Detections

| Name | Technique | Type |
| --- | --- | --- |
| 3CX Supply Chain Attack Network Indicators | Compromise Software Supply Chain | TTP |
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| ASL AWS CreateAccessKey | Valid Accounts | Hunting |
| ASL AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| ASL AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| ASL AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| ASL AWS Excessive Security Scanning | Cloud Service Discovery | Anomaly |
| ASL AWS IAM Delete Policy | Account Manipulation | Hunting |
| ASL AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP |
| ASL AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP |
| ASL AWS Password Policy Changes | Password Policy Discovery | Hunting |
| AWS AMI Attribute Modification for Exfiltration | Transfer Data to Cloud Account | TTP |
| AWS Cloud Provisioning From Previously Unseen City | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Cloud Provisioning From Previously Unseen Country | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Cloud Provisioning From Previously Unseen IP Address | None | Anomaly |
| AWS Cloud Provisioning From Previously Unseen Region | Unused/Unsupported Cloud Regions | Anomaly |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| AWS Console Login Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| AWS Create Policy Version to allow all resources | Cloud Accounts, Valid Accounts | TTP |
| AWS CreateAccessKey | Cloud Account, Create Account | Hunting |
| AWS CreateLoginProfile | Cloud Account, Create Account | TTP |
| AWS Credential Access Failed Login | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | TTP |
| AWS Credential Access GetPasswordData | Compromise Accounts, Cloud Accounts, Brute Force, Password Guessing | Anomaly |
| AWS Credential Access RDS Password reset | Compromise Accounts, Cloud Accounts, Brute Force | TTP |
| AWS Cross Account Activity From Previously Unseen Account | None | Anomaly |
| AWS Defense Evasion Delete CloudWatch Log Group | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| AWS Defense Evasion Delete Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Impair Security Services | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion PutBucketLifecycle | Disable or Modify Cloud Logs, Impair Defenses | Hunting |
| AWS Defense Evasion Stop Logging Cloudtrail | Disable or Modify Cloud Logs, Impair Defenses | TTP |
| AWS Defense Evasion Update Cloudtrail | Impair Defenses, Disable or Modify Cloud Logs | TTP |
| AWS Detect Users creating keys with encrypt policy without MFA | Data Encrypted for Impact | TTP |
| AWS Detect Users with KMS keys performing encryption S3 | Data Encrypted for Impact | Anomaly |
| AWS Disable Bucket Versioning | Inhibit System Recovery | Anomaly |
| AWS EC2 Snapshot Shared Externally | Transfer Data to Cloud Account | TTP |
| AWS ECR Container Scanning Findings High | Malicious Image, User Execution | TTP |
| AWS ECR Container Scanning Findings Low Informational Unknown | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Scanning Findings Medium | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Outside Business Hours | Malicious Image, User Execution | Anomaly |
| AWS ECR Container Upload Unknown User | Malicious Image, User Execution | Anomaly |
| AWS EKS Kubernetes cluster sensitive object access | None | Hunting |
| AWS Excessive Security Scanning | Cloud Service Discovery | TTP |
| AWS Exfiltration via Anomalous GetObject API Activity | Automated Collection | Anomaly |
| AWS Exfiltration via Batch Service | Automated Collection | TTP |
| AWS Exfiltration via Bucket Replication | Transfer Data to Cloud Account | TTP |
| AWS Exfiltration via DataSync Task | Automated Collection | TTP |
| AWS Exfiltration via EC2 Snapshot | Transfer Data to Cloud Account | TTP |
| AWS High Number Of Failed Authentications For User | Password Policy Discovery | Anomaly |
| AWS High Number Of Failed Authentications From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| AWS IAM AccessDenied Discovery Events | Cloud Infrastructure Discovery | Anomaly |
| AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| AWS IAM Delete Policy | Account Manipulation | Hunting |
| AWS IAM Failure Group Deletion | Account Manipulation | Anomaly |
| AWS IAM Successful Group Deletion | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting |
| AWS Lambda UpdateFunctionCode | User Execution | Hunting |
| AWS Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP |
| AWS Multiple Failed MFA Requests For User | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly |
| AWS Multiple Users Failing To Authenticate From Ip | Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| AWS Network Access Control List Created with All Open Ports | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall, Impair Defenses | Anomaly |
| AWS New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP |
| AWS Password Policy Changes | Password Policy Discovery | Hunting |
| AWS S3 Exfiltration Behavior Identified | Transfer Data to Cloud Account | Correlation |
| AWS SAML Access by Provider User and Principal | Valid Accounts | Anomaly |
| AWS SAML Update identity provider | Valid Accounts | TTP |
| AWS SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP |
| AWS Successful Console Authentication From Multiple IPs | Compromise Accounts, Unused/Unsupported Cloud Regions | Anomaly |
| AWS Successful Single-Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP |
| AWS Unusual Number of Failed Authentications From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| AWS UpdateLoginProfile | Cloud Account, Create Account | TTP |
| Abnormally High AWS Instances Launched by User | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Launched by User - MLTK | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Terminated by User | Cloud Accounts | Anomaly |
| Abnormally High AWS Instances Terminated by User - MLTK | Cloud Accounts | Anomaly |
| Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Destroyed | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Instances Launched | Cloud Accounts, Valid Accounts | Anomaly |
| Abnormally High Number Of Cloud Security Group API Calls | Cloud Accounts, Valid Accounts | Anomaly |
| Access LSASS Memory for Dump Creation | LSASS Memory, OS Credential Dumping | TTP |
| Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint | Exploit Public-Facing Application | TTP |
| Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Active Directory Lateral Movement Identified | Exploitation of Remote Services | Correlation |
| Active Directory Privilege Escalation Identified | Domain Policy Modification | Correlation |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Add DefaultUser And Password In Registry | Credentials in Registry, Unsecured Credentials | Anomaly |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| Adobe ColdFusion Access Control Bypass | Exploit Public-Facing Application | TTP |
| Adobe ColdFusion Unauthenticated Arbitrary File Read | Exploit Public-Facing Application | TTP |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Inbound Traffic In Firewall Rule | Remote Desktop Protocol, Remote Services | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Amazon EKS Kubernetes Pod scan detection | Cloud Service Discovery | Hunting |
| Amazon EKS Kubernetes cluster scan detection | Cloud Service Discovery | Hunting |
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly |
| Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempt To Add Certificate To Untrusted Store | Install Root Certificate, Subvert Trust Controls | TTP |
| Attempt To Delete Services | Service Stop, Create or Modify System Process, Windows Service | TTP |
| Attempt To Disable Services | Service Stop | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Attempted Credential Dump From Registry via Reg exe | OS Credential Dumping, Security Account Manager | TTP |
| Auto Admin Logon Registry Entry | Credentials in Registry, Unsecured Credentials | TTP |
| Azure AD Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP |
| Azure AD Application Administrator Role Assigned | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Authentication Failed During MFA Challenge | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD Block User Consent For Risky Apps Disabled | Impair Defenses | TTP |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Azure AD Device Code Authentication | Steal Application Access Token, Phishing, Spearphishing Link | TTP |
| Azure AD External Guest User Invited | Cloud Account | TTP |
| Azure AD FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP |
| Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP |
| Azure AD High Number Of Failed Authentications For User | Brute Force, Password Guessing | TTP |
| Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP |
| Azure AD Multi-Factor Authentication Disabled | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP |
| Azure AD Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Valid Accounts | Anomaly |
| Azure AD Multiple Denied MFA Requests For User | Multi-Factor Authentication Request Generation | TTP |
| Azure AD Multiple Failed MFA Requests For User | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP |
| Azure AD Multiple Service Principals Created by SP | Cloud Account | Anomaly |
| Azure AD Multiple Service Principals Created by User | Cloud Account | Anomaly |
| Azure AD Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| Azure AD New Custom Domain Added | Domain Policy Modification, Domain Trust Modification | TTP |
| Azure AD New Federated Domain Added | Domain Policy Modification, Domain Trust Modification | TTP |
| Azure AD New MFA Method Registered | Account Manipulation, Device Registration | TTP |
| Azure AD New MFA Method Registered For User | Modify Authentication Process, Multi-Factor Authentication | TTP |
| Azure AD OAuth Application Consent Granted By User | Steal Application Access Token | TTP |
| Azure AD PIM Role Assigned | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD PIM Role Assignment Activated | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Privileged Authentication Administrator Role Assigned | Security Account Manager | TTP |
| Azure AD Privileged Graph API Permission Assigned | Security Account Manager | TTP |
| Azure AD Privileged Role Assigned | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Privileged Role Assigned to Service Principal | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Service Principal Authentication | Cloud Accounts | TTP |
| Azure AD Service Principal Created | Cloud Account | TTP |
| Azure AD Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP |
| Azure AD Service Principal Owner Added | Account Manipulation | TTP |
| Azure AD Successful Authentication From Different Ips | Brute Force, Password Guessing, Password Spraying | TTP |
| Azure AD Successful PowerShell Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP |
| Azure AD Successful Single-Factor Authentication | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP |
| Azure AD Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP |
| Azure AD Unusual Number of Failed Authentications From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Anomaly |
| Azure AD User Consent Blocked for Risky Application | Steal Application Access Token | TTP |
| Azure AD User Consent Denied for OAuth Application | Steal Application Access Token | TTP |
| Azure AD User Enabled And Password Reset | Account Manipulation | TTP |
| Azure AD User ImmutableId Attribute Updated | Account Manipulation | TTP |
| Azure Active Directory High Risk Sign-in | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | TTP |
| Azure Automation Account Created | Create Account, Cloud Account | TTP |
| Azure Automation Runbook Created | Create Account, Cloud Account | TTP |
| Azure Runbook Webhook Created | Valid Accounts, Cloud Accounts | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| BITS Job Persistence | BITS Jobs | TTP |
| BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP |
| Batch File Write to System32 | User Execution, Malicious File | TTP |
| Bcdedit Command Back To Normal Mode Boot | Inhibit System Recovery | TTP |
| CHCP Command Execution | Command and Scripting Interpreter | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP |
| CSC Net On The Fly Compilation | Compile After Delivery, Obfuscated Files or Information | Hunting |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP |
| Certutil exe certificate extraction | None | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Change To Safe Mode With Network Config | Inhibit System Recovery | TTP |
| Check Elevated CMD using whoami | System Owner/User Discovery | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Circle CI Disable Security Job | Compromise Client Software Binary | Anomaly |
| Circle CI Disable Security Step | Compromise Client Software Binary | Anomaly |
| Cisco IOS XE Implant Access | Exploit Public-Facing Application | TTP |
| Citrix ADC Exploitation CVE-2023-3519 | Exploit Public-Facing Application | Hunting |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP |
| Citrix ShareFile Exploitation CVE-2023-24489 | Exploit Public-Facing Application | Hunting |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP |
| Clients Connecting to Multiple DNS Servers | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| Cloud API Calls From Previously Unseen User Roles | Valid Accounts | Anomaly |
| Cloud Compute Instance Created By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Compute Instance Created In Previously Unused Region | Unused/Unsupported Cloud Regions | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Image | None | Anomaly |
| Cloud Compute Instance Created With Previously Unseen Instance Type | None | Anomaly |
| Cloud Instance Modified By Previously Unseen User | Cloud Accounts, Valid Accounts | Anomaly |
| Cloud Network Access Control List Deleted | None | Anomaly |
| Cloud Provisioning Activity From Previously Unseen City | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Country | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen IP Address | Valid Accounts | Anomaly |
| Cloud Provisioning Activity From Previously Unseen Region | Valid Accounts | Anomaly |
| Cloud Security Groups Modifications by User | Modify Cloud Compute Configurations | Anomaly |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Confluence CVE-2023-22515 Trigger Vulnerability | Exploit Public-Facing Application | TTP |
| Confluence Data Center and Server Privilege Escalation | Exploit Public-Facing Application | TTP |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Exploit Public-Facing Application | TTP |
| Confluence Unauthenticated Remote Code Execution CVE-2022-26134 | Server Software Component, Exploit Public-Facing Application, External Remote Services | TTP |
| ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP |
| ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | TTP |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | TTP |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | TTP |
| Correlation by Repository and Risk | Malicious Image, User Execution | Correlation |
| Correlation by User and Risk | Malicious Image, User Execution | Correlation |
| Create Remote Thread In Shell Application | Process Injection | TTP |
| Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP |
| Create local admin accounts using net exe | Local Account, Create Account | TTP |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DNS Query Length Outliers - MLTK | DNS, Application Layer Protocol | Anomaly |
| DNS Query Length With High Standard Deviation | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Anomaly |
| DNS Query Requests Resolved by Unauthorized DNS Servers | DNS | TTP |
| DNS record changed | DNS | TTP |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Delete A Net User | Account Access Removal | Anomaly |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Deleting Of Net Users | Account Access Removal | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Deny Permission using Cacls Utility | File and Directory Permissions Modification | TTP |
| Detect API activity from users without MFA | None | Hunting |
| Detect ARP Poisoning | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect AWS API Activities From Unapproved Accounts | Cloud Accounts | Hunting |
| Detect AWS Console Login by New User | Compromise Accounts, Cloud Accounts, Unsecured Credentials | Hunting |
| Detect AWS Console Login by User from New City | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Country | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect AWS Console Login by User from New Region | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Hunting |
| Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | Hunting |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 Segfault | Exploitation for Privilege Escalation | TTP |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | Exploitation for Privilege Escalation | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect Certify With PowerShell Script Block Logging | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP |
| Detect Certipy File Modifications | Steal or Forge Authentication Certificates, Archive Collected Data | TTP |
| Detect Computer Changed with Anonymous Account | Exploitation of Remote Services | Hunting |
| Detect Copy of ShadowCopy with Script Block Logging | Security Account Manager, OS Credential Dumping | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP |
| Detect DGA domains using pretrained model in DSDL | Domain Generation Algorithms | Anomaly |
| Detect DNS Data Exfiltration using pretrained model in DSDL | Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | Spearphishing via Service | TTP |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP |
| Detect Excessive Account Lockouts From Endpoint | Valid Accounts, Domain Accounts | Anomaly |
| Detect Excessive User Account Lockouts | Valid Accounts, Local Accounts | Anomaly |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| Detect F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | TTP |
| Detect GCP Storage access from a new IP | Data from Cloud Storage | Anomaly |
| Detect HTML Help Renamed | System Binary Proxy Execution, Compiled HTML File | Hunting |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect Large Outbound ICMP Packets | Non-Application Layer Protocol | TTP |
| Detect Long DNS TXT Record Response | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz Via PowerShell And EventCode 4703 | LSASS Memory | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Detect New Local Admin account | Local Account, Create Account | TTP |
| Detect New Login Attempts to Routers | None | TTP |
| Detect New Open GCP Storage Buckets | Data from Cloud Storage | TTP |
| Detect New Open S3 Buckets over AWS CLI | Data from Cloud Storage | TTP |
| Detect New Open S3 buckets | Data from Cloud Storage | TTP |
| Detect Outbound LDAP Traffic | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting |
| Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP |
| Detect Outlook exe writing a zip file | Phishing, Spearphishing Attachment | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP |
| Detect Port Security Violation | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning | TTP |
| Detect PowerShell Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting |
| Detect Prohibited Browsers Spawning cmd exe | Command and Scripting Interpreter | Anomaly |
| Detect Prohibited Office Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect RTLO In File Name | Right-to-Left Override, Masquerading | TTP |
| Detect RTLO In Process | Right-to-Left Override, Masquerading | TTP |
| Detect Rare Executables | None | Anomaly |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regasm with no Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with Network Connection | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs with No Command Line Arguments | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | TTP |
| Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage File | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage URL | Remote Access Software | Anomaly |
| Detect Renamed 7-Zip | Archive via Utility, Archive Collected Data | Hunting |
| Detect Renamed PSExec | System Services, Service Execution | Hunting |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Hunting |
| Detect Risky SPL using Pretrained ML Model | Command and Scripting Interpreter | Anomaly |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP |
| Detect S3 access from a new IP | Data from Cloud Storage | Anomaly |
| Detect SNICat SNI Exfiltration | Exfiltration Over C2 Channel | TTP |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Software Download To Network Device | TFTP Boot, Pre-OS Boot | TTP |
| Detect Spike in AWS API Activity | Cloud Accounts | Anomaly |
| Detect Spike in AWS Security Hub Alerts for EC2 Instance | None | Anomaly |
| Detect Spike in AWS Security Hub Alerts for User | None | Anomaly |
| Detect Spike in Network ACL Activity | Disable or Modify Cloud Firewall | Anomaly |
| Detect Spike in S3 Bucket deletion | Data from Cloud Storage | Anomaly |
| Detect Spike in Security Group Activity | Cloud Accounts | Anomaly |
| Detect Spike in blocked Outbound Traffic from your AWS | None | Anomaly |
| Detect Traffic Mirroring | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | TTP |
| Detect USB device insertion | None | TTP |
| Detect Unauthorized Assets by MAC address | None | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Detect WMI Event Subscription Persistence | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| Detect Windows DNS SIGRed via Splunk Stream | Exploitation for Client Execution | TTP |
| Detect Windows DNS SIGRed via Zeek | Exploitation for Client Execution | TTP |
| Detect Zerologon via Zeek | Exploit Public-Facing Application | TTP |
| Detect attackers scanning for vulnerable JBoss servers | System Information Discovery, External Remote Services | TTP |
| Detect hosts connecting to dynamic domain providers | Drive-by Compromise | TTP |
| Detect malicious requests to exploit JBoss servers | None | TTP |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP |
| Detect mshta renamed | System Binary Proxy Execution, Mshta | Hunting |
| Detect new API calls from user roles | Cloud Accounts | Anomaly |
| Detect new user AWS Console Login | Cloud Accounts | Hunting |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP |
| Detect suspicious DNS TXT records using pretrained model in DSDL | Domain Generation Algorithms | Anomaly |
| Detect suspicious processnames using pretrained model in DSDL | Command and Scripting Interpreter | Anomaly |
| Detect web traffic to dynamic domain providers | Web Protocols | TTP |
| Detection of DNS Tunnels | Exfiltration Over Unencrypted Non-C2 Protocol | TTP |
| Detection of tools built by NirSoft | Software Deployment Tools | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender AntiVirus Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender MpEngine Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP |
| Disable Net User Account | Service Stop, Valid Accounts | TTP |
| Disable Registry Tool | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Security Logs Using MiniNt Registry | Modify Registry | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry | Anomaly |
| Disable UAC Remote Restriction | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disable Windows App Hotkeys | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Windows SmartScreen Protection | Disable or Modify Tools, Impair Defenses | TTP |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Disabling CMD Application | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling ControlPanel | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Firewall with Netsh | Disable or Modify Tools, Impair Defenses | Anomaly |
| Disabling FolderOptions Windows Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Net User Account | Account Access Removal | TTP |
| Disabling NoRun Windows App | Disable or Modify Tools, Impair Defenses, Modify Registry | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Disabling SystemRestore In Registry | Inhibit System Recovery | TTP |
| Disabling Task Manager | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Windows Local Security Authority Defences via Registry | Modify Authentication Process | TTP |
| Domain Account Discovery With Net App | Domain Account, Account Discovery | TTP |
| Domain Account Discovery with Dsquery | Domain Account, Account Discovery | Hunting |
| Domain Account Discovery with Wmic | Domain Account, Account Discovery | TTP |
| Domain Controller Discovery with Nltest | Remote System Discovery | TTP |
| Domain Controller Discovery with Wmic | Remote System Discovery | Hunting |
| Domain Group Discovery With Dsquery | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery With Wmic | Permission Groups Discovery, Domain Groups | Hunting |
| Domain Group Discovery with Adsisearcher | Permission Groups Discovery, Domain Groups | TTP |
| Download Files Using Telegram | Ingress Tool Transfer | TTP |
| Drop IcedID License dat | User Execution, Malicious File | Hunting |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump Rename | LSASS Memory | Hunting |
| EC2 Instance Modified With Previously Unseen User | Cloud Accounts | Anomaly |
| EC2 Instance Started In Previously Unseen Region | Unused/Unsupported Cloud Regions | Anomaly |
EC2 Instance Started With Previously Unseen AMI None Anomaly
EC2 Instance Started With Previously Unseen Instance Type None Anomaly
EC2 Instance Started With Previously Unseen User Cloud Accounts Anomaly
ETW Registry Disabled Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses TTP
Elevated Group Discovery With Net Permission Groups Discovery, Domain Groups TTP
Elevated Group Discovery With Wmic Permission Groups Discovery, Domain Groups TTP
Elevated Group Discovery with PowerView Permission Groups Discovery, Domain Groups Hunting
Email Attachments With Lots Of Spaces None Anomaly
Email files written outside of the Outlook directory Email Collection, Local Email Collection TTP
Email servers sending high volume traffic to hosts Email Collection, Remote Email Collection Anomaly
Enable RDP In Other Port Number Remote Services TTP
Enable WDigest UseLogonCredential Registry Modify Registry, OS Credential Dumping TTP
Enumerate Users Local Group Using Telegram Account Discovery TTP
Esentutl SAM Copy Security Account Manager, OS Credential Dumping Hunting
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Excel Spawning PowerShell Security Account Manager, OS Credential Dumping TTP
Excel Spawning Windows Script Host Security Account Manager, OS Credential Dumping TTP
Excessive Attempt To Disable Services Service Stop Anomaly
Excessive DNS Failures DNS, Application Layer Protocol Anomaly
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Excessive Service Stop Attempt Service Stop Anomaly
Excessive Usage Of Cacls App File and Directory Permissions Modification Anomaly
Excessive Usage Of Net App Account Access Removal Anomaly
Excessive Usage Of SC Service Utility System Services, Service Execution Anomaly
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Excessive Usage of NSLOOKUP App Exfiltration Over Alternative Protocol Anomaly
Excessive distinct processes from Windows Temp Command and Scripting Interpreter Anomaly
Excessive number of service control start as disabled Disable or Modify Tools, Impair Defenses Anomaly
Excessive number of taskhost processes Command and Scripting Interpreter Anomaly
Exchange PowerShell Abuse via SSRF Exploit Public-Facing Application, External Remote Services TTP
Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell TTP
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Execute Javascript With Jscript COM CLSID Command and Scripting Interpreter, Visual Basic TTP
Execution of File With Spaces Before Extension Rename System Utilities TTP
Execution of File with Multiple Extensions Masquerading, Rename System Utilities TTP
Exploit Public Facing Application via Apache Commons Text Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services Anomaly
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Exploit Public-Facing Application, External Remote Services TTP
Extended Period Without Successful Netbackup Backups None Hunting
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Exploit Public-Facing Application, External Remote Services TTP
F5 TMUI Authentication Bypass None TTP
File with Samsam Extension None TTP
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Anomaly
First Time Seen Child Process of Zoom Exploitation for Privilege Escalation Anomaly
First Time Seen Running Windows Service System Services, Service Execution Anomaly
First time seen command line argument PowerShell, Windows Command Shell Hunting
FodHelper UAC Bypass Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Fortinet Appliance Auth bypass Exploit Public-Facing Application, External Remote Services TTP
Fsutil Zeroing File Indicator Removal TTP
GCP Authentication Failed During MFA Challenge Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation TTP
GCP Detect accounts with high risk roles by project Valid Accounts Hunting
GCP Detect gcploit framework Valid Accounts TTP
GCP Detect high risk permissions by resource and account Valid Accounts Hunting
GCP Kubernetes cluster pod scan detection Cloud Service Discovery Hunting
GCP Kubernetes cluster scan detection Cloud Service Discovery TTP
GCP Multi-Factor Authentication Disabled Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication TTP
GCP Multiple Failed MFA Requests For User Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts TTP
GCP Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Anomaly
GCP Successful Single-Factor Authentication Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts TTP
GCP Unusual Number of Failed Authentications From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Anomaly
GPUpdate with no Command Line Arguments with Network Process Injection TTP
GSuite Email Suspicious Attachment Spearphishing Attachment, Phishing Anomaly
Gdrive suspicious file sharing Phishing Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Password Policy Discovery Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Password Policy Discovery Hunting
Get ADUser with PowerShell Domain Account, Account Discovery Hunting
Get ADUser with PowerShell Script Block Domain Account, Account Discovery Hunting
Get ADUserResultantPasswordPolicy with Powershell Password Policy Discovery TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block Password Policy Discovery TTP
Get DomainPolicy with Powershell Password Policy Discovery TTP
Get DomainPolicy with Powershell Script Block Password Policy Discovery TTP
Get DomainUser with PowerShell Domain Account, Account Discovery TTP
Get DomainUser with PowerShell Script Block Domain Account, Account Discovery TTP
Get WMIObject Group Discovery Permission Groups Discovery, Local Groups Hunting
Get WMIObject Group Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
Get-DomainTrust with PowerShell Domain Trust Discovery TTP
Get-DomainTrust with PowerShell Script Block Domain Trust Discovery TTP
Get-ForestTrust with PowerShell Domain Trust Discovery TTP
Get-ForestTrust with PowerShell Script Block Domain Trust Discovery, PowerShell TTP
GetAdComputer with PowerShell Remote System Discovery Hunting
GetAdComputer with PowerShell Script Block Remote System Discovery Hunting
GetAdGroup with PowerShell Permission Groups Discovery, Domain Groups Hunting
GetAdGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups Hunting
GetCurrent User with PowerShell System Owner/User Discovery Hunting
GetCurrent User with PowerShell Script Block System Owner/User Discovery Hunting
GetDomainComputer with PowerShell Remote System Discovery TTP
GetDomainComputer with PowerShell Script Block Remote System Discovery TTP
GetDomainController with PowerShell Remote System Discovery Hunting
GetDomainController with PowerShell Script Block Remote System Discovery TTP
GetDomainGroup with PowerShell Permission Groups Discovery, Domain Groups TTP
GetDomainGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups TTP
GetLocalUser with PowerShell Account Discovery, Local Account Hunting
GetLocalUser with PowerShell Script Block Account Discovery, Local Account, PowerShell Hunting
GetNetTcpconnection with PowerShell System Network Connections Discovery Hunting
GetNetTcpconnection with PowerShell Script Block System Network Connections Discovery Hunting
GetWmiObject DS User with PowerShell Domain Account, Account Discovery TTP
GetWmiObject DS User with PowerShell Script Block Domain Account, Account Discovery TTP
GetWmiObject Ds Computer with PowerShell Remote System Discovery TTP
GetWmiObject Ds Computer with PowerShell Script Block Remote System Discovery TTP
GetWmiObject Ds Group with PowerShell Permission Groups Discovery, Domain Groups TTP
GetWmiObject Ds Group with PowerShell Script Block Permission Groups Discovery, Domain Groups TTP
GetWmiObject User Account with PowerShell Account Discovery, Local Account Hunting
GetWmiObject User Account with PowerShell Script Block Account Discovery, Local Account, PowerShell Hunting
GitHub Actions Disable Security Workflow Compromise Software Supply Chain, Supply Chain Compromise Anomaly
GitHub Dependabot Alert Compromise Software Dependencies and Development Tools, Supply Chain Compromise Anomaly
GitHub Pull Request from Unknown User Compromise Software Dependencies and Development Tools, Supply Chain Compromise Anomaly
Github Commit Changes In Master Trusted Relationship Anomaly
Github Commit In Develop Trusted Relationship Anomaly
Grant Permission Using Cacls Utility File and Directory Permissions Modification TTP
Gsuite Drive Share In External Email Exfiltration to Cloud Storage, Exfiltration Over Web Service Anomaly
Gsuite Email Suspicious Subject With Attachment Spearphishing Attachment, Phishing Anomaly
Gsuite Email With Known Abuse Web Service Link Spearphishing Attachment, Phishing Anomaly
Gsuite Outbound Email With Attachment To External Domain Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Gsuite Suspicious Shared File Name Spearphishing Attachment, Phishing Anomaly
Gsuite suspicious calendar invite Phishing Hunting
Headless Browser Mockbin or Mocky Request Hidden Window TTP
Headless Browser Usage Hidden Window Hunting
Hide User Account From Sign-In Screen Disable or Modify Tools, Impair Defenses TTP
Hiding Files And Directories With Attrib exe File and Directory Permissions Modification, Windows File and Directory Permissions Modification TTP
Hiding Files And Directories With Attrib exe Windows File and Directory Permissions Modification, File and Directory Permissions Modification TTP
High Frequency Copy Of Files In Network Share Transfer Data to Cloud Account Anomaly
High Number of Login Failures from a single source Password Guessing, Brute Force Anomaly
High Process Termination Frequency Data Encrypted for Impact Anomaly
High Volume of Bytes Out to Url Exfiltration Over Web Service Anomaly
Hosts receiving high volume of network traffic from email server Remote Email Collection, Email Collection Anomaly
Hunting 3CXDesktopApp Software Compromise Software Supply Chain Hunting
Hunting for Log4Shell Exploit Public-Facing Application, External Remote Services Hunting
ICACLS Grant Command File and Directory Permissions Modification TTP
Icacls Deny Command File and Directory Permissions Modification TTP
IcedID Exfiltrated Archived File Creation Archive via Utility, Archive Collected Data Hunting
Identify New User Accounts Domain Accounts Hunting
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Interactive Session on Remote Endpoint with PowerShell Remote Services, Windows Remote Management TTP
Ivanti Connect Secure Command Injection Attempts Exploit Public-Facing Application TTP
Ivanti Connect Secure SSRF in SAML Component Exploit Public-Facing Application TTP
Ivanti Connect Secure System Information Access via Auth Bypass Exploit Public-Facing Application Anomaly
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Exploit Public-Facing Application, External Remote Services TTP
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Exploit Public-Facing Application, External Remote Services TTP
Ivanti Sentry Authentication Bypass Exploit Public-Facing Application TTP
Java Class File download by Java User Agent Exploit Public-Facing Application TTP
Java Writing JSP File Exploit Public-Facing Application, External Remote Services TTP
Jenkins Arbitrary File Read CVE-2024-23897 Exploit Public-Facing Application TTP
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Exploit Public-Facing Application TTP
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Exploit Public-Facing Application TTP
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Exploit Public-Facing Application TTP
JetBrains TeamCity RCE Attempt Exploit Public-Facing Application TTP
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript TTP
Juniper Networks Remote Code Execution Exploit Detection Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter TTP
Kerberoasting spn request with RC4 encryption Steal or Forge Kerberos Tickets, Kerberoasting TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Kerberos Service Ticket Request Using RC4 Encryption Steal or Forge Kerberos Tickets, Golden Ticket TTP
Kerberos TGT Request Using RC4 Encryption Use Alternate Authentication Material TTP
Kerberos User Enumeration Gather Victim Identity Information, Email Addresses Anomaly
Known Services Killed by Ransomware Inhibit System Recovery TTP
Kubernetes AWS detect RBAC authorization by account None Hunting
Kubernetes AWS detect most active service accounts by pod None Hunting
Kubernetes AWS detect sensitive role access None Hunting
Kubernetes AWS detect service accounts forbidden failure access None Hunting
Kubernetes AWS detect suspicious kubectl calls None Anomaly
Kubernetes Abuse of Secret by Unusual Location Container API Anomaly
Kubernetes Abuse of Secret by Unusual User Agent Container API Anomaly
Kubernetes Abuse of Secret by Unusual User Group Container API Anomaly
Kubernetes Abuse of Secret by Unusual User Name Container API Anomaly
Kubernetes Access Scanning Network Service Discovery Anomaly
Kubernetes Anomalous Inbound Network Activity from Process User Execution Anomaly
Kubernetes Anomalous Inbound Outbound Network IO User Execution Anomaly
Kubernetes Anomalous Inbound to Outbound Network IO Ratio User Execution Anomaly
Kubernetes Anomalous Outbound Network Activity from Process User Execution Anomaly
Kubernetes Anomalous Traffic on Network Edge User Execution Anomaly
Kubernetes Azure active service accounts by pod namespace None Hunting
Kubernetes Azure detect RBAC authorization by account None Hunting
Kubernetes Azure detect sensitive object access None Hunting
Kubernetes Azure detect sensitive role access None Hunting
Kubernetes Azure detect service accounts forbidden failure access None Hunting
Kubernetes Azure detect suspicious kubectl calls None Hunting
Kubernetes Azure pod scan fingerprint None Hunting
Kubernetes Azure scan fingerprint Cloud Service Discovery Hunting
Kubernetes Create or Update Privileged Pod User Execution Anomaly
Kubernetes Cron Job Creation Container Orchestration Job Anomaly
Kubernetes DaemonSet Deployed User Execution Anomaly
Kubernetes Falco Shell Spawned User Execution Anomaly
Kubernetes GCP detect RBAC authorizations by account None Hunting
Kubernetes GCP detect most active service accounts by pod None Hunting
Kubernetes GCP detect sensitive object access None Hunting
Kubernetes GCP detect sensitive role access None Hunting
Kubernetes GCP detect service accounts forbidden failure access None Hunting
Kubernetes GCP detect suspicious kubectl calls None Hunting
Kubernetes Nginx Ingress LFI Exploitation for Credential Access TTP
Kubernetes Nginx Ingress RFI Exploitation for Credential Access TTP
Kubernetes Node Port Creation User Execution Anomaly
Kubernetes Pod Created in Default Namespace User Execution Anomaly
Kubernetes Pod With Host Network Attachment User Execution Anomaly
Kubernetes Previously Unseen Container Image Name User Execution Anomaly
Kubernetes Previously Unseen Process User Execution Anomaly
Kubernetes Process Running From New Path User Execution Anomaly
Kubernetes Process with Anomalous Resource Utilisation User Execution Anomaly
Kubernetes Process with Resource Ratio Anomalies User Execution Anomaly
Kubernetes Scanner Image Pulling Cloud Service Discovery TTP
Kubernetes Scanning by Unauthenticated IP Address Network Service Discovery Anomaly
Kubernetes Shell Running on Worker Node User Execution Anomaly
Kubernetes Shell Running on Worker Node with CPU Activity User Execution Anomaly
Kubernetes Suspicious Image Pulling Cloud Service Discovery Anomaly
Kubernetes Unauthorized Access User Execution Anomaly
Kubernetes newly seen TCP edge User Execution Anomaly
Kubernetes newly seen UDP edge User Execution Anomaly
LOLBAS With Network Traffic Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution TTP
Large Volume of DNS ANY Queries Network Denial of Service, Reflection Amplification Anomaly
Linux APT Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux AWK Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Account Manipulation Of SSH Config and Keys Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Add Files In Known Crontab Directories Cron, Scheduled Task/Job Anomaly
Linux Add User Account Local Account, Create Account Hunting
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux At Allow Config File Creation Cron, Scheduled Task/Job Anomaly
Linux At Application Execution At, Scheduled Task/Job Anomaly
Linux Busybox Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Change File Owner To Root Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification Anomaly
Linux Clipboard Data Copy Clipboard Data Anomaly
Linux Common Process For Elevation Control Setuid and Setgid, Abuse Elevation Control Mechanism Hunting
Linux Composer Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Cpulimit Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Csvtool Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Curl Upload File Ingress Tool Transfer TTP
Linux DD File Overwrite Data Destruction TTP
Linux Data Destruction Command Data Destruction TTP
Linux Decode Base64 to Shell Obfuscated Files or Information, Unix Shell TTP
Linux Deleting Critical Directory Using RM Command Data Destruction TTP
Linux Deletion Of Cron Jobs Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Deletion Of Init Daemon Script Data Destruction, File Deletion, Indicator Removal TTP
Linux Deletion Of Services Data Destruction, File Deletion, Indicator Removal TTP
Linux Deletion of SSL Certificate Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Disable Services Service Stop TTP
Linux Doas Conf File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Doas Tool Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Docker Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Edit Cron Table Parameter Cron, Scheduled Task/Job Hunting
Linux Emacs Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux File Created In Kernel Driver Directory Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux File Creation In Init Boot Directory RC Scripts, Boot or Logon Initialization Scripts Anomaly
Linux File Creation In Profile Directory Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Find Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GDB Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux GNU Awk Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Gem Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Hardware Addition SwapOff Hardware Additions Anomaly
Linux High Frequency Of File Deletion In Boot Folder Data Destruction, File Deletion, Indicator Removal TTP
Linux High Frequency Of File Deletion In Etc Folder Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Impair Defenses Process Kill Disable or Modify Tools, Impair Defenses Hunting
Linux Indicator Removal Clear Cache Indicator Removal TTP
Linux Indicator Removal Service File Deletion File Deletion, Indicator Removal Anomaly
Linux Ingress Tool Transfer Hunting Ingress Tool Transfer Hunting
Linux Ingress Tool Transfer with Curl Ingress Tool Transfer Anomaly
Linux Insert Kernel Module Using Insmod Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Install Kernel Module Using Modprobe Utility Kernel Modules and Extensions, Boot or Logon Autostart Execution Anomaly
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Java Spawning Shell Exploit Public-Facing Application, External Remote Services TTP
Linux Kernel Module Enumeration System Information Discovery, Rootkit Anomaly
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Hunting
Linux Make Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux MySQL Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux NOPASSWD Entry In Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Anomaly
Linux Node Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Obfuscated Files or Information Base64 Decode Obfuscated Files or Information Anomaly
Linux Octave Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux OpenVPN Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux PHP Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Correlation
Linux Possible Access Or Modification Of sshd Config File SSH Authorized Keys, Account Manipulation Anomaly
Linux Possible Access To Credential Files /etc/passwd and /etc/shadow, OS Credential Dumping Anomaly
Linux Possible Access To Sudoers File Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Possible Append Command To At Allow Config File At, Scheduled Task/Job Anomaly
Linux Possible Append Command To Profile Config File Unix Shell Configuration Modification, Event Triggered Execution Anomaly
Linux Possible Append Cronjob Entry on Existing Cronjob File Cron, Scheduled Task/Job Hunting
Linux Possible Cronjob Modification With Editor Cron, Scheduled Task/Job Hunting
Linux Possible Ssh Key File Creation SSH Authorized Keys, Account Manipulation Anomaly
Linux Preload Hijack Library Calls Dynamic Linker Hijacking, Hijack Execution Flow TTP
Linux Proxy Socks Curl Proxy, Non-Application Layer Protocol TTP
Linux Puppet Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux RPM Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Ruby Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux SSH Authorized Keys Modification SSH Authorized Keys Anomaly
Linux SSH Remote Services Script Execute SSH TTP
Linux Service File Created In Systemd Directory Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Service Started Or Enabled Systemd Timers, Scheduled Task/Job Anomaly
Linux Setuid Using Chmod Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Setuid Using Setcap Utility Setuid and Setgid, Abuse Elevation Control Mechanism Anomaly
Linux Shred Overwrite Command Data Destruction TTP
Linux Sqlite3 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Stop Services Service Stop TTP
Linux Sudo OR Su Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Hunting
Linux Sudoers Tmp File Creation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux System Network Discovery System Network Configuration Discovery Anomaly
Linux System Reboot Via System Request Key System Shutdown/Reboot TTP
Linux Unix Shell Enable All SysRq Functions Unix Shell, Command and Scripting Interpreter Anomaly
Linux Visudo Utility Execution Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux apt-get Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c89 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux c99 Privilege Escalation Sudo and Sudo Caching, Abuse Elevation Control Mechanism Anomaly
Linux pkexec Privilege Escalation Exploitation for Privilege Escalation TTP
Living Off The Land Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services Correlation
Loading Of Dynwrapx Module Process Injection, Dynamic-link Library Injection TTP
Local Account Discovery With Wmic Account Discovery, Local Account Hunting
Local Account Discovery with Net Account Discovery, Local Account Hunting
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services Correlation
Log4Shell JNDI Payload Injection Attempt Exploit Public-Facing Application, External Remote Services Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application, External Remote Services Anomaly
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) TTP
MS Exchange Mailbox Replication service writing Active Server Pages Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services TTP
MS Scripting Process Loading Ldap Module Command and Scripting Interpreter, JavaScript Anomaly
MS Scripting Process Loading WMI Module Command and Scripting Interpreter, JavaScript Anomaly
MSBuild Suspicious Spawned By Script Process MSBuild, Trusted Developer Utilities Proxy Execution TTP
MSHTML Module Load in Office Product Phishing, Spearphishing Attachment TTP
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow Hunting
MacOS - Re-opened Applications None TTP
MacOS LOLbin Unix Shell, Command and Scripting Interpreter TTP
MacOS plutil Plist File Modification TTP
Mailsniper Invoke functions Email Collection, Local Email Collection TTP
Malicious InProcServer32 Modification Regsvr32, Modify Registry TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell TTP
Malicious Powershell Executed As A Service System Services, Service Execution TTP
Microsoft SharePoint Server Elevation of Privilege Exploitation for Privilege Escalation TTP
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC TTP
Modification Of Wallpaper Defacement TTP
Modify ACL permission To Files Or Folder File and Directory Permissions Modification Anomaly
Modify ACLs Permission Of Files Or Folders File and Directory Permissions Modification Anomaly
Monitor DNS For Brand Abuse None TTP
Monitor Email For Brand Abuse None TTP
Monitor Registry Keys for Print Monitors Port Monitors, Boot or Logon Autostart Execution TTP
Monitor Web Traffic For Brand Abuse None TTP
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Msmpeng Application DLL Side Loading DLL Side-Loading, Hijack Execution Flow TTP
Multiple Archive Files Http Post Traffic Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Multiple Okta Users With Invalid Credentials From The Same IP Valid Accounts, Default Accounts Hunting
NET Profiler UAC bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
Network Share Discovery Via Dir Command Network Share Discovery Hunting
Network Traffic to Active Directory Web Services Protocol Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery Hunting
Nginx ConnectWise ScreenConnect Authentication Bypass Exploit Public-Facing Application TTP
Ngrok Reverse Proxy on Network Protocol Tunneling, Proxy, Web Service Anomaly
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell TTP
No Windows Updates in a time frame None Hunting
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Notepad with no Command Line Arguments Process Injection TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
O365 Add App Role Assignment Grant User Cloud Account, Create Account TTP
O365 Added Service Principal Cloud Account, Create Account TTP
O365 Admin Consent Bypassed by Service Principal Security Account Manager TTP
O365 Advanced Audit Disabled Impair Defenses, Disable or Modify Cloud Logs TTP
O365 Application Registration Owner Added Account Manipulation TTP
O365 ApplicationImpersonation Role Assigned Account Manipulation, Additional Email Delegate Permissions TTP
O365 Block User Consent For Risky Apps Disabled Impair Defenses TTP
O365 Bypass MFA via Trusted IP Disable or Modify Cloud Firewall, Impair Defenses TTP
O365 Concurrent Sessions From Different Ips Browser Session Hijacking TTP
O365 Disable MFA Modify Authentication Process TTP
O365 Excessive Authentication Failures Alert Brute Force Anomaly
O365 Excessive SSO logon errors Modify Authentication Process Anomaly
O365 File Permissioned Application Consent Granted by User Steal Application Access Token TTP
O365 FullAccessAsApp Permission Assigned Additional Email Delegate Permissions, Additional Cloud Roles TTP
O365 High Number Of Failed Authentications for User Brute Force, Password Guessing TTP
O365 High Privilege Role Granted Account Manipulation, Additional Cloud Roles TTP
O365 Mail Permissioned Application Consent Granted by User Steal Application Access Token TTP
O365 Mailbox Inbox Folder Shared with All Users Email Collection, Remote Email Collection TTP
O365 Mailbox Read Access Granted to Application Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles TTP
O365 Multi-Source Failed Authentications Spike Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing Hunting
O365 Multiple AppIDs and UserAgents Authentication Spike Valid Accounts Anomaly
O365 Multiple Failed MFA Requests For User Multi-Factor Authentication Request Generation TTP
O365 Multiple Mailboxes Accessed via API Remote Email Collection TTP
O365 Multiple Service Principals Created by SP Cloud Account Anomaly
O365 Multiple Service Principals Created by User Cloud Account Anomaly
O365 Multiple Users Failing To Authenticate From Ip Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing TTP
O365 New Federated Domain Added Cloud Account, Create Account TTP
O365 New MFA Method Registered Account Manipulation, Device Registration TTP
O365 OAuth App Mailbox Access via EWS Remote Email Collection TTP
O365 OAuth App Mailbox Access via Graph API Remote Email Collection TTP
O365 PST export alert Email Collection TTP
O365 Privileged Graph API Permission Assigned Security Account Manager TTP
O365 Service Principal New Client Credentials Account Manipulation, Additional Cloud Credentials TTP
O365 Suspicious Admin Email Forwarding Email Forwarding Rule, Email Collection Anomaly
O365 Suspicious Rights Delegation Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation TTP
O365 Suspicious User Email Forwarding Email Forwarding Rule, Email Collection Anomaly
O365 Tenant Wide Admin Consent Granted Account Manipulation, Additional Cloud Roles TTP
O365 User Consent Blocked for Risky Application Steal Application Access Token TTP
O365 User Consent Denied for OAuth Application Steal Application Access Token TTP
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Application Spawn Regsvr32 process Phishing, Spearphishing Attachment TTP
Office Application Spawn rundll32 process Phishing, Spearphishing Attachment TTP
Office Document Creating Schedule Task Phishing, Spearphishing Attachment TTP
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Document Spawned Child Process To Download Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning BITSAdmin Phishing, Spearphishing Attachment TTP
Office Product Spawning CertUtil Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Office Product Spawning Rundll32 with no DLL Phishing, Spearphishing Attachment TTP
Office Product Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Office Product Spawning Wmic Phishing, Spearphishing Attachment TTP
Office Product Writing cab or inf Phishing, Spearphishing Attachment TTP
Office Spawning Control Phishing, Spearphishing Attachment TTP
Okta Account Locked Out Brute Force Anomaly
Okta Account Lockout Events Valid Accounts, Default Accounts Anomaly
Okta Failed SSO Attempts Valid Accounts, Default Accounts Anomaly
Okta MFA Exhaustion Hunt Brute Force Hunting
Okta Mismatch Between Source and Response for Verify Push Request Multi-Factor Authentication Request Generation TTP
Okta Multiple Failed Requests to Access Applications Web Session Cookie, Cloud Service Dashboard Hunting
Okta New API Token Created Valid Accounts, Default Accounts TTP
Okta New Device Enrolled on Account Valid Accounts, Default Accounts Anomaly
Okta Phishing Detection with FastPass Origin Check Valid Accounts, Default Accounts, Modify Authentication Process TTP
Okta Risk Threshold Exceeded Valid Accounts, Brute Force Correlation
Okta Suspicious Activity Reported Valid Accounts, Default Accounts TTP
Okta Suspicious Use of a Session Cookie Steal Web Session Cookie Hunting
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts, Default Accounts, Credential Stuffing TTP
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts, Default Accounts, Password Spraying TTP
Okta ThreatInsight Threat Detected Valid Accounts, Default Accounts Anomaly
Okta Two or More Rejected Okta Pushes Brute Force TTP
Okta User Logins From Multiple Cities Valid Accounts, Default Accounts Anomaly
Open Redirect in Splunk Web None TTP
Osquery pack - ColdRoot detection None TTP
Outbound Network Connection from Java Using Default Ports Exploit Public-Facing Application, External Remote Services TTP
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features TTP
PaperCut NG Remote Web Access Attempt Exploit Public-Facing Application, External Remote Services TTP
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application, External Remote Services Hunting
Password Policy Discovery with Net Password Policy Discovery Hunting
Path traversal SPL injection File and Directory Discovery TTP
Permission Modification using Takeown App File and Directory Permissions Modification TTP
Persistent XSS in RapidDiag through User Interface Views Drive-by Compromise TTP
PetitPotam Network Share Access Request Forced Authentication TTP
PetitPotam Suspicious Kerberos TGT Request OS Credential Dumping TTP
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
PingID Mismatch Auth Source and Verification Response Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration TTP
PingID Multiple Failed MFA Requests For User Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force TTP
PingID New MFA Method After Credential Reset Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration TTP
PingID New MFA Method Registered For User Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration TTP
Plain HTTP POST Exfiltrated Data Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol TTP
Possible Browser Pass View Parameter Credentials from Web Browsers, Credentials from Password Stores Hunting
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC TTP
Potential password in username Local Accounts, Credentials In Files Hunting
Potentially malicious code on commandline Windows Command Shell Anomaly
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
PowerShell Enable PowerShell Remoting PowerShell, Command and Scripting Interpreter Anomaly
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Hunting
PowerShell Invoke CIMMethod CIMSession Windows Management Instrumentation Anomaly
PowerShell Invoke WmiExec Usage Windows Management Instrumentation TTP
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
PowerShell Script Block With URL Chain PowerShell, Ingress Tool Transfer TTP
PowerShell Start or Stop Service PowerShell Anomaly
PowerShell Start-BitsTransfer BITS Jobs TTP
PowerShell WebRequest Using Memory Stream PowerShell, Ingress Tool Transfer, Fileless Storage TTP
Powershell COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell TTP
Powershell Creating Thread Mutex Obfuscated Files or Information, Indicator Removal from Tools, PowerShell TTP
Powershell Disable Security Monitoring Disable or Modify Tools, Impair Defenses TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution, PowerShell TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
Powershell Load Module in Meterpreter Command and Scripting Interpreter, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Remote Services Add TrustedHost Windows Remote Management, Remote Services TTP
Powershell Remote Thread To Known Windows Process Process Injection TTP
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses TTP
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Prevent Automatic Repair Mode using Bcdedit Inhibit System Recovery TTP
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Adding A Printer Driver Print Processors, Boot or Logon Autostart Execution TTP
Print Spooler Failed to Load a Plug-in Print Processors, Boot or Logon Autostart Execution TTP
Process Creating LNK file in Suspicious Location Phishing, Spearphishing Link TTP
Process Deleting Its Process File Path Indicator Removal TTP
Process Execution via WMI Windows Management Instrumentation TTP
Process Kill Base On File Path Disable or Modify Tools, Impair Defenses TTP
Process Writing DynamicWrapperX Command and Scripting Interpreter, Component Object Model Hunting
Processes Tapping Keyboard Events None TTP
Processes created by netsh Disable or Modify System Firewall TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Prohibited Software On Endpoint None Hunting
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol Anomaly
Protocols passing authentication in cleartext None TTP
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application, External Remote Services Correlation
Randomly Generated Scheduled Task Name Scheduled Task/Job, Scheduled Task Hunting
Randomly Generated Windows Service Name Create or Modify System Process, Windows Service Hunting
Ransomware Notes bulk creation Data Encrypted for Impact Anomaly
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Recursive Delete of Directory In Batch CMD File Deletion, Indicator Removal TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow TTP
Reg exe used to hide files directories via registry keys Hidden Files and Directories TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Registry Keys for Creating SHIM Databases Application Shimming, Event Triggered Execution TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remcos RAT File Creation in Remcos Folder Screen Capture TTP
Remcos client registry install entry Modify Registry TTP
Remote Desktop Network Bruteforce Remote Desktop Protocol, Remote Services TTP
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Hunting
Remote Process Instantiation via DCOM and PowerShell Remote Services, Distributed Component Object Model TTP
Remote Process Instantiation via DCOM and PowerShell Script Block Remote Services, Distributed Component Object Model TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Script Block Windows Management Instrumentation TTP
Remote Process Instantiation via WinRM and PowerShell Remote Services, Windows Remote Management TTP
Remote Process Instantiation via WinRM and PowerShell Script Block Remote Services, Windows Remote Management TTP
Remote Process Instantiation via WinRM and Winrs Remote Services, Windows Remote Management TTP
Remote Registry Key modifications None TTP
Remote System Discovery with Adsisearcher Remote System Discovery TTP
Remote System Discovery with Dsquery Remote System Discovery Hunting
Remote System Discovery with Net Remote System Discovery Hunting
Remote System Discovery with Wmic Remote System Discovery TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Resize ShadowStorage volume Inhibit System Recovery TTP
Resize Shadowstorage Volume Service Stop TTP
Revil Common Exec Parameter User Execution TTP
Revil Registry Entry Modify Registry TTP
Risk Rule for Dev Sec Ops by Repository Malicious Image, User Execution Correlation
Rubeus Command Line Parameters Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access Use Alternate Authentication Material, Pass the Ticket TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Hunting
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 TTP
Rundll32 LockWorkStation System Binary Proxy Execution, Rundll32 Anomaly
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 TTP
Ryuk Test Files Detected Data Encrypted for Impact TTP
Ryuk Wake on LAN Command Command and Scripting Interpreter, Windows Command Shell TTP
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
SLUI RunAs Elevated Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SLUI Spawning a Process Bypass User Account Control, Abuse Elevation Control Mechanism TTP
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly
SQL Injection with Long URLs Exploit Public-Facing Application TTP
SSL Certificates with Punycode Encrypted Channel Hunting
Samsam Test File Write Data Encrypted for Impact TTP
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process TTP
SchCache Change By App Connect And Create ADSI Object Domain Account, Account Discovery Anomaly
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task TTP
Scheduled tasks used in BadRabbit ransomware Scheduled Task TTP
Schtasks Run Task On Demand Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Schtasks used for forcing a reboot Scheduled Task, Scheduled Task/Job TTP
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver TTP
Script Execution via WMI Windows Management Instrumentation TTP
Sdclt UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal TTP
Sdelete Application Execution Data Destruction, File Deletion, Indicator Removal Anomaly
SearchProtocolHost with no Command Line with Network Process Injection TTP
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
ServicePrincipalNames Discovery with PowerShell Kerberoasting TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Shim Database File Creation Application Shimming, Event Triggered Execution TTP
Shim Database Installation With Suspicious Parameters Application Shimming, Event Triggered Execution TTP
Short Lived Scheduled Task Scheduled Task TTP
Short Lived Windows Accounts Local Account, Create Account TTP
SilentCleanup UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Single Letter Process On Endpoint User Execution, Malicious File TTP
Spectre and Meltdown Vulnerable Systems None TTP
Spike in File Writes None Anomaly
Splunk Absolute Path Traversal Using runshellscript File and Directory Discovery Hunting
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery TTP
Splunk App for Lookup File Editing RCE via User XSLT Exploitation of Remote Services Hunting
Splunk Code Injection via custom dashboard leading to RCE Exploitation of Remote Services Hunting
Splunk Command and Scripting Interpreter Delete Usage Command and Scripting Interpreter Anomaly
Splunk Command and Scripting Interpreter Risky Commands Command and Scripting Interpreter Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK Command and Scripting Interpreter Anomaly
Splunk DOS Via Dump SPL Command Application or System Exploitation Hunting
Splunk DOS via printf search function Application or System Exploitation Hunting
Splunk Data exfiltration from Analytics Workspace using sid query Exfiltration Over Web Service Hunting
Splunk Digital Certificates Infrastructure Version Digital Certificates Hunting
Splunk Digital Certificates Lack of Encryption Digital Certificates Anomaly
Splunk DoS Using Malformed SAML Request Network Denial of Service Hunting
Splunk DoS via Malformed S2S Request Network Denial of Service TTP
Splunk ES DoS Investigations Manager via Investigation Creation Endpoint Denial of Service TTP
Splunk ES DoS Through Investigation Attachments Endpoint Denial of Service TTP
Splunk Edit User Privilege Escalation Abuse Elevation Control Mechanism Hunting
Splunk Endpoint Denial of Service DoS Zip Bomb Endpoint Denial of Service TTP
Splunk Enterprise Information Disclosure None TTP
Splunk Enterprise KV Store Incorrect Authorization Abuse Elevation Control Mechanism Hunting
Splunk Enterprise Windows Deserialization File Partition Exploit Public-Facing Application TTP
Splunk HTTP Response Splitting Via Rest SPL Command HTML Smuggling Hunting
Splunk Identified SSL TLS Certificates Network Sniffing Hunting
Splunk Improperly Formatted Parameter Crashes splunkd Endpoint Denial of Service TTP
Splunk Information Disclosure in Splunk Add-on Builder System Information Discovery Hunting
Splunk Low Privilege User Can View Hashed Splunk Password Exploitation for Credential Access Hunting
Splunk Path Traversal In Splunk App For Lookup File Edit File and Directory Discovery Hunting
Splunk Persistent XSS Via URL Validation Bypass W Dashboard Drive-by Compromise Hunting
Splunk Process Injection Forwarder Bundle Downloads Process Injection Hunting
Splunk Protocol Impersonation Weak Encryption Configuration Protocol Impersonation Hunting
Splunk RBAC Bypass On Indexing Preview REST Endpoint Access Token Manipulation Hunting
Splunk RCE via Serialized Session Payload Exploit Public-Facing Application Hunting
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Exploitation of Remote Services Hunting
Splunk RCE via User XSLT Exploitation of Remote Services Hunting
Splunk Reflected XSS in the templates lists radio Drive-by Compromise Hunting
Splunk Reflected XSS on App Search Table Endpoint Drive-by Compromise Hunting
Splunk Stored XSS via Data Model objectName field Drive-by Compromise Hunting
Splunk Unauthenticated Log Injection Web Service Log Exploit Public-Facing Application Hunting
Splunk User Enumeration Attempt Valid Accounts TTP
Splunk XSS in Highlighted JSON Events Drive-by Compromise Hunting
Splunk XSS in Monitoring Console Drive-by Compromise TTP
Splunk XSS in Save table dialog header in search page Drive-by Compromise Hunting
Splunk XSS via View Drive-by Compromise Hunting
Splunk csrf in the ssg kvstore client endpoint Drive-by Compromise TTP
Splunk list all nonstandard admin accounts Drive-by Compromise Hunting
Splunk protocol impersonation weak encryption selfsigned Digital Certificates Hunting
Splunk protocol impersonation weak encryption simplerequest Digital Certificates Hunting
Splunk risky Command Abuse disclosed february 2023 Abuse Elevation Control Mechanism, Indirect Command Execution Hunting
Splunk unnecessary file extensions allowed by lookup table uploads Drive-by Compromise TTP
Spoolsv Spawning Rundll32 Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Loaded Modules Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Suspicious Process Access Exploitation for Privilege Escalation TTP
Spoolsv Writing a DLL Print Processors, Boot or Logon Autostart Execution TTP
Spoolsv Writing a DLL - Sysmon Print Processors, Boot or Logon Autostart Execution TTP
Spring4Shell Payload URL Request Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services TTP
Sqlite Module In Temp Folder Data from Local System TTP
Steal or Forge Authentication Certificates Behavior Identified Steal or Forge Authentication Certificates Correlation
Sunburst Correlation DLL and Network Event Exploitation for Client Execution TTP
Supernova Webshell Web Shell, External Remote Services TTP
Suspicious Changes to File Associations Change Default File Association TTP
Suspicious Computer Account Name Change Valid Accounts, Domain Accounts TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
Suspicious Curl Network Connection Ingress Tool Transfer TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Email - UBA Anomaly Phishing Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Suspicious Event Log Service Behavior Indicator Removal, Clear Windows Event Logs TTP
Suspicious File Write None Hunting
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 TTP
Suspicious Image Creation In Appdata Folder Screen Capture TTP
Suspicious Java Classes None Anomaly
Suspicious Kerberos Service Ticket Request Valid Accounts, Domain Accounts TTP
Suspicious Linux Discovery Commands Unix Shell TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP
Suspicious PlistBuddy Usage Launch Agent, Create or Modify System Process TTP
Suspicious PlistBuddy Usage via OSquery Launch Agent, Create or Modify System Process TTP
Suspicious Powershell Command-Line Arguments PowerShell TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process Executed From Container File Malicious File, Masquerade File Type TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Suspicious Reg exe Process Modify Registry Anomaly
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 PluginInit System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 Rename System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities Hunting
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 TTP
Suspicious SQLite3 LSQuarantine Behavior Data Staged TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
Suspicious Ticket Granting Ticket Request Valid Accounts, Domain Accounts Hunting
Suspicious WAV file in Appdata Folder Screen Capture TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious mshta child process System Binary Proxy Execution, Mshta TTP
Suspicious mshta spawn System Binary Proxy Execution, Mshta TTP
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal TTP
Suspicious writes to System Volume Information Masquerading Hunting
Suspicious writes to windows Recycle Bin Masquerading TTP
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task TTP
System Info Gathering Using Dxdiag Application Gather Victim Host Information Hunting
System Information Discovery Detection System Information Discovery TTP
System Process Running from Unexpected Location Masquerading Anomaly
System Processes Run From Unexpected Locations Masquerading, Rename System Utilities Anomaly
System User Discovery With Query System Owner/User Discovery Hunting
System User Discovery With Whoami System Owner/User Discovery Hunting
TOR Traffic Proxy, Multi-hop Proxy TTP
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution TTP
Trickbot Named Pipe Process Injection TTP
UAC Bypass MMC Load Unsigned Dll Bypass User Account Control, Abuse Elevation Control Mechanism, MMC TTP
UAC Bypass With Colorui COM Object System Binary Proxy Execution, CMSTP TTP
USN Journal Deletion Indicator Removal TTP
Uncommon Processes On Endpoint Malicious File Hunting
Uninstall App Using MsiExec Msiexec, System Binary Proxy Execution TTP
Unknown Process Using The Kerberos Protocol Use Alternate Authentication Material TTP
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses TTP
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter TTP
Unsigned Image Loaded by LSASS LSASS Memory TTP
Unsuccessful Netbackup backups None Hunting
Unusual Number of Computer Service Tickets Requested Valid Accounts Hunting
Unusual Number of Kerberos Service Tickets Requested Steal or Forge Kerberos Tickets, Kerberoasting Anomaly
Unusual Number of Remote Endpoint Authentication Events Valid Accounts Hunting
Unusually Long Command Line None Anomaly
Unusually Long Command Line - MLTK None Anomaly
Unusually Long Content-Type Length None Anomaly
User Discovery With Env Vars PowerShell System Owner/User Discovery Hunting
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery Hunting
VMWare Aria Operations Exploit Attempt External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation TTP
VMware Server Side Template Injection Hunt Exploit Public-Facing Application, External Remote Services Hunting
VMware Workspace ONE Freemarker Server-side Template Injection Exploit Public-Facing Application, External Remote Services Anomaly
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Verclsid CLSID Execution Verclsid, System Binary Proxy Execution Hunting
W3WP Spawning Shell Server Software Component, Web Shell TTP
WBAdmin Delete System Backups Inhibit System Recovery TTP
WMI Permanent Event Subscription Windows Management Instrumentation TTP
WMI Permanent Event Subscription - Sysmon Windows Management Instrumentation Event Subscription, Event Triggered Execution TTP
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly
WMI Temporary Event Subscription Windows Management Instrumentation TTP
WMIC XSL Execution via URL XSL Script Processing TTP
WS FTP Remote Code Execution Exploit Public-Facing Application TTP
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Wbemprox COM Object Execution System Binary Proxy Execution, CMSTP TTP
Web Fraud - Account Harvesting Create Account TTP
Web Fraud - Anomalous User Clickspeed Valid Accounts Anomaly
Web Fraud - Password Sharing Across Accounts None Anomaly
Web JSP Request via URL Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services TTP
Web Remote ShellServlet Access Exploit Public-Facing Application TTP
Web Servers Executing Suspicious Processes System Information Discovery TTP
Web Spring Cloud Function FunctionRouter Exploit Public-Facing Application, External Remote Services TTP
Web Spring4Shell HTTP Request Class Module Exploit Public-Facing Application, External Remote Services TTP
Wermgr Process Connecting To IP Check Web Services Gather Victim Network Information, IP Addresses TTP
Wermgr Process Create Executable File Obfuscated Files or Information TTP
Wermgr Process Spawned CMD Or Powershell Process Command and Scripting Interpreter TTP
WevtUtil Usage To Clear Logs Indicator Removal, Clear Windows Event Logs TTP
Wevtutil Usage To Disable Logs Indicator Removal, Clear Windows Event Logs TTP
Wget Download and Bash Execution Ingress Tool Transfer TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WinRAR Spawning Shell Application Ingress Tool Transfer TTP
WinRM Spawning a Process Exploit Public-Facing Application TTP
Windows AD Abnormal Object Access Activity Account Discovery, Domain Account Anomaly
Windows AD AdminSDHolder ACL Modified Event Triggered Execution TTP
Windows AD Cross Domain SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD DSRM Account Changes Account Manipulation TTP
Windows AD DSRM Password Reset Account Manipulation TTP
Windows AD Domain Controller Audit Policy Disabled Disable or Modify Tools TTP
Windows AD Domain Controller Promotion Rogue Domain Controller TTP
Windows AD Domain Replication ACL Addition Domain Policy Modification TTP
Windows AD Privileged Account SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD Privileged Object Access Activity Account Discovery, Domain Account TTP
Windows AD Replication Request Initiated by User Account DCSync, OS Credential Dumping TTP
Windows AD Replication Request Initiated from Unsanctioned Location DCSync, OS Credential Dumping TTP
Windows AD Replication Service Traffic OS Credential Dumping, DCSync, Rogue Domain Controller TTP
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP
Windows AD SID History Attribute Modified Access Token Manipulation, SID-History Injection TTP
Windows AD Same Domain SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD ServicePrincipalName Added To Domain Account Account Manipulation TTP
Windows AD Short Lived Domain Account ServicePrincipalName Account Manipulation TTP
Windows AD Short Lived Domain Controller SPN Attribute Rogue Domain Controller TTP
Windows AD Short Lived Server Object Rogue Domain Controller TTP
Windows Abused Web Services Web Service TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Access Token Manipulation Winlogon Duplicate Token Handle Token Impersonation/Theft, Access Token Manipulation Hunting
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Token Impersonation/Theft, Access Token Manipulation Anomaly
Windows Account Discovery With NetUser PreauthNotRequire Account Discovery Hunting
Windows Account Discovery for None Disable User Account Account Discovery, Local Account Hunting
Windows Account Discovery for Sam Account Name Account Discovery Anomaly
Windows AdFind Exe Remote System Discovery TTP
Windows Admin Permission Discovery Local Groups Anomaly
Windows Administrative Shares Accessed On Multiple Hosts Network Share Discovery TTP
Windows Admon Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification TTP
Windows Admon Group Policy Object Created Domain Policy Modification, Group Policy Modification TTP
Windows Alternate DataStream - Base64 Content Hide Artifacts, NTFS File Attributes TTP
Windows Alternate DataStream - Executable Content Hide Artifacts, NTFS File Attributes TTP
Windows Alternate DataStream - Process Execution Hide Artifacts, NTFS File Attributes TTP
Windows Apache Benchmark Binary Command and Scripting Interpreter Anomaly
Windows App Layer Protocol Qakbot NamedPipe Application Layer Protocol Anomaly
Windows App Layer Protocol Wermgr Connect To NamedPipe Application Layer Protocol Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Application Layer Protocol TTP
Windows Archive Collected Data via Powershell Archive Collected Data Anomaly
Windows Archive Collected Data via Rar Archive via Utility, Archive Collected Data Anomaly
Windows AutoIt3 Execution Command and Scripting Interpreter TTP
Windows Autostart Execution LSASS Driver Registry Modification LSASS Driver TTP
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution TTP
Windows Bits Job Persistence BITS Jobs TTP
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer TTP
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution Anomaly
Windows BootLoader Inventory System Firmware, Pre-OS Boot Hunting
Windows Bypass UAC via Pkgmgr Tool Bypass User Account Control Anomaly
Windows CAB File on Disk Spearphishing Attachment Anomaly
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution TTP
Windows Cached Domain Credentials Reg Query Cached Domain Credentials, OS Credential Dumping Anomaly
Windows CertUtil Decode File Deobfuscate/Decode Files or Information TTP
Windows CertUtil URLCache Download Ingress Tool Transfer TTP
Windows CertUtil VerifyCtl Download Ingress Tool Transfer TTP
Windows Change Default File Association For No File Ext Change Default File Association, Event Triggered Execution TTP
Windows ClipBoard Data via Get-ClipBoard Clipboard Data Anomaly
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell, Command and Scripting Interpreter TTP
Windows Command Shell Fetch Env Variables Process Injection TTP
Windows Command and Scripting Interpreter Hunting Path Traversal Command and Scripting Interpreter Hunting
Windows Command and Scripting Interpreter Path Traversal Exec Command and Scripting Interpreter TTP
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Correlation
Windows Computer Account Created by Computer Account Steal or Forge Kerberos Tickets TTP
Windows Computer Account Requesting Kerberos Ticket Steal or Forge Kerberos Tickets TTP
Windows Computer Account With SPN Steal or Forge Kerberos Tickets TTP
Windows ConHost with Headless Argument Hidden Window, Run Virtual Instance TTP
Windows Create Local Account Local Account, Create Account Anomaly
Windows Credential Dumping LSASS Memory Createdump LSASS Memory TTP
Windows Credentials from Password Stores Chrome Extension Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Windows Credentials from Password Stores Creation Credentials from Password Stores TTP
Windows Credentials from Password Stores Deletion Credentials from Password Stores TTP
Windows Credentials from Password Stores Query Credentials from Password Stores Anomaly
Windows Credentials in Registry Reg Query Credentials in Registry, Unsecured Credentials Anomaly
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP
Windows DISM Remove Defender Disable or Modify Tools, Impair Defenses TTP
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking TTP
Windows DLL Side-Loading In Calc DLL Side-Loading, Hijack Execution Flow TTP
Windows DLL Side-Loading Process Child Of Calc DLL Side-Loading, Hijack Execution Flow Anomaly
Windows DNS Gather Network Info DNS Anomaly
Windows Data Destruction Recursive Exec Files Deletion Data Destruction TTP
Windows Defacement Modify Transcodedwallpaper File Defacement Anomaly
Windows Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification TTP
Windows Default Group Policy Object Modified with GPME Domain Policy Modification, Group Policy Modification TTP
Windows Defender ASR Audit Events Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link Anomaly
Windows Defender ASR Block Events Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link Anomaly
Windows Defender ASR Registry Modification Modify Registry Hunting
Windows Defender ASR Rule Disabled Modify Registry TTP
Windows Defender ASR Rules Stacking Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter Hunting
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows Defender Tools in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Delete or Modify System Firewall Impair Defenses, Disable or Modify System Firewall Anomaly
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Anomaly
Windows Disable Change Password Through Registry Modify Registry Anomaly
Windows Disable Lock Workstation Feature Through Registry Modify Registry Anomaly
Windows Disable LogOff Button Through Registry Modify Registry Anomaly
Windows Disable Memory Crash Dump Data Destruction TTP
Windows Disable Notification Center Modify Registry Anomaly
Windows Disable Shutdown Button Through Registry Modify Registry Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components TTP
Windows Disable Windows Group Policy Features Through Registry Modify Registry Anomaly
Windows Disable or Modify Tools Via Taskkill Impair Defenses, Disable or Modify Tools Anomaly
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows DiskCryptor Usage Data Encrypted for Impact Hunting
Windows Diskshadow Proxy Execution System Binary Proxy Execution TTP
Windows Diskshadow Proxy Execution System Binary Proxy Execution Anomaly
Windows DnsAdmins New Member Added Account Manipulation TTP
Windows Domain Account Discovery Via Get-NetComputer Account Discovery, Domain Account Anomaly
Windows Domain Admin Impersonation Indicator Steal or Forge Kerberos Tickets TTP
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows Driver Inventory Exploitation for Privilege Escalation Hunting
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Enable Win32 ScheduledJob via Registry Scheduled Task Anomaly
Windows Event For Service Disabled Disable or Modify Tools, Impair Defenses Hunting
Windows Event Log Cleared Indicator Removal, Clear Windows Event Logs TTP
Windows Event Triggered Image File Execution Options Injection Image File Execution Options Injection Hunting
Windows Excessive Disabled Services Event Disable or Modify Tools, Impair Defenses TTP
Windows Exchange Autodiscover SSRF Abuse Exploit Public-Facing Application, External Remote Services TTP
Windows Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell TTP
Windows Executable in Loaded Modules Shared Modules TTP
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution TTP
Windows Exfiltration Over C2 Via Invoke RestMethod Exfiltration Over C2 Channel TTP
Windows Exfiltration Over C2 Via Powershell UploadString Exfiltration Over C2 Channel TTP
Windows Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates Anomaly
Windows File Share Discovery With Powerview Network Share Discovery TTP
Windows File Share Discovery With Powerview Unsecured Credentials, Group Policy Preferences TTP
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Files and Dirs Access Rights Modification Via Icacls Windows File and Directory Permissions Modification, File and Directory Permissions Modification TTP
Windows Find Domain Organizational Units with GetDomainOU Account Discovery, Domain Account TTP
Windows Find Interesting ACL with FindInterestingDomainAcl Account Discovery, Domain Account TTP
Windows Findstr GPP Discovery Unsecured Credentials, Group Policy Preferences TTP
Windows Forest Discovery with GetForestDomain Account Discovery, Domain Account TTP
Windows Gather Victim Host Information Camera Hardware, Gather Victim Host Information Anomaly
Windows Gather Victim Identity SAM Info Credentials, Gather Victim Identity Information Hunting
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Get Local Admin with FindLocalAdminAccess Account Discovery, Domain Account TTP
Windows Get-AdComputer Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Group Policy Object Created Domain Policy Modification, Group Policy Modification, Domain Accounts TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows Hide Notification Features Through Registry Modify Registry Anomaly
Windows High File Deletion Frequency Data Destruction Anomaly
Windows Hijack Execution Flow Version Dll Side Load DLL Search Order Hijacking, Hijack Execution Flow Anomaly
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping Hunting
Windows IIS Components Add New Module Server Software Component, IIS Components Anomaly
Windows IIS Components Get-WebGlobalModule Module Query IIS Components, Server Software Component Hunting
Windows IIS Components Module Failed to Load Server Software Component, IIS Components Anomaly
Windows IIS Components New Module Added Server Software Component, IIS Components TTP
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Identify Protocol Handlers Command and Scripting Interpreter Hunting
Windows Impair Defense Add Xml Applocker Rules Disable or Modify Tools, Impair Defenses Hunting
Windows Impair Defense Change Win Defender Health Check Intervals Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Change Win Defender Quick Scan Interval Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Change Win Defender Throttle Rate Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Change Win Defender Tracing Level Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Configure App Install Control Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Define Win Defender Threat Action Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Delete Win Defender Context Menu Disable or Modify Tools, Impair Defenses Hunting
Windows Impair Defense Delete Win Defender Profile Registry Disable or Modify Tools, Impair Defenses Anomaly
Windows Impair Defense Deny Security Software With Applocker Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Controlled Folder Access Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Defender Firewall And Network Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Defender Protocol Recognition Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable PUA Protection Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Realtime Signature Delivery Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Web Evaluation Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender App Guard Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Compute File Hashes Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Gen reports Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Network Protection Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Report Infection Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Scan On Update Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Disable Win Defender Signature Retirement Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Overide Win Defender Phishing Filter Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Override SmartScreen Prompt Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defenses Disable HVCI Disable or Modify Tools, Impair Defenses TTP
Windows Impair Defenses Disable Win Defender Auto Logging Disable or Modify Tools, Impair Defenses Anomaly
Windows Indicator Removal Via Rmdir Indicator Removal Anomaly
Windows Indirect Command Execution Via Series Of Forfiles Indirect Command Execution Anomaly
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Indirect Command Execution Via pcalua Indirect Command Execution TTP
Windows Information Discovery Fsutil System Information Discovery Anomaly
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer Anomaly
Windows Ingress Tool Transfer Using Explorer Ingress Tool Transfer TTP
Windows Input Capture Using Credential UI Dll GUI Input Capture, Input Capture Hunting
Windows InstallUtil Credential Theft InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows Java Spawning Shells Exploit Public-Facing Application, External Remote Services TTP
Windows Kerberos Local Successful Logon Steal or Forge Kerberos Tickets TTP
Windows Known GraphicalProton Loaded Modules DLL Side-Loading, Hijack Execution Flow Anomaly
Windows KrbRelayUp Service Creation Windows Service TTP
Windows LOLBin Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows LSA Secrets NoLMhash Registry LSA Secrets TTP
Windows Large Number of Computer Service Tickets Requested Network Share Discovery, Valid Accounts Anomaly
Windows Lateral Tool Transfer RemCom Lateral Tool Transfer TTP
Windows Ldifde Directory Object Behavior Ingress Tool Transfer, Domain Groups TTP
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery Anomaly
Windows Local Administrator Credential Stuffing Brute Force, Credential Stuffing TTP
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription TTP
Windows MOVEit Transfer Writing ASPX Exploit Public-Facing Application, External Remote Services TTP
Windows MSExchange Management Mailbox Cmdlet Usage Command and Scripting Interpreter, PowerShell Anomaly
Windows MSHTA Child Process Mshta, System Binary Proxy Execution TTP
Windows MSHTA Command-Line URL Mshta, System Binary Proxy Execution TTP
Windows MSHTA Inline HTA Execution Mshta, System Binary Proxy Execution TTP
Windows MSIExec DLLRegisterServer Msiexec TTP
Windows MSIExec Remote Download Msiexec TTP
Windows MSIExec Spawn Discovery Command Msiexec TTP
Windows MSIExec Spawn WinDBG Msiexec TTP
Windows MSIExec Unregister DLLRegisterServer Msiexec TTP
Windows MSIExec With Network Connections Msiexec TTP
Windows Mail Protocol In Non-Common Process Path Mail Protocols, Application Layer Protocol Anomaly
Windows Mark Of The Web Bypass Mark-of-the-Web Bypass TTP
Windows Masquerading Explorer As Child Process DLL Side-Loading, Hijack Execution Flow TTP
Windows Masquerading Msdtc Process Masquerading TTP
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Mimikatz Crypto Export File Extensions Steal or Forge Authentication Certificates Anomaly
Windows Modify Registry AuthenticationLevelOverride Modify Registry Anomaly
Windows Modify Registry Auto Minor Updates Modify Registry Hunting
Windows Modify Registry Auto Update Notif Modify Registry Anomaly
Windows Modify Registry Default Icon Setting Modify Registry Anomaly
Windows Modify Registry DisAllow Windows App Modify Registry TTP
Windows Modify Registry Disable Restricted Admin Modify Registry TTP
Windows Modify Registry Disable Toast Notifications Modify Registry Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Anomaly
Windows Modify Registry Disable WinDefender Notifications Modify Registry TTP
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Anomaly
Windows Modify Registry DisableRemoteDesktopAntiAlias Modify Registry TTP
Windows Modify Registry DisableSecuritySettings Modify Registry TTP
Windows Modify Registry Disabling WER Settings Modify Registry TTP
Windows Modify Registry Do Not Connect To Win Update Modify Registry Anomaly
Windows Modify Registry DontShowUI Modify Registry TTP
Windows Modify Registry EnableLinkedConnections Modify Registry TTP
Windows Modify Registry LongPathsEnabled Modify Registry Anomaly
Windows Modify Registry MaxConnectionPerServer Modify Registry Anomaly
Windows Modify Registry No Auto Reboot With Logon User Modify Registry Anomaly
Windows Modify Registry No Auto Update Modify Registry Anomaly
Windows Modify Registry NoChangingWallPaper Modify Registry TTP
Windows Modify Registry ProxyEnable Modify Registry Anomaly
Windows Modify Registry ProxyServer Modify Registry Anomaly
Windows Modify Registry Qakbot Binary Data Registry Modify Registry Anomaly
Windows Modify Registry Reg Restore Query Registry Hunting
Windows Modify Registry Regedit Silent Reg Import Modify Registry Anomaly
Windows Modify Registry Risk Behavior Modify Registry Correlation
Windows Modify Registry Suppress Win Defender Notif Modify Registry Anomaly
Windows Modify Registry Tamper Protection Modify Registry TTP
Windows Modify Registry USeWuServer Modify Registry Hunting
Windows Modify Registry UpdateServiceUrlAlternate Modify Registry Anomaly
Windows Modify Registry With MD5 Reg Key Name Modify Registry TTP
Windows Modify Registry WuServer Modify Registry Hunting
Windows Modify Registry wuStatusServer Modify Registry Hunting
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Windows Modify System Firewall with Notable Process Path Disable or Modify System Firewall, Impair Defenses TTP
Windows Mshta Execution In Registry Mshta TTP
Windows MsiExec HideWindow Rundll32 Execution Msiexec, System Binary Proxy Execution TTP
Windows Multi hop Proxy TOR Website Query Mail Protocols, Application Layer Protocol Anomaly
Windows Multiple Account Passwords Changed Account Manipulation, Valid Accounts TTP
Windows Multiple Accounts Deleted Account Manipulation, Valid Accounts TTP
Windows Multiple Accounts Disabled Account Manipulation, Valid Accounts TTP
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Password Spraying, Brute Force TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Host Using NTLM Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate From Process Password Spraying, Brute Force TTP
Windows Multiple Users Failed To Authenticate Using Kerberos Password Spraying, Brute Force TTP
Windows Multiple Users Remotely Failed To Authenticate From Host Password Spraying, Brute Force TTP
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Anomaly
Windows NirSoft AdvancedRun Tool TTP
Windows NirSoft Utilities Tool Hunting
Windows Njrat Fileless Storage via Registry Fileless Storage, Obfuscated Files or Information TTP
Windows Non Discord App Access Discord LevelDB Query Registry Anomaly
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping TTP
Windows OS Credential Dumping with Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Windows OS Credential Dumping with Procdump LSASS Memory, OS Credential Dumping TTP
Windows Odbcconf Hunting Odbcconf Hunting
Windows Odbcconf Load DLL Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf, System Binary Proxy Execution TTP
Windows Office Product Spawning MSDT Phishing, Spearphishing Attachment TTP
Windows PaperCut NG Spawn Shell Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services TTP
Windows Parent PID Spoofing with Explorer Parent PID Spoofing, Access Token Manipulation TTP
Windows Password Managers Discovery Password Managers Anomaly
Windows Phishing PDF File Executes URL Link Spearphishing Attachment, Phishing Anomaly
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP
Windows Post Exploitation Risk Behavior Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials Correlation
Windows PowerShell Add Module to Global Assembly Cache Server Software Component, IIS Components TTP
Windows PowerShell Disable HTTP Logging Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components TTP
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Windows PowerShell Export Certificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates Anomaly
Windows PowerShell Export PfxCertificate Private Keys, Unsecured Credentials, Steal or Forge Authentication Certificates Anomaly
Windows PowerShell Get CIMInstance Remote Computer PowerShell Anomaly
Windows PowerShell IIS Components WebGlobalModule Usage Server Software Component, IIS Components Anomaly
Windows PowerShell ScheduleTask Scheduled Task, PowerShell, Command and Scripting Interpreter Anomaly
Windows PowerShell Start-BitsTransfer BITS Jobs, Ingress Tool Transfer TTP
Windows PowerShell WMI Win32 ScheduledJob PowerShell, Command and Scripting Interpreter TTP
Windows PowerSploit GPP Discovery Unsecured Credentials, Group Policy Preferences TTP
Windows PowerView AD Access Control List Enumeration Domain Accounts, Permission Groups Discovery TTP
Windows PowerView Constrained Delegation Discovery Remote System Discovery TTP
Windows PowerView Kerberos Service Ticket Request Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Powershell Connect to Internet With Hidden Window Automated Exfiltration Anomaly
Windows Powershell Cryptography Namespace PowerShell, Command and Scripting Interpreter Anomaly
Windows Powershell DownloadFile Automated Exfiltration Anomaly
Windows Powershell Import Applocker Policy PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses TTP
Windows Powershell RemoteSigned File PowerShell, Command and Scripting Interpreter Anomaly
Windows Private Keys Discovery Private Keys, Unsecured Credentials Anomaly
Windows Privilege Escalation Suspicious Process Elevation Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation TTP
Windows Privilege Escalation System Process Without System Parent Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation TTP
Windows Privilege Escalation User Process Spawn System Process Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation TTP
Windows Process Commandline Discovery Process Discovery Hunting
Windows Process Injection In Non-Service SearchIndexer Process Injection TTP
Windows Process Injection Of Wermgr to Known Browser Dynamic-link Library Injection, Process Injection TTP
Windows Process Injection Remote Thread Process Injection, Portable Executable Injection TTP
Windows Process Injection Wermgr Child Process Process Injection Anomaly
Windows Process Injection With Public Source Path Process Injection, Portable Executable Injection Hunting
Windows Process Injection into Notepad Process Injection, Portable Executable Injection Anomaly
Windows Process With NamedPipe CommandLine Process Injection Anomaly
Windows Processes Killed By Industroyer2 Malware Service Stop Anomaly
Windows Protocol Tunneling with Plink Protocol Tunneling, SSH TTP
Windows Proxy Via Netsh Internal Proxy, Proxy Anomaly
Windows Proxy Via Registry Internal Proxy, Proxy Anomaly
Windows Query Registry Browser List Application Query Registry Anomaly
Windows Query Registry Reg Save Query Registry Hunting
Windows Query Registry UnInstall Program List Query Registry Anomaly
Windows RDP Connection Successful RDP Hijacking Hunting
Windows Raccine Scheduled Task Deletion Disable or Modify Tools TTP
Windows Rapid Authentication On Multiple Hosts Security Account Manager TTP
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows Registry BootExecute Modification Pre-OS Boot, Registry Run Keys / Startup Folder TTP
Windows Registry Certificate Added Install Root Certificate, Subvert Trust Controls Anomaly
Windows Registry Delete Task SD Scheduled Task, Impair Defenses Anomaly
Windows Registry Modification for Safe Mode Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Windows Registry Payload Injection Obfuscated Files or Information, Fileless Storage TTP
Windows Registry SIP Provider Modification SIP and Trust Provider Hijacking TTP
Windows Regsvr32 Renamed Binary Regsvr32, System Binary Proxy Execution TTP
Windows Remote Access Software BRC4 Loaded Dll Remote Access Software, OS Credential Dumping Anomaly
Windows Remote Access Software Hunt Remote Access Software Hunting
Windows Remote Access Software RMS Registry Remote Access Software TTP
Windows Remote Assistance Spawning Process Process Injection TTP
Windows Remote Create Service Create or Modify System Process, Windows Service Anomaly
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol, Remote Services TTP
Windows Remote Services Allow Rdp In Firewall Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Allow Remote Assistance Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Rdp Enable Remote Desktop Protocol, Remote Services TTP
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities At exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Replication Through Removable Media Replication Through Removable Media TTP
Windows Root Domain linked policies Discovery Domain Account, Account Discovery Anomaly
Windows Rundll32 Apply User Settings Changes System Binary Proxy Execution, Rundll32 TTP
Windows Rundll32 Comsvcs Memory Dump NTDS, OS Credential Dumping TTP
Windows Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta TTP
Windows Rundll32 WebDAV Request Exfiltration Over Unencrypted Non-C2 Protocol TTP
Windows Rundll32 WebDav With Network Connection Exfiltration Over Unencrypted Non-C2 Protocol TTP
Windows SIP Provider Inventory SIP and Trust Provider Hijacking Hunting
Windows SIP WinVerifyTrust Failed Trust Validation SIP and Trust Provider Hijacking Anomaly
Windows SOAPHound Binary Execution Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery TTP
Windows SQL Spawning CertUtil Ingress Tool Transfer TTP
Windows Scheduled Task Created Via XML Scheduled Task, Scheduled Task/Job TTP
Windows Scheduled Task Service Spawned Shell Scheduled Task, Command and Scripting Interpreter TTP
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task TTP
Windows Schtasks Create Run As System Scheduled Task, Scheduled Task/Job TTP
Windows Screen Capture Via Powershell Screen Capture TTP
Windows Script Host Spawn MSBuild MSBuild, Trusted Developer Utilities Proxy Execution TTP
Windows Security Account Manager Stopped Service Stop TTP
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Anomaly
Windows Server Software Component GACUtil Install to GAC Server Software Component, IIS Components TTP
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation TTP
Windows Service Create RemComSvc Windows Service, Create or Modify System Process Anomaly
Windows Service Create SliverC2 System Services, Service Execution TTP
Windows Service Create with Tscon RDP Hijacking, Remote Service Session Hijacking, Windows Service TTP
Windows Service Created Within Public Path Create or Modify System Process, Windows Service TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Creation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Deletion In Registry Service Stop Anomaly
Windows Service Initiation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Stop By Deletion Service Stop TTP
Windows Service Stop Via Net and SC Application Service Stop Anomaly
Windows Service Stop Win Updates Service Stop Anomaly
Windows Snake Malware File Modification Crmlog Obfuscated Files or Information TTP
Windows Snake Malware Kernel Driver Comadmin Kernel Modules and Extensions TTP
Windows Snake Malware Registry Modification wav OpenWithProgIds Modify Registry TTP
Windows Snake Malware Service Create Kernel Modules and Extensions, Service Execution TTP
Windows Spearphishing Attachment Connect To None MS Office Domain Spearphishing Attachment, Phishing Hunting
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment, Phishing TTP
Windows Special Privileged Logon On Multiple Hosts Account Discovery, SMB/Windows Admin Shares, Network Share Discovery TTP
Windows Steal Authentication Certificates - ESC1 Abuse Steal or Forge Authentication Certificates TTP
Windows Steal Authentication Certificates - ESC1 Authentication Steal or Forge Authentication Certificates, Use Alternate Authentication Material TTP
Windows Steal Authentication Certificates CS Backup Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates CertUtil Backup Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates Certificate Issued Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates Certificate Request Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates CryptoAPI Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates Export Certificate Steal or Forge Authentication Certificates Anomaly
Windows Steal Authentication Certificates Export PfxCertificate Steal or Forge Authentication Certificates Anomaly
Windows Steal or Forge Kerberos Tickets Klist Steal or Forge Kerberos Tickets Hunting
Windows Suspect Process With Authentication Traffic Account Discovery, Domain Account, User Execution, Malicious File Anomaly
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution MSIExec DLLRegisterServer Msiexec TTP
Windows System Binary Proxy Execution MSIExec Remote Download Msiexec TTP
Windows System Binary Proxy Execution MSIExec Unregister DLL Msiexec TTP
Windows System Discovery Using Qwinsta System Owner/User Discovery Hunting
Windows System Discovery Using ldap Nslookup System Owner/User Discovery Anomaly
Windows System File on Disk Exploitation for Privilege Escalation Hunting
Windows System LogOff Commandline System Shutdown/Reboot Anomaly
Windows System Network Config Discovery Display DNS System Network Configuration Discovery Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows System Reboot CommandLine System Shutdown/Reboot Anomaly
Windows System Script Proxy Execution Syncappvpublishingserver System Script Proxy Execution, System Binary Proxy Execution TTP
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly
Windows System Time Discovery W32tm Delay System Time Discovery Anomaly
Windows System User Discovery Via Quser System Owner/User Discovery Hunting
Windows System User Privilege Discovery System Owner/User Discovery Hunting
Windows Terminating Lsass Process Disable or Modify Tools, Impair Defenses Anomaly
Windows Time Based Evasion Virtualization/Sandbox Evasion, Time Based Evasion TTP
Windows Time Based Evasion via Choice Exec Time Based Evasion, Virtualization/Sandbox Evasion Anomaly
Windows UAC Bypass Suspicious Child Process Abuse Elevation Control Mechanism, Bypass User Account Control TTP
Windows UAC Bypass Suspicious Escalation Behavior Abuse Elevation Control Mechanism, Bypass User Account Control TTP
Windows Unsecured Outlook Credentials Access In Registry Unsecured Credentials Anomaly
Windows Unsigned DLL Side-Loading DLL Side-Loading Anomaly
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Password Spraying, Brute Force Anomaly
Windows Unusual Count Of Users Remotely Failed To Auth From Host Password Spraying, Brute Force Anomaly
Windows User Execution Malicious URL Shortcut File Malicious File, User Execution TTP
Windows Valid Account With Never Expires Password Service Stop TTP
Windows Vulnerable 3CX Software Compromise Software Supply Chain TTP
Windows Vulnerable Driver Loaded Windows Service Hunting
Windows WMI Impersonate Token Windows Management Instrumentation Anomaly
Windows WMI Process And Service List Windows Management Instrumentation Anomaly
Windows WMI Process Call Create Windows Management Instrumentation Hunting
Windows WMIPrvse Spawn MSBuild Trusted Developer Utilities Proxy Execution, MSBuild TTP
Windows WinDBG Spawning AutoIt3 Command and Scripting Interpreter TTP
Windows WinLogon with Public Network Connection Bootkit Hunting
Windows connhost exe started forcefully Windows Command Shell TTP
Windows hosts file modification None TTP
Winhlp32 Spawning a Process Process Injection TTP
Winword Spawning Cmd Phishing, Spearphishing Attachment TTP
Winword Spawning PowerShell Phishing, Spearphishing Attachment TTP
Winword Spawning Windows Script Host Phishing, Spearphishing Attachment TTP
Wmic Group Discovery Permission Groups Discovery, Local Groups Hunting
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Hunting
Wmiprsve LOLBAS Execution Process Spawn Windows Management Instrumentation TTP
WordPress Bricks Builder plugin RCE Exploit Public-Facing Application TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP
Wsmprovhost LOLBAS Execution Process Spawn Remote Services, Windows Remote Management TTP
XMRIG Driver Loaded Windows Service, Create or Modify System Process TTP
XSL Script Execution With WMIC XSL Script Processing TTP
Zeek x509 Certificate with Punycode Encrypted Channel Hunting
aws detect attach to role policy Valid Accounts Hunting
aws detect permanent key creation Valid Accounts Hunting
aws detect role creation Valid Accounts Hunting
aws detect sts assume role abuse Valid Accounts Hunting
aws detect sts get session token abuse Use Alternate Authentication Material Hunting
gcp detect oauth token abuse Valid Accounts Hunting
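The rows above are flattened: each line carries the detection name, a comma-separated list of ATT&CK technique names and the detection type (TTP, Anomaly or Hunting) with nothing but spaces between the columns, so computing technique coverage from the list takes a little care. The Python below is an added example for working with this catalog; it is not Splunk code and not part of the original page. It splits a row from the right, first peeling off the type token and then repeatedly matching the longest known technique name at the end of the remainder, so a technique phrase that also occurs inside a detection name (as in "Windows Process Injection into Notepad") is not mistaken for a column boundary. The technique vocabulary and the sample rows are constructed from names that appear on this page; a real run would load the full ATT&CK technique name list instead of the small TECHNIQUES set.

```python
"""Parse flattened detection-catalog rows of the form
'<Name> <Technique>[, <Technique>...] <Type>' into structured records
and tally ATT&CK-technique coverage per detection type."""
from collections import Counter, defaultdict

# Detection types used by the catalog: every row ends with one of these.
TYPES = ("TTP", "Anomaly", "Hunting")

# Technique vocabulary used to find the boundary between name and techniques.
# Assumption: a subset of the technique names seen on the page; a real run
# would load the complete ATT&CK name list (e.g. from the STIX bundle).
TECHNIQUES = {
    "Process Injection", "Portable Executable Injection", "Service Stop",
    "Internal Proxy", "Proxy", "Password Spraying", "Brute Force",
    "Scheduled Task", "Scheduled Task/Job", "Windows Service",
    "Create or Modify System Process", "Valid Accounts", "None",
    "Steal or Forge Authentication Certificates",
    "Use Alternate Authentication Material",
}


def _pop_suffix_technique(text):
    """Return (remaining_text, technique) for the longest vocabulary term that
    ends `text` on a word boundary, or (text, None) when nothing matches.
    Longest-match matters: 'Internal Proxy' must win over plain 'Proxy'."""
    best = None
    for term in TECHNIQUES:
        if text == term or text.endswith(" " + term):
            if best is None or len(term) > len(best):
                best = term
    if best is None:
        return text, None
    return text[: len(text) - len(best)].rstrip(), best


def parse_row(row):
    """Split one flattened row into {'name', 'techniques', 'type'}.
    Raises ValueError when the row cannot be decomposed, so a malformed or
    unknown-technique row is surfaced instead of being silently mis-counted."""
    text = row.strip()
    head, _, dtype = text.rpartition(" ")
    if dtype not in TYPES:
        raise ValueError(f"unknown detection type in row: {row!r}")
    techniques = []
    rest = head
    while True:
        rest, tech = _pop_suffix_technique(rest)
        if tech is None:
            raise ValueError(f"no known technique at end of: {rest!r}")
        techniques.insert(0, tech)
        if rest.endswith(","):
            rest = rest[:-1].rstrip()  # another technique precedes this one
            continue
        break
    if not rest:
        raise ValueError(f"row has no detection name: {row!r}")
    return {"name": rest, "techniques": techniques, "type": dtype}


def coverage(rows):
    """Map each technique to a Counter of detection types that reference it."""
    table = defaultdict(Counter)
    for row in rows:
        rec = parse_row(row)
        for tech in rec["techniques"]:
            table[tech][rec["type"]] += 1
    return table


# Constructed sample rows, copied in the page's flattened layout.
SAMPLE_ROWS = [
    "Windows Process Injection into Notepad Process Injection, Portable Executable Injection Anomaly",
    "Windows Proxy Via Netsh Internal Proxy, Proxy Anomaly",
    "Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task TTP",
    "Windows Unusual Count Of Users Failed To Auth Using Kerberos Password Spraying, Brute Force Anomaly",
    "Windows Steal Authentication Certificates - ESC1 Authentication Steal or Forge Authentication Certificates, Use Alternate Authentication Material TTP",
    "aws detect sts assume role abuse Valid Accounts Hunting",
    "Windows hosts file modification None TTP",
]

if __name__ == "__main__":
    for tech, counts in sorted(coverage(SAMPLE_ROWS).items()):
        print(f"{tech:45} {dict(counts)}")
```

Rows whose trailing technique is not in the vocabulary raise rather than being guessed at, which is the behaviour you want when the output feeds a coverage report: a silent mis-split would credit a technique that no detection actually covers.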

Endpoint

Disable Show Hidden Files

Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry

CMD Echo Pipe - Escalation

Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process

Windows Post Exploitation Risk Behavior

Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Info...

Living Off The Land

Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services

Detect SharpHound Usage

Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery

Web

Web JSP Request via URL

Web Shell, Server Software Component, Exploit Public-Facing Application, External Remote Services

Network

Detect ARP Poisoning

Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning
