| Name | Technique | Type |
| --- | --- | --- |
| Email Attachments With Lots Of Spaces | None | Anomaly |
| Suspicious Email Attachment Extensions | Spearphishing Attachment, Phishing | Anomaly |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Excessive File Deletion In WinDefender Folder | Data Destruction | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux Auditd Data Destruction Command | Data Destruction | TTP |
| Linux Auditd Dd File Overwrite | Data Destruction | TTP |
| Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly |
| Linux Auditd Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Auditd Shred Overwrite Command | Data Destruction | TTP |
| Linux Auditd Stop Services | Service Stop | TTP |
| Linux Data Destruction Command | Data Destruction | TTP |
| Linux DD File Overwrite | Data Destruction | TTP |
| Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP |
| Linux Deletion Of Cron Jobs | Data Destruction, File Deletion, Indicator Removal | Anomaly |
| Linux Deletion Of Init Daemon Script | Data Destruction, File Deletion, Indicator Removal | TTP |
| Linux Deletion Of Services | Data Destruction, File Deletion, Indicator Removal | TTP |
| Linux Disable Services | Service Stop | TTP |
| Linux Hardware Addition SwapOff | Hardware Additions | Anomaly |
| Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal | TTP |
| Linux High Frequency Of File Deletion In Etc Folder | Data Destruction, File Deletion, Indicator Removal | Anomaly |
| Linux Impair Defenses Process Kill | Disable or Modify Tools, Impair Defenses | Hunting |
| Linux Indicator Removal Clear Cache | Indicator Removal | TTP |
| Linux Indicator Removal Service File Deletion | File Deletion, Indicator Removal | Anomaly |
| Linux Java Spawning Shell | Exploit Public-Facing Application, External Remote Services | TTP |
| Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Linux Stop Services | Service Stop | TTP |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Linux System Reboot Via System Request Key | System Shutdown/Reboot | TTP |
| Linux Unix Shell Enable All SysRq Functions | Unix Shell, Command and Scripting Interpreter | Anomaly |
| Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Malicious PowerShell Process With Obfuscation Techniques | Command and Scripting Interpreter, PowerShell | TTP |
| MSI Module Loaded by Non-System Binary | DLL Side-Loading, Hijack Execution Flow | Hunting |
| Overwriting Accessibility Binaries | Event Triggered Execution, Accessibility Features | TTP |
| Ping Sleep Batch Command | Virtualization/Sandbox Evasion, Time Based Evasion | Anomaly |
| Possible Lateral Movement PowerShell Spawn | Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC | TTP |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| PowerShell - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting |
| PowerShell Domain Enumeration | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP |
| Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP |
| Powershell Fileless Process Injection via GetProcAddress | Command and Scripting Interpreter, Process Injection, PowerShell | TTP |
| Powershell Fileless Script Contains Base64 Encoded Content | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP |
| PowerShell Loading DotNET into Memory via Reflection | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Processing Stream Of Data | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Remove Windows Defender Directory | Disable or Modify Tools, Impair Defenses | TTP |
| Powershell Using memory As Backing Store | PowerShell, Command and Scripting Interpreter | TTP |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools, Impair Defenses | TTP |
| Print Processor Registry Autostart | Print Processors, Boot or Logon Autostart Execution | TTP |
| Process Deleting Its Process File Path | Indicator Removal | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Regsvr32 Silent and Install Param Dll Loading | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Runas Execution in CommandLine | Access Token Manipulation, Token Impersonation/Theft | Hunting |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP |
| Suspicious Process DNS Query Known Abuse Web Services | Visual Basic, Command and Scripting Interpreter | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious Process With Discord DNS Query | Visual Basic, Command and Scripting Interpreter | Anomaly |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| Unloading AMSI via Reflection | Impair Defenses, PowerShell, Command and Scripting Interpreter | TTP |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP |
| Windows Deleted Registry By A Non Critical Process File Path | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows File Without Extension In Critical Folder | Data Destruction | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows Linked Policies In ADSI Discovery | Domain Account, Account Discovery | Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows NirSoft Utilities | Tool | Hunting |
| Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP |
| Windows Root Domain linked policies Discovery | Domain Account, Account Discovery | Anomaly |
| Windows Terminating Lsass Process | Disable or Modify Tools, Impair Defenses | Anomaly |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
| WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP |
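The listing above is a catalog, not a set of detection queries, so the useful thing to do with it programmatically is coverage analysis: which ATT&CK techniques are covered, by how many detections, and at which analytic type (TTP, Anomaly or Hunting). The following is an added example, not code from the page or from any detection-content project. It parses the listing in the flattened form it was extracted in (three lines per row: name, comma-separated techniques, type, with a trailing `|` on the first two) and builds the coverage index. The embedded sample is a handful of rows copied from the table above; the `Detection` class and the helper names are this example's own.

```python
"""Parse a flattened "Name | / Technique | / Type" detection listing into
records and summarise ATT&CK technique coverage by analytic type.

Added example; not part of the original page or of any detection-content
project. SAMPLE is a constructed subset of rows from the table above, in the
flattened three-lines-per-row form the page was extracted in.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: five rows from the table above, flattened form.
SAMPLE = """\
Email Attachments With Lots Of Spaces |
None |
Anomaly
Add or Set Windows Defender Exclusion |
Disable or Modify Tools, Impair Defenses |
TTP
Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP
Linux Impair Defenses Process Kill |
Disable or Modify Tools, Impair Defenses |
Hunting
Windows Terminating Lsass Process |
Disable or Modify Tools, Impair Defenses |
Anomaly
"""

# The three analytic types that appear in the table.
VALID_TYPES = {"TTP", "Anomaly", "Hunting"}


@dataclass
class Detection:
    name: str
    techniques: List[str] = field(default_factory=list)
    analytic_type: str = ""


def _strip_cell(line: str) -> str:
    # A flattened cell may still carry its trailing " |" column separator.
    return line.strip().rstrip("|").strip()


def parse_flattened(text: str) -> List[Detection]:
    """Rebuild records from the 3-lines-per-row flattened listing.

    Refuses input whose line count is not a multiple of three rather than
    silently mis-aligning every row after a missing line.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError(f"expected 3 lines per record, got {len(lines)} lines")
    records: List[Detection] = []
    for i in range(0, len(lines), 3):
        name, tech, atype = (_strip_cell(ln) for ln in lines[i:i + 3])
        if atype not in VALID_TYPES:
            raise ValueError(f"unknown analytic type {atype!r} for {name!r}")
        # "None" in the technique column means no ATT&CK mapping at all.
        techniques = [] if tech == "None" else [t.strip() for t in tech.split(",")]
        records.append(Detection(name, techniques, atype))
    return records


def count_by_type(records: List[Detection]) -> Dict[str, int]:
    """How many detections of each analytic type the catalog carries."""
    return dict(Counter(r.analytic_type for r in records))


def index_by_technique(records: List[Detection]) -> Dict[str, List[str]]:
    """Technique -> detection names, so overlaps and single points of
    coverage are visible at a glance."""
    idx: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        for t in r.techniques:
            idx[t].append(r.name)
    return dict(idx)


def ttp_covered_techniques(records: List[Detection]) -> List[str]:
    """Techniques covered by at least one TTP-type detection (as opposed to
    only by Anomaly or Hunting content)."""
    covered = {t for r in records if r.analytic_type == "TTP" for t in r.techniques}
    return sorted(covered)


if __name__ == "__main__":
    recs = parse_flattened(SAMPLE)
    print(count_by_type(recs))
    for tech, names in sorted(index_by_technique(recs).items()):
        print(f"{tech}: {names}")
    print("TTP-covered:", ttp_covered_techniques(recs))
```

Run against the full table, `index_by_technique` shows which techniques lean on a single detection and `ttp_covered_techniques` separates techniques with a TTP-type detection from those that only have Anomaly or Hunting content, which is the distinction that matters when deciding what to alert on versus what to review in a hunt.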