| Name | Data Source | Technique | Type |
|---|---|---|---|
| [Path traversal SPL injection](/application/dfe55688-82ed-4d24-a21b-ed8f0e0fda99/) | [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) | T1083 | TTP |
| [Splunk User Enumeration Attempt](/application/25625cb4-1c4d-4463-b0f9-7cb462699cde/) | [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) | T1078 | TTP |
| [Splunk XSS in Monitoring Console](/application/b11accac-6fa3-4103-8a1a-7210f1a67087/) | N/A | T1189 | TTP |
| [Okta Multi-Factor Authentication Disabled](/application/7c0348ce-bdf9-45f6-8a57-c18b5976f00a/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1556, T1556.006 | TTP |
| [Okta Multiple Failed MFA Requests For User](/application/826dbaae-a1e6-4c8c-b384-d16898956e73/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1621 | Anomaly |
| [Okta Multiple Users Failing To Authenticate From Ip](/application/de365ffa-42f5-46b5-b43f-fa72290b8218/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1110.003 | Anomaly |
| [Okta New API Token Created](/application/c3d22720-35d3-4da4-bd0a-740d37192bd4/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1078, T1078.001 | TTP |
| [Okta New Device Enrolled on Account](/application/bb27cbce-d4de-432c-932f-2e206e9130fb/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1098, T1098.005 | TTP |
| [Windows AD Object Owner Updated](/application/4af01f6b-d8d4-4f96-8635-758a01557130/) | N/A | T1484, T1222, T1222.001 | TTP |
| [ASL AWS Concurrent Sessions From Different Ips](/cloud/b3424bbe-3204-4469-887b-ec144483a336/) | N/A | T1185 | Anomaly |
| [ASL AWS New MFA Method Registered For User](/cloud/33ae0931-2a03-456b-b1d7-b016c5557fbd/) | N/A | T1556, T1556.006 | TTP |
| [AWS Concurrent Sessions From Different Ips](/cloud/51c04fdb-2746-465a-b86e-b413a09c9085/) | [AWS CloudTrail DescribeEventAggregates](/sources/7efe4afe-62ae-4f96-81d1-76598ea37fc2) | T1185 | TTP |
| [AWS New MFA Method Registered For User](/cloud/4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b/) | [AWS CloudTrail CreateVirtualMFADevice](/sources/13e6e952-0dad-4190-865c-fb5911725f7a) | T1556, T1556.006 | TTP |
| [AWS Successful Console Authentication From Multiple IPs](/cloud/395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb/) | [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) | T1586, T1535 | Anomaly |
| [AWS UpdateLoginProfile](/cloud/2a9b80d3-6a40-4115-11ad-212bf3d0d111/) | [AWS CloudTrail UpdateLoginProfile](/sources/1db79158-e5d3-4d35-9d3c-586e44e09f1c) | T1136.003, T1136 | TTP |
| [Azure Active Directory High Risk Sign-in](/cloud/1ecff169-26d7-4161-9a7b-2ac4c8e61bea/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1110, T1110.003 | TTP |
| [Azure AD Application Administrator Role Assigned](/cloud/eac4de87-7a56-4538-a21b-277897af6d8d/) | [Azure Active Directory Add member to role](/sources/1660d196-127f-4678-81b2-472d51711b07) | T1098, T1098.003 | TTP |
| [Azure AD Authentication Failed During MFA Challenge](/cloud/e62c9c2e-bf51-4719-906c-3074618fcc1c/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1078, T1078.004, T1621 | TTP |
| [Azure AD Concurrent Sessions From Different Ips](/cloud/a9126f73-9a9b-493d-96ec-0dd06695490d/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1185 | TTP |
| [Azure AD High Number Of Failed Authentications For User](/cloud/630b1694-210a-48ee-a450-6f79e7679f2c/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1110, T1110.001 | TTP |
| [Azure AD High Number Of Failed Authentications From Ip](/cloud/e5ab41bf-745d-4f72-a393-2611151afd8e/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1110, T1110.001, T1110.003 | TTP |
| [Azure AD Multi-Source Failed Authentications Spike](/cloud/116e11a9-63ea-41eb-a66a-6a13bdc7d2c7/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1110, T1110.003, T1110.004 | Hunting |
| [Azure AD Multiple AppIDs and UserAgents Authentication Spike](/cloud/5d8bb1f0-f65a-4b4e-af2e-fcdb88276314/) | [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) | T1078 | Anomaly |
| [Azure AD Multiple Failed MFA Requests For User](/cloud/264ea131-ab1f-41b8-90e0-33ad1a1888ea/) | [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) | T1586, T1586.003, T1621, T1078, T1078.004 | TTP |
| [Azure AD Multiple Service Principals Created by SP](/cloud/66cb378f-234d-4fe1-bb4c-e7878ff6b017/) | [Azure Active Directory Add service principal](/sources/fd89d337-e4c0-4162-ad13-bca36f096fe6) | T1136.003 | Anomaly |
| [Azure AD Multiple Service Principals Created by User](/cloud/32880707-f512-414e-bd7f-204c0c85b758/) | [Azure Active Directory Add service principal](/sources/fd89d337-e4c0-4162-ad13-bca36f096fe6) | T1136.003 | Anomaly |
| [Azure AD Multiple Users Failing To Authenticate From Ip](/cloud/94481a6a-8f59-4c86-957f-55a71e3612a6/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1110, T1110.003, T1110.004 | Anomaly |
| [Azure AD New Custom Domain Added](/cloud/30c47f45-dd6a-4720-9963-0bca6c8686ef/) | [Azure Active Directory Add unverified domain](/sources/d4c01fb1-3b88-46d3-bd12-9b9e256450f7) | T1484, T1484.002 | TTP |
| [Azure AD New Federated Domain Added](/cloud/a87cd633-076d-4ab2-9047-977751a3c1a0/) | [Azure Active Directory Set domain authentication](/sources/e7bcdab9-908c-40ab-ba38-5db54fa87750) | T1484, T1484.002 | TTP |
| [Azure AD New MFA Method Registered For User](/cloud/2628b087-4189-403f-9044-87403f777a1b/) | [Azure Active Directory User registered security info](/sources/b63240de-8a01-4ba8-8987-89d18d4b375d) | T1556, T1556.006 | TTP |
| [Azure AD PIM Role Assigned](/cloud/fcd6dfeb-191c-46a0-a29c-c306382145ab/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1098, T1098.003 | TTP |
| [Azure AD PIM Role Assignment Activated](/cloud/952e80d0-e343-439b-83f4-808c3e6fbf2e/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1098, T1098.003 | TTP |
| [Azure AD Privileged Authentication Administrator Role Assigned](/cloud/a7da845d-6fae-41cf-b823-6c0b8c55814a/) | [Azure Active Directory Add member to role](/sources/1660d196-127f-4678-81b2-472d51711b07) | T1003.002 | TTP |
| [Azure AD Privileged Role Assigned](/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/) | [Azure Active Directory Add member to role](/sources/1660d196-127f-4678-81b2-472d51711b07) | T1098, T1098.003 | TTP |
| [Azure AD Privileged Role Assigned to Service Principal](/cloud/5dfaa3d3-e2e4-4053-8252-16d9ee528c41/) | [Azure Active Directory Add member to role](/sources/1660d196-127f-4678-81b2-472d51711b07) | T1098, T1098.003 | TTP |
| [Azure AD Service Principal Authentication](/cloud/5a2ec401-60bb-474e-b936-1e66e7aa4060/) | [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) | T1078.004 | TTP |
| [Azure AD Service Principal New Client Credentials](/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1098, T1098.001 | TTP |
| [Azure AD Service Principal Owner Added](/cloud/7ddf2084-6cf3-4a44-be83-474f7b73c701/) | [Azure Active Directory Add owner to application](/sources/e895ed56-7be4-4b3a-b782-ecd0f594ec4c) | T1098 | TTP |
| [Azure AD Successful Authentication From Different Ips](/cloud/be6d868d-33b6-4aaa-912e-724fb555b11a/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1110, T1110.001, T1110.003 | TTP |
| [Azure AD Successful PowerShell Authentication](/cloud/62f10052-d7b3-4e48-b57b-56f8e3ac7ceb/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1078, T1078.004 | TTP |
| [Azure AD Successful Single-Factor Authentication](/cloud/a560e7f6-1711-4353-885b-40be53101fcd/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1078, T1078.004 | TTP |
| [Azure AD Unusual Number of Failed Authentications From Ip](/cloud/3d8d3a36-93b8-42d7-8d91-c5f24cec223d/) | [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) | T1586, T1586.003, T1110, T1110.003, T1110.004 | Anomaly |
| [Azure AD User Consent Denied for OAuth Application](/cloud/bb093c30-d860-4858-a56e-cd0895d5b49c/) | [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) | T1528 | TTP |
| [Azure AD User Enabled And Password Reset](/cloud/1347b9e8-2daa-4a6f-be73-b421d3d9e268/) | [Azure Active Directory Enable account](/sources/cb49f3cd-04ad-415c-a5ed-9b27b2829fa7), [Azure Active Directory Reset password (by admin)](/sources/dcd0e4dc-68f8-4b77-a66f-89c57b3afa6b), [Azure Active Directory Update user](/sources/5495c90a-047c-4b8e-b2fe-1db6282d3872) | T1098 | TTP |
| [Azure AD User ImmutableId Attribute Updated](/cloud/0c0badad-4536-4a84-a561-5ff760f3c00e/) | [Azure Active Directory Update user](/sources/5495c90a-047c-4b8e-b2fe-1db6282d3872) | T1098 | TTP |
| [Azure Automation Account Created](/cloud/860902fd-2e76-46b3-b050-ba548dab576c/) | [Azure Audit Create or Update an Azure Automation account](/sources/2ab182e7-feda-4249-9418-32710b55a885) | T1136, T1136.003 | TTP |
| [Azure Automation Runbook Created](/cloud/178d696d-6dc6-4ee8-9d25-93fee34eaf5b/) | [Azure Audit Create or Update an Azure Automation Runbook](/sources/2bd83221-7a8b-436f-9b2b-efa1d44d009e) | T1136, T1136.003 | TTP |
| [Azure Runbook Webhook Created](/cloud/e98944a9-92e4-443c-81b8-a322e33ce75a/) | [Azure Audit Create or Update an Azure Automation webhook](/sources/575faeb2-09d0-4849-b1f6-eae241f26ff2) | T1078, T1078.004 | TTP |
| [GCP Authentication Failed During MFA Challenge](/cloud/345f7e1d-a3fe-4158-abd8-e630f9878323/) | [Google Workspace login_failure](/sources/cabec7cf-4008-4899-b47e-39c34a9a1255) | T1586, T1586.003, T1078, T1078.004, T1621 | TTP |
| [Kubernetes Anomalous Inbound Outbound Network IO](/cloud/4f3b0c97-657e-4547-a89a-9a50c656e3cd/) | N/A | T1204 | Anomaly |
| [Kubernetes Anomalous Inbound to Outbound Network IO Ratio](/cloud/9d8f6e3f-39df-46d8-a9d4-96173edc501f/) | N/A | T1204 | Anomaly |
| [Kubernetes Previously Unseen Container Image Name](/cloud/fea515a4-b1d8-4cd6-80d6-e0d71397b891/) | N/A | T1204 | Anomaly |
| [Kubernetes Previously Unseen Process](/cloud/c8119b2f-d7f7-40be-940a-1c582870e8e2/) | N/A | T1204 | Anomaly |
| [Kubernetes Process Running From New Path](/cloud/454076fb-0e9e-4adf-b93a-da132621c5e6/) | N/A | T1204 | Anomaly |
| [Kubernetes Process with Anomalous Resource Utilisation](/cloud/25ca9594-7a0d-4a95-a5e5-3228d7398ec8/) | N/A | T1204 | Anomaly |
| [Kubernetes Process with Resource Ratio Anomalies](/cloud/0d42b295-0f1f-4183-b75e-377975f47c65/) | N/A | T1204 | Anomaly |
| [Kubernetes Shell Running on Worker Node](/cloud/efebf0c4-dcf4-496f-85a2-5ab7ad8fa876/) | N/A | T1204 | Anomaly |
| [Kubernetes Shell Running on Worker Node with CPU Activity](/cloud/cc1448e3-cc7a-4518-bc9f-2fa48f61a22b/) | N/A | T1204 | Anomaly |
| [O365 Application Available To Other Tenants](/cloud/942548a3-0273-47a4-8dbd-e5202437395c/) | N/A | T1098.003, T1098 | TTP |
| [O365 Compliance Content Search Exported](/cloud/2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8/) | N/A | T1114, T1114.002 | TTP |
| [O365 Compliance Content Search Started](/cloud/f4cabbc7-c19a-4e41-8be5-98daeaccbb50/) | N/A | T1114, T1114.002 | TTP |
| [O365 Concurrent Sessions From Different Ips](/cloud/58e034de-1f87-4812-9dc3-a4f68c7db930/) | [O365 UserLoggedIn](/sources/ed29c8c4-4053-419c-b133-16abf2a1c4c9) | T1185 | TTP |
| [O365 Cross-Tenant Access Change](/cloud/7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f/) | N/A | T1484.002 | TTP |
| [O365 DLP Rule Triggered](/cloud/63a8a537-36fd-4aac-a3ea-1a96afd2c871/) | N/A | T1048, T1567 | Anomaly |
| [O365 Elevated Mailbox Permission Assigned](/cloud/2246c142-a678-45f8-8546-aaed7e0efd30/) | N/A | T1098, T1098.002 | TTP |
| [O365 External Guest User Invited](/cloud/8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa/) | N/A | T1136.003 | TTP |
| [O365 External Identity Policy Changed](/cloud/29af1725-7a72-4d2d-8a18-e697e79a62d3/) | N/A | T1136.003 | TTP |
| [O365 High Number Of Failed Authentications for User](/cloud/31641378-2fa9-42b1-948e-25e281cb98f7/) | [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) | T1110, T1110.001 | TTP |
| [O365 Mailbox Folder Read Permission Granted](/cloud/cd15c0a8-470e-4b12-9517-046e4927db30/) | N/A | T1098, T1098.002 | TTP |
| [O365 Multi-Source Failed Authentications Spike](/cloud/ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa/) | [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) | T1586, T1586.003, T1110, T1110.003, T1110.004 | Hunting |
| [O365 Multiple AppIDs and UserAgents Authentication Spike](/cloud/66adc486-224d-45c1-8e4d-9e7eeaba988f/) | [O365 UserLoggedIn](/sources/ed29c8c4-4053-419c-b133-16abf2a1c4c9), [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) | T1078 | Anomaly |
| [O365 Multiple Failed MFA Requests For User](/cloud/fd22124e-dbac-4744-a8ce-be10d8ec3e26/) | [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) | T1621 | TTP |
| [O365 Multiple Mailboxes Accessed via API](/cloud/7cd853e9-d370-412f-965d-a2bcff2a2908/) | [O365 MailItemsAccessed](/sources/3d5188eb-341a-4b46-9caa-aade4047d027) | T1114.002 | TTP |
| [O365 Multiple Users Failing To Authenticate From Ip](/cloud/8d486e2e-3235-4cfe-ac35-0d042e24ecb4/) | [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) | T1586, T1586.003, T1110, T1110.003, T1110.004 | TTP |
| [O365 OAuth App Mailbox Access via EWS](/cloud/e600cf1a-0bef-4426-b42e-00176d610a4d/) | [O365 MailItemsAccessed](/sources/3d5188eb-341a-4b46-9caa-aade4047d027) | T1114.002 | TTP |
| [O365 OAuth App Mailbox Access via Graph API](/cloud/9db0d5b0-4058-4cb7-baaf-77d8143539a2/) | [O365 MailItemsAccessed](/sources/3d5188eb-341a-4b46-9caa-aade4047d027) | T1114.002 | TTP |
| [O365 Privileged Role Assigned](/cloud/db435700-4ddc-4c23-892e-49e7525d7d39/) | N/A | T1098, T1098.003 | TTP |
| [O365 Privileged Role Assigned To Service Principal](/cloud/80f3fc1b-705f-4080-bf08-f61bf013b900/) | N/A | T1098, T1098.003 | TTP |
| [O365 Security And Compliance Alert Triggered](/cloud/5b367cdd-8dfc-49ac-a9b7-6406cf27f33e/) | N/A | T1078, T1078.004 | TTP |
| [O365 Service Principal New Client Credentials](/cloud/a1b229e9-d962-4222-8c62-905a8a010453/) | [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) | T1098, T1098.001 | TTP |
| [O365 SharePoint Allowed Domains Policy Changed](/cloud/b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c/) | N/A | T1136.003 | TTP |
| [O365 User Consent Denied for OAuth Application](/cloud/2d8679ef-b075-46be-8059-c25116cb1072/) | [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) | T1528 | TTP |
| [AWS Cloud Provisioning From Previously Unseen City](/deprecated/344a1778-0b25-490c-adb1-de8beddf59cd/) | N/A | T1535 | Anomaly |
| [AWS Cloud Provisioning From Previously Unseen Country](/deprecated/ceb8d3d8-06cb-49eb-beaf-829526e33ff0/) | N/A | T1535 | Anomaly |
| [AWS Cloud Provisioning From Previously Unseen IP Address](/deprecated/42e15012-ac14-4801-94f4-f1acbe64880b/) | N/A | | Anomaly |
| [Kubernetes AWS detect sensitive role access](/deprecated/b6013a7b-85e0-4a45-b051-10b252d69569/) | N/A | | Hunting |
| [Kubernetes Azure detect sensitive role access](/deprecated/f27349e5-1641-4f6a-9e68-30402be0ad4c/) | N/A | | Hunting |
| [Kubernetes GCP detect sensitive role access](/deprecated/a46923f6-36b9-4806-a681-31f314907c30/) | N/A | | Hunting |
| [Windows connhost exe started forcefully](/deprecated/c114aaca-68ee-41c2-ad8c-32bf21db8769/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) | T1059.003 | TTP |
| [Add or Set Windows Defender Exclusion](/endpoint/773b66fe-4dd9-11ec-8289-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.001, T1562 | TTP |
| [CMLUA Or CMSTPLUA UAC Bypass](/endpoint/f87b5062-b405-11eb-a889-acde48001122/) | [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) | T1218, T1218.003 | TTP |
| [Disabled Kerberos Pre-Authentication Discovery With Get-ADUser](/endpoint/114c6bfe-9406-11ec-bcce-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1558, T1558.004 | TTP |
| [Disabled Kerberos Pre-Authentication Discovery With PowerView](/endpoint/b0b34e2c-90de-11ec-baeb-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1558, T1558.004 | TTP |
| [Eventvwr UAC Bypass](/endpoint/9cf8fe08-7ad8-11eb-9819-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1548.002, T1548 | TTP |
| [Executables Or Script Creation In Suspicious Path](/endpoint/a7e3f0f0-ae42-11eb-b245-acde48001122/) | [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) | T1036 | Anomaly |
| [FodHelper UAC Bypass](/endpoint/909f8fd8-7ac8-11eb-a1f3-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1112, T1548.002, T1548 | TTP |
| [Kerberos Pre-Authentication Flag Disabled in UserAccountControl](/endpoint/0cb847ee-9423-11ec-b2df-acde48001122/) | [Windows Event Log Security 4738](/sources/cb85709b-101e-41a9-bb60-d2108f79dfbd) | T1558, T1558.004 | TTP |
| [Kerberos Service Ticket Request Using RC4 Encryption](/endpoint/7d90f334-a482-11ec-908c-acde48001122/) | [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) | T1558, T1558.001 | TTP |
| [Kerberos TGT Request Using RC4 Encryption](/endpoint/18916468-9c04-11ec-bdc6-acde48001122/) | [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) | T1550 | TTP |
| [Kerberos User Enumeration](/endpoint/d82d4af4-a0bd-11ec-9445-3e22fbd008af/) | [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) | T1589, T1589.002 | Anomaly |
| [Linux Auditd Add User Account Type](/endpoint/f8c325ea-506e-4105-8ccf-da1492e90115/) | [Linux Auditd Add User](/sources/30f79353-e1d2-4585-8735-1e0359559f3f) | T1136, T1136.001 | Anomaly |
| [Linux Auditd Database File And Directory Discovery](/endpoint/f616c4f3-bde9-41cf-856c-019b65f668bb/) | [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) | T1083 | Anomaly |
| [Linux Auditd Find Private Keys](/endpoint/80bb9988-190b-4ee0-a3c3-509545a8f678/) | [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) | T1552.004, T1552 | TTP |
| [Linux Auditd Hidden Files And Directories Creation](/endpoint/555cc358-bf16-4e05-9b3a-0f89c73b7261/) | [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) | T1083 | TTP |
| [Linux Auditd Virtual Disk File And Directory Discovery](/endpoint/eec78cef-d4c8-4b35-8f5b-6922102a4a41/) | [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) | T1083 | Anomaly |
| [LOLBAS With Network Traffic](/endpoint/2820f032-19eb-497e-8642-25b04a880359/) | [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) | T1105, T1567, T1218 | TTP |
| [Malicious Powershell Executed As A Service](/endpoint/8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8/) | [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) | T1569, T1569.002 | TTP |
| [Malicious PowerShell Process With Obfuscation Techniques](/endpoint/cde75cf6-3c7a-4dd6-af01-27cdb4511fd4/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) | T1059, T1059.001 | TTP |
| [Randomly Generated Scheduled Task Name](/endpoint/9d22a780-5165-11ec-ad4f-3e22fbd008af/) | [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) | T1053, T1053.005 | Hunting |
| [Randomly Generated Windows Service Name](/endpoint/2032a95a-5165-11ec-a2c3-3e22fbd008af/) | [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) | T1543, T1543.003 | Hunting |
| [Rubeus Kerberos Ticket Exports Through Winlogon Access](/endpoint/5ed8c50a-8869-11ec-876f-acde48001122/) | [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) | T1550, T1550.003 | TTP |
| [Short Lived Scheduled Task](/endpoint/6fa31414-546e-11ec-adfa-acde48001122/) | [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c), [Windows Event Log Security 4699](/sources/4727dead-d063-4333-9ddd-59823a416aff) | T1053.005 | TTP |
| [Suspicious Kerberos Service Ticket Request](/endpoint/8b1297bc-6204-11ec-b7c4-acde48001122/) | [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) | T1078, T1078.002 | TTP |
| [Suspicious Process File Path](/endpoint/9be25988-ad82-11eb-a14f-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1543 | TTP |
| [Suspicious Ticket Granting Ticket Request](/endpoint/d77d349e-6269-11ec-9cfe-acde48001122/) | [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298), [Windows Event Log Security 4781](/sources/9732ffe7-ebce-4557-865c-1725a0f633cb) | T1078, T1078.002 | Hunting |
| [Unusual Number of Computer Service Tickets Requested](/endpoint/ac3b81c0-52f4-11ec-ac44-acde48001122/) | [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) | T1078 | Hunting |
| [Unusual Number of Kerberos Service Tickets Requested](/endpoint/eb3e6702-8936-11ec-98fe-acde48001122/) | [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) | T1558, T1558.003 | Anomaly |
| [Unusual Number of Remote Endpoint Authentication Events](/endpoint/acb5dc74-5324-11ec-a36d-acde48001122/) | [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846) | T1078 | Hunting |
| [Windows Access Token Manipulation SeDebugPrivilege](/endpoint/6ece9ed0-5f92-4315-889d-48560472b188/) | [Windows Event Log Security 4703](/sources/e256673b-16e8-4b74-b7aa-9eed6ce67072) | T1134.002, T1134 | Anomaly |
| [Windows AD ServicePrincipalName Added To Domain Account](/endpoint/8a1259cb-0ea7-409c-8bfe-74bad89259f9/) | [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | T1098 | TTP |
| [Windows AD Short Lived Domain Account ServicePrincipalName](/endpoint/b681977c-d90c-4efc-81a5-c58f945fb541/) | [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | T1098 | TTP |
| [Windows AD Short Lived Server Object](/endpoint/193769d3-1e33-43a9-970e-ad4a88256cdb/) | [Windows Event Log Security 5137](/sources/64ed7bb1-9c3c-4355-ac08-b506ec3b053e), [Windows Event Log Security 5141](/sources/eafb35fa-f034-4be3-8508-d9173a73c0a1) | T1207 | TTP |
| [Windows AD SID History Attribute Modified](/endpoint/1155e47d-307f-4247-beab-71071e3a458c/) | [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | T1134, T1134.005 | TTP |
| [Windows Administrative Shares Accessed On Multiple Hosts](/endpoint/d92f2d95-05fb-48a7-910f-4d3d61ab8655/) | [Windows Event Log Security 5140](/sources/93e0ca09-e4b8-4da6-872a-d0127c4d2b22), [Windows Event Log Security 5145](/sources/0746479b-7b82-4d7e-8811-0b35da00f798) | T1135 | TTP |
| [Windows Admon Default Group Policy Object Modified](/endpoint/83458004-db60-4170-857d-8572f16f070b/) | [Windows Active Directory Admon](/sources/22bbf4e4-d313-43c1-98ee-808b8775519d) | T1484, T1484.001 | TTP |
| [Windows Admon Group Policy Object Created](/endpoint/69201633-30d9-48ef-b1b6-e680805f0582/) | [Windows Active Directory Admon](/sources/22bbf4e4-d313-43c1-98ee-808b8775519d) | T1484, T1484.001 | TTP |
| [Windows Default Group Policy Object Modified](/endpoint/fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876/) | [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) | T1484, T1484.001 | TTP |
| [Windows Defender Exclusion Registry Entry](/endpoint/13395a44-4dd9-11ec-9df7-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1562.001, T1562 | TTP |
| [Windows DISM Install PowerShell Web Access](/endpoint/fa6142a7-c364-4d11-9954-895dd9efb2d4/) | N/A | T1548.002 | TTP |
| [Windows DnsAdmins New Member Added](/endpoint/27e600aa-77f8-4614-bc80-2662a67e2f48/) | [Windows Event Log Security 4732](/sources/b0d61c5d-aefe-486a-9152-de45cc10fbb4) | T1098 | TTP |
| [Windows Domain Admin Impersonation Indicator](/endpoint/10381f93-6d38-470a-9c30-d25478e3bd3f/) | [Windows Event Log Security 4627](/sources/e35c7b9a-b451-4084-95a5-43b7f8965cac) | T1558 | TTP |
| [Windows ESX Admins Group Creation Security Event](/endpoint/53b4c927-5ec4-47cd-8aed-d4b303304f87/) | N/A | T1136.001, T1136.002 | TTP |
| [Windows Get-AdComputer Unconstrained Delegation Discovery](/endpoint/c8640777-469f-4638-ab44-c34a3233ffac/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1018 | TTP |
| [Windows Group Policy Object Created](/endpoint/23add2a8-ea22-4fd4-8bc0-8c0b822373a1/) | [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835), [Windows Event Log Security 5137](/sources/64ed7bb1-9c3c-4355-ac08-b506ec3b053e) | T1484, T1484.001, T1078.002 | TTP |
| [Windows Large Number of Computer Service Tickets Requested](/endpoint/386ad394-c9a7-4b4f-b66f-586252de20f0/) | [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) | T1135, T1078 | Anomaly |
| [Windows Local Administrator Credential Stuffing](/endpoint/09555511-aca6-484a-b6ab-72cd03d73c34/) | [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846), [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) | T1110, T1110.004 | TTP |
| [Windows Multiple Account Passwords Changed](/endpoint/faefb681-14be-4f0d-9cac-0bc0160c7280/) | [Windows Event Log Security 4724](/sources/117fe51f-93f8-4589-8e8b-c6b7b7154c7d) | T1098, T1078 | TTP |
| [Windows Multiple Accounts Deleted](/endpoint/49c0d4d6-c55d-4d3a-b3d5-7709fafed70d/) | [Windows Event Log Security 4726](/sources/0b56dcd7-0f72-4a05-9226-d6059781737b) | T1098, T1078 | TTP |
| [Windows Multiple Accounts Disabled](/endpoint/5d93894e-befa-4429-abde-7fc541020b7b/) | [Windows Event Log Security 4725](/sources/31fd887d-0d14-44cc-bb64-80063a9f2968) | T1098, T1078 | TTP |
| [Windows Multiple Invalid Users Failed To Authenticate Using NTLM](/endpoint/57ad5a64-9df7-11eb-a290-acde48001122/) | [Windows Event Log Security 4776](/sources/1da9092a-c795-4a26-ace8-d43855524e96) | T1110.003, T1110 | TTP |
| [Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials](/endpoint/e61918fa-9ca4-11eb-836c-acde48001122/) | [Windows Event Log Security 4648](/sources/6a367f8b-1ee0-463d-94a7-029757c6cd02) | T1110.003, T1110 | TTP |
| [Windows Multiple Users Failed To Authenticate From Host Using NTLM](/endpoint/7ed272a4-9c77-11eb-af22-acde48001122/) | [Windows Event Log Security 4776](/sources/1da9092a-c795-4a26-ace8-d43855524e96) | T1110.003, T1110 | TTP |
| [Windows Multiple Users Failed To Authenticate From Process](/endpoint/9015385a-9c84-11eb-bef2-acde48001122/) | [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) | T1110.003, T1110 | TTP |
| [Windows Multiple Users Remotely Failed To Authenticate From Host](/endpoint/80f9d53e-9ca1-11eb-b0d6-acde48001122/) | [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) | T1110.003, T1110 | TTP |
| [Windows PowerSploit GPP Discovery](/endpoint/0130a0df-83a1-4647-9011-841e950ff302/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1552, T1552.006 | TTP |
| [Windows PowerView AD Access Control List Enumeration](/endpoint/39405650-c364-4e1e-a740-32a63ef042a6/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1078.002, T1069 | TTP |
| [Windows Rapid Authentication On Multiple Hosts](/endpoint/62606c77-d53d-4182-9371-b02cdbbbcef7/) | [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846) | T1003.002 | TTP |
[Windows Service Created with Suspicious Service Path](/endpoint/429141be-8311-11eb-adb6-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1569, T1569.002 TTP
[Windows Special Privileged Logon On Multiple Hosts](/endpoint/4c461f5a-c2cc-4e86-b132-c262fc9edca7/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4672](/sources/43f189b6-369d-4a32-a34c-57e0d38d92f1) T1087, T1021.002, T1135 TTP
[Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM](/endpoint/15603165-147d-4a6e-9778-bd0ff39e668f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4776](/sources/1da9092a-c795-4a26-ace8-d43855524e96) T1110.003, T1110 Anomaly
[Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials](/endpoint/14f414cf-3080-4b9b-aaf6-55a4ce947b93/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4648](/sources/6a367f8b-1ee0-463d-94a7-029757c6cd02) T1110.003, T1110 Anomaly
[Windows Unusual Count Of Users Failed To Authenticate From Process](/endpoint/25bdb6cb-2e49-4d34-a93c-d6c567c122fe/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) T1110.003, T1110 Anomaly
[Windows Unusual Count Of Users Failed To Authenticate Using NTLM](/endpoint/6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4776](/sources/1da9092a-c795-4a26-ace8-d43855524e96) T1110.003, T1110 Anomaly
[Windows Unusual Count Of Users Remotely Failed To Auth From Host](/endpoint/cf06a0ee-ffa9-4ed3-be77-0670ed9bab52/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) T1110.003, T1110 Anomaly
[WinEvent Windows Task Scheduler Event Action Started](/endpoint/b3632472-310b-11ec-9aab-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log TaskScheduler 200](/sources/f8c777f8-e88a-4bba-ae8a-79b250212f23) T1053.005 Hunting
[Detect Windows DNS SIGRed via Zeek](/network/c5c622e4-d073-11ea-87d0-0242ac130003/) N/A T1203 TTP
[Windows Modify Registry Utilize ProgIDs](/endpoint/64fa82dd-fd11-472a-9e94-c221fffa591d/) N/A T1112 Anomaly
[Windows Impair Defenses Disable AV AutoStart via Registry](/endpoint/31a13f43-812e-4752-a6ca-c6c87bf03e83/) N/A T1112 TTP
[Windows Modify Registry ValleyRAT C2 Config](/endpoint/ac59298a-8d81-4c02-8c9b-ffdac993891f/) N/A T1112 TTP
[Windows Modify Registry ValleyRat PWN Reg Entry](/endpoint/6947c44e-be1f-4dd9-b198-bc42be5be196/) N/A T1112 TTP
[Windows Scheduled Task DLL Module Loaded](/endpoint/bc5b2304-f241-419b-874a-e927f667b7b6/) N/A T1053 TTP
[Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr](/endpoint/feb43b86-8c38-46cd-865e-20ce8a96c26c/) N/A T1053 TTP
[Linux Auditd Add User Account](/endpoint/aae66dc0-74b4-4807-b480-b35f8027abb4/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1136.001, T1136 Anomaly
[Linux Auditd At Application Execution](/endpoint/9f306e0a-1c36-469e-8892-968ca12470dd/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1053.002, T1053 Anomaly
[Linux Auditd Auditd Service Stop](/endpoint/6cb9d0e1-eabe-41de-a11a-5efade354e9d/) [Linux Auditd Service Stop](/sources/0643483c-bc62-455c-8d6e-1630e5f0e00d) T1489 Anomaly
[Linux Auditd Base64 Decode Files](/endpoint/5890ba10-4e48-4dc0-8a40-3e1ebe75e737/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1140 Anomaly
[Linux Auditd Change File Owner To Root](/endpoint/7b87c556-0ca4-47e0-b84c-6cd62a0a3e90/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1222.002, T1222 TTP
[Linux Auditd Clipboard Data Copy](/endpoint/9ddfe470-c4d0-4e60-8668-7337bd699edd/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1115 Anomaly
[Linux Auditd Data Destruction Command](/endpoint/4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1485 TTP
[Linux Auditd Data Transfer Size Limits Via Split](/endpoint/4669561d-3bbd-44e3-857c-0e3c6ef2120c/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1030 Anomaly
[Linux Auditd Data Transfer Size Limits Via Split Syscall](/endpoint/c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1030 Anomaly
[Linux Auditd Dd File Overwrite](/endpoint/d1b74420-4cea-4752-a123-9b40dfcca49a/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1485 TTP
[Linux Auditd Disable Or Modify System Firewall](/endpoint/07052556-d4b5-4bae-89aa-cbdc1bb11250/) [Linux Auditd Service Stop](/sources/0643483c-bc62-455c-8d6e-1630e5f0e00d) T1562.004, T1562 Anomaly
[Linux Auditd Doas Conf File Creation](/endpoint/61059783-574b-40d2-ac2f-69b898afd6b4/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1548.003, T1548 TTP
[Linux Auditd Doas Tool Execution](/endpoint/91b8ca78-f205-4826-a3ef-cd8d6b24e97b/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1548.003, T1548 Anomaly
[Linux Auditd Edit Cron Table Parameter](/endpoint/f4bb7321-7e64-4d1e-b1aa-21f8b019a91f/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1053.003, T1053 TTP
[Linux Auditd File And Directory Discovery](/endpoint/0bbfb79c-a755-49a5-a38a-1128d0a452f1/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1083 Anomaly
[Linux Auditd File Permission Modification Via Chmod](/endpoint/5f1d2ea7-eec0-4790-8b24-6875312ad492/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1222.002, T1222 Anomaly
[Linux Auditd File Permissions Modification Via Chattr](/endpoint/f2d1110d-b01c-4a58-9975-90a9edeb083a/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1222.002, T1222 TTP
[Linux Auditd Find Credentials From Password Managers](/endpoint/784241aa-85a5-4782-a503-d071bd3446f9/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1555.005, T1555 TTP
[Linux Auditd Find Credentials From Password Stores](/endpoint/4de73044-9a1d-4a51-a1c2-85267d8dcab3/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1555.005, T1555 TTP
[Linux Auditd Find Ssh Private Keys](/endpoint/e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1552.004, T1552 Anomaly
[Linux Auditd Hardware Addition Swapoff](/endpoint/5728bb16-1a0b-4b66-bce2-0074ac839770/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1200 Anomaly
[Linux Auditd Insert Kernel Module Using Insmod Utility](/endpoint/bc0ca53f-dea6-4906-9b12-09c396fdf1d3/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1547.006, T1547 Anomaly
[Linux Auditd Install Kernel Module Using Modprobe Utility](/endpoint/95165985-ace5-4d42-9c42-93a89a5af901/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1547.006, T1547 Anomaly
[Linux Auditd Kernel Module Enumeration](/endpoint/d1b088de-c47a-4572-9339-bdcc26493b32/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1082, T1014 Anomaly
[Linux Auditd Kernel Module Using Rmmod Utility](/endpoint/31810b7a-0abe-42be-a210-0dec8106afee/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1547.006, T1547 TTP
[Linux Auditd Nopasswd Entry In Sudoers File](/endpoint/651df959-ad17-4b73-a323-90cb96d5fa1b/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1548.003, T1548 Anomaly
[Linux Auditd Osquery Service Stop](/endpoint/0c320fea-6e87-4b99-a884-74d09d4b655d/) [Linux Auditd Service Stop](/sources/0643483c-bc62-455c-8d6e-1630e5f0e00d) T1489 TTP
[Linux Auditd Possible Access Or Modification Of Sshd Config File](/endpoint/acb3ea33-70f7-47aa-b335-643b3aebcb2f/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1098.004, T1098 Anomaly
[Linux Auditd Possible Access To Credential Files](/endpoint/0419cb7a-57ea-467b-974f-77c303dfe2a3/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1003.008, T1003 Anomaly
[Linux Auditd Possible Access To Sudoers File](/endpoint/8be88f46-f7e8-4ae6-b15e-cf1b13392834/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1548.003, T1548 Anomaly
[Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File](/endpoint/fea71cf0-fa10-4ef6-9202-9682b2e0c477/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1053.003, T1053 Hunting
[Linux Auditd Preload Hijack Library Calls](/endpoint/35c50572-a70b-452f-afa9-bebdf3c3ce36/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1574.006, T1574 TTP
[Linux Auditd Preload Hijack Via Preload File](/endpoint/c1b7abca-55cb-4a39-bdfb-e28c1c12745f/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1574.006, T1574 TTP
[Linux Auditd Service Restarted](/endpoint/8eb3e858-18d3-44a4-a514-52cfa39f154a/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1053.006, T1053 Anomaly
[Linux Auditd Service Started](/endpoint/b5eed06d-5c97-4092-a3a1-fa4b7e77c71a/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1569.002, T1569 TTP
[Linux Auditd Setuid Using Chmod Utility](/endpoint/8230c407-1b47-4d95-ac2e-718bd6381386/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1548.001, T1548 Anomaly
[Linux Auditd Setuid Using Setcap Utility](/endpoint/1474459a-302b-4255-8add-d82f96d14cd9/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1548.001, T1548 TTP
[Linux Auditd Shred Overwrite Command](/endpoint/ce2bde4d-a1d4-4452-8c87-98440e5adfb3/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1485 TTP
[Linux Auditd Stop Services](/endpoint/43bc9281-753b-4743-b4b7-60af84f085f3/) [Linux Auditd Service Stop](/sources/0643483c-bc62-455c-8d6e-1630e5f0e00d) T1489 TTP
[Linux Auditd Sudo Or Su Execution](/endpoint/817a5c89-5b92-4818-a22d-aa35e1361afe/) [Linux Auditd Proctitle](/sources/5a25984a-2789-400a-858b-d75c923e06b1) T1548.003, T1548 Anomaly
[Linux Auditd Sysmon Service Stop](/endpoint/20901256-633a-40de-8753-7b88811a460f/) [Linux Auditd Service Stop](/sources/0643483c-bc62-455c-8d6e-1630e5f0e00d) T1489 TTP
[Linux Auditd System Network Configuration Discovery](/endpoint/5db16825-81bd-4923-a8d6-d6a13a59832a/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1016 Anomaly
[Linux Auditd Unix Shell Configuration Modification](/endpoint/66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04/) [Linux Auditd Path](/sources/3d86125c-0496-4a5a-aae3-0d355a4f3d7d) T1546.004, T1546 TTP
[Linux Auditd Unload Module Via Modprobe](/endpoint/90964d6a-4b5f-409a-85bd-95e261e03fe9/) [Linux Auditd Execve](/sources/9ef6364d-cc67-480e-8448-3306829a6a24) T1547.006, T1547 TTP
[Linux Auditd Whoami User Discovery](/endpoint/d1ff2e22-310d-446a-80b3-faedaa7b3b52/) [Linux Auditd Syscall](/sources/4dff7047-0d43-4096-bb3f-b756c889bbad) T1033 Anomaly
[Windows Enable PowerShell Web Access](/endpoint/175bb2de-6227-416b-9678-9b61999cd21f/) N/A T1059.001 TTP
[Ivanti VTM New Account Creation](/application/b04be6e5-2002-4349-8742-52285635b8f5/) [Ivanti VTM Audit](/sources/b04be6e5-2002-4a49-8722-52285635b8f5) T1190 TTP
[AWS SAML Update identity provider](/cloud/2f0604c6-6030-11eb-ae93-0242ac130002/) [AWS CloudTrail UpdateSAMLProvider](/sources/e5eb628d-711e-499c-87d9-8fa5dee419ec) T1078 TTP
[Detect new API calls from user roles](/deprecated/22773e84-bac0-4595-b086-20d3f335b4f1/) N/A T1078.004 Anomaly
[Dump LSASS via procdump Rename](/deprecated/21276daa-663d-11eb-ae93-0242ac130002/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1003.001 Hunting
[GCP Detect accounts with high risk roles by project](/deprecated/27af8c15-38b0-4408-b339-920170724adb/) N/A T1078 Hunting
[Cobalt Strike Named Pipes](/endpoint/5876d429-0240-4709-8b93-ea8330b411b5/) [Sysmon EventID 17](/sources/08924246-c8e8-4c95-a9fc-633c43cc82df), [Sysmon EventID 18](/sources/37eb3554-214e-4e66-af10-c3ffc5b8ca82) T1055 TTP
[Detect mshta renamed](/endpoint/8f45fcf0-5b68-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 Hunting
[Detect Renamed 7-Zip](/endpoint/4057291a-b8cf-11eb-95fe-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Hunting
[Detect Renamed PSExec](/endpoint/683e6196-b8e8-11eb-9a79-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1569, T1569.002 Hunting
[Detect Renamed RClone](/endpoint/6dca1124-b3ec-11eb-9328-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1020 Hunting
[Detect Renamed WinRAR](/endpoint/1b7bfb2c-b8e6-11eb-99ac-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Hunting
[First Time Seen Child Process of Zoom](/endpoint/e91bd102-d630-4e76-ab73-7e3ba22c5961/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1068 Anomaly
[ServicePrincipalNames Discovery with SetSPN](/endpoint/ae8b3efc-2d2e-11ec-8b57-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1558.003 TTP
[Windows Default Group Policy Object Modified with GPME](/endpoint/eaf688b3-bb8f-454d-b105-920a862cd8cb/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1484, T1484.001 TTP
[Windows Ingress Tool Transfer Using Explorer](/endpoint/76753bab-f116-4ea3-8fb9-89b638be58a9/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 Anomaly
[Abnormally High Number Of Cloud Infrastructure API Calls](/cloud/0840ddf1-8c89-46ff-b730-c8d6722478c0/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[Abnormally High Number Of Cloud Security Group API Calls](/cloud/d4dfb7f3-7a37-498a-b5df-f19334e871af/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[Cloud Instance Modified By Previously Unseen User](/cloud/7fb15084-b14e-405a-bd61-a6de15a40722/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[ASL AWS Excessive Security Scanning](/deprecated/ff2bfdbc-65b7-4434-8f08-d55761d1d446/) N/A T1526 Anomaly
[Detect DNS requests to Phishing Sites leveraging EvilGinx2](/deprecated/24dd17b1-e2fb-4c31-878c-d4f226595bfa/) N/A T1566.003 TTP
[Detect Spike in Security Group Activity](/deprecated/ada0f478-84a8-4641-a3f1-e32372d4bd53/) N/A T1078.004 Anomaly
[DNS Query Requests Resolved by Unauthorized DNS Servers](/deprecated/1a67f15a-f4ff-4170-84e9-08cf6f75d6f6/) N/A T1071.004 TTP
[EC2 Instance Modified With Previously Unseen User](/deprecated/56f91724-cf3f-4666-84e1-e3712fb41e76/) N/A T1078.004 Anomaly
[EC2 Instance Started In Previously Unseen Region](/deprecated/ada0f478-84a8-4641-a3f3-d82362d6fd75/) N/A T1535 Anomaly
[EC2 Instance Started With Previously Unseen Instance Type](/deprecated/65541c80-03c7-4e05-83c8-1dcd57a2e1ad/) N/A Anomaly
[EC2 Instance Started With Previously Unseen User](/deprecated/22773e84-bac0-4595-b086-20d3f735b4f1/) N/A T1078.004 Anomaly
[Execution of File With Spaces Before Extension](/deprecated/ab0353e6-a956-420b-b724-a8b4846d5d5a/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1036.003 TTP
[GCP Detect high risk permissions by resource and account](/deprecated/2e70ef35-2187-431f-aedc-4503dc9b06ba/) N/A T1078 Hunting
[Identify New User Accounts](/deprecated/475b9e27-17e4-46e2-b7e2-648221be3b89/) N/A T1078.002 Hunting
[Kubernetes AWS detect most active service accounts by pod](/deprecated/5b30b25d-7d32-42d8-95ca-64dfcd9076e6/) N/A Hunting
[Kubernetes AWS detect service accounts forbidden failure access](/deprecated/a6959c57-fa8f-4277-bb86-7c32fba579d5/) N/A Hunting
[Kubernetes GCP detect most active service accounts by pod](/deprecated/7f5c2779-88a0-4824-9caa-0f606c8f260f/) N/A Hunting
[Kubernetes GCP detect service accounts forbidden failure access](/deprecated/7094808d-432a-48e7-bb3c-77e96c894f3b/) N/A Hunting
[Kubernetes GCP detect suspicious kubectl calls](/deprecated/a5bed417-070a-41f2-a1e4-82b6aa281557/) N/A Hunting
[Monitor DNS For Brand Abuse](/deprecated/24dd17b1-e2fb-4c31-878c-d4f746595bfa/) N/A TTP
[Okta ThreatInsight Login Failure with High Unknown users](/deprecated/632663b0-4562-4aad-abe9-9f621a049738/) N/A T1078, T1078.001, T1110.004 TTP
[Okta ThreatInsight Suspected PasswordSpray Attack](/deprecated/25dbad05-6682-4dd5-9ce9-8adecf0d9ae2/) N/A T1078, T1078.001, T1110.003 TTP
[Okta Two or More Rejected Okta Pushes](/deprecated/d93f785e-4c2c-4262-b8c7-12b77a13fd39/) N/A T1110 TTP
[Suspicious Changes to File Associations](/deprecated/1b989a0e-0129-4446-a695-f193a5b746fc/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1546.001 TTP
[Suspicious Email - UBA Anomaly](/deprecated/56e877a6-1455-4479-ad16-0550dc1e33f8/) N/A T1566 Anomaly
[Suspicious File Write](/deprecated/57f76b8a-32f0-42ed-b358-d9fa3ca7bac8/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) Hunting
[Web Fraud - Account Harvesting](/deprecated/bf1d7b5c-df2f-4249-a401-c09fdc221ddf/) N/A T1136 TTP
[Web Fraud - Anomalous User Clickspeed](/deprecated/31337bbb-bc22-4752-b599-ef192df2dc7a/) N/A T1078 Anomaly
[Windows hosts file modification](/deprecated/06a6fc63-a72d-41dc-8736-7e3dd9612116/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) TTP
[Detect Baron Samedit CVE-2021-3156](/endpoint/93fbec4e-0375-440c-8db3-4508eca470c4/) N/A T1068 TTP
[Detect Baron Samedit CVE-2021-3156 Segfault](/endpoint/10f2bae0-bbe6-4984-808c-37dc1c67980d/) N/A T1068 TTP
[Detect Baron Samedit CVE-2021-3156 via OSQuery](/endpoint/1de31d5d-8fa6-4ee0-af89-17069134118a/) N/A T1068 TTP
[Known Services Killed by Ransomware](/endpoint/3070f8e0-c528-11eb-b2a0-acde48001122/) [Windows Event Log System 7036](/sources/a6e9b34f-1507-4fa1-a4ba-684d1b676a34) T1490 TTP
[Linux SSH Authorized Keys Modification](/endpoint/f5ab595e-28e5-4327-8077-5008ba97c850/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1098.004 Anomaly
[Linux SSH Remote Services Script Execute](/endpoint/aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1021.004 TTP
[Windows Curl Upload to Remote Destination](/endpoint/42f8f1a2-4228-11ec-aade-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Windows Service Created Within Public Path](/endpoint/3abb2eda-4bb8-11ec-9ae4-3e22fbd008af/) [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1543, T1543.003 TTP
[Detect Port Security Violation](/network/2de3d5b8-a4fa-45c5-8540-6d071c194d24/) N/A T1200, T1498, T1557, T1557.002 TTP
[Detect F5 TMUI RCE CVE-2020-5902](/web/810e4dbc-d46e-11ea-87d0-0242ac130003/) N/A T1190 TTP
[JetBrains TeamCity RCE Attempt](/web/89a58e5f-1365-4793-b45c-770abbb32b6c/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[WS FTP Remote Code Execution](/web/b84e8f39-4e7b-4d4f-9e7c-fcd29a227845/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Abnormally High AWS Instances Launched by User](/deprecated/2a9b80d3-6340-4345-b5ad-290bf5d0dac4/) N/A T1078.004 Anomaly
[Abnormally High AWS Instances Launched by User - MLTK](/deprecated/dec41ad5-d579-42cb-b4c6-f5dbb778bbe5/) N/A T1078.004 Anomaly
[Abnormally High AWS Instances Terminated by User](/deprecated/8d301246-fccf-45e2-a8e7-3655fd14379c/) N/A T1078.004 Anomaly
[Abnormally High AWS Instances Terminated by User - MLTK](/deprecated/1c02b86a-cd85-473e-a50b-014a9ac8fe3e/) N/A T1078.004 Anomaly
[AWS Cloud Provisioning From Previously Unseen Region](/deprecated/7971d3df-da82-4648-a6e5-b5637bea5253/) N/A T1535 Anomaly
[AWS EKS Kubernetes cluster sensitive object access](/deprecated/7f227943-2196-4d4d-8d6a-ac8cb308e61c/) N/A Hunting
[Clients Connecting to Multiple DNS Servers](/deprecated/74ec6f18-604b-4202-a567-86b2066be3ce/) N/A T1048.003 TTP
[Cloud Network Access Control List Deleted](/deprecated/021abc51-1862-41dd-ad43-43c739c0a983/) N/A Anomaly
[Detect Activity Related to Pass the Hash Attacks](/deprecated/f5939373-8054-40ad-8c64-cec478a22a4b/) [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846) T1550, T1550.002 Hunting
[Detect API activity from users without MFA](/deprecated/4d46e8bd-4072-48e4-92db-0325889ef894/) N/A Hunting
[Detect AWS API Activities From Unapproved Accounts](/deprecated/ada0f478-84a8-4641-a3f1-d82362d4bd55/) N/A T1078.004 Hunting
[Detect Long DNS TXT Record Response](/deprecated/05437c07-62f5-452e-afdc-04dd44815bb9/) N/A T1048.003 TTP
[Detect Mimikatz Via PowerShell And EventCode 4703](/deprecated/98917be2-bfc8-475a-8618-a9bb06575188/) N/A T1003.001 TTP
[Detect new user AWS Console Login](/deprecated/ada0f478-84a8-4641-a3f3-d82362dffd75/) N/A T1078.004 Hunting
[Detect Spike in AWS API Activity](/deprecated/ada0f478-84a8-4641-a3f1-d32362d4bd55/) N/A T1078.004 Anomaly
[Detect Spike in Network ACL Activity](/deprecated/ada0f478-84a8-4641-a1f1-e32372d4bd53/) N/A T1562.007 Anomaly
[Detect USB device insertion](/deprecated/104658f4-afdc-499f-9719-17a43f9826f5/) N/A TTP
[Detect web traffic to dynamic domain providers](/deprecated/134da869-e264-4a8f-8d7e-fcd01c18f301/) N/A T1071.001 TTP
[Detection of DNS Tunnels](/deprecated/104658f4-afdc-499f-9719-17a43f9826f4/) N/A T1048.003 TTP
[DNS record changed](/deprecated/44d3a43e-dcd5-49f7-8356-5209bb369065/) N/A T1071.004 TTP
[EC2 Instance Started With Previously Unseen AMI](/deprecated/347ec301-601b-48b9-81aa-9ddf9c829dd3/) N/A Anomaly
[Extended Period Without Successful Netbackup Backups](/deprecated/a34aae96-ccf8-4aef-952c-3ea214444440/) N/A Hunting
[First time seen command line argument](/deprecated/a1b6e73f-98d5-470f-99ac-77aacd578473/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1059.001, T1059.003 Hunting
[gcp detect oauth token abuse](/deprecated/a7e9f7bb-8901-4ad0-8d88-0a4ab07b1972/) N/A T1078 Hunting
[GCP Kubernetes cluster scan detection](/deprecated/db5957ec-0144-4c56-b512-9dccbe7a2d26/) N/A T1526 TTP
[Kubernetes AWS detect RBAC authorization by account](/deprecated/de7264ed-3ed9-4fef-bb01-6eefc87cefe8/) N/A Hunting
[Kubernetes Azure active service accounts by pod namespace](/deprecated/55a2264a-b7f0-45e5-addd-1e5ab3415c72/) N/A Hunting
[Kubernetes Azure detect RBAC authorization by account](/deprecated/47af7d20-0607-4079-97d7-7a29af58b54e/) N/A Hunting
[Kubernetes Azure detect sensitive object access](/deprecated/1bba382b-07fd-4ffa-b390-8002739b76e8/) N/A Hunting
[Kubernetes Azure detect service accounts forbidden failure access](/deprecated/019690d7-420f-4da0-b320-f27b09961514/) N/A Hunting
[Kubernetes Azure detect suspicious kubectl calls](/deprecated/4b6d1ba8-0000-4cec-87e6-6cbbd71651b5/) N/A Hunting
[Kubernetes Azure pod scan fingerprint](/deprecated/86aad3e0-732f-4f66-bbbc-70df448e461d/) N/A Hunting
[Kubernetes Azure scan fingerprint](/deprecated/c5e5bd5c-1013-4841-8b23-e7b3253c840a/) N/A T1526 Hunting
[Kubernetes GCP detect RBAC authorizations by account](/deprecated/99487de3-7192-4b41-939d-fbe9acfb1340/) N/A Hunting
[Kubernetes GCP detect sensitive object access](/deprecated/bdb6d596-86a0-4aba-8369-418ae8b9963a/) N/A Hunting
[O365 Suspicious User Email Forwarding](/deprecated/f8dfe015-dbb3-4569-ba75-b13787e06aa4/) N/A T1114.003, T1114 Anomaly
[Osquery pack - ColdRoot detection](/deprecated/a6fffe5e-05c3-4c04-badc-887607fbb8dc/) N/A TTP
[Processes created by netsh](/deprecated/b89919ed-fe5f-492c-b139-95dbb162041e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1562.004 TTP
[Prohibited Software On Endpoint](/deprecated/a51bfe1a-94f0-48cc-b4e4-b6ae50145893/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) Hunting
[Reg exe used to hide files directories via registry keys](/deprecated/61a7d1e6-f5d4-41d9-a9be-39a1ffe69459/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1564.001 TTP
[Remote Registry Key modifications](/deprecated/c9f4b923-f8af-4155-b697-1354f5dcbc5e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) TTP
[Scheduled tasks used in BadRabbit ransomware](/deprecated/1297fb80-f42a-4b4a-9c8b-78c066437cf6/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1053.005 TTP
[Spectre and Meltdown Vulnerable Systems](/deprecated/354be8e0-32cd-4da0-8c47-796de13b60ea/) N/A TTP
[Suspicious Powershell Command-Line Arguments](/deprecated/2cdb91d2-542c-497f-b252-be495e71f38c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1059.001 TTP
[Suspicious writes to System Volume Information](/deprecated/cd6297cd-2bdd-4aa1-84aa-5d2f84228fac/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1036 Hunting
[Uncommon Processes On Endpoint](/deprecated/29ccce64-a10c-4389-a45f-337cb29ba1f7/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1204.002 Hunting
[Unsigned Image Loaded by LSASS](/deprecated/56ef054c-76ef-45f9-af4a-a634695dcd65/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1003.001 TTP
[Unsuccessful Netbackup backups](/deprecated/a34aae96-ccf8-4aaa-952c-3ea21444444f/) N/A Hunting
[Web Fraud - Password Sharing Across Accounts](/deprecated/31337a1a-53b9-4e05-96e9-55c934cb71d3/) N/A Anomaly
[Account Discovery With Net App](/endpoint/339805ce-ac30-11eb-b87d-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087.002, T1087 TTP
[Anomalous usage of 7zip](/endpoint/9364ee8e-a39a-11eb-8f1d-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Anomaly
[Attempt To Add Certificate To Untrusted Store](/endpoint/6bc5243e-ef36-45dc-9b12-f4a6be131159/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1553.004, T1553 TTP
[BITSAdmin Download File](/endpoint/80630ff4-8e4c-11eb-aab5-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1197, T1105 TTP
[CertUtil Download With VerifyCtl and Split Arguments](/endpoint/801ad9e4-8bfb-11eb-8b31-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[CertUtil With Decode Argument](/endpoint/bfe94226-8c10-11eb-a4b3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1140 TTP
[Clear Unallocated Sector Using Cipher App](/endpoint/cd80a6ac-c9d9-11eb-8839-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070.004, T1070 TTP
[CMD Echo Pipe - Escalation](/endpoint/eb277ba0-b96b-11eb-b00e-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.003, T1543.003, T1543 TTP
[Conti Common Exec parameter](/endpoint/624919bc-c382-11eb-adcc-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1204 TTP
[Control Loading from World Writable Directory](/endpoint/10423ac4-10c9-11ec-8dc4-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.002 TTP
[Create or delete windows shares using net exe](/endpoint/743a322c-9a68-4a0f-9c17-85d9cce2a27c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070, T1070.005 TTP
[Deleting Of Net Users](/endpoint/1c8c6f66-acce-11eb-aafb-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1531 TTP
[Deleting Shadow Copies](/endpoint/b89919ed-ee5f-492c-b139-95dbb162039e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1490 TTP
[Detect HTML Help Renamed](/endpoint/62fed254-513b-460e-953d-79771493a9f3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.001 Hunting
[Detect HTML Help Spawn Child Process](/endpoint/723716de-ee55-4cd4-9759-c44e7e55ba4b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.001 TTP
[Detect HTML Help URL in Command Line](/endpoint/8c5835b9-39d9-438b-817c-95f14c69a31e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.001 TTP
[Detect mshta inline hta execution](/endpoint/a0873b32-5b68-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Detect MSHTA Url in Command Line](/endpoint/9b3af1e6-5b68-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Detect Path Interception By Creation Of program exe](/endpoint/cbef820c-e1ff-407f-887f-0a9240a2d477/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.009, T1574 TTP
[Detect PsExec With accepteula Flag](/endpoint/27c3a83d-cada-47c6-9042-67baf19d2574/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.002 TTP
[Detect RClone Command-Line Usage](/endpoint/32e0baea-b3f1-11eb-a2ce-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1020 TTP
[Disabling Net User Account](/endpoint/c0325326-acd6-11eb-98c2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1531 TTP
[DNS Exfiltration Using Nslookup App](/endpoint/2452e632-9e0d-11eb-bacd-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1048 TTP
[DSQuery Domain Discovery](/endpoint/cc316032-924a-11eb-91a2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1482 TTP
[Excessive number of service control start as disabled](/endpoint/77592bec-d5cc-11eb-9e60-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 Anomaly
[GPUpdate with no Command Line Arguments with Network](/endpoint/2c853856-a140-11eb-a5b5-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1055 TTP
[Hunting 3CXDesktopApp Software](/endpoint/553d0429-1a1c-44bf-b3f5-a8513deb9ee5/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1195.002 Hunting
[Java Class File download by Java User Agent](/endpoint/8281ce42-5c50-11ec-82d2-acde48001122/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk Stream HTTP](/sources/b0070a33-92ed-49e5-8f38-576cdf300710) T1190 TTP
[Malicious InProcServer32 Modification](/endpoint/127c8d08-25ff-11ec-9223-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1218.010, T1112 TTP
[Mimikatz PassTheTicket CommandLine Parameters](/endpoint/13bbd574-83ac-11ec-99d4-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1550, T1550.003 TTP
[Office Spawning Control](/endpoint/053e027c-10c7-11ec-8437-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Password Policy Discovery with Net](/endpoint/09336538-065a-11ec-8665-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1201 Hunting
[Process Writing DynamicWrapperX](/endpoint/b0a078e4-2601-11ec-9aec-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1059, T1559.001 Hunting
[Regsvr32 Silent and Install Param Dll Loading](/endpoint/f421c250-24e7-11ec-bc43-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.010 Anomaly
[Rubeus Command Line Parameters](/endpoint/cca37478-8377-11ec-b59a-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1550, T1550.003, T1558, T1558.003, T1558.004 TTP
[Rundll32 Control RunDLL World Writable Directory](/endpoint/1adffe86-10c3-11ec-8ce6-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[Suspicious Reg exe Process](/endpoint/a6b3ab4e-dd77-4213-95fa-fc94701995e0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1112 Anomaly
[Wget Download and Bash Execution](/endpoint/35682718-5a85-11ec-b8f7-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Windows Access Token Manipulation Winlogon Duplicate Token Handle](/endpoint/dda126d7-1d99-4f0b-b72a-4c14031f9398/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1134.001, T1134 Hunting
[Windows Access Token Winlogon Duplicate Handle In Uncommon Path](/endpoint/b8f7ed6b-0556-4c84-bffd-839c262b0278/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1134.001, T1134 Anomaly
[Windows Binary Proxy Execution Mavinject DLL Injection](/endpoint/ccf4b61b-1b26-4f2e-a089-f2009c569c57/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.013, T1218 TTP
[Windows COM Hijacking InprocServer32 Modification](/endpoint/b7bd83c0-92b5-4fc7-b286-23eccfa2c561/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1546.015, T1546 TTP
[Windows Curl Download to Suspicious Path](/endpoint/c32f091e-30db-11ec-8738-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Windows Defender ASR Block Events](/endpoint/026f5f4e-e99f-4155-9e63-911ba587300b/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 1121](/sources/84a254c5-7900-4b52-a324-a176adb7c11d), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 1129](/sources/0572e119-a48a-4c70-bc58-90e453edacd2) T1059, T1566.001, T1566.002 Anomaly
[Windows Defender ASR Rule Disabled](/endpoint/429d611b-3183-49a7-b235-fc4203c4e1cb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 5007](/sources/27f18792-8d95-4871-8853-874b7faf023f) T1112 TTP
[Windows Defender ASR Rules Stacking](/endpoint/425a6657-c5e4-4cbb-909e-fc9e5d326f01/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 1121](/sources/84a254c5-7900-4b52-a324-a176adb7c11d), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 1122](/sources/4a2d0499-f489-4557-82f4-f357025cf3e7), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 1129](/sources/0572e119-a48a-4c70-bc58-90e453edacd2), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 5007](/sources/27f18792-8d95-4871-8853-874b7faf023f) T1566.001, T1566.002, T1059 Hunting
[Windows DiskCryptor Usage](/endpoint/d56fe0c8-4650-11ec-a8fa-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1486 Hunting
[Windows DLL Search Order Hijacking with iscsicpl](/endpoint/f39ee679-3b1e-4f47-841c-5c3c580acda2/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.001 TTP
[Windows Execute Arbitrary Commands with MSDT](/endpoint/e1d5145f-38fe-42b9-a5d5-457796715f97/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218 TTP
[Windows Java Spawning Shells](/endpoint/28c81306-5c47-11ec-bfea-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1190, T1133 TTP
[Windows Lateral Tool Transfer RemCom](/endpoint/e373a840-5bdc-47ef-b2fd-9cc7aaf387f0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1570 TTP
[Windows Ldifde Directory Object Behavior](/endpoint/35cd29ca-f08c-4489-8815-f715c45460d3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105, T1069.002 TTP
[Windows Mimikatz Binary Execution](/endpoint/a9e0d6d3-9676-4e26-994d-4e0406bb4467/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003 TTP
[Windows MOF Event Triggered Execution via WMI](/endpoint/e59b5a73-32bf-4467-a585-452c36ae10c1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1546.003 TTP
[Windows Ngrok Reverse Proxy Usage](/endpoint/e2549f2c-0aef-408a-b0c1-e0f270623436/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1572, T1090, T1102 Anomaly
[Windows NirSoft AdvancedRun](/endpoint/bb4f3090-7ae4-11ec-897f-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1588.002 TTP
[Windows NirSoft Utilities](/endpoint/5b2f4596-7d4c-11ec-88a7-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1588.002 Hunting
[Windows Non-System Account Targeting Lsass](/endpoint/b1ce9a72-73cf-11ec-981b-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1003.001, T1003 TTP
[Windows Odbcconf Load Response File](/endpoint/1acafff9-1347-4b40-abae-f35aa4ba85c1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.008 TTP
| Name | Data Source | Technique | Type |
|---|---|---|---|
| [Windows PaperCut NG Spawn Shell](/endpoint/a602d9a2-aaea-45f8-bf0f-d851168d61ca/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1190, T1133 | TTP |
| [Windows Privileged Group Modification](/endpoint/b8cbef2c-2cc3-4550-b0fc-9715b7852df9/) | N/A | T1136.001, T1136.002 | TTP |
| [Windows Raccine Scheduled Task Deletion](/endpoint/c9f010da-57ab-11ec-82bd-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.001 | TTP |
| [Windows Rasautou DLL Execution](/endpoint/6f42b8be-8e96-11ec-ad5a-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1055.001, T1218, T1055 | TTP |
| [Windows Remote Create Service](/endpoint/0dc44d03-8c00-482d-ba7c-796ba7ab18c9/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1543, T1543.003 | Anomaly |
| [Windows Rundll32 WebDAV Request](/endpoint/320099b7-7eb1-4153-a2b4-decb53267de2/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1048.003 | TTP |
| [Windows Rundll32 WebDav With Network Connection](/endpoint/f03355e0-28b5-4e9b-815a-6adffc63b38c/) | N/A | T1048.003 | TTP |
| [Windows Schtasks Create Run As System](/endpoint/41a0e58e-884c-11ec-9976-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1053.005, T1053 | TTP |
| [Windows System Script Proxy Execution Syncappvpublishingserver](/endpoint/8dd73f89-682d-444c-8b41-8e679966ad3c/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1216, T1218 | TTP |
| [Windows Terminating Lsass Process](/endpoint/7ab3c319-a4e7-4211-9e8c-40a049d0dba6/) | [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) | T1562.001, T1562 | Anomaly |
| [Windows Vulnerable 3CX Software](/endpoint/f2cc1584-46ee-485b-b905-977c067f36de/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1195.002 | TTP |
| [Winhlp32 Spawning a Process](/endpoint/d17dae9e-2618-11ec-b9f5-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1055 | TTP |
| [Winword Spawning Cmd](/endpoint/6fcbaedc-a37b-11eb-956b-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1566, T1566.001 | TTP |
| [WMI Temporary Event Subscription](/endpoint/38cbd42c-1098-41bb-99cf-9d6d2b296d83/) | N/A | T1047 | TTP |
| [Wmic NonInteractive App Uninstallation](/endpoint/bff0e7a0-317f-11ec-ab4e-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.001, T1562 | Hunting |
| [Access LSASS Memory for Dump Creation](/endpoint/fb4c31b0-13e8-4155-8aa5-24de4b8d6717/) | [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) | T1003.001, T1003 | TTP |
| [Any Powershell DownloadFile](/endpoint/1a93b7ea-7af7-11eb-adb5-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.001, T1105 | TTP |
| [Any Powershell DownloadString](/endpoint/4d015ef2-7adf-11eb-95da-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.001, T1105 | TTP |
| [Attempt To Stop Security Service](/endpoint/c8e349c6-b97c-486e-8949-bd7bcd1f3910/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.001, T1562 | TTP |
| [Attempted Credential Dump From Registry via Reg exe](/endpoint/e9fb4a59-c5fb-440a-9f24-191fbc6b2911/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.002, T1003 | TTP |
| [BCDEdit Failure Recovery Modification](/endpoint/809b31d2-5462-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1490 | TTP |
| [BITS Job Persistence](/endpoint/e97a5ffe-90bf-11eb-928a-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1197 | TTP |
| [CertUtil Download With URLCache and Split Arguments](/endpoint/415b4306-8bfb-11eb-85c4-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1105 | TTP |
| [Certutil exe certificate extraction](/endpoint/337a46be-600f-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | | TTP |
| [Clop Common Exec Parameter](/endpoint/5a8a2a72-8322-11eb-9ee9-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1204 | TTP |
| [Cmdline Tool Not Executed In CMD Shell](/endpoint/6c3f7dd8-153c-11ec-ac2d-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.007 | TTP |
| [Create local admin accounts using net exe](/endpoint/b89919ed-fe5f-492c-b139-151bb162040e/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1136.001, T1136 | TTP |
| [Create Remote Thread into LSASS](/endpoint/67d4dbef-9564-4699-8da8-03a151529edc/) | [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) | T1003.001, T1003 | TTP |
| [Curl Download and Bash Execution](/endpoint/900bc324-59f3-11ec-9fb4-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1105 | TTP |
| [Detect AzureHound Command-Line Arguments](/endpoint/26f02e96-c300-11eb-b611-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 | TTP |
| [Detect Computer Changed with Anonymous Account](/endpoint/1400624a-d42d-484d-8843-e6753e6e3645/) | [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846), [Windows Event Log Security 4742](/sources/ea830adf-5450-489a-bcdc-fb8d2cbe674c) | T1210 | Hunting |
| [Detect HTML Help Using InfoTech Storage Handlers](/endpoint/0b2eefa5-5508-450d-b970-3dd2fb761aec/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.001 | TTP |
| [Detect processes used for System Network Configuration Discovery](/endpoint/a51bfe1a-94f0-48cc-b1e4-16ae10145893/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1016 | TTP |
| [Detect Prohibited Applications Spawning cmd exe](/endpoint/dcfd6b40-42f9-469d-a433-2e53f7486664/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.003 | Hunting |
| [Detect Regasm Spawning a Process](/endpoint/72170ec5-f7d2-42f5-aefb-2b8be6aad15f/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.009 | TTP |
| [Detect Regasm with Network Connection](/endpoint/07921114-6db4-4e2e-ae58-3ea8a52ae93f/) | [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) | T1218, T1218.009 | TTP |
| [Detect Regasm with no Command Line Arguments](/endpoint/c3bc1430-04e7-4178-835f-047d8e6e97df/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.009 | TTP |
| [Detect Regsvcs Spawning a Process](/endpoint/bc477b57-5c21-4ab6-9c33-668772e7f114/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.009 | TTP |
| [Detect Regsvcs with Network Connection](/endpoint/e3e7a1c0-f2b9-445c-8493-f30a63522d1a/) | [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) | T1218, T1218.009 | TTP |
| [Detect Regsvcs with No Command Line Arguments](/endpoint/6b74d578-a02e-4e94-a0d1-39440d0bf254/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.009 | TTP |
| [Detect Regsvr32 Application Control Bypass](/endpoint/070e9b80-6252-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.010 | TTP |
| [Detect Rundll32 Application Control Bypass - advpack](/endpoint/4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.011 | TTP |
| [Detect Rundll32 Application Control Bypass - setupapi](/endpoint/61e7b44a-6088-4f26-b788-9a96ba13b37a/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.011 | TTP |
| [Detect Rundll32 Application Control Bypass - syssetup](/endpoint/71b9bf37-cde1-45fb-b899-1b0aa6fa1183/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1218, T1218.011 | TTP |
| [DLLHost with no Command Line Arguments with Network](/endpoint/f1c07594-a141-11eb-8407-acde48001122/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) | T1055 | TTP |
| [Domain Account Discovery with Dsquery](/endpoint/b1a8ce04-04c2-11ec-bea7-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | Hunting |
| [Domain Account Discovery With Net App](/endpoint/98f6a534-04c2-11ec-96b2-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | TTP |
| [Domain Account Discovery with Wmic](/endpoint/383572e0-04c5-11ec-bdcc-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | TTP |
| [Dump LSASS via comsvcs DLL](/endpoint/8943b567-f14d-4ee8-a0bb-2121d4ce3184/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.001, T1003 | TTP |
| [Dump LSASS via procdump](/endpoint/3742ebfe-64c2-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.001, T1003 | TTP |
| [Esentutl SAM Copy](/endpoint/d372f928-ce4f-11eb-a762-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.002, T1003 | Hunting |
| [Excel Spawning PowerShell](/endpoint/42d40a22-9be3-11eb-8f08-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.002, T1003 | TTP |
| [Excel Spawning Windows Script Host](/endpoint/57fe880a-9be3-11eb-9bf3-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1003.002, T1003 | TTP |
| [Excessive Attempt To Disable Services](/endpoint/8fa2a0f0-acd9-11eb-8994-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1489 | Anomaly |
| [Excessive Service Stop Attempt](/endpoint/ae8d3f4a-acd7-11eb-8846-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1489 | Anomaly |
| [Excessive Usage Of Cacls App](/endpoint/0bdf6092-af17-11eb-939a-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1222 | Anomaly |
| [Excessive Usage Of Taskkill](/endpoint/fe5bca48-accb-11eb-a67c-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.001, T1562 | Anomaly |
| [Execution of File with Multiple Extensions](/endpoint/b06a555e-dce0-417d-a2eb-28a5d8d66ef7/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1036, T1036.003 | TTP |
| [File with Samsam Extension](/endpoint/02c6cfc2-ae66-4735-bfc7-6291da834cbf/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | | TTP |
| [Get ADDefaultDomainPasswordPolicy with Powershell](/endpoint/36e46ebe-065a-11ec-b4c7-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1201 | Hunting |
| [Get ADUser with PowerShell](/endpoint/0b6ee3f4-04e3-11ec-a87d-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | Hunting |
| [Get ADUserResultantPasswordPolicy with Powershell](/endpoint/8b5ef342-065a-11ec-b0fc-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1201 | TTP |
| [Get DomainPolicy with Powershell](/endpoint/b8f9947e-065a-11ec-aafb-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1201 | TTP |
| [Get DomainUser with PowerShell](/endpoint/9a5a41d6-04e7-11ec-923c-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | TTP |
| [GetWmiObject DS User with PowerShell](/endpoint/22d3b118-04df-11ec-8fa3-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1087.002, T1087 | TTP |
| [High Process Termination Frequency](/endpoint/17cd75b2-8666-11eb-9ab4-acde48001122/) | [Sysmon EventID 5](/sources/556471bf-44fa-44e6-97e2-eb25416aeb6d) | T1486 | Anomaly |
| [Java Writing JSP File](/endpoint/eb65619c-4f8d-4383-a975-d352765d344b/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) | T1190, T1133 | TTP |
| [Linux apt-get Privilege Escalation](/endpoint/d870ce3b-e796-402f-b2af-cab4da1223f2/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux APT Privilege Escalation](/endpoint/4d5a05fa-77d9-4fd0-af9c-05704f9f9a88/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux AWK Privilege Escalation](/endpoint/4510cae0-96a2-4840-9919-91d262db210a/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Busybox Privilege Escalation](/endpoint/387c4e78-f4a4-413d-ad44-e9f7bc4642c9/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux c89 Privilege Escalation](/endpoint/54c95f4d-3e5d-44be-9521-ea19ba62f7a8/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux c99 Privilege Escalation](/endpoint/e1c6dec5-2249-442d-a1f9-99a4bd228183/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Clipboard Data Copy](/endpoint/7173b2ad-6146-418f-85ae-c3479e4515fc/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1115 | Anomaly |
| [Linux Composer Privilege Escalation](/endpoint/a3bddf71-6ba3-42ab-a6b2-396929b16d92/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Cpulimit Privilege Escalation](/endpoint/d4e40b7e-aad3-4a7d-aac8-550ea5222be5/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Csvtool Privilege Escalation](/endpoint/f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Curl Upload File](/endpoint/c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1105 | TTP |
| [Linux Decode Base64 to Shell](/endpoint/637b603e-1799-40fd-bf87-47ecbd551b66/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1027, T1059.004 | TTP |
| [Linux Docker Privilege Escalation](/endpoint/2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Emacs Privilege Escalation](/endpoint/92033cab-1871-483d-a03b-a7ce98665cfc/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Find Privilege Escalation](/endpoint/2ff4e0c2-8256-4143-9c07-1e39c7231111/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux GDB Privilege Escalation](/endpoint/310b7da2-ab52-437f-b1bf-0bd458674308/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Gem Privilege Escalation](/endpoint/0115482a-5dcb-4bb0-bcca-5d095d224236/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux GNU Awk Privilege Escalation](/endpoint/0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Ingress Tool Transfer Hunting](/endpoint/52fd468b-cb6d-48f5-b16a-92f1c9bb10cf/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1105 | Hunting |
| [Linux Ingress Tool Transfer with Curl](/endpoint/8c1de57d-abc1-4b41-a727-a7a8fc5e0857/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1105 | Anomaly |
| [Linux Java Spawning Shell](/endpoint/7b09db8a-5c20-11ec-9945-acde48001122/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1190, T1133 | TTP |
| [Linux Kernel Module Enumeration](/endpoint/6df99886-0e04-4c11-8b88-325747419278/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1082, T1014 | Anomaly |
| [Linux Make Privilege Escalation](/endpoint/80b22836-5091-4944-80ee-f733ac443f4f/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux MySQL Privilege Escalation](/endpoint/c0d810f4-230c-44ea-b703-989da02ff145/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Ngrok Reverse Proxy Usage](/endpoint/bc84d574-708c-467d-b78a-4c1e20171f97/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1572, T1090, T1102 | Anomaly |
| [Linux Node Privilege Escalation](/endpoint/2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux Obfuscated Files or Information Base64 Decode](/endpoint/303b38b2-c03f-44e2-8f41-4594606fcfc7/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1027 | Anomaly |
| [Linux Octave Privilege Escalation](/endpoint/78f7487d-42ce-4f7f-8685-2159b25fb477/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux OpenVPN Privilege Escalation](/endpoint/d25feebe-fa1c-4754-8a1e-afb03bedc0f2/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux PHP Privilege Escalation](/endpoint/4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
| [Linux pkexec Privilege Escalation](/endpoint/03e22c1c-8086-11ec-ac2e-acde48001122/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1068 | TTP |
| [Linux Proxy Socks Curl](/endpoint/bd596c22-ad1e-44fc-b242-817253ce8b08/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1090, T1095 | TTP |
| [Linux Puppet Privilege Escalation](/endpoint/1d19037f-466e-4d56-8d87-36fafd9aa3ce/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1548.003, T1548 | Anomaly |
[Linux RPM Privilege Escalation](/endpoint/f8e58a23-cecd-495f-9c65-6c76b4cb9774/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[Linux Ruby Privilege Escalation](/endpoint/097b28b5-7004-4d40-a715-7e390501788b/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[Linux Sqlite3 Privilege Escalation](/endpoint/ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[MSI Module Loaded by Non-System Binary](/endpoint/ccb98a66-5851-11ec-b91c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002, T1574 Hunting
[Notepad with no Command Line Arguments](/endpoint/5adbc5f1-9a2f-41c1-a810-f37e015f8179/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[Office Product Spawning Windows Script Host](/endpoint/b3628a5b-8d02-42fa-a891-eebf2351cbe1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Office Product Writing cab or inf](/endpoint/f48cd1d4-125a-11ec-a447-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Processes Tapping Keyboard Events](/endpoint/2a371608-331d-4034-ae2c-21dda8f1d0ec/) N/A TTP
[Regsvr32 with Known Silent Switch Cmdline](/endpoint/c9ef7dc4-eeaf-11eb-b2b6-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.010 Anomaly
[Rundll32 Control RunDLL Hunt](/endpoint/c8e7ced0-10c5-11ec-8b03-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 Hunting
[Schtasks scheduling job on remote system](/endpoint/1297fb80-f42a-4b4a-9c8a-88c066237cf6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1053 TTP
[Set Default PowerShell Execution Policy To Unrestricted or Bypass](/endpoint/c2590137-0b08-4985-9ec5-6ae23d92f63d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.001 TTP
[Shim Database File Creation](/endpoint/6e4c4588-ba2f-42fa-97e6-9f6f548eaa33/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1546.011, T1546 TTP
[Spoolsv Suspicious Process Access](/endpoint/799b606e-da81-11eb-93f8-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1068 TTP
[Suspicious PlistBuddy Usage via OSquery](/endpoint/20ba6c32-c733-4a32-b64e-2688cf231399/) N/A T1543.001, T1543 TTP
[Suspicious Regsvr32 Register Suspicious Path](/endpoint/62732736-6250-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.010 TTP
[Suspicious Rundll32 dllregisterserver](/endpoint/8c00a385-9b86-4ac0-8932-c9ec3713b159/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[UAC Bypass With Colorui COM Object](/endpoint/2bcccd20-fc2b-11eb-8d22-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1218, T1218.003 TTP
[Windows Apache Benchmark Binary](/endpoint/894f48ea-8d85-4dcd-9132-c66cdb407c9b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 Anomaly
[Windows AutoIt3 Execution](/endpoint/0ecb40d9-492b-4a57-9f87-515dd742794c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 TTP
[Windows Credential Dumping LSASS Memory Createdump](/endpoint/b3b7ce35-fce5-4c73-85f4-700aeada81a9/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.001 TTP
[Windows Defender ASR Registry Modification](/endpoint/6a1b6cbe-6612-44c3-92b9-1a1bd77412eb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Defender 5007](/sources/27f18792-8d95-4871-8853-874b7faf023f) T1112 Hunting
[Windows Disable or Modify Tools Via Taskkill](/endpoint/a43ae66f-c410-4b3d-8741-9ce1ad17ddb0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562, T1562.001 Anomaly
[Windows Disable Windows Event Logging Disable HTTP Logging](/endpoint/23fb6787-255f-4d5b-9a66-9fd7504032b5/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.002, T1562, T1505, T1505.004 TTP
[Windows DISM Remove Defender](/endpoint/8567da9e-47f0-11ec-99a9-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 TTP
[Windows DotNet Binary in Non Standard Path](/endpoint/fddf3b56-7933-11ec-98a6-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1036.003, T1218, T1218.004 TTP
[Windows Hunting System Account Targeting Lsass](/endpoint/1c6abb08-73d1-11ec-9ca0-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1003.001, T1003 Hunting
[Windows Identify Protocol Handlers](/endpoint/bd5c311e-a6ea-48ae-a289-19a3398e3648/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 Hunting
[Windows IIS Components Add New Module](/endpoint/38fe731c-1f13-43d4-b878-a5bbe44807e3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1505, T1505.004 Anomaly
[Windows InstallUtil in Non Standard Path](/endpoint/dcf74b22-7933-11ec-857c-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1036.003, T1218, T1218.004 TTP
[Windows InstallUtil Remote Network Connection](/endpoint/4fbf9270-43da-11ec-9486-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1218.004, T1218 TTP
[Windows InstallUtil Uninstall Option](/endpoint/cfa7b9ac-43f0-11ec-9b48-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.004, T1218 TTP
[Windows InstallUtil Uninstall Option with Network](/endpoint/1a52c836-43ef-11ec-a36c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1218.004, T1218 TTP
[Windows InstallUtil URL in Command Line](/endpoint/28e06670-43df-11ec-a569-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.004, T1218 TTP
[Windows MSIExec DLLRegisterServer](/endpoint/fdb59aef-d88f-4909-8369-ec2afbd2c398/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007 TTP
[Windows MSIExec Remote Download](/endpoint/6aa49ff2-3c92-4586-83e0-d83eb693dfda/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007 TTP
[Windows MSIExec Spawn Discovery Command](/endpoint/e9d05aa2-32f0-411b-930c-5b8ca5c4fcee/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007 TTP
[Windows MSIExec Spawn WinDBG](/endpoint/9a18f7c2-1fe3-47b8-9467-8b3976770a30/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007 TTP
[Windows MSIExec Unregister DLLRegisterServer](/endpoint/a27db3c5-1a9a-46df-a577-765d3f1a3c24/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007 TTP
[Windows MSIExec With Network Connections](/endpoint/827409a1-5393-4d8d-8da4-bbb297c262a7/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1218.007 TTP
[Windows Odbcconf Hunting](/endpoint/0562ad4b-fdaa-4882-b12f-7b8e0034cd72/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.008 Hunting
[Windows Odbcconf Load DLL](/endpoint/141e7fca-a9f0-40fd-a539-9aac8be41f1b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.008 TTP
[Windows Office Product Spawning MSDT](/endpoint/127eba64-c981-40bf-8589-1830638864a7/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Windows Possible Credential Dumping](/endpoint/e4723b92-7266-11ec-af45-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1003.001, T1003 TTP
[Windows Process Injection into Notepad](/endpoint/b8340d0f-ba48-4391-bea7-9e793c5aae36/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1055, T1055.002 Anomaly
[Windows Process Injection With Public Source Path](/endpoint/492f09cf-5d60-4d87-99dd-0bc325532dda/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055, T1055.002 Hunting
[Windows Protocol Tunneling with Plink](/endpoint/8aac5e1e-0fab-4437-af0b-c6e60af23eed/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1572, T1021.004 TTP
[Windows Remote Access Software Hunt](/endpoint/8bd22c9f-05a2-4db1-b131-29271f28cb0a/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1219 Hunting
[Windows Remote Assistance Spawning Process](/endpoint/ced50492-8849-11ec-9f68-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[Windows Server Software Component GACUtil Install to GAC](/endpoint/7c025ef0-9e65-4c57-be39-1c13dbb1613e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1505, T1505.004 TTP
[Windows Service Create with Tscon](/endpoint/c13b3d74-6b63-4db5-a841-4206f0370077/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1563.002, T1563, T1543.003 TTP
[Windows SQL Spawning CertUtil](/endpoint/dfc18a5a-946e-44ee-a373-c0f60d06e676/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Windows Steal Authentication Certificates CertUtil Backup](/endpoint/bac85b56-0b65-4ce5-aad5-d94880df0967/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1649 Anomaly
[Windows Steal Authentication Certificates Export Certificate](/endpoint/e39dc429-c2a5-4f1f-9c3c-6b211af6b332/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1649 Anomaly
[Windows Steal Authentication Certificates Export PfxCertificate](/endpoint/391329f3-c14b-4b8d-8b37-ac5012637360/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1649 Anomaly
[Windows System Binary Proxy Execution Compiled HTML File Decompile](/endpoint/2acf0e19-4149-451c-a3f3-39cd3c77e37d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.001, T1218 TTP
[Windows WinDBG Spawning AutoIt3](/endpoint/7aec015b-cd69-46c3-85ed-dac152056aa4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 TTP
[WinRAR Spawning Shell Application](/endpoint/d2f36034-37fa-4bd4-8801-26807c15540f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Winword Spawning PowerShell](/endpoint/b2c950b8-9be2-11eb-8658-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Winword Spawning Windows Script Host](/endpoint/637e1b5c-9be1-11eb-9c32-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[WMIC XSL Execution via URL](/endpoint/787e9dd0-4328-11ec-a029-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1220 TTP
[XSL Script Execution With WMIC](/endpoint/004e32e2-146d-11ec-a83f-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1220 TTP
[Detect ARP Poisoning](/network/b44bebd6-bd39-467b-9321-73971bcd1aac/) N/A T1200, T1498, T1557, T1557.002 TTP
[Detect Rogue DHCP Server](/network/6e1ada88-7a0d-4ac1-92c6-03d354686079/) N/A T1200, T1498, T1557 TTP
[Detect Traffic Mirroring](/network/42b3b753-5925-49c5-9742-36fa40a73990/) N/A T1200, T1020, T1498, T1020.001 TTP
[Detect Windows DNS SIGRed via Splunk Stream](/network/babd8d10-d073-11ea-87d0-0242ac130003/) N/A T1203 TTP
[Hunting for Log4Shell](/web/158b68fa-5d1a-11ec-aac8-acde48001122/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190, T1133 Hunting
[Windows AD Domain Replication ACL Addition](/endpoint/8c372853-f459-4995-afdc-280c114d33ab/) N/A T1484 TTP
[Powershell Windows Defender Exclusion Commands](/endpoint/907ac95c-4dd9-11ec-ba2c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1562.001, T1562 TTP
[Windows Vulnerable Driver Installed](/endpoint/1dda7586-57be-4a1b-8de1-a9ad802b9a7f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1543.003 TTP
[Internal Horizontal Port Scan](/network/1ff9eb9a-7d72-4993-a55e-59a839e607f1/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudWatchLogs VPCflow](/sources/38a34fc4-e128-4478-a8f4-7835d51d5135) T1046 TTP
[Windows Gather Victim Network Info Through Ip Check Web Services](/endpoint/70f7c952-0758-46d6-9148-d8969c4481d1/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1590.005, T1590 Hunting
[Windows ESX Admins Group Creation via Net](/endpoint/3d7df60b-3332-4667-8090-afe03e08dce0/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1136.002, T1136.001 TTP
[Windows ESX Admins Group Creation via PowerShell](/endpoint/f48a5557-be06-4b96-b8e8-be563e387620/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1136.002, T1136.001 TTP
[Windows Outlook WebView Registry Modification](/endpoint/6e1ad5d4-d9af-496a-96ec-f31c11cd09f2/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Malicious PowerShell Process - Encoded Command](/endpoint/c4db14d9-7909-48b4-a054-aa14d89dbb19/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1027 Hunting
[MOVEit Certificate Store Access Failure](/endpoint/d61292d5-46e4-49ea-b23b-8049ea70b525/) N/A T1190 Hunting
[MOVEit Empty Key Fingerprint Authentication Attempt](/endpoint/1a537acc-199f-4713-b5d7-3d98c05ab932/) N/A T1190 Hunting
[Windows Event Log Cleared](/endpoint/ad517544-aff9-4c96-bd99-d6eb43bfbb6a/) [Windows Event Log Security 1102](/sources/8db7b91a-6d7a-40e7-bfac-06f8e901a9cb) T1070, T1070.001 TTP
[Splunk risky Command Abuse disclosed february 2023](/application/ee69374a-d27e-4136-adac-956a96ff60fd/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1548, T1202 Hunting
[Disable Logs Using WevtUtil](/endpoint/236e7c8e-c9d9-11eb-a824-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070, T1070.001 TTP
[Disable Windows Behavior Monitoring](/endpoint/79439cae-9200-11eb-a4d3-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Remote Process Instantiation via DCOM and PowerShell](/endpoint/d4f42098-4680-11ec-ad07-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.003 TTP
[Remote Process Instantiation via WinRM and PowerShell](/endpoint/ba24cda8-4716-11ec-8009-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.006 TTP
[Remote Process Instantiation via WinRM and Winrs](/endpoint/0dd296a2-4338-11ec-ba02-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.006 TTP
[Scheduled Task Creation on Remote Endpoint using At](/endpoint/4be54858-432f-11ec-8209-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053, T1053.002 TTP
[Scheduled Task Initiation on Remote Endpoint](/endpoint/95cf4608-4302-11ec-8194-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053, T1053.005 TTP
[Windows New InProcServer32 Added](/endpoint/0fa86e31-0f73-4ec7-9ca3-dc88e117f1db/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Hunting
[Windows Service Creation on Remote Endpoint](/endpoint/e0eea4fa-4274-11ec-882b-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1543, T1543.003 TTP
[Windows Service Initiation on Remote Endpoint](/endpoint/3f519894-4276-11ec-ab02-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1543, T1543.003 TTP
[Crowdstrike High Identity Risk Severity](/endpoint/0df524ad-6d78-4883-9987-d29418928103/) N/A T1110 TTP
[Crowdstrike Multiple LOW Severity Alerts](/endpoint/5c2c02d8-bee7-4f5c-9dea-e3e1012daddb/) N/A T1110 Anomaly
[Crowdstrike Admin Weak Password Policy](/endpoint/bb1481fd-23c0-4195-b6a0-94d746c9637c/) N/A T1110 TTP
[Crowdstrike Admin With Duplicate Password](/endpoint/b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4/) N/A T1110 TTP
[Crowdstrike Medium Identity Risk Severity](/endpoint/c23b425c-9024-4bd7-b526-c18a4a51d93e/) N/A T1110 TTP
[Crowdstrike Medium Severity Alert](/endpoint/7e80d92a-6ec3-4eb1-a444-1480acfe2d14/) N/A T1110 Anomaly
[Crowdstrike Privilege Escalation For Non-Admin User](/endpoint/69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548/) N/A T1110 Anomaly
[Crowdstrike User Weak Password Policy](/endpoint/b49b6ef4-57cd-4d42-bd7e-64e00f11cc87/) N/A T1110 Anomaly
[Crowdstrike User with Duplicate Password](/endpoint/386dd914-16e5-400b-9bf6-25572cc4415a/) N/A T1110 Anomaly
[Windows Delete or Modify System Firewall](/endpoint/b188d11a-eba7-419d-b8b6-cc265b4f2c4f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562, T1562.004 Anomaly
[Wscript Or Cscript Suspicious Child Process](/endpoint/1f35e1da-267b-11ec-90a9-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055, T1543, T1134.004, T1134 TTP
[Detect Remote Access Software Usage File](/endpoint/3bf5541a-6a45-4fdc-b01d-59b899fff961/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1219 Anomaly
[Detect Remote Access Software Usage FileInfo](/endpoint/ccad96d7-a48c-4f13-8b9c-9f6a31cba454/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1219 Anomaly
[Detect Remote Access Software Usage Process](/endpoint/ffd5e001-2e34-48f4-97a2-26dc4bb08178/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1219 Anomaly
[Detect Remote Access Software Usage DNS](/network/a16b797d-e309-41bd-8ba0-5067dae2e4be/) [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1219 Anomaly
[Detect Remote Access Software Usage Traffic](/network/885ea672-07ee-475a-879e-60d28aa5dd42/) [Palo Alto Network Traffic](/sources/182a83bc-c31a-4817-8c7a-263744cec52a) T1219 Anomaly
[Detect Remote Access Software Usage URL](/web/9296f515-073c-43a5-88ec-eda5a4626654/) [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1219 Anomaly
[Azure AD Admin Consent Bypassed by Service Principal](/cloud/9d4fea43-9182-4c5a-ada8-13701fd5615d/) [Azure Active Directory Add app role assignment to service principal](/sources/8b2e84cd-6db0-47e9-badc-75c17df1995f) T1098.003 TTP
[Windows AD AdminSDHolder ACL Modified](/endpoint/00d877c3-7b7b-443d-9562-6b231e2abab9/) [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) T1546 TTP
[Splunk CSRF in the SSG kvstore Client Endpoint](/application/4742d5f7-ce00-45ce-9c79-5e98b43b4410/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 TTP
[Splunk DoS via POST Request Datamodel Endpoint](/application/45766810-dbb2-44d4-b889-b4ba3ee0d1f5/) N/A T1499 Hunting
[Splunk Enterprise Windows Deserialization File Partition](/application/947d4d2e-1b64-41fc-b32a-736ddb88ce97/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1190 TTP
[Splunk Information Disclosure on Account Login](/application/2bae5d19-6d1b-4db0-82ab-0af5ac5f836c/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1087 Hunting
[Splunk RCE PDFgen Render](/application/bc2b7437-0400-438b-9537-21ab5b7d2d53/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1210 TTP
[Splunk RCE via External Lookup Copybuckets](/application/8598f9de-bba8-42a4-8ef0-12e1adda4131/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1210 Hunting
[Splunk Stored XSS conf-web Settings on Premises](/application/ed1209ef-228d-4dab-9856-be9369925a5c/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk Stored XSS via Data Model objectName Field](/application/062bff76-5f9c-496e-a386-cb1adcf69871/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk Stored XSS via Specially Crafted Bulletin Message](/application/fd852b27-1882-4505-9f2c-64dfb96f4fc1/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk Unauthenticated DoS via Null Pointer References](/application/d67594fe-c317-41b8-9319-ec8428d5c2ea/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499 Hunting
[Splunk Unauthenticated Path Traversal Modules Messaging](/application/e7c2b064-524e-4d65-8002-efce808567aa/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1083 Hunting
[Splunk Unauthorized Experimental Items Creation](/application/84afda04-0cd6-466b-869e-70d6407d0a34/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk Unauthorized Notification Input by User](/application/4b7f368f-4322-47f8-8363-2c466f0b7030/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1548 Hunting
[Splunk XSS in Highlighted JSON Events](/application/1030bc63-0b37-4ac9-9ae0-9361c955a3cc/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk XSS in Save table dialog header in search page](/application/a974d1ee-ddca-4837-b6ad-d55a8a239c20/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk XSS Privilege Escalation via Custom Urls in Dashboard](/application/01e1e386-7656-4f36-a55a-52fe39b04a96/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk XSS Via External Urls in Dashboards SSRF](/application/b0a67520-ae82-4cf6-b04e-9f6cce56830d/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Windows Modify Registry Delete Firewall Rules](/endpoint/41c61539-98ca-4750-b3ec-7c29a2f06343/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33) T1112 TTP
[Windows Modify Registry to Add or Modify Firewall Rule](/endpoint/43254751-e2ce-409a-b6b4-4f851e8dcc26/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Suspicious wevtutil Usage](/endpoint/2827c0fd-e1be-4868-ae25-59d28e0f9d4f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070.001, T1070 TTP
[Windows Modify Registry Configure BitLocker](/endpoint/bd1c770f-1b55-411e-b49e-20d07bcac5f8/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Modify Registry Disable RDP](/endpoint/11ed764f-eb9c-4be7-bdad-2209b9d33ee1/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry on Smart Card Group Policy](/endpoint/1522145a-8e86-4f83-89a8-baf62a8f489d/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Possible Lateral Movement PowerShell Spawn](/endpoint/cb909b3e-512b-11ec-aa31-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.003, T1021.006, T1047, T1053.005, T1543.003, T1059.001, T1218.014 TTP
[Ivanti EPM SQL Injection Remote Code Execution](/web/e20564ca-c86c-4e30-acdb-a8486673426f/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Elevated Group Discovery with PowerView](/endpoint/10d62950-0de5-4199-a710-cff9ea79b413/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.002 Hunting
[Windows Debugger Tool Execution](/endpoint/e14d94a3-07fb-4b47-8406-f5e37180d422/) N/A T1036 Hunting
[Windows Unsigned DLL Side-Loading In Same Process Path](/endpoint/3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002, T1574 TTP
[AWS Multiple Failed MFA Requests For User](/cloud/1fece617-e614-4329-9e61-3ba228c0f353/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1586, T1586.003, T1621 Anomaly
[Detect Copy of ShadowCopy with Script Block Logging](/endpoint/9251299c-ea5b-11eb-a8de-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1003.002, T1003 TTP
[Exchange PowerShell Module Usage](/endpoint/2d10095e-05ae-11ec-8fdf-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 TTP
[PowerShell Invoke CIMMethod CIMSession](/endpoint/651ee958-a433-471c-b264-39725b788b83/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1047 Anomaly
[Services Escalate Exe](/endpoint/c448488c-b7ec-11eb-8253-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548 TTP
[Windows Event Triggered Image File Execution Options Injection](/endpoint/f7abfab9-12ea-44e8-8745-475f9ca6e0a4/) [Windows Event Log Application 3000](/sources/3911945d-9222-408d-b851-9b1bce4c2d24) T1546.012 Hunting
[Windows Impair Defense Define Win Defender Threat Action](/endpoint/7215831c-8252-4ae3-8d43-db588e82f952/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable Win Defender Signature Retirement](/endpoint/7567a72f-bada-489d-aef1-59743fb64a66/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Override SmartScreen Prompt](/endpoint/08058866-7987-486f-b042-275715ef6e9d/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry Disable Restricted Admin](/endpoint/cee573a0-7587-48e6-ae99-10e8c657e89a/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Modify Registry wuStatusServer](/endpoint/073e69d0-68b2-4142-aa90-a7ee6f590676/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Hunting
[Windows Post Exploitation Risk Behavior](/endpoint/edb930df-64c2-4bb7-9b5c-889ed53fb973/) N/A T1012, T1049, T1069, T1016, T1003, T1082, T1115, T1552 Correlation
[Windows PowerView Kerberos Service Ticket Request](/endpoint/970455a1-4ac2-47e1-a9a5-9e75443ddcb9/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1558, T1558.003 TTP
[Windows Query Registry UnInstall Program List](/endpoint/535fd4fc-7151-4062-9d7e-e896bea77bf6/) [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Remote Services Allow Rdp In Firewall](/endpoint/9170cb54-ea15-41e1-9dfc-9f3363ce9b02/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021.001, T1021 Anomaly
[Windows Unsigned DLL Side-Loading](/endpoint/5a83ce44-8e0f-4786-a775-8249a525c879/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002 Anomaly
[Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos](/endpoint/f122cb2e-d773-4f11-8399-62a3572d8dd7/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1110.003, T1110 Anomaly
[Okta Multiple Failed Requests to Access Applications](/application/1c21fed1-7000-4a2e-9105-5aaafa437247/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1550.004, T1538 Hunting
[Azure AD Service Principal Created](/cloud/f8ba49e7-ffd3-4b53-8f61-e73974583c5d/) [Azure Active Directory Add service principal](/sources/fd89d337-e4c0-4162-ad13-bca36f096fe6) T1136.003 TTP
[Azure AD User Consent Blocked for Risky Application](/cloud/06b8ec9a-d3b5-4882-8f16-04b4d10f5eab/) [Azure Active Directory Consent to application](/sources/4c5d6c49-53e3-4980-a4de-c63e26291ed0) T1528 TTP
[Cloud Compute Instance Created With Previously Unseen Image](/cloud/bc24922d-987c-4645-b288-f8c73ec194c4/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) Anomaly
[Credential Dumping via Copy Command from Shadow Copy](/endpoint/d8c406fe-23d2-45f3-a983-1abe7b83ff3b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[Impacket Lateral Movement Commandline Parameters](/endpoint/8ce07472-496f-11ec-ab3b-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.002, T1021.003, T1047, T1543.003 TTP
[Linux DD File Overwrite](/endpoint/9b6aae5e-8d85-11ec-b2ae-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1485 TTP
[Linux File Creation In Init Boot Directory](/endpoint/97d9cfb2-61ad-11ec-bb2d-acde48001122/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1037.004, T1037 Anomaly
[Linux Indicator Removal Clear Cache](/endpoint/e0940505-0b73-4719-84e6-cb94c44a5245/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1070 TTP
[Linux Possible Append Command To Profile Config File](/endpoint/9c94732a-61af-11ec-91e3-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1546.004, T1546 Anomaly
[Ntdsutil Export NTDS](/endpoint/da63bc76-61ae-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[PaperCut NG Suspicious Behavior Debug Log](/endpoint/395163b8-689b-444b-86c7-9fe9ad624734/) N/A T1190, T1133 Hunting
[PetitPotam Suspicious Kerberos TGT Request](/endpoint/e3ef244e-0a67-11ec-abf2-acde48001122/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1003 TTP
[Ping Sleep Batch Command](/endpoint/ce058d6c-79f2-11ec-b476-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1497, T1497.003 Anomaly
[PowerShell Script Block With URL Chain](/endpoint/4a3f2a7d-6402-4e64-a76a-869588ec3b57/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1105 TTP
[Runas Execution in CommandLine](/endpoint/4807e716-43a4-11ec-a0e7-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1134, T1134.001 Hunting
[Suspicious MSBuild Spawn](/endpoint/a115fba6-5514-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1127, T1127.001 TTP
[Suspicious Rundll32 StartW](/endpoint/9319dda5-73f2-4d43-a85a-67ce961bddb7/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[Windows Account Discovery for Sam Account Name](/endpoint/69934363-e1dd-4c49-8651-9d7663dd4d2f/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087 Anomaly
[Windows Admin Permission Discovery](/endpoint/e08620cb-9488-4052-832d-97bcc0afd414/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1069.001 Anomaly
[Windows Alternate DataStream - Executable Content](/endpoint/a258bf2a-34fd-4986-8086-78f506e00206/) [Sysmon EventID 15](/sources/95785e02-93b4-47e2-81f1-be326295348e) T1564, T1564.004 TTP
[Windows AppLocker Rare Application Launch Detection](/endpoint/9556f7b7-285f-4f18-8eeb-963d989f9d27/) N/A T1218 Hunting
[Windows Disable LogOff Button Through Registry](/endpoint/b2fb6830-9ed1-11ec-9fcb-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows DNS Gather Network Info](/endpoint/347e0892-e8f3-4512-afda-dc0e3fa996f3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1590.002 Anomaly
[Windows Domain Account Discovery Via Get-NetComputer](/endpoint/a7fbbc4e-4571-424a-b627-6968e1c939e4/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.002 Anomaly
[Windows Modify Registry NoChangingWallPaper](/endpoint/a2276412-e254-4e9a-9082-4d92edb6a3e0/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Phishing Recent ISO Exec Registry](/endpoint/cb38ee66-8ae5-47de-bd66-231c7bbc0b2c/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1566.001, T1566 Hunting
[Windows Private Keys Discovery](/endpoint/5c1c2877-06c0-40ee-a1a2-db71f1372b5b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1552.004, T1552 Anomaly
[Windows Service Creation Using Registry Entry](/endpoint/25212358-948e-11ec-ad47-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1574.011 TTP
[Zeek x509 Certificate with Punycode](/network/029d6fe4-a5fe-43af-827e-c78c50e81d81/) N/A T1573 Hunting
[Confluence Unauthenticated Remote Code Execution CVE-2022-26134](/web/fcf4bd3f-a79f-4b7a-83bf-2692d60b859c/) [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1505, T1190, T1133 TTP
[Okta Authentication Failed During MFA Challenge](/application/e2b99e7d-d956-411a-a120-2b14adfdde93/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1586, T1586.003, T1078, T1078.004, T1621 TTP
[Okta Suspicious Use of a Session Cookie](/application/71ad47d1-d6bd-4e0a-b35c-020ad9a6959e/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1539 Anomaly
[PingID Multiple Failed MFA Requests For User](/application/c1bc706a-0025-4814-ad30-288f38865036/) [PingID](/sources/17890675-61c1-40bd-a88e-6a8e9e246b43) T1621, T1078, T1110 TTP
[Splunk DoS Using Malformed SAML Request](/application/8e8a86d5-f323-4567-95be-8e817e2baee6/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1498 Hunting
[Splunk ES DoS Through Investigation Attachments](/application/bb85b25e-2d6b-4e39-bd27-50db42edcb8f/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499 TTP
[Splunk Low Privilege User Can View Hashed Splunk Password](/application/a1be424d-e59c-4583-b6f9-2dcc23be4875/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1212 Hunting
[Suspicious Email Attachment Extensions](/application/473bd65f-06ca-4dfe-a2b8-ba04ab4a0084/) N/A T1566.001, T1566 Anomaly
[Amazon EKS Kubernetes Pod scan detection](/cloud/dbfca1dd-b8e5-4ba4-be0e-e565e5d62002/) N/A T1526 Hunting
[ASL AWS Defense Evasion Delete Cloudtrail](/cloud/1f0b47e5-0134-43eb-851c-e3258638945e/) N/A T1562.008, T1562 TTP
[AWS Console Login Failed During MFA Challenge](/cloud/55349868-5583-466f-98ab-d3beb321961e/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1586, T1586.003, T1621 TTP
[AWS IAM Successful Group Deletion](/cloud/e776d06c-9267-11eb-819b-acde48001122/) [AWS CloudTrail DeleteGroup](/sources/c95308a4-a943-42ca-b112-f90a05c21bd3) T1069.003, T1098, T1069 Hunting
[Azure AD Global Administrator Role Assigned](/cloud/825fed20-309d-4fd1-8aaf-cd49c1bb093c/) [Azure Active Directory Add member to role](/sources/1660d196-127f-4678-81b2-472d51711b07) T1098.003 TTP
[O365 Multiple Service Principals Created by SP](/cloud/ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe/) [O365 Add service principal.](/sources/9c1ef9f5-bc30-4a47-a1bd-cb34484ee778) T1136.003 Anomaly
[O365 New Email Forwarding Rule Created](/cloud/68469fd0-1315-44ba-b7e4-e92847bb76d6/) N/A T1114, T1114.003 TTP
[O365 New Forwarding Mailflow Rule Created](/cloud/289ed0a1-4c78-4a43-9321-44ea2e089c14/) N/A T1114 TTP
[O365 Tenant Wide Admin Consent Granted](/cloud/50eaabf8-5180-4e86-bfb2-011472c359fc/) [O365 Consent to application.](/sources/0a15a464-ef51-4614-9a07-a216eb9817db) T1098, T1098.003 TTP
[Attacker Tools On Endpoint](/endpoint/a51bfe1a-94f0-48cc-b4e4-16a110145893/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036.005, T1036, T1003, T1595 TTP
[Detect RTLO In Process](/endpoint/22ac27b4-7189-4a4f-9375-b9017c9620d7/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036.002, T1036 TTP
[Disable AMSI Through Registry](/endpoint/9c27ec42-d338-11eb-9044-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disable Security Logs Using MiniNt Registry](/endpoint/39ebdc68-25b9-11ec-aec7-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Enable RDP In Other Port Number](/endpoint/99495452-b899-11eb-96dc-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1021 TTP
[Excessive distinct processes from Windows Temp](/endpoint/23587b6a-c479-11eb-b671-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 Anomaly
[Get ADUser with PowerShell Script Block](/endpoint/21432e40-04f4-11ec-b7e6-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087.002, T1087 Hunting
[GetWmiObject Ds Computer with PowerShell Script Block](/endpoint/29b99201-723c-4118-847a-db2b3d3fb8ea/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 TTP
[Headless Browser Mockbin or Mocky Request](/endpoint/94fc85a1-e55b-4265-95e1-4b66730e05c0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1564.003 TTP
[Linux Common Process For Elevation Control](/endpoint/66ab15c0-63d0-11ec-9e70-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.001, T1548 Hunting
[Linux Possible Access To Sudoers File](/endpoint/4479539c-71fc-11ec-b2e2-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[Linux Service Started Or Enabled](/endpoint/e0428212-61b7-11ec-88a3-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.006, T1053 Anomaly
[Local Account Discovery with Net](/endpoint/5d0d4830-0133-11ec-bae3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087, T1087.001 Hunting
[Monitor Registry Keys for Print Monitors](/endpoint/f5f6af30-7ba7-4295-bfe9-07de87c01bbc/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.010, T1547 TTP
[Rundll32 Create Remote Thread To A Process](/endpoint/2dbeee3a-f067-11eb-96c0-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055 TTP
[Suspicious Curl Network Connection](/endpoint/3f613dc0-21f2-4063-93b1-5d3c15eef22f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1105 TTP
[Windows Credential Access From Browser Password Store](/endpoint/72013a8e-5cea-408a-9d51-5585386b4d69/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Findstr GPP Discovery](/endpoint/1631ac2d-f2a9-42fa-8a59-d6e210d472f5/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1552, T1552.006 TTP
[Windows Impair Defense Disable Controlled Folder Access](/endpoint/3032741c-d6fc-4c69-8988-be8043d6478c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable Win Defender Network Protection](/endpoint/8b6c15c7-5556-463d-83c7-986326c21f12/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Information Discovery Fsutil](/endpoint/2181f261-93e6-4166-a5a9-47deac58feff/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1082 Anomaly
[Windows MsiExec HideWindow Rundll32 Execution](/endpoint/9683271d-92e4-43b5-a907-1983bfb9f7fd/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007, T1218 TTP
[Windows Powershell Import Applocker Policy](/endpoint/102af98d-0ca3-4aa4-98d6-7ab2b98b955a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1059, T1562.001, T1562 TTP
[Windows Registry BootExecute Modification](/endpoint/eabbac3a-45aa-4659-920f-6b8cff383fb8/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1542, T1547.001 TTP
[Windows Registry Certificate Added](/endpoint/5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1553.004, T1553 Anomaly
[Windows Rundll32 Apply User Settings Changes](/endpoint/b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[Windows Screen Capture Via Powershell](/endpoint/5e0b1936-8f99-4399-8ee2-9edc5b32e170/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1113 TTP
[Windows WMI Impersonate Token](/endpoint/cf192860-2d94-40db-9a51-c04a2e8a8f8b/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1047 Anomaly
[Detect DGA domains using pretrained model in DSDL](/network/92e24f32-9b9a-4060-bba2-2a0eb31f3493/) N/A T1568.002 Anomaly
[Protocol or Port Mismatch](/network/54dc1265-2f74-4b6d-b30d-49eb506a31b3/) N/A T1048.003, T1048 Anomaly
[Protocols passing authentication in cleartext](/network/6923cd64-17a0-453c-b945-81ac2d8c6db9/) N/A TTP
[Remote Desktop Network Traffic](/network/272b8407-842d-4b3d-bead-a704584003d3/) N/A T1021.001, T1021 Anomaly
[SSL Certificates with Punycode](/network/696694df-5706-495a-81f2-79501fa11b90/) N/A T1573 Hunting
[TOR Traffic](/network/ea688274-9c06-4473-b951-e4cb7a5d7a45/) <img src="/icons/network.svg" alt="Network icon" class="icon-tiny"> [Palo Alto Network Traffic](/sources/182a83bc-c31a-4817-8c7a-263744cec52a) T1090, T1090.003 TTP
[Adobe ColdFusion Access Control Bypass](/web/d6821c0b-fcdc-4c95-a77f-e10752fae41a/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Citrix ShareFile Exploitation CVE-2023-24489](/web/172c59f2-5fae-45e5-8e51-94445143e93f/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 Hunting
[Ivanti Connect Secure SSRF in SAML Component](/web/8e6ca490-7af3-4299-9a24-39fb69759925/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Okta IDP Lifecycle Modifications](/application/e0be2c83-5526-4219-a14f-c3db2e763d15/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1087.004 Anomaly
[Okta Risk Threshold Exceeded](/application/d8b967dd-657f-4d88-93b5-c588bcd7218c/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1078, T1110 Correlation
[Splunk Protocol Impersonation Weak Encryption Configuration](/application/900892bf-70a9-4787-8c99-546dd98ce461/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1001.003 Hunting
[Splunk unnecessary file extensions allowed by lookup table uploads](/application/b7d1293f-e78f-415e-b5f6-443df3480082/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 TTP
[AWS Defense Evasion PutBucketLifecycle](/cloud/ce1c0e2b-9303-4903-818b-0d9002fc6ea4/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail PutBucketLifecycle](/sources/1c73e954-87b6-4bd7-ac6a-5db7c4082b22) T1562.008, T1562 Hunting
[AWS Detect Users creating keys with encrypt policy without MFA](/cloud/c79c164f-4b21-4847-98f9-cf6a9f49179e/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail CreateKey](/sources/fcfc1593-b6b5-4a0f-91c5-3c395116a8b9), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail PutKeyPolicy](/sources/9c54c86b-43b9-4bb8-915d-6838beb7f07c) T1486 TTP
[AWS ECR Container Upload Unknown User](/cloud/300688e4-365c-4486-a065-7c884462b31d/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail PutImage](/sources/bb13f10d-0d8c-4fde-9136-b7cfd930e87c) T1204.003, T1204 Anomaly
[AWS Exfiltration via DataSync Task](/cloud/05c4b09f-ea28-4c7c-a7aa-a246f665c8a2/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail CreateTask](/sources/6501e4fe-05b2-45f1-bd51-9e06a94fa7d9) T1119 TTP
[Azure AD Device Code Authentication](/cloud/d68d8732-6f7e-4ee5-a6eb-737f2b990b91/) <img src="/icons/azure.svg" alt="Azure icon" class="icon-tiny"> [Azure Active Directory](/sources/51ca21e5-bda2-4652-bb29-27c7bc18a81c) T1528, T1566, T1566.002 TTP
[Detect AWS Console Login by New User](/cloud/bc91a8cd-35e7-4bb2-6140-e756cc46fd71/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1586, T1586.003, T1552 Hunting
[Kubernetes Create or Update Privileged Pod](/cloud/3c6bd734-334d-4818-ae7c-5234313fc5da/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1204 Anomaly
[Kubernetes Cron Job Creation](/cloud/5984dbe8-572f-47d7-9251-3dff6c3f0c0d/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1053.007 Anomaly
[O365 New Federated Domain Added](/cloud/e155876a-6048-11eb-ae93-0242ac130002/) [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) T1136.003, T1136 TTP
[Add DefaultUser And Password In Registry](/endpoint/d4a3eb62-0f1e-11ec-a971-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1552.002, T1552 Anomaly
[Detect Credential Dumping through LSASS access](/endpoint/2c365e57-4414-4540-8dc0-73ab10729996/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 10](/sources/659cd5a8-148a-4c59-ade1-05f41ac1b096) T1003.001, T1003 TTP
[Disable Defender AntiVirus Registry](/endpoint/aa4f695a-3024-11ec-9987-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Domain Group Discovery With Net](/endpoint/f2f14ac7-fa81-471a-80d5-7eb65c3c7349/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 Hunting
[GetAdComputer with PowerShell Script Block](/endpoint/a9a1da02-8e27-4bf7-a348-f4389c9da487/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 Hunting
[GetWmiObject Ds Group with PowerShell](/endpoint/df275a44-4527-443b-b884-7600e066e3eb/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 TTP
[Linux Iptables Firewall Modification](/endpoint/309d59dc-1e1b-49b2-9800-7cf18d12f7b7/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1562.004, T1562 Anomaly
[Linux Unix Shell Enable All SysRq Functions](/endpoint/e7a96937-3b58-4962-8dce-538e4763cf15/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1059.004, T1059 Anomaly
[Modification Of Wallpaper](/endpoint/accb0712-c381-11eb-8e5b-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1491 TTP
[Network Connection Discovery With Net](/endpoint/640337e5-6e41-4b7f-af06-9d9eab5e1e2d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1049 Hunting
[Print Spooler Failed to Load a Plug-in](/endpoint/1adc9548-da7c-11eb-8f13-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Printservice 808](/sources/e3a26785-4389-4830-8d7b-3dad4252719e) T1547.012, T1547 TTP
[Remcos client registry install entry](/endpoint/f2a1615a-1d63-11ec-97d2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1112 TTP
[Schtasks Run Task On Demand](/endpoint/bb37061e-af1f-11eb-a159-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053 TTP
[Suspicious SQLite3 LSQuarantine Behavior](/endpoint/e1997b2e-655f-4561-82fd-aeba8e1c1a86/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1074 TTP
[Windows Alternate DataStream - Base64 Content](/endpoint/683f48de-982f-4a7e-9aac-9cec550da498/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 15](/sources/95785e02-93b4-47e2-81f1-be326295348e) T1564, T1564.004 TTP
[Windows CAB File on Disk](/endpoint/622f08d0-69ef-42c2-8139-66088bc25acd/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566.001 Anomaly
[Windows Command Shell Fetch Env Variables](/endpoint/048839e4-1eaa-43ff-8a22-86d17f6fcc13/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[Windows Disable Notification Center](/endpoint/1cd983c8-8fd6-11ec-a09d-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows DisableAntiSpyware Registry](/endpoint/23150a40-9301-4195-b802-5bb4f43067fb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Find Interesting ACL with FindInterestingDomainAcl](/endpoint/e4a96dfd-667a-4487-b942-ccef5a1e81e8/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.002 TTP
[Windows Hidden Schedule Task Settings](/endpoint/0b730470-5fe8-4b13-93a7-fe0ad014d0cc/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) T1053 TTP
[Windows Impair Defense Disable Win Defender App Guard](/endpoint/8b700d7e-54ad-4d7d-81cc-1456c4703306/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable Win Defender Scan On Update](/endpoint/0418e72f-e710-4867-b656-0688e1523e09/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Indirect Command Execution Via forfiles](/endpoint/1fdf31c9-ff4d-4c48-b799-0e8666e08787/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1202 TTP
[Windows Mail Protocol In Non-Common Process Path](/endpoint/ac3311f5-661d-4e99-bd1f-3ec665b05441/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1071.003, T1071 Anomaly
[Windows Modify Registry AuthenticationLevelOverride](/endpoint/6410a403-36bb-490f-a06a-11c3be7d2a41/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos](/endpoint/98f22d82-9d62-11eb-9fcf-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1110.003, T1110 TTP
[Windows Password Managers Discovery](/endpoint/a3b3bc96-1c4f-4eba-8218-027cac739a48/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1555.005 Anomaly
[Windows Privilege Escalation System Process Without System Parent](/endpoint/5a5351cd-ba7e-499e-ad82-2ce160ffa637/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1068, T1548, T1134 TTP
[Windows Process Injection Wermgr Child Process](/endpoint/360ae6b0-38b5-4328-9e2b-bc9436cddb17/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 Anomaly
[Windows Query Registry Browser List Application](/endpoint/45ebd21c-f4bf-4ced-bd49-d25b6526cebb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Raw Access To Disk Volume Partition](/endpoint/a85aa37e-9647-11ec-90c5-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 9](/sources/ae4a6a24-9b8c-4386-a7ac-677d7ad5bf09) T1561.002, T1561 Anomaly
[Windows Registry SIP Provider Modification](/endpoint/3b4e18cb-497f-4073-85ad-1ada7c2107ab/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1553.003 TTP
[Windows Security Support Provider Reg Query](/endpoint/31302468-93c9-4eca-9ae3-2d41f53a4e2b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1547.005, T1547 Anomaly
[Windows Spearphishing Attachment Onenote Spawn Mshta](/endpoint/35aeb0e7-7de5-444a-ac45-24d6788796ec/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566.001, T1566 TTP
[Windows System Discovery Using ldap Nslookup](/endpoint/2418780f-7c3e-4c45-b8b4-996ea850cd49/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Anomaly
[Windows System Reboot CommandLine](/endpoint/97fc2b60-c8eb-4711-93f7-d26fade3686f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1529 Anomaly
[Windows Time Based Evasion via Choice Exec](/endpoint/d5f54b38-10bf-4b3a-b6fc-85949862ed50/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1497.003, T1497 Anomaly
[Windows Unusual Count Of Users Failed To Auth Using Kerberos](/endpoint/bc9cb715-08ba-40c3-9758-6e2b26e455cb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4771](/sources/418debbb-adf3-48ec-9efd-59d45f8861e5) T1110.003, T1110 Anomaly
[Windows Valid Account With Never Expires Password](/endpoint/73a931db-1830-48b3-8296-cd9cfa09c3c8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1489 TTP
[Detect Zerologon via Zeek](/network/bf7a06ec-f703-11ea-adc1-0242ac120002/) N/A T1190 TTP
[F5 BIG-IP iControl REST Vulnerability CVE-2022-1388](/network/bb1c2c30-107a-4e56-a4b9-1f7022867bfe/) <img src="/icons/network.svg" alt="Network icon" class="icon-tiny"> [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1190, T1133 TTP
[Confluence Data Center and Server Privilege Escalation](/web/115bebac-0976-4f7d-a3ec-d1fb45a39a11/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190 TTP
[Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527](/web/f56936c0-ae6f-4eeb-91ff-ecc1448c6105/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082](/web/e03edeba-4942-470c-a664-27253f3ad351/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190, T1133 TTP
[Web Spring4Shell HTTP Request Class Module](/web/fcdfd69d-0ca3-4476-920e-9b633cb4593e/) [Splunk Stream HTTP](/sources/b0070a33-92ed-49e5-8f38-576cdf300710) T1190, T1133 TTP
[Splunk Digital Certificates Infrastructure Version](/application/3c162281-7edb-4ebc-b9a4-5087aaf28fa7/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1587.003 Hunting
[Splunk DoS via Malformed S2S Request](/application/fc246e56-953b-40c1-8634-868f9e474cbd/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1498 TTP
[Splunk Endpoint Denial of Service DoS Zip Bomb](/application/b237d393-2f57-4531-aad7-ad3c17c8b041/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499 TTP
[Splunk HTTP Response Splitting Via Rest SPL Command](/application/e615a0e1-a1b2-4196-9865-8aa646e1708c/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1027.006 Hunting
[Abnormally High Number Of Cloud Instances Destroyed](/cloud/ef629fc9-1583-4590-b62a-f2247fbf7bbf/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[AWS IAM Delete Policy](/cloud/ec3a9362-92fe-11eb-99d0-acde48001122/) [AWS CloudTrail DeletePolicy](/sources/d190d23a-2c59-4a0e-9c55-a53ebef28ee5) T1098 Hunting
[GitHub Dependabot Alert](/cloud/05032b04-4469-4034-9df7-05f607d75cba/) [GitHub](/sources/88aa4632-3c3e-43f6-a00a-998d71f558e3) T1195.001, T1195 Anomaly
[Kubernetes Abuse of Secret by Unusual User Name](/cloud/df6e9cae-5257-4a34-8f3a-df49fa0f5c46/) [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1552.007 Anomaly
[Kubernetes newly seen UDP edge](/cloud/49b7daca-4e3c-4899-ba15-9a175e056fa9/) N/A T1204 Anomaly
[O365 Added Service Principal](/cloud/1668812a-6047-11eb-ae93-0242ac130002/) [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) T1136.003, T1136 TTP
[O365 File Permissioned Application Consent Granted by User](/cloud/6c382336-22b8-4023-9b80-1689e799f21f/) [O365 Consent to application.](/sources/0a15a464-ef51-4614-9a07-a216eb9817db) T1528 TTP
[Active Setup Registry Autostart](/endpoint/f64579c0-203f-11ec-abcc-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.014, T1547 TTP
[Allow Network Discovery In Firewall](/endpoint/ccd6a38c-d40b-11eb-85a5-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.007, T1562 TTP
[Detect Certipy File Modifications](/endpoint/7e3df743-b1d8-4631-8fa8-bd5819688876/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1649, T1560 TTP
[Detect suspicious processnames using pretrained model in DSDL](/endpoint/a15f8977-ad7d-4669-92ef-b59b97219bf5/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1059 Anomaly
[Disable Show Hidden Files](/endpoint/6f3ccfa2-91fe-11eb-8f9b-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1564.001, T1562.001, T1564, T1562, T1112 Anomaly
[Get ADDefaultDomainPasswordPolicy with Powershell Script Block](/endpoint/1ff7ccc8-065a-11ec-91e4-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1201 Hunting
[Get-DomainTrust with PowerShell Script Block](/endpoint/89275e7e-0548-11ec-bf75-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1482 TTP
[GetWmiObject Ds Computer with PowerShell](/endpoint/7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 TTP
[Icacls Deny Command](/endpoint/cf8d753e-a8fe-11eb-8f58-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1222 TTP
[Linux Adding Crontab Using List Parameter](/endpoint/52f6d751-1fd4-4c74-a4c9-777ecfeb5c58/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.003, T1053 Hunting
[Linux Data Destruction Command](/endpoint/b11d3979-b2f7-411b-bb1a-bd00e642173b/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1485 TTP
[Linux Service File Created In Systemd Directory](/endpoint/c7495048-61b6-11ec-9a37-acde48001122/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1053.006, T1053 Anomaly
[Linux Visudo Utility Execution](/endpoint/08c41040-624c-11ec-a71f-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[MS Exchange Mailbox Replication service writing Active Server Pages](/endpoint/985f322c-57a5-11ec-b9ac-acde48001122/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1505, T1505.003, T1190, T1133 TTP
[Office Product Spawning MSHTA](/endpoint/6078fa20-a6d2-11eb-b662-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Possible Browser Pass View Parameter](/endpoint/8ba484e8-4b97-11ec-b19a-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1555.003, T1555 Hunting
[Process Deleting Its Process File Path](/endpoint/f7eda4bc-871c-11eb-b110-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070 TTP
[Single Letter Process On Endpoint](/endpoint/a4214f0b-e01c-41bc-8cc4-d2b71e3056b4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1204, T1204.002 TTP
[Spoolsv Writing a DLL](/endpoint/d5bf5cf2-da71-11eb-92c2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1547.012, T1547 TTP
[Suspicious Rundll32 no Command Line Arguments](/endpoint/e451bd16-e4c5-4109-8eb1-c4c6ecf048b4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[UAC Bypass MMC Load Unsigned Dll](/endpoint/7f04349c-e30d-11eb-bc7f-acde48001122/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1548.002, T1548, T1218.014 TTP
[Wermgr Process Connecting To IP Check Web Services](/endpoint/ed313326-a0f9-11eb-a89c-acde48001122/) [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1590, T1590.005 TTP
[Windows Account Discovery With NetUser PreauthNotRequire](/endpoint/cf056b65-44b2-4d32-9172-d6b6f081a376/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087 Hunting
[Windows Archive Collected Data via Powershell](/endpoint/74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1560 Anomaly
[Windows Credentials from Password Stores Query](/endpoint/db02d6b4-5d5b-4c33-8d8f-f0577516a8c7/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1555 Anomaly
[Windows Disable Windows Group Policy Features Through Registry](/endpoint/63a449ae-9f04-11ec-945e-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Exfiltration Over C2 Via Powershell UploadString](/endpoint/59e8bf41-7472-412a-90d3-00f3afa452e9/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1041 TTP
[Windows Impair Defense Change Win Defender Quick Scan Interval](/endpoint/783f0798-f679-4c17-b3b3-187febf0b9b8/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Change Win Defender Throttle Rate](/endpoint/f7da5fca-9261-43de-a4d0-130dad1e4f4d/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable Web Evaluation](/endpoint/e234970c-dcf5-4f80-b6a9-3a562544ca5b/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Show Compress Color And Info Tip Registry](/endpoint/b7548c2e-9a10-11ec-99e3-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Non Discord App Access Discord LevelDB](/endpoint/1166360c-d495-45ac-87a6-8948aac1fa07/) [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Powershell Cryptography Namespace](/endpoint/f8b482f4-6d62-49fa-a905-dfa15698317b/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1059 Anomaly
[Windows Proxy Via Registry](/endpoint/0270455b-1385-4579-9ac5-e77046c508ae/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1090.001, T1090 Anomaly
[Windows UAC Bypass Suspicious Escalation Behavior](/endpoint/00d050d3-a5b4-4565-a6a5-a31f69681dc3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548, T1548.002 TTP
[Windows Unsigned MS DLL Side-Loading](/endpoint/8d9e0e06-ba71-4dc5-be16-c1a46d58728c/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002, T1547 Anomaly
[SMB Traffic Spike](/network/7f5fb3e1-4209-4914-90db-0ec21b936378/) N/A T1021.002, T1021 Anomaly
[Zscaler Scam Destinations Threat Blocked](/web/a0c21379-f4ba-4bac-a958-897e260f964a/) N/A T1566 Anomaly
[Detect Risky SPL using Pretrained ML Model](/application/b4aefb5f-1037-410d-a149-1e091288ba33/) N/A T1059 Anomaly
[Okta Successful Single Factor Authentication](/application/98f6ad4f-4325-4096-9d69-45dc8e638e82/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1586, T1586.003, T1078, T1078.004, T1621 Anomaly
[Splunk RCE via Serialized Session Payload](/application/d1d8fda6-874a-400f-82cf-dcbb59d8e4db/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1190 Hunting
[AWS Defense Evasion Delete CloudWatch Log Group](/cloud/d308b0f1-edb7-4a62-a614-af321160710f/) [AWS CloudTrail DeleteLogGroup](/sources/60cf6a69-fa43-4a6c-8808-e9fb46bf387f) T1562, T1562.008 TTP
[AWS Defense Evasion Impair Security Services](/cloud/b28c4957-96a6-47e0-a965-6c767aac1458/) [AWS CloudTrail DeleteAlarms](/sources/b0730ac8-0992-4de8-b000-2c7d0fc7a61f), [AWS CloudTrail DeleteDetector](/sources/5d8bd475-c8bc-4447-b27f-efa508728b90), [AWS CloudTrail DeleteIPSet](/sources/ebdeeb63-77a0-4808-a6fe-549956731377), [AWS CloudTrail DeleteLogStream](/sources/6f8bb808-89f8-465e-a34d-229df2f46402), [AWS CloudTrail DeleteRule](/sources/b5760623-f3ca-492d-a372-d5c2b3567dfc), [AWS CloudTrail DeleteWebACL](/sources/90da5f08-7961-4c29-8de8-01364982aadf) T1562.008, T1562 Hunting
[O365 Block User Consent For Risky Apps Disabled](/cloud/12a23592-e3da-4344-8545-205d3290647c/) [O365 Update authorization policy.](/sources/d40e6a20-4d64-404c-8351-2caae8228d34) T1562 TTP
[O365 User Consent Blocked for Risky Application](/cloud/242e4d30-cb59-4051-b0cf-58895e218f40/) [O365 Consent to application.](/sources/0a15a464-ef51-4614-9a07-a216eb9817db) T1528 TTP
[Active Directory Privilege Escalation Identified](/endpoint/583e8a68-f2f7-45be-8fc9-bf725f0e22fd/) N/A T1484 Correlation
[Change To Safe Mode With Network Config](/endpoint/81f1dce0-0f18-11ec-a5d7-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1490 TTP
[Common Ransomware Extensions](/endpoint/a9e5c5db-db11-43ca-86a8-c852d1b2c0ec/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1485 Hunting
[Detect Mimikatz With PowerShell Script Block Logging](/endpoint/8148c29c-c952-11eb-9255-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1003, T1059.001 TTP
[Disable Schedule Task](/endpoint/db596056-3019-11ec-a9ff-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 TTP
[Disable Windows SmartScreen Protection](/endpoint/664f0fd0-91ff-11eb-a56f-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Headless Browser Usage](/endpoint/869ba261-c272-47d7-affe-5c0aa85c93d6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1564.003 Hunting
[High Frequency Copy Of Files In Network Share](/endpoint/40925f12-4709-11ec-bb43-acde48001122/) [Windows Event Log Security 5145](/sources/0746479b-7b82-4d7e-8811-0b35da00f798) T1537 Anomaly
[Impacket Lateral Movement WMIExec Commandline Parameters](/endpoint/d6e464e4-5c6a-474e-82d2-aed616a3a492/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021, T1021.002, T1021.003, T1047, T1543.003 TTP
[Linux At Allow Config File Creation](/endpoint/977b3082-5f3d-11ec-b954-acde48001122/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1053.003, T1053 Anomaly
[Loading Of Dynwrapx Module](/endpoint/eac5e8ba-4857-11ec-9371-acde48001122/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1055, T1055.001 TTP
[Log4Shell CVE-2021-44228 Exploitation](/endpoint/9be30d80-3a39-4df9-9102-64a467b24eac/) N/A T1105, T1190, T1059, T1133 Correlation
[Outbound Network Connection from Java Using Default Ports](/endpoint/d2c14d28-5c47-11ec-9892-acde48001122/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1190, T1133 TTP
[PetitPotam Network Share Access Request](/endpoint/95b8061a-0a67-11ec-85ec-acde48001122/) [Windows Event Log Security 5145](/sources/0746479b-7b82-4d7e-8811-0b35da00f798) T1187 TTP
[Powershell Using memory As Backing Store](/endpoint/c396a0c4-c9f2-11eb-b4f5-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1059 TTP
[SLUI RunAs Elevated](/endpoint/8d124810-b3e4-11eb-96c7-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548.002, T1548 TTP
[Steal or Forge Authentication Certificates Behavior Identified](/endpoint/87ac670e-bbfd-44ca-b566-44e9f835518d/) N/A T1649 Correlation
[Unusually Long Command Line - MLTK](/endpoint/57edaefa-a73b-45e5-bbae-f39c1473f941/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) Anomaly
[Wermgr Process Spawned CMD Or Powershell Process](/endpoint/e8fc95bc-a107-11eb-a978-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 TTP
[Windows Account Discovery for None Disable User Account](/endpoint/eddbf5ba-b89e-47ca-995e-2d259804e55e/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.001 Hunting
[Windows AD Privileged Account SID History Addition](/endpoint/6b521149-b91c-43aa-ba97-c2cac59ec830/) [Windows Event Log Security 4738](/sources/cb85709b-101e-41a9-bb60-d2108f79dfbd), [Windows Event Log Security 4742](/sources/ea830adf-5450-489a-bcdc-fb8d2cbe674c) T1134.005, T1134 TTP
[Windows Hide Notification Features Through Registry](/endpoint/cafa4bce-9f06-11ec-a7b2-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry No Auto Reboot With Logon User](/endpoint/6a12fa9f-580d-4627-8c7f-313e359bdc6a/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows MSHTA Writing to World Writable Path](/endpoint/efbcf8ee-bc75-47f1-8985-a5c638c4faf0/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1218.005 TTP
[Windows Powershell RemoteSigned File](/endpoint/f7f7456b-470d-4a95-9703-698250645ff4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059.001, T1059 Anomaly
[Windows Query Registry Reg Save](/endpoint/cbee60c1-b776-456f-83c2-faa56bdbe6c6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1012 Hunting
[Windows Root Domain linked policies Discovery](/endpoint/80ffaede-1f12-49d5-a86e-b4b599b68b3c/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087.002, T1087 Anomaly
[WMI Permanent Event Subscription](/endpoint/71bfdb13-f200-4c6c-b2c9-a2e07adf437d/) N/A T1047 TTP
[Plain HTTP POST Exfiltrated Data](/network/e2b36208-a364-11eb-8909-acde48001122/) [Splunk Stream HTTP](/sources/b0070a33-92ed-49e5-8f38-576cdf300710) T1048.003, T1048 TTP
[JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199](/web/a1e68dcd-2e24-4434-bd0e-b3d4de139d58/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Spring4Shell Payload URL Request](/web/9d44d649-7d67-4559-95c1-8022ff49420b/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1505.003, T1505, T1190, T1133 TTP
[Supernova Webshell](/web/2ec08a09-9ff1-4dac-b59f-1efd57972ec1/) N/A T1505.003, T1133 TTP
[Splunk Authentication Token Exposure in Debug Log](/application/9a67e749-d291-40dd-8376-d422e7ecf8b5/) N/A T1654 TTP
[Splunk Data exfiltration from Analytics Workspace using sid query](/application/b6d77c6c-f011-4b03-8650-8f10edb7c4a8/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1567 Hunting
[Splunk DOS via printf search function](/application/78b48d08-075c-4eac-bd07-e364c3780867/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499.004 Hunting
[Splunk ES DoS Investigations Manager via Investigation Creation](/application/7f6a07bd-82ef-46b8-8eba-802278abd00e/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499 TTP
[ASL AWS Defense Evasion Delete CloudWatch Log Group](/cloud/0f701b38-a0fb-43fd-a83d-d12265f71f33/) N/A T1562, T1562.008 TTP
[AWS ECR Container Upload Outside Business Hours](/cloud/d4c4d4eb-3994-41ca-a25e-a82d64e125bb/) [AWS CloudTrail PutImage](/sources/bb13f10d-0d8c-4fde-9136-b7cfd930e87c) T1204.003, T1204 Anomaly
[AWS High Number Of Failed Authentications For User](/cloud/e3236f49-daf3-4b70-b808-9290912ac64d/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1201 Anomaly
[Circle CI Disable Security Step](/cloud/72cb9de9-e98b-4ac9-80b2-5331bba6ea97/) [CircleCI](/sources/34ad06fc-a296-4ab5-8315-2f07714948e3) T1554 Anomaly
[Detect AWS Console Login by User from New City](/cloud/121b0b11-f8ac-4ed6-a132-3800ca4fc07a/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1586, T1586.003, T1535 Hunting
[GCP Multi-Factor Authentication Disabled](/cloud/b9bc5513-6fc1-4821-85a3-e1d81e451c83/) N/A T1586, T1586.003, T1556, T1556.006 TTP
[GCP Successful Single-Factor Authentication](/cloud/40e17d88-87da-414e-b253-8dc1e4f9555b/) [Google Workspace login_success](/sources/bffe8013-9cdf-4fe6-9c1b-6784391a4951) T1586, T1586.003, T1078, T1078.004 TTP
[High Number of Login Failures from a single source](/cloud/7f398cfb-918d-41f4-8db8-2e2474e02222/) [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) T1110.001, T1110 Anomaly
[Kubernetes Abuse of Secret by Unusual User Group](/cloud/b6f45bbc-4ea9-4068-b3bc-0477f6997ae2/) [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1552.007 Anomaly
[Kubernetes Anomalous Outbound Network Activity from Process](/cloud/dd6afee6-e0a3-4028-a089-f47dd2842c22/) N/A T1204 Anomaly
[Kubernetes Falco Shell Spawned](/cloud/d2feef92-d54a-4a19-8306-b47c6ceba5b2/) [Kubernetes Falco](/sources/23c0eeed-840a-4711-a41b-6819c1ffbba5) T1204 Anomaly
[Detect Certify Command Line Arguments](/endpoint/e6d2dc61-a8b9-4b03-906c-da0ca75d71b8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1649, T1105 TTP
[Domain Controller Discovery with Wmic](/endpoint/64c7adaa-48ee-483c-b0d6-7175bc65e6cc/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 Hunting
[Drop IcedID License dat](/endpoint/b7a045fc-f14a-11eb-8e79-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1204, T1204.002 Hunting
[GetDomainController with PowerShell](/endpoint/868ee0e4-52ab-484a-833a-6d85b7c028d0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 Hunting
[Linux Edit Cron Table Parameter](/endpoint/0d370304-5f26-11ec-a4bb-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.003, T1053 Hunting
[Linux Hardware Addition SwapOff](/endpoint/c1eea697-99ed-44c2-9b70-d8935464c499/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1200 Anomaly
[Linux Possible Access To Credential Files](/endpoint/16107e0e-71fc-11ec-b862-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1003.008, T1003 Anomaly
[Linux Possible Append Command To At Allow Config File](/endpoint/7bc20606-5f40-11ec-a586-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.002, T1053 Anomaly
[Local Account Discovery With Wmic](/endpoint/4902d7aa-0134-11ec-9d65-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087, T1087.001 Hunting
[Non Chrome Process Accessing Chrome Default Dir](/endpoint/81263de4-160a-11ec-944f-acde48001122/) [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1555, T1555.003 Anomaly
[Office Application Spawn rundll32 process](/endpoint/958751e4-9c5f-11eb-b103-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Overwriting Accessibility Binaries](/endpoint/13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1546, T1546.008 TTP
[Print Processor Registry Autostart](/endpoint/1f5b68aa-2037-11ec-898e-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.012, T1547 TTP
[Ransomware Notes bulk creation](/endpoint/eff7919a-8330-11eb-83f8-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1486 Anomaly
[Registry Keys Used For Persistence](/endpoint/f5f6af30-7aa7-4295-bfe9-07fe87c01a4b/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.001, T1547 TTP
[Remote Process Instantiation via WinRM and PowerShell Script Block](/endpoint/7d4c618e-4716-11ec-951c-3e22fbd008af/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1021, T1021.006 TTP
[Suspicious SearchProtocolHost no Command Line Arguments](/endpoint/f52d2db8-31f9-4aa7-a176-25779effe55c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[System Processes Run From Unexpected Locations](/endpoint/a34aae96-ccf8-4aef-952c-3ea21444444d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1036.003 Anomaly
[Windows AppLocker Execution from Uncommon Locations](/endpoint/d57ce957-151a-4aec-ada5-5fb1eb555b6b/) N/A T1218 Hunting
[Windows Disable Lock Workstation Feature Through Registry](/endpoint/c82adbc6-9f00-11ec-a81f-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows InProcServer32 New Outlook Form](/endpoint/fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4/) [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1566, T1112 Anomaly
[Windows Modify Registry With MD5 Reg Key Name](/endpoint/4662c6b1-0754-455e-b9ff-3ee730af3ba8/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Parent PID Spoofing with Explorer](/endpoint/17f8f69c-5d00-4c88-9c6f-493bbdef20a1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1134.004, T1134 TTP
[Windows Service Create SliverC2](/endpoint/89dad3ee-57ec-43dc-9044-131c4edd663f/) [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1569, T1569.002 TTP
[Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos](/endpoint/f65aa026-b811-42ab-b4b9-d9088137648f/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1110.003, T1110 Anomaly
[Detect Outbound SMB Traffic](/network/1bed7774-304a-4e8f-9d72-d80e45ff492b/) N/A T1071.002, T1071 TTP
[Citrix ADC Exploitation CVE-2023-3519](/web/76ac2dcb-333c-4a77-8ae9-2720cfae47a8/) [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1190 Hunting
[Log4Shell JNDI Payload Injection Attempt](/web/c184f12e-5c90-11ec-bf1f-497c9a704a72/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190, T1133 Anomaly
[Persistent XSS in RapidDiag through User Interface Views](/application/ce6e1268-e01c-4df2-a617-0f034ed49a43/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 TTP
[Splunk Code Injection via custom dashboard leading to RCE](/application/b06b41d7-9570-4985-8137-0784f582a1b3/) N/A T1210 Hunting
[AWS Disable Bucket Versioning](/cloud/657902a9-987d-4879-a1b2-e7a65512824b/) [AWS CloudTrail PutBucketVersioning](/sources/17b2fc7d-c8ce-487c-8815-f9a65a09e980) T1490 Anomaly
[AWS Unusual Number of Failed Authentications From Ip](/cloud/0b5c9c2b-e2cb-4831-b4f1-af125ceb1386/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1586, T1586.003, T1110, T1110.003, T1110.004 Anomaly
[Azure AD OAuth Application Consent Granted By User](/cloud/10ec9031-015b-4617-b453-c0c1ab729007/) [Azure Active Directory Consent to application](/sources/4c5d6c49-53e3-4980-a4de-c63e26291ed0) T1528 TTP
[GCP Unusual Number of Failed Authentications From Ip](/cloud/bd8097ed-958a-4873-87d9-44f2b4d85705/) [Google Workspace login_failure](/sources/cabec7cf-4008-4899-b47e-39c34a9a1255) T1586, T1586.003, T1110, T1110.003, T1110.004 Anomaly
[Github Commit In Develop](/cloud/f3030cb6-0b02-11ec-8f22-acde48001122/) [GitHub](/sources/88aa4632-3c3e-43f6-a00a-998d71f558e3) T1199 Anomaly
[Kubernetes Anomalous Traffic on Network Edge](/cloud/886c7e51-2ea1-425d-8705-faaca5a64cc6/) N/A T1204 Anomaly
[O365 Mailbox Email Forwarding Enabled](/cloud/0b6bc75c-05d1-4101-9fc3-97e706168f24/) N/A T1114, T1114.003 TTP
[Risk Rule for Dev Sec Ops by Repository](/cloud/161bc0ca-4651-4c13-9c27-27770660cf67/) N/A T1204.003, T1204 Correlation
[AdsiSearcher Account Discovery](/endpoint/de7fcadc-04f3-11ec-a241-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087.002, T1087 TTP
[Detect RTLO In File Name](/endpoint/468b7e11-d362-43b8-b6ec-7a2d3b246678/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1036.002, T1036 TTP
[Disable Defender Enhanced Notification](/endpoint/dc65678c-301f-11ec-8e30-acde48001122/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disable ETW Through Registry](/endpoint/f0eacfa4-d33f-11eb-8f9d-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disable UAC Remote Restriction](/endpoint/9928b732-210e-11ec-b65e-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1548.002, T1548 TTP
[Elevated Group Discovery With Wmic](/endpoint/3f6bbf22-093e-4cb4-9641-83f47b8444b6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 TTP
[Linux Disable Services](/endpoint/f2e08a38-6689-4df4-ad8c-b51c16262316/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1489 TTP
[Linux Persistence and Privilege Escalation Risk Behavior](/endpoint/ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1/) N/A T1548 Correlation
[Linux Possible Access Or Modification Of sshd Config File](/endpoint/7a85eb24-72da-11ec-ac76-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1098.004, T1098 Anomaly
[Linux Setuid Using Setcap Utility](/endpoint/9d96022e-6250-11ec-9a19-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.001, T1548 Anomaly
[Linux System Network Discovery](/endpoint/535cb214-8b47-11ec-a2c7-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1016 Anomaly
[Office Product Spawn CMD Process](/endpoint/b8b19420-e892-11eb-9244-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Powershell Fileless Script Contains Base64 Encoded Content](/endpoint/8acbc04c-c882-11eb-b060-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1027, T1059.001 TTP
[Powershell Get LocalGroup Discovery with Script Block Logging](/endpoint/d7c6ad22-155c-11ec-bb64-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.001 Hunting
[Processes launching netsh](/endpoint/b89919ed-fe5f-492c-b139-95dbb162040e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.004, T1562 Anomaly
[Remcos RAT File Creation in Remcos Folder](/endpoint/25ae862a-1ac3-11ec-94a1-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1113 TTP
[Remote Desktop Process Running On System](/endpoint/f5939373-8054-40ad-8c64-cec478a22a4a/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021.001, T1021 Hunting
[Remote System Discovery with Wmic](/endpoint/d82eced3-b1dc-42ab-859e-a2fc98827359/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 TTP
[Revil Registry Entry](/endpoint/e3d3f57a-c381-11eb-9e35-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1112 TTP
[Suspicious mshta child process](/endpoint/60023bb6-5500-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Unloading AMSI via Reflection](/endpoint/a21e3484-c94d-11eb-b55b-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1562, T1059.001, T1059 TTP
[Windows AD DSRM Account Changes](/endpoint/08cb291e-ea77-48e8-a95a-0799319bf056/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1098 TTP
[Windows App Layer Protocol Wermgr Connect To NamedPipe](/endpoint/2f3a4092-548b-421c-9caa-84918e1787ef/) [Sysmon EventID 17](/sources/08924246-c8e8-4c95-a9fc-633c43cc82df), [Sysmon EventID 18](/sources/37eb3554-214e-4e66-af10-c3ffc5b8ca82) T1071 Anomaly
[Windows Command Shell DCRat ForkBomb Payload](/endpoint/2bb1a362-7aa8-444a-92ed-1987e8da83e1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059.003, T1059 TTP
[Windows Data Destruction Recursive Exec Files Deletion](/endpoint/3596a799-6320-4a2f-8772-a9e98ddb2960/) [Sysmon EventID 23](/sources/5ea2721d-f60c-4f48-a047-47d514e327c3) T1485 TTP
[Windows Impair Defense Disable Defender Protocol Recognition](/endpoint/b2215bfb-6171-4137-af17-1a02fdd8d043/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable PUA Protection](/endpoint/fbfef407-cfee-4866-88c1-f8de1c16147c/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defenses Disable HVCI](/endpoint/b061dfcc-f0aa-42cc-a6d4-a87f172acb79/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows LSA Secrets NoLMhash Registry](/endpoint/48cc1605-538c-4223-8382-e36bee5b540d/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1003.004 TTP
[Windows Masquerading Explorer As Child Process](/endpoint/61490da9-52a1-4855-a0c5-28233c88c481/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.002, T1574 TTP
[Windows Process Injection Remote Thread](/endpoint/8a618ade-ca8f-4d04-b972-2d526ba59924/) [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055, T1055.002 TTP
[Windows Steal Authentication Certificates - ESC1 Authentication](/endpoint/f0306acf-a6ab-437a-bbc6-8628f8d5c97e/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298), [Windows Event Log Security 4887](/sources/994c7b19-a623-4231-9818-f00e453b9a75) T1649, T1550 TTP
[Windows Steal Authentication Certificates Certificate Request](/endpoint/747d7800-2eaa-422d-b994-04d8bb9e06d0/) [Windows Event Log Security 4886](/sources/c5abd97d-b468-451f-bd65-b4f97efa4ecc) T1649 Anomaly
[Windows System File on Disk](/endpoint/993ce99d-9cdd-42c7-a2cf-733d5954e5a6/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1068 Hunting
[Windows Time Based Evasion](/endpoint/34502357-deb1-499a-8261-ffe144abf561/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1497, T1497.003 TTP
[Detect Large Outbound ICMP Packets](/network/e9c102de-4d43-42a7-b1c8-8062ea297419/) N/A T1095 TTP
[High Volume of Bytes Out to Url](/network/c8a6b56d-16dd-4e9c-b4bd-527742ead98d/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1567 Anomaly
[Ngrok Reverse Proxy on Network](/network/5790a766-53b8-40d3-a696-3547b978fcf0/) [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1572, T1090, T1102 Anomaly
[ConnectWise ScreenConnect Authentication Bypass](/web/d3f7a803-e802-448b-8eb2-e796b223bfff/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[F5 TMUI Authentication Bypass](/web/88bf127c-613e-4579-99e4-c4d4b02f3840/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) TTP
[Jenkins Arbitrary File Read CVE-2024-23897](/web/c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190 TTP
[Zscaler Privacy Risk Destinations Threat Blocked](/web/5456bdef-d765-4565-8e1f-61ca027bc50d/) N/A T1566 Anomaly
[Splunk Process Injection Forwarder Bundle Downloads](/application/8ea57d78-1aac-45d2-a913-0cd603fb6e9e/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1055 Hunting
[Splunk protocol impersonation weak encryption simplerequest](/application/839d12a6-b119-4d44-ac4f-13eed95412c8/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1588.004 Hunting
[Splunk Reflected XSS in the templates lists radio](/application/d532d105-c63f-4049-a8c4-e249127ca425/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk Reflected XSS on App Search Table Endpoint](/application/182f9080-4137-4629-94ac-cb1083ac981a/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[aws detect permanent key creation](/cloud/12d6d713-3cb4-4ffc-a064-1dca3d1cca01/) N/A T1078 Hunting
[AWS Exfiltration via Batch Service](/cloud/04455dd3-ced7-480f-b8e6-5469b99e98e2/) [AWS CloudTrail JobCreated](/sources/6473289b-d097-4c86-a837-3cc5ae408155) T1119 TTP
[AWS High Number Of Failed Authentications From Ip](/cloud/f75b7f1a-b8eb-4975-a214-ff3e0a944757/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1110, T1110.003, T1110.004 Anomaly
[AWS IAM Assume Role Policy Brute Force](/cloud/f19e09b0-9308-11eb-b7ec-acde48001122/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1580, T1110 TTP
[AWS SAML Access by Provider User and Principal](/cloud/bbe23980-6019-11eb-ae93-0242ac130002/) [AWS CloudTrail AssumeRoleWithSAML](/sources/1e28f2a6-2db9-405f-b298-18734a293f77) T1078 Anomaly
[Azure AD Block User Consent For Risky Apps Disabled](/cloud/875de3d7-09bc-4916-8c0a-0929f4ced3d8/) [Azure Active Directory Update authorization policy](/sources/c5b7ffcd-73d8-4fe5-afd8-b1218d715c0c) T1562 TTP
[Azure AD Multi-Factor Authentication Disabled](/cloud/482dd42a-acfa-486b-a0bb-d6fcda27318e/) [Azure Active Directory Disable Strong Authentication](/sources/8f31966d-c496-496d-8837-f7fd11f31255) T1586, T1586.003, T1556, T1556.006 TTP
[Azure AD Tenant Wide Admin Consent Granted](/cloud/dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418/) [Azure Active Directory Consent to application](/sources/4c5d6c49-53e3-4980-a4de-c63e26291ed0) T1098, T1098.003 TTP
[GCP Multiple Failed MFA Requests For User](/cloud/cbb3cb84-c06f-4393-adcc-5cb6195621f1/) [Google Workspace login_failure](/sources/cabec7cf-4008-4899-b47e-39c34a9a1255) T1586, T1586.003, T1621, T1078, T1078.004 TTP
[O365 ApplicationImpersonation Role Assigned](/cloud/49cdce75-f814-4d56-a7a4-c64ec3a481f2/) [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) T1098, T1098.002 TTP
[O365 New Email Forwarding Rule Enabled](/cloud/ac7c4d0a-06a3-4278-aa59-88a5e537f981/) N/A T1114, T1114.003 TTP
[Allow Inbound Traffic In Firewall Rule](/endpoint/a5d85486-b89c-11eb-8267-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1021.001, T1021 TTP
[Delete ShadowCopy With PowerShell](/endpoint/5ee2bcd0-b2ff-11eb-bb34-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1490 TTP
[Download Files Using Telegram](/endpoint/58194e28-ae5e-11eb-8912-acde48001122/) [Sysmon EventID 15](/sources/95785e02-93b4-47e2-81f1-be326295348e) T1105 TTP
[Excessive Usage Of Net App](/endpoint/45e52536-ae42-11eb-b5c6-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1531 Anomaly
[Extraction of Registry Hives](/endpoint/8bbb7d58-b360-11eb-ba21-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.002, T1003 TTP
[Get WMIObject Group Discovery with Script Block Logging](/endpoint/69df7f7c-155d-11ec-a055-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.001 Hunting
[GetLocalUser with PowerShell](/endpoint/85fae8fa-0427-11ec-8b78-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087, T1087.001 Hunting
[Linux Account Manipulation Of SSH Config and Keys](/endpoint/73a56508-1cf5-4df7-b8d9-5737fbdc27d2/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 Anomaly
[Linux Add User Account](/endpoint/51fbcaf2-6259-11ec-b0f3-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1136.001, T1136 Hunting
[Network Connection Discovery With Netstat](/endpoint/2cf5cc25-f39a-436d-a790-4857e5995ede/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1049 Hunting
[Remote Process Instantiation via WMI](/endpoint/d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[Sdelete Application Execution](/endpoint/31702fc0-2682-11ec-85c3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1485, T1070.004, T1070 TTP
[Spoolsv Suspicious Loaded Modules](/endpoint/a5e451f8-da81-11eb-b245-acde48001122/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1547.012, T1547 TTP
[Suspicious Rundll32 PluginInit](/endpoint/92d51712-ee29-11eb-b1ae-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[System User Discovery With Query](/endpoint/ad03bfcf-8a91-4bc2-a500-112993deba87/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[Wermgr Process Create Executable File](/endpoint/ab3bcce0-a105-11eb-973c-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1027 TTP
[Windows Driver Inventory](/endpoint/f87aa96b-369b-4a3e-9021-1bbacbfcb8fb/) N/A T1068 Hunting
[Windows File Transfer Protocol In Non-Common Process Path](/endpoint/0f43758f-1fe9-470a-a9e4-780acc4d5407/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1071.003, T1071 Anomaly
[Windows Impair Defense Add Xml Applocker Rules](/endpoint/467ed9d9-8035-470e-ad5e-ae5189283033/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 Hunting
[Windows Impair Defense Disable Win Defender Report Infection](/endpoint/201946c6-b1d5-42bb-a7e0-5f7123f47fc4/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry MaxConnectionPerServer](/endpoint/064cd09f-1ff4-4823-97e0-45c2f5b087ec/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Njrat Fileless Storage via Registry](/endpoint/a5fffbbd-271f-4980-94ed-4fbf17f0af1c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1027.011, T1027 TTP
[Windows Phishing PDF File Executes URL Link](/endpoint/2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566.001, T1566 Anomaly
[Windows PowerShell Get CIMInstance Remote Computer](/endpoint/d8c972eb-ed84-431a-8869-ca4bd83257d1/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001 Anomaly
[Windows Privilege Escalation Suspicious Process Elevation](/endpoint/6a80300a-9f8a-4f22-bd3e-09ca577cfdfc/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1068, T1548, T1134 TTP
[Windows Process Writing File to World Writable Path](/endpoint/c051b68c-60f7-4022-b3ad-773bec7a225b/) N/A T1218.005 Hunting
[Windows Remote Service Rdpwinst Tool Execution](/endpoint/c8127f87-c7c9-4036-89ed-8fe4b30e678c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1021.001, T1021 TTP
[Windows Spearphishing Attachment Connect To None MS Office Domain](/endpoint/1cb40e15-cffa-45cc-abbd-e35884a49766/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1566.001, T1566 Hunting
[Windows System User Privilege Discovery](/endpoint/8c9a06bc-9939-4425-9bb9-be2371f7fb7e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[Windows WinLogon with Public Network Connection](/endpoint/65615b3a-62ea-4d65-bb9f-6f07c17df4ea/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1542.003 Hunting
[Splunk Identified SSL TLS Certificates](/network/620fbb89-86fd-4e2e-925f-738374277586/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk Stream TCP](/sources/4b1233d1-f80a-4da1-ab27-a5b10ea8a4ce) T1040 Hunting
[PaperCut NG Remote Web Access Attempt](/web/9fcb214a-dc42-4ce7-a650-f1d2cab16a6a/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190, T1133 TTP
[Zscaler Legal Liability Threat Blocked](/web/bbf55ebf-c416-4f62-94d9-4064f2a28014/) N/A T1566 Anomaly
[PingID Mismatch Auth Source and Verification Response](/application/15b0694e-caa2-4009-8d83-a1f98b86d086/) [PingID](/sources/17890675-61c1-40bd-a88e-6a8e9e246b43) T1621, T1556.006, T1098.005 TTP
[Splunk Path Traversal In Splunk App For Lookup File Edit](/application/8ed58987-738d-4917-9e44-b8ef6ab948a6/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1083 Hunting
[ASL AWS IAM Delete Policy](/cloud/609ced68-d420-4ff7-8164-ae98b4b4018c/) N/A T1098 Hunting
[ASL AWS Multi-Factor Authentication Disabled](/cloud/4d2df5e0-1092-4817-88a8-79c7fa054668/) N/A T1586, T1586.003, T1621, T1556, T1556.006 TTP
[Cloud Provisioning Activity From Previously Unseen Country](/cloud/94994255-3acf-4213-9b3f-0494df03bb31/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078 Anomaly
[GCP Multiple Users Failing To Authenticate From Ip](/cloud/da20828e-d6fb-4ee5-afb7-d0ac200923d5/) [Google Workspace login_failure](/sources/cabec7cf-4008-4899-b47e-39c34a9a1255) T1586, T1586.003, T1110, T1110.003, T1110.004 Anomaly
[Github Commit Changes In Master](/cloud/c9d2bfe2-019f-11ec-a8eb-acde48001122/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [GitHub](/sources/88aa4632-3c3e-43f6-a00a-998d71f558e3) T1199 Anomaly
[Kubernetes Abuse of Secret by Unusual User Agent](/cloud/096ab390-05ca-462c-884e-343acd5b9240/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1552.007 Anomaly
[Allow Inbound Traffic By Firewall Rule Registry](/endpoint/0a46537c-be02-11eb-92ca-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1021.001, T1021 TTP
[Bcdedit Command Back To Normal Mode Boot](/endpoint/dc7a8004-0f18-11ec-8c54-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1490 TTP
[Common Ransomware Notes](/endpoint/ada0f478-84a8-4641-a3f1-d82362d6bd71/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1485 Hunting
[Creation of lsass Dump with Taskmgr](/endpoint/b2fbe95a-9c62-4c12-8a29-24b97e84c0cd/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1003.001, T1003 TTP
[Detect Rundll32 Inline HTA Execution](/endpoint/91c79f14-5b41-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Disable Defender BlockAtFirstSeen Feature](/endpoint/2dd719ac-3021-11ec-97b4-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disabling SystemRestore In Registry](/endpoint/f4f837e2-91fb-11eb-8bf6-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1490 TTP
[Domain Group Discovery With Dsquery](/endpoint/f0c9d62f-a232-4edd-b17e-bc409fb133d4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 Hunting
[Elevated Group Discovery With Net](/endpoint/a23a0e20-0b1b-4a07-82e5-ec5f70811e7a/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 TTP
[Get WMIObject Group Discovery](/endpoint/5434f670-155d-11ec-8cca-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.001 Hunting
[GetAdGroup with PowerShell Script Block](/endpoint/e4c73d68-794b-468d-b4d0-dac1772bbae7/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.002 Hunting
[GetNetTcpconnection with PowerShell Script Block](/endpoint/091712ff-b02a-4d43-82ed-34765515d95d/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1049 Hunting
[GetWmiObject User Account with PowerShell](/endpoint/b44f6ac6-0429-11ec-87e9-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087, T1087.001 Hunting
[Linux Change File Owner To Root](/endpoint/c1400ea2-6257-11ec-ad49-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1222.002, T1222 Anomaly
[Linux Doas Tool Execution](/endpoint/d5a62490-6e09-11ec-884e-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[Linux Shred Overwrite Command](/endpoint/c1952cf1-643c-4965-82de-11c067cbae76/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1485 TTP
[MacOS plutil](/endpoint/c11f2b57-92c1-4cd2-b46c-064eafb833ac/) [osquery](/sources/7ec4d7c8-c1d0-423a-9169-261f6adb74c0) T1647 TTP
[Process Execution via WMI](/endpoint/24869767-8579-485d-9a4f-d9ddfd8f0cac/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[Rundll32 Process Creating Exe Dll Files](/endpoint/6338266a-ee2a-11eb-bf68-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1218, T1218.011 TTP
[Ryuk Wake on LAN Command](/endpoint/538d0152-7aaa-11eb-beaa-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.003 TTP
[SAM Database File Access Attempt](/endpoint/57551656-ebdb-11eb-afdf-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1003.002, T1003 Hunting
[Suspicious IcedID Rundll32 Cmdline](/endpoint/bed761f8-ee29-11eb-8bf3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[Suspicious MSBuild Rename](/endpoint/4006adac-5937-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1127, T1036.003, T1127.001 Hunting
[Windows Abused Web Services](/endpoint/01f0aef4-8591-4daa-a53d-0ed49823b681/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1102 TTP
[Windows AD Same Domain SID History Addition](/endpoint/5fde0b7c-df7a-40b1-9b3a-294c00f0289d/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4738](/sources/cb85709b-101e-41a9-bb60-d2108f79dfbd), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4742](/sources/ea830adf-5450-489a-bcdc-fb8d2cbe674c) T1134.005, T1134 TTP
[Windows App Layer Protocol Qakbot NamedPipe](/endpoint/63a2c15e-9448-43c5-a4a8-9852266aaada/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 17](/sources/08924246-c8e8-4c95-a9fc-633c43cc82df), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 18](/sources/37eb3554-214e-4e66-af10-c3ffc5b8ca82) T1071 Anomaly
[Windows Archive Collected Data via Rar](/endpoint/2015de95-fe91-413d-9d62-2fe011b67e82/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Anomaly
[Windows DLL Side-Loading Process Child Of Calc](/endpoint/295ca9ed-e97b-4520-90f7-dfb6469902e1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.002, T1574 Anomaly
[Windows Driver Load Non-Standard Path](/endpoint/9216ef3d-066a-4958-8f27-c84589465e62/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1014, T1068 TTP
[Windows File Without Extension In Critical Folder](/endpoint/0dbcac64-963c-11ec-bf04-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1485 TTP
[Windows Get Local Admin with FindLocalAdminAccess](/endpoint/d2988160-3ce9-4310-b59d-905334920cdd/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.002 TTP
[Windows Impair Defense Configure App Install Control](/endpoint/c54b7439-cfb1-44c3-bb35-b0409553077c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry Auto Update Notif](/endpoint/4d1409df-40c7-4b11-aec4-bd0e709dfc12/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry DisAllow Windows App](/endpoint/4bc788d3-c83a-48c5-a4e2-e0c6dba57889/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Modify Registry ProxyEnable](/endpoint/b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows MSExchange Management Mailbox Cmdlet Usage](/endpoint/396de86f-25e7-4b0e-be09-a330be35249d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.001 Anomaly
[Windows Multi hop Proxy TOR Website Query](/endpoint/4c2d198b-da58-48d7-ba27-9368732d0054/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1071.003, T1071 Anomaly
[Windows Phishing Outlook Drop Dll In FORM Dir](/endpoint/fca01769-5163-4b3a-ae44-de874adfc9bc/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566 TTP
[Windows PowerShell Add Module to Global Assembly Cache](/endpoint/3fc16961-97e5-4a5b-a079-e4ab0d9763eb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1505, T1505.004 TTP
[Windows Remote Services Allow Remote Assistance](/endpoint/9bce3a97-bc97-4e89-a1aa-ead151c82fbb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1021.001, T1021 Anomaly
[Windows Service Create RemComSvc](/endpoint/0be4b5d6-c449-4084-b945-2392b519c33b/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1543.003, T1543 Anomaly
[Windows System LogOff Commandline](/endpoint/74a8133f-93e7-4b71-9bd3-13a66124fd57/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1529 Anomaly
[Windows UAC Bypass Suspicious Child Process](/endpoint/453a6b0f-b0ea-48fa-9cf4-20537ffdd22c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548, T1548.002 TTP
[Windows Unsecured Outlook Credentials Access In Registry](/endpoint/36334123-077d-47a2-b70c-6c7b3cc85049/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1552 Anomaly
[Detect DNS Data Exfiltration using pretrained model in DSDL](/network/92f65c3a-168c-11ed-71eb-0242ac120012/) N/A T1048.003 Anomaly
[DNS Query Length Outliers - MLTK](/network/85fbcfe8-9718-4911-adf6-7000d077a3a9/) N/A T1071.004, T1071 Anomaly
[Confluence CVE-2023-22515 Trigger Vulnerability](/web/630ea8b2-2800-4f5d-9cbc-d65c567349b0/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Web Spring Cloud Function FunctionRouter](/web/89dddbad-369a-4f8a-ace2-2439218735bc/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk Stream HTTP](/sources/b0070a33-92ed-49e5-8f38-576cdf300710) T1190, T1133 TTP
[Zscaler CryptoMiner Downloaded Threat Blocked](/web/ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365/) N/A T1566 Anomaly
[Zscaler Potentially Abused File Download](/web/b0c21379-f4ba-4bac-a958-897e260f964a/) N/A T1566 Anomaly
[Okta ThreatInsight Threat Detected](/application/140504ae-5fe2-4d65-b2bc-a211813fbca6/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1078, T1078.004 Anomaly
[PingID New MFA Method After Credential Reset](/application/2fcbce12-cffa-4c84-b70c-192604d201d0/) [PingID](/sources/17890675-61c1-40bd-a88e-6a8e9e246b43) T1621, T1556.006, T1098.005 TTP
[Splunk Command and Scripting Interpreter Delete Usage](/application/8d3d5d5e-ca43-42be-aa1f-bc64375f6b04/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1059 Anomaly
[Splunk list all nonstandard admin accounts](/application/401d689c-8596-4c6b-a710-7b6fdca296d3/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[Splunk protocol impersonation weak encryption selfsigned](/application/c76c7a2e-df49-414a-bb36-dce2683770de/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1588.004 Hunting
[AWS Credential Access GetPasswordData](/cloud/4d347c4a-306e-41db-8d10-b46baf71b3e2/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail GetPasswordData](/sources/6ff2ce99-85b1-4c17-888a-56dbc3570671) T1586, T1586.003, T1110, T1110.001 Anomaly
[Gsuite Drive Share In External Email](/cloud/f6ee02d6-fea0-11eb-b2c2-acde48001122/) [G Suite Drive](/sources/5f79120f-a235-4468-bd0d-55203758ac22) T1567.002, T1567 Anomaly
[Gsuite suspicious calendar invite](/cloud/03cdd68a-34fb-11ec-9bd3-acde48001122/) N/A T1566 Hunting
[Kubernetes Unauthorized Access](/cloud/9b5f1832-e8b9-453f-93df-07a3d6a72a45/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1204 Anomaly
[O365 Multiple Service Principals Created by User](/cloud/a34e65d0-54de-4b02-9db8-5a04522067f6/) [O365 Add service principal.](/sources/9c1ef9f5-bc30-4a47-a1bd-cb34484ee778) T1136.003 Anomaly
[3CX Supply Chain Attack Network Indicators](/endpoint/791b727c-deec-4fbe-a732-756131b3c5a1/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1195.002 TTP
[Clop Ransomware Known Service Name](/endpoint/07e08a12-870c-11eb-b5f9-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1543 TTP
[Create Remote Thread In Shell Application](/endpoint/10399c1e-f51e-11eb-b920-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055 TTP
[Detect Exchange Web Shell](/endpoint/8c14eeee-2af1-4a4b-bda8-228da0f4862a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1505, T1505.003, T1190, T1133 TTP
[Detect Rare Executables](/endpoint/44fddcb2-8d3b-454c-874e-7c6de5a4f7ac/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1204 Anomaly
[Disable Defender MpEngine Registry](/endpoint/cc391750-3024-11ec-955a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Exchange PowerShell Abuse via SSRF](/endpoint/29228ab4-0762-11ec-94aa-acde48001122/) N/A T1190, T1133 TTP
[First Time Seen Running Windows Service](/endpoint/823136f2-d755-4b6d-ae04-372b486a5808/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7036](/sources/a6e9b34f-1507-4fa1-a4ba-684d1b676a34) T1569, T1569.002 Anomaly
[Get-DomainTrust with PowerShell](/endpoint/4fa7f846-054a-11ec-a836-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1482 TTP
[GetCurrent User with PowerShell Script Block](/endpoint/80879283-c30f-44f7-8471-d1381f6d437a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1033 Hunting
[Linux Deletion Of Cron Jobs](/endpoint/3b132a71-9335-4f33-9932-00bb4f6ac7e8/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 Anomaly
[Linux Stdout Redirection To Dev Null File](/endpoint/de62b809-a04d-46b5-9a15-8298d330f0c8/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1562.004, T1562 Anomaly
[Living Off The Land Detection](/endpoint/1be30d80-3a39-4df9-9102-64a467b24abc/) N/A T1105, T1190, T1059, T1133 Correlation
[MS Scripting Process Loading WMI Module](/endpoint/2eba3d36-14a6-11ec-a682-acde48001122/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1059, T1059.007 Anomaly
[Net Localgroup Discovery](/endpoint/54f5201e-155b-11ec-a6e2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.001 Hunting
[Powershell COM Hijacking InprocServer32 Modification](/endpoint/ea61e291-af05-4716-932a-67faddb6ae6f/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1546.015, T1059, T1059.001 TTP
[Powershell Disable Security Monitoring](/endpoint/c148a894-dd93-11eb-bf2a-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 TTP
[PowerShell Domain Enumeration](/endpoint/e1866ce2-ca22-11eb-8e44-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 TTP
[PowerShell Get LocalGroup Discovery](/endpoint/b71adfcc-155b-11ec-9413-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.001 Hunting
[Recon AVProduct Through Pwh or WMI](/endpoint/28077620-c9f6-11eb-8785-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1592 TTP
[Rundll32 with no Command Line Arguments with Network](/endpoint/35307032-a12d-11eb-835f-acde48001122/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1218, T1218.011 TTP
[Suspicious WAV file in Appdata Folder](/endpoint/5be109e6-1ac5-11ec-b421-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1113 TTP
[System Info Gathering Using Dxdiag Application](/endpoint/f92d74f2-4921-11ec-b685-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1592 Hunting
[Verclsid CLSID Execution](/endpoint/61e9a56a-20fa-11ec-8ba3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.012, T1218 Hunting
[Windows AD Abnormal Object Access Activity](/endpoint/71b289db-5f2c-4c43-8256-8bf26ae7324a/) [Windows Event Log Security 4662](/sources/f3c2cd64-0b5f-4013-8201-35dc03828ec6) T1087, T1087.002 Anomaly
[Windows Change Default File Association For No File Ext](/endpoint/dbdf52ad-d6a1-4b68-975f-0a10939d8e38/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1546.001, T1546 TTP
[Windows Defacement Modify Transcodedwallpaper File](/endpoint/e11c3d90-5bc7-42ad-94cd-ba75db10d897/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1491 Anomaly
[Windows Executable in Loaded Modules](/endpoint/3e27af56-fcf0-4113-988d-24969b062be7/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1129 TTP
[Windows Exfiltration Over C2 Via Invoke RestMethod](/endpoint/06ade821-f6fa-40d0-80af-15bc1d45b3ba/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1041 TTP
[Windows Files and Dirs Access Rights Modification Via Icacls](/endpoint/c76b796c-27e1-4520-91c4-4a58695c749e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1222.001, T1222 TTP
[Windows Impair Defense Set Win Defender Smart Screen Level To Warn](/endpoint/cc2a3425-2703-47e7-818f-3dca1b0bc56f/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry Disable Toast Notifications](/endpoint/ed4eeacb-8d5a-488e-bc97-1ce6ded63b84/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry Disable Windows Security Center Notif](/endpoint/27ed3e79-6d86-44dd-b9ab-524451c97a7b/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry Do Not Connect To Win Update](/endpoint/e09c598e-8dd0-4e73-b740-4b96b689199e/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry LongPathsEnabled](/endpoint/36f9626c-4272-4808-aadd-267acce681c0/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Multiple Invalid Users Fail To Authenticate Using Kerberos](/endpoint/001266a6-9d5b-11eb-829b-acde48001122/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1110.003, T1110 TTP
[Windows PowerShell Export PfxCertificate](/endpoint/ed06725f-6da6-439f-9dcc-ab30e891297c/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1552.004, T1552, T1649 Anomaly
[Windows Process Injection Of Wermgr to Known Browser](/endpoint/aec755a5-3a2c-4be0-ab34-6540e68644e9/) [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055.001, T1055 TTP
[Windows Remote Access Software BRC4 Loaded Dll](/endpoint/73cf5dcb-cf36-4167-8bbe-384fe5384d05/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1219, T1003 Anomaly
[Windows SOAPHound Binary Execution](/endpoint/8e53f839-e127-4d6d-a54d-a2f67044a57f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 TTP
[Windows System Time Discovery W32tm Delay](/endpoint/b2cc69e7-11ba-42dc-a269-59c069a48870/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1124 Anomaly
[Windows WMI Process And Service List](/endpoint/ef3c5ef2-3f6d-4087-aa75-49bf746dc907/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 Anomaly
[Detect Outbound LDAP Traffic](/network/5e06e262-d7cd-4216-b2f8-27b437e18458/) [Bro](/sources/c5d9612b-0ffd-44d3-8247-3cf3486ec5e2) T1190, T1059 Hunting
[Detect SNICat SNI Exfiltration](/network/82d06410-134c-11eb-adc1-0242ac120002/) N/A T1041 TTP
[SMB Traffic Spike - MLTK](/network/d25773ba-9ad8-48d1-858e-07ad0bbeb828/) N/A T1021.002, T1021 Anomaly
[Exploit Public Facing Application via Apache Commons Text](/web/19a481e0-c97c-4d14-b1db-75a708eb592e/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1505.003, T1505, T1190, T1133 Anomaly
[ProxyShell ProxyNotShell Behavior Detected](/web/c32fab32-6aaf-492d-bfaf-acbed8e50cdf/) N/A T1190, T1133 Correlation
[Splunk Information Disclosure in Splunk Add-on Builder](/application/b7b82980-4a3e-412e-8661-4531d8758735/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1082 Hunting
[Splunk Persistent XSS Via URL Validation Bypass W Dashboard](/application/8a43558f-a53c-4ee4-86c1-30b1e8ef3606/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[aws detect sts assume role abuse](/cloud/8e565314-b6a2-46d8-9f05-1a34a176a662/) N/A T1078 Hunting
[AWS IAM AccessDenied Discovery Events](/cloud/3e1f1568-9633-11eb-a69c-acde48001122/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1580 Anomaly
[Circle CI Disable Security Job](/cloud/4a2fdd41-c578-4cd4-9ef7-980e352517f2/) [CircleCI](/sources/34ad06fc-a296-4ab5-8315-2f07714948e3) T1554 Anomaly
[Kubernetes Scanner Image Pulling](/cloud/4890cd6b-0112-4974-a272-c5c153aee551/) N/A T1526 TTP
[Active Directory Lateral Movement Identified](/endpoint/6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037/) N/A T1210 Correlation
[Allow Operation with Consent Admin](/endpoint/7de17d7a-c9d8-11eb-a812-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1548 TTP
[CMD Carry Out String Command Parameter](/endpoint/54a6ed00-3256-11ec-b031-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059.003, T1059 Hunting
[ConnectWise ScreenConnect Path Traversal Windows SACL](/endpoint/4e127857-1fc9-4c95-9d69-ba24c91d52d7/) [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1190 TTP
[Credential Dumping via Symlink to Shadow Copy](/endpoint/c5eac648-fae0-4263-91a6-773df1f4c903/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[CSC Net On The Fly Compilation](/endpoint/ea73128a-43ab-11ec-9753-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1027.004, T1027 Hunting
[Detect Excessive User Account Lockouts](/endpoint/95a7f9a5-6096-437e-a19e-86f42ac609bd/) N/A T1078, T1078.003 Anomaly
[Detect Use of cmd exe to Launch Script Interpreters](/endpoint/b89919ed-fe5f-492c-b139-95dbb162039e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.003 TTP
[Detect Webshell Exploit Behavior](/endpoint/22597426-6dbd-49bd-bcdc-4ec19857192f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1505, T1505.003 TTP
[Detection of tools built by NirSoft](/endpoint/3d8d201c-aa03-422d-b0ee-2e5ecf9718c0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1072 TTP
[Excessive number of taskhost processes](/endpoint/f443dac2-c7cf-11eb-ab51-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 Anomaly
[Fsutil Zeroing File](/endpoint/4e5e024e-fabb-11eb-8b8f-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070 TTP
[GetAdGroup with PowerShell](/endpoint/872e3063-0fc4-4e68-b2f3-f2b99184a708/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 Hunting
[GetDomainGroup with PowerShell](/endpoint/93c94be3-bead-4a60-860f-77ca3fe59903/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.002 TTP
[Linux At Application Execution](/endpoint/bf0a378e-5f3c-11ec-a6de-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.002, T1053 Anomaly
[Linux System Reboot Via System Request Key](/endpoint/e1912b58-ed9c-422c-bbb0-2dbc70398345/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1529 TTP
[Office Application Spawn Regsvr32 process](/endpoint/2d9fc90c-f11f-11eb-9300-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Powershell Remote Services Add TrustedHost](/endpoint/bef21d24-297e-45e3-9b9a-c6ac45450474/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1021.006, T1021 TTP
[RunDLL Loading DLL By Ordinal](/endpoint/6c135f8d-5e60-454e-80b7-c56eed739833/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 TTP
[Ryuk Test Files Detected](/endpoint/57d44d70-28d9-4ed1-acf5-1c80ae2bbce3/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1486 TTP
[Sc exe Manipulating Windows Services](/endpoint/f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1543.003, T1543 TTP
[SearchProtocolHost with no Command Line with Network](/endpoint/b690df8c-a145-11eb-a38b-acde48001122/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1055 TTP
[SecretDumps Offline NTDS Dumping Tool](/endpoint/5672819c-be09-11eb-bbfb-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[Services LOLBAS Execution Process Spawn](/endpoint/ba9e1954-4c04-11ec-8b74-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1543, T1543.003 TTP
[Sqlite Module In Temp Folder](/endpoint/0f216a38-f45f-11eb-b09c-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1005 TTP
[Suspicious Scheduled Task from Public Directory](/endpoint/7feb7972-7ac3-11eb-bac8-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1053 Anomaly
[Unusually Long Command Line](/endpoint/c77162d3-f93c-45cc-80c8-22f6a4264e7f/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) Anomaly
[Windows AD Replication Request Initiated from Unsanctioned Location](/endpoint/50998483-bb15-457b-a870-965080d9e3d3/) [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846), [Windows Event Log Security 4662](/sources/f3c2cd64-0b5f-4013-8201-35dc03828ec6) T1003.006, T1003 TTP
[Windows Bypass UAC via Pkgmgr Tool](/endpoint/cce58e2c-988a-4319-9390-0daa9eefa3cd/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548.002 Anomaly
[Windows Computer Account Created by Computer Account](/endpoint/97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a/) [Windows Event Log Security 4741](/sources/ef87257f-e7d1-4856-abae-097b2cfdcdb4) T1558 TTP
[Windows Impair Defense Overide Win Defender Phishing Filter](/endpoint/10ca081c-57b1-4a78-ba56-14a40a7e116a/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry Auto Minor Updates](/endpoint/be498b9f-d804-4bbf-9fc0-d5448466b313/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Hunting
[Windows Modify Registry Reg Restore](/endpoint/d0072bd2-6d73-4c1b-bc77-ded6d2da3a4e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1012 Hunting
[Windows Modify Registry UpdateServiceUrlAlternate](/endpoint/ca4e94fb-7969-4d63-8630-3625809a1f70/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Process Commandline Discovery](/endpoint/67d2a52e-a7e2-4a5d-ae44-a21212048bc2/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1057 Hunting
[Windows Process Injection In Non-Service SearchIndexer](/endpoint/d131673f-ede1-47f2-93a1-0108d3e7fafd/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[Windows RDP Connection Successful](/endpoint/ceaed840-56b3-4a70-b8e1-d762b1c5c08c/) [Windows Event Log RemoteConnectionManager 1149](/sources/08f9edb4-f95f-40be-b1dd-bc3a1cd95aaf) T1563.002 Hunting
[Windows Registry Modification for Safe Mode Persistence](/endpoint/c6149154-c9d8-11eb-9da7-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.001, T1547 TTP
[Windows Scheduled Task with Highest Privileges](/endpoint/2f15e1a4-0fc2-49dd-919e-cbbe60699218/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053, T1053.005 TTP
[Windows Security Account Manager Stopped](/endpoint/69c12d59-d951-431e-ab77-ec426b8d65e6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1489 TTP
[Windows Service Stop Win Updates](/endpoint/0dc25c24-6fcf-456f-b08b-dd55a183e4de/) [Windows Event Log System 7040](/sources/91738e9e-d112-41c9-b91b-e5868d8993d9) T1489 Anomaly
[Windows Snake Malware Kernel Driver Comadmin](/endpoint/628d9c7c-3242-43b5-9620-7234c080a726/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1547.006 TTP
[Windows System Shutdown CommandLine](/endpoint/4fee57b8-d825-4bf3-9ea8-bf405cdb614c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1529 Anomaly
[Windows System User Discovery Via Quser](/endpoint/0c3f3e09-e47a-410e-856f-a02a5c5fafb0/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[WinRM Spawning a Process](/endpoint/a081836a-ba4d-11eb-8593-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1190 TTP
[WMI Permanent Event Subscription - Sysmon](/endpoint/ad05aae6-3b2a-4f73-af97-57bd26cee3b9/) [Sysmon EventID 21](/sources/304384bc-715e-4958-988b-a8051a91349a) T1546.003, T1546 TTP
[Wmic Group Discovery](/endpoint/83317b08-155b-11ec-8e00-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1069, T1069.001 Hunting
[Detect Software Download To Network Device](/network/cc590c66-f65f-48f2-986a-4797244762f8/) N/A T1542.005, T1542 TTP
[Excessive DNS Failures](/network/104658f4-afdc-499e-9719-17243f9826f1/) N/A T1071.004, T1071 Anomaly
[Ivanti Connect Secure Command Injection Attempts](/web/1f32a7e0-a060-4545-b7de-73fcf9ad536e/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[JetBrains TeamCity Authentication Bypass CVE-2024-27198](/web/fbcc04c7-8a79-453c-b3a9-c232c423bdd4/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Monitor Web Traffic For Brand Abuse](/web/134da869-e264-4a8f-8d7e-fcd0ec88f301/) N/A TTP
[Okta Mismatch Between Source and Response for Verify Push Request](/application/8085b79b-9b85-4e67-ad63-351c9e9a5e9a/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1621 TTP
[Splunk Command and Scripting Interpreter Risky Commands](/application/1cf58ae1-9177-40b8-a26c-8966040f11ae/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1059 Hunting
[Splunk Unauthenticated Log Injection Web Service Log](/application/de3908dc-1298-446d-84b9-fa81d37e959b/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1190 Hunting
[Suspicious Java Classes](/application/6ed33786-5e87-4f55-b62c-cb5f1168b831/) N/A Anomaly
[Detect New Open S3 buckets](/cloud/2a9b80d3-6340-4345-b5ad-290bf3d0dac4/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1530 TTP
[Detect New Open S3 Buckets over AWS CLI](/cloud/39c61d09-8b30-4154-922b-2d0a694ecc22/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1530 TTP
[Detect S3 access from a new IP](/cloud/e6f1bb1b-f441-492b-9126-902acda217da/) N/A T1530 Anomaly
[Detect Spike in AWS Security Hub Alerts for EC2 Instance](/cloud/2a9b80d3-6340-4345-b5ad-290bf5d0d222/) [AWS Security Hub](/sources/b02bfbf3-294f-478e-99a1-e24b8c692d7e) Anomaly
[Kubernetes Nginx Ingress LFI](/cloud/0f83244b-425b-4528-83db-7a88c5f66e48/) N/A T1212 TTP
[Kubernetes Nginx Ingress RFI](/cloud/fc5531ae-62fd-4de6-9c36-b4afdae8ca95/) N/A T1212 TTP
[Kubernetes Pod With Host Network Attachment](/cloud/cce357cf-43a4-494a-814b-67cea90fe990/) [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1204 Anomaly
[O365 Add App Role Assignment Grant User](/cloud/b2c81cc6-6040-11eb-ae93-0242ac130002/) [O365 Add app role assignment grant to user.](/sources/ce1d7849-a1d2-47fd-b6eb-d7ef854a860c) T1136.003, T1136 TTP
[Batch File Write to System32](/endpoint/503d17cb-9eab-4cf8-a20e-01d5c6987ae3/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1204, T1204.002 TTP
[Creation of Shadow Copy](/endpoint/eb120f5f-b879-4a63-97c1-93352b5df844/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[Detect Excessive Account Lockouts From Endpoint](/endpoint/c026e3dd-7e18-4abb-8f41-929e836efe74/) N/A T1078, T1078.002 Anomaly
[Detect Outlook exe writing a zip file](/endpoint/a51bfe1a-94f0-4822-b1e4-16ae10145893/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566, T1566.001 TTP
[Disabling Defender Services](/endpoint/911eacdc-317f-11ec-ad30-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disabling Windows Local Security Authority Defences via Registry](/endpoint/45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1556 TTP
[Excessive Usage Of SC Service Utility](/endpoint/cb6b339e-d4c6-11eb-a026-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1569, T1569.002 Anomaly
[GetNetTcpconnection with PowerShell](/endpoint/e02af35c-1de5-4afe-b4be-f45aba57272b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1049 Hunting
[Linux High Frequency Of File Deletion In Boot Folder](/endpoint/e27fbc5d-0445-4c4a-bc39-87f060d5c602/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 TTP
[Linux Possible Append Cronjob Entry on Existing Cronjob File](/endpoint/b5b91200-5f27-11ec-bb4e-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.003, T1053 Hunting
[Linux Sudoers Tmp File Creation](/endpoint/be254a5c-63e7-11ec-89da-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1548.003, T1548 Anomaly
[Modify ACL permission To Files Or Folder](/endpoint/7e8458cc-acca-11eb-9e3f-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1222 Anomaly
[MS Scripting Process Loading Ldap Module](/endpoint/0b0c40dc-14a6-11ec-b267-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1059, T1059.007 Anomaly
[Network Discovery Using Route Windows App](/endpoint/dd83407e-439f-11ec-ab8e-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1016, T1016.001 Hunting
[Network Share Discovery Via Dir Command](/endpoint/dc1457d0-1d9b-422e-b5a7-db46c184d9aa/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 5140](/sources/93e0ca09-e4b8-4da6-872a-d0127c4d2b22) T1135 Hunting
[Non Firefox Process Access Firefox Profile Dir](/endpoint/e6fc13b0-1609-11ec-b533-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1555, T1555.003 Anomaly
[Powershell Load Module in Meterpreter](/endpoint/d5905da5-d050-48db-9259-018d8f034fcf/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 TTP
[Rundll32 LockWorkStation](/endpoint/fa90f372-f91d-11eb-816c-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.011 Anomaly
[Unknown Process Using The Kerberos Protocol](/endpoint/c91a0852-9fbb-11ec-af44-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1550 TTP
[User Discovery With Env Vars PowerShell](/endpoint/0cdf318b-a0dd-47d7-b257-c621c0247de8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[Windows Boot or Logon Autostart Execution In Startup Folder](/endpoint/99d157cb-923f-4a00-aee9-1f385412146f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1547.001, T1547 Anomaly
[Windows Create Local Account](/endpoint/3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb/) N/A T1136.001, T1136 Anomaly
[Windows Credentials from Password Stores Chrome LocalState Access](/endpoint/3b1d09a8-a26f-473e-a510-6c6613573657/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Disable Change Password Through Registry](/endpoint/0df33e1a-9ef6-11ec-a1ad-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Disable Shutdown Button Through Registry](/endpoint/55fb2958-9ecd-11ec-a06a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Excessive Disabled Services Event](/endpoint/c3f85976-94a5-11ec-9a58-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7040](/sources/91738e9e-d112-41c9-b91b-e5868d8993d9) T1562.001, T1562 TTP
[Windows Impair Defense Disable Defender Firewall And Network](/endpoint/8467d8cd-b0f9-46fa-ac84-a30ad138983e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Indirect Command Execution Via Series Of Forfiles](/endpoint/bfdaabe7-3db8-48c5-80c1-220f9b8f22be/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1202 Anomaly
[Windows Masquerading Msdtc Process](/endpoint/238f3a07-8440-480b-b26f-462f41d9a47c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036 TTP
[Windows PowerShell ScheduleTask](/endpoint/ddf82fcb-e9ee-40e3-8712-a50b5bf323fc/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1053.005, T1059.001, T1059 Anomaly
[WSReset UAC Bypass](/endpoint/8b5901bc-da63-11eb-be43-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1548.002, T1548 TTP
[Windows AD Replication Service Traffic](/network/c6e24183-a5f4-4b2a-ad01-2eb456d09b67/) N/A T1003, T1003.006, T1207 TTP
[Detect attackers scanning for vulnerable JBoss servers](/web/104658f4-afdc-499e-9719-17243f982681/) N/A T1082, T1133 TTP
[Detect malicious requests to exploit JBoss servers](/web/c8bff7a4-11ea-4416-a27d-c5bca472913d/) N/A TTP
[Microsoft SharePoint Server Elevation of Privilege](/web/fcf4bd3f-a79f-4b7a-83bf-2692d60b859d/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1068 TTP
[VMWare Aria Operations Exploit Attempt](/web/d5d865e4-03e6-43da-98f4-28a4f42d4df7/) <img src="/icons/network.svg" alt="Network icon" class="icon-tiny"> [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1133, T1190, T1210, T1068 TTP
[VMware Workspace ONE Freemarker Server-side Template Injection](/web/9e5726fe-8fde-460e-bd74-cddcf6c86113/) <img src="/icons/network.svg" alt="Network icon" class="icon-tiny"> [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1190, T1133 Anomaly
[Web Remote ShellServlet Access](/web/c2a332c3-24a2-4e24-9455-0e80332e6746/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190 TTP
[Email servers sending high volume traffic to hosts](/application/7f5fb3e1-4209-4914-90db-0ec21b556378/) N/A T1114, T1114.002 Anomaly
[Okta MFA Exhaustion Hunt](/application/97e2fe57-3740-402c-988a-76b64ce04b8d/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1110 Hunting
[Splunk Digital Certificates Lack of Encryption](/application/386a7ebc-737b-48cf-9ca8-5405459ed508/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1587.003 Anomaly
[AWS Detect Users with KMS keys performing encryption S3](/cloud/884a5f59-eec7-4f4a-948b-dbde18225fdc/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1486 Anomaly
[Azure AD Multiple Denied MFA Requests For User](/cloud/d0895c20-de71-4fd2-b56c-3fcdb888eba1/) <img src="/icons/azure.svg" alt="Azure icon" class="icon-tiny"> [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) T1621 TTP
[Cloud Compute Instance Created By Previously Unseen User](/cloud/37a0ec8d-827e-4d6d-8025-cedf31f3a149/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[Cloud Security Groups Modifications by User](/cloud/cfe7cca7-2746-4bdf-b712-b01ed819b9de/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1578.005 Anomaly
[Detect AWS Console Login by User from New Region](/cloud/9f31aa8e-e37c-46bc-bce1-8b3be646d026/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1586, T1586.003, T1535 Hunting
[Detect Spike in AWS Security Hub Alerts for User](/cloud/2a9b80d3-6220-4345-b5ad-290bf5d0d222/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS Security Hub](/sources/b02bfbf3-294f-478e-99a1-e24b8c692d7e) Anomaly
[GCP Kubernetes cluster pod scan detection](/cloud/19b53215-4a16-405b-8087-9e6acf619842/) N/A T1526 Hunting
[Kubernetes AWS detect suspicious kubectl calls](/cloud/042a3d32-8318-4763-9679-09db2644a8f2/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) Anomaly
[O365 Admin Consent Bypassed by Service Principal](/cloud/8a1b22eb-50ce-4e26-a691-97ff52349569/) [O365 Add app role assignment to service principal.](/sources/785ba57a-ba7b-474e-97c8-9474e6e00b3a) T1098.003 TTP
[O365 Excessive Authentication Failures Alert](/cloud/d441364c-349c-453b-b55f-12eccab67cf9/) N/A T1110 Anomaly
[O365 Mailbox Inbox Folder Shared with All Users](/cloud/21421896-a692-4594-9888-5faeb8a53106/) [O365 ModifyFolderPermissions](/sources/0a8c1080-68c2-46d7-8324-2e7d97bb6e2f) T1114, T1114.002 TTP
[Creation of Shadow Copy with wmic and powershell](/endpoint/2ed8b538-d284-449a-be1d-82ad1dbd186b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.003, T1003 TTP
[Disabling ControlPanel](/endpoint/6ae0148e-9215-11eb-a94a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562, T1112 TTP
[Disabling Remote User Account Control](/endpoint/bbc644bc-37df-4e1a-9c88-ec9a53e2038c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1548.002, T1548 TTP
[Get-ForestTrust with PowerShell](/endpoint/584f4884-0bf1-11ec-a5ec-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1482 TTP
[GetWmiObject Ds Group with PowerShell Script Block](/endpoint/67740bd3-1506-469c-b91d-effc322cc6e5/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.002 TTP
[IcedID Exfiltrated Archived File Creation](/endpoint/0db4da70-f14b-11eb-8043-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Hunting
[Linux Deletion Of Init Daemon Script](/endpoint/729aab57-d26f-4156-b97f-ab8dda8f44b1/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 TTP
[Linux Deletion of SSL Certificate](/endpoint/839ab790-a60a-4f81-bfb3-02567063f615/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 Anomaly
[Linux Service Restarted](/endpoint/084275ba-61b8-11ec-8d64-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.006, T1053 Anomaly
[Linux Setuid Using Chmod Utility](/endpoint/bf0304b6-6250-11ec-9d7c-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.001, T1548 Anomaly
[Network Traffic to Active Directory Web Services Protocol](/endpoint/68a0056c-34cb-455f-b03d-df935ea62c4f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 Hunting
[Nishang PowershellTCPOneLine](/endpoint/1a382c6c-7c2e-11eb-ac69-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059, T1059.001 TTP
[Office Product Spawning Rundll32 with no DLL](/endpoint/c661f6be-a38c-11eb-be57-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[Powershell Fileless Process Injection via GetProcAddress](/endpoint/a26d9db4-c883-11eb-9d75-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1055, T1059.001 TTP
[PowerShell Loading DotNET into Memory via Reflection](/endpoint/85bc3f30-ca28-11eb-bd21-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 TTP
[Powershell Remove Windows Defender Directory](/endpoint/adf47620-79fa-11ec-b248-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1562.001, T1562 TTP
[PowerShell Start or Stop Service](/endpoint/04207f8a-e08d-4ee6-be26-1e0c4488b04a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001 Anomaly
[Print Spooler Adding A Printer Driver](/endpoint/313681a2-da8e-11eb-adad-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Printservice 316](/sources/12f0be8b-22c0-4fdf-9468-b7ccca824d1d) T1547.012, T1547 TTP
[Process Kill Base On File Path](/endpoint/5ffaa42c-acdb-11eb-9ad3-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 TTP
[Recon Using WMI Class](/endpoint/018c1972-ca07-11eb-9473-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1592, T1059.001 Anomaly
[Registry Keys Used For Privilege Escalation](/endpoint/c9f4b923-f8af-4155-b697-1354f5bcbc5e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1546.012, T1546 TTP
[SilentCleanup UAC Bypass](/endpoint/56d7cfcc-da63-11eb-92d4-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548.002, T1548 TTP
[SLUI Spawning a Process](/endpoint/879c4330-b3e0-11eb-b1b1-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1548.002, T1548 TTP
[Suspicious writes to windows Recycle Bin](/endpoint/b5541828-8ffd-4070-9d95-b3da4de924cb/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1036 TTP
[Windows AD Domain Controller Promotion](/endpoint/e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4742](/sources/ea830adf-5450-489a-bcdc-fb8d2cbe674c) T1207 TTP
[Windows AD Privileged Object Access Activity](/endpoint/dc2f58bc-8cd2-4e51-962a-694b963acde0/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4662](/sources/f3c2cd64-0b5f-4013-8201-35dc03828ec6) T1087, T1087.002 TTP
[Windows Application Layer Protocol RMS Radmin Tool Namedpipe](/endpoint/b62a6040-49f4-47c8-b3f6-fc1adb952a33/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 17](/sources/08924246-c8e8-4c95-a9fc-633c43cc82df), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 18](/sources/37eb3554-214e-4e66-af10-c3ffc5b8ca82) T1071 TTP
[Windows Common Abused Cmd Shell Risk Behavior](/endpoint/e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a/) N/A T1222, T1049, T1033, T1529, T1016, T1059 Correlation
[Windows Computer Account With SPN](/endpoint/9a3e57e7-33f4-470e-b25d-165baa6e8357/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4741](/sources/ef87257f-e7d1-4856-abae-097b2cfdcdb4) T1558 TTP
[Windows Credentials from Password Stores Chrome Extension Access](/endpoint/2e65afe0-9a75-4487-bd87-ada9a9f1b9af/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1012 Anomaly
[Windows Credentials from Password Stores Creation](/endpoint/c0c5a479-bf57-4ca0-af3a-4c7081e5ba05/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1555 TTP
[Windows Diskshadow Proxy Execution](/endpoint/58adae9e-8ea3-11ec-90f6-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218 TTP
[Windows File Share Discovery With Powerview](/endpoint/a44c0be1-d7ab-41e4-92fd-aa9af4fe232c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1135 TTP
[Windows High File Deletion Frequency](/endpoint/45b125c4-866f-11eb-a95a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 23](/sources/5ea2721d-f60c-4f48-a047-47d514e327c3) T1485 Anomaly
[Windows Impair Defenses Disable Win Defender Auto Logging](/endpoint/76406a0f-f5e0-4167-8e1f-337fdc0f1b0c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 Anomaly
[Windows InstallUtil Credential Theft](/endpoint/ccfeddec-43ec-11ec-b494-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1218.004, T1218 TTP
[Windows Linked Policies In ADSI Discovery](/endpoint/510ea428-4731-4d2f-8829-a28293e427aa/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087.002, T1087 Anomaly
[Windows PowerShell Export Certificate](/endpoint/5e38ded4-c964-41f4-8cb6-4a1a53c6929f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1552.004, T1552, T1649 Anomaly
[Windows Vulnerable Driver Loaded](/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 6](/sources/eadc297a-c20c-45a1-8fac-74ad54019767) T1543.003 Hunting
[WinEvent Scheduled Task Created to Spawn Shell](/endpoint/203ef0ea-9bd8-11eb-8201-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) T1053.005, T1053 TTP
[Detect hosts connecting to dynamic domain providers](/network/a1e761ac-1344-4dbd-88b2-3f34c912d359/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1189 TTP
[Windows AD Rogue Domain Controller Network Activity](/network/c4aeeeef-da7f-4338-b3ba-553cbcbe2138/) N/A T1207 TTP
[Ivanti Connect Secure System Information Access via Auth Bypass](/web/d51c13dd-a232-4c83-a2bb-72ab36233c5d/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 Anomaly
[Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078](/web/66b9c9ba-7fb2-4e80-a3a2-496e5e078167/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190, T1133 TTP
[Splunk Absolute Path Traversal Using runshellscript](/application/356bd3fe-f59b-4f64-baa1-51495411b7ad/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1083 Hunting
[AWS Defense Evasion Update Cloudtrail](/cloud/7c921d28-ef48-4f1b-85b3-0af8af7697db/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail UpdateTrail](/sources/d5b7a1eb-711a-4c96-aa93-235fe3c8a939) T1562, T1562.008 TTP
[Cloud Provisioning Activity From Previously Unseen Region](/cloud/5aba1860-9617-4af9-b19d-aecac16fe4f2/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078 Anomaly
[Detect New Open GCP Storage Buckets](/cloud/f6ea3466-d6bb-11ea-87d0-0242ac130003/) N/A T1530 TTP
[GitHub Actions Disable Security Workflow](/cloud/0459f1a5-c0ac-4987-82d6-65081209f854/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [GitHub](/sources/88aa4632-3c3e-43f6-a00a-998d71f558e3) T1195.002, T1195 Anomaly
[Kubernetes Anomalous Inbound Network Activity from Process](/cloud/10442d8b-0701-4c25-911d-d67b906e713c/) N/A T1204 Anomaly
[O365 Advanced Audit Disabled](/cloud/49862dd4-9cb2-4c48-a542-8c8a588d9361/) [O365 Change user license.](/sources/1029a20d-3d0d-4fb9-b5e2-22ac5380b20a) T1562, T1562.008 TTP
[O365 Excessive SSO logon errors](/cloud/8158ccc4-6038-11eb-ae93-0242ac130002/) [O365 UserLoginFailed](/sources/6099b33d-d581-43ed-8401-911862590361) T1556 Anomaly
[7zip CommandLine To SMB Share Path](/endpoint/01d29b48-ff6f-11eb-b81e-acde48001123/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1560.001, T1560 Hunting
[Allow File And Printing Sharing In Firewall](/endpoint/ce27646e-d411-11eb-8a00-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.007, T1562 TTP
[Change Default File Association](/endpoint/462d17d8-1f71-11ec-ad07-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1546.001, T1546 TTP
[Hide User Account From Sign-In Screen](/endpoint/834ba832-ad89-11eb-937d-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Linux Deletion Of Services](/endpoint/b509bbd3-0331-4aaa-8e4a-d2affe100af6/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 TTP
[Linux Doas Conf File Creation](/endpoint/f6343e86-6e09-11ec-9376-acde48001122/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1548.003, T1548 Anomaly
[Linux NOPASSWD Entry In Sudoers File](/endpoint/ab1e0d52-624a-11ec-8e0b-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Anomaly
[Linux Possible Cronjob Modification With Editor](/endpoint/dcc89bde-5f24-11ec-87ca-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1053.003, T1053 Hunting
[Linux Sudo OR Su Execution](/endpoint/4b00f134-6d6a-11ec-a90c-acde48001122/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1548.003, T1548 Hunting
[MacOS LOLbin](/endpoint/58d270fb-5b39-418e-a855-4b8ac046805e/) N/A T1059.004, T1059 TTP
[NLTest Domain Trust Discovery](/endpoint/c3e05466-5f22-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1482 TTP
[Office Product Spawning CertUtil](/endpoint/6925fe72-a6d5-11eb-9e17-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1566, T1566.001 TTP
[PowerShell Enable PowerShell Remoting](/endpoint/40e3b299-19a5-4460-96e9-e1467f714f8e/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1059 Anomaly
[PowerShell Start-BitsTransfer](/endpoint/39e2605a-90d8-11eb-899e-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1197 TTP
[Reg exe Manipulating Windows Services Registry Keys](/endpoint/8470d755-0c13-45b3-bd63-387a373c10cf/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.011, T1574 TTP
[Registry Keys for Creating SHIM Databases](/endpoint/f5f6af30-7aa7-4295-bfe9-07fe87c01bbb/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1546.011, T1546 TTP
[Remote Process Instantiation via WMI and PowerShell](/endpoint/112638b4-4634-11ec-b9ab-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[Remote WMI Command Attempt](/endpoint/272df6de-61f1-4784-877c-1fbc3e2d0838/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[Scheduled Task Deleted Or Created via CMD](/endpoint/d5af132c-7c17-439c-9d31-13d55340f36c/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1053 TTP
[Spoolsv Writing a DLL - Sysmon](/endpoint/347fd388-da87-11eb-836d-acde48001122/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1547.012, T1547 TTP
[Suspicious Computer Account Name Change](/endpoint/35a61ed8-61c4-11ec-bc1e-acde48001122/) [Windows Event Log Security 4781](/sources/9732ffe7-ebce-4557-865c-1725a0f633cb) T1078, T1078.002 TTP
[Windows ConHost with Headless Argument](/endpoint/d5039508-998d-4cfc-8b5e-9dcd679d9a62/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1564.003, T1564.006 TTP
[Windows Defender ASR Audit Events](/endpoint/0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea/) [Windows Event Log Defender 1122](/sources/4a2d0499-f489-4557-82f4-f357025cf3e7) T1059, T1566.001, T1566.002 Anomaly
[Windows Find Domain Organizational Units with GetDomainOU](/endpoint/0ada2f82-b7af-40cc-b1d7-1e5985afcb4e/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.002 TTP
[Windows Known Abused DLL Created](/endpoint/ea91651a-772a-4b02-ac3d-985b364a5f07/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1574.001, T1574.002, T1574 Anomaly
[Windows Modify Registry Suppress Win Defender Notif](/endpoint/e3b42daf-fff4-429d-bec8-2a199468cea9/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows PowerShell WMI Win32 ScheduledJob](/endpoint/47c69803-2c09-408b-b40a-063c064cbb16/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059.001, T1059 TTP
[Windows Scheduled Task Created Via XML](/endpoint/7e03b682-3965-4598-8e91-a60a40a3f7e4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1053 TTP
[Windows SqlWriter SQLDumper DLL Sideload](/endpoint/2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002 TTP
[Windows System Discovery Using Qwinsta](/endpoint/2e765c1b-144a-49f0-93d0-1df4287cca04/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[Windows System Network Config Discovery Display DNS](/endpoint/e24f0a0e-41a9-419f-9999-eacab15efc36/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1016 Anomaly
[Windows System Network Connections Discovery Netsh](/endpoint/abfb7cc5-c275-4a97-9029-62cd8d4ffeca/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1049 Anomaly
[Remote Desktop Network Bruteforce](/network/a98727cc-286b-4ff2-b898-41df64695923/) N/A T1021.001, T1021 TTP
[Adobe ColdFusion Unauthenticated Arbitrary File Read](/web/695aceae-21db-4e7f-93ac-a52e39d02b93/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Ivanti Sentry Authentication Bypass](/web/b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[WordPress Bricks Builder plugin RCE](/web/56a8771a-3fda-4959-b81d-2f266e2f679f/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190 TTP
[Zscaler Behavior Analysis Threat Blocked](/web/289ad59f-8939-4331-b805-f2bd51d36fb8/) N/A T1566 Anomaly
[Zscaler Virus Download threat blocked](/web/aa19e627-d448-4a31-85cd-82068dec5691/) N/A T1566 Anomaly
[CrushFTP Server Side Template Injection](/application/ccf6b7a3-bd39-4bc9-a949-143a8d640dbc/) [CrushFTP](/sources/8a42ace5-e4c8-4653-80cf-1b8e7e6024ef) T1190 TTP
[Email Attachments With Lots Of Spaces](/application/56e877a6-1455-4479-ada6-0550dc1e22f8/) N/A Anomaly
[Splunk App for Lookup File Editing RCE via User XSLT](/application/a053e6a6-2146-483a-9798-2d43652f3299/) N/A T1210 Hunting
[Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature](/application/baa41f09-df48-4375-8991-520beea161be/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1210 Hunting
[Splunk RCE via User XSLT](/application/6cb7e011-55fb-48e3-a98d-164fa854e37e/) N/A T1210 Hunting
[Abnormally High Number Of Cloud Instances Launched](/cloud/f2361e9f-3928-496c-a556-120cd4223a65/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078.004, T1078 Anomaly
[AWS CreateLoginProfile](/cloud/2a9b80d3-6340-4345-11ad-212bf444d111/) [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae), [AWS CloudTrail CreateLoginProfile](/sources/0024fdb1-0d62-4449-970a-746952cf80b6) T1136.003, T1136 TTP
[AWS Credential Access Failed Login](/cloud/a19b354d-0d7f-47f3-8ea6-1a7c36434968/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1586, T1586.003, T1110, T1110.001 TTP
[AWS Cross Account Activity From Previously Unseen Account](/cloud/21193641-cb96-4a2c-a707-d9b9a7f7792b/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) Anomaly
[AWS SetDefaultPolicyVersion](/cloud/2a9b80d3-6340-4345-11ad-212bf3d0dac4/) [AWS CloudTrail SetDefaultPolicyVersion](/sources/06e0b5a0-8d36-485e-befc-4ae79d77ef6c) T1078.004, T1078 TTP
[Azure AD New MFA Method Registered](/cloud/0488e814-eb81-42c3-9f1f-b2244973e3a3/) [Azure Active Directory Update user](/sources/5495c90a-047c-4b8e-b2fe-1db6282d3872) T1098, T1098.005 TTP
[Cloud Provisioning Activity From Previously Unseen City](/cloud/e7ecc5e0-88df-48b9-91af-51104c68f02f/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078 Anomaly
[Cloud Provisioning Activity From Previously Unseen IP Address](/cloud/f86a8ec9-b042-45eb-92f4-e9ed1d781078/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078 Anomaly
[Detect AWS Console Login by User from New Country](/cloud/67bd3def-c41c-4bf6-837b-ae196b4257c6/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1586, T1586.003, T1535 Hunting
[GSuite Email Suspicious Attachment](/cloud/6d663014-fe92-11eb-ab07-acde48001122/) [G Suite Gmail](/sources/706c3978-41de-406b-b6e0-75bd01e12a5d) T1566.001, T1566 Anomaly
[Kubernetes DaemonSet Deployed](/cloud/bf39c3a3-b191-4d42-8738-9d9797bd0c3a/) [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1204 Anomaly
[O365 PST export alert](/cloud/5f694cc4-a678-4a60-9410-bffca1b647dc/) [O365](/sources/b32de97d-0074-4cca-853c-db22c392b6c0) T1114 TTP
[Disabling CMD Application](/endpoint/ff86077c-9212-11eb-a1e6-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562, T1112 TTP
[Executable File Written in Administrative SMB Share](/endpoint/f63c34fe-a435-11eb-935a-acde48001122/) [Windows Event Log Security 5145](/sources/0746479b-7b82-4d7e-8811-0b35da00f798) T1021, T1021.002 TTP
[Kerberoasting spn request with RC4 encryption](/endpoint/5cc67381-44fa-4111-8a37-7a230943f027/) [Windows Event Log Security 4769](/sources/358d5520-f40b-4fa2-b799-966c030cb731) T1558, T1558.003 TTP
[Linux Deleting Critical Directory Using RM Command](/endpoint/33f89303-cc6f-49ad-921d-2eaea38a6f7a/) [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1485 TTP
[Linux File Creation In Profile Directory](/endpoint/46ba0082-61af-11ec-9826-acde48001122/) [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1546.004, T1546 Anomaly
[Msmpeng Application DLL Side Loading](/endpoint/8bb3f280-dd9b-11eb-84d5-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.002, T1574 TTP
[NET Profiler UAC bypass](/endpoint/0252ca80-e30d-11eb-8aa3-acde48001122/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1548.002, T1548 TTP
[Network Connection Discovery With Arp](/endpoint/ae008c0f-83bd-4ed4-9350-98d4328e15d2/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1049 Hunting
[Office Document Creating Schedule Task](/endpoint/cc8b7b74-9d0f-11eb-8342-acde48001122/) [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1566, T1566.001 TTP
[Powershell Processing Stream Of Data](/endpoint/0d718b52-c9f1-11eb-bc61-acde48001122/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 TTP
[Prevent Automatic Repair Mode using Bcdedit](/endpoint/7742aa92-c9d9-11eb-bbfc-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1490 TTP
[Spike in File Writes](/endpoint/fdb0f805-74e4-4539-8c00-618927333aae/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) Anomaly
[Suspicious Copy on System32](/endpoint/ce633e56-25b2-11ec-9e76-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036.003, T1036 TTP
[Suspicious Driver Loaded Path](/endpoint/f880acd4-a8f1-11eb-a53b-acde48001122/) [Sysmon EventID 6](/sources/eadc297a-c20c-45a1-8fac-74ad54019767) T1543.003, T1543 TTP
[Suspicious PlistBuddy Usage](/endpoint/c3194009-e0eb-4f84-87a9-4070f8688f00/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1543.001, T1543 TTP
[Suspicious Process With Discord DNS Query](/endpoint/4d4332ae-792c-11ec-89c1-acde48001122/) [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1059.005, T1059 Anomaly
[Trickbot Named Pipe](/endpoint/1804b0a4-a682-11eb-8f68-acde48001122/) [Sysmon EventID 17](/sources/08924246-c8e8-4c95-a9fc-633c43cc82df), [Sysmon EventID 18](/sources/37eb3554-214e-4e66-af10-c3ffc5b8ca82) T1055 TTP
[W3WP Spawning Shell](/endpoint/0f03423c-7c6a-11eb-bc47-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1505, T1505.003 TTP
[Windows AD Replication Request Initiated by User Account](/endpoint/51307514-1236-49f6-8686-d46d93cc2821/) [Windows Event Log Security 4662](/sources/f3c2cd64-0b5f-4013-8201-35dc03828ec6) T1003.006, T1003 TTP
[Windows Alternate DataStream - Process Execution](/endpoint/30c32c5c-41fe-45db-84fe-275e4320da3f/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1564, T1564.004 TTP
[Windows Autostart Execution LSASS Driver Registry Modification](/endpoint/57fb8656-141e-4d8a-9f51-62cff4ecb82a/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1547.008 TTP
[Windows Computer Account Requesting Kerberos Ticket](/endpoint/fb3b2bb3-75a4-4279-848a-165b42624770/) [Windows Event Log Security 4768](/sources/4a5fd6ed-66bd-4f34-bc74-51c00c73c298) T1558 TTP
[Windows Credentials from Password Stores Deletion](/endpoint/46d676aa-40c6-4fe6-b917-d23b621f0f89/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1555 TTP
[Windows Credentials in Registry Reg Query](/endpoint/a8b3124e-2278-4b73-ae9c-585117079fb2/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1552.002, T1552 Anomaly
[Windows Deleted Registry By A Non Critical Process File Path](/endpoint/15e70689-f55b-489e-8a80-6d0cd6d8aad2/) [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Enable Win32 ScheduledJob via Registry](/endpoint/12c80db8-ef62-4456-92df-b23e1b3219f6/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1053.005 Anomaly
[Windows Export Certificate](/endpoint/d8ddfa9b-b724-4df9-9dbe-f34cc0936714/) [Windows Event Log CertificateServicesClient 1007](/sources/c51444e3-479d-4c4a-b111-e8276a3acf39) T1552.004, T1552, T1649 Anomaly
[Windows Forest Discovery with GetForestDomain](/endpoint/a14803b2-4bd9-4c08-8b57-c37980edebe8/) [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.002 TTP
[Windows Modify Registry DisableRemoteDesktopAntiAlias](/endpoint/4927c6f1-4667-42e6-bd7a-f5222116386b/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Modify Registry DontShowUI](/endpoint/4ff9767b-fdf2-489c-83a5-c6c34412d72e/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows Modify Registry USeWuServer](/endpoint/c427bafb-0b2c-4b18-ad85-c03c6fed9e75/) [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Hunting
[Windows Multiple Users Failed To Authenticate Using Kerberos](/endpoint/3a91a212-98a9-11eb-b86a-acde48001122/) [Windows Event Log Security 4771](/sources/418debbb-adf3-48ec-9efd-59d45f8861e5) T1110.003, T1110 TTP
[Windows Processes Killed By Industroyer2 Malware](/endpoint/d8bea5ca-9d4a-4249-8b56-64a619109835/) [Sysmon EventID 5](/sources/556471bf-44fa-44e6-97e2-eb25416aeb6d) T1489 Anomaly
[Windows Service Stop By Deletion](/endpoint/196ff536-58d9-4d1b-9686-b176b04e430b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1489 TTP
[Windows Service Stop Via Net and SC Application](/endpoint/827af04b-0d08-479b-9b84-b7d4644e4b80/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1489 Anomaly
[Windows Steal Authentication Certificates CryptoAPI](/endpoint/905d5692-6d7c-432f-bc7e-a6b4f464d40e/) [Windows Event Log CAPI2 70](/sources/821de0a6-c5b4-491b-a27e-187552792817) T1649 Anomaly
[Windows User Execution Malicious URL Shortcut File](/endpoint/5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1204.002, T1204 TTP
[Windows WMI Process Call Create](/endpoint/0661c2de-93de-11ec-9833-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 Hunting
[WinEvent Scheduled Task Created Within Public Path](/endpoint/5d9c6eee-988c-11eb-8253-acde48001122/) [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) T1053.005, T1053 TTP
[Multiple Archive Files Http Post Traffic](/network/4477f3ea-a28f-11eb-b762-acde48001122/) [Splunk Stream HTTP](/sources/b0070a33-92ed-49e5-8f38-576cdf300710) T1048.003, T1048 TTP
[Cisco IOS XE Implant Access](/web/07c36cda-6567-43c3-bc1a-89dff61e2cd9/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198](/web/fbcc04c7-8a79-453c-b3a9-c232c423bdd3/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Log4Shell JNDI Payload Injection with Outbound Connection](/web/69afee44-5c91-11ec-bf1f-497c9a704a72/) N/A T1190, T1133 Anomaly
[Nginx ConnectWise ScreenConnect Authentication Bypass](/web/b3f7a803-e802-448b-8eb2-e796b223bccc/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1190 TTP
[Windows Exchange Autodiscover SSRF Abuse](/web/d436f9e7-0ee7-4a47-864b-6dea2c4e2752/) [Windows IIS](/sources/469335b3-b6ad-49e2-bbe6-47e15c1464a7) T1190, T1133 TTP
[Email files written outside of the Outlook directory](/application/8d52cf03-ba25-4101-aa78-07994aed4f74/) [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1114, T1114.001 TTP
[No Windows Updates in a time frame](/application/1a77c08c-2f56-409c-a2d3-7d64617edd4f/) N/A Hunting
[Okta Phishing Detection with FastPass Origin Check](/application/f4ca0057-cbf3-44f8-82ea-4e330ee901d3/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1078, T1078.001, T1556 TTP
[Splunk Account Discovery Drilldown Dashboard Disclosure](/application/f844c3f6-fd99-43a2-ba24-93e35fe84be6/) N/A T1087 TTP
[Splunk Command and Scripting Interpreter Risky SPL MLTK](/application/19d0146c-2eae-4e53-8d39-1198a78fa9ca/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1059 Anomaly
[Splunk Edit User Privilege Escalation](/application/39e1c326-67d7-4c0d-8584-8056354f6593/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1548 Hunting
[Splunk RBAC Bypass On Indexing Preview REST Endpoint](/application/bbe26f95-1655-471d-8abd-3d32fafa86f8/) [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1134 Hunting
[Amazon EKS Kubernetes cluster scan detection](/cloud/294c4686-63dd-4fe6-93a2-ca807626704a/) N/A T1526 Hunting
[AWS Defense Evasion Stop Logging Cloudtrail](/cloud/8a2f3ca2-4eb5-4389-a549-14063882e537/) [AWS CloudTrail StopLogging](/sources/c5de7c54-4809-4659-bf9f-3bacf8bdfd35) T1562.008, T1562 TTP
[aws detect role creation](/cloud/5f04081e-ddee-4353-afe4-504f288de9ad/) N/A T1078 Hunting
[AWS ECR Container Scanning Findings Low Informational Unknown](/cloud/cbc95e44-7c22-443f-88fd-0424478f5589/) [AWS CloudTrail DescribeImageScanFindings](/sources/688ea789-9ba2-4970-90a2-17e541e273c9) T1204.003, T1204 Anomaly
[AWS Exfiltration via Anomalous GetObject API Activity](/cloud/e4384bbf-5835-4831-8d85-694de6ad2cc6/) [AWS CloudTrail GetObject](/sources/5063cb10-84c0-44af-ade4-ab9ecad11dfe) T1119 Anomaly
[AWS Multi-Factor Authentication Disabled](/cloud/374832b1-3603-420c-b456-b373e24d34c0/) [AWS CloudTrail DeactivateMFADevice](/sources/7397a10b-1150-4de9-8062-a96454ae53b2), [AWS CloudTrail DeleteVirtualMFADevice](/sources/84a08d6b-3d59-4260-8cab-84278ada262f) T1586, T1586.003, T1621, T1556, T1556.006 TTP
[AWS Network Access Control List Deleted](/cloud/ada0f478-84a8-4641-a3f1-d82362d6fd75/) [AWS CloudTrail DeleteNetworkAclEntry](/sources/a0dd0f10-cc03-425d-bd5a-e1e0d954b856) T1562.007, T1562 Anomaly
[Cloud API Calls From Previously Unseen User Roles](/cloud/2181ad1f-1e73-4d0c-9780-e8880482a08f/) [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1078 Anomaly
[Gsuite Email Suspicious Subject With Attachment](/cloud/8ef3971e-00f2-11ec-b54f-acde48001122/) [G Suite Gmail](/sources/706c3978-41de-406b-b6e0-75bd01e12a5d) T1566.001, T1566 Anomaly
[Kubernetes newly seen TCP edge](/cloud/13f081d6-7052-428a-bbb0-892c79ca7c65/) N/A T1204 Anomaly
[O365 Bypass MFA via Trusted IP](/cloud/c783dd98-c703-4252-9e8a-f19d9f66949e/) [O365 Set Company Information.](/sources/06c6d576-f032-41e3-b15d-80a434ce13d8) T1562.007, T1562 TTP
[O365 New MFA Method Registered](/cloud/4e12db1f-f7c7-486d-8152-a221cad6ac2b/) [O365 Update user.](/sources/a05fd01e-34d9-4233-9089-11272416b531) T1098, T1098.005 TTP
[Child Processes of Spoolsv exe](/endpoint/aa0c4aeb-5b18-41c4-8c07-f1442d7599df/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1068 TTP
[Detect New Local Admin account](/endpoint/b25f6f62-0712-43c1-b203-083231ffd97d/) [Windows Event Log Security 4720](/sources/7ef1c9e5-691b-48c2-811b-eba91d2d2f1d), [Windows Event Log Security 4732](/sources/b0d61c5d-aefe-486a-9152-de45cc10fbb4) T1136.001, T1136 TTP
[Detect SharpHound Command-Line Arguments](/endpoint/a0bdd2f6-c2ff-11eb-b918-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 TTP
[Detect SharpHound File Modifications](/endpoint/42b4b438-beed-11eb-ba1d-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 TTP
[Detect WMI Event Subscription Persistence](/endpoint/01d9a0c2-cece-11eb-ab46-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 20](/sources/aeee5374-3203-4286-b744-a8cc4ad1cd7e) T1546.003, T1546 TTP
[Disabling Task Manager](/endpoint/dac279bc-9202-11eb-b7fb-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Domain Controller Discovery with Nltest](/endpoint/41243735-89a7-4c83-bcdd-570aa78f00a1/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 TTP
[Enumerate Users Local Group Using Telegram](/endpoint/fcd74532-ae54-11eb-a5ab-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4798](/sources/29e97f72-eb2e-400e-b0c9-81277547e43b) T1087 TTP
[Excessive Usage of NSLOOKUP App](/endpoint/0a69fdaa-a2b8-11eb-b16d-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1048 Anomaly
[GetDomainGroup with PowerShell Script Block](/endpoint/09725404-a44f-4ed3-9efa-8ed5d69e4c53/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1069, T1069.002 TTP
[GetWmiObject User Account with PowerShell Script Block](/endpoint/640b0eda-0429-11ec-accd-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087, T1087.001, T1059.001 Hunting
[ICACLS Grant Command](/endpoint/b1b1e316-accc-11eb-a9b4-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1222 TTP
[Linux Add Files In Known Crontab Directories](/endpoint/023f3452-5f27-11ec-bf00-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1053.003, T1053 Anomaly
[Linux Insert Kernel Module Using Insmod Utility](/endpoint/18b5a1a0-6326-11ec-943a-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1547.006, T1547 Anomaly
[Linux Install Kernel Module Using Modprobe Utility](/endpoint/387b278a-6326-11ec-aa2c-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1547.006, T1547 Anomaly
[Linux Possible Ssh Key File Creation](/endpoint/c04ef40c-72da-11ec-8eac-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1098.004, T1098 Anomaly
[Process Creating LNK file in Suspicious Location](/endpoint/5d814af1-1041-47b5-a9ac-d754e82e9a26/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566, T1566.002 TTP
[Schedule Task with HTTP Command Arguments](/endpoint/523c2684-a101-11eb-916b-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) T1053 TTP
[Schedule Task with Rundll32 Command Trigger](/endpoint/75b00fd8-a0ff-11eb-8b31-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4698](/sources/32c06703-02d3-47ec-8856-b0dc3045866c) T1053 TTP
[System User Discovery With Whoami](/endpoint/894fc43e-6f50-47d5-a68b-ee9ee23e18f4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[Unload Sysmon Filter Driver](/endpoint/e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 TTP
[Windows AppLocker Block Events](/endpoint/e369afe8-cd35-47a3-9c1e-d813efc1f7dd/) N/A T1218 Anomaly
[Windows BootLoader Inventory](/endpoint/4f7e3913-4db3-4ccd-afe4-31198982305d/) N/A T1542.001, T1542 Hunting
[Windows Command and Scripting Interpreter Hunting Path Traversal](/endpoint/d0026380-b3c4-4da0-ac8e-02790063ff6b/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 Hunting
[Windows Hijack Execution Flow Version Dll Side Load](/endpoint/8351340b-ac0e-41ec-8b07-dd01bf32d6ea/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.001, T1574 Anomaly
[Windows IIS Components Module Failed to Load](/endpoint/40c2ba5b-dd6a-496b-9e6e-c9524d0be167/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Application 2282](/sources/4490537e-5e0c-46f7-9209-f56f852aa237) T1505, T1505.004 Anomaly
[Windows Impair Defense Change Win Defender Health Check Intervals](/endpoint/5211c260-820e-4366-b983-84bbfb5c263a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Modify Registry Default Icon Setting](/endpoint/a7a7afdb-3c58-45b6-9bff-63e5acfd9d40/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry No Auto Update](/endpoint/fbd4f333-17bb-4eab-89cb-860fa2e0600e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry Risk Behavior](/endpoint/5eb479b1-a5ea-4e01-8365-780078613776/) N/A T1112 Correlation
[Windows Modify Registry WuServer](/endpoint/a02ad386-e26d-44ce-aa97-6a46cee31439/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Hunting
[Windows Suspect Process With Authentication Traffic](/endpoint/953322db-128a-4ce9-8e89-56e039e33d98/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 3](/sources/01d84dff-4e26-422c-9389-6a579ee6e75b) T1087, T1087.002, T1204, T1204.002 Anomaly
[WMI Recon Running Process Or Services](/endpoint/b5cd5526-cce7-11eb-b3bd-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1592 Anomaly
[DNS Query Length With High Standard Deviation](/network/1a67f15a-f4ff-4170-84e9-08cf6f75d6f5/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1048.003, T1048 Anomaly
[Hosts receiving high volume of network traffic from email server](/network/7f5fb3e1-4209-4914-90db-0ec21b556368/) N/A T1114.002, T1114 Anomaly
[Large Volume of DNS ANY Queries](/network/8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb/) N/A T1498, T1498.002 Anomaly
[Web JSP Request via URL](/web/2850c734-2d44-4431-8139-1a56f6f54c01/) [Nginx Access](/sources/c716a418-eab3-4df5-9dff-5420174e3068) T1505.003, T1505, T1190, T1133 TTP
[Zscaler Adware Activities Threat Blocked](/web/3407b250-345a-4d71-80db-c91e555a3ece/) N/A T1566 Anomaly
[Detect New Login Attempts to Routers](/application/bce3ed7c-9b1f-42a0-abdf-d8b123a34836/) N/A TTP
[Splunk Improperly Formatted Parameter Crashes splunkd](/application/08978eca-caff-44c1-84dc-53f17def4e14/) N/A T1499 TTP
[AWS Defense Evasion Delete Cloudtrail](/cloud/82092925-9ca1-4e06-98b8-85a2d3889552/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail DeleteTrail](/sources/a5af09ff-07b6-4df6-92a0-2146bfe402c8) T1562.008, T1562 TTP
[aws detect sts get session token abuse](/cloud/85d7b35f-b8b5-4b01-916f-29b81e7a0551/) N/A T1550 Hunting
[AWS Network Access Control List Created with All Open Ports](/cloud/ada0f478-84a8-4641-a3f1-d82362d6bd75/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail CreateNetworkAclEntry](/sources/45934028-10ec-4ab5-a7b1-a6349b833e67), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ReplaceNetworkAclEntry](/sources/db0c240e-3754-40e4-86ef-cde018ee9f65) T1562.007, T1562 TTP
[Cloud Compute Instance Created With Previously Unseen Instance Type](/cloud/c6ddbf53-9715-49f3-bb4c-fb2e8a309cda/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) Anomaly
[Detect GCP Storage access from a new IP](/cloud/ccc3246a-daa1-11ea-87d0-0242ac130022/) N/A T1530 Anomaly
[GCP Detect gcploit framework](/cloud/a1c5a85e-a162-410c-a5d9-99ff639e5a52/) N/A T1078 TTP
[Gsuite Suspicious Shared File Name](/cloud/07eed200-03f5-11ec-98fb-acde48001122/) [G Suite Drive](/sources/5f79120f-a235-4468-bd0d-55203758ac22) T1566.001, T1566 Anomaly
[O365 Mail Permissioned Application Consent Granted by User](/cloud/fddad083-cdf5-419d-83c6-baa85e329595/) [O365 Consent to application.](/sources/0a15a464-ef51-4614-9a07-a216eb9817db) T1528 TTP
[O365 Mailbox Folder Read Permission Assigned](/cloud/1435475e-2128-4417-a34f-59770733b0d5/) N/A T1098, T1098.002 TTP
[O365 Mailbox Read Access Granted to Application](/cloud/27ab61c5-f08a-438a-b4d3-325e666490b3/) [O365 Update application.](/sources/62159133-911b-4c63-9e30-a6a8c89195ca) T1114.002, T1114, T1098, T1098.003 TTP
[O365 Privileged Graph API Permission Assigned](/cloud/868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb/) [O365 Update application.](/sources/62159133-911b-4c63-9e30-a6a8c89195ca) T1003.002 TTP
[Detect SharpHound Usage](/endpoint/dd04b29a-beed-11eb-87bc-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 TTP
[Disable Defender Submit Samples Consent Feature](/endpoint/73922ff8-3022-11ec-bf5e-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Disable Registry Tool](/endpoint/cd2cf33c-9201-11eb-a10a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562, T1112 TTP
[Get-ForestTrust with PowerShell Script Block](/endpoint/70fac80e-0bf1-11ec-9ba0-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1482, T1059.001 TTP
[Interactive Session on Remote Endpoint with PowerShell](/endpoint/a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1021, T1021.006 TTP
[Linux Indicator Removal Service File Deletion](/endpoint/6c077f81-2a83-4537-afbc-0e62e3215d55/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1070.004, T1070 Anomaly
[Linux Kworker Process In Writable Process Path](/endpoint/1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1036.004, T1036 Hunting
[Linux Preload Hijack Library Calls](/endpoint/cbe2ca30-631e-11ec-8670-acde48001122/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1574.006, T1574 TTP
[Linux Stop Services](/endpoint/d05204a5-9f1c-4946-a7f3-4fa58d76d5fd/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) T1489 TTP
[MacOS - Re-opened Applications](/endpoint/40bb64f9-f619-4e3d-8732-328d40377c4b/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) TTP
[MSHTML Module Load in Office Product](/endpoint/5f1c168e-118b-11ec-84ff-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1566, T1566.001 TTP
[Office Application Drop Executable](/endpoint/73ce70c4-146d-11ec-9184-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566, T1566.001 TTP
[Powershell Creating Thread Mutex](/endpoint/637557ec-ca08-11eb-bd0a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1027, T1027.005, T1059.001 TTP
[PowerShell Invoke WmiExec Usage](/endpoint/0734bd21-2769-4972-a5f1-78bb1e011224/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1047 TTP
[Remote Process Instantiation via WMI and PowerShell Script Block](/endpoint/2a048c14-4634-11ec-a618-3e22fbd008af/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1047 TTP
[Rundll32 DNSQuery](/endpoint/f1483f5e-ee29-11eb-9d23-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) T1218, T1218.011 TTP
[Samsam Test File Write](/endpoint/493a879d-519d-428f-8f57-a06a0fdc107e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1486 TTP
[Short Lived Windows Accounts](/endpoint/b25f6f62-0782-43c1-b403-083231ffd97d/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 4720](/sources/f01d4758-05c8-4ac4-a9a5-33500dd5eb6c), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 4726](/sources/05e6b2df-b50e-441b-8ac8-565f2e80d62f) T1136.001, T1136 TTP
[Spoolsv Spawning Rundll32](/endpoint/15d905f6-da6b-11eb-ab82-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1547.012, T1547 TTP
[Suspicious Event Log Service Behavior](/endpoint/2b85aa3d-f5f6-4c2e-a081-a09f6e1c2e40/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 1100](/sources/2a25dafa-691e-4cb2-ae59-07a48867ed9a) T1070, T1070.001 Hunting
[Suspicious mshta spawn](/endpoint/4d33a488-5b5f-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Svchost LOLBAS Execution Process Spawn](/endpoint/09e5c72a-4c0d-11ec-aa29-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053, T1053.005 TTP
[System Information Discovery Detection](/endpoint/8e99f89e-ae58-4ebc-bf52-ae0b1a277e72/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1082 TTP
[Uninstall App Using MsiExec](/endpoint/1fca2b28-f922-11eb-b2dd-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.007, T1218 TTP
[Vbscript Execution Using Wscript App](/endpoint/35159940-228f-11ec-8a49-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059.005, T1059 TTP
[Windows Impair Defense Disable Realtime Signature Delivery](/endpoint/ffd99aea-542f-448e-b737-091c1b417274/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Impair Defense Disable Win Defender Gen reports](/endpoint/93f114f6-cb1e-419b-ac3f-9e11a3045e70/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Kerberos Local Successful Logon](/endpoint/8309c3a8-4d34-48ae-ad66-631658214653/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846) T1558 TTP
[Windows Modify Registry Regedit Silent Reg Import](/endpoint/824dd598-71be-4203-bc3b-024f4cda340e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1112 Anomaly
[Windows PowerShell IIS Components WebGlobalModule Usage](/endpoint/33fc9f6f-0ce7-4696-924e-a69ec61a3d57/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1505, T1505.004 Anomaly
[Windows Proxy Via Netsh](/endpoint/c137bfe8-6036-4cff-b77b-4e327dd0a1cf/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1090.001, T1090 Anomaly
[Windows Regsvr32 Renamed Binary](/endpoint/7349a9e9-3cf6-4171-bb0c-75607a8dcd1a/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218.010, T1218 TTP
[Windows Remote Access Software RMS Registry](/endpoint/e5b7b5a9-e471-4be8-8c5d-4083983ba329/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1219 TTP
[Windows Replication Through Removable Media](/endpoint/60df805d-4605-41c8-bbba-57baa6a4eb97/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1091 TTP
[Windows Scheduled Task Service Spawned Shell](/endpoint/d8120352-3b62-4e3c-8cb6-7b47584dd5e8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1059 TTP
[Windows Service Deletion In Registry](/endpoint/daed6823-b51c-4843-a6ad-169708f1323e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1489 Anomaly
[Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint](/web/15838756-f425-43fa-9d88-a7f88063e81a/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Juniper Networks Remote Code Execution Exploit Detection](/web/6cc4cc3d-b10a-4fac-be1e-55d384fc690e/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190, T1105, T1059 TTP
[Okta Suspicious Activity Reported](/application/bfc840f5-c9c6-454c-aa13-b46fd0bf1e79/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1078, T1078.001 TTP
[Splunk XSS via View](/application/9ac2bfea-a234-4a18-9d37-6d747e85c2e4/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1189 Hunting
[ASL AWS Defense Evasion Impair Security Services](/cloud/5029b681-0462-47b7-82e7-f7e3d37f5a2d/) N/A T1562.008, T1562 Hunting
[AWS Lambda UpdateFunctionCode](/cloud/211b80d3-6340-4345-11ad-212bf3d0d111/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1204 Hunting
[AWS S3 Exfiltration Behavior Identified](/cloud/85096389-a443-42df-b89d-200efbb1b560/) N/A T1537 Correlation
[Gdrive suspicious file sharing](/cloud/a7131dae-34e3-11ec-a2de-acde48001122/) N/A T1566 Hunting
[GitHub Pull Request from Unknown User](/cloud/9d7b9100-8878-4404-914e-ca5e551a641e/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [GitHub](/sources/88aa4632-3c3e-43f6-a00a-998d71f558e3) T1195.001, T1195 Anomaly
[Kubernetes Suspicious Image Pulling](/cloud/4d3a17b3-0a6d-4ae0-9421-46623a69c122/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1526 Anomaly
[ConnectWise ScreenConnect Path Traversal](/endpoint/56a3ac65-e747-41f7-b014-dff7423c1dda/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1190 TTP
[Disabling NoRun Windows App](/endpoint/de81bc46-9213-11eb-adc9-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562, T1112 TTP
[GetDomainController with PowerShell Script Block](/endpoint/676b600a-a94d-4951-b346-11329431e6c1/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 TTP
| Name | Data Source | Technique | Type |
|---|---|---|---|
| [GetLocalUser with PowerShell Script Block](/endpoint/2e891cbe-0426-11ec-9c9c-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1087, T1087.001, T1059.001 | Hunting |
| [Hiding Files And Directories With Attrib exe](/endpoint/6e5a3ae4-90a3-462d-9aa6-0119f638c0f1/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1222, T1222.001 | TTP |
| [Malicious PowerShell Process - Execution Policy Bypass](/endpoint/9be56c82-b1cc-4318-87eb-d138afaaca39/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.001 | TTP |
| [MSBuild Suspicious Spawned By Script Process](/endpoint/213b3148-24ea-11ec-93a2-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1127.001, T1127 | TTP |
| [Office Product Spawning Wmic](/endpoint/ffc236d6-a6c9-11eb-95f1-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1566, T1566.001 | TTP |
| [Powershell Enable SMB1Protocol Feature](/endpoint/afed80b2-d34b-11eb-a952-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1027, T1027.005 | TTP |
| [Powershell Remote Thread To Known Windows Process](/endpoint/ec102cb2-a0f5-11eb-9b38-acde48001122/) | [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) | T1055 | TTP |
| [Remote System Discovery with Dsquery](/endpoint/9fb562f4-42f8-4139-8e11-a82edf7ed718/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1018 | Hunting |
| [Resize ShadowStorage volume](/endpoint/bc760ca6-8336-11eb-bcbb-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1490 | TTP |
| [Rundll32 Shimcache Flush](/endpoint/a913718a-25b6-11ec-96d3-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1112 | TTP |
| [SchCache Change By App Connect And Create ADSI Object](/endpoint/991eb510-0fc6-11ec-82d3-acde48001122/) | [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) | T1087.002, T1087 | Anomaly |
| [Screensaver Event Trigger Execution](/endpoint/58cea3ec-1f6d-11ec-8560-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1546, T1546.002 | TTP |
| [Suspicious microsoft workflow compiler rename](/endpoint/f0db4464-55d9-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1036, T1127, T1036.003 | Hunting |
| [Suspicious Process DNS Query Known Abuse Web Services](/endpoint/3cf0dc36-484d-11ec-a6bc-acde48001122/) | [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf) | T1059.005, T1059 | TTP |
| [Time Provider Persistence Registry](/endpoint/5ba382c4-2105-11ec-8d8f-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1547.003, T1547 | TTP |
| [WBAdmin Delete System Backups](/endpoint/cd5aed7e-5cea-11eb-ae93-0242ac130002/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1490 | TTP |
| [Wbemprox COM Object Execution](/endpoint/9d911ce0-c3be-11eb-b177-acde48001122/) | [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) | T1218, T1218.003 | TTP |
| [Windows AdFind Exe](/endpoint/bd3b0187-189b-46c0-be45-f52da2bae67f/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1018 | TTP |
| [Windows Command and Scripting Interpreter Path Traversal Exec](/endpoint/58fcdeb1-728d-415d-b0d7-3ab18a275ec2/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059 | TTP |
| [Windows Credentials from Password Stores Chrome Login Data Access](/endpoint/0d32ba37-80fc-4429-809c-0ba15801aeaf/) | [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) | T1012 | Anomaly |
| [Windows Impair Defense Change Win Defender Tracing Level](/endpoint/fe9391cd-952a-4c64-8f56-727cb0d4f2d4/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1562.001, T1562 | TTP |
| [Windows Impair Defense Delete Win Defender Profile Registry](/endpoint/65d4b105-ec52-48ec-ac46-289d0fbf7d96/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1562.001, T1562 | Anomaly |
| [Windows Indicator Removal Via Rmdir](/endpoint/c4566d2c-b094-48a1-9c59-d66e22065560/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1070 | Anomaly |
| [Windows Modify Registry DisableSecuritySettings](/endpoint/989019b4-b7aa-418a-9a17-2293e91288b6/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | TTP |
| [Windows Modify Registry EnableLinkedConnections](/endpoint/93048164-3358-4af0-8680-aa5f38440516/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | TTP |
| [Windows Modify Registry Tamper Protection](/endpoint/12094335-88fc-4c3a-b55f-e62dd8c93c23/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | TTP |
| [Windows PowerView SPN Discovery](/endpoint/a7093c28-796c-4ebb-9997-e2c18b870837/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1558, T1558.003 | TTP |
| [Windows Privilege Escalation User Process Spawn System Process](/endpoint/c9687a28-39ad-43c6-8bcf-eaf061ba0cbe/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1068, T1548, T1134 | TTP |
| [Windows Process With NamedPipe CommandLine](/endpoint/e64399d4-94a8-11ec-a9da-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1055 | Anomaly |
| [Windows Remote Services Rdp Enable](/endpoint/8fbd2e88-4ea5-40b9-9217-fd0855e08cc0/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1021.001, T1021 | TTP |
| [Windows Service Create Kernel Mode Driver](/endpoint/0b4e3b06-1b2b-4885-b752-cf06d12a90cb/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1543.003, T1543, T1068 | TTP |
| [Windows SIP WinVerifyTrust Failed Trust Validation](/endpoint/6ffc7f88-415b-4278-a80d-b957d6539e1a/) | [Windows Event Log CAPI2 81](/sources/463ff898-8135-4c0e-811e-f8629dfc5027) | T1553.003 | Anomaly |
| [Windows Snake Malware Registry Modification wav OpenWithProgIds](/endpoint/13cf8b79-805d-443c-bf52-f55bd7610dfd/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | TTP |
| [Windows Snake Malware Service Create](/endpoint/64eb091f-8cab-4b41-9b09-8fb4942377df/) | [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) | T1547.006, T1569.002 | TTP |
| [Windows Steal or Forge Kerberos Tickets Klist](/endpoint/09d88404-1e29-46cb-806c-1eedbc85ad5d/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1558 | Hunting |
| [Detect suspicious DNS TXT records using pretrained model in DSDL](/network/92f65c3a-968c-11ed-a1eb-0242ac120002/) | N/A | T1568.002 | Anomaly |
| [Unusually Long Content-Type Length](/network/57a0a2bf-353f-40c1-84dc-29293f3c35b7/) | N/A | | Anomaly |
| [Zscaler Exploit Threat Blocked](/web/94665d8c-b841-4ff4-acb4-34d613e2cbfe/) | N/A | T1566 | TTP |
| [Okta Unauthorized Access to Application](/application/5f661629-9750-4cb9-897c-1f05d6db8727/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1087.004 | Anomaly |
| [AWS CreateAccessKey](/cloud/2a9b80d3-6340-4345-11ad-212bf3d0d111/) | [AWS CloudTrail CreateAccessKey](/sources/0460f7da-3254-4d90-b8c0-2ca657d0cea0) | T1136.003, T1136 | Hunting |
| [aws detect attach to role policy](/cloud/88fc31dd-f331-448c-9856-d3d51dd5d3a1/) | N/A | T1078 | Hunting |
| [AWS ECR Container Scanning Findings High](/cloud/30a0e9f8-f1dd-4f9d-8fc2-c622461d781c/) | [AWS CloudTrail DescribeImageScanFindings](/sources/688ea789-9ba2-4970-90a2-17e541e273c9) | T1204.003, T1204 | TTP |
| [AWS Successful Single-Factor Authentication](/cloud/a520b1fe-cc9e-4f56-b762-18354594c52f/) | [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) | T1586, T1586.003, T1078, T1078.004 | TTP |
| [Azure AD FullAccessAsApp Permission Assigned](/cloud/ae286126-f2ad-421c-b240-4ea83bd1c43a/) | [Azure Active Directory Update application](/sources/2c08188a-ba25-496e-87c7-803cf28b6c90) | T1098.002, T1098.003 | TTP |
| [Detect Spike in blocked Outbound Traffic from your AWS](/cloud/d3fffa37-492f-487b-a35d-c60fcb2acf01/) | N/A | | Anomaly |
| [Kubernetes Access Scanning](/cloud/2f4abe6d-5991-464d-8216-f90f42999764/) | [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) | T1046 | Anomaly |
| [Kubernetes Node Port Creation](/cloud/d7fc865e-b8a1-4029-a960-cf4403b821b6/) | [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) | T1204 | Anomaly |
| [Kubernetes Pod Created in Default Namespace](/cloud/3d6b1a81-367b-42d5-a925-6ef90b6b9f1e/) | [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) | T1204 | Anomaly |
| [O365 High Privilege Role Granted](/cloud/e78a1037-4548-4072-bb1b-ad99ae416426/) | [O365 Add member to role.](/sources/8b949f7c-4b5d-404f-9694-d7403c4ec096) | T1098, T1098.003 | TTP |
| [Detect AzureHound File Modifications](/endpoint/1c34549e-c31b-11eb-996b-acde48001122/) | [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) | T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 | TTP |
| [Detect Certify With PowerShell Script Block Logging](/endpoint/f533ca6c-9440-4686-80cb-7f294c07812a/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1649, T1059, T1059.001 | TTP |
| [Domain Group Discovery with Adsisearcher](/endpoint/089c862f-5f83-49b5-b1c8-7e4ff66560c7/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1069, T1069.002 | TTP |
| [Domain Group Discovery With Wmic](/endpoint/a87736a6-95cd-4728-8689-3c64d5026b3e/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1069, T1069.002 | Hunting |
| [Enable WDigest UseLogonCredential Registry](/endpoint/0c7d8ffe-25b1-11ec-9f39-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112, T1003 | TTP |
| [Excessive File Deletion In WinDefender Folder](/endpoint/b5baa09a-7a05-11ec-8da4-acde48001122/) | [Sysmon EventID 23](/sources/5ea2721d-f60c-4f48-a047-47d514e327c3) | T1485 | TTP |
| [Execute Javascript With Jscript COM CLSID](/endpoint/dc64d064-d346-11eb-8588-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.005 | TTP |
| [GetDomainComputer with PowerShell Script Block](/endpoint/f64da023-b988-4775-8d57-38e512beb56e/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1018 | TTP |
| [Impacket Lateral Movement smbexec CommandLine Parameters](/endpoint/bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1021, T1021.002, T1021.003, T1047, T1543.003 | TTP |
| [Jscript Execution Using Cscript App](/endpoint/002f1e24-146e-11ec-a470-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059, T1059.007 | TTP |
| [Kerberos Pre-Authentication Flag Disabled with PowerShell](/endpoint/59b51620-94c9-11ec-b3d5-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1558, T1558.004 | TTP |
| [Mmc LOLBAS Execution Process Spawn](/endpoint/f6601940-4c74-11ec-b9b7-3e22fbd008af/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1021, T1021.003, T1218.014 | TTP |
| [Office Document Executing Macro Code](/endpoint/b12c89bc-9d06-11eb-a592-acde48001122/) | [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) | T1566, T1566.001 | TTP |
| [Office Document Spawned Child Process To Download](/endpoint/6fed27d2-9ec7-11eb-8fe4-aa665a019aa3/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1566, T1566.001 | TTP |
| [Potentially malicious code on commandline](/endpoint/9c53c446-757e-11ec-871d-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059.003 | Anomaly |
| [PowerShell - Connect To Internet With Hidden Window](/endpoint/ee18ed37-0802-4268-9435-b3b91aaa18db/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1059.001, T1059 | Hunting |
| [PowerShell WebRequest Using Memory Stream](/endpoint/103affa6-924a-4b53-aff4-1d5075342aab/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1059.001, T1105, T1027.011 | TTP |
| [Remote Process Instantiation via DCOM and PowerShell Script Block](/endpoint/fa1c3040-4680-11ec-a618-3e22fbd008af/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1021, T1021.003 | TTP |
| [Remote System Discovery with Net](/endpoint/9df16706-04a2-41e2-bbfe-9b38b34409d3/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1018 | Hunting |
| [Revil Common Exec Parameter](/endpoint/85facebe-c382-11eb-9c3e-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1204 | TTP |
| [Sdclt UAC Bypass](/endpoint/d71efbf6-da63-11eb-8c6e-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1548.002, T1548 | TTP |
| [Suspicious DLLHost no Command Line Arguments](/endpoint/ff61e98c-0337-4593-a78f-72a676c56f26/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1055 | TTP |
| [Suspicious Image Creation In Appdata Folder](/endpoint/f6f904c4-1ac0-11ec-806b-acde48001122/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) | T1113 | TTP |
| [USN Journal Deletion](/endpoint/b6e0ff70-b122-4227-9368-4cf322ab43c3/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1070 | TTP |
| [Windows AD Domain Controller Audit Policy Disabled](/endpoint/fc3ccef1-60a4-4239-bd66-b279511b4d14/) | [Windows Event Log Security 4719](/sources/954033e6-dd05-4775-a1f2-1f19632f4420) | T1562.001 | TTP |
| [Windows AD DSRM Password Reset](/endpoint/d1ab841c-36a6-46cf-b50f-b2b04b31182a/) | [Windows Event Log Security 4794](/sources/ec7da74f-274a-4bde-aa0e-15c68aca0426) | T1098 | TTP |
| [Windows ClipBoard Data via Get-ClipBoard](/endpoint/ab73289e-2246-4de0-a14b-67006c72a893/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1115 | Anomaly |
| [Windows Disable Memory Crash Dump](/endpoint/59e54602-9680-11ec-a8a6-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1485 | TTP |
| [Windows IIS Components New Module Added](/endpoint/55f22929-cfd3-4388-ba5c-4d01fac7ee7e/) | [Windows IIS 29](/sources/1d99ddd7-7fec-4dea-bf4f-1f4906142328) | T1505, T1505.004 | TTP |
| [Windows Modify Registry Disabling WER Settings](/endpoint/21cbcaf1-b51f-496d-a0c1-858ff3070452/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | TTP |
| [Windows Modify Registry Qakbot Binary Data Registry](/endpoint/2e768497-04e0-4188-b800-70dd2be0e30d/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1112 | Anomaly |
| [Windows Mshta Execution In Registry](/endpoint/e13ceade-b673-4d34-adc4-4d9c01729753/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1218.005 | TTP |
| [Windows Registry Delete Task SD](/endpoint/ffeb7893-ff06-446f-815b-33ca73224e92/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1053.005, T1562 | Anomaly |
| [Wsmprovhost LOLBAS Execution Process Spawn](/endpoint/2eed004c-4c0d-11ec-93e8-3e22fbd008af/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1021, T1021.006 | TTP |
| [Detect IPv6 Network Infrastructure Threats](/network/c3be767e-7959-44c5-8976-0e9c12a91ad2/) | N/A | T1200, T1498, T1557, T1557.002 | TTP |
| [Fortinet Appliance Auth bypass](/web/a83122f2-fa09-4868-a230-544dbc54bc1c/) | [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) | T1190, T1133 | TTP |
| [SQL Injection with Long URLs](/web/e0aad4cf-0790-423b-8328-7564d0d938f9/) | N/A | T1190 | TTP |
| [VMware Server Side Template Injection Hunt](/web/5796b570-ad12-44df-b1b5-b7e6ae3aabb0/) | [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) | T1190, T1133 | Hunting |
| [Zscaler Malware Activity Threat Blocked](/web/ae874ad8-e353-40a7-87d4-420cdfb27d1a/) | N/A | T1566 | Anomaly |
| [Zscaler Phishing Activity Threat Blocked](/web/68d3e2c1-e97f-4310-b080-dea180b48aa9/) | N/A | T1566 | Anomaly |
| [Okta Multiple Accounts Locked Out](/application/a511426e-184f-4de6-8711-cfd2af29d1e1/) | [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) | T1110 | Anomaly |
| [Web Servers Executing Suspicious Processes](/application/ec3b7601-689a-4463-94e0-c9f45638efb9/) | [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) | T1082 | TTP |
| [AWS Exfiltration via Bucket Replication](/cloud/eeb432d6-2212-43b6-9e89-fcd753f7da4c/) | [AWS CloudTrail PutBucketReplication](/sources/0e1362eb-e592-419f-8fa5-556d3a122417) | T1537 | TTP |
| [AWS IAM Failure Group Deletion](/cloud/723b861a-92eb-11eb-93b8-acde48001122/) | [AWS CloudTrail DeleteGroup](/sources/c95308a4-a943-42ca-b112-f90a05c21bd3) | T1098 | Anomaly |
| [Azure AD External Guest User Invited](/cloud/c1fb4edb-cab1-4359-9b40-925ffd797fb5/) | [Azure Active Directory Invite external user](/sources/d3818bd5-f283-4518-8b67-df19240c3e40) | T1136.003 | TTP |
| [Azure AD Privileged Graph API Permission Assigned](/cloud/5521f8c5-1aa3-473c-9eb7-853701924a06/) | [Azure Active Directory Update application](/sources/2c08188a-ba25-496e-87c7-803cf28b6c90) | T1003.002 | TTP |
| [Gsuite Email With Known Abuse Web Service Link](/cloud/8630aa22-042b-11ec-af39-acde48001122/) | [G Suite Gmail](/sources/706c3978-41de-406b-b6e0-75bd01e12a5d) | T1566.001, T1566 | Anomaly |
| [Kubernetes Abuse of Secret by Unusual Location](/cloud/40a064c1-4ec1-4381-9e35-61192ba8ef82/) | [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) | T1552.007 | Anomaly |
| [O365 Application Registration Owner Added](/cloud/c068d53f-6aaa-4558-8011-3734df878266/) | [O365 Add owner to application.](/sources/da012cbf-af6e-40ee-a1ba-32a5f8da8f8a) | T1098 | TTP |
| [O365 Disable MFA](/cloud/c783dd98-c703-4252-9e8a-f19d9f5c949e/) | [O365 Disable Strong Authentication.](/sources/235381c4-382a-4183-b818-a51c3ce12187) | T1556 | TTP |
| [O365 FullAccessAsApp Permission Assigned](/cloud/01a510b3-a6ac-4d50-8812-7e8a3cde3d79/) | [O365 Update application.](/sources/62159133-911b-4c63-9e30-a6a8c89195ca) | T1098.002, T1098.003 | TTP |
| [Check Elevated CMD using whoami](/endpoint/a9079b18-1633-11ec-859c-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1033 | TTP |
| [Detect Empire with PowerShell Script Block Logging](/endpoint/bc1dc6b8-c954-11eb-bade-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1059, T1059.001 | TTP |
| [Disable Windows App Hotkeys](/endpoint/1490f224-ad8b-11eb-8c4f-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1562.001, T1562, T1112 | TTP |
| [Disabling FolderOptions Windows Feature](/endpoint/83776de4-921a-11eb-868a-acde48001122/) | [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) | T1562.001, T1562 | TTP |
| [Firewall Allowed Program Enable](/endpoint/9a8f63a8-43ac-11ec-904c-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1562.004, T1562 | Anomaly |
| [Get DomainPolicy with Powershell Script Block](/endpoint/a360d2b2-065a-11ec-b0bf-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1201 | TTP |
| [GetWmiObject DS User with PowerShell Script Block](/endpoint/fabd364e-04f3-11ec-b34b-acde48001122/) | [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) | T1087.002, T1087 | TTP |
| [Linux File Created In Kernel Driver Directory](/endpoint/b85bbeec-6326-11ec-9311-acde48001122/) | [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) | T1547.006, T1547 | Anomaly |
| [Linux Impair Defenses Process Kill](/endpoint/435c6b33-adf9-47fe-be87-8e29fd6654f5/) | [Sysmon for Linux EventID 1](/sources/93643652-30fe-4941-a1f7-6454f2948660) | T1562.001, T1562 | Hunting |
| [Office Product Spawning BITSAdmin](/endpoint/e8c591f4-a6d7-11eb-8cf7-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1566, T1566.001 | TTP |
| [Permission Modification using Takeown App](/endpoint/fa7ca5c6-c9d8-11eb-bce9-acde48001122/) | [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) | T1222 | TTP |
| [Potential password in username](/endpoint/5ced34b4-ab32-4bb0-8f22-3b8f186f0a38/) | [Linux Secure](/sources/9a47d88b-1b17-49ce-a0ef-b440ddbd98bb) | T1078.003, T1552.001 | Hunting |
[PowerShell 4104 Hunting](/endpoint/d6f2b006-0041-11ec-8885-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1059, T1059.001 Hunting
[Rundll32 CreateRemoteThread In Browser](/endpoint/f8a22586-ee2d-11eb-a193-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 8](/sources/df7a786c-ade0-48f0-8596-26f10d169f7d) T1055 TTP
[Schtasks used for forcing a reboot](/endpoint/1297fb80-f42a-4b4a-9c8a-88c066437cf6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1053.005, T1053 TTP
[Script Execution via WMI](/endpoint/aa73f80d-d728-4077-b226-81ea0c8be589/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[ServicePrincipalNames Discovery with PowerShell](/endpoint/13243068-2d38-11ec-8908-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1558.003 TTP
[Sunburst Correlation DLL and Network Event](/endpoint/701a8740-e8db-40df-9190-5516d3819787/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 22](/sources/911538b2-eba7-4d3e-85e8-d82d380c37bf), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1203 TTP
[Suspicious GPUpdate no Command Line Arguments](/endpoint/f308490a-473a-40ef-ae64-dd7a6eba284a/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1055 TTP
[Suspicious Linux Discovery Commands](/endpoint/0edd5112-56c9-11ec-b990-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059.004 TTP
[Suspicious msbuild path](/endpoint/f5198224-551c-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1127, T1036.003, T1127.001 TTP
[Windows AD Cross Domain SID History Addition](/endpoint/41bbb371-28ba-439c-bb5c-d9930c28365d/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4738](/sources/cb85709b-101e-41a9-bb60-d2108f79dfbd), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4742](/sources/ea830adf-5450-489a-bcdc-fb8d2cbe674c) T1134.005, T1134 TTP
[Windows AD Short Lived Domain Controller SPN Attribute](/endpoint/57e27f27-369c-4df8-af08-e8c7ee8373d4/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4624](/sources/08682968-0366-4882-9559-fe4fe018a846), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 5136](/sources/7ba3737e-231e-455d-824e-cd077749f835) T1207 TTP
[Windows Cached Domain Credentials Reg Query](/endpoint/40ccb8e0-1785-466e-901e-6a8b75c04ecd/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1003.005, T1003 Anomaly
[Windows DLL Search Order Hijacking Hunt with Sysmon](/endpoint/79c7d1fc-64c7-91be-a616-ccda752efe81/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.001, T1574 Hunting
[Windows Event For Service Disabled](/endpoint/9c2620a8-94a1-11ec-b40c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7040](/sources/91738e9e-d112-41c9-b91b-e5868d8993d9) T1562.001, T1562 Hunting
[Windows Impair Defense Delete Win Defender Context Menu](/endpoint/395ed5fe-ad13-4366-9405-a228427bdd91/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 Hunting
[Windows Input Capture Using Credential UI Dll](/endpoint/406c21d6-6c75-4e9f-9ca9-48049a1dd90e/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1056.002, T1056 Hunting
[Windows Known GraphicalProton Loaded Modules](/endpoint/bf471c94-0324-4b19-a113-d02749b969bc/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002, T1574 Anomaly
[Windows Mark Of The Web Bypass](/endpoint/8ca13343-7405-4916-a2d1-ae34ce0c28ae/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 23](/sources/5ea2721d-f60c-4f48-a047-47d514e327c3) T1553.005 TTP
[Windows Modify Registry Disable Win Defender Raw Write Notif](/endpoint/0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows Modify Registry ProxyServer](/endpoint/12bdaa0b-3c59-4489-aae1-bff6d67746ef/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 Anomaly
[Windows MOVEit Transfer Writing ASPX](/endpoint/c0ed2aca-5666-45b3-813f-ddfac3f3eda0/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1190, T1133 TTP
[Windows Raw Access To Master Boot Record Drive](/endpoint/7b83f666-900c-11ec-a2d9-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 9](/sources/ae4a6a24-9b8c-4386-a7ac-677d7ad5bf09) T1561.002, T1561 TTP
[Windows Steal Authentication Certificates - ESC1 Abuse](/endpoint/cbe761fc-d945-4c8c-a71d-e26d12255d32/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4886](/sources/c5abd97d-b468-451f-bd65-b4f97efa4ecc), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4887](/sources/994c7b19-a623-4231-9818-f00e453b9a75) T1649 TTP
[Windows Steal Authentication Certificates Certificate Issued](/endpoint/9b1a5385-0c31-4c39-9753-dc26b8ce64c2/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4887](/sources/994c7b19-a623-4231-9818-f00e453b9a75) T1649 Anomaly
[Windows Steal Authentication Certificates CS Backup](/endpoint/a2f4cc7f-6503-4078-b206-f83a29f408a7/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4876](/sources/4a78722a-9cd9-44e8-b010-dffad5c7f170) T1649 Anomaly
[Prohibited Network Traffic Allowed](/network/ce5a0962-849f-4720-a678-753fe6674479/) N/A T1048 TTP
[Citrix ADC and Gateway Unauthorized Data Disclosure](/web/b593cac5-dd20-4358-972a-d945fefdaf17/) [Suricata](/sources/64b245d4-a4d1-4865-a718-c83d3b939f2e) T1190 TTP
[Zscaler Employment Search Web Activity](/web/5456bdef-d765-4565-8e1f-61ca027bc50e/) N/A T1566 Anomaly
[Splunk Enterprise KV Store Incorrect Authorization](/application/8f0e8380-a835-4f2b-b749-9ce119364df0/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1548 Hunting
[AWS Create Policy Version to allow all resources](/cloud/2a9b80d3-6340-4345-b5ad-212bf3d0dac4/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail CreatePolicyVersion](/sources/f9f0f3da-37ec-4164-9ea0-0ae46645a86b) T1078.004, T1078 TTP
[AWS Exfiltration via EC2 Snapshot](/cloud/ac90b339-13fc-4f29-a18c-4abbba1f2171/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail CreateSnapshot](/sources/514135a2-f4b2-4d32-8f31-d87824887f9f), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail DeleteSnapshot](/sources/b0731ac8-0992-4de8-b000-2c7d0fc2a61f), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ModifySnapshotAttribute](/sources/7e5aa947-3a0d-4ee5-b800-0c10b555da05) T1537 TTP
[AWS Multiple Users Failing To Authenticate From Ip](/cloud/71e1fb89-dd5f-4691-8523-575420de4630/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ConsoleLogin](/sources/b68b3f26-bd21-4fa8-b593-616fe75ac0ae) T1110, T1110.003, T1110.004 Anomaly
[AWS Password Policy Changes](/cloud/aee4a575-7064-4e60-b511-246f9baf9895/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail DeleteAccountPasswordPolicy](/sources/b0730ac8-0992-4de8-b000-2c7d0fc7a67f), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail GetAccountPasswordPolicy](/sources/439bdc53-6e4b-4cd7-b326-86c7317fd396), <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail UpdateAccountPasswordPolicy](/sources/35a8cc97-3600-40e1-a5d1-1c2ad5060be0) T1201 Hunting
[Cloud Compute Instance Created In Previously Unused Region](/cloud/fa4089e2-50e3-40f7-8469-d2cc1564ca59/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1535 Anomaly
[Gsuite Outbound Email With Attachment To External Domain](/cloud/dc4dc3a8-ff54-11eb-8bf7-acde48001122/) [G Suite Gmail](/sources/706c3978-41de-406b-b6e0-75bd01e12a5d) T1048.003, T1048 Hunting
[Kubernetes Scanning by Unauthenticated IP Address](/cloud/f9cadf4e-df22-4f4e-a08f-9d3344c2165d/) <img src="/icons/kubernetes.svg" alt="Kubernetes icon" class="icon-tiny"> [Kubernetes Audit](/sources/6c25181a-0c07-4aaf-90e6-77ab1f0e6699) T1046 Anomaly
[Auto Admin Logon Registry Entry](/endpoint/1379d2b8-0f18-11ec-8ca3-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1552.002, T1552 TTP
[ETW Registry Disabled](/endpoint/8ed523ac-276b-11ec-ac39-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.006, T1127, T1562 TTP
[GetAdComputer with PowerShell](/endpoint/c5a31f80-5888-4d81-9f78-1cc65026316e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 Hunting
[GetCurrent User with PowerShell](/endpoint/7eb9c3d5-c98c-4088-acc5-8240bad15379/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1033 Hunting
[GetDomainComputer with PowerShell](/endpoint/ed550c19-712e-43f6-bd19-6f58f61b3a5e/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1018 TTP
[Linux High Frequency Of File Deletion In Etc Folder](/endpoint/9d867448-2aff-4d07-876c-89409a752ff8/) <img src="/icons/linux.svg" alt="Linux icon" class="icon-tiny"> [Sysmon for Linux EventID 11](/sources/14672fed-235a-411f-8062-ace9696fb2af) T1485, T1070.004, T1070 Anomaly
[Logon Script Event Trigger Execution](/endpoint/4c38c264-1f74-11ec-b5fa-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1037, T1037.001 TTP
[Recursive Delete of Directory In Batch CMD](/endpoint/ba570b3a-d356-11eb-8358-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1070.004, T1070 TTP
[User Discovery With Env Vars PowerShell Script Block](/endpoint/77f41d9e-b8be-47e3-ab35-5776f5ec1d20/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1033 Hunting
[Windows DLL Side-Loading In Calc](/endpoint/af01f6db-26ac-440e-8d89-2793e303f137/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.002, T1574 TTP
[Windows Drivers Loaded by Signature](/endpoint/d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 6](/sources/eadc297a-c20c-45a1-8fac-74ad54019767) T1014, T1068 Hunting
[Windows Gather Victim Host Information Camera](/endpoint/e4df4676-ea41-4397-b160-3ee0140dc332/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1592.001, T1592 Anomaly
[Windows Gather Victim Identity SAM Info](/endpoint/a18e85d7-8b98-4399-820c-d46a1ca3516f/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1589.001, T1589 Hunting
[Windows Impair Defense Disable Win Defender Compute File Hashes](/endpoint/fe52c280-98bd-4596-b6f6-a13bbf8ac7c6/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows Indirect Command Execution Via pcalua](/endpoint/3428ac18-a410-4823-816c-ce697d26f7a8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1202 TTP
[Windows Modify System Firewall with Notable Process Path](/endpoint/cd6d7410-9146-4471-a418-49edba6dadc4/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.004, T1562 TTP
[Windows PowerView Constrained Delegation Discovery](/endpoint/86dc8176-6e6c-42d6-9684-5444c6557ab3/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 TTP
[Windows PowerView Unconstrained Delegation Discovery](/endpoint/fbf9e47f-e531-4fea-942d-5c95af7ed4d6/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 TTP
[Windows Registry Payload Injection](/endpoint/c6b2d80f-179a-41a1-b95e-ce5601d7427a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1027, T1027.011 TTP
[Wmiprsve LOLBAS Execution Process Spawn](/endpoint/95a455f0-4c04-11ec-b8ac-3e22fbd008af/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1047 TTP
[Detect Unauthorized Assets by MAC address](/network/dcfd6b40-42f9-469d-a433-2e53f7489ff4/) N/A TTP
[Okta User Logins from Multiple Cities](/application/a3d1df37-c2a9-41d0-aa8f-59f82d6192a8/) [Okta](/sources/ec26febe-e760-4981-bbee-72e107c7b9d2) T1586.003 Anomaly
[AWS AMI Attribute Modification for Exfiltration](/cloud/f2132d74-cf81-4c5e-8799-ab069e67dc9f/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ModifyImageAttribute](/sources/667c2115-8082-419e-b541-8150066bda4d) T1537 TTP
[AWS Credential Access RDS Password reset](/cloud/6153c5ea-ed30-4878-81e6-21ecdb198189/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ModifyDBInstance](/sources/bfa2912d-1a33-4b05-be46-543874d68241) T1586, T1586.003, T1110 TTP
[CHCP Command Execution](/endpoint/21d236ec-eec1-11eb-b23e-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1059 TTP
[Get ADUserResultantPasswordPolicy with Powershell Script Block](/endpoint/737e1eb0-065a-11ec-921a-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1201 TTP
[Get DomainUser with PowerShell Script Block](/endpoint/61994268-04f4-11ec-865c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1087.002, T1087 TTP
[Mshta spawning Rundll32 OR Regsvr32 Process](/endpoint/4aa5d062-e893-11eb-9eb2-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1218, T1218.005 TTP
[Powershell Execute COM Object](/endpoint/65711630-f9bf-11eb-8d72-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1546.015, T1546, T1059.001 TTP
[Remote System Discovery with Adsisearcher](/endpoint/70803451-0047-4e12-9d63-77fa7eb8649c/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1018 TTP
[Shim Database Installation With Suspicious Parameters](/endpoint/404620de-46d8-48b6-90cc-8a8d7b0876a3/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1546.011, T1546 TTP
[Suspicious Process Executed From Container File](/endpoint/d8120352-3b62-411c-8cb6-7b47584dd5e8/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1204.002, T1036.008 TTP
[Windows Impair Defense Deny Security Software With Applocker](/endpoint/e0b6ca60-9e29-4450-b51a-bba0abae2313/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Windows ISO LNK File Creation](/endpoint/d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1566.001, T1566, T1204.001, T1204 Hunting
[Windows KrbRelayUp Service Creation](/endpoint/e40ef542-8241-4419-9af4-6324582ea60a/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log System 7045](/sources/614dedc8-8a14-4393-ba9b-6f093cbcd293) T1543.003 TTP
[Windows Mimikatz Crypto Export File Extensions](/endpoint/3a9a6806-16a8-4cda-8d73-b49d10a05b16/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1649 Anomaly
[Windows Modify Registry Disable WinDefender Notifications](/endpoint/8e207707-ad40-4eb3-b865-3a52aec91f26/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1112 TTP
[Windows SIP Provider Inventory](/endpoint/21c5af91-1a4a-4511-8603-64fb41df3fad/) N/A T1553.003 Hunting
[Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952](/web/2038f5c6-5aba-4221-8ae2-ca76e2ca8b97/) <img src="/icons/network.svg" alt="Network icon" class="icon-tiny"> [Palo Alto Network Threat](/sources/375c2b0e-d216-41ad-9406-200464595209) T1190, T1133 TTP
[AWS Excessive Security Scanning](/cloud/1fdd164a-def8-4762-83a9-9ffe24e74d5a/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1526 TTP
[PingID New MFA Method Registered For User](/application/892dfeaf-461d-4a78-aac8-b07e185c9bce/) [PingID](/sources/17890675-61c1-40bd-a88e-6a8e9e246b43) T1621, T1556.006, T1098.005 TTP
[AWS EC2 Snapshot Shared Externally](/cloud/2a9b80d3-6340-4345-b5ad-290bf3d222c4/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail ModifySnapshotAttribute](/sources/7e5aa947-3a0d-4ee5-b800-0c10b555da05) T1537 TTP
[Disable Defender Spynet Reporting](/endpoint/898debf4-3021-11ec-ba7c-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 12](/sources/3ef28798-8eaa-4fd2-b074-6f36d08a1b33), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 13](/sources/19cd00ee-f65f-48ca-bb08-64aac28638ce) T1562.001, T1562 TTP
[Mailsniper Invoke functions](/endpoint/a36972c8-b894-11eb-9f78-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1114, T1114.001 TTP
[Windows Snake Malware File Modification Crmlog](/endpoint/27187e0e-c221-471d-a7bd-04f698985ff6/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 11](/sources/f3db9179-f4f5-416d-bc03-39f4d4ff699e) T1027 TTP
[AWS ECR Container Scanning Findings Medium](/cloud/0b80e2c8-c746-4ddb-89eb-9efd892220cf/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail DescribeImageScanFindings](/sources/688ea789-9ba2-4970-90a2-17e541e273c9) T1204.003, T1204 Anomaly
[XMRIG Driver Loaded](/endpoint/90080fa6-a8df-11eb-91e4-acde48001122/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 6](/sources/eadc297a-c20c-45a1-8fac-74ad54019767) T1543.003, T1543 TTP
[Windows PowerShell Disable HTTP Logging](/endpoint/27958de0-2857-43ca-9d4c-b255cf59dcab/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Script Block Logging 4104](/sources/5cfd0c72-d989-47a0-92f9-6edc6f8d3564) T1562, T1562.002, T1505, T1505.004 TTP
[Disabling Firewall with Netsh](/endpoint/6860a62c-9203-11eb-9e05-acde48001122/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1562.001, T1562 Anomaly
[Splunk DOS Via Dump SPL Command](/application/fb0e6823-365f-48ed-b09e-272ac4c1dad6/) <img src="/icons/splunk.svg" alt="Splunk icon" class="icon-tiny"> [Splunk](/sources/d8a2c791-460b-4756-a8e5-ecade77b21e3) T1499.004 Hunting
[Detect Spike in S3 Bucket deletion](/cloud/e733a326-59d2-446d-b8db-14a17151aa68/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudTrail](/sources/e8ace6db-1dbd-4c72-a1fb-334684619a38) T1530 Anomaly
[Suspicious microsoft workflow compiler usage](/endpoint/9bbc62e8-55d8-11eb-ae93-0242ac130002/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1127 TTP
[Windows IIS Components Get-WebGlobalModule Module Query](/endpoint/20db5f70-34b4-4e83-8926-fa26119de173/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Powershell Installed IIS Modules](/sources/4f2ccf42-3503-4417-a684-bfccf7f0d7b4) T1505.004, T1505 Hunting
[Windows LOLBAS Executed As Renamed File](/endpoint/fd496996-7d9e-4894-8d40-bb85b6192dc6/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1036.003, T1218.011 TTP
[Windows LOLBAS Executed Outside Expected Path](/endpoint/326fdf44-b90c-4d2e-adca-1fd140b10536/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1036, T1036.005, T1218.011 TTP
[Monitor Email For Brand Abuse](/application/b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8/) N/A TTP
[Windows Known Abused DLL Loaded Suspiciously](/endpoint/dd6d1f16-adc0-4e87-9c34-06189516b803/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1574.001, T1574.002, T1574 TTP
[O365 Email Access By Security Administrator](/cloud/c6998a30-fef4-4e89-97ac-3bb0123719b4/) N/A T1567, T1114, T1114.002 TTP
[O365 Email Reported By Admin Found Malicious](/cloud/94396c3e-7728-422a-9956-e4b77b53dbdf/) N/A T1566, T1566.001, T1566.002 TTP
[O365 Email Reported By User Found Malicious](/cloud/7698b945-238e-4bb9-b172-81f5ca1685a1/) N/A T1566, T1566.001, T1566.002 TTP
[O365 Email Security Feature Changed](/cloud/4d28013d-3a0f-4d65-a33f-4e8009fee0ae/) N/A T1562, T1562.008, T1562.001 TTP
[O365 Email Suspicious Behavior Alert](/cloud/85c7555a-05af-4322-81aa-76b4ddf52baa/) N/A T1114, T1114.003 TTP
[O365 SharePoint Malware Detection](/cloud/583c5de3-7709-44cb-abfc-0e828d301b59/) N/A T1204.002, T1204 TTP
[O365 Threat Intelligence Suspicious Email Delivered](/cloud/605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2/) N/A T1566, T1566.001, T1566.002 Anomaly
[O365 Threat Intelligence Suspicious File Detected](/cloud/00958c7b-35db-4e7a-ad13-31550a7a7c64/) N/A T1204.002, T1204 TTP
[O365 ZAP Activity Detection](/cloud/4df275fd-a0e5-4246-8b92-d3201edaef7a/) N/A T1566, T1566.001, T1566.002 Anomaly
[O365 Safe Links Detection](/cloud/711d9e8c-2cb0-45cf-8813-5f191ecb9b26/) N/A T1566, T1566.001 TTP
[Windows AppLocker Privilege Escalation via Unauthorized Bypass](/endpoint/bca48629-7fa2-40d3-9e5d-807564504e28/) N/A T1218 TTP
[Windows Multiple NTLM Null Domain Authentications](/endpoint/c187ce2c-c88e-4cec-8a1c-607ca0dedd78/) N/A T1110, T1110.003 TTP
[Windows Unusual NTLM Authentication Destinations By Source](/endpoint/ae9b0df5-5fb0-477f-abc9-47faf42aa91d/) N/A T1110, T1110.003 Anomaly
[Windows Unusual NTLM Authentication Destinations By User](/endpoint/a4d86702-402b-4a4f-8d06-9d61e6c39cad/) N/A T1110, T1110.003 Anomaly
[Windows Unusual NTLM Authentication Users By Destination](/endpoint/1120a204-8444-428b-8657-6ea4e1f3e840/) N/A T1110, T1110.003 Anomaly
[Windows Unusual NTLM Authentication Users By Source](/endpoint/80fcc4d4-fd90-488e-b55a-4e7190ae6ce2/) N/A T1110, T1110.003 Anomaly
[Multiple Okta Users With Invalid Credentials From The Same IP](/deprecated/19cba45f-cad3-4032-8911-0c09e0444552/) N/A T1110.003, T1078, T1078.001 TTP
[ASL AWS ECR Container Upload Outside Business Hours](/cloud/739ed682-27e9-4ba0-80e5-a91b97698213/) N/A T1204.003, T1204 Anomaly
[ASL AWS ECR Container Upload Unknown User](/cloud/886a8f46-d7e2-4439-b9ba-aec238e31732/) N/A T1204.003, T1204 Anomaly
[ASL AWS IAM Failure Group Deletion](/cloud/8d12f268-c567-4557-9813-f8389e235c06/) N/A T1098 Anomaly
[ASL AWS IAM Successful Group Deletion](/cloud/1bbe54f1-93d7-4764-8a01-ddaa12ece7ac/) N/A T1069.003, T1098, T1069 Hunting
[ASL AWS Defense Evasion Stop Logging Cloudtrail](/cloud/0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1/) N/A T1562.008, T1562 TTP
[ASL AWS Defense Evasion Update Cloudtrail](/cloud/f3eb471c-16d0-404d-897c-7653f0a78cba/) N/A T1562, T1562.008 TTP
[Windows AD Suspicious GPO Modification](/application/0a2afc18-a3b5-4452-b60a-2e774214f9bf/) N/A T1484, T1484.001, T1222, T1222.001 TTP
[Windows AD add Self to Group](/application/065f2701-b7ea-42f5-9ec4-fbc2261165f9/) N/A T1098 TTP
[Windows AD Self DACL Assignment](/application/16132445-da9f-4d03-ad44-56d717dcd67d/) N/A T1484, T1098 TTP
[Windows AD GPO Deleted](/application/0d41772b-35ab-4e1c-a2ba-d0b455481aee/) N/A T1562.001, T1484.001 TTP
[Windows AD GPO Disabled](/application/72793bc0-c0cd-400e-9e60-fdf36f278917/) N/A T1562.001, T1484.001 TTP
[Windows AD GPO New CSE Addition](/application/700c11d1-da09-47b2-81aa-358c143c7986/) N/A T1484, T1484.001, T1222, T1222.001 TTP
[Windows AD Dangerous Deny ACL Modification](/application/8e897153-2ebd-4cb2-85d3-09ad57db2fb7/) N/A T1484, T1222, T1222.001 TTP
[Windows AD Hidden OU Creation](/application/66b6ad5e-339a-40af-b721-dacefc7bdb75/) N/A T1484, T1222, T1222.001 TTP
[Windows AD Dangerous User ACL Modification](/application/ec5b6790-595a-4fb8-ad43-56e5b55a9617/) N/A T1484, T1222, T1222.001 TTP
[Windows AD Dangerous Group ACL Modification](/application/59b0fc85-7a0d-4585-97ec-06a382801990/) N/A T1484, T1222, T1222.001 TTP
[Windows AD Domain Root ACL Deletion](/application/3cb56e57-5642-4638-907f-8dfde9afb889/) N/A T1484, T1222, T1222.001 TTP
[Windows AD Suspicious Attribute Modification](/application/5682052e-ce55-4f9f-8d28-59191420b7e0/) N/A T1550, T1222, T1222.001 TTP
[Windows AD Domain Root ACL Modification](/application/4981e2db-1372-440d-816e-3e7e2ed74433/) N/A T1484, T1222, T1222.001 TTP
[Windows AD DCShadow Privileges ACL Addition](/application/ae915743-1aa8-4a94-975c-8062ebc8b723/) N/A T1484, T1207, T1222.001 TTP
[Windows DLL Search Order Hijacking Hunt](/deprecated/79c7d0fc-60c7-41be-a616-ccda752efe89/) [CrowdStrike ProcessRollup2](/sources/cbb06880-9dd9-4542-ac60-bd6e5d3c3e4e), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17), <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4688](/sources/d195eb26-a81c-45ed-aeb3-25792e8a985a) T1574.001, T1574 Hunting
[Detect Distributed Password Spray Attempts](/application/b1a82fc8-8a9f-4344-9ec2-bde5c5331b57/) <img src="/icons/azure.svg" alt="Azure icon" class="icon-tiny"> [Azure Active Directory Sign-in activity](/sources/f9ed0a3a-9e20-4198-a035-d0a29593fbe0) T1110.003, T1110 Hunting
[Detect Password Spray Attempts](/application/086ab581-8877-42b3-9aee-4a7ecb0923af/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4625](/sources/365a02c2-7d18-4baf-b76e-d90c20bbe6ed) T1110.003, T1110 TTP
[Detect Password Spray Attack Behavior From Source](/endpoint/b6391b15-e913-4c2c-8949-9eecc06efacc/) N/A T1110.003, T1110 TTP
[Detect Password Spray Attack Behavior On User](/endpoint/a7539705-7183-4a12-9b6a-b6eef645a6d7/) N/A T1110.003, T1110 TTP
[Internal Vulnerability Scan](/network/46f946ed-1c78-4e96-9906-c7a4be15e39b/) N/A T1595.002, T1046 TTP
[Internal Vertical Port Scan](/network/40d2dc41-9bbf-421a-a34b-8611271a6770/) <img src="/icons/aws.svg" alt="AWS icon" class="icon-tiny"> [AWS CloudWatchLogs VPCflow](/sources/38a34fc4-e128-4478-a8f4-7835d51d5135) T1046 TTP
[Windows Increase in Group or Object Modification Activity](/application/4f9564dd-a204-4f22-b375-4dfca3a68731/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4663](/sources/5d6dca8c-dad9-494f-a321-ef2b0b92fbf4) T1098, T1562 TTP
[Windows Increase in User Modification Activity](/application/0995fca1-f346-432f-b0bf-a66d14e6b428/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Windows Event Log Security 4720](/sources/7ef1c9e5-691b-48c2-811b-eba91d2d2f1d) T1098, T1562 TTP
[Windows AD Privileged Group Modification](/application/187bf937-c436-4c65-bbcb-7539ffe02da1/) N/A T1098 TTP
[ASL AWS Password Policy Changes](/deprecated/5ade5937-11a2-4363-ba6b-39a3ee8d5b1a/) N/A T1201 Hunting
[Windows Network Share Interaction With Net](/endpoint/4dc3951f-b3f8-4f46-b412-76a483f72277/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1135, T1039 TTP
[Okta Account Locked Out](/deprecated/d650c0ae-bdc5-400e-9f0f-f7aa0a010ef1/) N/A T1110 Anomaly
[Okta Failed SSO Attempts](/deprecated/371a6545-2618-4032-ad84-93386b8698c5/) N/A T1078, T1078.001 Anomaly
[Okta Account Lockout Events](/deprecated/62b70968-a0a5-4724-8ac4-67871e6f544d/) N/A T1078, T1078.001 Anomaly
[ASL AWS CreateAccessKey](/deprecated/ccb3e4af-23d6-407f-9842-a26212816c9e/) N/A T1078 Hunting
[Suspicious Rundll32 Rename](/deprecated/7360137f-abad-473e-8189-acbdaa34d114/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 1](/sources/b375f4d1-d7ca-4bc0-9103-294825c0af17) T1218, T1036, T1218.011, T1036.003 Hunting
[Correlation by Repository and Risk](/deprecated/8da9fdd9-6a1b-4ae0-8a34-8c25e6be9687/) N/A T1204.003, T1204 Correlation
[Correlation by User and Risk](/deprecated/610e12dc-b6fa-4541-825e-4a0b3b6f6773/) N/A T1204.003, T1204 Correlation
[O365 Suspicious Admin Email Forwarding](/deprecated/7f398cfb-918d-41f4-8db8-2e2474e02c28/) N/A T1114.003, T1114 Anomaly
[O365 Suspicious Rights Delegation](/deprecated/b25d2973-303e-47c8-bacd-52b61604c6a7/) N/A T1114.002, T1114, T1098.002, T1098 TTP
[Detect Mimikatz Using Loaded Images](/deprecated/29e307ba-40af-4ab2-91b2-3c6b392bbba0/) <img src="/icons/windows.svg" alt="Windows icon" class="icon-tiny"> [Sysmon EventID 7](/sources/45512fa5-4d55-4088-9d51-f4dedc16fdff) T1003.001, T1003 TTP
[Splunk Enterprise Information Disclosure](/deprecated/f6a26b7b-7e80-4963-a9a8-d836e7534ebd/) N/A TTP
[Open Redirect in Splunk Web](/deprecated/d199fb99-2312-451a-9daa-e5efa6ed76a7/) N/A TTP