| Detection | MITRE ATT&CK Techniques | Analytic Type |
|---|---|---|
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Hunting |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Anomaly |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | Anomaly |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Anomaly |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP |
| NET Profiler UAC bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools, Impair Defenses | TTP |
| Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP |
| Remote Registry Key modifications | | TTP |
| SLUI RunAs Elevated | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SLUI Spawning a Process | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Sdclt UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Suspicious Reg exe Process | Modify Registry | Anomaly |
| System Process Running from Unexpected Location | Masquerading | Anomaly |
| UAC Bypass MMC Load Unsigned Dll | Bypass User Account Control, Abuse Elevation Control Mechanism, MMC | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Windows Alternate DataStream - Base64 Content | Hide Artifacts, NTFS File Attributes | TTP |
| Windows Alternate DataStream - Executable Content | Hide Artifacts, NTFS File Attributes | TTP |
| Windows Alternate DataStream - Process Execution | Hide Artifacts, NTFS File Attributes | TTP |
| Windows Command and Scripting Interpreter Hunting Path Traversal | Command and Scripting Interpreter | Hunting |
| Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP |
| Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation |
| Windows DISM Remove Defender | Disable or Modify Tools, Impair Defenses | TTP |
| Windows DLL Search Order Hijacking Hunt | DLL Search Order Hijacking, Hijack Execution Flow | Hunting |
| Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking, Hijack Execution Flow | Hunting |
| Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP |
| Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Disable Change Password Through Registry | Modify Registry | Anomaly |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable Notification Center | Modify Registry | Anomaly |
| Windows Disable Windows Event Logging Disable HTTP Logging | Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components | TTP |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Event For Service Disabled | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Excessive Disabled Services Event | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows Impair Defense Change Win Defender Health Check Intervals | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Quick Scan Interval | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Throttle Rate | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Tracing Level | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Configure App Install Control | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Define Win Defender Threat Action | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Realtime Signature Delivery | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Web Evaluation | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender App Guard | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Compute File Hashes | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Gen reports | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Report Infection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Scan On Update | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Overide Win Defender Phishing Filter | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Override SmartScreen Prompt | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable HVCI | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Known Abused DLL Created | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | Anomaly |
| Windows Known Abused DLL Loaded Suspiciously | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows LOLBAS Executed As Renamed File | Masquerading, Rename System Utilities, Rundll32 | TTP |
| Windows LOLBAS Executed Outside Expected Path | Masquerading, Match Legitimate Name or Location, Rundll32 | TTP |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows Parent PID Spoofing with Explorer | Parent PID Spoofing, Access Token Manipulation | TTP |
| Windows PowerShell Disable HTTP Logging | Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components | TTP |
| Windows Process With NamedPipe CommandLine | Process Injection | Anomaly |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | TTP |
| Windows UAC Bypass Suspicious Child Process | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP |
| Windows UAC Bypass Suspicious Escalation Behavior | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP |