Detections

| Name | Technique | Type |
|---|---|---|
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting |
| AWS Cloud Provisioning From Previously Unseen City | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Cloud Provisioning From Previously Unseen Country | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Cloud Provisioning From Previously Unseen IP Address | None | Anomaly |
| AWS Cloud Provisioning From Previously Unseen Region | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Create Policy Version to allow all resources | Cloud Accounts, Valid Accounts | TTP |
| AWS CreateAccessKey | Cloud Account, Create Account | Hunting |
| AWS CreateLoginProfile | Cloud Account, Create Account | TTP |
| AWS Credential Access Failed Login | Password Guessing | TTP |
| AWS Credential Access GetPasswordData | Unsecured Credentials | Anomaly |
| AWS Credential Access RDS Password reset | Password Cracking | TTP |
| AWS Cross Account Activity From Previously Unseen Account | None | Anomaly |
| AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable Cloud Logs | TTP |
| AWS Defense Evasion Delete Cloudtrail | Disable Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Impair Security Services | Disable Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion PutBucketLifecycle | Disable Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion Stop Logging Cloudtrail | Disable Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Update Cloudtrail | Impair Defenses, Disable Cloud Logs | TTP |
| AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |
| AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly |
| AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP |
| AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Hunting |
| AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| AWS EKS Kubernetes cluster sensitive object access | None | Hunting |
| AWS Excessive Security Scanning | Cloud Service Discovery | TTP |
| AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly |
| AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| AWS IAM Delete Policy | Account Manipulation | Hunting |
| AWS IAM Failure Group Deletion | Account Manipulation | Anomaly |
| AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting |
| AWS Lambda UpdateFunctionCode | User Execution | Hunting |
| AWS Network Access Control List Created with All Open Ports | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall, Impair Defenses | Anomaly |
| AWS SAML Access by Provider User and Principal | Valid Accounts | Anomaly |
| AWS SAML Update identity provider | Valid Accounts | TTP |
| AWS SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP |
| AWS UpdateLoginProfile | Cloud Account, Create Account | TTP |
| Abnormally High AWS Instances Launched by User | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Launched by User - MLTK | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Terminated by User | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Terminated by User - MLTK | Cloud Accounts | Anomaly |
| Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Destroyed | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Launched | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Security Group API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Anomaly |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Amazon EKS Kubernetes Pod scan detection | Cloud Service Discovery | Hunting |
| Amazon EKS Kubernetes cluster scan detection | Cloud Service Discovery | Hunting |
| Anomalous Usage of Account Credentials | Domain Accounts | Anomaly |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly |
| Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | TTP |
| Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | TTP |
| Attempt To Disable Services | Service Stop | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Azure AD Authentication Failed During MFA Challenge | Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD External Guest User Invited | Cloud Account | TTP |
| Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP |
| Azure AD Multi-Factor Authentication Disabled | Modify Authentication Process | TTP |
| Azure AD Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | Anomaly |
| Azure AD Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying | Anomaly |
| Azure AD New Custom Domain Added | Domain Policy Modification, Domain Trust Modification | TTP |
| Azure AD New Federated Domain Added | Domain Policy Modification, Domain Trust Modification | TTP |
| Azure AD Privileged Role Assigned | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Service Principal Created | Cloud Account | TTP |
| Azure AD Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP |
| Azure AD Service Principal Owner Added | Account Manipulation | TTP |
| Azure AD Successful PowerShell Authentication | Valid Accounts, Cloud Accounts | TTP |
| Azure AD Successful Single-Factor Authentication | Security Account Manager | TTP |
| Azure AD Unusual Number of Failed Authentications From Ip | Brute Force, Password Spraying | Anomaly |
| Azure AD User Enabled And Password Reset | Account Manipulation | TTP |
| Azure AD User ImmutableId Attribute Updated | Account Manipulation | TTP |
| Azure Active Directory High Risk Sign-in | Brute Force, Password Spraying | TTP |
| Azure Automation Account Created | Create Account, Cloud Account | TTP |
| Azure Automation Runbook Created | Create Account, Cloud Account | TTP |
| Azure Runbook Webhook Created | Valid Accounts, Cloud Accounts | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Batch File Write to System32 | User Execution, Malicious File | TTP |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP |
| CHCP Command Execution | Command and Scripting Interpreter | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP |
| CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Hunting |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Certutil exe certificate extraction | None | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Change To Safe Mode With Network Config | Inhibit System Recovery | TTP |
| Check Elevated CMD using whoami | System Owner/User Discovery | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Circle CI Disable Security Job | Compromise Client Software Binary | Anomaly |
| Circle CI Disable Security Step | Compromise Client Software Binary | Anomaly |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal on Host | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal on Host | TTP |
| Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| Cloud API Calls From Previously Unseen User Roles | Valid Accounts | Anomaly |
| Cloud Compute Instance Created By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Compute Instance Created In Previously Unused Region | Unused/Unsupported Cloud Regions | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Image | None | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Instance Type | None | Anomaly |
| Cloud Instance Modified By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Network Access Control List Deleted | None | Anomaly |
| Cloud Provisioning Activity From Previously Unseen City | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Country | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen IP Address | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Region | Valid Accounts | Anomaly |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Server Software Component, Exploit Public-Facing Application | TTP |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | TTP |
| Correlation by Repository and Risk | Malicious Image, User Execution | Correlation |
| Correlation by User and Risk | Malicious Image, User Execution | Correlation |
| Create Remote Thread In Shell Application | Process Injection | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Create local admin accounts using net exe | Local Account, Create Account | TTP |
| Create or delete windows shares using net exe | Indicator Removal on Host, Network Share Connection Removal | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Extraction FGDump and CacheDump | OS Credential Dumping, Security Account Manager | TTP |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly |
| DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | TTP |
| DNS record changed | DNS | TTP |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Delete A Net User | Account Access Removal | Anomaly |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Deleting Of Net Users | Account Access Removal | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Detect API activity from users without MFA | None | Hunting |
| Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect AWS API Activities From Unapproved Accounts | Cloud Accounts | Hunting |
| Detect AWS Console Login by New User | None | Hunting |
| Detect AWS Console Login by User from New City | Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Country | Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Region | Unused/Unsupported Cloud Regions | Hunting |
| Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | TTP |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | TTP |
| Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | Hunting |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect DGA domains using pretrained model in DSDL | Domain Generation Algorithms | Anomaly |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | TTP |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP |
| Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Anomaly |
| Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Anomaly |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application | TTP |
| Detect F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | TTP |
| Detect GCP Storage access from a new IP | Data from Cloud Storage Object | Anomaly |
| Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Hunting |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Kerberoasting | Kerberoasting, Steal or Forge Kerberos Tickets | TTP |
| Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP |
| Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Detect New Local Admin account | Local Account, Create Account | TTP |
| Detect New Login Attempts to Routers | None | TTP |
| Detect New Open GCP Storage Buckets | Data from Cloud Storage Object | TTP |
| Detect New Open S3 Buckets over AWS CLI | Data from Cloud Storage Object | TTP |
| Detect New Open S3 buckets | Data from Cloud Storage Object | TTP |
| Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting |
| Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP |
| Detect Port Security Violation | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Rare Executables | None | Anomaly |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | TTP |
| Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Hunting |
| Detect Renamed PSExec | System Services, Service Execution | Hunting |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Hunting |
| Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Anomaly |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP |
| Detect S3 access from a new IP | Data from Cloud Storage Object | Anomaly |
| Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | TTP |
| Detect Spike in AWS API Activity | Cloud Accounts | Anomaly |
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly |
| Detect Spike in AWS Security Hub Alerts for User | None | Anomaly |
| Detect Spike in Network ACL Activity | Disable or Modify Cloud Firewall | Anomaly |
| Detect Spike in S3 Bucket deletion | Data from Cloud Storage Object | Anomaly |
| Detect Spike in Security Group Activity | Cloud Accounts | Anomaly |
| Detect Spike in blocked Outbound Traffic from your AWS | None | Anomaly |
| Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP |
| Detect USB device insertion | None | TTP |
| Detect Unauthorized Assets by MAC address | None | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP |
| Detect Windows DNS SIGRed via Splunk Stream | Exploitation for Client Execution | TTP |
| Detect Windows DNS SIGRed via Zeek | Exploitation for Client Execution | TTP |
| Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP |
| Detect attackers scanning for vulnerable JBoss servers | System Information Discovery | TTP |
| Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP |
| Detect malicious requests to exploit JBoss servers | None | TTP |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP |
| Detect mshta renamed | System Binary Proxy Execution, Mshta | Hunting |
| Detect new API calls from user roles | Cloud Accounts | Anomaly |
| Detect new user AWS Console Login | Cloud Accounts | Hunting |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP |
| Detect shared ec2 snapshot | Transfer Data to Cloud Account | TTP |
| Detect web traffic to dynamic domain providers | Web Protocols | TTP |
| Detection of DNS Tunnels | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Detection of tools built by NirSoft | Software Deployment Tools | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Logs Using WevtUtil | Indicator Removal on Host, Clear Windows Event Logs | TTP |
| Disable Net User Account | Service Stop, Valid Accounts | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses | TTP |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Net User Account | Account Access Removal | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Domain Account Discovery with Dsquery | Domain Account, Account Discovery | Hunting |
| Domain Account Discovery with Wmic | Domain Account, Account Discovery | TTP |
| Domain Controller Discovery with Nltest | Remote System Discovery | TTP |
| Domain Controller Discovery with Wmic | Remote System Discovery | Hunting |
| Domain Group Discovery With Dsquery | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery with Adsisearcher | Permission Groups Discovery, Domain Groups | TTP |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Drop IcedID License dat | User Execution, Malicious File | Hunting |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump Rename | LSASS Memory | Hunting |
| EC2 Instance Modified With Previously Unseen User | Cloud Accounts | Anomaly |
| EC2 Instance Started In Previously Unseen Region | Unused/Unsupported Cloud Regions | Anomaly |
| EC2 Instance Started With Previously Unseen AMI | None | Anomaly |
| EC2 Instance Started With Previously Unseen Instance Type | None | Anomaly |
| EC2 Instance Started With Previously Unseen User | Cloud Accounts | Anomaly |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | TTP |
| Elevated Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | TTP |
| Elevated Group Discovery with PowerView | Permission Groups Discovery, Domain Groups | Hunting |
| Email Attachments With Lots Of Spaces | None | Anomaly |
| Email files written outside of the Outlook directory | Email Collection, Local Email Collection | TTP |
| Email servers sending high volume traffic to hosts | Email Collection, Remote Email Collection | Anomaly |
| Enable RDP In Other Port Number | Remote Services | TTP |
| Enable WDigest UseLogonCredential Registry | Modify Registry, OS Credential Dumping | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting |
| Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | TTP |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | TTP |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive DNS Failures | DNS, Application Layer Protocol | Anomaly |
| Excessive File Deletion In WinDefender Folder | Data Destruction | TTP |
| Excessive Number of Office Files Copied | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| Excessive Service Stop Attempt | Service Stop | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Excessive Usage of NSLOOKUP App | Exfiltration Over Alternative Protocol | Anomaly |
| Excessive distinct processes from Windows Temp | Command and Scripting Interpreter | Anomaly |
| Excessive number of service control start as disabled | Disable or Modify Tools, Impair Defenses | Anomaly |
| Excessive number of taskhost processes | Command and Scripting Interpreter | Anomaly |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application | TTP |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | TTP |
| Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP |
| Execution of File With Spaces Before Extension | Rename System Utilities | TTP |
| Execution of File with Multiple Extensions | Masquerading, Rename System Utilities | TTP |
| Extended Period Without Successful Netbackup Backups | None | Hunting |
| Extraction of Registry Hives | Security Account Manager, OS Credential Dumping | TTP |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Exploit Public-Facing Application | TTP |
| File with Samsam Extension | None | TTP |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| First Time Seen Child Process of Zoom | Exploitation for Privilege Escalation | Anomaly |
| First Time Seen Running Windows Service | System Services, Service Execution | Anomaly |
| First time seen command line argument | Command and Scripting Interpreter, Indirect Command Execution | Anomaly |
| First time seen command line argument | PowerShell, Windows Command Shell | Hunting |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Fsutil Zeroing File | Indicator Removal on Host | TTP |
| Fsutil Zeroing File | Indicator Removal on Host | TTP |
| GCP Detect accounts with high risk roles by project | Valid Accounts | Hunting |
| GCP Detect gcploit framework | Valid Accounts | TTP |
| GCP Detect high risk permissions by resource and account | Valid Accounts | Hunting |
| GCP Kubernetes cluster pod scan detection | Cloud Service Discovery | Hunting |
| GCP Kubernetes cluster scan detection | Cloud Service Discovery | TTP |
| GPUpdate with no Command Line Arguments with Network | Process Injection | TTP |
| GSuite Email Suspicious Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Hunting |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting |
| Get ADUser with PowerShell | Domain Account, Account Discovery | Hunting |
| Get ADUser with PowerShell Script Block | Domain Account, Account Discovery | Hunting |
| Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP |
| Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP |
| Get DomainPolicy with Powershell | Password Policy Discovery | TTP |
| Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP |
| Get DomainUser with PowerShell | Domain Account, Account Discovery | TTP |
| Get DomainUser with PowerShell Script Block | Domain Account, Account Discovery | TTP |
| Get WMIObject Group Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Get WMIObject Group Discovery with Script Block Logging | Permission Groups Discovery, Local Groups | Hunting |
| Get-DomainTrust with PowerShell | Domain Trust Discovery | TTP |
| Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP |
| Get-ForestTrust with PowerShell | Domain Trust Discovery | TTP |
| Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery, PowerShell | TTP |
| GetAdComputer with PowerShell | Remote System Discovery | Hunting |
| GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting |
| GetAdGroup with PowerShell | Permission Groups Discovery, Domain Groups | Hunting |
| GetAdGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | Hunting |
| GetCurrent User with PowerShell | System Owner/User Discovery | Hunting |
| GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting |
| GetDomainComputer with PowerShell | Remote System Discovery | TTP |
| GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP |
| GetDomainController with PowerShell | Remote System Discovery | Hunting |
| GetDomainController with PowerShell Script Block | Remote System Discovery | TTP |
| GetDomainGroup with PowerShell | Permission Groups Discovery, Domain Groups | TTP |
| GetDomainGroup with PowerShell Script Block | Permission Groups Discovery, Domain Groups | TTP |
| GetLocalUser with PowerShell | Account Discovery, Local Account | Hunting |
| GetLocalUser with PowerShell Script Block | Account Discovery, Local Account, PowerShell | Hunting |
| GetNetTcpconnection with PowerShell | System Network Connections Discovery | Hunting |
| GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting |
| GetWmiObject DS User with PowerShell | Domain Account, Account Discovery | TTP |
| GetWmiObject DS User with PowerShell Script Block | Domain Account, Account Discovery | TTP |
| GetWmiObject Ds Computer with PowerShell | Remote System Discovery | TTP |
| GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP |
| GetWmiObject Ds Group with PowerShell | Permission Groups Discovery, Domain Groups | TTP |
| GetWmiObject Ds Group with PowerShell Script Block | Permission Groups Discovery, Domain Groups | TTP |
| GetWmiObject User Account with PowerShell | Account Discovery, Local Account | Hunting |
| GetWmiObject User Account with PowerShell Script Block | Account Discovery, Local Account, PowerShell | Hunting |
| GitHub Actions Disable Security Workflow | Compromise Software Supply Chain, Supply Chain Compromise | Anomaly |
| GitHub Dependabot Alert | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| GitHub Pull Request from Unknown User | Compromise Software Dependencies and Development Tools, Supply Chain Compromise | Anomaly |
| Github Commit Changes In Master | Trusted Relationship | Anomaly |
| Github Commit In Develop | Trusted Relationship | Anomaly |
| Grant Permission Using Cacls Utility | File and Directory Permissions Modification | TTP |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly |
| Gsuite Email Suspicious Subject With Attachment | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Email With Known Abuse Web Service Link | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| Gsuite Suspicious Shared File Name | Spearphishing Attachment, Phishing | Anomaly |
| Gsuite suspicious calendar invite | Phishing | Hunting |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
Hiding Files And Directories With Attrib exe Windows File and Directory Permissions Modification, File and Directory Permissions Modification TTP
High File Deletion Frequency Data Destruction Anomaly
High Frequency Copy Of Files In Network Share Transfer Data to Cloud Account Anomaly
High Number of Login Failures from a single source Password Guessing, Brute Force Anomaly
High Process Termination Frequency Data Encrypted for Impact Anomaly
Hosts receiving high volume of network traffic from email server Remote Email Collection, Email Collection Anomaly
Hunting for Log4Shell Exploit Public-Facing Application Hunting
ICACLS Grant Command File and Directory Permissions Modification TTP
Icacls Deny Command File and Directory Permissions Modification TTP
IcedID Exfiltrated Archived File Creation Archive via Utility, Archive Collected Data Hunting
Identify New User Accounts Domain Accounts Hunting
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Interactive Session on Remote Endpoint with PowerShell Remote Services, Windows Remote Management TTP
Java Class File download by Java User Agent Exploit Public-Facing Application TTP
Java Writing JSP File Exploit Public-Facing Application TTP
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript TTP
Kerberoasting spn request with RC4 encryption Steal or Forge Kerberos Tickets, Kerberoasting TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Kerberos Service Ticket Request Using RC4 Encryption Steal or Forge Kerberos Tickets, Golden Ticket TTP
Kerberos TGT Request Using RC4 Encryption Use Alternate Authentication Material TTP
Kerberos User Enumeration Gather Victim Identity Information, Email Addresses Anomaly
Known Services Killed by Ransomware Inhibit System Recovery TTP
Kubernetes AWS detect RBAC authorization by account None Hunting
Kubernetes AWS detect most active service accounts by pod None Hunting
Kubernetes AWS detect sensitive role access None Hunting
Kubernetes AWS detect service accounts forbidden failure access None Hunting
Kubernetes AWS detect suspicious kubectl calls None Hunting
Kubernetes Azure active service accounts by pod namespace None Hunting
Kubernetes Azure detect RBAC authorization by account None Hunting
Kubernetes Azure detect sensitive object access None Hunting
Kubernetes Azure detect sensitive role access None Hunting
Kubernetes Azure detect service accounts forbidden failure access None Hunting
Kubernetes Azure detect suspicious kubectl calls None Hunting
Kubernetes Azure pod scan fingerprint None Hunting
Kubernetes Azure scan fingerprint Cloud Service Discovery Hunting
Kubernetes GCP detect RBAC authorizations by account None Hunting
Kubernetes GCP detect most active service accounts by pod None Hunting
Kubernetes GCP detect sensitive object access None Hunting
Kubernetes GCP detect sensitive role access None Hunting
Kubernetes GCP detect service accounts forbidden failure access None Hunting
Kubernetes GCP detect suspicious kubectl calls None Hunting
Kubernetes Nginx Ingress LFI Exploitation for Credential Access TTP
Kubernetes Nginx Ingress RFI Exploitation for Credential Access TTP
Kubernetes Scanner Image Pulling Cloud Service Discovery TTP
Large Volume of DNS ANY Queries Network Denial of Service, Reflection Amplification Anomaly
Linux APT Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux AWK Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Account Manipulation Of SSH Config and Keys Data Destruction, File Deletion, Indicator Removal on Host Anomaly
Linux Add Files In Known Crontab Directories Cron, Scheduled Task/Job Anomaly
Linux Add User Account Local Account, Create Account Hunting
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux At Allow Config File Creation Cron, Scheduled Task/Job Anomaly
Linux At Application Execution At, Scheduled Task/Job Anomaly
Linux Busybox Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Change File Owner To Root Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Anomaly
Linux Clipboard Data Copy Clipboard Data Anomaly
Linux Common Process For Elevation Control Setuid and Setgid, Abuse Elevation Control Mechanism Hunting
Linux Composer Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Cpulimit Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Csvtool Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Curl Upload File Ingress Tool Transfer TTP
Linux DD File Overwrite Data Destruction TTP
Linux Decode Base64 to Shell Obfuscated Files or Information, Unix Shell TTP
Linux Deleting Critical Directory Using RM Command Data Destruction TTP
Linux Deletion Of Cron Jobs Data Destruction, File Deletion, Indicator Removal on Host Anomaly
Linux Deletion Of Init Daemon Script Data Destruction, File Deletion, Indicator Removal on Host TTP
Linux Deletion Of Services Data Destruction, File Deletion, Indicator Removal on Host TTP
Linux Deletion of SSL Certificate Data Destruction, File Deletion, Indicator Removal on Host Anomaly
Linux Disable Services Service Stop TTP
Linux Doas Conf File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Doas Tool Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Docker Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Edit Cron Table Parameter Cron, Scheduled Task/Job Hunting
Linux Emacs Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux File Created In Kernel Driver Directory Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux File Creation In Init Boot Directory RC Scripts, Boot or Logon Initialization Scripts Anomaly
Linux File Creation In Profile Directory Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Find Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GDB Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GNU Awk Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Gem Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux High Frequency Of File Deletion In Boot Folder Data Destruction, File Deletion, Indicator Removal on Host TTP
Linux High Frequency Of File Deletion In Etc Folder Data Destruction, File Deletion, Indicator Removal on Host Anomaly
Linux Ingress Tool Transfer Hunting Ingress Tool Transfer Hunting
Linux Ingress Tool Transfer with Curl Ingress Tool Transfer Anomaly
Linux Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Java Spawning Shell Exploit Public-Facing Application TTP
Linux Kernel Module Enumeration System Information Discovery, Rootkit Anomaly
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Hunting
Linux Make Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux MySQL Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Node Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Obfuscated Files or Information Base64 Decode Obfuscated Files or Information Anomaly
Linux Octave Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux OpenVPN Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux PHP Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Correlation
Linux Possible Access Or Modification Of sshd Config File SSH Authorized Keys, Account Manipulation Anomaly
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Possible Append Command To At Allow Config File At, Scheduled Task/Job Anomaly
Linux Possible Append Command To Profile Config File Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Possible Cronjob Modification With Editor Cron, Scheduled Task/Job Hunting
Linux Possible Ssh Key File Creation SSH Authorized Keys, Account Manipulation Anomaly
Linux Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Proxy Socks Curl Proxy, Non-Application Layer Protocol TTP
Linux Puppet Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux RPM Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Ruby Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux SSH Authorized Keys Modification SSH Authorized Keys Anomaly
Linux SSH Remote Services Script Execute SSH TTP
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Anomaly
Linux Setuid Using Chmod Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Setuid Using Setcap Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Shred Overwrite Command Data Destruction TTP
Linux Sqlite3 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Stop Services Service Stop TTP
Linux Sudo OR Su Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Hunting
Linux Sudoers Tmp File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux System Network Discovery System Network Configuration Discovery Anomaly
Linux Visudo Utility Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux apt-get Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c89 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c99 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux pkexec Privilege Escalation Exploitation for Privilege Escalation TTP
Living Off The Land Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter Correlation
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection TTP
Local Account Discovery With Wmic Account Discovery, Local Account Hunting
Local Account Discovery with Net Account Discovery, Local Account Hunting
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter Correlation
Log4Shell JNDI Payload Injection Attempt Exploit Public-Facing Application Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application Anomaly
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) TTP
MS Exchange Mailbox Replication service writing Active Server Pages Server Software Component, Web Shell, Exploit Public-Facing Application TTP
MS Scripting Process Loading Ldap Module Command and Scripting Interpreter, JavaScript Anomaly
MS Scripting Process Loading WMI Module Command and Scripting Interpreter, JavaScript Anomaly
MSBuild Suspicious Spawned By Script Process MSBuild, Trusted Developer Utilities Proxy Execution TTP
MSHTML Module Load in Office Product Phishing, Spearphishing Attachment TTP
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow Hunting
MacOS - Re-opened Applications None TTP
MacOS LOLbin Unix Shell, Command and Scripting Interpreter TTP
MacOS plutil Plist File Modification TTP
Mailsniper Invoke functions Email Collection, Local Email Collection TTP
Malicious InProcServer32 Modification Regsvr32, Modify Registry TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell TTP
Malicious Powershell Executed As A Service System Services, Service Execution TTP
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC TTP
Modification Of Wallpaper Defacement TTP
Modify ACL permission To Files Or Folder File and Directory Permissions Modification Anomaly
Modify ACLs Permission Of Files Or Folders File and Directory Permissions Modification Anomaly
Monitor DNS For Brand Abuse None TTP
Monitor Email For Brand Abuse None TTP
Monitor Registry Keys for Print Monitors Port Monitors, Boot or Logon Autostart Execution TTP
Monitor Web Traffic For Brand Abuse None TTP
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Msmpeng Application DLL Side Loading DLL Side-Loading, Hijack Execution Flow TTP
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Multiple Invalid Users Failing To Authenticate From Host Using NTLM Password Spraying, Brute Force Anomaly
Multiple Okta Users With Invalid Credentials From The Same IP Valid Accounts, Default Accounts TTP
Multiple Users Failing To Authenticate From Host Using Kerberos Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Host Using NTLM Password Spraying, Brute Force Anomaly
Multiple Users Failing To Authenticate From Process Password Spraying, Brute Force Anomaly
Multiple Users Remotely Failing To Authenticate From Host Password Spraying, Brute Force Anomaly
NET Profiler UAC bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell TTP
No Windows Updates in a time frame None Hunting
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
O365 Add App Role Assignment Grant User Cloud Account, Create Account TTP
O365 Added Service Principal Cloud Account, Create Account TTP
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses TTP
O365 Disable MFA Modify Authentication Process TTP
O365 Excessive Authentication Failures Alert Brute Force Anomaly
O365 Excessive SSO logon errors Modify Authentication Process Anomaly
O365 New Federated Domain Added Cloud Account, Create Account TTP
O365 PST export alert Email Collection TTP
O365 Suspicious Admin Email Forwarding Email Forwarding Rule, Email Collection Anomaly
O365 Suspicious Rights Delegation Remote Email Collection, Email Collection TTP
O365 Suspicious User Email Forwarding Email Forwarding Rule, Email Collection Anomaly
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Creating Schedule Task Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process System Binary Proxy Execution, Mshta TTP
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment TTP
Office Product Spawning Wmic Phishing, Spearphishing Attachment TTP
Office Product Writing cab or inf Phishing, Spearphishing Attachment TTP
Office Spawning Control Phishing, Spearphishing Attachment TTP
Okta Account Lockout Events Valid Accounts, Default Accounts Anomaly
Okta Failed SSO Attempts Valid Accounts, Default Accounts Anomaly
Okta User Logins From Multiple Cities Valid Accounts, Default Accounts Anomaly
Open Redirect in Splunk Web None TTP
Osquery pack - ColdRoot detection None TTP
Outbound Network Connection from Java Using Default Ports Exploit Public-Facing Application TTP
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features TTP
Password Policy Discovery with Net Password Policy Discovery Hunting
Path traversal SPL injection File and Directory Discovery TTP
Permission Modification using Takeown App File and Directory Permissions Modification TTP
PetitPotam Network Share Access Request Forced Authentication TTP
PetitPotam Suspicious Kerberos TGT Request OS Credential Dumping TTP
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Hunting
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC TTP
Potential Pass the Token or Hash Observed at the Destination Device Use Alternate Authentication Material, Pass the Hash TTP
Potential Pass the Token or Hash Observed by an Event Collecting Device Use Alternate Authentication Material, Pass the Hash TTP
Potential password in username Local Accounts, Credentials In Files Hunting
Potentially malicious code on commandline Windows Command Shell Anomaly
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Hunting
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
PowerShell Start-BitsTransfer BITS Jobs TTP
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools, PowerShell TTP
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution, PowerShell TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Remote Thread To Known Windows Process Process Injection TTP
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses TTP
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Prevent Automatic Repair Mode using Bcdedit Inhibit System Recovery TTP
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Process Deleting Its Process File Path Indicator Removal on Host TTP
Process Execution via WMI Windows Management Instrumentation TTP
Process Kill Base On File Path Disable or Modify Tools, Impair Defenses TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
Processes Tapping Keyboard Events None TTP
Processes created by netsh Disable or Modify System Firewall TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses TTP
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Prohibited Software On Endpoint None Hunting
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Protocols passing authentication in cleartext None TTP
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task Hunting
Randomly Generated Windows Service Name Create or Modify System Process, Windows Service Hunting
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
Rare Parent-Child Process Relationship Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools Anomaly
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell TTP
Recursive Delete of Directory In Batch CMD File Deletion, Indicator Removal on Host TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow TTP
Reg exe used to hide files directories via registry keys Hidden Files and Directories TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
Remcos client registry install entry Modify Registry TTP
Remote Desktop Network Bruteforce Remote Desktop Protocol, Remote Services TTP
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Hunting
Remote Process Instantiation via DCOM and PowerShell Remote Services, Distributed Component Object Model TTP
Remote Process Instantiation via DCOM and PowerShell Script Block Remote Services, Distributed Component Object Model TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Script Block Windows Management Instrumentation TTP
Remote Process Instantiation via WinRM and PowerShell Remote Services, Windows Remote Management TTP
Remote Process Instantiation via WinRM and PowerShell Script Block Remote Services, Windows Remote Management TTP
Remote Process Instantiation via WinRM and Winrs Remote Services, Windows Remote Management TTP
Remote Registry Key modifications None TTP
Remote System Discovery with Adsisearcher Remote System Discovery TTP
Remote System Discovery with Dsquery Remote System Discovery Hunting
Remote System Discovery with Net Remote System Discovery Hunting
Remote System Discovery with Wmic Remote System Discovery TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Resize ShadowStorage volume Inhibit System Recovery TTP
Resize Shadowstorage Volume Service Stop TTP
Revil Common Exec Parameter User Execution TTP
Revil Registry Entry Modify Registry TTP
Rubeus Command Line Parameters Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access Use Alternate Authentication Material, Pass the Ticket TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Hunting
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 TTP
Rundll32 LockWorkStation System Binary Proxy Execution, Rundll32 Anomaly
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 TTP
Ryuk Test Files Detected Data Encrypted for Impact TTP
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell TTP
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly
SQL Injection with Long URLs Exploit Public-Facing Application TTP
Samsam Test File Write Data Encrypted for Impact TTP
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process TTP
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery Anomaly
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task TTP
Scheduled tasks used in BadRabbit ransomware Scheduled Task TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job TTP
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver TTP
Script Execution via WMI Windows Management Instrumentation TTP
Sdclt UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal on Host Anomaly
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal on Host TTP
SearchProtocolHost with no Command Line with Network Process Injection TTP
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
ServicePrincipalNames Discovery with PowerShell Kerberoasting TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Shim Database File Creation Application Shimming, Event Triggered Execution TTP
Shim Database Installation With Suspicious Parameters Application Shimming, Event Triggered Execution TTP
Short Lived Scheduled Task Scheduled Task TTP
Short Lived Windows Accounts Local Account, Create Account TTP
SilentCleanup UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Single Letter Process On Endpoint User Execution, Malicious File TTP
Spectre and Meltdown Vulnerable Systems None TTP
Spike in File Writes None Anomaly
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery TTP
Splunk Command and Scripting Interpreter Delete Usage Command and Scripting Interpreter Anomaly
Splunk Command and Scripting Interpreter Risky Commands Command and Scripting Interpreter Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK Command and Scripting Interpreter Anomaly
Splunk Digital Certificates Infrastructure Version Digital Certificates Hunting
Splunk Digital Certificates Lack of Encryption Digital Certificates Anomaly
Splunk DoS via Malformed S2S Request Network Denial of Service TTP
Splunk Endpoint Denial of Service DoS Zip Bomb Endpoint Denial of Service TTP
Splunk Enterprise Information Disclosure None TTP
Splunk Identified SSL TLS Certificates Network Sniffing Hunting
Splunk Process Injection Forwarder Bundle Downloads Process Injection Hunting
Splunk Protocol Impersonation Weak Encryption Configuration Protocol Impersonation Hunting
Splunk User Enumeration Attempt Valid Accounts TTP
Splunk XSS in Monitoring Console Drive-by Compromise TTP
Splunk protocol impersonation weak encryption selfsigned Digital Certificates Hunting
Splunk protocol impersonation weak encryption simplerequest Digital Certificates Hunting
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation TTP
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution TTP
Spring4Shell Payload URL Request Web Shell, Server Software Component, Exploit Public-Facing Application TTP
Sqlite Module In Temp Folder Data from Local System TTP
Sunburst Correlation DLL and Network Event Exploitation for Client Execution TTP
Supernova Webshell Web Shell TTP
Suspicious Changes to File Associations Change Default File Association TTP
Suspicious Computer Account Name Change Valid Accounts, Domain Accounts TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Curl Network Connection Ingress Tool Transfer TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Email - UBA Anomaly Phishing Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Suspicious Event Log Service Behavior Indicator Removal on Host, Clear Windows Event Logs TTP
Suspicious File Write None Hunting
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 TTP
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Suspicious Java Classes None Anomaly
Suspicious Kerberos Service Ticket Request Valid Accounts, Domain Accounts TTP
Suspicious Linux Discovery Commands Unix Shell TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP
Suspicious PlistBuddy Usage Launch Agent, Create or Modify System Process TTP
Suspicious PlistBuddy Usage via OSquery Launch Agent, Create or Modify System Process TTP
Suspicious Powershell Command-Line Arguments PowerShell TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Suspicious Reg exe Process Modify Registry TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 PluginInit System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 Rename System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 TTP
Suspicious SQLite3 LSQuarantine Behavior Data Staged TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
Suspicious Ticket Granting Ticket Request Valid Accounts, Domain Accounts Hunting
Suspicious WAV file in Appdata Folder Screen Capture TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious mshta child process System Binary Proxy Execution, Mshta TTP
Suspicious mshta spawn System Binary Proxy Execution, Mshta TTP
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal on Host TTP
Suspicious writes to System Volume Information Masquerading Hunting
Suspicious writes to windows Recycle Bin Masquerading TTP
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task TTP
System Info Gathering Using Dxdiag Application Gather Victim Host Information Hunting
System Information Discovery Detection System Information Discovery TTP
System Process Running from Unexpected Location Masquerading Anomaly
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities TTP
System User Discovery With Query System Owner/User Discovery Hunting
System User Discovery With Whoami System Owner/User Discovery Hunting
TCP Command and Scripting Interpreter Outbound LDAP Traffic Command and Scripting Interpreter Anomaly
TOR Traffic Application Layer Protocol, Web Protocols TTP
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution TTP
Trickbot Named Pipe Process Injection TTP
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control, Abuse Elevation Control Mechanism, MMC TTP
UAC Bypass With Colorui COM Object System Binary Proxy Execution, CMSTP TTP
USN Journal Deletion Indicator Removal on Host TTP
Uncommon Processes On Endpoint Malicious File Hunting
Unified Messaging Service Spawning a Process Exploit Public-Facing Application TTP
Uninstall App Using MsiExec Msiexec, System Binary Proxy Execution TTP
Unknown Process Using The Kerberos Protocol Use Alternate Authentication Material TTP
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses TTP
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter TTP
Unsigned Image Loaded by LSASS LSASS Memory TTP
Unsuccessful Netbackup backups None Hunting
Unusual LOLBAS in short period of time Command and Scripting Interpreter, Scheduled Task/Job Anomaly
Unusual Number of Computer Service Tickets Requested Valid Accounts Hunting
Unusual Number of Kerberos Service Tickets Requested Steal or Forge Kerberos Tickets, Kerberoasting Anomaly
Unusual Number of Remote Endpoint Authentication Events Valid Accounts Hunting
Unusual Volume of Data Download from Internal Server Per Entity Data from Information Repositories, Data from Network Shared Drive Anomaly
Unusually Long Command Line None Anomaly
Unusually Long Command Line None Anomaly
Unusually Long Command Line - MLTK None Anomaly
Unusually Long Content-Type Length None Anomaly
User Discovery With Env Vars PowerShell System Owner/User Discovery Hunting
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery Hunting
VMware Server Side Template Injection Hunt Exploit Public-Facing Application Hunting
VMware Workspace ONE Freemarker Server-side Template Injection Exploit Public-Facing Application Anomaly
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Verclsid CLSID Execution Verclsid, System Binary Proxy Execution Hunting
W3WP Spawning Shell Server Software Component, Web Shell TTP
WBAdmin Delete System Backups Inhibit System Recovery TTP
WBAdmin Delete System Backups Inhibit System Recovery TTP
WMI Permanent Event Subscription Windows Management Instrumentation TTP
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution TTP
WMI Recon Running Process Or Services Gather Victim Host Information TTP
WMI Temporary Event Subscription Windows Management Instrumentation TTP
WMIC XSL Execution via URL XSL Script Processing TTP
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Wbemprox COM Object Execution System Binary Proxy Execution, CMSTP TTP
Web Fraud - Account Harvesting Create Account TTP
Web Fraud - Anomalous User Clickspeed Valid Accounts Anomaly
Web Fraud - Password Sharing Across Accounts None Anomaly
Web JSP Request via URL Web Shell, Server Software Component, Exploit Public-Facing Application TTP
Web Servers Executing Suspicious Processes System Information Discovery TTP
Web Spring Cloud Function FunctionRouter Exploit Public-Facing Application TTP
Web Spring4Shell HTTP Request Class Module Exploit Public-Facing Application TTP
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses TTP
Wermgr Process Create Executable File Obfuscated Files or Information TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
WevtUtil Usage To Clear Logs Indicator Removal on Host, Clear Windows Event Logs TTP
Wevtutil Usage To Disable Logs Indicator Removal on Host, Clear Windows Event Logs TTP
Wget Download and Bash Execution Ingress Tool Transfer TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WinRM Spawning a Process Exploit Public-Facing Application TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation Anomaly
Windows AdFind Exe Remote System Discovery TTP
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Application Layer Protocol TTP
Windows Autostart Execution LSASS Driver Registry Modification LSASS Driver TTP
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution TTP
Windows Bits Job Persistence BITS Jobs TTP
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer TTP
Windows CertUtil Decode File Deobfuscate/Decode Files or Information TTP
Windows CertUtil URLCache Download Ingress Tool Transfer TTP
Windows CertUtil VerifyCtl Download Ingress Tool Transfer TTP
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell, Command and Scripting Interpreter TTP
Windows Command and Scripting Interpreter Hunting Path Traversal Command and Scripting Interpreter Hunting
Windows Command and Scripting Interpreter Path Traversal Exec Command and Scripting Interpreter TTP
Windows Computer Account Created by Computer Account Steal or Forge Kerberos Tickets TTP
Windows Computer Account Requesting Kerberos Ticket Steal or Forge Kerberos Tickets TTP
Windows Computer Account With SPN Steal or Forge Kerberos Tickets TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP
Windows DISM Remove Defender Disable or Modify Tools, Impair Defenses TTP
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking TTP
Windows Defacement Modify Transcodedwallpaper File Defacement Anomaly
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows Defender Tools in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Anomaly
Windows Disable Change Password Through Registry Modify Registry Anomaly
Windows Disable Lock Workstation Feature Through Registry Modify Registry Anomaly
Windows Disable LogOff Button Through Registry Modify Registry Anomaly
Windows Disable Memory Crash Dump Data Destruction TTP
Windows Disable Notification Center Modify Registry Anomaly
Windows Disable Shutdown Button Through Registry Modify Registry Anomaly
Windows Disable Windows Group Policy Features Through Registry Modify Registry Anomaly
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows Disabled Users Failing To Authenticate Kerberos Password Spraying, Brute Force Anomaly
Windows DiskCryptor Usage Data Encrypted for Impact Hunting
Windows Diskshadow Proxy Execution System Binary Proxy Execution TTP
Windows Diskshadow Proxy Execution System Binary Proxy Execution Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows Driver Load Non-Standard Path Rootkit TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Event For Service Disabled Disable or Modify Tools, Impair Defenses Hunting
Windows Event Log Cleared Indicator Removal on Host, Clear Windows Event Logs TTP
Windows Event Triggered Image File Execution Options Injection Image File Execution Options Injection Hunting
Windows Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Anomaly
Windows Excessive Disabled Services Event Disable or Modify Tools, Impair Defenses TTP
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution TTP
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution TTP
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Gather Victim Host Information Camera Hardware, Gather Victim Host Information Anomaly
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information Hunting
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Get-AdComputer Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows Hide Notification Features Through Registry Modify Registry Anomaly
Windows High File Deletion Frequency Data Destruction Anomaly
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow Anomaly
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping Hunting
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Identify Protocol Handlers Command and Scripting Interpreter Hunting
Windows Impair Defense Add Xml Applocker Rules Disable or Modify Tools, Impair Defenses Hunting
Windows Impair Defense Delete Win Defender Context Menu Disable or Modify Tools, Impair Defenses Hunting
Windows Impair Defense Delete Win Defender Profile Registry Disable or Modify Tools, Impair Defenses Anomaly
Windows Impair Defense Deny Security Software With Applocker Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defenses Disable Win Defender Auto Logging Disable or Modify Tools, Impair Defenses Anomaly
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Indirect Command Execution Via pcalua Indirect Command Execution TTP
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Anomaly
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer TTP
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture Hunting
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows Invalid Users Failed Authentication via Kerberos Password Spraying, Brute Force Anomaly
Windows Java Spawning Shells Exploit Public-Facing Application TTP
Windows Kerberos Local Successful Logon Steal or Forge Kerberos Tickets TTP
Windows KrbRelayUp Service Creation Windows Service TTP
Windows LOLBin Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery Anomaly
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription TTP
Windows MSHTA Child Process Mshta, System Binary Proxy Execution TTP
Windows MSHTA Command-Line URL Mshta, System Binary Proxy Execution TTP
Windows MSHTA Inline HTA Execution Mshta, System Binary Proxy Execution TTP
Windows MSIExec DLLRegisterServer Msiexec TTP
Windows MSIExec Remote Download Msiexec TTP
Windows MSIExec Spawn Discovery Command Msiexec TTP
Windows MSIExec Unregister DLLRegisterServer Msiexec TTP
Windows MSIExec With Network Connections Msiexec TTP
Windows Mail Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows Modify Registry DisAllow Windows App Modify Registry TTP
Windows Modify Registry Disable Toast Notifications Modify Registry Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Anomaly
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Anomaly
Windows Modify Registry Disabling WER Settings Modify Registry TTP
Windows Modify Registry Regedit Silent Reg Import Modify Registry Anomaly
Windows Modify Registry Suppress Win Defender Notif Modify Registry Anomaly
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Windows Multi hop Proxy TOR Website Query Mail Protocols, Application Layer Protocol Anomaly
Windows NirSoft AdvancedRun Tool TTP
Windows NirSoft Utilities Tool Hunting
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping TTP
Windows OS Credential Dumping with Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Windows OS Credential Dumping with Procdump LSASS Memory, OS Credential Dumping TTP
Windows Odbcconf Hunting Odbcconf Hunting
Windows Odbcconf Load DLL Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf, System Binary Proxy Execution TTP
Windows Office Product Spawning MSDT Phishing, Spearphishing Attachment TTP
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP
Windows PowerShell Start-BitsTransfer BITS Jobs, Ingress Tool Transfer TTP
Windows PowerView Constrained Delegation Discovery Remote System Discovery TTP
Windows PowerView Kerberos Service Ticket Request Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Powershell Connect to Internet With Hidden Window Automated Exfiltration Anomaly
Windows Powershell DownloadFile Automated Exfiltration Anomaly
Windows Powershell Import Applocker Policy PowerShell TTP
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection Hunting
Windows Process With NamedPipe CommandLine Process Injection Anomaly
Windows Processes Killed By Industroyer2 Malware Service Stop Anomaly
Windows Protocol Tunneling with Plink Protocol Tunneling, SSH TTP
Windows Raccine Scheduled Task Deletion Disable or Modify Tools TTP
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection TTP
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows Registry Certificate Added Install Root Certificate, Subvert Trust Controls TTP
Windows Registry Delete Task SD Scheduled Task, Impair Defenses TTP
Windows Registry Modification for Safe Mode Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping Anomaly
Windows Remote Access Software Hunt Remote Access Software Hunting
Windows Remote Access Software RMS Registry Remote Access Software TTP
Windows Remote Assistance Spawning Process Process Injection TTP
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol, Remote Services TTP
Windows Remote Services Allow Rdp In Firewall Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Allow Remote Assistance Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Rdp Enable Remote Desktop Protocol, Remote Services TTP
Windows Root Domain linked policies Discovery Domain Account, Account Discovery Anomaly
Windows Rundll32 Comsvcs Memory Dump NTDS, OS Credential Dumping TTP
Windows Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta TTP
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job TTP
Windows Script Host Spawn MSBuild MSBuild, Trusted Developer Utilities Proxy Execution TTP
Windows Security Account Manager Stopped Service Stop TTP
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation TTP
Windows Service Created Within Public Path Create or Modify System Process, Windows Service TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Creation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Deletion In Registry Service Stop Anomaly
Windows Service Initiation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Stop By Deletion Service Stop TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution MSIExec DLLRegisterServer Msiexec TTP
Windows System Binary Proxy Execution MSIExec Remote Download Msiexec TTP
Windows System Binary Proxy Execution MSIExec Unregister DLL Msiexec TTP
Windows System File on Disk Exploitation for Privilege Escalation Hunting
Windows System LogOff Commandline System Shutdown/Reboot Anomaly
Windows System Reboot CommandLine System Shutdown/Reboot Anomaly
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly
Windows System Time Discovery W32tm Delay System Time Discovery Anomaly
Windows Terminating Lsass Process Disable or Modify Tools, Impair Defenses Anomaly
Windows Users Authenticate Using Explicit Credentials Password Spraying, Brute Force Anomaly
Windows Valid Account With Never Expires Password Service Stop TTP
Windows WMI Process Call Create Windows Management Instrumentation Hunting
Windows WMIPrvse Spawn MSBuild Trusted Developer Utilities Proxy Execution, MSBuild TTP
Windows WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism Anomaly
Windows connhost exe started forcefully Windows Command Shell TTP
Windows hosts file modification None TTP
Winhlp32 Spawning a Process Process Injection TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Wmic Group Discovery Permission Groups Discovery, Local Groups Hunting
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Hunting
Wmiprsve LOLBAS Execution Process Spawn Windows Management Instrumentation TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP
Wsmprovhost LOLBAS Execution Process Spawn Remote Services, Windows Remote Management TTP
XMRIG Driver Loaded Windows Service, Create or Modify System Process TTP
XSL Script Execution With WMIC XSL Script Processing TTP
aws detect attach to role policy Valid Accounts Hunting
aws detect permanent key creation Valid Accounts Hunting
aws detect role creation Valid Accounts Hunting
aws detect sts assume role abuse Valid Accounts Hunting
aws detect sts get session token abuse Use Alternate Authentication Material Hunting
gcp detect oauth token abuse Valid Accounts Hunting

Endpoint

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Cloud

Deprecated

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning

Application