| Email Attachments With Lots Of Spaces |
None |
Anomaly |
| Suspicious Email Attachment Extensions |
Spearphishing Attachment, Phishing |
Anomaly |
| Active Setup Registry Autostart |
Active Setup, Boot or Logon Autostart Execution |
TTP |
| Add or Set Windows Defender Exclusion |
Disable or Modify Tools, Impair Defenses |
TTP |
| AdsiSearcher Account Discovery |
Domain Account, Account Discovery |
TTP |
| Any Powershell DownloadFile |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| Any Powershell DownloadString |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| Attempt To Stop Security Service |
Disable or Modify Tools, Impair Defenses |
TTP |
| Attempted Credential Dump From Registry via Reg exe |
Security Account Manager, OS Credential Dumping |
TTP |
| Change Default File Association |
Change Default File Association, Event Triggered Execution |
TTP |
| Child Processes of Spoolsv exe |
Exploitation for Privilege Escalation |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Detect Empire with PowerShell Script Block Logging |
Command and Scripting Interpreter, PowerShell |
TTP |
| Detect Mimikatz With PowerShell Script Block Logging |
OS Credential Dumping, PowerShell |
TTP |
| Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP |
| ETW Registry Disabled |
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses |
TTP |
| Excessive File Deletion In WinDefender Folder |
Data Destruction |
TTP |
| Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Kerberoasting spn request with RC4 encryption |
Steal or Forge Kerberos Tickets, Kerberoasting |
TTP |
| Linux Adding Crontab Using List Parameter |
Cron, Scheduled Task/Job |
Hunting |
| Linux Auditd Data Destruction Command |
Data Destruction |
TTP |
| Linux Auditd Dd File Overwrite |
Data Destruction |
TTP |
| Linux Auditd Hardware Addition Swapoff |
Hardware Additions |
Anomaly |
| Linux Auditd Service Restarted |
Systemd Timers, Scheduled Task/Job |
Anomaly |
| Linux Auditd Shred Overwrite Command |
Data Destruction |
TTP |
| Linux Auditd Stop Services |
Service Stop |
TTP |
| Linux Data Destruction Command |
Data Destruction |
TTP |
| Linux DD File Overwrite |
Data Destruction |
TTP |
| Linux Deleting Critical Directory Using RM Command |
Data Destruction |
TTP |
| Linux Deletion Of Cron Jobs |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
| Linux Deletion Of Init Daemon Script |
Data Destruction, File Deletion, Indicator Removal |
TTP |
| Linux Deletion Of Services |
Data Destruction, File Deletion, Indicator Removal |
TTP |
| Linux Disable Services |
Service Stop |
TTP |
| Linux Hardware Addition SwapOff |
Hardware Additions |
Anomaly |
| Linux High Frequency Of File Deletion In Boot Folder |
Data Destruction, File Deletion, Indicator Removal |
TTP |
| Linux High Frequency Of File Deletion In Etc Folder |
Data Destruction, File Deletion, Indicator Removal |
Anomaly |
| Linux Impair Defenses Process Kill |
Disable or Modify Tools, Impair Defenses |
Hunting |
| Linux Indicator Removal Clear Cache |
Indicator Removal |
TTP |
| Linux Indicator Removal Service File Deletion |
File Deletion, Indicator Removal |
Anomaly |
| Linux Java Spawning Shell |
Exploit Public-Facing Application, External Remote Services |
TTP |
| Linux Service Restarted |
Systemd Timers, Scheduled Task/Job |
Anomaly |
| Linux Shred Overwrite Command |
Data Destruction |
TTP |
| Linux Stdout Redirection To Dev Null File |
Disable or Modify System Firewall, Impair Defenses |
Anomaly |
| Linux Stop Services |
Service Stop |
TTP |
| Linux System Network Discovery |
System Network Configuration Discovery |
Anomaly |
| Linux System Reboot Via System Request Key |
System Shutdown/Reboot |
TTP |
| Linux Unix Shell Enable All SysRq Functions |
Unix Shell, Command and Scripting Interpreter |
Anomaly |
| Logon Script Event Trigger Execution |
Boot or Logon Initialization Scripts, Logon Script (Windows) |
TTP |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Malicious PowerShell Process With Obfuscation Techniques |
Command and Scripting Interpreter, PowerShell |
TTP |
| MSI Module Loaded by Non-System Binary |
DLL Side-Loading, Hijack Execution Flow |
Hunting |
| Overwriting Accessibility Binaries |
Event Triggered Execution, Accessibility Features |
TTP |
| Ping Sleep Batch Command |
Virtualization/Sandbox Evasion, Time Based Evasion |
Anomaly |
| Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
TTP |
| PowerShell 4104 Hunting |
Command and Scripting Interpreter, PowerShell |
Hunting |
| PowerShell - Connect To Internet With Hidden Window |
PowerShell, Command and Scripting Interpreter |
Hunting |
| PowerShell Domain Enumeration |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Enable SMB1Protocol Feature |
Obfuscated Files or Information, Indicator Removal from Tools |
TTP |
| Powershell Execute COM Object |
Component Object Model Hijacking, Event Triggered Execution, PowerShell |
TTP |
| Powershell Fileless Process Injection via GetProcAddress |
Command and Scripting Interpreter, Process Injection, PowerShell |
TTP |
| Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
| PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Remove Windows Defender Directory |
Disable or Modify Tools, Impair Defenses |
TTP |
| Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
TTP |
| Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
TTP |
| Print Processor Registry Autostart |
Print Processors, Boot or Logon Autostart Execution |
TTP |
| Process Deleting Its Process File Path |
Indicator Removal |
TTP |
| Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
TTP |
| Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
Anomaly |
| Registry Keys Used For Privilege Escalation |
Image File Execution Options Injection, Event Triggered Execution |
TTP |
| Regsvr32 Silent and Install Param Dll Loading |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
| Runas Execution in CommandLine |
Access Token Manipulation, Token Impersonation/Theft |
Hunting |
| Schtasks Run Task On Demand |
Scheduled Task/Job |
TTP |
| Screensaver Event Trigger Execution |
Event Triggered Execution, Screensaver |
TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
| Suspicious Process DNS Query Known Abuse Web Services |
Visual Basic, Command and Scripting Interpreter |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Process With Discord DNS Query |
Visual Basic, Command and Scripting Interpreter |
Anomaly |
| Time Provider Persistence Registry |
Time Providers, Boot or Logon Autostart Execution |
TTP |
| Unloading AMSI via Reflection |
Impair Defenses, PowerShell, Command and Scripting Interpreter |
TTP |
| W3WP Spawning Shell |
Server Software Component, Web Shell |
TTP |
| Windows Data Destruction Recursive Exec Files Deletion |
Data Destruction |
TTP |
| Windows Deleted Registry By A Non Critical Process File Path |
Modify Registry |
Anomaly |
| Windows Disable Memory Crash Dump |
Data Destruction |
TTP |
| Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows File Without Extension In Critical Folder |
Data Destruction |
TTP |
| Windows Hidden Schedule Task Settings |
Scheduled Task/Job |
TTP |
| Windows High File Deletion Frequency |
Data Destruction |
Anomaly |
| Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows Linked Policies In ADSI Discovery |
Domain Account, Account Discovery |
Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry |
Modify Registry |
TTP |
| Windows NirSoft AdvancedRun |
Tool |
TTP |
| Windows NirSoft Utilities |
Tool |
Hunting |
| Windows Processes Killed By Industroyer2 Malware |
Service Stop |
Anomaly |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe, Disk Wipe |
Anomaly |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
| Windows Root Domain linked policies Discovery |
Domain Account, Account Discovery |
Anomaly |
| Windows Terminating Lsass Process |
Disable or Modify Tools, Impair Defenses |
Anomaly |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| WMI Recon Running Process Or Services |
Gather Victim Host Information |
Anomaly |
| Wscript Or Cscript Suspicious Child Process |
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation |
TTP |
Linux
Windows