| Detection Name | ATT&CK Techniques | Type |
| --- | --- | --- |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Anomaly |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP |
| Enable RDP In Other Port Number | Remote Services | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP |
| Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Remcos client registry install entry | Modify Registry | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Sdclt UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SilentCleanup UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Windows Autostart Execution LSASS Driver Registry Modification | LSASS Driver | TTP |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows Disable Notification Center | Modify Registry | Anomaly |
| Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows Impair Defense Change Win Defender Health Check Intervals | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Quick Scan Interval | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Throttle Rate | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Change Win Defender Tracing Level | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Configure App Install Control | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Define Win Defender Threat Action | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Delete Win Defender Context Menu | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Impair Defense Delete Win Defender Profile Registry | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Impair Defense Disable Controlled Folder Access | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Realtime Signature Delivery | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Web Evaluation | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender App Guard | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Compute File Hashes | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Gen reports | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Report Infection | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Scan On Update | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Overide Win Defender Phishing Filter | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Override SmartScreen Prompt | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defense Set Win Defender Smart Screen Level To Warn | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable HVCI | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools, Impair Defenses | Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows Registry Certificate Added | Install Root Certificate, Subvert Trust Controls | Anomaly |
| Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Anomaly |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP |
| WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |