| Detection | MITRE ATT&CK Techniques | Type |
|---|---|---|
| Windows DLL Search Order Hijacking Hunt | DLL Search Order Hijacking, Hijack Execution Flow | Hunting |
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Certutil exe certificate extraction | None | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Hunting |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP |
| Detect mshta renamed | System Binary Proxy Execution, Mshta | Hunting |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | TTP |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP |
| MacOS LOLbin | Unix Shell, Command and Scripting Interpreter | TTP |
| MacOS plutil | Plist File Modification | TTP |
| Mmc LOLBAS Execution Process Spawn | Remote Services, Distributed Component Object Model, MMC | TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process | System Binary Proxy Execution, Mshta | TTP |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP |
| Regsvr32 Silent and Install Param Dll Loading | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Regsvr32 with Known Silent Switch Cmdline | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Remote WMI Command Attempt | Windows Management Instrumentation | TTP |
| Rundll32 Control RunDLL Hunt | System Binary Proxy Execution, Rundll32 | Hunting |
| Rundll32 Control RunDLL World Writable Directory | System Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Create Remote Thread To A Process | Process Injection | TTP |
| Rundll32 CreateRemoteThread In Browser | Process Injection | TTP |
| Rundll32 DNSQuery | System Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Process Creating Exe Dll Files | System Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| RunDLL Loading DLL By Ordinal | System Binary Proxy Execution, Rundll32 | TTP |
| Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Scheduled Task Creation on Remote Endpoint using At | Scheduled Task/Job, At | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Scheduled Task Initiation on Remote Endpoint | Scheduled Task/Job, Scheduled Task | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP |
| Suspicious IcedID Rundll32 Cmdline | System Binary Proxy Execution, Rundll32 | TTP |
| Suspicious microsoft workflow compiler rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities | Hunting |
| Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP |
| Suspicious msbuild path | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | TTP |
| Suspicious MSBuild Rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Hunting |
| Suspicious MSBuild Spawn | Trusted Developer Utilities Proxy Execution, MSBuild | TTP |
| Suspicious mshta child process | System Binary Proxy Execution, Mshta | TTP |
| Suspicious mshta spawn | System Binary Proxy Execution, Mshta | TTP |
| Suspicious Regsvr32 Register Suspicious Path | System Binary Proxy Execution, Regsvr32 | TTP |
| Suspicious Rundll32 dllregisterserver | System Binary Proxy Execution, Rundll32 | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| Svchost LOLBAS Execution Process Spawn | Scheduled Task/Job, Scheduled Task | TTP |
| Windows Binary Proxy Execution Mavinject DLL Injection | Mavinject, System Binary Proxy Execution | TTP |
| Windows COM Hijacking InprocServer32 Modification | Component Object Model Hijacking, Event Triggered Execution | TTP |
| Windows Diskshadow Proxy Execution | System Binary Proxy Execution | TTP |
| Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking, Hijack Execution Flow | Hunting |
| Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP |
| Windows Identify Protocol Handlers | Command and Scripting Interpreter | Hunting |
| Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP |
| Windows Indirect Command Execution Via pcalua | Indirect Command Execution | TTP |
| Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows InstallUtil Remote Network Connection | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option with Network | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil URL in Command Line | InstallUtil, System Binary Proxy Execution | TTP |
| Windows Known Abused DLL Created | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | Anomaly |
| Windows Known Abused DLL Loaded Suspiciously | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows LOLBAS Executed As Renamed File | Masquerading, Rename System Utilities, Rundll32 | TTP |
| Windows LOLBAS Executed Outside Expected Path | Masquerading, Match Legitimate Name or Location, Rundll32 | TTP |
| Windows MOF Event Triggered Execution via WMI | Windows Management Instrumentation Event Subscription | TTP |
| Windows Odbcconf Hunting | Odbcconf | Hunting |
| Windows Odbcconf Load DLL | Odbcconf | TTP |
| Windows Odbcconf Load Response File | Odbcconf | TTP |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File, System Binary Proxy Execution | TTP |
| Windows System Script Proxy Execution Syncappvpublishingserver | System Script Proxy Execution, System Binary Proxy Execution | TTP |
| Windows UAC Bypass Suspicious Child Process | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP |
| Windows UAC Bypass Suspicious Escalation Behavior | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |