| Name | Technique | Type |
|---|---|---|
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Certutil exe certificate extraction | None | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Control Loading from World Writable Directory | Signed Binary Proxy Execution, Control Panel | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Detect HTML Help Renamed | Signed Binary Proxy Execution, Compiled HTML File | Hunting |
| Detect HTML Help Spawn Child Process | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | Signed Binary Proxy Execution, Compiled HTML File | TTP |
| Detect mshta inline hta execution | Signed Binary Proxy Execution, Mshta | TTP |
| Detect mshta renamed | Signed Binary Proxy Execution, Mshta | Hunting |
| Detect MSHTA Url in Command Line | Signed Binary Proxy Execution, Mshta | TTP |
| Detect Regasm Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | Signed Binary Proxy Execution, Regsvr32 | TTP |
| Detect Rundll32 Application Control Bypass - advpack | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | Signed Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Inline HTA Execution | Signed Binary Proxy Execution, Mshta | TTP |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| MacOS LOLbin | Unix Shell, Command and Scripting Interpreter | TTP |
| MacOS plutil | Plist Modification | TTP |
| Mmc LOLBAS Execution Process Spawn | Remote Services, Distributed Component Object Model | TTP |
| Mshta spawning Rundll32 OR Regsvr32 Process | Signed Binary Proxy Execution, Mshta | TTP |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP |
| Regsvr32 Silent and Install Param Dll Loading | Signed Binary Proxy Execution, Regsvr32 | Anomaly |
| Regsvr32 with Known Silent Switch Cmdline | Signed Binary Proxy Execution, Regsvr32 | Anomaly |
| Remote WMI Command Attempt | Windows Management Instrumentation | TTP |
| Rundll32 Control RunDLL Hunt | Signed Binary Proxy Execution, Rundll32 | Hunting |
| Rundll32 Control RunDLL World Writable Directory | Signed Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Create Remote Thread To A Process | Process Injection | TTP |
| Rundll32 CreateRemoteThread In Browser | Process Injection | TTP |
| Rundll32 DNSQuery | Signed Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Process Creating Exe Dll Files | Signed Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| RunDLL Loading DLL By Ordinal | Signed Binary Proxy Execution, Rundll32 | TTP |
| Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Scheduled Task Creation on Remote Endpoint using At | Scheduled Task/Job, At (Windows) | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Scheduled Task Initiation on Remote Endpoint | Scheduled Task/Job, Scheduled Task | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP |
| Suspicious IcedID Rundll32 Cmdline | Signed Binary Proxy Execution, Rundll32 | TTP |
| Suspicious microsoft workflow compiler rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities | Hunting |
| Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP |
| Suspicious msbuild path | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | TTP |
| Suspicious MSBuild Rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Hunting |
| Suspicious MSBuild Spawn | Trusted Developer Utilities Proxy Execution, MSBuild | TTP |
| Suspicious mshta child process | Signed Binary Proxy Execution, Mshta | TTP |
| Suspicious mshta spawn | Signed Binary Proxy Execution, Mshta | TTP |
| Suspicious Regsvr32 Register Suspicious Path | Signed Binary Proxy Execution, Regsvr32 | TTP |
| Suspicious Rundll32 dllregisterserver | Signed Binary Proxy Execution, Rundll32 | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| Svchost LOLBAS Execution Process Spawn | Scheduled Task/Job, Scheduled Task | TTP |
| Windows Diskshadow Proxy Execution | Signed Binary Proxy Execution | TTP |
| Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP |
| Windows Indirect Command Execution Via pcalua | Indirect Command Execution | TTP |
| Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, Signed Binary Proxy Execution, InstallUtil | TTP |
| Windows InstallUtil Remote Network Connection | InstallUtil, Signed Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option | InstallUtil, Signed Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option with Network | InstallUtil, Signed Binary Proxy Execution | TTP |
| Windows InstallUtil URL in Command Line | InstallUtil, Signed Binary Proxy Execution | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |