| Detection | ATT&CK Technique(s) | Type |
|---|---|---|
| Detect HTML Help Spawn Child Process | Compiled HTML File | TTP |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP |
| Attacker Tools On Endpoint | OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning | TTP |
| Batch File Write to System32 | Malicious File | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Certutil exe certificate extraction | Steal or Forge Authentication Certificates | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | TTP |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | Control Panel | TTP |
| Creation of Shadow Copy | NTDS | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS | TTP |
| Crowdstrike Admin Weak Password Policy | Brute Force | TTP |
| Crowdstrike Admin With Duplicate Password | Brute Force | TTP |
| Crowdstrike High Identity Risk Severity | Brute Force | TTP |
| Crowdstrike Medium Identity Risk Severity | Brute Force | TTP |
| Crowdstrike Medium Severity Alert | Brute Force | Anomaly |
| Crowdstrike Multiple LOW Severity Alerts | Brute Force | Anomaly |
| Crowdstrike Privilege Escalation For Non-Admin User | Brute Force | Anomaly |
| Crowdstrike User Weak Password Policy | Brute Force | Anomaly |
| Crowdstrike User with Duplicate Password | Brute Force | Anomaly |
| Curl Execution with Percent Encoded URL | Obfuscated Files or Information, Ingress Tool Transfer | Anomaly |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect AzureHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP |
| Detect HTML Help URL in Command Line | Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | Compiled HTML File | TTP |
| Detect mshta inline hta execution | Mshta | TTP |
| Detect MSHTA Url in Command Line | Mshta | TTP |
| Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Dump LSASS via procdump | LSASS Memory | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| File Download or Read to Pipe Execution | Ingress Tool Transfer | TTP |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control | TTP |
| GPUpdate with no Command Line Arguments with Network | Process Injection | TTP |
| Hiding Files And Directories With Attrib exe | Windows Permissions | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | Anomaly |
| Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP |
| Malicious Powershell Executed As A Service | Service Execution | TTP |
| Remote Process Instantiation via DCOM and PowerShell | Distributed Component Object Model | TTP |
| Remote Process Instantiation via WMI and PowerShell | Windows Management Instrumentation | TTP |
| Resize ShadowStorage volume | Inhibit System Recovery | TTP |
| Rundll32 Control RunDLL World Writable Directory | Rundll32 | TTP |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP |
| Ryuk Wake on LAN Command | Windows Command Shell | TTP |
| Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task | TTP |
| SearchProtocolHost with no Command Line with Network | Process Injection | TTP |
| SecretDumps Offline NTDS Dumping Tool | NTDS | TTP |
| ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP |
| Services Escalate Exe | Abuse Elevation Control Mechanism | TTP |
| Shim Database Installation With Suspicious Parameters | Application Shimming | TTP |
| Short Lived Scheduled Task | Scheduled Task | TTP |
| Single Letter Process On Endpoint | Malicious File | TTP |
| SLUI RunAs Elevated | Bypass User Account Control | TTP |
| SLUI Spawning a Process | Bypass User Account Control | TTP |
| Spoolsv Spawning Rundll32 | Print Processors | TTP |
| Spoolsv Writing a DLL | Print Processors | TTP |
| Suspicious Computer Account Name Change | Domain Accounts | TTP |
| Suspicious Copy on System32 | Rename Legitimate Utilities | Anomaly |
| Windows AD Cross Domain SID History Addition | SID-History Injection | TTP |
| Windows AD Domain Controller Promotion | Rogue Domain Controller | TTP |
| Windows AD Domain Replication ACL Addition | Domain or Tenant Policy Modification | TTP |
| Windows AD Privileged Account SID History Addition | SID-History Injection | TTP |
| Windows AD Replication Request Initiated by User Account | DCSync | TTP |
| Windows AD Replication Request Initiated from Unsanctioned Location | DCSync | TTP |
| Windows AD Same Domain SID History Addition | SID-History Injection | TTP |
| Windows AD Short Lived Domain Controller SPN Attribute | Rogue Domain Controller | TTP |
| Windows AD Short Lived Server Object | Rogue Domain Controller | TTP |
| Windows Alternate DataStream - Process Execution | NTFS File Attributes | TTP |
| Windows Application Whitelisting Bypass Attempt via Rundll32 | Rundll32 | TTP |
| Windows Change File Association Command To Notepad | Change Default File Association | TTP |
| Windows COM Hijacking InprocServer32 Modification | Component Object Model Hijacking | TTP |
| Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP |
| Windows Command Shell DCRat ForkBomb Payload | Windows Command Shell | TTP |
| Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP |
| Windows ConHost with Headless Argument | Hidden Window, Run Virtual Instance | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Credential Target Information Structure in Commandline | Name Resolution Poisoning and SMB Relay, Forced Authentication, DNS | TTP |
| Windows Credentials from Password Stores Creation | Credentials from Password Stores | TTP |
| Windows Credentials from Password Stores Deletion | Credentials from Password Stores | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Windows Disable Windows Event Logging Disable HTTP Logging | IIS Components, Disable or Modify Windows Event Log | Anomaly |
| Windows DISM Remove Defender | Disable or Modify Tools | TTP |
| Windows DLL Search Order Hijacking with iscsicpl | DLL | TTP |
| Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP |
| Windows EFI Volume Mount Attempt Via Mountvol | Malicious File, Pre-OS Boot, Safe Mode Boot | Anomaly |
| Windows Event Log Cleared | Clear Windows Event Logs | TTP |
| Windows Excessive Disabled Services Event | Disable or Modify Tools | TTP |
| Windows Execute Arbitrary Commands with MSDT | System Binary Proxy Execution | TTP |
| Windows File Download Via CertUtil | Ingress Tool Transfer | TTP |
| Windows GrimResource - MMC Process Accessing APDS DLL | JavaScript, MMC | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |
| Windows InstallUtil Remote Network Connection | InstallUtil | Anomaly |
| Windows InstallUtil Uninstall Option | InstallUtil | TTP |
| Windows InstallUtil URL in Command Line | InstallUtil | TTP |
| Windows IOBit Unlocker Extension DLL Registration via Regsvr32 | Regsvr32 | TTP |
| Windows Kerberos Coercion via DNS | DNS, Name Resolution Poisoning and SMB Relay, Forced Authentication | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows KrbRelayUp Service Creation | Windows Service | TTP |
| Windows Masquerading Explorer As Child Process | DLL | TTP |
| Windows Masquerading Msdtc Process | Masquerading | TTP |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall | TTP |
| Windows MOF Event Triggered Execution via WMI | Windows Management Instrumentation Event Subscription | TTP |
| Windows MSIExec Spawn WinDBG | Msiexec | TTP |
| Windows Mustang Panda USB Tool Execution | DLL, Malicious File, Automated Exfiltration | TTP |
| Windows Network Connection From Program In Suspect Location | Exfiltration Over Other Network Medium | Anomaly |
| Windows NorthStar C2 Agent Execution | Malicious File, Registry Run Keys / Startup Folder, Stage Capabilities | TTP |
| Windows Office Product Dropped Cab or Inf File | Spearphishing Attachment | TTP |
| Windows Office Product Dropped Uncommon File | Spearphishing Attachment | Anomaly |
| Windows Office Product Spawned Control | Spearphishing Attachment | TTP |
| Windows Office Product Spawned MSDT | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Rundll32 With No DLL | Spearphishing Attachment | TTP |
| Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP |
| Windows PaperCut NG Spawn Shell | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Parent PID Spoofing with Explorer | Parent PID Spoofing | TTP |
| Windows PowerShell Process Implementing Manual Base64 Decoder | Command Obfuscation, PowerShell | Anomaly |
| Windows PowGoop Beacon Decoding | PowerShell, Data Obfuscation | TTP |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows PsTools Recon Usage | System Information Discovery, Network Service Discovery, Remote System Discovery | Anomaly |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution | TTP |
| Windows Regsvr32 Renamed Binary | Regsvr32 | TTP |
| Windows Remote Assistance Spawning Process | Process Injection | TTP |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP |
| Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP |
| Windows Service Create SliverC2 | Service Execution | TTP |
| Windows Service Create with Tscon | Windows Service, RDP Hijacking | TTP |
| Windows Short Lived DNS Record | DNS, Name Resolution Poisoning and SMB Relay, Forced Authentication | TTP |
| Windows Snake Malware Service Create | Kernel Modules and Extensions, Service Execution | TTP |
| Windows SOAPHound Binary Execution | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment | TTP |
| Windows Special Privileged Logon On Multiple Hosts | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP |
| Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP |
| Windows SpeechRuntime Suspicious Child Process | Distributed Component Object Model | TTP |
| Windows Steal Authentication Certificates - ESC1 Authentication | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | TTP |
| Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File | TTP |
| Windows TOR Client Execution | Multi-hop Proxy | Anomaly |
| Windows UAC Bypass Suspicious Escalation Behavior | Bypass User Account Control | TTP |
| Windows WinDBG Spawning AutoIt3 | Command and Scripting Interpreter | TTP |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP |
| Winhlp32 Spawning a Process | Process Injection | TTP |
| WinRAR Spawning Shell Application | Ingress Tool Transfer | TTP |
| WMIC XSL Execution via URL | XSL Script Processing | TTP |
| DNS Kerberos Coercion | Name Resolution Poisoning and SMB Relay, Forced Authentication, DNS | TTP |