | System Binary Proxy Execution, Match Legitimate Resource Name or Location, Exploitation for Client Execution | TTP |
| Windows MSIExec DLLRegisterServer | Msiexec | TTP |
| Windows MsiExec HideWindow Rundll32 Execution | Msiexec | TTP |
| Windows MSIExec Remote Download | Msiexec | TTP |
| Windows MSIExec Spawn Discovery Command | Msiexec | TTP |
| Windows MSIExec Spawn WinDBG | Msiexec | TTP |
| Windows MSIExec Unregister DLLRegisterServer | Msiexec | TTP |
| Windows MSTSC RDP Commandline | Remote Desktop Protocol | Anomaly |
| Windows Net System Service Discovery | System Service Discovery | Anomaly |
| Windows Network Connection Discovery Via Net | System Network Connections Discovery | Hunting |
| Windows Network Share Interaction Via Net | Network Share Discovery, Data from Network Shared Drive | Anomaly |
| Windows New Deny Permission Set On Service SD Via Sc.EXE | Hide Artifacts | Anomaly |
| Windows New Service Security Descriptor Set Via Sc.EXE | Hide Artifacts | Anomaly |
| Windows Ngrok Reverse Proxy Usage | Protocol Tunneling, Proxy, Web Service | Anomaly |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows NirSoft Utilities | Tool | Hunting |
| Windows Odbcconf Hunting | Odbcconf | Hunting |
| Windows Odbcconf Load DLL | Odbcconf | TTP |
| Windows Odbcconf Load Response File | Odbcconf | TTP |
| Windows Office Product Spawned Child Process For Download | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Control | Spearphishing Attachment | TTP |
| Windows Office Product Spawned MSDT | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Rundll32 With No DLL | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Windows PaperCut NG Spawn Shell | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Parent PID Spoofing with Explorer | Parent PID Spoofing | TTP |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Password Policy Discovery with Net | Password Policy Discovery | Hunting |
| Windows Phishing PDF File Executes URL Link | Spearphishing Attachment | Anomaly |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Malicious Link, Windows Command Shell | TTP |
| Windows PowerShell Process Implementing Manual Base64 Decoder | Command Obfuscation, PowerShell | Anomaly |
| Windows PowerShell Process With Malicious String | PowerShell | TTP |
| Windows Powershell RemoteSigned File | PowerShell | Anomaly |
| Windows PowerShell Script From WindowsApps Directory | PowerShell, Malicious File | TTP |
| Windows Private Keys Discovery | Private Keys | Anomaly |
| Windows Process Commandline Discovery | Process Discovery | Hunting |
| Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting |
| Windows Process Execution From RDP Share | Remote Desktop Protocol, Ingress Tool Transfer, Command and Scripting Interpreter | Anomaly |
| Windows Process Execution in Temp Dir | Create or Modify System Process, Match Legitimate Resource Name or Location | Anomaly |
| Windows Process Injection In Non-Service SearchIndexer | Process Injection | TTP |
| Windows Process Injection Wermgr Child Process | Process Injection | Anomaly |
| Windows Process With NamedPipe CommandLine | Process Injection | Anomaly |
| Windows Process With NetExec Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP |
| Windows Protocol Tunneling with Plink | Protocol Tunneling, SSH | TTP |
| Windows Proxy Via Netsh | Internal Proxy | Anomaly |
| Windows PsTools Recon Usage | System Information Discovery, Network Service Discovery, Remote System Discovery | Anomaly |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution | TTP |
| Windows RDP File Execution | Spearphishing Attachment, Remote Desktop Protocol | TTP |
| Windows Registry Entries Exported Via Reg | Query Registry | Hunting |
| Windows Registry Entries Restored Via Reg | Query Registry | Hunting |
| Windows Regsvr32 Renamed Binary | Regsvr32 | TTP |
| Windows Remote Assistance Spawning Process | Process Injection | TTP |
| Windows Remote Create Service | Windows Service | Anomaly |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP |
| Windows Remote Services Allow Rdp In Firewall | Remote Desktop Protocol | Anomaly |
| Windows Rundll32 Apply User Settings Changes | Rundll32 | Anomaly |
| Windows Rundll32 Execution With Log.DLL | Hijack Execution Flow | Anomaly |
| Windows Rundll32 WebDAV Request | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Windows Scheduled Task Created Via XML | Scheduled Task | Anomaly |
| Windows Scheduled Task Service Spawned Shell | Scheduled Task, Command and Scripting Interpreter | TTP |
| Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP |
| Windows Schtasks Create Run As System | Scheduled Task | TTP |
| Windows ScManager Security Descriptor Tampering Via Sc.EXE | Service Execution | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| Windows Security Support Provider Reg Query | Security Support Provider | Anomaly |
| Windows Sensitive Group Discovery With Net | Domain Groups | Anomaly |
| Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP |
| Windows Server Software Component GACUtil Install to GAC | IIS Components | TTP |
| Windows Service Create Kernel Mode Driver | Exploitation for Privilege Escalation, Windows Service | TTP |
| Windows Service Create with Tscon | Windows Service, RDP Hijacking | TTP |
| Windows Service Creation on Remote Endpoint | Windows Service | TTP |
| Windows Service Execution RemCom | Service Execution | TTP |
| Windows Service Initiation on Remote Endpoint | Windows Service | TTP |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Windows Service Stop By Deletion | Service Stop | TTP |
| Windows Set Account Password Policy To Unlimited Via Net | Service Stop | Anomaly |
| Windows Shell Process from CrushFTP | PowerShell, Windows Command Shell, Exploit Public-Facing Application, Server Software Component | TTP |
| Windows SOAPHound Binary Execution | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment | TTP |
| Windows SpeechRuntime Suspicious Child Process | Distributed Component Object Model | TTP |
| Windows SQL Spawning CertUtil | Ingress Tool Transfer | TTP |
| Windows SQLCMD Execution | Windows Command Shell | Hunting |
| Windows Steal Authentication Certificates CertUtil Backup | Steal or Forge Authentication Certificates | Anomaly |
| Windows Steal Authentication Certificates Export Certificate | Steal or Forge Authentication Certificates | Anomaly |
| Windows Steal Authentication Certificates Export PfxCertificate | Steal or Forge Authentication Certificates | Anomaly |
| Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting |
| Windows SubInAcl Execution | Windows File and Directory Permissions Modification | Anomaly |
| Windows Suspicious Child Process Spawned From WebServer | Web Shell | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP |
| Windows Suspicious React or Next.js Child Process | Exploit Public-Facing Application, Windows Command Shell, PowerShell | TTP |
| Windows Suspicious VMWare Tools Child Process | Command and Scripting Interpreter | TTP |
| Windows Symlink Evaluation Change via Fsutil | Windows File and Directory Permissions Modification | Anomaly |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File | TTP |
| Windows System Discovery Using ldap Nslookup | System Owner/User Discovery | |
Anomaly |
| Windows System Discovery Using Qwinsta |
System Owner/User Discovery |
Hunting |
| Windows System LogOff Commandline |
System Shutdown/Reboot |
Anomaly |
| Windows System Network Config Discovery Display DNS |
System Network Configuration Discovery |
Anomaly |
| Windows System Network Connections Discovery Netsh |
System Network Connections Discovery |
Anomaly |
| Windows System Reboot CommandLine |
System Shutdown/Reboot |
Anomaly |
| Windows System Remote Discovery With Query |
System Owner/User Discovery |
Anomaly |
| Windows System Script Proxy Execution Syncappvpublishingserver |
System Script Proxy Execution, System Binary Proxy Execution |
TTP |
| Windows System Shutdown CommandLine |
System Shutdown/Reboot |
Anomaly |
| Windows System Time Discovery W32tm Delay |
System Time Discovery |
Anomaly |
| Windows System User Discovery Via Quser |
System Owner/User Discovery |
Hunting |
| Windows System User Privilege Discovery |
System Owner/User Discovery |
Hunting |
| Windows Time Based Evasion |
Time Based Checks |
TTP |
| Windows Time Based Evasion via Choice Exec |
Time Based Checks |
Anomaly |
| Windows TOR Client Execution |
Multi-hop Proxy |
Anomaly |
| Windows UAC Bypass Suspicious Child Process |
Bypass User Account Control |
TTP |
| Windows User Deletion Via Net |
Account Access Removal |
Anomaly |
| Windows User Disabled Via Net |
Account Access Removal |
Anomaly |
| Windows User Discovery Via Net |
Local Account |
Hunting |
| Windows WBAdmin File Recovery From Backup |
Inhibit System Recovery, Stored Data Manipulation |
Anomaly |
| Windows WinDBG Spawning AutoIt3 |
Command and Scripting Interpreter |
TTP |
| Windows WinRAR Launched Outside Default Installation Directory |
Windows Management Instrumentation |
Anomaly |
| Windows WMI Process And Service List |
Windows Management Instrumentation |
Anomaly |
| Windows WMI Process Call Create |
Windows Management Instrumentation |
Hunting |
| Windows WMI Reconnaissance Class Query |
Windows Management Instrumentation |
Anomaly |
| Windows Wmic CPU Discovery |
System Information Discovery |
Anomaly |
| Windows Wmic DiskDrive Discovery |
System Information Discovery |
Anomaly |
| Windows Wmic Memory Chip Discovery |
System Information Discovery |
Anomaly |
| Windows Wmic Network Discovery |
System Information Discovery |
Anomaly |
| Windows Wmic Systeminfo Discovery |
System Information Discovery |
Anomaly |
| Windows WSUS Spawning Shell |
Exploit Public-Facing Application, Web Shell |
TTP |
| Winhlp32 Spawning a Process |
Process Injection |
TTP |
| WinRAR Spawning Shell Application |
Ingress Tool Transfer |
TTP |
| WinRM Spawning a Process |
Exploit Public-Facing Application |
TTP |
| Wmic Group Discovery |
Local Groups |
Anomaly |
| Wmic NonInteractive App Uninstallation |
Disable or Modify Tools |
Hunting |
| WMIC XSL Execution via URL |
XSL Script Processing |
TTP |
| Wmiprvse LOLBAS Execution Process Spawn |
Windows Management Instrumentation |
TTP |
| Wscript Or Cscript Suspicious Child Process |
Process Injection, Parent PID Spoofing, Create or Modify System Process |
TTP |
| Wsmprovhost LOLBAS Execution Process Spawn |
Windows Remote Management |
TTP |
| XSL Script Execution With WMIC |
XSL Script Processing |
TTP |