| Detection | ATT&CK Techniques | Type |
| --- | --- | --- |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools, Impair Defenses | TTP |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Batch File Write to System32 | User Execution, Malicious File | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP |
| Certutil exe certificate extraction | None | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP |
| Clop Common Exec Parameter | User Execution | TTP |
| Clop Ransomware Known Service Name | Create or Modify System Process | TTP |
| CMD Echo Pipe - Escalation | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP |
| ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | TTP |
| Conti Common Exec parameter | User Execution | TTP |
| Control Loading from World Writable Directory | System Binary Proxy Execution, Control Panel | TTP |
| Creation of Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Copy Command from Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Credential Dumping via Symlink to Shadow Copy | NTDS, OS Credential Dumping | TTP |
| Crowdstrike Admin Weak Password Policy | Brute Force | TTP |
| Crowdstrike Admin With Duplicate Password | Brute Force | TTP |
| Crowdstrike High Identity Risk Severity | Brute Force | TTP |
| Crowdstrike Medium Identity Risk Severity | Brute Force | TTP |
| Crowdstrike Medium Severity Alert | Brute Force | Anomaly |
| Crowdstrike Multiple LOW Severity Alerts | Brute Force | Anomaly |
| Crowdstrike Privilege Escalation For Non-Admin User | Brute Force | Anomaly |
| Crowdstrike User Weak Password Policy | Brute Force | Anomaly |
| Crowdstrike User with Duplicate Password | Brute Force | Anomaly |
| Curl Download and Bash Execution | Ingress Tool Transfer | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect Certify Command Line Arguments | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| Detect HTML Help Spawn Child Process | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help URL in Command Line | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | System Binary Proxy Execution, Compiled HTML File | TTP |
| Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP |
| Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP |
| Detect Regasm Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvcs Spawning a Process | System Binary Proxy Execution, Regsvcs/Regasm | TTP |
| Detect Regsvr32 Application Control Bypass | System Binary Proxy Execution, Regsvr32 | TTP |
| Detect Rundll32 Application Control Bypass - advpack | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - setupapi | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Rundll32 Application Control Bypass - syssetup | System Binary Proxy Execution, Rundll32 | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| DNS Exfiltration Using Nslookup App | Exfiltration Over Alternative Protocol | TTP |
| DSQuery Domain Discovery | Domain Trust Discovery | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Dump LSASS via procdump | LSASS Memory, OS Credential Dumping | TTP |
| Enumerate Users Local Group Using Telegram | Account Discovery | TTP |
| Excel Spawning PowerShell | Security Account Manager, OS Credential Dumping | TTP |
| Excel Spawning Windows Script Host | Security Account Manager, OS Credential Dumping | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| FodHelper UAC Bypass | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| GPUpdate with no Command Line Arguments with Network | Process Injection | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Known Services Killed by Ransomware | Inhibit System Recovery | TTP |
| Malicious Powershell Executed As A Service | System Services, Service Execution | TTP |
| Office Application Drop Executable | Phishing, Spearphishing Attachment | TTP |
| Office Application Spawn Regsvr32 process | Phishing, Spearphishing Attachment | TTP |
| Office Application Spawn rundll32 process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning BITSAdmin | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning CertUtil | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning MSHTA | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Rundll32 with no DLL | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Windows Script Host | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning Wmic | Phishing, Spearphishing Attachment | TTP |
| Office Product Writing cab or inf | Phishing, Spearphishing Attachment | TTP |
| Office Spawning Control | Phishing, Spearphishing Attachment | TTP |
| Remote Process Instantiation via DCOM and PowerShell | Remote Services, Distributed Component Object Model | TTP |
| Remote Process Instantiation via WMI and PowerShell | Windows Management Instrumentation | TTP |
| Resize ShadowStorage volume | Inhibit System Recovery | TTP |
| Rundll32 Control RunDLL World Writable Directory | System Binary Proxy Execution, Rundll32 | TTP |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| Rundll32 with no Command Line Arguments with Network | System Binary Proxy Execution, Rundll32 | TTP |
| Ryuk Wake on LAN Command | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| SearchProtocolHost with no Command Line with Network | Process Injection | TTP |
| SecretDumps Offline NTDS Dumping Tool | NTDS, OS Credential Dumping | TTP |
| ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP |
| Services Escalate Exe | Abuse Elevation Control Mechanism | TTP |
| Shim Database Installation With Suspicious Parameters | Application Shimming, Event Triggered Execution | TTP |
| Short Lived Scheduled Task | Scheduled Task | TTP |
| Single Letter Process On Endpoint | User Execution, Malicious File | TTP |
| SLUI RunAs Elevated | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| SLUI Spawning a Process | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Spoolsv Spawning Rundll32 | Print Processors, Boot or Logon Autostart Execution | TTP |
| Spoolsv Writing a DLL | Print Processors, Boot or Logon Autostart Execution | TTP |
| Suspicious Computer Account Name Change | Valid Accounts, Domain Accounts | TTP |
| Suspicious Copy on System32 | Rename System Utilities, Masquerading | TTP |
| Wget Download and Bash Execution | Ingress Tool Transfer | TTP |
| Windows AD Cross Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP |
| Windows AD Domain Controller Promotion | Rogue Domain Controller | TTP |
| Windows AD Domain Replication ACL Addition | Domain or Tenant Policy Modification | TTP |
| Windows AD Privileged Account SID History Addition | SID-History Injection, Access Token Manipulation | TTP |
| Windows AD Replication Request Initiated by User Account | DCSync, OS Credential Dumping | TTP |
| Windows AD Replication Request Initiated from Unsanctioned Location | DCSync, OS Credential Dumping | TTP |
| Windows AD Same Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP |
| Windows AD Short Lived Domain Controller SPN Attribute | Rogue Domain Controller | TTP |
| Windows AD Short Lived Server Object | Rogue Domain Controller | TTP |
| Windows Alternate DataStream - Process Execution | Hide Artifacts, NTFS File Attributes | TTP |
| Windows Change Default File Association For No File Ext | Change Default File Association, Event Triggered Execution | TTP |
| Windows COM Hijacking InprocServer32 Modification | Component Object Model Hijacking, Event Triggered Execution | TTP |
| Windows Command and Scripting Interpreter Path Traversal Exec | Command and Scripting Interpreter | TTP |
| Windows Command Shell DCRat ForkBomb Payload | Windows Command Shell, Command and Scripting Interpreter | TTP |
| Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP |
| Windows ConHost with Headless Argument | Hidden Window, Run Virtual Instance | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Credentials from Password Stores Creation | Credentials from Password Stores | TTP |
| Windows Credentials from Password Stores Deletion | Credentials from Password Stores | TTP |
| Windows Curl Download to Suspicious Path | Ingress Tool Transfer | TTP |
| Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP |
| Windows Disable Windows Event Logging Disable HTTP Logging | Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components | TTP |
| Windows DISM Remove Defender | Disable or Modify Tools, Impair Defenses | TTP |
| Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP |
| Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP |
| Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP |
| Windows Excessive Disabled Services Event | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Execute Arbitrary Commands with MSDT | System Binary Proxy Execution | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |
| Windows InstallUtil Remote Network Connection | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil Uninstall Option with Network | InstallUtil, System Binary Proxy Execution | TTP |
| Windows InstallUtil URL in Command Line | InstallUtil, System Binary Proxy Execution | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows KrbRelayUp Service Creation | Windows Service | TTP |
| Windows Masquerading Explorer As Child Process | DLL Side-Loading, Hijack Execution Flow | TTP |
| Windows Masquerading Msdtc Process | Masquerading | TTP |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall, Impair Defenses | TTP |
| Windows MOF Event Triggered Execution via WMI | Windows Management Instrumentation Event Subscription | TTP |
| Windows MSIExec Spawn WinDBG | Msiexec | TTP |
| Windows Office Product Spawning MSDT | Phishing, Spearphishing Attachment | TTP |
| Windows PaperCut NG Spawn Shell | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Parent PID Spoofing with Explorer | Parent PID Spoofing, Access Token Manipulation | TTP |
| Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP |
| Windows Rasautou DLL Execution | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | TTP |
| Windows Regsvr32 Renamed Binary | Regsvr32, System Binary Proxy Execution | TTP |
| Windows Remote Assistance Spawning Process | Process Injection | TTP |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol, Remote Services | TTP |
| Windows Scheduled Task with Highest Privileges | Scheduled Task/Job, Scheduled Task | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| Windows Service Create SliverC2 | System Services, Service Execution | TTP |
| Windows Service Create with Tscon | RDP Hijacking, Remote Service Session Hijacking, Windows Service | TTP |
| Windows Snake Malware Service Create | Kernel Modules and Extensions, Service Execution | TTP |
| Windows SOAPHound Binary Execution | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Windows Spearphishing Attachment Onenote Spawn Mshta | Spearphishing Attachment, Phishing | TTP |
| Windows Special Privileged Logon On Multiple Hosts | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP |
| Windows Steal Authentication Certificates - ESC1 Authentication | Steal or Forge Authentication Certificates, Use Alternate Authentication Material | TTP |
| Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File, System Binary Proxy Execution | TTP |
| Windows UAC Bypass Suspicious Escalation Behavior | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP |
| Windows Valid Account With Never Expires Password | Service Stop | TTP |
| Windows WinDBG Spawning AutoIt3 | Command and Scripting Interpreter | TTP |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| Winhlp32 Spawning a Process | Process Injection | TTP |
| WinRAR Spawning Shell Application | Ingress Tool Transfer | TTP |
| Winword Spawning Cmd | Phishing, Spearphishing Attachment | TTP |
| Winword Spawning PowerShell | Phishing, Spearphishing Attachment | TTP |
| Winword Spawning Windows Script Host | Phishing, Spearphishing Attachment | TTP |
| WMIC XSL Execution via URL | XSL Script Processing | TTP |