Headless Browser Mockbin or Mocky Request
Hidden Window
Defense Evasion
Headless Browser Usage
Hidden Window
Splunk risky Command Abuse disclosed february 2023
Abuse Elevation Control Mechanism
Suspicious Copy on System32
Rename System Utilities, Masquerading
Suspicious Copy on System32
Rename System Utilities, Masquerading
Windows Mark Of The Web Bypass
Mark-of-the-Web Bypass
O365 Excessive SSO logon errors
Modify Authentication Process
Windows Bypass UAC via Pkgmgr Tool
Bypass User Account Control
Windows Unsigned DLL Side-Loading
DLL Side-Loading
Windows Modify Registry MaxConnectionPerServer
Modify Registry
Suspicious DLLHost no Command Line Arguments
Process Injection
Suspicious SearchProtocolHost no Command Line Arguments
Process Injection
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious msbuild path
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious GPUpdate no Command Line Arguments
Process Injection
DLLHost with no Command Line Arguments with Network
Process Injection
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious microsoft workflow compiler rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 no Command Line Arguments
System Binary Proxy Execution, Rundll32
Services Escalate Exe
Abuse Elevation Control Mechanism
SearchProtocolHost with no Command Line with Network
Process Injection
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 StartW
System Binary Proxy Execution, Rundll32
Windows Modify Registry EnableLinkedConnections
Modify Registry
Cobalt Strike Named Pipes
Process Injection
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Suspicious MSBuild Rename
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild
Windows Modify Registry LongPathsEnabled
Modify Registry
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
Rundll32 with no Command Line Arguments with Network
System Binary Proxy Execution, Rundll32
GPUpdate with no Command Line Arguments with Network
Process Injection
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Detect Regsvr32 Application Control Bypass
System Binary Proxy Execution, Regsvr32
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Registry Payload Injection
Obfuscated Files or Information, Fileless Storage
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Process Injection Remote Thread
Process Injection, Portable Executable Injection
Windows Modify Registry Risk Behavior
Modify Registry
Windows Common Abused Cmd Shell Risk Behavior
File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Config...
Suspicious Process Executed From Container File
Malicious File, Masquerade File Type
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Attempt To Stop Security Service
Disable or Modify Tools, Impair Defenses
Executables Or Script Creation In Suspicious Path
Masquerading
PowerShell WebRequest Using Memory Stream
PowerShell, Ingress Tool Transfer, Fileless Storage
Icacls Deny Command
File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Windows Files and Dirs Access Rights Modification Via Icacls
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
ICACLS Grant Command
File and Directory Permissions Modification
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
ASL AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
ASL AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
Windows Steal Authentication Certificates - ESC1 Authentication
Steal or Forge Authentication Certificates, Use Alternate Authentication Material
Splunk HTTP Response Splitting Via Rest SPL Command
HTML Smuggling
Active Directory Privilege Escalation Identified
Domain Policy Modification
Splunk Edit User Privilege Escalation
Abuse Elevation Control Mechanism
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
ASL AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Splunk RBAC Bypass On Indexing Preview REST Endpoint
Access Token Manipulation
Windows Snake Malware File Modification Crmlog
Obfuscated Files or Information
Windows Snake Malware Registry Modification wav OpenWithProgIds
Modify Registry
Windows Registry BootExecute Modification
Pre-OS Boot, Registry Run Keys / Startup Folder
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling CMD Application
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Disable ETW Through Registry
Disable or Modify Tools, Impair Defenses
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Boot Folder
Data Destruction, File Deletion, Indicator Removal
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling NoRun Windows App
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disabling Task Manager
Disable or Modify Tools, Impair Defenses
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Registry Tool
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Hide Notification Features Through Registry
Modify Registry
Windows Disable Lock Workstation Feature Through Registry
Modify Registry
Windows Modify Show Compress Color And Info Tip Registry
Modify Registry
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Services
Data Destruction, File Deletion, Indicator Removal
Windows Disable LogOff Button Through Registry
Modify Registry
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Linux High Frequency Of File Deletion In Etc Folder
Data Destruction, File Deletion, Indicator Removal
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disable UAC Remote Restriction
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
Disabling Defender Services
Disable or Modify Tools, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
ETW Registry Disabled
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Disable Defender Spynet Reporting
Disable or Modify Tools, Impair Defenses
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Linux Deletion of SSL Certificate
Data Destruction, File Deletion, Indicator Removal
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Disabling FolderOptions Windows Feature
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Hide User Account From Sign-In Screen
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Disable Windows Behavior Monitoring
Disable or Modify Tools, Impair Defenses
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Linux Account Manipulation Of SSH Config and Keys
Data Destruction, File Deletion, Indicator Removal
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Disable Defender Submit Samples Consent Feature
Disable or Modify Tools, Impair Defenses
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Init Daemon Script
Data Destruction, File Deletion, Indicator Removal
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disable Show Hidden Files
Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disabling ControlPanel
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Disable Windows SmartScreen Protection
Disable or Modify Tools, Impair Defenses
Windows Disable Windows Group Policy Features Through Registry
Modify Registry
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Registry Certificate Added
Install Root Certificate, Subvert Trust Controls
Windows Disable Shutdown Button Through Registry
Modify Registry
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Linux Deletion Of Cron Jobs
Data Destruction, File Deletion, Indicator Removal
Disable Security Logs Using MiniNt Registry
Modify Registry
Windows Service Creation Using Registry Entry
Services Registry Permissions Weakness
Windows Disable Notification Center
Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Disable Windows App Hotkeys
Disable or Modify Tools, Impair Defenses, Modify Registry
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Defender Exclusion Registry Entry
Disable or Modify Tools, Impair Defenses
Windows Disable Change Password Through Registry
Modify Registry
Enable WDigest UseLogonCredential Registry
Modify Registry, OS Credential Dumping
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In File Name
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Detect RTLO In Process
Right-to-Left Override, Masquerading
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows Event For Service Disabled
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows DisableAntiSpyware Registry
Disable or Modify Tools, Impair Defenses
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified with GPME
Domain Policy Modification, Group Policy Modification
Windows Modify Registry No Auto Update
Modify Registry
Windows Modify Registry Do Not Connect To Win Update
Modify Registry
Windows Modify Registry UpdateServiceUrlAlternate
Modify Registry
Windows Modify Registry USeWuServer
Modify Registry
Windows Modify Registry Auto Minor Updates
Modify Registry
Windows Modify Registry WuServer
Modify Registry
Windows Modify Registry Disable WinDefender Notifications
Modify Registry
Windows Modify Registry No Auto Reboot With Logon User
Modify Registry
Windows Modify Registry Auto Update Notif
Modify Registry
Windows Modify Registry Tamper Protection
Modify Registry
Windows Modify Registry wuStatusServer
Modify Registry
Windows PowerView AD Access Control List Enumeration
Domain Accounts, Permission Groups Discovery
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Process Deleting Its Process File Path
Indicator Removal
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Regsvr32 Silent and Install Param Dll Loading
System Binary Proxy Execution, Regsvr32
Linux Indicator Removal Clear Cache
Indicator Removal
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Linux Stdout Redirection To Dev Null File
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
Ping Sleep Batch Command
Virtualization/Sandbox Evasion, Time Based Evasion
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
MSI Module Loaded by Non-System Binary
DLL Side-Loading, Hijack Execution Flow
Possible Lateral Movement PowerShell Spawn
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShe...
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Enable SMB1Protocol Feature
Obfuscated Files or Information, Indicator Removal from Tools
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Remove Windows Defender Directory
Disable or Modify Tools, Impair Defenses
Powershell Fileless Process Injection via GetProcAddress
Command and Scripting Interpreter, Process Injection, PowerShell
Unloading AMSI via Reflection
Impair Defenses, PowerShell, Command and Scripting Interpreter
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Powershell Windows Defender Exclusion Commands
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Windows Terminating Lsass Process
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Add or Set Windows Defender Exclusion
Disable or Modify Tools, Impair Defenses
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Linux Indicator Removal Service File Deletion
File Deletion, Indicator Removal
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Windows BootLoader Inventory
System Firmware, Pre-OS Boot
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Runas Execution in CommandLine
Access Token Manipulation, Token Impersonation/Theft
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Linux Impair Defenses Process Kill
Disable or Modify Tools, Impair Defenses
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Wscript Or Cscript Suspicious Child Process
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation
Windows Deleted Registry By A Non Critical Process File Path
Modify Registry
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable HVCI
Disable or Modify Tools, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Iptables Firewall Modification
Disable or Modify System Firewall, Impair Defenses
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Linux Kworker Process In Writable Process Path
Masquerade Task or Service, Masquerading
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender MpEngine Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable Defender AntiVirus Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable AMSI Through Registry
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Disable Defender BlockAtFirstSeen Feature
Disable or Modify Tools, Impair Defenses
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Windows Admon Group Policy Object Created
Domain Policy Modification, Group Policy Modification
Powershell Fileless Script Contains Base64 Encoded Content
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Admon Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Allow Operation with Consent Admin
Abuse Elevation Control Mechanism
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Default Group Policy Object Modified
Domain Policy Modification, Group Policy Modification
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Group Policy Object Created
Domain Policy Modification, Group Policy Modification, Domain Accounts
Windows Large Number of Computer Service Tickets Requested
Network Share Discovery, Valid Accounts
Okta Multiple Failed Requests to Access Applications
Web Session Cookie, Cloud Service Dashboard
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Msmpeng Application DLL Side Loading
DLL Side-Loading, Hijack Execution Flow
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta Phishing Detection with FastPass Origin Check
Valid Accounts, Default Accounts, Modify Authentication Process
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Login Failure with High Unknown users
Valid Accounts, Default Accounts, Credential Stuffing
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Okta ThreatInsight Suspected PasswordSpray Attack
Valid Accounts, Default Accounts, Password Spraying
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Suspicious Regsvr32 Register Suspicious Path
System Binary Proxy Execution, Regsvr32
Windows Driver Load Non-Standard Path
Rootkit, Exploitation for Privilege Escalation
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Windows Process Injection into Notepad
Process Injection, Portable Executable Injection
Notepad with no Command Line Arguments
Process Injection
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
AWS New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Azure AD New MFA Method Registered For User
Modify Authentication Process, Multi-Factor Authentication
Windows AD Domain Controller Audit Policy Disabled
Disable or Modify Tools
Windows AD Domain Controller Promotion
Rogue Domain Controller
AWS Successful Console Authentication From Multiple IPs
Compromise Accounts, Unused/Unsupported Cloud Regions
Windows Modify Registry Default Icon Setting
Modify Registry
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt with Sysmon
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows DLL Search Order Hijacking Hunt
DLL Search Order Hijacking, Hijack Execution Flow
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows PowerShell Disable HTTP Logging
Impair Defenses, Disable Windows Event Logging, Server Software Component, IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows Disable Windows Event Logging Disable HTTP Logging
Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components
Windows Indirect Command Execution Via Series Of Forfiles
Indirect Command Execution
BITSAdmin Download File
BITS Jobs, Ingress Tool Transfer
Windows AD Replication Service Traffic
OS Credential Dumping, DCSync, Rogue Domain Controller
Windows AD Domain Replication ACL Addition
Domain Policy Modification
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Cross Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Windows AD SID History Attribute Modified
Access Token Manipulation, SID-History Injection
Remcos client registry install entry
Modify Registry
Revil Registry Entry
Modify Registry
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Disable Defender Enhanced Notification
Disable or Modify Tools, Impair Defenses
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Sdclt UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Eventvwr UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
WSReset UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
SilentCleanup UAC Bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Recursive Delete of Directory In Batch CMD
File Deletion, Indicator Removal
Windows Modify Registry Qakbot Binary Data Registry
Modify Registry
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Process Injection Of Wermgr to Known Browser
Dynamic-link Library Injection, Process Injection
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Regsvr32 Renamed Binary
Regsvr32, System Binary Proxy Execution
Windows Process Injection Wermgr Child Process
Process Injection
Windows Command Shell Fetch Env Variables
Process Injection
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading In Calc
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows Masquerading Explorer As Child Process
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows DLL Side-Loading Process Child Of Calc
DLL Side-Loading, Hijack Execution Flow
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities At exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path
Masquerading, Rename System Utilities
Windows AD Short Lived Server Object
Rogue Domain Controller
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
GCP Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
AWS Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication
Okta Risk Threshold Exceeded
Valid Accounts, Brute Force
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Windows System Script Proxy Execution Syncappvpublishingserver
System Script Proxy Execution, System Binary Proxy Execution
Okta New API Token Created
Valid Accounts, Default Accounts
Okta New API Token Created
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta Suspicious Activity Reported
Valid Accounts, Default Accounts
Okta New Device Enrolled on Account
Valid Accounts, Default Accounts
Okta New Device Enrolled on Account
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Okta Failed SSO Attempts
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Multiple Okta Users With Invalid Credentials From The Same IP
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Default Accounts
Okta ThreatInsight Threat Detected
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Okta Account Lockout Events
Valid Accounts, Default Accounts
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf, System Binary Proxy Execution
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Privileged Account SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Windows AD Same Domain SID History Addition
SID-History Injection, Access Token Manipulation
Disabling Windows Local Security Authority Defences via Registry
Modify Authentication Process
Windows AD Rogue Domain Controller Network Activity
Rogue Domain Controller
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers
Compiled HTML File, System Binary Proxy Execution
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Federated Domain Added
Domain Policy Modification, Domain Trust Modification
Windows AD Short Lived Domain Controller SPN Attribute
Rogue Domain Controller
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Azure AD New Custom Domain Added
Domain Policy Modification, Domain Trust Modification
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows System Binary Proxy Execution Compiled HTML File Decompile
Compiled HTML File, System Binary Proxy Execution
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows LOLBin Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Linux Persistence and Privilege Escalation Risk Behavior
Abuse Elevation Control Mechanism
Powershell Remote Thread To Known Windows Process
Process Injection
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Credential Theft
InstallUtil, System Binary Proxy Execution
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect Excessive Account Lockouts From Endpoint
Valid Accounts, Domain Accounts
Detect AWS Console Login by User from New Region
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect Excessive User Account Lockouts
Valid Accounts, Local Accounts
Detect AWS Console Login by User from New Country
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Azure AD Multiple Failed MFA Requests For User
Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts
Detect AWS Console Login by User from New City
Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Manipulation Winlogon Duplicate Token Handle
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
Token Impersonation/Theft, Access Token Manipulation
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Hijack Execution Flow Version Dll Side Load
DLL Search Order Hijacking, Hijack Execution Flow
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Access Token Manipulation SeDebugPrivilege
Create Process with Token, Access Token Manipulation
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Windows Process Injection With Public Source Path
Process Injection, Portable Executable Injection
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Azure Runbook Webhook Created
Valid Accounts, Cloud Accounts
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Csvtool Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c99 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux apt-get Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Cpulimit Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux OpenVPN Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sqlite3 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Composer Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Octave Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux c89 Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux APT Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Busybox Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Puppet Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Azure AD Multi-Factor Authentication Disabled
Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux RPM Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux MySQL Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Emacs Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Make Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux PHP Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GDB Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Find Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux GNU Awk Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Ruby Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Gem Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux AWK Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Docker Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Node Privilege Escalation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Windows DLL Search Order Hijacking with iscsicpl
DLL Search Order Hijacking
Linux Kernel Module Enumeration
System Information Discovery, Rootkit
Linux Decode Base64 to Shell
Obfuscated Files or Information, Unix Shell
Linux Obfuscated Files or Information Base64 Decode
Obfuscated Files or Information
AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Impair Security Services
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion PutBucketLifecycle
Disable Cloud Logs, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Wmic NonInteractive App Uninstallation
Disable or Modify Tools, Impair Defenses
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
Windows Defender Tools in Non Standard Path
Masquerading, Rename System Utilities
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Delete CloudWatch Log Group
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable Cloud Logs
AWS Defense Evasion Update Cloudtrail
Impair Defenses, Disable Cloud Logs
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Powershell Disable Security Monitoring
Disable or Modify Tools, Impair Defenses
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
Azure AD Authentication Failed During MFA Challenge
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation
AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Delete Cloudtrail
Disable Cloud Logs, Impair Defenses
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful PowerShell Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
Azure AD Successful Single-Factor Authentication
Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts
AWS Defense Evasion Stop Logging Cloudtrail
Disable Cloud Logs, Impair Defenses
AWS Defense Evasion Stop Logging Cloudtrail
Disable Cloud Logs, Impair Defenses
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Binary Proxy Execution Mavinject DLL Injection
Mavinject, System Binary Proxy Execution
Windows Odbcconf Load Response File
Odbcconf
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Powershell Import Applocker Policy
PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses
Windows Odbcconf Hunting
Odbcconf
Windows Execute Arbitrary Commands with MSDT
System Binary Proxy Execution
Windows Odbcconf Load DLL
Odbcconf
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Deny Security Software With Applocker
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Regedit Silent Reg Import
Modify Registry
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Add Xml Applocker Rules
Disable or Modify Tools, Impair Defenses
Windows Modify Registry Disable Win Defender Raw Write Notif
Modify Registry
Windows Modify Registry Disable Toast Notifications
Modify Registry
Windows Modify Registry Suppress Win Defender Notif
Modify Registry
Windows Modify Registry DisAllow Windows App
Modify Registry
Windows Modify Registry Disable Windows Security Center Notif
Modify Registry
Windows Modify Registry Disabling WER Settings
Modify Registry
Windows MSIExec Remote Download
Msiexec
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defenses Disable Win Defender Auto Logging
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Profile Registry
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Windows Impair Defense Delete Win Defender Context Menu
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
Unload Sysmon Filter Driver
Disable or Modify Tools, Impair Defenses
MacOS plutil
Plist File Modification
Splunk Process Injection Forwarder Bundle Downloads
Process Injection
ASL AWS CreateAccessKey
Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
AWS Create Policy Version to allow all resources
Cloud Accounts, Valid Accounts
Potential password in username
Local Accounts, Credentials In Files
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Powershell Creating Thread Mutex
Obfuscated Files or Information, Indicator Removal from Tools, PowerShell
Splunk User Enumeration Attempt
Valid Accounts
Windows Registry Delete Task SD
Scheduled Task, Impair Defenses
Detect mshta renamed
System Binary Proxy Execution, Mshta
Detect mshta renamed
System Binary Proxy Execution, Mshta
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Suspicious Rundll32 Rename
System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Renamed
System Binary Proxy Execution, Compiled HTML File
Windows Indirect Command Execution Via pcalua
Indirect Command Execution
Windows Indirect Command Execution Via forfiles
Indirect Command Execution
Windows Drivers Loaded by Signature
Rootkit, Exploitation for Privilege Escalation
System Process Running from Unexpected Location
Masquerading
Modify ACLs Permission Of Files Or Folders
File and Directory Permissions Modification
Modify ACL permission To Files Or Folder
File and Directory Permissions Modification
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows DotNet Binary in Non Standard Path
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Remote Network Connection
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option with Network
InstallUtil, System Binary Proxy Execution
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with no Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with No Command Line Arguments
System Binary Proxy Execution, Regsvcs/Regasm
Unknown Process Using The Kerberos Protocol
Use Alternate Authentication Material
Kerberos TGT Request Using RC4 Encryption
Use Alternate Authentication Material
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows Script Host Spawn MSBuild
MSBuild, Trusted Developer Utilities Proxy Execution
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows WMIPrvse Spawn MSBuild
Trusted Developer Utilities Proxy Execution, MSBuild
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows MSHTA Child Process
Mshta, System Binary Proxy Execution
Windows Process With NamedPipe CommandLine
Process Injection
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows Excessive Disabled Services Event
Disable or Modify Tools, Impair Defenses
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Command-Line URL
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows MSHTA Inline HTA Execution
Mshta, System Binary Proxy Execution
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Windows Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Rundll32 DNSQuery
System Binary Proxy Execution, Rundll32
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm with Network Connection
System Binary Proxy Execution, Regsvcs/Regasm
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
NET Profiler UAC bypass
Bypass User Account Control, Abuse Elevation Control Mechanism
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bitsadmin Download File
BITS Jobs, Ingress Tool Transfer
Windows CertUtil Decode File
Deobfuscate/Decode Files or Information
Windows PowerShell Start-BitsTransfer
BITS Jobs, Ingress Tool Transfer
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Rasautou DLL Execution
Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection
Windows Diskshadow Proxy Execution
System Binary Proxy Execution
Windows Bits Job Persistence
BITS Jobs
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
RunDLL Loading DLL By Ordinal
System Binary Proxy Execution, Rundll32
Windows Remote Assistance Spawning Process
Process Injection
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
Rubeus Kerberos Ticket Exports Through Winlogon Access
Use Alternate Authentication Material, Pass the Ticket
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Bypass MFA via Trusted IP
Disable or Modify Cloud Firewall, Impair Defenses
O365 Disable MFA
Modify Authentication Process
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Rubeus Command Line Parameters
Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Mimikatz PassTheTicket CommandLine Parameters
Use Alternate Authentication Material, Pass the Ticket
Malicious PowerShell Process - Encoded Command
Obfuscated Files or Information
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Possible Access To Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Conf File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Doas Tool Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudo OR Su Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Sudoers Tmp File Creation
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Common Process For Elevation Control
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Linux Preload Hijack Library Calls
Dynamic Linker Hijacking, Hijack Execution Flow
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Suspicious Ticket Granting Ticket Request
Valid Accounts, Domain Accounts
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Change File Owner To Root
Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Chmod Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux NOPASSWD Entry In Sudoers File
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Setuid Using Setcap Utility
Setuid and Setgid, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Linux Visudo Utility Execution
Sudo and Sudo Caching, Abuse Elevation Control Mechanism
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Kerberos Service Ticket Request
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Suspicious Computer Account Name Change
Valid Accounts, Domain Accounts
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
Windows File and Directory Permissions Modification, File and Directory Permissions Modification
LOLBAS With Network Traffic
Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution
Fsutil Zeroing File
Indicator Removal
Windows Raccine Scheduled Task Deletion
Disable or Modify Tools
Unusual Number of Remote Endpoint Authentication Events
Valid Accounts
Unusual Number of Computer Service Tickets Requested
Valid Accounts
Grant Permission Using Cacls Utility
File and Directory Permissions Modification
Disable Net User Account
Service Stop, Valid Accounts
Deny Permission using Cacls Utility
File and Directory Permissions Modification
Mmc LOLBAS Execution Process Spawn
Remote Services, Distributed Component Object Model, MMC
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Loading Of Dynwrapx Module
Process Injection, Dynamic-link Library Injection
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Windows DISM Remove Defender
Disable or Modify Tools, Impair Defenses
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
CSC Net On The Fly Compilation
Compile After Delivery, Obfuscated Files or Information
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Windows InstallUtil Uninstall Option
InstallUtil, System Binary Proxy Execution
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Firewall Allowed Program Enable
Disable or Modify System Firewall, Impair Defenses
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
Windows InstallUtil URL in Command Line
InstallUtil, System Binary Proxy Execution
WMIC XSL Execution via URL
XSL Script Processing
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Attacker Tools On Endpoint
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Disable Schedule Task
Disable or Modify Tools, Impair Defenses
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Suspicious wevtutil Usage
Clear Windows Event Logs, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Sdelete Application Execution
Data Destruction, File Deletion, Indicator Removal
Winhlp32 Spawning a Process
Process Injection
Rundll32 Shimcache Flush
Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
Malicious InProcServer32 Modification
Regsvr32, Modify Registry
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
MSBuild Suspicious Spawned By Script Process
MSBuild, Trusted Developer Utilities Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
Verclsid CLSID Execution
Verclsid, System Binary Proxy Execution
BITS Job Persistence
BITS Jobs
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Processes launching netsh
Disable or Modify System Firewall, Impair Defenses
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect mshta inline hta execution
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect MSHTA Url in Command Line
System Binary Proxy Execution, Mshta
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help URL in Command Line
System Binary Proxy Execution, Compiled HTML File
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Attempt To Add Certificate To Untrusted Store
Install Root Certificate, Subvert Trust Controls
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Using InfoTech Storage Handlers
System Binary Proxy Execution, Compiled HTML File
XSL Script Execution With WMIC
XSL Script Processing
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL Hunt
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Rundll32 Control RunDLL World Writable Directory
System Binary Proxy Execution, Rundll32
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
Control Loading from World Writable Directory
System Binary Proxy Execution, Control Panel
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
UAC Bypass With Colorui COM Object
System Binary Proxy Execution, CMSTP
Fsutil Zeroing File
Indicator Removal
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Rundll32 LockWorkStation
System Binary Proxy Execution, Rundll32
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Uninstall App Using MsiExec
Msiexec, System Binary Proxy Execution
Create Remote Thread In Shell Application
Process Injection
Rundll32 Create Remote Thread To A Process
Process Injection
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Regsvr32 with Known Silent Switch Cmdline
System Binary Proxy Execution, Regsvr32
Rundll32 CreateRemoteThread In Browser
Process Injection
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious IcedID Rundll32 Cmdline
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 PluginInit
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Rundll32 Process Creating Exe Dll Files
System Binary Proxy Execution, Rundll32
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Mshta spawning Rundll32 OR Regsvr32 Process
System Binary Proxy Execution, Mshta
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Compute Instance Created By Previously Unseen User
Cloud Accounts, Valid Accounts
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
UAC Bypass MMC Load Unsigned Dll
Bypass User Account Control, Abuse Elevation Control Mechanism, MMC
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Excessive number of service control start as disabled
Disable or Modify Tools, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow File And Printing Sharing In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Allow Network Discovery In Firewall
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Suspicious Event Log Service Behavior
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
Wevtutil Usage To Disable Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
WevtUtil Usage To Clear Logs
Indicator Removal, Clear Windows Event Logs
Permission Modification using Takeown App
File and Directory Permissions Modification
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Clear Unallocated Sector Using Cipher App
File Deletion, Indicator Removal
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Disable Logs Using WevtUtil
Indicator Removal, Clear Windows Event Logs
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
Wbemprox COM Object Execution
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
CMLUA Or CMSTPLUA UAC Bypass
System Binary Proxy Execution, CMSTP
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI RunAs Elevated
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
SLUI Spawning a Process
Bypass User Account Control, Abuse Elevation Control Mechanism
Excessive Usage Of Cacls App
File and Directory Permissions Modification
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Excessive Usage Of Taskkill
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Process Kill Base On File Path
Disable or Modify Tools, Impair Defenses
Trickbot Named Pipe
Process Injection
Wermgr Process Create Executable File
Obfuscated Files or Information
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
Disabling Firewall with Netsh
Disable or Modify Tools, Impair Defenses
PowerShell Start-BitsTransfer
BITS Jobs
CertUtil With Decode Argument
Deobfuscate/Decode Files or Information
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
AWS SetDefaultPolicyVersion
Cloud Accounts, Valid Accounts
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
FodHelper UAC Bypass
Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regsvcs Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect Regasm Spawning a Process
System Binary Proxy Execution, Regsvcs/Regasm
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Detect HTML Help Spawn Child Process
System Binary Proxy Execution, Compiled HTML File
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Suspicious Rundll32 dllregisterserver
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - syssetup
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - setupapi
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
Detect Rundll32 Application Control Bypass - advpack
System Binary Proxy Execution, Rundll32
AWS SAML Access by Provider User and Principal
Valid Accounts
AWS SAML Update identity provider
Valid Accounts
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Detect Rundll32 Inline HTA Execution
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
Suspicious mshta spawn
System Binary Proxy Execution, Mshta
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Deleted
Disable or Modify Cloud Firewall, Impair Defenses
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious MSBuild Spawn
Trusted Developer Utilities Proxy Execution, MSBuild
Suspicious microsoft workflow compiler usage
Trusted Developer Utilities Proxy Execution
Suspicious mshta child process
System Binary Proxy Execution, Mshta
Suspicious mshta child process
System Binary Proxy Execution, Mshta
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
AWS Network Access Control List Created with All Open Ports
Disable or Modify Cloud Firewall, Impair Defenses
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
System Processes Run From Unexpected Locations
Masquerading, Rename System Utilities
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Reg exe Manipulating Windows Services Registry Keys
Services Registry Permissions Weakness, Hijack Execution Flow
Processes created by netsh
Disable or Modify System Firewall
Execution of File With Spaces Before Extension
Rename System Utilities
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Disabling Remote User Account Control
Bypass User Account Control, Abuse Elevation Control Mechanism
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Execution of File with Multiple Extensions
Masquerading, Rename System Utilities
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Software Download To Network Device
TFTP Boot, Pre-OS Boot
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Detect Activity Related to Pass the Hash Attacks
Use Alternate Authentication Material, Pass the Hash
Cloud Provisioning Activity From Previously Unseen City
Valid Accounts
Cloud Provisioning Activity From Previously Unseen Country
Valid Accounts
GCP Detect high risk permissions by resource and account
Valid Accounts
GCP Detect accounts with high risk roles by project
Valid Accounts
GCP Detect gcploit framework
Valid Accounts
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Create or delete windows shares using net exe
Indicator Removal, Network Share Connection Removal
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Security Group API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Infrastructure API Calls
Cloud Accounts, Valid Accounts
Cloud API Calls From Previously Unseen User Roles
Valid Accounts
Cloud Compute Instance Created In Previously Unused Region
Unused/Unsupported Cloud Regions
gcp detect oauth token abuse
Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Launched
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Abnormally High Number Of Cloud Instances Destroyed
Cloud Accounts, Valid Accounts
Cloud Provisioning Activity From Previously Unseen Region
Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
Cloud Instance Modified By Previously Unseen User
Cloud Accounts, Valid Accounts
aws detect sts assume role abuse
Valid Accounts
aws detect attach to role policy
Valid Accounts
aws detect sts get session token abuse
Use Alternate Authentication Material
aws detect role creation
Valid Accounts
aws detect permanent key creation
Valid Accounts
Suspicious writes to System Volume Information
Masquerading
Suspicious writes to windows Recycle Bin
Masquerading
Suspicious Reg exe Process
Modify Registry
Abnormally High AWS Instances Launched by User - MLTK
Cloud Accounts
Detect new user AWS Console Login
Cloud Accounts
Detect AWS API Activities From Unapproved Accounts
Cloud Accounts
Detect Spike in AWS API Activity
Cloud Accounts
Abnormally High AWS Instances Terminated by User
Cloud Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Okta User Logins From Multiple Cities
Valid Accounts, Default Accounts
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
Hiding Files And Directories With Attrib exe
File and Directory Permissions Modification, Windows File and Directory Permissions Modification
EC2 Instance Modified With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Launched by User
Cloud Accounts
EC2 Instance Started With Previously Unseen User
Cloud Accounts
Abnormally High AWS Instances Terminated by User - MLTK
Cloud Accounts
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
Windows Event Log Cleared
Indicator Removal, Clear Windows Event Logs
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Detect Path Interception By Creation Of program exe
Path Interception by Unquoted Path, Hijack Execution Flow
Reg exe used to hide files directories via registry keys
Hidden Files and Directories
USN Journal Deletion
Indicator Removal
Web Fraud - Anomalous User Clickspeed
Valid Accounts
Detect Spike in Network ACL Activity
Disable or Modify Cloud Firewall
Detect Spike in Security Group Activity
Cloud Accounts
Detect new API calls from user roles
Cloud Accounts
AWS Cloud Provisioning From Previously Unseen Country
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen Region
Unused/Unsupported Cloud Regions
AWS Cloud Provisioning From Previously Unseen City
Unused/Unsupported Cloud Regions
EC2 Instance Started In Previously Unseen Region
Unused/Unsupported Cloud Regions
Identify New User Accounts
Domain Accounts