| BITS Job Persistence |
BITS Jobs |
TTP |
| BITSAdmin Download File |
BITS Jobs, Ingress Tool Transfer |
TTP |
| CertUtil Download With URLCache and Split Arguments |
Ingress Tool Transfer |
TTP |
| CertUtil Download With VerifyCtl and Split Arguments |
Ingress Tool Transfer |
TTP |
| Certutil exe certificate extraction |
None |
TTP |
| CertUtil With Decode Argument |
Deobfuscate/Decode Files or Information |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Control Loading from World Writable Directory |
Signed Binary Proxy Execution, Control Panel |
TTP |
| Creation of Shadow Copy with wmic and powershell |
NTDS, OS Credential Dumping |
TTP |
| Detect HTML Help Renamed |
Signed Binary Proxy Execution, Compiled HTML File |
Hunting |
| Detect HTML Help Spawn Child Process |
Signed Binary Proxy Execution, Compiled HTML File |
TTP |
| Detect HTML Help URL in Command Line |
Signed Binary Proxy Execution, Compiled HTML File |
TTP |
| Detect HTML Help Using InfoTech Storage Handlers |
Signed Binary Proxy Execution, Compiled HTML File |
TTP |
| Detect mshta inline hta execution |
Signed Binary Proxy Execution, Mshta |
TTP |
| Detect mshta renamed |
Signed Binary Proxy Execution, Mshta |
Hunting |
| Detect MSHTA Url in Command Line |
Signed Binary Proxy Execution, Mshta |
TTP |
| Detect Regasm Spawning a Process |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regasm with Network Connection |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regasm with no Command Line Arguments |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regsvcs Spawning a Process |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regsvcs with Network Connection |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regsvcs with No Command Line Arguments |
Signed Binary Proxy Execution, Regsvcs/Regasm |
TTP |
| Detect Regsvr32 Application Control Bypass |
Signed Binary Proxy Execution, Regsvr32 |
TTP |
| Detect Rundll32 Application Control Bypass - advpack |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Detect Rundll32 Application Control Bypass - setupapi |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Detect Rundll32 Application Control Bypass - syssetup |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Detect Rundll32 Inline HTA Execution |
Signed Binary Proxy Execution, Mshta |
TTP |
| Disable Schedule Task |
Disable or Modify Tools, Impair Defenses |
TTP |
| Dump LSASS via comsvcs DLL |
LSASS Memory, OS Credential Dumping |
TTP |
| Esentutl SAM Copy |
Security Account Manager, OS Credential Dumping |
Hunting |
| Eventvwr UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |
| MacOS LOLbin |
Unix Shell, Command and Scripting Interpreter |
TTP |
| MacOS plutil |
Plist Modification |
TTP |
| Mmc LOLBAS Execution Process Spawn |
Remote Services, Distributed Component Object Model |
TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process |
Signed Binary Proxy Execution, Mshta |
TTP |
| Ntdsutil Export NTDS |
NTDS, OS Credential Dumping |
TTP |
| Reg exe Manipulating Windows Services Registry Keys |
Services Registry Permissions Weakness, Hijack Execution Flow |
TTP |
| Regsvr32 Silent and Install Param Dll Loading |
Signed Binary Proxy Execution, Regsvr32 |
Anomaly |
| Regsvr32 with Known Silent Switch Cmdline |
Signed Binary Proxy Execution, Regsvr32 |
Anomaly |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| Rundll32 Control RunDLL Hunt |
Signed Binary Proxy Execution, Rundll32 |
Hunting |
| Rundll32 Control RunDLL World Writable Directory |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Create Remote Thread To A Process |
Process Injection |
TTP |
| Rundll32 CreateRemoteThread In Browser |
Process Injection |
TTP |
| Rundll32 DNSQuery |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Process Creating Exe Dll Files |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Shimcache Flush |
Modify Registry |
TTP |
| RunDLL Loading DLL By Ordinal |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Schedule Task with HTTP Command Arguments |
Scheduled Task/Job |
TTP |
| Schedule Task with Rundll32 Command Trigger |
Scheduled Task/Job |
TTP |
| Scheduled Task Creation on Remote Endpoint using At |
Scheduled Task/Job, At (Windows) |
TTP |
| Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
| Scheduled Task Initiation on Remote Endpoint |
Scheduled Task/Job, Scheduled Task |
TTP |
| Schtasks scheduling job on remote system |
Scheduled Task, Scheduled Task/Job |
TTP |
| Services LOLBAS Execution Process Spawn |
Create or Modify System Process, Windows Service |
TTP |
| Suspicious IcedID Rundll32 Cmdline |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious microsoft workflow compiler rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities |
Hunting |
| Suspicious microsoft workflow compiler usage |
Trusted Developer Utilities Proxy Execution |
TTP |
| Suspicious msbuild path |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
TTP |
| Suspicious MSBuild Rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Hunting |
| Suspicious MSBuild Spawn |
Trusted Developer Utilities Proxy Execution, MSBuild |
TTP |
| Suspicious mshta child process |
Signed Binary Proxy Execution, Mshta |
TTP |
| Suspicious mshta spawn |
Signed Binary Proxy Execution, Mshta |
TTP |
| Suspicious Regsvr32 Register Suspicious Path |
Signed Binary Proxy Execution, Regsvr32 |
TTP |
| Suspicious Rundll32 dllregisterserver |
Signed Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Scheduled Task from Public Directory |
Scheduled Task, Scheduled Task/Job |
Anomaly |
| Svchost LOLBAS Execution Process Spawn |
Scheduled Task/Job, Scheduled Task |
TTP |
| Windows Diskshadow Proxy Execution |
Signed Binary Proxy Execution |
TTP |
| Windows Indirect Command Execution Via forfiles |
Indirect Command Execution |
TTP |
| Windows Indirect Command Execution Via pcalua |
Indirect Command Execution |
TTP |
| Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, Signed Binary Proxy Execution, InstallUtil |
TTP |
| Windows InstallUtil Remote Network Connection |
InstallUtil, Signed Binary Proxy Execution |
TTP |
| Windows InstallUtil Uninstall Option |
InstallUtil, Signed Binary Proxy Execution |
TTP |
| Windows InstallUtil Uninstall Option with Network |
InstallUtil, Signed Binary Proxy Execution |
TTP |
| Windows InstallUtil URL in Command Line |
InstallUtil, Signed Binary Proxy Execution |
TTP |
| WSReset UAC Bypass |
Bypass User Account Control, Abuse Elevation Control Mechanism |
TTP |