Detections

Sigma Rules

Search Sigma Rules mapped to MITRE ATT&CK techniques to detect potentially malicious activities across a range of log sources.

| Test Name | MITRE ATT&CK ID | Source |
|---|---|---|
| Github Self Hosted Runner Changes Detected | T1213.003, T1526, T1078.004 | github |
| Github Delete Action Invoked | T1213.003 | github |
| Github Push Protection Bypass Detected | T1562.001 | github |
| Github Secret Scanning Feature Disabled | T1562.001 | github |
| Github New Secret Created | T1078.004 | github |
| Github Push Protection Disabled | T1562.001 | github |
| Github High Risk Configuration Disabled | T1556 | github |
| New Github Organization Member Added | T1136.003 | github |
| Outdated Dependency Or Vulnerability Alert Disabled | T1195.001 | github |
| Github Outside Collaborator Detected | T1213.003, T1098.003, T1098.001 | github |
| OneLogin User Account Locked | | onelogin |
| OneLogin User Assumed Another User | | onelogin |
| Bitbucket Secret Scanning Exempt Repository Added | T1562.001 | bitbucket |
| Bitbucket Audit Log Configuration Updated | T1562.001 | bitbucket |
| Bitbucket Global Secret Scanning Rule Deleted | T1562.001 | bitbucket |
| Bitbucket User Login Failure Via SSH | T1021.004, T1110 | bitbucket |
| Bitbucket User Permissions Export Attempt | T1082, T1213, T1591.004 | bitbucket |
| Bitbucket Secret Scanning Rule Deleted | T1562.001 | bitbucket |
| Bitbucket Unauthorized Full Data Export Triggered | T1586, T1213.003 | bitbucket |
| Bitbucket Full Data Export Triggered | T1213.003 | bitbucket |
| Bitbucket Unauthorized Access To A Resource | T1586 | bitbucket |
| Bitbucket User Login Failure | T1110, T1078.004 | bitbucket |
| Bitbucket Global Permission Changed | T1098 | bitbucket |
| Bitbucket Project Secret Scanning Allowlist Added | T1562.001 | bitbucket |
| Bitbucket Global SSH Settings Changed | T1562.001, T1021.004 | bitbucket |
| Bitbucket User Details Export Attempt Detected | T1213, T1591.004, T1082 | bitbucket |
| Okta Security Threat Detected | | okta |
| Okta Admin Functions Access Through Proxy | | okta |
| Okta User Session Start Via An Anonymising Proxy Service | T1562.006 | okta |
| Okta MFA Reset or Deactivated | T1556.006 | okta |
| Okta Suspicious Activity Reported by End-user | T1586.003 | okta |
| Okta Admin Role Assignment Created | | okta |
| Okta API Token Revoked | | okta |
| Okta Policy Rule Modified or Deleted | | okta |
| Okta Admin Role Assigned to an User or Group | T1098.003 | okta |
| New Okta User Created | | okta |
| Okta API Token Created | | okta |
| Okta New Admin Console Behaviours | T1078.004 | okta |
| Okta Unauthorized Access to App | | okta |
| Okta Application Sign-On Policy Modified or Deleted | | okta |
| Okta Application Modified or Deleted | | okta |
| Okta Policy Modified or Deleted | | okta |
| Okta User Account Locked Out | T1531 | okta |
| Potential Okta Password in AlternateID Field | T1552 | okta |
| Okta Network Zone Deactivated or Deleted | | okta |
| Okta FastPass Phishing Detection | T1566 | okta |
| Okta Identity Provider Created | T1098.001 | okta |
| Logon from a Risky IP Address | T1078 | m365 |
| Microsoft 365 - Unusual Volume of File Deletion | T1485 | m365 |
| PST Export Alert Using eDiscovery Alert | T1114 | m365 |
| Microsoft 365 - Potential Ransomware Activity | T1486 | m365 |
| Activity Performed by Terminated User | | m365 |
| Microsoft 365 - User Restricted from Sending Email | T1199 | m365 |
| Activity from Anonymous IP Addresses | T1573 | m365 |
| PST Export Alert Using New-ComplianceSearchAction | T1114 | m365 |
| Activity from Infrequent Country | T1573 | m365 |
| Suspicious Inbox Forwarding | T1020 | m365 |
| Suspicious OAuth App File Download Activities | | m365 |
| Data Exfiltration to Unsanctioned Apps | T1537 | m365 |
| Microsoft 365 - Impossible Travel Activity | T1078 | m365 |
| New Federated Domain Added - Exchange | T1136.003 | m365 |
| New Federated Domain Added | T1136.003 | m365 |
| Disabling Multi Factor Authentication | T1556 | m365 |
| Activity from Suspicious IP Addresses | T1573 | m365 |
| Granting Of Permissions To An Account | T1098.003 | azure |
| Azure Kubernetes Cluster Created or Deleted | | azure |
| Azure Firewall Rule Configuration Modified or Deleted | | azure |
| Azure Network Security Configuration Modified or Deleted | | azure |
| Azure Container Registry Created or Deleted | | azure |
| Azure New CloudShell Created | T1059 | azure |
| Azure Firewall Rule Collection Modified or Deleted | T1562.004 | azure |
| Azure Service Principal Removed | | azure |
| Azure Virtual Network Modified or Deleted | | azure |
| Azure Point-to-site VPN Modified or Deleted | | azure |
| Azure Kubernetes Sensitive Role Access | | azure |
| Azure Application Deleted | T1489 | azure |
| Azure Kubernetes Secret or Config Object Access | | azure |
| Azure VPN Connection Modified or Deleted | | azure |
| Disabled MFA to Bypass Authentication Mechanisms | T1556 | azure |
| Azure Service Principal Created | | azure |
| Azure Active Directory Hybrid Health AD FS New Server | T1578 | azure |
| Azure Application Gateway Modified or Deleted | | azure |
| Azure Kubernetes Events Deleted | T1562, T1562.001 | azure |
| Azure Application Credential Modified | | azure |
| Azure Application Security Group Modified or Deleted | | azure |
| Azure DNS Zone Modified or Deleted | T1565.001 | azure |
| Azure Keyvault Key Modified or Deleted | T1552, T1552.001 | azure |
| Azure Network Firewall Policy Modified or Deleted | T1562.007 | azure |
| Azure Suppression Rule Created | | azure |
| Rare Subscription-level Operations In Azure | T1003 | azure |
| User Added to an Administrator's Azure AD Role | T1098.003, T1078 | azure |
| Azure Kubernetes Service Account Modified or Deleted | T1531 | azure |
| Azure Device or Configuration Modified or Deleted | T1565.001, T1485 | azure |
| Number Of Resource Creation Or Deployment Activities | T1098 | azure |
| Azure Owner Removed From Application or Service Principal | | azure |
| Azure Kubernetes CronJob | T1053.003 | azure |
| Azure Device No Longer Managed or Compliant | | azure |
| Azure Key Vault Modified or Deleted | T1552, T1552.001 | azure |
| Azure Kubernetes Network Policy Change | | azure |
| Azure Subscription Permission Elevation Via ActivityLogs | T1078.004 | azure |
| Azure Firewall Modified or Deleted | T1562.004 | azure |
| Azure Kubernetes Pods Deleted | | azure |
| Azure Keyvault Secrets Modified or Deleted | T1552.001, T1552 | azure |
| Azure Virtual Network Device Modified or Deleted | | azure |
| Azure Kubernetes Admission Controller | T1552, T1552.007, T1078 | azure |
| Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | | azure |
| Azure Active Directory Hybrid Health AD FS Service Delete | T1578.003 | azure |
| Roles Are Not Being Used | T1078 | azure |
| Roles Assigned Outside PIM | T1078 | azure |
| Too Many Global Admins | T1078 | azure |
| Stale Accounts In A Privileged Role | T1078 | azure |
| Invalid PIM License | T1078 | azure |
| Roles Activated Too Frequently | T1078 | azure |
| Roles Activation Doesn't Require MFA | T1078 | azure |
| Suspicious Inbox Forwarding Identity Protection | T1140 | azure |
| Atypical Travel | T1078 | azure |
| Primary Refresh Token Access Attempt | T1528 | azure |
| Activity From Anonymous IP Address | T1078 | azure |
| Password Spray Activity | T1110 | azure |
| Azure AD Account Credential Leaked | T1589 | azure |
| Malicious IP Address Sign-In Failure Rate | T1090 | azure |
| Anonymous IP Address | T1528 | azure |
| Sign-In From Malware Infected IP | T1090 | azure |
| Anomalous Token | T1528 | azure |
| Suspicious Inbox Manipulation Rules | T1140 | azure |
| Malicious IP Address Sign-In Suspicious | T1090 | azure |
| Azure AD Threat Intelligence | T1078 | azure |
| Anomalous User Activity | T1098 | azure |
| Suspicious Browser Activity | T1078 | azure |
| New Country | T1078 | azure |
| SAML Token Issuer Anomaly | T1606 | azure |
| Unfamiliar Sign-In Properties | T1078 | azure |
| Impossible Travel | T1078 | azure |
| Discovery Using AzureHound | T1087.004, T1526 | azure |
| Authentications To Important Apps Using Single Factor Authentication | T1078 | azure |
| Users Authenticating To Other Azure AD Tenants | T1078.004 | azure |
| Application Using Device Code Authentication Flow | T1078 | azure |
| Sign-ins from Non-Compliant Devices | T1078.004 | azure |
| Failed Authentications From Countries You Do Not Operate Out Of | T1110, T1078.004 | azure |
| Login to Disabled Account | T1078.004 | azure |
| Azure Unusual Authentication Interruption | T1078 | azure |
| Suspicious SignIns From A Non Registered Device | T1078 | azure |
| Sign-ins by Unknown Devices | T1078.004 | azure |
| Sign-in Failure Due to Conditional Access Requirements Not Met | T1078.004, T1110 | azure |
| Multifactor Authentication Denied | T1621, T1110, T1078.004 | azure |
| Successful Authentications From Countries You Do Not Operate Out Of | T1078.004, T1110 | azure |
| Measurable Increase Of Successful Authentications | T1078 | azure |
| Multifactor Authentication Interrupted | T1621, T1078.004, T1110 | azure |
| Increased Failed Authentications Of Any Type | T1078 | azure |
| User Access Blocked by Azure Conditional Access | T1110, T1078.004 | azure |
| Potential MFA Bypass Using Legacy Client Authentication | T1110, T1078.004 | azure |
| Azure AD Only Single Factor Authentication Required | T1556.006, T1078.004 | azure |
| Device Registration or Join Without MFA | T1078.004 | azure |
| Account Lockout | T1110 | azure |
| Account Disabled or Blocked for Sign in Attempts | T1078.004 | azure |
| Applications That Are Using ROPC Authentication Flow | T1078 | azure |
| Use of Legacy Authentication Protocols | T1078.004, T1110 | azure |
| User Removed From Group With CA Policy Modification Access | T1556, T1548 | azure |
| Temporary Access Pass Added To An Account | T1078.004 | azure |
| Changes to Device Registration Policy | T1484 | azure |
| Guest Users Invited To Tenant By Non Approved Inviters | T1078 | azure |
| CA Policy Removed by Non Approved Actor | T1556, T1548 | azure |
| User Added To Privilege Role | T1078.004 | azure |
| Azure Subscription Permission Elevation Via AuditLogs | T1078 | azure |
| New CA Policy by Non-approved Actor | T1548 | azure |
| Certificate-Based Authentication Enabled | T1556 | azure |
| Bulk Deletion Changes To Privileged Account Permissions | T1098 | azure |
| Users Added to Global or Device Admin Roles | T1078.004 | azure |
| Change to Authentication Method | T1098, T1556 | azure |
| PIM Approvals And Deny Elevation | T1078.004 | azure |
| App Granted Microsoft Permissions | T1528 | azure |
| Application URI Configuration Changes | T1528, T1078.004 | azure |
| New Root Certificate Authority Added | T1556 | azure |
| Password Reset By User Account | T1078.004 | azure |
| PIM Alert Setting Changes To Disabled | T1078 | azure |
| User State Changed From Guest To Member | T1078.004 | azure |
| Privileged Account Creation | T1078.004 | azure |
| Added Owner To Application | T1552 | azure |
| Guest User Invited By Non Approved Inviters | T1078.004 | azure |
| Changes To PIM Settings | T1078.004 | azure |
| App Role Added | T1098.003 | azure |
| App Granted Privileged Delegated Or App Permissions | T1098.003 | azure |
| End User Consent | T1528 | azure |
| Account Created And Deleted Within A Close Time Frame | T1078 | azure |
| Bitlocker Key Retrieval | T1078.004 | azure |
| End User Consent Blocked | T1528 | azure |
| Application AppID Uri Configuration Changes | T1552, T1078.004 | azure |
| Added Credentials to Existing Application | T1098.001 | azure |
| Delegated Permissions Granted For All Users | T1528 | azure |
| CA Policy Updated by Non Approved Actor | T1556, T1548 | azure |
| Azure Domain Federation Settings Modified | T1078 | azure |
| User Added To Group With CA Policy Modification Access | T1556, T1548 | azure |
| AWS Root Credentials | T1078.004 | aws |
| AWS IAM S3Browser User or AccessKey Creation | T1078.004, T1059.009 | aws |
| AWS STS AssumeRole Misuse | T1548, T1550.001, T1550 | aws |
| AWS IAM Backdoor Users Keys | T1098 | aws |
| AWS EC2 Startup Shell Script Change | T1059.001, T1059.004, T1059.003 | aws |
| AWS EKS Cluster Created or Deleted | T1485 | aws |
| SES Identity Has Been Deleted | T1070 | aws |
| AWS GuardDuty Important Change | T1562.001 | aws |
| AWS EC2 Disable EBS Encryption | T1565, T1486 | aws |
| Potential Bucket Enumeration on AWS | T1580 | aws |
| AWS S3 Data Management Tampering | T1537 | aws |
| AWS IAM S3Browser LoginProfile Creation | T1059.009, T1078.004 | aws |
| Restore Public AWS RDS Instance | T1020 | aws |
| AWS EFS Fileshare Mount Modified or Deleted | T1485 | aws |
| AWS Attached Malicious Lambda Layer | | aws |
| AWS STS GetSessionToken Misuse | T1550.001, T1548, T1550 | aws |
| AWS Glue Development Endpoint Activity | | aws |
| AWS ElastiCache Security Group Modified or Deleted | T1531 | aws |
| AWS EFS Fileshare Modified or Deleted | | aws |
| AWS EC2 VM Export Failure | T1537, T1005 | aws |
| AWS RDS Master Password Change | T1020 | aws |
| AWS Snapshot Backup Exfiltration | T1537 | aws |
| AWS IAM S3Browser Templated S3 Bucket Policy Creation | T1078.004, T1059.009 | aws |
| AWS Console GetSigninToken Potential Abuse | T1021.007, T1550.001 | aws |
| AWS SecurityHub Findings Evasion | T1562 | aws |
| AWS ElastiCache Security Group Created | T1136, T1136.003 | aws |
| AWS ECS Task Definition That Queries The Credential Endpoint | T1525 | aws |
| AWS CloudTrail Important Change | T1562.001 | aws |
| AWS Route 53 Domain Transferred to Another Account | T1098 | aws |
| AWS User Login Profile Was Modified | T1098 | aws |
| AWS Identity Center Identity Provider Change | T1556 | aws |
| AWS S3 Bucket Versioning Disable | T1490 | aws |
| AWS Suspicious SAML Activity | T1078, T1550, T1550.001, T1548 | aws |
| AWS Config Disabling Channel/Recorder | T1562.001 | aws |
| AWS Route 53 Domain Transfer Lock Disabled | T1098 | aws |
| Google Workspace MFA Disabled | | gcp |
| Google Workspace Role Modified or Deleted | | gcp |
| Google Workspace User Granted Admin Privileges | T1098 | gcp |
| Google Workspace Granted Domain API Access | T1098 | gcp |
| Google Workspace Application Removed | | gcp |
| Google Workspace Role Privilege Deleted | | gcp |
| Google Workspace Application Access Level Modified | T1098.003 | gcp |
| Google Cloud Re-identifies Sensitive Information | T1565 | gcp |
| Google Cloud VPN Tunnel Modified or Deleted | | gcp |
| Google Full Network Traffic Packet Capture | T1074 | gcp |
| Google Cloud Service Account Modified | | gcp |
| Google Cloud Storage Buckets Modified or Deleted | | gcp |
| Google Cloud Kubernetes Secrets Modified or Deleted | | gcp |
| Google Cloud Kubernetes CronJob | | gcp |
| Google Cloud DNS Zone Modified or Deleted | | gcp |
| Google Cloud Service Account Disabled or Deleted | T1531 | gcp |
| GCP Break-glass Container Workload Deployed | T1548 | gcp |
| Google Cloud Kubernetes RoleBinding | | gcp |
| GCP Access Policy Deleted | T1098 | gcp |
| Google Cloud SQL Database Modified or Deleted | | gcp |
| Google Cloud Firewall Modified or Deleted | T1562 | gcp |
| Google Cloud Kubernetes Admission Controller | T1552.007, T1078, T1552 | gcp |
| Google Cloud Storage Buckets Enumeration | | gcp |
| Suspicious Reverse Shell Command Line | T1059.004 | linux |
| Suspicious Log Entries | | linux |
| Symlink Etc Passwd | T1204.001 | linux |
| Code Injection by ld.so Preload | T1574.006 | linux |
| Commands to Clear or Remove the Syslog - Builtin | T1565.001 | linux |
| Privileged User Has Been Created | T1136.001, T1098 | linux |
| Buffer Overflow Attempts | T1068 | linux |
| JexBoss Command Sequence | T1059.004 | linux |
| Suspicious Use of /dev/tcp | | linux |
| Equation Group Indicators | T1059.004 | linux |
| Remote File Copy | T1105 | linux |
| Suspicious Activity in Shell Commands | T1059.004 | linux |
| Nimbuspwn Exploitation | T1068 | linux |
| Potential Suspicious BPF Activity - Linux | | linux |
| Shellshock Expression | T1505.003 | linux |
| Space After Filename | | linux |
| Clear Command History | T1070.003 | linux |
| PwnKit Local Privilege Escalation | T1548.001 | linux |
| Relevant ClamAV Message | T1588.001 | linux |
| Disabling Security Tools - Builtin | T1562.004 | linux |
| Suspicious Named Error | T1190 | linux |
| Sudo Privilege Escalation CVE-2019-14287 - Builtin | T1548.003, T1068 | linux |
| Modifying Crontab | T1053.003 | linux |
| Guacamole Two Users Sharing Session Anomaly | T1212 | linux |
| Suspicious VSFTPD Error Messages | T1190 | linux |
| Suspicious OpenSSH Daemon Error | T1190 | linux |
| SSHD Error Message CVE-2018-15473 | T1589 | linux |
| User Added To Root/Sudoers Group Using Usermod | | linux, process_creation |
| Suspicious Nohup Execution | | linux, process_creation |
| Commands to Clear or Remove the Syslog | T1070.002 | linux, process_creation |
| Linux Remote System Discovery | T1018 | linux, process_creation |
| Triple Cross eBPF Rootkit Install Commands | T1014 | linux, process_creation |
| Vim GTFOBin Abuse - Linux | T1083 | linux, process_creation |
| Potential Python Reverse Shell | | linux, process_creation |
| ESXi VM List Discovery Via ESXCLI | T1033, T1007 | linux, process_creation |
| Sudo Privilege Escalation CVE-2019-14287 | T1548.003, T1068 | linux, process_creation |
| Linux Shell Pipe to Shell | T1140 | linux, process_creation |
| Python Spawning Pretty TTY | T1059 | linux, process_creation |
| Linux Base64 Encoded Shebang In CLI | T1140 | linux, process_creation |
| Security Software Discovery - Linux | T1518.001 | linux, process_creation |
| Disable Or Stop Services | | linux, process_creation |
| OS Architecture Discovery Via Grep | T1082 | linux, process_creation |
| Touch Suspicious Service File | T1070.006 | linux, process_creation |
| Linux Crypto Mining Indicators | T1496 | linux, process_creation |
| Potential Ruby Reverse Shell | | linux, process_creation |
| Docker Container Discovery Via Dockerenv Listing | T1082 | linux, process_creation |
| OMIGOD SCX RunAsProvider ExecuteScript | T1068, T1203, T1190 | linux, process_creation |
| Potential GobRAT File Discovery Via Grep | T1082 | linux, process_creation |
| ESXi VM Kill Via ESXCLI | | linux, process_creation |
| Flush Iptables Ufw Chain | T1562.004 | linux, process_creation |
| Print History File Contents | T1592.004 | linux, process_creation |
| Potential PHP Reverse Shell | | linux, process_creation |
| Curl Usage on Linux | T1105 | linux, process_creation |
| Linux Package Uninstall | T1070 | linux, process_creation |
| Chmod Suspicious Directory | T1222.002 | linux, process_creation |
| Setuid and Setgid | T1548.001 | linux, process_creation |
| Potential Container Discovery Via Inodes Listing | T1082 | linux, process_creation |
| ESXi VSAN Information Discovery Via ESXCLI | T1033, T1007 | linux, process_creation |
| Mount Execution With Hidepid Parameter | T1564 | linux, process_creation |
| ESXi Syslog Configuration Change Via ESXCLI | T1562.003, T1562.001 | linux, process_creation |
| ESXi Account Creation Via ESXCLI | T1136 | linux, process_creation |
| Linux HackTool Execution | T1587 | linux, process_creation |
| Linux Recon Indicators | T1552.001, T1592.004 | linux, process_creation |
| Decode Base64 Encoded Text | T1027 | linux, process_creation |
| Potentially Suspicious Execution From Tmp Folder | T1036 | linux, process_creation |
| Group Has Been Deleted Via Groupdel | T1531 | linux, process_creation |
| Potential Perl Reverse Shell Execution | | linux, process_creation |
| Execution Of Script Located In Potentially Suspicious Directory | | linux, process_creation |
| ESXi Admin Permission Assigned To Account Via ESXCLI | | linux, process_creation |
| Crontab Enumeration | T1007 | linux, process_creation |
| Suspicious Curl Change User Agents - Linux | T1071.001 | linux, process_creation |
| Remove Scheduled Cron Task/Job | | linux, process_creation |
| Potential Xterm Reverse Shell | T1059 | linux, process_creation |
| Enable BPF Kprobes Tracing | | linux, process_creation |
| Atlassian Confluence CVE-2022-26134 | T1190, T1059 | linux, process_creation |
| History File Deletion | T1565.001 | linux, process_creation |
| Remote Access Tool - Team Viewer Session Started On Linux Host | T1133 | linux, process_creation |
| Copy Passwd Or Shadow From TMP Path | T1552.001 | linux, process_creation |
| Disabling Security Tools | T1562.004 | linux, process_creation |
| ESXi Network Configuration Discovery Via ESXCLI | T1033, T1007 | linux, process_creation |
| Linux Doas Tool Execution | T1548 | linux, process_creation |
| Potentially Suspicious Named Pipe Created Via Mkfifo | | linux, process_creation |
| Suspicious Curl File Upload - Linux | T1567, T1105 | linux, process_creation |
| Container Residence Discovery Via Proc Virtual FS | T1082 | linux, process_creation |
| Bash Interactive Shell | | linux, process_creation |
| Potential Netcat Reverse Shell Execution | T1059 | linux, process_creation |
| Process Discovery | T1057 | linux, process_creation |
| Scheduled Task/Job At | T1053.002 | linux, process_creation |
| OMIGOD SCX RunAsProvider ExecuteShellCommand | T1068, T1203, T1190 | linux, process_creation |
| Named Pipe Created Via Mkfifo | | linux, process_creation |
| Scheduled Cron Task/Job - Linux | T1053.003 | linux, process_creation |
| System Network Connections Discovery - Linux | T1049 | linux, process_creation |
| Linux Network Service Scanning Tools Execution | T1046 | linux, process_creation |
| System Network Discovery - Linux | T1016 | linux, process_creation |
| Capabilities Discovery - Linux | T1083 | linux, process_creation |
| Potential Discovery Activity Using Find - Linux | T1083 | linux, process_creation |
| User Has Been Deleted Via Userdel | T1531 | linux, process_creation |
| Apache Spark Shell Command Injection - ProcessCreation | T1190 | linux, process_creation |
| DD File Overwrite | T1485 | linux, process_creation |
| Local Groups Discovery - Linux | T1069.001 | linux, process_creation |
| Clipboard Collection with Xclip Tool | T1115 | linux, process_creation |
| File and Directory Discovery - Linux | T1083 | linux, process_creation |
| Terminate Linux Process Via Kill | T1562 | linux, process_creation |
| Clear Linux Logs | T1070.002 | linux, process_creation |
| Nohup Execution | T1059.004 | linux, process_creation |
| Potential Linux Amazon SSM Agent Hijacking | T1219 | linux, process_creation |
| Suspicious Java Children Processes | T1059 | linux, process_creation |
| Suspicious Package Installed - Linux | T1553.004 | linux, process_creation |
| Cat Sudoers | T1592.004 | linux, process_creation |
| Interactive Bash Suspicious Children | T1036, T1059.004 | linux, process_creation |
| Download File To Potentially Suspicious Directory Via Wget | T1105 | linux, process_creation |
| Linux Webshell Indicators | T1505.003 | linux, process_creation |
| Connection Proxy | T1090 | linux, process_creation |
| Install Root Certificate | T1553.004 | linux, process_creation |
| BPFtrace Unsafe Option Usage | T1059.004 | linux, process_creation |
| System Information Discovery | T1082 | linux, process_creation |
| Ufw Force Stop Using Ufw-Init | T1562.004 | linux, process_creation |
| Remove Immutable File Attribute | T1222.002 | linux, process_creation |
| Potential Linux Process Code Injection Via DD Utility | T1055.009 | linux, process_creation |
| Suspicious Git Clone - Linux | T1593.003 | linux, process_creation |
| File Deletion | T1070.004 | linux, process_creation |
| Potential Suspicious Change To Sensitive/Critical Files | T1565.001 | linux, process_creation |
| ESXi System Information Discovery Via ESXCLI | T1033, T1007 | linux, process_creation |
| Triple Cross eBPF Rootkit Execve Hijack | | linux, process_creation |
| Local System Accounts Discovery - Linux | T1087.001 | linux, process_creation |
| ESXi Storage Information Discovery Via ESXCLI | T1007, T1033 | linux, process_creation |
| Shell Execution Of Process Located In Tmp Directory | | linux, process_creation |
| Apt GTFOBin Abuse - Linux | T1083 | linux, process_creation |
| Linux Base64 Encoded Pipe to Shell | T1140 | linux, process_creation |
| Linux Crypto Mining Pool Connections | T1496 | linux, network_connection |
| Communication To Ngrok Tunneling Service - Linux | T1572, T1090, T1102, T1567, T1568.002 | linux, network_connection |
| Linux Reverse Shell Indicator | T1059.004 | linux, network_connection |
| Steganography Hide Zip Information in Picture File | T1027.003 | linux |
| System Information Discovery - Auditd | T1082 | linux |
| Suspicious Commands Linux | T1059.004 | linux |
| Suspicious C2 Activities | | linux |
| Screen Capture with Import Tool | T1113 | linux |
| Bpfdoor TCP Ports Redirect | T1562.004 | linux |
| Hidden Files and Directories | T1564.001 | linux |
| OMIGOD SCX RunAsProvider ExecuteShellCommand - Auditd | T1190, T1203, T1068 | linux |
| BPFDoor Abnormal Process ID or Lock File Accessed | T1106, T1059 | linux |
| System Owner or User Discovery | T1033 | linux |
| Possible Coin Miner CPU Priority Param | T1068 | linux |
| Loading of Kernel Module via Insmod | T1547.006 | linux |
| Steganography Extract Files with Steghide | T1027.003 | linux |
| System and Hardware Information Discovery | T1082 | linux |
| Program Executions in Suspicious Folders | T1587, T1584 | linux |
| Password Policy Discovery | T1201 | linux |
| Logging Configuration Changes on Linux Host | T1562.006 | linux |
| Data Compressed | T1560.001 | linux |
| Modification of ld.so.preload | T1574.006 | linux |
| File or Folder Permissions Change | T1222.002 | linux |
| Audio Capture | T1123 | linux |
| Masquerading as Linux Crond Process | T1036.003 | linux |
| Linux Capabilities Discovery | T1123, T1548 | linux |
| Credentials In Files - Linux | T1552.001 | linux |
| Modify System Firewall | T1562.004 | linux |
| Suspicious History File Operations - Linux | T1552.003 | linux |
| Systemd Service Creation | T1543.002 | linux |
| File Time Attribute Change - Linux | T1070.006 | linux |
| Remove Immutable File Attribute - Auditd | T1222.002 | linux |
| System Shutdown/Reboot - Linux | T1529 | linux |
| Webshell Remote Command Execution | T1505.003 | linux |
| Unix Shell Configuration Modification | T1546.004 | linux |
| Data Exfiltration with Wget | T1048.003 | linux |
| Auditing Configuration Changes on Linux Host | T1562.006 | linux |
| Split A File Into Pieces - Linux | T1030 | linux |
| Clipboard Collection of Image Data with Xclip Tool | T1115 | linux |
| Steganography Hide Files with Steghide | T1027.003 | linux |
| Binary Padding - Linux | T1027.001 | linux |
| Clipboard Collection with Xclip Tool - Auditd | T1115 | linux |
| Use Of Hidden Paths Or Files | T1574.001 | linux |
| Creation Of An User Account | T1136.001 | linux |
| Linux Network Service Scanning - Auditd | T1046 | linux |
| Linux Keylogging with Pam.d | T1056.001, T1003 | linux |
| Network Sniffing - Linux | T1040 | linux |
| Overwriting the File with Dev Zero or Null | T1485 | linux |
| Systemd Service Reload or Start | T1543.002 | linux |
| Disable System Firewall | T1562.004 | linux |
| Screen Capture with Xwd | T1113 | linux |
| Steganography Unzip Hidden Information From Picture File | T1027.003 | linux |
| Wget Creating Files in Tmp Directory | T1105 | linux, file_event |
| Persistence Via Sudoers Files | T1053.003 | linux, file_event |
| Triple Cross eBPF Rootkit Default LockFile | | linux, file_event |
| Triple Cross eBPF Rootkit Default Persistence | T1053.003 | linux, file_event |
| Potentially Suspicious Shell Script Creation in Profile Folder | | linux, file_event |
| Linux Doas Conf File Creation | T1548 | linux, file_event |
| Persistence Via Cron Files | T1053.003 | linux, file_event |
| Default Credentials Usage | | qualys |
| Host Without Firewall | | qualys |
| Cleartext Protocol Usage Via Netflow | | netflow |
| Apache Segmentation Fault | T1499.004 | apache |
| Apache Threading Error | T1190, T1210 | apache |
| Nginx Core Dump | T1499.004 | nginx |
| Suspicious User Agent | T1071.001 | proxy |
| Potential Base64 Encoded User-Agent | T1071.001 | proxy |
| Download From Suspicious TLD - Blacklist | T1566, T1204.002, T1203 | proxy |
| Download From Suspicious TLD - Whitelist | T1566, T1204.002, T1203 | proxy |
| Raw Paste Service Access | T1102.003, T1102.001, T1071.001 | proxy |
| Crypto Miner User Agent | T1071.001 | proxy |
| Windows PowerShell User Agent | T1071.001 | proxy |
| Bitsadmin to Uncommon IP Server Address | T1071.001, T1197 | proxy |
| F5 BIG-IP iControl Rest API Command Execution - Proxy | T1190 | proxy |
| Search-ms and WebDAV Suspicious Indicators in URL | T1584, T1566 | proxy |
| HackTool - BabyShark Agent Default URL Pattern | T1071.001 | proxy |
| Hack Tool User Agent | T1110, T1190 | proxy |
| HackTool - Empire UserAgent URI Combo | T1071.001 | proxy |
| Bitsadmin to Uncommon TLD | T1071.001, T1197 | proxy |
| PUA - Advanced IP/Port Scanner Update Check | T1590 | proxy |
| HackTool - CobaltStrike Malleable Profile Patterns - Proxy | T1071.001 | proxy |
| Flash Player Update from Suspicious Location | T1204.002, T1189, T1036.005 | proxy |
| APT User Agent | T1071.001 | proxy |
| HTTP Request With Empty User Agent | T1071.001 | proxy |
| Suspicious Base64 Encoded User-Agent | T1071.001 | proxy |
| PwnDrp Access | T1102.003, T1071.001, T1102.001 | proxy |
| Exploit Framework User Agent | T1071.001 | proxy |
| Telegram API Access | T1102.002, T1071.001 | proxy |
| Windows WebDAV User Agent | T1071.001 | proxy |
| Suspicious Network Communication With IPFS | T1056 | proxy |
| Malware User Agent | T1071.001 | proxy |
| Rclone Activity via Proxy | T1567.002 | proxy |
| Download from Suspicious Dyndns Hosts | T1568, T1105 | proxy |
| SQL Injection Strings In URI | T1190 | webserver |
| JNDIExploit Pattern | T1190 | webserver |
| Webshell ReGeorg Detection Via Web Logs | T1505.003 | webserver |
| Path Traversal Exploitation Attempts | T1190 | webserver |
| Windows Webshell Strings | T1505.003 | webserver |
| F5 BIG-IP iControl Rest API Command Execution - Webserver | T1190 | webserver |
| Server Side Template Injection Strings | T1221 | webserver |
| Suspicious User-Agents Related To Recon Tools | T1190 | webserver |
| Successful IIS Shortname Fuzzing Scan | T1190 | webserver |
| Cross Site Scripting Strings | T1189 | webserver |
| Suspicious Windows Strings In URI | T1505.003 | webserver |
| Java Payload Strings | T1190 | webserver |
| Source Code Enumeration Detection by Keyword | T1083 | webserver |
| Potential Persistence Via PlistBuddy | T1543.001, T1543.004 | macos, process_creation |
| Credentials In Files | T1552.001 | macos, process_creation |
| JXA In-memory Execution Via OSAScript | T1059.002, T1059.007 | macos, process_creation |
| Local Groups Discovery - MacOs | T1069.001 | macos, process_creation |
| User Added To Admin Group Via Dscl | T1078.003 | macos, process_creation |
| Hidden User Creation | T1564.002 | macos, process_creation |
| Suspicious MacOS Firmware Activity | | macos, process_creation |
| JAMF MDM Potential Suspicious Child Process | | macos, process_creation |
| MacOS Scripting Interpreter AppleScript | T1059.002 | macos, process_creation |
| System Information Discovery Using Ioreg | T1082 | macos, process_creation |
| Clipboard Data Collection Via OSAScript | T1115, T1059.002 | macos, process_creation |
| Space After Filename - macOS | T1036.006 | macos, process_creation |
| Remote Access Tool - Team Viewer Session Started On MacOS Host | T1133 | macos, process_creation |
| System Information Discovery Using sw_vers | T1082 | macos, process_creation |
| Suspicious History File Operations | T1552.003 | macos, process_creation |
| Indicator Removal on Host - Clear Mac System Logs | T1070.002 | macos, process_creation |
| Suspicious Microsoft Office Child Process - MacOS | T1059.002, T1137.002, T1204.002 | macos, process_creation |
| System Network Connections Discovery - MacOs | T1049 | macos, process_creation |
| Creation Of A Local User Account | T1136.001 | macos, process_creation |
| MacOS Network Service Scanning | T1046 | macos, process_creation |
| Suspicious Execution via macOS Script Editor | T1059, T1566.002, T1059.002, T1204.001, T1566, T1204, T1553 | macos, process_creation |
| Network Sniffing - MacOs | T1040 | macos, process_creation |
| System Shutdown/Reboot - MacOs | T1529 | macos, process_creation |
| Macos Remote System Discovery | T1018 | macos, process_creation |
| Binary Padding - MacOS | T1027.001 | macos, process_creation |
| System Network Discovery - macOS | T1016 | macos, process_creation |
| System Integrity Protection (SIP) Enumeration | T1518.001 | macos, process_creation |
| Security Software Discovery - MacOs | T1518.001 | macos, process_creation |
| Credentials from Password Stores - Keychain | T1555.001 | macos, process_creation |
| Suspicious Browser Child Process - MacOS | T1059, T1189, T1203 | macos, process_creation |
| Local System Accounts Discovery - MacOs | T1087.001 | macos, process_creation |
| Suspicious Installer Package Child Process | T1059, T1071, T1071.001, T1059.007 | macos, process_creation |
| GUI Input Capture - macOS | T1056.002 | macos, process_creation |
| Screen Capture - macOS | T1113 | macos, process_creation |
| Potential Base64 Decoded From Images | T1140 | macos, process_creation |
| User Added To Admin Group Via DseditGroup | T1078.003 | macos, process_creation |
| Decode Base64 Encoded Text -MacOs | T1027 | macos, process_creation |
| Payload Decoded and Decrypted via Built-in Utilities | T1059, T1204, T1140 | macos, process_creation |
| JAMF MDM Execution | | macos, process_creation |
| Potential In-Memory Download And Compile Of Payloads | T1059.007, T1105 | macos, process_creation |
| Disable Security Tools | T1562.001 | macos, process_creation |
| Root Account Enable Via Dsenableroot | T1078.001, T1078, T1078.003 | macos, process_creation |
| Guest Account Enabled Via Sysadminctl | T1078, T1078.001 | macos, process_creation |
| Gatekeeper Bypass via Xattr | T1553.001 | macos, process_creation |
| User Added To Admin Group Via Sysadminctl | T1078.003 | macos, process_creation |
| OSACompile Run-Only Execution | T1059.002 | macos, process_creation |
| System Information Discovery Using System_Profiler | T1497.001, T1082 | macos, process_creation |
| Potential XCSSET Malware Infection | | macos, process_creation |
| File and Directory Discovery - MacOS | T1083 | macos, process_creation |
| Split A File Into Pieces | T1030 | macos, process_creation |
| Osacompile Execution By Potentially Suspicious Applet/Osascript | T1059.002 | macos, process_creation |
| File Time Attribute Change | T1070.006 | macos, process_creation |
| Potential Discovery Activity Using Find - MacOS | T1083 | macos, process_creation |
| System Integrity Protection (SIP) Disabled | T1518.001 | macos, process_creation |
| Scheduled Cron Task/Job - MacOs | T1053.003 | macos, process_creation |
| Potential WizardUpdate Malware Infection | | macos, process_creation |
| Startup Items | T1037.005 | macos, file_event |
| MacOS Emond Launch Daemon | T1546.014 | macos, file_event |
| Suspicious SQL Query | T1190, T1505.001 | database |
| Antivirus Hacktool Detection | T1204 | antivirus |
| Antivirus Exploitation Framework Detection | T1203, T1219 | antivirus |
| Antivirus Ransomware Detection | T1486 | antivirus |
| Antivirus Web Shell Detection | T1505.003 | antivirus |
| Antivirus Password Dumper Detection | T1003, T1003.002, T1558, T1003.001 | antivirus |
| Antivirus Relevant File Paths Alerts | T1588 | antivirus |
| Sysmon Blocked Executable | | windows |
| Sysmon File Executable Creation Detected | | windows |
| Sysmon Configuration Modification | T1564 | windows, sysmon_status |
| Sysmon Configuration Change | | windows |
| Sysmon Blocked File Shredding | | windows |
| Sysmon Configuration Error | T1564 | windows, sysmon_error |
| Potential Defense Evasion Via Raw Disk Access By Uncommon Tools | T1006 | windows, raw_access_thread |
| Vulnerable Driver Load By Name | T1068, T1543.003 | windows, driver_load |
| WinDivert Driver Load | T1557.001, T1599.001 | windows, driver_load |
| Vulnerable HackSys Extreme Vulnerable Driver Load | T1543.003 | windows, driver_load |
| PUA - System Informer Driver Load | T1543 | windows, driver_load |
| Vulnerable WinRing0 Driver Load | T1543.003 | windows, driver_load |
| PUA - Process Hacker Driver Load | T1543 | windows, driver_load |
| Malicious Driver Load By Name | T1068, T1543.003 | windows, driver_load |
| Malicious Driver Load | T1543.003, T1068 | windows, driver_load |
| Driver Load From A Temporary Directory | T1543.003 | windows, driver_load |
| Vulnerable Driver Load | T1068, T1543.003 | windows, driver_load |
| DNS HybridConnectionManager Service Bus | T1554 | windows, dns_query |
| DNS Query To Ufile.io | T1567.002 | windows, dns_query |
| Suspicious DNS Query for IP Lookup Service APIs | T1590 | windows, dns_query |
| DNS Server Discovery Via LDAP Query | T1482 | windows, dns_query |
| AppX Package Installation Attempts Via AppInstaller.EXE | T1105 | windows, dns_query |
| Suspicious Cobalt Strike DNS Beaconing - Sysmon | T1071.004 | windows, dns_query |
| DNS Query To Devtunnels Domain | T1071.001 | windows, dns_query |
| DNS Query To Remote Access Software Domain From Non-Browser App | T1219 | windows, dns_query |
| DNS Query Request To OneLaunch Update Service | T1056 | windows, dns_query |
| Cloudflared Tunnels Related DNS Requests | T1071.001 | windows, dns_query |
| DNS Query Request By Regsvr32.EXE | T1559.001, T1218.010 | windows, dns_query |
| DNS Query Tor .Onion Address - Sysmon | T1090.003 | windows, dns_query |
| DNS Query for Anonfiles.com Domain - Sysmon | T1567.002 | windows, dns_query |
| DNS Query To MEGA Hosting Website | T1567.002 | windows, dns_query |
| DNS Query To Visual Studio Code Tunnels Domain | T1071.001 | windows, dns_query |
| TeamViewer Domain Query By Non-TeamViewer Application | T1219 | windows, dns_query |
| Potentially Suspicious File Download From ZIP TLD | | windows, create_stream_hash |
| Exports Registry Key To an Alternate Data Stream | T1564.004 | windows, create_stream_hash |
| HackTool Named File Stream Created | T1564.004 | windows, create_stream_hash |
| Unusual File Download From File Sharing Websites | T1564.004 | windows, create_stream_hash |
| Unusual File Download from Direct IP Address | T1564.004 | windows, create_stream_hash |
| Creation Of a Suspicious ADS File Outside a Browser Download | | windows, create_stream_hash |
Suspicious File Download From File Sharing Websites T1564.004 windows, create_stream_hash
Hidden Executable In NTFS Alternate Data Stream T1564.004 windows, create_stream_hash
Potential Suspicious Winget Package Installation windows, create_stream_hash
UAC Bypass Using Iscsicpl - ImageLoad T1548.002 windows, image_load
Active Directory Kerberos DLL Loaded Via Office Application T1204.002 windows, image_load
Unsigned Mfdetours.DLL Sideloading T1574.001, T1574.002 windows, image_load
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded T1003.001 windows, image_load
Microsoft Office DLL Sideload T1574.001, T1574.002 windows, image_load
Unsigned Image Loaded Into LSASS Process T1003.001 windows, image_load
Potential DLL Sideloading Via VMware Xfer T1574.002 windows, image_load
Potential CCleanerDU.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load T1021.002, T1021.003 windows, image_load
Suspicious WSMAN Provider Image Loads T1059.001, T1021.003 windows, image_load
CredUI.DLL Loaded By Uncommon Process T1056.002 windows, image_load
HackTool - SILENTTRINITY Stager DLL Load T1071 windows, image_load
Load Of RstrtMgr.DLL By An Uncommon Process T1486, T1562.001 windows, image_load
VMMap Signed Dbghelp.DLL Potential Sideloading T1574.002, T1574.001 windows, image_load
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load T1546.003 windows, image_load
HackTool - SharpEvtMute DLL Load T1562.002 windows, image_load
Potential RoboForm.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential 7za.DLL Sideloading T1574.002, T1574.001 windows, image_load
Suspicious Volume Shadow Copy Vssapi.dll Load T1490 windows, image_load
Potential Antivirus Software DLL Sideloading T1574.002, T1574.001 windows, image_load
Suspicious Volume Shadow Copy Vsstrace.dll Load T1490 windows, image_load
Potential appverifUI.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential Waveedit.DLL Sideloading T1574.002, T1574.001 windows, image_load
Potential Mfdetours.DLL Sideloading T1574.001, T1574.002 windows, image_load
DLL Loaded From Suspicious Location Via Cmspt.EXE T1218.003 windows, image_load
GAC DLL Loaded Via Office Applications T1204.002 windows, image_load
Potential ShellDispatch.DLL Sideloading T1574.002, T1574.001 windows, image_load
Potential EACore.DLL Sideloading T1574.001, T1574.002 windows, image_load
Windows Spooler Service Suspicious Binary Load T1574 windows, image_load
Third Party Software DLL Sideloading T1574.002, T1574.001 windows, image_load
Potential DLL Sideloading Of DBGCORE.DLL T1574.001, T1574.002 windows, image_load
VMMap Unsigned Dbghelp.DLL Potential Sideloading T1574.002, T1574.001 windows, image_load
PowerShell Core DLL Loaded Via Office Application windows, image_load
CLR DLL Loaded Via Office Applications T1204.002 windows, image_load
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE T1574.001, T1574.002 windows, image_load
Potential DLL Sideloading Via comctl32.dll T1574.002, T1574.001 windows, image_load
Fax Service DLL Search Order Hijack T1574.002, T1574.001 windows, image_load
Unsigned Module Loaded by ClickOnce Application T1574.002 windows, image_load
Aruba Network Service Potential DLL Sideloading T1574.002, T1574.001 windows, image_load
Potential System DLL Sideloading From Non System Locations T1574.002, T1574.001 windows, image_load
Time Travel Debugging Utility Usage - Image T1003.001, T1218 windows, image_load
Microsoft Excel Add-In Loaded From Uncommon Location T1204.002 windows, image_load
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE T1202 windows, image_load
Potential DLL Sideloading Of Non-Existent DLLs From System Folders T1574.002, T1574.001 windows, image_load
WMI Persistence - Command Line Event Consumer T1546.003 windows, image_load
Potential Chrome Frame Helper DLL Sideloading T1574.002, T1574.001 windows, image_load
Abusable DLL Potential Sideloading From Suspicious Location T1059 windows, image_load
VMGuestLib DLL Sideload T1574.001, T1574.002 windows, image_load
PowerShell Core DLL Loaded By Non PowerShell Process T1059.001 windows, image_load
Python Image Load By Non-Python Process T1027.002 windows, image_load
UAC Bypass With Fake DLL T1548.002, T1574.002 windows, image_load
Potential Rcdll.DLL Sideloading T1574.002, T1574.001 windows, image_load
Potential RjvPlatform.DLL Sideloading From Non-Default Location T1574.001, T1574.002 windows, image_load
Amsi.DLL Loaded Via LOLBIN Process windows, image_load
Potential WWlib.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential DLL Sideloading Via ClassicExplorer32.dll T1574.001, T1574.002 windows, image_load
WMIC Loading Scripting Libraries T1220 windows, image_load
Potential Goopdate.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential Edputil.DLL Sideloading T1574.001, T1574.002 windows, image_load
Remote DLL Load Via Rundll32.EXE T1204.002 windows, image_load
Potential Vivaldi_elf.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential Azure Browser SSO Abuse T1574.002 windows, image_load
DLL Sideloading Of ShellChromeAPI.DLL T1574.001, T1574.002 windows, image_load
Potential AVKkid.DLL Sideloading T1574.002, T1574.001 windows, image_load
Active Directory Parsing DLL Loaded Via Office Application T1204.002 windows, image_load
VBA DLL Loaded Via Office Application T1204.002 windows, image_load
Microsoft VBA For Outlook Addin Loaded Via Outlook T1204.002 windows, image_load
Potential Mpclient.DLL Sideloading T1574.002 windows, image_load
Potential Libvlc.DLL Sideloading T1574.001, T1574.002 windows, image_load
Wmiprvse Wbemcomn DLL Hijack T1021.002, T1047 windows, image_load
Suspicious Unsigned Thor Scanner Execution T1574.002 windows, image_load
Potential DLL Sideloading Of DBGHELP.DLL T1574.002, T1574.001 windows, image_load
Load Of RstrtMgr.DLL By A Suspicious Process T1486, T1562.001 windows, image_load
Suspicious Renamed Comsvcs DLL Loaded By Rundll32 T1003.001 windows, image_load
Potential SmadHook.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential RjvPlatform.DLL Sideloading From Default Location T1574.001, T1574.002 windows, image_load
Unsigned DLL Loaded by Windows Utility T1218.011, T1218.010 windows, image_load
Potential CCleanerReactivator.DLL Sideloading T1574.002, T1574.001 windows, image_load
DotNet CLR DLL Loaded By Scripting Applications T1055 windows, image_load
Potential DLL Sideloading Via JsSchHlp T1574.001, T1574.002 windows, image_load
Potential SolidPDFCreator.DLL Sideloading T1574.002, T1574.001 windows, image_load
PCRE.NET Package Image Load T1059 windows, image_load
Potential Wazuh Security Platform DLL Sideloading T1574.002, T1574.001 windows, image_load
DotNET Assembly DLL Loaded Via Office Application T1204.002 windows, image_load
Suspicious Volume Shadow Copy VSS_PS.dll Load T1490 windows, image_load
System Control Panel Item Loaded From Uncommon Location T1036 windows, image_load
Potential Iviewers.DLL Sideloading T1574.001, T1574.002 windows, image_load
Potential DLL Sideloading Using Coregen.exe T1218, T1055 windows, image_load
DLL Load By System Process From Suspicious Locations T1070 windows, image_load
Remote Thread Created In KeePass.EXE T1555.005 windows, create_remote_thread
Remote Thread Creation By Uncommon Source Image T1055 windows, create_remote_thread
Password Dumper Remote Thread in LSASS T1003.001 windows, create_remote_thread
Remote Thread Creation Ttdinject.exe Proxy T1127 windows, create_remote_thread
HackTool - CACTUSTORCH Remote Thread Creation T1059.005, T1055.012, T1059.007, T1218.005 windows, create_remote_thread
Remote Thread Creation In Uncommon Target Image T1055.003 windows, create_remote_thread
Remote Thread Creation Via PowerShell In Uncommon Target T1059.001, T1218.011 windows, create_remote_thread
Rare Remote Thread Creation By Uncommon Source Image T1055 windows, create_remote_thread
HackTool - Potential CobaltStrike Process Injection T1055.001 windows, create_remote_thread
Remote Thread Creation In Mstsc.Exe From Suspicious Location windows, create_remote_thread
Potential Credential Dumping Attempt Via PowerShell Remote Thread T1003.001 windows, create_remote_thread
Mimikatz Use T1003.006, T1003.004, T1003.002, T1003.001 windows
Certificate Exported From Local Certificate Store T1649 windows
Uncommon New Firewall Rule Added In Windows Firewall Exception List T1562.004 windows
The Windows Defender Firewall Service Failed To Load Group Policy T1562.004 windows
Windows Defender Firewall Has Been Reset To Its Default Configuration T1562.004 windows
New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application T1562.004 windows
All Rules Have Been Deleted From The Windows Firewall Configuration T1562.004 windows
A Rule Has Been Deleted From The Windows Firewall Exception List T1562.004 windows
Windows Firewall Settings Have Been Changed T1562.004 windows
Suspicious Rejected SMB Guest Logon From IP T1110.001 windows
Failed DNS Zone Transfer T1590.002 windows
DNS Server Error Failed Loading the ServerLevelPluginDLL T1574.002 windows
Certificate Private Key Acquired T1649 windows
Unsigned Binary Loaded From Suspicious Location T1574.002 windows
Microsoft Defender Blocked from Loading Unsigned DLL T1574.002 windows
Loading Diagcab Package From Remote Path windows
WMI Persistence T1546.003 windows
Sysmon Application Crashed T1562 windows
Vulnerable Netlogon Secure Channel Connection Allowed T1548 windows
Zerologon Exploitation Using Well-known Tools T1210 windows
Volume Shadow Copy Mount T1003.002 windows
NTLMv1 Logon Between Client and Server T1550.002 windows
DHCP Server Loaded the CallOut DLL T1574.002 windows
DHCP Server Error Failed Loading the CallOut DLL T1574.002 windows
Windows Update Error T1584 windows
Critical Hive In Suspicious Location Access Bits Cleared T1003.002 windows
Certificate Use With No Strong Mapping windows
KDC RC4-HMAC Downgrade CVE-2022-37966 windows
No Suitable Encryption Key Found For Generating Kerberos Ticket T1558.003 windows
Potential RDP Exploit CVE-2019-0708 T1210 windows
Suspicious Usage of CVE_2021_34484 or CVE 2022_21919 windows
Local Privilege Escalation Indicator TabTip T1557.001 windows
Potential CVE-2021-42287 Exploitation Attempt T1558.003 windows
ProcessHacker Privilege Elevation T1543.003, T1569.002 windows
Important Windows Service Terminated With Error windows
Remote Utilities Host Service Install windows
RemCom Service Installation T1569.002 windows
New PDQDeploy Service - Client Side T1543.003 windows
PsExec Service Installation T1569.002 windows
PowerShell Scripts Installed as Services T1569.002 windows
Invoke-Obfuscation RUNDLL LAUNCHER - System T1027, T1059.001 windows
Sliver C2 Default Service Installation T1543.003, T1569.002 windows
HackTool Service Registration or Execution T1569.002 windows
Windows Service Terminated With Error windows
Service Installation with Suspicious Folder Pattern T1543.003 windows
Service Installed By Unusual Client - System T1543 windows
Tap Driver Installation T1048 windows
Uncommon Service Installation Image Path T1543.003 windows
Invoke-Obfuscation Via Use MSHTA - System T1027, T1059.001 windows
TacticalRMM Service Installation T1219 windows
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System T1027, T1059.001 windows
Invoke-Obfuscation CLIP+ Launcher - System T1027, T1059.001 windows
RTCore Suspicious Service Installation windows
smbexec.py Service Installation T1569.002, T1021.002 windows
Service Installation in Suspicious Folder T1543.003 windows
CSExec Service Installation T1569.002 windows
Anydesk Remote Access Software Service Installation windows
KrbRelayUp Service Installation T1543 windows
Important Windows Service Terminated Unexpectedly windows
Invoke-Obfuscation Obfuscated IEX Invocation - System T1027 windows
Suspicious Service Installation T1543.003 windows
Remote Access Tool Services Have Been Installed - System T1569.002, T1543.003 windows
Invoke-Obfuscation Via Use Clip - System T1059.001, T1027 windows
CobaltStrike Service Installations - System T1569.002, T1543.003, T1021.002 windows
Invoke-Obfuscation COMPRESS OBFUSCATION - System T1027, T1059.001 windows
New PDQDeploy Service - Server Side T1543.003 windows
Invoke-Obfuscation VAR+ Launcher - System T1059.001, T1027 windows
Invoke-Obfuscation Via Stdin - System T1059.001, T1027 windows
PAExec Service Installation T1569.002 windows
Invoke-Obfuscation STDIN+ Launcher - System T1059.001, T1027 windows
Invoke-Obfuscation Via Use Rundll32 - System T1059.001, T1027 windows
NetSupport Manager Service Install windows
Meterpreter or Cobalt Strike Getsystem Service Installation - System T1134.002, T1134.001 windows
Mesh Agent Service Installation T1219 windows
Moriya Rootkit - System T1543.003 windows
Suspicious Service Installation Script T1543.003 windows
Windows Defender Threat Detection Disabled - Service T1562.001 windows
Credential Dumping Tools Service Execution - System T1003.002, T1003.006, T1003.001, T1569.002, T1003.005, T1003.004 windows
NTFS Vulnerability Exploitation T1499.001 windows
Active Directory Certificate Services Denied Certificate Enrollment Request T1553.004 windows
Eventlog Cleared T1070.001 windows
Important Windows Eventlog Cleared T1070.001 windows
Suspicious Digital Signature Of AppX Package windows
Uncommon AppX Package Locations windows
Suspicious Remote AppX Package Locations windows
Deployment AppX Package Was Blocked By AppLocker windows
Suspicious AppX Package Locations windows
Suspicious AppX Package Installation Attempt windows
Deployment Of The AppX Package Was Blocked By The Policy windows
Potential Malicious AppX Package Installation Attempts windows
HybridConnectionManager Service Running T1554 windows
Suspicious Application Installed windows
Potential Active Directory Reconnaissance/Enumeration Via LDAP T1069.002, T1482, T1087.002 windows
Potential Remote Desktop Connection to Non-Domain Host T1219 windows
NTLM Brute Force T1110 windows
NTLM Logon T1550.002 windows
Windows Defender Exclusion List Modified T1562.001 windows
Denied Access To Remote Desktop T1021.001 windows
Suspicious Teams Application Related ObjectAcess Event T1528 windows
T1047 Wmiprvse Wbemcomn DLL Hijack T1047, T1021.002 windows
Addition of SID History to Active Directory Object T1134.005 windows
Potentially Suspicious AccessMask Requested From LSASS T1003.001 windows
Invoke-Obfuscation VAR+ Launcher - Security T1059.001, T1027 windows
User Logoff Event T1531 windows
Powerview Add-DomainObjectAcl DCSync AD Extend Right T1098 windows
Suspicious PsExec Execution T1021.002 windows
Hacktool Ruler T1114, T1550.002, T1087, T1059 windows
AD Object WriteDAC Access T1222.001 windows
DPAPI Domain Backup Key Extraction T1003.004 windows
WCE wceaux.dll Access T1003 windows
SysKey Registry Keys Access T1012 windows
Kerberos Manipulation T1212 windows
Weak Encryption Enabled and Kerberoast T1562.001 windows
Azure AD Health Service Agents Registry Keys Access T1012 windows
DPAPI Domain Master Key Backup Attempt T1003.004 windows
Potential Privileged System Service Operation - SeLoadDriverPrivilege T1562.001 windows
Unauthorized System Time Modification T1070.006 windows
VSSAudit Security Event Source Registration T1003.002 windows
Windows Network Access Suspicious desktop.ini Action T1547.009 windows
Windows Defender Exclusion Reigstry Key - Write Access Requested T1562.001 windows
Local User Creation T1136.001 windows
Invoke-Obfuscation Via Use Rundll32 - Security T1027, T1059.001 windows
Reconnaissance Activity T1087.002, T1069.002 windows
Active Directory User Backdoors T1098 windows
Win Susp Computer Name Containing Samtheadmin T1078 windows
Failed Code Integrity Checks T1027.001 windows
External Disk Drive Or USB Storage Device Was Recognized By The System T1091, T1200 windows
CobaltStrike Service Installations - Security T1543.003, T1021.002, T1569.002 windows
Meterpreter or Cobalt Strike Getsystem Service Installation - Security T1134.001, T1134.002 windows
Password Change on Directory Service Restore Mode (DSRM) Account T1098 windows
Suspicious Scheduled Task Creation T1053.005 windows
User Added to Local Administrator Group T1098, T1078 windows
HackTool - EDRSilencer Execution - Filter Added T1562 windows
Service Installed By Unusual Client - Security T1543 windows
Possible Impacket SecretDump Remote Activity T1003.003, T1003.002, T1003.004 windows
Invoke-Obfuscation COMPRESS OBFUSCATION - Security T1059.001, T1027 windows
ADCS Certificate Template Configuration Vulnerability windows
Transferring Files with Credential Data via Network Shares T1003.002, T1003.003, T1003.001 windows
Malicious Service Installations T1543.003, T1003, T1569.002 windows
WMI Persistence - Security T1546.003 windows
ISO Image Mounted T1566.001 windows
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security T1027, T1059.001 windows
Suspicious Kerberos RC4 Ticket Encryption T1558.003 windows
Remote Service Activity via SVCCTL Named Pipe T1021.002 windows
PowerShell Scripts Installed as Services - Security T1569.002 windows
Locked Workstation windows
Uncommon Outbound Kerberos Connection - Security T1558.003 windows
Potential AD User Enumeration From Non-Machine Account T1087.002 windows
Account Tampering - Suspicious Failed Logon Reasons T1078 windows
Secure Deletion with SDelete T1070.004, T1553.002, T1027.005, T1485 windows
Password Policy Enumerated T1201 windows
RDP over Reverse SSH Tunnel WFP T1021.001, T1090.002, T1090.001 windows
Service Registry Key Read Access Request T1574.011 windows
Important Windows Event Auditing Disabled T1562.002 windows
Suspicious Remote Logon with Explicit Credentials T1078 windows
HackTool - NoFilter Execution T1134.001, T1134 windows
Remote Task Creation via ATSVC Named Pipe T1053.002 windows
Possible Shadow Credentials Added T1556 windows
Sysmon Channel Reference Deletion T1112 windows
Password Dumper Activity on LSASS T1003.001 windows
LSASS Access From Non System Account T1003.001 windows
ADCS Certificate Template Configuration Vulnerability with Risky EKU windows
AD Privileged Users or Groups Reconnaissance T1087.002 windows
Hidden Local User Creation T1136.001 windows
Remote PowerShell Sessions Network Connections (WinRM) T1059.001 windows
Suspicious Scheduled Task Update T1053.005 windows
Azure AD Health Monitoring Agent Registry Keys Access T1012 windows
Replay Attack Detected T1558 windows
Persistence and Execution at Scale via GPO Scheduled Task T1053.005 windows
Processes Accessing the Microphone and Webcam T1123 windows
Password Protected ZIP File Opened T1027 windows
SAM Registry Hive Handle Request T1552.002, T1012 windows
Important Scheduled Task Deleted/Disabled T1053.005 windows
Security Eventlog Cleared T1070.001 windows
SCM Database Privileged Operation T1548 windows
Invoke-Obfuscation STDIN+ Launcher - Security T1027, T1059.001 windows
ETW Logging Disabled In .NET Processes - Registry T1562, T1112 windows
Password Protected ZIP File Opened (Suspicious Filenames) T1105, T1027, T1036 windows
Invoke-Obfuscation Via Stdin - Security T1027, T1059.001 windows
Add or Remove Computer from DC T1207 windows
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' T1558.003 windows
Device Installation Blocked T1200 windows
A New Trust Was Created To A Domain T1098 windows
Access To ADMIN$ Network Share T1021.002 windows
Active Directory Replication from Non Machine Account T1003.006 windows
DCERPC SMB Spoolss Named Pipe T1021.002 windows
Invoke-Obfuscation Obfuscated IEX Invocation - Security T1027 windows
Protected Storage Service Access T1021.002 windows
Windows Defender Exclusion Deleted T1562.001 windows
Possible DC Shadow Attack T1207 windows
SMB Create Remote File Admin Share T1021.002 windows
Windows Pcap Drivers T1040 windows
Invoke-Obfuscation Via Use Clip - Security T1027, T1059.001 windows
Tap Driver Installation - Security T1048 windows
Suspicious Access to Sensitive File Extensions T1039 windows
New or Renamed User Account with '$' Character T1036 windows
Invoke-Obfuscation RUNDLL LAUNCHER - Security T1027, T1059.001 windows
Suspicious LDAP-Attributes Used T1001.003 windows
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security T1021.002, T1021.003 windows
Enabled User Right in AD to Control User Objects T1098 windows
NetNTLM Downgrade Attack T1112, T1562.001 windows
Windows Event Auditing Disabled T1562.002 windows
Password Protected ZIP File Opened (Email Attachment) T1027, T1566.001 windows
Mimikatz DC Sync T1003.006 windows
PetitPotam Suspicious Kerberos TGT Request T1187 windows
Suspicious Windows ANONYMOUS LOGON Local Account Created T1136.001, T1136.002 windows
Invoke-Obfuscation Via Use MSHTA - Security T1059.001, T1027 windows
Metasploit Or Impacket Service Installation Via SMB PsExec T1570, T1569.002, T1021.002 windows
Impacket PsExec Execution T1021.002 windows
Register new Logon Process by Rubeus T1558.003 windows
HybridConnectionManager Service Installation T1554 windows
Invoke-Obfuscation CLIP+ Launcher - Security T1027, T1059.001 windows
Credential Dumping Tools Service Execution - Security T1003.004, T1003.005, T1003.002, T1003.006, T1569.002, T1003.001 windows
First Time Seen Remote Named Pipe T1021.002 windows
SCM Database Handle Failure T1010 windows
Possible PetitPotam Coerce Authentication Attempt T1187 windows
Remote Access Tool Services Have Been Installed - Security T1543.003, T1569.002 windows
Metasploit SMB Authentication T1021.002 windows
Remote WMI ActiveScriptEventConsumers T1546.003 windows
A Member Was Removed From a Security-Enabled Global Group T1098 windows
RDP Login from Localhost T1021.001 windows
A Security-Enabled Global Group Was Deleted T1098 windows
Pass the Hash Activity 2 T1550.002 windows
External Remote RDP Logon from Public IP T1133, T1110, T1078 windows
Potential Access Token Abuse T1134.001 windows
RottenPotato Like Attack Pattern T1557.001 windows
External Remote SMB Logon from Public IP T1133, T1110, T1078 windows
Outgoing Logon with New Credentials T1550 windows
Failed Logon From Public IP T1133, T1078, T1190 windows
Admin User Remote Logon T1078.003, T1078.002, T1078.001 windows
Successful Overpass the Hash Attempt T1550.002 windows
A Member Was Added to a Security-Enabled Global Group T1098 windows
Successful Account Login Via WMI T1047 windows
Scanner PoC for CVE-2019-0708 RDP RCE Vuln T1210 windows
KrbRelayUp Attack Pattern windows
DiagTrackEoP Default Login Username windows
Windows Filtering Platform Blocked Connection From EDR Agent Binary T1562 windows
Important Scheduled Task Deleted T1489 windows
Scheduled Task Executed Uncommon LOLBIN T1053.005 windows
Scheduled Task Executed From A Suspicious Location T1053.005 windows
Standard User In High Privileged Group windows
New BITS Job Created Via PowerShell T1197 windows
BITS Transfer Job With Uncommon Or Suspicious Remote TLD T1197 windows
BITS Transfer Job Download From Direct IP T1197 windows
New BITS Job Created Via Bitsadmin T1197 windows
BITS Transfer Job Download From File Sharing Domains T1197 windows
BITS Transfer Job Downloading File Potential Suspicious Extension T1197 windows
BITS Transfer Job Download To Potential Suspicious Folder T1197 windows
CodeIntegrity - Revoked Image Loaded windows
CodeIntegrity - Revoked Kernel Driver Loaded windows
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked windows
CodeIntegrity - Blocked Image/Driver Load For Policy Violation T1543 windows
CodeIntegrity - Unmet Signing Level Requirements By File Under Validation windows
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module windows
CodeIntegrity - Unsigned Kernel Module Loaded windows
CodeIntegrity - Unsigned Image Loaded windows
CodeIntegrity - Blocked Driver Load With Revoked Certificate T1543 windows
CodeIntegrity - Blocked Image Load With Revoked Certificate windows
OpenSSH Server Listening On Socket T1021.004 windows
DNS Query for Anonfiles.com Domain - DNS Client T1567.002 windows
Suspicious Cobalt Strike DNS Beaconing - DNS Client T1071.004 windows
Query Tor Onion Address - DNS Client T1090.003 windows
DNS Query To MEGA Hosting Website - DNS Client T1567.002 windows
DNS Query To Ufile.io - DNS Client T1567.002 windows
Sysinternals Tools AppX Versions Execution windows
Windows Defender Configuration Changes T1562.001 windows
Microsoft Defender Tamper Protection Trigger T1562.001 windows
Windows Defender Exploit Guard Tamper T1562.001 windows
Windows Defender Submit Sample Feature Disabled T1562.001 windows
PSExec and WMI Process Creations Block T1569.002, T1047 windows
Windows Defender Exclusions Added T1562.001 windows
Windows Defender Threat Detected T1059 windows
Windows Defender Grace Period Expired T1562.001 windows
Windows Defender Malware Detection History Deletion windows
LSASS Access Detected via Attack Surface Reduction T1003.001 windows
Windows Defender Virus Scanning Feature Disabled T1562.001 windows
Windows Defender Real-Time Protection Failure/Restart T1562.001 windows
Windows Defender AMSI Trigger Detected T1059 windows
Win Defender Restored Quarantine File T1562.001 windows
Windows Defender Real-time Protection Disabled T1562.001 windows
Windows Defender Malware And PUA Scanning Disabled T1562.001 windows
Ngrok Usage with Remote Desktop Service T1090 windows
Failed MSExchange Transport Agent Installation T1505.002 windows
Remove Exported Mailbox from Exchange Webserver T1070 windows
Exchange Set OabVirtualDirectory ExternalUrl Property T1505.003 windows
ProxyLogon MSExchange OabVirtualDirectory T1587.001 windows
MSExchange Transport Agent Installation - Builtin T1505.002 windows
Mailbox Export to Exchange Webserver T1505.003 windows
Certificate Request Export to Exchange Webserver T1505.003 windows
File Was Not Allowed To Run T1059.006, T1059.001, T1059.003, T1059.007, T1204.002, T1059.005 windows
USB Device Plugged T1200 windows
MSSQL Server Failed Logon T1110 windows
MSSQL Server Failed Logon From External Network T1110 windows
MSSQL Add Account To Sysadmin Role windows
MSSQL XPCmdshell Option Change windows
MSSQL XPCmdshell Suspicious Execution windows
MSSQL SPProcoption Set windows
MSSQL Disable Audit Settings windows
Microsoft Malware Protection Engine Crash - WER T1562.001, T1211 windows
Audit CVE Event T1203, T1068, T1211, T1499.004, T1212, T1210 windows
Remote Access Tool - ScreenConnect Command Execution T1059.003 windows
Remote Access Tool - ScreenConnect File Transfer T1059.003 windows
Ntdsutil Abuse T1003.003 windows
Dump Ntds.dit To Suspicious Location windows
Relevant Anti-Virus Signature Keywords In Application Log T1588 windows
Microsoft Malware Protection Engine Crash T1211, T1562.001 windows
Potential Credential Dumping Via WER - Application T1003.001 windows
Atera Agent Installation T1219 windows
MSI Installation From Suspicious Locations windows
Application Uninstalled T1489 windows
MSI Installation From Web T1218.007, T1218 windows
Backup Catalog Deleted T1070.004 windows
Restricted Software Access By SRP T1072 windows
Suspicious PowerShell WindowStyle Option T1564.003 windows, ps_script
Security Software Discovery Via Powershell Script T1518.001 windows, ps_script
Powershell Local Email Collection T1114.001 windows, ps_script
PowerShell Deleted Mounted Share T1070.005 windows, ps_script
Potential Keylogger Activity T1056.001 windows, ps_script
PowerShell Hotfix Enumeration windows, ps_script
Suspicious Get Information for SMB Share T1069.001 windows, ps_script
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell T1033 windows, ps_script
Powershell Sensitive File Discovery T1083 windows, ps_script
Clearing Windows Console History T1070, T1070.003 windows, ps_script
PowerShell Script Change Permission Via Set-Acl - PsScript T1222 windows, ps_script
Powershell Keylogging T1056.001 windows, ps_script
Powershell Create Scheduled Task T1053.005 windows, ps_script
Invoke-Obfuscation STDIN+ Launcher - Powershell T1027, T1059.001 windows, ps_script
Potential Data Exfiltration Via Audio File windows, ps_script
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS T1574.011 windows, ps_script
PowerShell Remote Session Creation T1059.001 windows, ps_script
Invoke-Obfuscation VAR+ Launcher - PowerShell T1027, T1059.001 windows, ps_script
Get-ADUser Enumeration Using UserAccountControl Flags T1033 windows, ps_script
Silence.EDA Detection T1529, T1059.001, T1071.004, T1572 windows, ps_script
Disable of ETW Trace - Powershell T1562.006, T1070 windows, ps_script
Suspicious PowerShell Download - Powershell Script T1059.001 windows, ps_script
Suspicious Unblock-File T1553.005 windows, ps_script
Powershell Install a DLL in System Directory T1556.002 windows, ps_script
Veeam Backup Servers Credential Dumping Script Execution windows, ps_script
Suspicious Start-Process PassThru T1036.003 windows, ps_script
Powershell XML Execute Command T1059.001 windows, ps_script
Windows Firewall Profile Disabled T1562.004 windows, ps_script
Enable Windows Remote Management T1021.006 windows, ps_script
PowerShell ICMP Exfiltration T1048.003 windows, ps_script
Malicious PowerShell Commandlets - ScriptBlock T1069.002, T1087.002, T1069.001, T1059.001, T1087, T1069, T1482, T1087.001 windows, ps_script
Automated Collection Bookmarks Using Get-ChildItem PowerShell T1217 windows, ps_script
Powershell WMI Persistence T1546.003 windows, ps_script
HackTool - WinPwn Execution - ScriptBlock T1082, T1555, T1518, T1106, T1046, T1548.002, T1552.001, T1555.003 windows, ps_script
Suspicious Get Local Groups Information - PowerShell T1069.001 windows, ps_script
Modify Group Policy Settings - ScriptBlockLogging T1484.001 windows, ps_script
Import PowerShell Modules From Suspicious Directories T1059.001 windows, ps_script
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell T1033 windows, ps_script
Automated Collection Command PowerShell T1119 windows, ps_script
Suspicious PowerShell Mailbox Export to Share - PS windows, ps_script
Delete Volume Shadow Copies via WMI with PowerShell - PS Script T1490 windows, ps_script
Tamper Windows Defender - ScriptBlockLogging T1562.001 windows, ps_script
Suspicious TCP Tunnel Via PowerShell Script T1090 windows, ps_script
Access to Browser Login Data T1555.003 windows, ps_script
WMIC Unquoted Services Path Lookup - PowerShell T1047 windows, ps_script
Powershell Exfiltration Over SMTP T1048.003 windows, ps_script
Powershell Store File In Alternate Data Stream T1564.004 windows, ps_script
PowerShell ADRecon Execution T1059.001 windows, ps_script
Code Executed Via Office Add-in XLL File T1137.006 windows, ps_script
Malicious PowerShell Keywords T1059.001 windows, ps_script
Powershell MsXml COM Object T1059.001 windows, ps_script
WMImplant Hack Tool T1047, T1059.001 windows, ps_script
AMSI Bypass Pattern Assembly GetType T1562.001 windows, ps_script
Potential PowerShell Obfuscation Using Alias Cmdlets T1027, T1059.001 windows, ps_script
PowerShell Create Local User T1059.001, T1136.001 windows, ps_script
NTFS Alternate Data Stream T1059.001, T1564.004 windows, ps_script
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell T1059.001, T1027 windows, ps_script
HackTool - Rubeus Execution - ScriptBlock T1003, T1550.003, T1558.003 windows, ps_script
Suspicious IO.FileStream T1070.003 windows, ps_script
PowerShell WMI Win32_Product Install MSI T1218.007 windows, ps_script
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging T1562.001 windows, ps_script
Suspicious Get-ADReplAccount T1003.006 windows, ps_script
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy T1201 windows, ps_script
Dump Credentials from Windows Credential Manager With PowerShell T1555 windows, ps_script
Potential AMSI Bypass Script Using NULL Bits T1562.001 windows, ps_script
Suspicious PowerShell Invocations - Specific T1059.001 windows, ps_script
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell T1027, T1059.001 windows, ps_script
PowerView PowerShell Cmdlets - ScriptBlock T1059.001 windows, ps_script
Active Directory Computers Enumeration With Get-AdComputer T1018, T1087.002 windows, ps_script
Powershell Execute Batch Script T1059.003 windows, ps_script
Add Windows Capability Via PowerShell Script windows, ps_script
Abuse of Service Permissions to Hide Services Via Set-Service - PS T1574.011 windows, ps_script
Request A Single Ticket via PowerShell T1558.003 windows, ps_script
Windows Screen Capture with CopyFromScreen T1113 windows, ps_script
Detected Windows Software Discovery - PowerShell T1518 windows, ps_script
Suspicious GetTypeFromCLSID ShellExecute T1546.015 windows, ps_script
Enumerate Credentials from Windows Credential Manager With PowerShell T1555 windows, ps_script
Malicious Nishang PowerShell Commandlets T1059.001 windows, ps_script
Certificate Exported Via PowerShell - ScriptBlock T1552.004 windows, ps_script
Powershell Timestomp T1070.006 windows, ps_script
Malicious ShellIntel PowerShell Commandlets T1059.001 windows, ps_script
Disable Powershell Command History T1070.003 windows, ps_script
Suspicious Eventlog Clear T1070.001 windows, ps_script
PowerShell PSAttack T1059.001 windows, ps_script
Powershell Suspicious Win32_PnPEntity T1120 windows, ps_script
Suspicious GPO Discovery With Get-GPO T1615 windows, ps_script
Suspicious SSL Connection T1573 windows, ps_script
PSAsyncShell - Asynchronous TCP Reverse Shell T1059.001 windows, ps_script
Execute Invoke-command on Remote Host T1021.006 windows, ps_script
Recon Information for Export with PowerShell T1119 windows, ps_script
Disable-WindowsOptionalFeature Command PowerShell T1562.001 windows, ps_script
Potential PowerShell Obfuscation Using Character Join T1027, T1059.001 windows, ps_script
Potential In-Memory Execution Using Reflection.Assembly T1620 windows, ps_script
Potential COM Objects Download Cradles Usage - PS Script T1105 windows, ps_script
Powershell DNSExfiltration T1048 windows, ps_script
Root Certificate Installed - PowerShell T1553.004 windows, ps_script
Winlogon Helper DLL T1547.004 windows, ps_script
Replace Desktop Wallpaper by Powershell T1491.001 windows, ps_script
Windows Defender Exclusions Added - PowerShell T1059, T1562 windows, ps_script
Create Volume Shadow Copy with Powershell T1003.003 windows, ps_script
PowerShell ShellCode T1059.001, T1055 windows, ps_script
Service Registry Permissions Weakness Check T1574.011 windows, ps_script
Suspicious New-PSDrive to Admin Share T1021.002 windows, ps_script
Potential Suspicious Windows Feature Enabled windows, ps_script
Suspicious Hyper-V Cmdlets T1564.006 windows, ps_script
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script T1074.001 windows, ps_script
Change User Agents with WebRequest T1071.001 windows, ps_script
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock T1069.001 windows, ps_script
Invoke-Obfuscation Via Use MSHTA - PowerShell T1027, T1059.001 windows, ps_script
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script T1490 windows, ps_script
PowerShell Set-Acl On Windows Folder - PsScript T1222 windows, ps_script
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript windows, ps_script
Remove Account From Domain Admin Group T1531 windows, ps_script
Invoke-Obfuscation CLIP+ Launcher - PowerShell T1027, T1059.001 windows, ps_script
Invoke-Obfuscation Via Stdin - Powershell T1027, T1059.001 windows, ps_script
Suspicious Process Discovery With Get-Process T1057 windows, ps_script
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript windows, ps_script
PowerShell Script With File Hostname Resolving Capabilities T1020 windows, ps_script
PowerShell Get-Process LSASS in ScriptBlock T1003.001 windows, ps_script
PowerShell Write-EventLog Usage windows, ps_script
Suspicious Connection to Remote Account T1110.001 windows, ps_script
Extracting Information with PowerShell T1552.001 windows, ps_script
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell T1059.001, T1027 windows, ps_script
Powershell Detect Virtualization Environment T1497.001 windows, ps_script
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock T1218 windows, ps_script
Suspicious Mount-DiskImage T1553.005 windows, ps_script
Usage Of Web Request Commands And Cmdlets - ScriptBlock T1059.001 windows, ps_script
Suspicious PowerShell Mailbox SMTP Forward Rule windows, ps_script
Suspicious Invoke-Item From Mount-DiskImage T1553.005 windows, ps_script
Powershell LocalAccount Manipulation T1098 windows, ps_script
Suspicious FromBase64String Usage On Gzip Archive - Ps Script T1132.001 windows, ps_script
Potential WinAPI Calls Via PowerShell Scripts T1059.001, T1106 windows, ps_script
AADInternals PowerShell Cmdlets Execution - PsScript windows, ps_script
Invoke-Obfuscation Via Use Rundll32 - PowerShell T1059.001, T1027 windows, ps_script
Registry-Free Process Scope COR_PROFILER T1574.012 windows, ps_script
Potential Active Directory Enumeration Using AD Module - PsScript windows, ps_script
Change PowerShell Policies to an Insecure Level - PowerShell T1059.001 windows, ps_script
Powershell Token Obfuscation - Powershell T1027.009 windows, ps_script
Suspicious PowerShell Get Current User T1033 windows, ps_script
PowerShell Credential Prompt T1059.001 windows, ps_script
Potential Invoke-Mimikatz PowerShell Script T1003 windows, ps_script
Potential Persistence Via PowerShell User Profile Using Add-Content T1546.013 windows, ps_script
Troubleshooting Pack Cmdlet Execution T1202 windows, ps_script
Potential Persistence Via Security Descriptors - ScriptBlock windows, ps_script
Potential Suspicious PowerShell Keywords T1059.001 windows, ps_script
Powershell Add Name Resolution Policy Table Rule T1565 windows, ps_script
Suspicious X509Enrollment - Ps Script T1553.004 windows, ps_script
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell T1027, T1059.001 windows, ps_script
Invoke-Obfuscation Via Use Clip - Powershell T1059.001, T1027 windows, ps_script
Manipulation of User Computer or Group Security Principals Across AD T1136.002 windows, ps_script
Live Memory Dump Using Powershell T1003 windows, ps_script
Active Directory Group Enumeration With Get-AdGroup T1069.002 windows, ps_script
PowerShell Script With File Upload Capabilities T1020 windows, ps_script
Suspicious PowerShell Invocations - Generic T1059.001 windows, ps_script
Testing Usage of Uncommonly Used Port T1571 windows, ps_script
DirectorySearcher Powershell Exploitation T1018 windows, ps_script
SyncAppvPublishingServer Execution to Bypass Powershell Restriction T1218 windows, ps_script
Powershell Directory Enumeration T1083 windows, ps_script
Clear PowerShell History - PowerShell T1070.003 windows, ps_script
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module T1059.001, T1027 windows, ps_module
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module T1074.001 windows, ps_module
Suspicious Get Local Groups Information T1069.001 windows, ps_module
Invoke-Obfuscation Via Use MSHTA - PowerShell Module T1027, T1059.001 windows, ps_module
PowerShell Decompress Commands T1140 windows, ps_module
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module T1027, T1059.001 windows, ps_module
Invoke-Obfuscation Via Use Clip - PowerShell Module T1059.001, T1027 windows, ps_module
Bad Opsec Powershell Code Artifacts T1059.001 windows, ps_module
Invoke-Obfuscation Via Stdin - PowerShell Module T1027, T1059.001 windows, ps_module
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module T1059.001, T1027 windows, ps_module
Invoke-Obfuscation VAR+ Launcher - PowerShell Module T1059.001, T1027 windows, ps_module
Use Get-NetTCPConnection - PowerShell Module T1049 windows, ps_module
Suspicious PowerShell Invocations - Generic - PowerShell Module T1059.001 windows, ps_module
Potential Active Directory Enumeration Using AD Module - PsModule windows, ps_module
PowerShell Get Clipboard T1115 windows, ps_module
AD Groups Or Users Enumeration Using PowerShell - PoshModule T1069.001 windows, ps_module
Malicious PowerShell Scripts - PoshModule T1059.001 windows, ps_module
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module T1218 windows, ps_module
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module T1059.001, T1027 windows, ps_module
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module T1059.001, T1027 windows, ps_module
Suspicious PowerShell Download - PoshModule T1059.001 windows, ps_module
Suspicious Computer Machine Password by PowerShell T1078 windows, ps_module
Alternate PowerShell Hosts - PowerShell Module T1059.001 windows, ps_module
Suspicious Get Information for SMB Share - PowerShell Module T1069.001 windows, ps_module
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module T1059.001, T1027 windows, ps_module
Suspicious PowerShell Invocations - Specific - PowerShell Module T1059.001 windows, ps_module
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module T1059.001, T1027 windows, ps_module
Remote PowerShell Session (PS Module) T1021.006, T1059.001 windows, ps_module
Clear PowerShell History - PowerShell Module T1070.003 windows, ps_module
Suspicious Get-ADDBAccount Usage T1003.003 windows, ps_module
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module T1218 windows, ps_module
Malicious PowerShell Commandlets - PoshModule T1482, T1087, T1069.001, T1087.001, T1087.002, T1069, T1059.001, T1069.002 windows, ps_module
Suspicious PowerShell Download T1059.001 windows, ps_classic_start
Tamper Windows Defender - PSClassic T1562.001 windows, ps_classic_provider_start
PowerShell Called from an Executable Version Mismatch T1059.001 windows, ps_classic_start
Suspicious XOR Encoded PowerShell Command Line - PowerShell T1059.001 windows, ps_classic_start
Remote PowerShell Session (PS Classic) T1021.006, T1059.001 windows, ps_classic_start
Suspicious Non PowerShell WSMAN COM Provider T1021.003, T1059.001 windows
Nslookup PowerShell Download Cradle T1059.001 windows, ps_classic_start
Zip A Folder With PowerShell For Staging In Temp - PowerShell T1074.001 windows
Potential RemoteFXvGPUDisablement.EXE Abuse T1218 windows
PowerShell Downgrade Attack - PowerShell T1059.001 windows, ps_classic_start
Renamed Powershell Under Powershell Channel T1059.001 windows, ps_classic_start
Netcat The Powershell Version T1095 windows, ps_classic_start
Delete Volume Shadow Copies Via WMI With PowerShell T1490 windows, ps_classic_start
Use Get-NetTCPConnection T1049 windows, ps_classic_start
Potential Process Hollowing Activity T1055.012 windows, process_tampering
HackTool - CobaltStrike BOF Injection Pattern T1562.001, T1106 windows, process_access
Credential Dumping Attempt Via WerFault T1003.001 windows, process_access
Credential Dumping Activity By Python Based Tool T1003.001 windows, process_access
HackTool - HandleKatz Duplicating LSASS Handle T1003.001, T1106 windows, process_access
UAC Bypass Using WOW64 Logger DLL Hijack T1548.002 windows, process_access
Credential Dumping Attempt Via Svchost T1548 windows, process_access
Suspicious Svchost Process Access T1562.002 windows, process_access
Function Call From Undocumented COM Interface EditionUpgradeManager T1548.002 windows, process_access
HackTool - LittleCorporal Generated Maldoc Injection T1204.002, T1055.003 windows, process_access
CMSTP Execution Process Access T1218.003, T1559.001 windows, process_access
Remote LSASS Process Access Through Windows Remote Management T1003.001, T1059.001, T1021.006 windows, process_access
Potentially Suspicious GrantedAccess Flags On LSASS T1003.001 windows, process_access
HackTool - Generic Process Access T1003.001 windows, process_access
Potential Direct Syscall of NtOpenProcess T1106 windows, process_access
Potential Credential Dumping Activity Via LSASS T1003.001 windows, process_access
Lsass Memory Dump via Comsvcs DLL T1003.001 windows, process_access
LSASS Access From Potentially White-Listed Processes T1003.001 windows, process_access
Potential NT API Stub Patching T1562.002 windows, process_access
Potential Shellcode Injection T1055 windows, process_access
Suspicious LSASS Access Via MalSecLogon T1003.001 windows, process_access
HackTool - SysmonEnte Execution T1562.002 windows, process_access
LSASS Memory Access by Tool With Dump Keyword In Name T1003.001 windows, process_access
Execute Code with Pester.bat as Parent T1216, T1059.001 windows, process_creation
Suspicious Scheduled Task Name As GUID T1053.005 windows, process_creation
HackTool - Certify Execution T1649 windows, process_creation
Invoke-Obfuscation CLIP+ Launcher T1059.001, T1027 windows, process_creation
HackTool - Quarks PwDump Execution T1003.002 windows, process_creation
Deleted Data Overwritten Via Cipher.EXE T1485 windows, process_creation
UAC Bypass Using Consent and Comctl32 - Process T1548.002 windows, process_creation
Potentially Suspicious Electron Application CommandLine windows, process_creation
DNS Exfiltration and Tunneling Tools Execution T1132.001, T1071.004, T1048.001 windows, process_creation
File With Suspicious Extension Downloaded Via Bitsadmin T1197, T1036.003 windows, process_creation
Schtasks Creation Or Modification With SYSTEM Privileges T1053.005 windows, process_creation
Potentially Suspicious Child Process Of VsCode T1202, T1218 windows, process_creation
Firewall Rule Update Via Netsh.EXE windows, process_creation
Suspicious DumpMinitool Execution T1003.001, T1036 windows, process_creation
Potential Tampering With RDP Related Registry Keys Via Reg.EXE T1021.001, T1112 windows, process_creation
Suspicious Cabinet File Execution Via Msdt.EXE T1202 windows, process_creation
Scheduled Task Creation Via Schtasks.EXE T1053.005 windows, process_creation
Suspicious PowerShell Encoded Command Patterns T1059.001 windows, process_creation
Sensitive File Access Via Volume Shadow Copy Backup T1490 windows, process_creation
Regsvr32 DLL Execution With Uncommon Extension T1574 windows, process_creation
Add Insecure Download Source To Winget T1059 windows, process_creation
Firewall Disabled via Netsh.EXE T1562.004 windows, process_creation
Arbitrary File Download Via MSEDGE_PROXY.EXE T1218 windows, process_creation
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS T1615, T1059.005 windows, process_creation
Conhost Spawned By Uncommon Parent Process T1059 windows, process_creation
Active Directory Structure Export Via Csvde.EXE windows, process_creation
IIS Native-Code Module Command Line Installation T1505.003 windows, process_creation
Potential Crypto Mining Activity T1496 windows, process_creation
System Disk And Volume Reconnaissance Via Wmic.EXE T1082, T1047 windows, process_creation
Rundll32 Spawned Via Explorer.EXE windows, process_creation
PUA - Advanced Port Scanner Execution T1135, T1046 windows, process_creation
Directory Removal Via Rmdir T1070.004 windows, process_creation
Forfiles Command Execution T1059 windows, process_creation
Renamed CreateDump Utility Execution T1003.001, T1036 windows, process_creation
Suspicious GUP Usage T1574.002 windows, process_creation
Renamed Sysinternals Sdelete Execution T1485 windows, process_creation
WSL Child Process Anomaly T1202, T1218 windows, process_creation
SafeBoot Registry Key Deleted Via Reg.EXE T1562.001 windows, process_creation
Malicious PE Execution by Microsoft Visual Studio Debugger T1218 windows, process_creation
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) T1003.003 windows, process_creation
ConvertTo-SecureString Cmdlet Usage Via CommandLine T1059.001, T1027 windows, process_creation
OpenWith.exe Executes Specified Binary T1218 windows, process_creation
Suspicious PowerShell Download and Execute Pattern T1059.001 windows, process_creation
File Download Via Bitsadmin To A Suspicious Target Folder T1197, T1036.003 windows, process_creation
Use of TTDInject.exe T1127 windows, process_creation
Suspicious SysAidServer Child T1210 windows, process_creation
Potential Manage-bde.wsf Abuse To Proxy Execution T1216 windows, process_creation
Suspicious Reg Add BitLocker T1486 windows, process_creation
Parent in Public Folder Suspicious Process T1059, T1564 windows, process_creation
HackTool - Stracciatella Execution T1059, T1562.001 windows, process_creation
File Decryption Using Gpg4win windows, process_creation
HackTool - UACMe Akagi Execution T1548.002 windows, process_creation
Suspicious AddinUtil.EXE CommandLine Execution T1218 windows, process_creation
Copy From VolumeShadowCopy Via Cmd.EXE T1490 windows, process_creation
Abuse of Service Permissions to Hide Services Via Set-Service T1574.011 windows, process_creation
Renamed CURL.EXE Execution T1202, T1059 windows, process_creation
Deletion of Volume Shadow Copies via WMI with PowerShell T1490 windows, process_creation
Suspicious File Download From File Sharing Domain Via Wget.EXE windows, process_creation
Non Interactive PowerShell Process Spawned T1059.001 windows, process_creation
Use of OpenConsole T1059 windows, process_creation
Use of FSharp Interpreters T1059 windows, process_creation
Suspicious Msiexec Quiet Install From Remote Location T1218.007 windows, process_creation
Disable Windows Defender AV Security Monitoring T1562.001 windows, process_creation
Remote Code Execute via Winrm.vbs T1216 windows, process_creation
Potential RDP Tunneling Via Plink T1572 windows, process_creation
Schtasks From Suspicious Folders T1053.005 windows, process_creation
Service DACL Abuse To Hide Services Via Sc.EXE T1574.011 windows, process_creation
Suspicious Extrac32 Alternate Data Stream Execution T1564.004 windows, process_creation
Suspicious Runscripthelper.exe T1202, T1059 windows, process_creation
Suspicious Curl.EXE Download T1105 windows, process_creation
PUA - System Informer Execution T1543, T1082, T1564 windows, process_creation
Regsvr32 Execution From Highly Suspicious Location T1218.010 windows, process_creation
Potential PowerShell Execution Policy Tampering - ProcCreation windows, process_creation
Remote Access Tool - ScreenConnect Remote Command Execution T1059.003 windows, process_creation
Use of VSIISExeLauncher.exe T1127 windows, process_creation
Detected Windows Software Discovery T1518 windows, process_creation
Renamed PsExec Service Execution windows, process_creation
Start Windows Service Via Net.EXE T1569.002 windows, process_creation
Potential Meterpreter/CobaltStrike Activity T1134.001, T1134.002 windows, process_creation
Potential Download/Upload Activity Using Type Command T1105 windows, process_creation
Suspicious CodePage Switch Via CHCP T1036 windows, process_creation
Potentially Suspicious DLL Registered Via Odbcconf.EXE T1218.008 windows, process_creation
Copying Sensitive Files with Credential Data T1003.002, T1003.003 windows, process_creation
Renamed Cloudflared.EXE Execution T1090.001 windows, process_creation
Potential Obfuscated Ordinal Call Via Rundll32 windows, process_creation
Suspicious SYSTEM User Process Creation T1003, T1027, T1134 windows, process_creation
Shadow Copies Deletion Using Operating Systems Utilities T1070, T1490 windows, process_creation
Whoami.EXE Execution With Output Option T1033 windows, process_creation
Unmount Share Via Net.EXE T1070.005 windows, process_creation
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE T1005 windows, process_creation
File Download Via Bitsadmin T1036.003, T1197 windows, process_creation
Forfiles.EXE Child Process Masquerading T1036 windows, process_creation
Suspicious ZipExec Execution T1218, T1202 windows, process_creation
Uncommon Extension Shim Database Installation Via Sdbinst.EXE T1546.011 windows, process_creation
Microsoft Workflow Compiler Execution T1218, T1127 windows, process_creation
HackTool - Rubeus Execution T1558.003, T1550.003, T1003 windows, process_creation
Gzip Archive Decode Via PowerShell T1132.001 windows, process_creation
Compressed File Extraction Via Tar.EXE T1560, T1560.001 windows, process_creation
Suspicious Eventlog Clear or Configuration Change T1070.001, T1562.002 windows, process_creation
Wlrmdr.EXE Uncommon Argument Or Child Process T1218 windows, process_creation
HackTool - CrackMapExec Process Patterns T1003.001 windows, process_creation
Devtoolslauncher.exe Executes Specified Binary T1218 windows, process_creation
Potential Adplus.EXE Abuse T1003.001 windows, process_creation
Suspicious Git Clone T1593.003 windows, process_creation
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE T1070.001, T1562.001 windows, process_creation
HackTool - Htran/NATBypass Execution T1090 windows, process_creation
HackTool - SharpUp PrivEsc Tool Execution T1574.005, T1569.002, T1615 windows, process_creation
Scheduled Task Executing Payload from Registry T1053.005, T1059.001 windows, process_creation
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE T1112, T1574.002 windows, process_creation
Suspicious TSCON Start as SYSTEM T1219 windows, process_creation
HackTool - SharpChisel Execution T1090.001 windows, process_creation
Suspicious Processes Spawned by WinRM T1190 windows, process_creation
Remote Access Tool - RURAT Execution From Unusual Location windows, process_creation
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities T1552 windows, process_creation
PowerShell Base64 Encoded IEX Cmdlet T1059.001 windows, process_creation
Veeam Backup Database Suspicious Query T1005 windows, process_creation
Execute MSDT Via Answer File T1218 windows, process_creation
Potential Fake Instance Of Hxtsr.EXE Executed T1036 windows, process_creation
Suspicious HWP Sub Processes T1059.003, T1566.001, T1203 windows, process_creation
HackTool - Koadic Execution T1059.005, T1059.003, T1059.007 windows, process_creation
Suspicious Spool Service Child Process T1068, T1203 windows, process_creation
PowerShell Base64 Encoded WMI Classes T1027, T1059.001 windows, process_creation
Suspicious Download from Office Domain T1105, T1608 windows, process_creation
Shadow Copies Creation Using Operating Systems Utilities T1003, T1003.003, T1003.002 windows, process_creation
Network Reconnaissance Activity T1087, T1082 windows, process_creation
Renamed BrowserCore.EXE Execution T1036.003, T1528 windows, process_creation
Local File Read Using Curl.EXE windows, process_creation
Potential Amazon SSM Agent Hijacking T1219 windows, process_creation
DirLister Execution T1083 windows, process_creation
Execute Files with Msdeploy.exe T1218 windows, process_creation
WMI Persistence - Script Event Consumer T1546.003 windows, process_creation
Enable LM Hash Storage - ProcCreation T1112 windows, process_creation
HH.EXE Execution T1218.001 windows, process_creation
Sysprep on AppData Folder T1059 windows, process_creation
Powershell Defender Disable Scan Feature T1562.001 windows, process_creation
CodePage Modification Via MODE.COM To Russian Language T1036 windows, process_creation
Suspicious HH.EXE Execution T1218.010, T1047, T1059.007, T1566, T1566.001, T1059.005, T1218.001, T1059.001, T1218, T1059.003, T1218.011 windows, process_creation
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI T1564.004 windows, process_creation
Wab/Wabmig Unusual Parent Or Child Processes windows, process_creation
HackTool - CrackMapExec Execution T1201, T1059.003, T1059.001, T1110, T1047, T1053 windows, process_creation
HackTool - SecurityXploded Execution T1555 windows, process_creation
HTML Help HH.EXE Suspicious Child Process T1566, T1218.010, T1059.007, T1059.005, T1218.001, T1059.003, T1059.001, T1218, T1047, T1218.011, T1566.001 windows, process_creation
Persistence Via TypedPaths - CommandLine windows, process_creation
Change Default File Association Via Assoc T1546.001 windows, process_creation
Potential Persistence Attempt Via Existing Service Tampering T1543.003, T1574.011 windows, process_creation
HackTool - Dumpert Process Dumper Execution T1003.001 windows, process_creation
Service Started/Stopped Via Wmic.EXE T1047 windows, process_creation
File Decoded From Base64/Hex Via Certutil.EXE T1027 windows, process_creation
Execution from Suspicious Folder T1036 windows, process_creation
Suspicious File Download From File Sharing Domain Via Curl.EXE windows, process_creation
Suspicious Double Extension File Execution T1566.001 windows, process_creation
Suspicious Extexport Execution T1218 windows, process_creation
Suspicious Shells Spawn by Java Utility Keytool windows, process_creation
Potentially Suspicious Windows App Activity windows, process_creation
Potentially Suspicious Ping/Copy Command Combination T1070.004 windows, process_creation
PUA - Nimgrab Execution T1105 windows, process_creation
Lolbin Ssh.exe Use As Proxy T1202 windows, process_creation
Unusual Parent Process For Cmd.EXE T1059 windows, process_creation
Windows Credential Manager Access via VaultCmd T1555.004 windows, process_creation
Visual Basic Command Line Compiler Usage T1027.004 windows, process_creation
Suspicious Copy From or To System Directory T1036.003 windows, process_creation
Visual Studio Code Tunnel Execution T1071.001 windows, process_creation
Base64 MZ Header In CommandLine windows, process_creation
Curl Web Request With Potential Custom User-Agent windows, process_creation
HackTool - GMER Rootkit Detector and Remover Execution windows, process_creation
WhoAmI as Parameter T1033 windows, process_creation
Lolbin Defaultpack.exe Use As Proxy T1218 windows, process_creation
Read Contents From Stdin Via Cmd.EXE T1059.003 windows, process_creation
Potential Binary Impersonating Sysinternals Tools T1218, T1202 windows, process_creation
PUA - AdvancedRun Suspicious Execution T1134.002 windows, process_creation
Suspicious Download From Direct IP Via Bitsadmin T1197, T1036.003 windows, process_creation
Security Service Disabled Via Reg.EXE T1562.001 windows, process_creation
Potentially Suspicious GoogleUpdate Child Process windows, process_creation
Suspicious UltraVNC Execution T1021.005 windows, process_creation
PowerShell Set-Acl On Windows Folder windows, process_creation
Potential Tampering With Security Products Via WMIC T1562.001 windows, process_creation
Renamed SysInternals DebugView Execution T1588.002 windows, process_creation
Enumerate All Information With Whoami.EXE T1033 windows, process_creation
Potential Command Line Path Traversal Evasion Attempt T1036 windows, process_creation
Suspicious Schtasks Schedule Types T1053.005 windows, process_creation
Potential Privilege Escalation To LOCAL SYSTEM T1587.001 windows, process_creation
Remote Access Tool - Anydesk Execution From Suspicious Folder T1219 windows, process_creation
PsExec Service Execution windows, process_creation
Suspicious Greedy Compression Using Rar.EXE T1059 windows, process_creation
SQL Client Tools PowerShell Session Detection T1059.001, T1127 windows, process_creation
PUA - Rclone Execution T1567.002 windows, process_creation
Wscript Shell Run In CommandLine T1059 windows, process_creation
Powershell Base64 Encoded MpPreference Cmdlet T1562.001 windows, process_creation
Browser Execution In Headless Mode T1105 windows, process_creation
Automated Collection Command Prompt T1552.001, T1119 windows, process_creation
Suspicious MSHTA Child Process T1218.005 windows, process_creation
Remote Access Tool - Team Viewer Session Started On Windows Host T1133 windows, process_creation
Potential Arbitrary Command Execution Using Msdt.EXE T1202 windows, process_creation
Chromium Browser Headless Execution To Mockbin Like Site windows, process_creation
DriverQuery.EXE Execution windows, process_creation
Obfuscated IP Download Activity windows, process_creation
PUA - Netcat Suspicious Execution T1095 windows, process_creation
Suspicious ScreenSave Change by Reg.exe T1546.002 windows, process_creation
Suspicious AgentExecutor PowerShell Execution T1218 windows, process_creation
Netsh Allow Group Policy on Microsoft Defender Firewall T1562.004 windows, process_creation
PUA - Radmin Viewer Utility Execution T1072 windows, process_creation
Sideloading Link.EXE T1218 windows, process_creation
Suspicious WmiPrvSE Child Process T1218.010, T1204.002, T1047 windows, process_creation
Tap Installer Execution T1048 windows, process_creation
Audio Capture via PowerShell T1123 windows, process_creation
Suspicious Rundll32 Setupapi.dll Activity T1218.011 windows, process_creation
Change PowerShell Policies to an Insecure Level T1059.001 windows, process_creation
Invoke-Obfuscation Via Use MSHTA T1059.001, T1027 windows, process_creation
Suspicious Extrac32 Execution T1105 windows, process_creation
New ActiveScriptEventConsumer Created Via Wmic.EXE T1546.003 windows, process_creation
Start of NT Virtual DOS Machine windows, process_creation
Potentially Suspicious WebDAV LNK Execution T1059.001, T1204 windows, process_creation
Suspicious Child Process Of Wermgr.EXE T1055, T1036 windows, process_creation
Bad Opsec Defaults Sacrificial Processes With Improper Arguments T1218.011 windows, process_creation
Console CodePage Lookup Via CHCP T1614.001 windows, process_creation
Computer Password Change Via Ksetup.EXE windows, process_creation
PktMon.EXE Execution T1040 windows, process_creation
Capture Credentials with Rpcping.exe T1003 windows, process_creation
Visual Studio NodejsTools PressAnyKey Renamed Execution T1218 windows, process_creation
Browser Started with Remote Debugging T1185 windows, process_creation
TrustedPath UAC Bypass Pattern T1548.002 windows, process_creation
Potential Mpclient.DLL Sideloading Via Defender Binaries T1574.002 windows, process_creation
New Kernel Driver Via SC.EXE T1543.003 windows, process_creation
Time Travel Debugging Utility Usage T1003.001, T1218 windows, process_creation
Add SafeBoot Keys Via Reg Utility T1562.001 windows, process_creation
Potential Renamed Rundll32 Execution windows, process_creation
Suspicious Advpack Call Via Rundll32.EXE windows, process_creation
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution T1218 windows, process_creation
Add Potential Suspicious New Download Source To Winget T1059 windows, process_creation
HackTool - Mimikatz Execution T1003.005, T1003.004, T1003.006, T1003.001, T1003.002 windows, process_creation
Suspicious Plink Port Forwarding T1572, T1021.001 windows, process_creation
Suspicious Response File Execution Via Odbcconf.EXE T1218.008 windows, process_creation
Suspicious Execution From Outlook Temporary Folder T1566.001 windows, process_creation
Suspicious Processes Spawned by Java.EXE windows, process_creation
Windows Processes Suspicious Parent Directory T1036.003, T1036.005 windows, process_creation
Run PowerShell Script from ADS T1564.004 windows, process_creation
UAC Bypass Using IDiagnostic Profile T1548.002 windows, process_creation
Regsvr32 DLL Execution With Suspicious File Extension T1218.010 windows, process_creation
Permission Misconfiguration Reconnaissance Via Findstr.EXE T1552.006 windows, process_creation
Insecure Proxy/DOH Transfer Via Curl.EXE windows, process_creation
Dumping of Sensitive Hives Via Reg.EXE T1003.002, T1003.005, T1003.004 windows, process_creation
File Download via CertOC.EXE T1105 windows, process_creation
Wusa.EXE Executed By Parent Process Located In Suspicious Location windows, process_creation
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp T1021.003 windows, process_creation
Potential PowerShell Command Line Obfuscation T1059.001, T1027 windows, process_creation
CreateDump Process Dump T1003.001, T1036 windows, process_creation
Remote Access Tool - NetSupport Execution From Unusual Location windows, process_creation
Potential DLL File Download Via PowerShell Invoke-WebRequest T1105, T1059.001 windows, process_creation
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE T1562.001 windows, process_creation
PUA - NirCmd Execution As LOCAL SYSTEM T1569.002 windows, process_creation
REGISTER_APP.VBS Proxy Execution T1218 windows, process_creation
Suspicious Scheduled Task Creation via Masqueraded XML File T1036.005, T1053.005 windows, process_creation
Remote Access Tool - ScreenConnect Execution T1219 windows, process_creation
Process Reconnaissance Via Wmic.EXE T1047 windows, process_creation
WebDav Client Execution Via Rundll32.EXE T1048.003 windows, process_creation
Potential Defense Evasion Via Binary Rename T1036.003 windows, process_creation
Use of UltraVNC Remote Access Software T1219 windows, process_creation
Renamed Gpg.EXE Execution T1486 windows, process_creation
Compress Data and Lock With Password for Exfiltration With WINZIP T1560.001 windows, process_creation
Renamed Mavinject.EXE Execution T1218.013, T1055.001 windows, process_creation
Potential Persistence Via Netsh Helper DLL T1546.007 windows, process_creation
Suspicious Execution of Systeminfo T1082 windows, process_creation
LOLBAS Data Exfiltration by DataSvcUtil.exe T1567 windows, process_creation
Potentially Suspicious PowerShell Child Processes T1059.001 windows, process_creation
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension T1218.009 windows, process_creation
Suspicious New Service Creation T1543.003 windows, process_creation
Suspicious Scheduled Task Creation Involving Temp Folder T1053.005 windows, process_creation
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE T1003.005 windows, process_creation
DLL Loaded via CertOC.EXE T1218 windows, process_creation
XBAP Execution From Uncommon Locations Via PresentationHost.EXE T1218 windows, process_creation
Exchange PowerShell Snap-Ins Usage T1059.001, T1114 windows, process_creation
Renamed PingCastle Binary Execution T1059, T1202 windows, process_creation
Suspicious Provlaunch.EXE Child Process T1218 windows, process_creation
Mshtml.DLL RunHTMLApplication Suspicious Usage windows, process_creation
Dllhost.EXE Execution Anomaly T1055 windows, process_creation
Portable Gpg.EXE Execution T1486 windows, process_creation
PowerShell Get-Clipboard Cmdlet Via CLI T1115 windows, process_creation
UAC Bypass Using NTFS Reparse Point - Process T1548.002 windows, process_creation
Potentially Suspicious Rundll32 Activity T1218.011 windows, process_creation
Suspicious Userinit Child Process T1055 windows, process_creation
PUA - Crassus Execution T1590.001 windows, process_creation
Potential ShellDispatch.DLL Functionality Abuse windows, process_creation
Potential UAC Bypass Via Sdclt.EXE T1548.002 windows, process_creation
HackTool - Hashcat Password Cracker Execution T1110.002 windows, process_creation
Insecure Transfer Via Curl.EXE windows, process_creation
Suspicious MsiExec Embedding Parent T1218.007 windows, process_creation
Suspicious Active Directory Database Snapshot Via ADExplorer T1003.003, T1552.001 windows, process_creation
User Added To Highly Privileged Group T1098 windows, process_creation
Potential Process Injection Via Msra.EXE T1055 windows, process_creation
Suspicious Cmdl32 Execution T1202, T1218 windows, process_creation
Renamed AdFind Execution T1069.002, T1087.002, T1482, T1018 windows, process_creation
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE windows, process_creation
Suspicious X509Enrollment - Process Creation T1553.004 windows, process_creation
Privilege Escalation via Named Pipe Impersonation T1021 windows, process_creation
Password Provided In Command Line Of Net.EXE T1078, T1021.002 windows, process_creation
Delete Important Scheduled Task T1489 windows, process_creation
Process Creation Using Sysnative Folder T1055 windows, process_creation
Potentially Suspicious Child Process Of ClickOnce Application windows, process_creation
Potentially Suspicious Child Process Of Regsvr32 T1218.010 windows, process_creation
Shell32 DLL Execution in Suspicious Directory T1218.011 windows, process_creation
Psexec Execution T1021, T1569 windows, process_creation
File Download And Execution Via IEExec.EXE T1105 windows, process_creation
Potential Privilege Escalation via Service Permissions Weakness T1574.011 windows, process_creation
Renamed PAExec Execution T1202 windows, process_creation
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE T1047 windows, process_creation
Suspicious Query of MachineGUID T1082 windows, process_creation
Suspicious Child Process Of SQL Server T1190, T1505.003 windows, process_creation
Execution of Suspicious File Type Extension windows, process_creation
ETW Logging Tamper In .NET Processes T1562 windows, process_creation
Suspicious Workstation Locking via Rundll32 windows, process_creation
Suspicious Microsoft OneNote Child Process T1566, T1566.001 windows, process_creation
UAC Bypass Using PkgMgr and DISM T1548.002 windows, process_creation
Suspicious PowerShell IEX Execution Patterns T1059.001 windows, process_creation
Invoke-Obfuscation VAR+ Launcher T1059.001, T1027 windows, process_creation
Response File Execution Via Odbcconf.EXE T1218.008 windows, process_creation
Stop Windows Service Via Sc.EXE T1489 windows, process_creation
Potential Product Reconnaissance Via Wmic.EXE T1047 windows, process_creation
PUA - WebBrowserPassView Execution T1555.003 windows, process_creation
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call T1059.001, T1027 windows, process_creation
Disabled IE Security Features T1562.001 windows, process_creation
Arbitrary File Download Via MSOHTMED.EXE T1218 windows, process_creation
PowerShell SAM Copy T1003.002 windows, process_creation
Tasks Folder Evasion T1574.002 windows, process_creation
HackTool - Inveigh Execution T1003.001 windows, process_creation
Uncommon Child Process Of BgInfo.EXE T1059.005, T1218, T1202 windows, process_creation
HackTool - Certipy Execution T1649 windows, process_creation
Suspicious Usage Of ShellExec_RunDLL windows, process_creation
HackTool - CoercedPotato Execution T1055 windows, process_creation
LOL-Binary Copied From System Directory T1036.003 windows, process_creation
Potential Commandline Obfuscation Using Unicode Characters T1027 windows, process_creation
Dumping Process via Sqldumper.exe T1003.001 windows, process_creation
Change Default File Association To Executable Via Assoc T1546.001 windows, process_creation
Port Forwarding Activity Via SSH.EXE T1021.004, T1021.001, T1572 windows, process_creation
Harvesting Of Wifi Credentials Via Netsh.EXE T1040 windows, process_creation
HackTool - XORDump Execution T1036, T1003.001 windows, process_creation
Certificate Exported Via Certutil.EXE T1027 windows, process_creation
PowerShell Script Change Permission Via Set-Acl windows, process_creation
Winrar Execution in Non-Standard Folder T1560.001 windows, process_creation
Suspicious GrpConv Execution T1547 windows, process_creation
Suspicious Child Process Created as System T1134.002 windows, process_creation
Suspicious Program Names T1059 windows, process_creation
Potentially Suspicious Call To Win32_NTEventlogFile Class windows, process_creation
PUA - Adidnsdump Execution T1018 windows, process_creation
HackTool - Hydra Password Bruteforce Execution T1110, T1110.001 windows, process_creation
Suspicious Diantz Alternate Data Stream Execution T1564.004 windows, process_creation
Suspicious Invoke-WebRequest Execution T1105 windows, process_creation
Abusing Print Executable T1218 windows, process_creation
Fsutil Drive Enumeration T1120 windows, process_creation
Suspicious Splwow64 Without Params T1202 windows, process_creation
SQLite Chromium Profile Data DB Access T1539, T1555.003, T1005 windows, process_creation
Potential Browser Data Stealing T1555.003 windows, process_creation
Mavinject Inject DLL Into Running Process T1218.013, T1055.001 windows, process_creation
Firewall Rule Deleted Via Netsh.EXE T1562.004 windows, process_creation
HackTool - PurpleSharp Execution T1587 windows, process_creation
Hardware Model Reconnaissance Via Wmic.EXE T1047 windows, process_creation
Wusa.EXE Extracting Cab Files From Suspicious Paths windows, process_creation
Uncommon Child Process Spawned By Odbcconf.EXE T1218.008 windows, process_creation
Suspicious Rundll32 Activity Invoking Sys File T1218.011 windows, process_creation
Mstsc.EXE Execution From Uncommon Parent windows, process_creation
Proxy Execution Via Wuauclt.EXE T1218 windows, process_creation
Renamed Plink Execution T1036 windows, process_creation
Suspicious Schtasks Execution AppData Folder T1053.005, T1059.001 windows, process_creation
Regedit as Trusted Installer T1548 windows, process_creation
AspNetCompiler Execution T1127 windows, process_creation
PUA - Potential PE Metadata Tamper Using Rcedit T1036, T1027.005, T1036.003, T1027 windows, process_creation
Suspicious Powercfg Execution To Change Lock Screen Timeout windows, process_creation
HackTool - PCHunter Execution T1057, T1083, T1012, T1007, T1082 windows, process_creation
Suspicious Schtasks Schedule Type With High Privileges T1053.005 windows, process_creation
Suspicious Child Process Of BgInfo.EXE T1218, T1059.005, T1202 windows, process_creation
Diskshadow Script Mode - Uncommon Script Extension Execution T1218 windows, process_creation
Potentially Suspicious Regsvr32 HTTP/FTP Pattern T1218.010 windows, process_creation
Invoke-Obfuscation Obfuscated IEX Invocation T1059.001, T1027 windows, process_creation
System Network Connections Discovery Via Net.EXE T1049 windows, process_creation
ShimCache Flush T1112 windows, process_creation
Suspicious Download From File-Sharing Website Via Bitsadmin T1036.003, T1197 windows, process_creation
Potential Persistence Via Powershell Search Order Hijacking - Task T1059.001, T1053.005 windows, process_creation
Renamed Visual Studio Code Tunnel Execution T1071.001 windows, process_creation
Renamed Vmnat.exe Execution T1574.002 windows, process_creation
File Deletion Via Del T1070.004 windows, process_creation
Rundll32 Execution Without Parameters T1021.002, T1570, T1569.002 windows, process_creation
Hacktool Execution - Imphash T1003, T1588.002 windows, process_creation
Arbitrary File Download Via MSPUB.EXE T1218 windows, process_creation
Potential Arbitrary File Download Using Office Application T1202 windows, process_creation
Potentially Suspicious Child Process Of DiskShadow.EXE T1218 windows, process_creation
Monitoring For Persistence Via BITS T1197 windows, process_creation
Application Whitelisting Bypass via Dxcap.exe T1218 windows, process_creation
HackTool - Potential Impacket Lateral Movement Activity T1021.003, T1047 windows, process_creation
Run Once Task Execution as Configured in Registry T1112 windows, process_creation
PowerShell Base64 Encoded FromBase64String Cmdlet T1140, T1059.001 windows, process_creation
Findstr Launching .lnk File T1202, T1027.003, T1036 windows, process_creation
New Generic Credentials Added Via Cmdkey.EXE T1003.005 windows, process_creation
Security Tools Keyword Lookup Via Findstr.EXE T1518.001 windows, process_creation
Potential MSTSC Shadowing Activity T1563.002 windows, process_creation
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell T1059.001, T1047 windows, process_creation
Potentially Suspicious Regsvr32 HTTP IP Pattern T1218.010 windows, process_creation
Copy From Or To Admin Share Or Sysvol Folder T1039, T1021.002, T1048 windows, process_creation
RunDLL32 Spawning Explorer T1218.011 windows, process_creation
Remote Access Tool - GoToAssist Execution T1219 windows, process_creation
Stop Windows Service Via PowerShell Stop-Service T1489 windows, process_creation
Dropping Of Password Filter DLL T1556.002 windows, process_creation
PowerShell Execution With Potential Decryption Capabilities windows, process_creation
Use Short Name Path in Command Line T1564.004 windows, process_creation
Hiding Files with Attrib.exe T1564.001 windows, process_creation
HackTool - SILENTTRINITY Stager Execution T1071 windows, process_creation
Scheduled Task Executing Encoded Payload from Registry T1059.001, T1053.005 windows, process_creation
Suspicious Reg Add Open Command T1003 windows, process_creation
Arbitrary File Download Via GfxDownloadWrapper.EXE T1105 windows, process_creation
Suspicious JavaScript Execution Via Mshta.EXE T1218.005 windows, process_creation
Uncommon Child Process Of Conhost.EXE T1202 windows, process_creation
Diskshadow Script Mode - Execution From Potential Suspicious Location T1218 windows, process_creation
HackTool - Impersonate Execution T1134.003, T1134.001 windows, process_creation
Potential Signing Bypass Via Windows Developer Features windows, process_creation
Computer System Reconnaissance Via Wmic.EXE T1047 windows, process_creation
HackTool - PowerTool Execution T1562.001 windows, process_creation
PrintBrm ZIP Creation of Extraction T1564.004, T1105 windows, process_creation
Potential Arbitrary DLL Load Using Winword T1202 windows, process_creation
Execution Of Non-Existing File windows, process_creation
Suspicious Rundll32 Invoking Inline VBScript T1055 windows, process_creation
Always Install Elevated MSI Spawned Cmd And Powershell T1548.002 windows, process_creation
UEFI Persistence Via Wpbbin - ProcessCreation T1542.001 windows, process_creation
DumpMinitool Execution T1003.001, T1036 windows, process_creation
Suspicious Process Created Via Wmic.EXE T1047 windows, process_creation
Potentially Suspicious Command Targeting Teams Sensitive Files T1528 windows, process_creation
Visual Studio Code Tunnel Service Installation T1071.001 windows, process_creation
Potential PowerShell Downgrade Attack T1059.001 windows, process_creation
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE T1543.003 windows, process_creation
Potential Commandline Obfuscation Using Escape Characters T1140 windows, process_creation
Xwizard DLL Sideloading T1574.002 windows, process_creation
Security Privileges Enumeration Via Whoami.EXE T1033 windows, process_creation
Renamed NirCmd.EXE Execution T1059, T1202 windows, process_creation
Potential Credential Dumping Attempt Using New NetworkProvider - CLI T1003 windows, process_creation
HackTool - Impacket Tools Execution T1557.001 windows, process_creation
Suspicious Manipulation Of Default Accounts Via Net.EXE T1560.001 windows, process_creation
Esentutl Gather Credentials T1003, T1003.003 windows, process_creation
MMC20 Lateral Movement T1021.003 windows, process_creation
Suspicious Download Via Certutil.EXE T1027 windows, process_creation
New Process Created Via Wmic.EXE T1047 windows, process_creation
Imports Registry Key From a File T1112 windows, process_creation
Suspicious Service Binary Directory T1202 windows, process_creation
VMToolsd Suspicious Child Process T1059 windows, process_creation
Potential NTLM Coercion Via Certutil.EXE T1218 windows, process_creation
Proxy Execution Via Explorer.exe T1218 windows, process_creation
File Download From IP Based URL Via CertOC.EXE T1105 windows, process_creation
Potential Dropper Script Execution Via WScript/CScript T1059.007, T1059.005 windows, process_creation
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE T1070, T1542.003 windows, process_creation
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) T1003.003 windows, process_creation
Operator Bloopers Cobalt Strike Modules T1059.003 windows, process_creation
Suspicious RDP Redirect Using TSCON T1021.001, T1563.002 windows, process_creation
Potentially Suspicious Office Document Executed From Trusted Location T1202 windows, process_creation
Changing Existing Service ImagePath Value Via Reg.EXE T1574.011 windows, process_creation
Detection of PowerShell Execution via Sqlps.exe T1059.001, T1127 windows, process_creation
Suspicious Kernel Dump Using Dtrace T1082 windows, process_creation
Service Reconnaissance Via Wmic.EXE T1047 windows, process_creation
Rundll32 UNC Path Execution T1021.002, T1218.011 windows, process_creation
Scripting/CommandLine Process Spawned Regsvr32 T1218.010 windows, process_creation
Rebuild Performance Counter Values Via Lodctr.EXE windows, process_creation
Root Certificate Installed From Susp Locations T1553.004 windows, process_creation
Potential SMB Relay Attack Tool Execution T1557.001 windows, process_creation
Potential Password Spraying Attempt Using Dsacls.EXE T1218 windows, process_creation
RDP Connection Allowed Via Netsh.EXE T1562.004 windows, process_creation
Suspicious DLL Loaded via CertOC.EXE T1218 windows, process_creation
HackTool - SharpLdapWhoami Execution T1033 windows, process_creation
Suspicious Use of CSharp Interactive Console T1127 windows, process_creation
Process Memory Dump Via Dotnet-Dump T1218 windows, process_creation
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl T1216 windows, process_creation
Phishing Pattern ISO in Archive T1566 windows, process_creation
PUA - CleanWipe Execution T1562.001 windows, process_creation
Sticky Key Like Backdoor Execution T1546.008 windows, process_creation
HackTool - SysmonEOP Execution T1068 windows, process_creation
PDQ Deploy Remote Adminstartion Tool Execution T1072 windows, process_creation
New Remote Desktop Connection Initiated Via Mstsc.EXE T1021.001 windows, process_creation
Cloudflared Tunnel Connections Cleanup T1090, T1102, T1572 windows, process_creation
Cloudflared Tunnel Execution T1572, T1102, T1090 windows, process_creation
Files Added To An Archive Using Rar.EXE T1560.001 windows, process_creation
Remote Access Tool - AnyDesk Piped Password Via CLI T1219 windows, process_creation
Potential PowerShell Execution Via DLL T1218.011 windows, process_creation
WmiPrvSE Spawned A Process T1047 windows, process_creation
Suspicious File Characteristics Due to Missing Fields T1059.006 windows, process_creation
Gpresult Display Group Policy Information T1615 windows, process_creation
Use Icacls to Hide File to Everyone T1564.001 windows, process_creation
Suspicious Scan Loop Network T1018, T1059 windows, process_creation
PowerShell Base64 Encoded Invoke Keyword T1059.001, T1027 windows, process_creation
HackTool - EDRSilencer Execution T1562 windows, process_creation
Reg Add Suspicious Paths T1562.001, T1112 windows, process_creation
Use Short Name Path in Image T1564.004 windows, process_creation
Perl Inline Command Execution T1059 windows, process_creation
System File Execution Location Anomaly T1036 windows, process_creation
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet T1074.001 windows, process_creation
Run PowerShell Script from Redirected Input Stream T1059 windows, process_creation
Email Exifiltration Via Powershell windows, process_creation
Terminal Service Process Spawn T1190, T1210 windows, process_creation
Potential PsExec Remote Execution T1587.001 windows, process_creation
Application Removed Via Wmic.EXE T1047 windows, process_creation
Suspicious Execution From GUID Like Folder Names T1027 windows, process_creation
Enumeration for Credentials in Registry T1552.002 windows, process_creation
LSASS Dump Keyword In CommandLine T1003.001 windows, process_creation
Potential Arbitrary Code Execution Via Node.EXE T1127 windows, process_creation
Windows Share Mount Via Net.EXE T1021.002 windows, process_creation
Uninstall Sysinternals Sysmon T1562.001 windows, process_creation
Ruby Inline Command Execution T1059 windows, process_creation
Suspicious Windows Service Tampering T1489 windows, process_creation
Execution of Powershell Script in Public Folder T1059.001 windows, process_creation
Process Proxy Execution Via Squirrel.EXE T1218 windows, process_creation
Suspicious RunAs-Like Flag Combination windows, process_creation
Suspicious XOR Encoded PowerShell Command T1027, T1059.001, T1140 windows, process_creation
Unusual Child Process of dns.exe T1133 windows, process_creation
HackTool - ADCSPwn Execution T1557.001 windows, process_creation
Local Groups Reconnaissance Via Wmic.EXE T1069.001 windows, process_creation
File Encryption/Decryption Via Gpg4win From Suspicious Locations windows, process_creation
HackTool - Default PowerSploit/Empire Scheduled Task Creation T1059.001, T1053.005 windows, process_creation
Base64 Encoded PowerShell Command Detected T1140, T1059.001, T1027 windows, process_creation
Discovery of a System Time T1124 windows, process_creation
Suspicious Call by Ordinal T1218.011 windows, process_creation
Hacktool Execution - PE Metadata T1003, T1588.002 windows, process_creation
PUA - NPS Tunneling Tool Execution T1090 windows, process_creation
Windows Shell/Scripting Processes Spawning Suspicious Programs T1059.005, T1218, T1059.001 windows, process_creation
UtilityFunctions.ps1 Proxy Dll T1216 windows, process_creation
Wusa Extracting Cab Files windows, process_creation
Detect Virtualbox Driver Installation OR Starting Of VMs T1564, T1564.006 windows, process_creation
Uncommon Child Processes Of SndVol.exe windows, process_creation
Shell Process Spawned by Java.EXE windows, process_creation
Suspicious PowerShell Parent Process T1059.001 windows, process_creation
PUA - NSudo Execution T1569.002 windows, process_creation
ZOHO Dctask64 Process Injection T1055.001 windows, process_creation
Verclsid.exe Runs COM Object T1218 windows, process_creation
Potential Recon Activity Via Nltest.EXE T1482, T1016 windows, process_creation
PUA - Process Hacker Execution T1622, T1543, T1564 windows, process_creation
Query Usage To Exfil Data windows, process_creation
Suspicious Msbuild Execution By Uncommon Parent Process windows, process_creation
Potential ReflectDebugger Content Execution Via WerFault.EXE T1036 windows, process_creation
PUA - Wsudo Suspicious Execution T1059 windows, process_creation
LOLBIN Execution Of The FTP.EXE Binary T1059, T1202 windows, process_creation
Suspicious Redirection to Local Admin Share T1048 windows, process_creation
Odbcconf.EXE Suspicious DLL Location T1218.008 windows, process_creation
Sysmon Driver Unloaded Via Fltmc.EXE T1562, T1070, T1562.002 windows, process_creation
HackTool - TruffleSnout Execution T1482 windows, process_creation
File Encryption Using Gpg4win windows, process_creation
Greedy File Deletion Using Del T1070.004 windows, process_creation
PowerShell Web Download T1059.001, T1105 windows, process_creation
Indirect Command Execution From Script File Via Bash.EXE T1202 windows, process_creation
Powershell Defender Exclusion T1562.001 windows, process_creation
File Encoded To Base64 Via Certutil.EXE T1027 windows, process_creation
Import PowerShell Modules From Suspicious Directories - ProcCreation T1059.001 windows, process_creation
Lolbin Unregmp2.exe Use As Proxy T1218 windows, process_creation
Malicious PowerShell Commandlets - ProcessCreation T1069.001, T1059.001, T1087.002, T1087.001, T1069, T1087, T1069.002, T1482 windows, process_creation
Suspicious Execution of Shutdown to Log Out T1529 windows, process_creation
Suspicious Execution of Powershell with Base64 T1059.001 windows, process_creation
HackTool - LocalPotato Execution windows, process_creation
UAC Bypass Using Event Viewer RecentViews windows, process_creation
Sysmon Configuration Update T1562.001 windows, process_creation
HackTool - Bloodhound/Sharphound Execution T1059.001, T1069.002, T1069.001, T1087.001, T1087.002, T1482 windows, process_creation
Invoke-Obfuscation COMPRESS OBFUSCATION T1027, T1059.001 windows, process_creation
HackTool - HandleKatz LSASS Dumper Execution T1003.001 windows, process_creation
Uncommon Child Process Of AddinUtil.EXE T1218 windows, process_creation
Disabled Volume Snapshots T1562.001 windows, process_creation
Disable Important Scheduled Task T1489 windows, process_creation
Malicious Windows Script Components File Execution by TAEF Detection T1218 windows, process_creation
Potential Recon Activity Using DriverQuery.EXE windows, process_creation
Usage Of Web Request Commands And Cmdlets T1059.001 windows, process_creation
HackTool - SharPersist Execution T1053 windows, process_creation
PowerShell Base64 Encoded Reflective Assembly Load T1620, T1059.001, T1027 windows, process_creation
Php Inline Command Execution T1059 windows, process_creation
Suspicious Obfuscated PowerShell Code windows, process_creation
RDP Port Forwarding Rule Added Via Netsh.EXE T1090 windows, process_creation
Use NTFS Short Name in Image T1564.004 windows, process_creation
Potential Encoded PowerShell Patterns In CommandLine T1059.001, T1027 windows, process_creation
Potential Dosfuscation Activity T1059 windows, process_creation
Command Line Execution with Suspicious URL and AppData Strings T1105, T1059.003, T1059.001 windows, process_creation
Remote Access Tool - AnyDesk Silent Installation T1219 windows, process_creation
Cscript/Wscript Potentially Suspicious Child Process windows, process_creation
Potential Binary Proxy Execution Via VSDiagnostics.EXE T1218 windows, process_creation
Logged-On User Password Change Via Ksetup.EXE windows, process_creation
SystemStateBackup Deleted Using Wbadmin.EXE T1490 windows, process_creation
XSL Script Execution Via WMIC.EXE T1220 windows, process_creation
Renamed Msdt.EXE Execution T1036.003 windows, process_creation
PowerShell Script Run in AppData T1059.001 windows, process_creation
Suspicious Control Panel DLL Load T1218.011 windows, process_creation
Potential Powershell ReverseShell Connection T1059.001 windows, process_creation
Screen Capture Activity Via Psr.EXE T1113 windows, process_creation
Recon Information for Export with Command Prompt T1119 windows, process_creation
Remote Access Tool - AnyDesk Execution T1219 windows, process_creation
Suspicious MSDT Parent Process T1218, T1036 windows, process_creation
Rundll32 Execution Without CommandLine Parameters T1202 windows, process_creation
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script T1059 windows, process_creation
Kernel Memory Dump Via LiveKD windows, process_creation
Suspicious Process Execution From Fake Recycle.Bin Folder windows, process_creation
Renamed ZOHO Dctask64 Execution T1218, T1202, T1055.001, T1036 windows, process_creation
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE T1562.001 windows, process_creation
Bypass UAC via CMSTP T1218.003, T1548.002 windows, process_creation
LSA PPL Protection Disabled Via Reg.EXE T1562.010 windows, process_creation
DLL Sideloading by VMware Xfer Utility T1574.002 windows, process_creation
Suspicious Recursive Takeown T1222.001 windows, process_creation
Suspicious PowerShell Invocation From Script Engines T1059.001 windows, process_creation
Potential File Overwrite Via Sysinternals SDelete T1485 windows, process_creation
Suspicious SYSVOL Domain Group Policy Access T1552.006 windows, process_creation
Remote PowerShell Session Host Process (WinRM) T1021.006, T1059.001 windows, process_creation
Whoami.EXE Execution From Privileged Process T1033 windows, process_creation
New Root Certificate Installed Via Certutil.EXE T1553.004 windows, process_creation
Gpscript Execution T1218 windows, process_creation
AADInternals PowerShell Cmdlets Execution - ProccessCreation windows, process_creation
Potential Persistence Via Microsoft Compatibility Appraiser T1053.005 windows, process_creation
Potentially Suspicious Cabinet File Expansion T1218 windows, process_creation
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses T1218 windows, process_creation
Lolbin Runexehelper Use As Proxy T1218 windows, process_creation
Renamed Office Binary Execution windows, process_creation
Suspicious CustomShellHost Execution T1216 windows, process_creation
Insensitive Subfolder Search Via Findstr.EXE T1552.001, T1218, T1564.004, T1105 windows, process_creation
UAC Bypass Using Disk Cleanup T1548.002 windows, process_creation
Potential Persistence Via Logon Scripts - CommandLine T1037.001 windows, process_creation
Potential Discovery Activity Via Dnscmd.EXE T1543.003 windows, process_creation
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE T1518.001 windows, process_creation
Suspicious Dump64.exe Execution T1003.001 windows, process_creation
Suspicious Sigverif Execution T1216 windows, process_creation
Remote Access Tool - NetSupport Execution T1219 windows, process_creation
Arbitrary Binary Execution Using GUP Utility windows, process_creation
UAC Bypass Using Windows Media Player - Process T1548.002 windows, process_creation
User Added to Remote Desktop Users Group T1133, T1136.001, T1021.001 windows, process_creation
Service Registry Key Deleted Via Reg.EXE T1562.001 windows, process_creation
PUA - CsExec Execution T1587.001, T1569.002 windows, process_creation
Uncommon Child Process Of Appvlp.EXE T1218 windows, process_creation
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE T1027 windows, process_creation
PUA - Fast Reverse Proxy (FRP) Execution T1090 windows, process_creation
Suspicious Chromium Browser Instance Executed With Custom Extension T1176 windows, process_creation
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE T1218 windows, process_creation
HackTool - Empire PowerShell UAC Bypass T1548.002 windows, process_creation
Password Protected Compressed File Extraction Via 7Zip T1560.001 windows, process_creation
Process Memory Dump Via Comsvcs.DLL T1036, T1003.001 windows, process_creation
Invoke-Obfuscation Via Stdin T1059.001, T1027 windows, process_creation
HackTool - SharpMove Tool Execution T1021.002 windows, process_creation
Suspicious Execution of InstallUtil Without Log windows, process_creation
Suspicious Driver/DLL Installation Via Odbcconf.EXE T1218.008 windows, process_creation
Cscript/Wscript Uncommon Script Extension Execution T1059.005, T1059.007 windows, process_creation
HackTool - SharpImpersonation Execution T1134.001, T1134.003 windows, process_creation
Microsoft IIS Connection Strings Decryption T1003 windows, process_creation
File Download From Browser Process Via Inline URL T1105 windows, process_creation
Renamed Remote Utilities RAT (RURAT) Execution windows, process_creation
Execute Pcwrun.EXE To Leverage Follina T1218 windows, process_creation
HackTool - CrackMapExec PowerShell Obfuscation T1027.005, T1059.001 windows, process_creation
Use of Wfc.exe T1127 windows, process_creation
VolumeShadowCopy Symlink Creation Via Mklink T1003.003, T1003.002 windows, process_creation
Explorer Process Tree Break T1036 windows, process_creation
Use of W32tm as Timer T1124 windows, process_creation
File In Suspicious Location Encoded To Base64 Via Certutil.EXE T1027 windows, process_creation
Non-privileged Usage of Reg or Powershell T1112 windows, process_creation
Format.com FileSystem LOLBIN windows, process_creation
PUA - Ngrok Execution T1572 windows, process_creation
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler T1127 windows, process_creation
Potential Credential Dumping Via WER T1003.001 windows, process_creation
Loaded Module Enumeration Via Tasklist.EXE T1003 windows, process_creation
PUA - Seatbelt Execution T1526, T1083, T1087 windows, process_creation
Remote Access Tool - UltraViewer Execution T1219 windows, process_creation
PUA - Nmap/Zenmap Execution T1046 windows, process_creation
Suspicious Service DACL Modification Via Set-Service Cmdlet T1543.003 windows, process_creation
Code Execution via Pcwutl.dll T1218.011 windows, process_creation
Windows Defender Definition Files Removed T1562.001 windows, process_creation
Elevated System Shell Spawned From Uncommon Parent Location T1059 windows, process_creation
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE T1543.003 windows, process_creation
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 T1216 windows, process_creation
Sdclt Child Processes T1548.002 windows, process_creation
Windows Admin Share Mount Via Net.EXE T1021.002 windows, process_creation
Csc.EXE Execution From Potentially Suspicious Parent T1218.005, T1059.005, T1027.004, T1059.007 windows, process_creation
Sysinternals PsService Execution T1543.003 windows, process_creation
Fsutil Behavior Set SymlinkEvaluation T1059 windows, process_creation
Direct Autorun Keys Modification T1547.001 windows, process_creation
Sysinternals PsSuspend Execution T1543.003 windows, process_creation
PUA - DefenderCheck Execution T1027.005 windows, process_creation
PUA - AdFind Suspicious Execution T1069.002, T1087.002, T1482, T1018 windows, process_creation
Obfuscated IP Via CLI windows, process_creation
Potential MsiExec Masquerading T1036.005 windows, process_creation
Possible Privilege Escalation via Weak Service Permissions T1574.011 windows, process_creation
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location T1218.009 windows, process_creation
DLL Execution via Rasautou.exe T1218 windows, process_creation
Suspicious Execution Of PDQDeployRunner windows, process_creation
Powershell Token Obfuscation - Process Creation T1027.009 windows, process_creation
Finger.exe Suspicious Invocation T1105 windows, process_creation
Application Terminated Via Wmic.EXE T1047 windows, process_creation
7Zip Compressing Dump Files T1560.001 windows, process_creation
Suspicious NTLM Authentication on the Printer Spooler Service T1212 windows, process_creation
Process Access via TrolleyExpress Exclusion T1218.011, T1003.001 windows, process_creation
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code T1218, T1216 windows, process_creation
Hidden Powershell in Link File Pattern T1059.001 windows, process_creation
Potential LSASS Process Dump Via Procdump T1003.001, T1036 windows, process_creation
Arbitrary Command Execution Using WSL T1202, T1218 windows, process_creation
Suspicious Ping/Del Command Combination T1070.004 windows, process_creation
Nltest.EXE Execution T1016, T1018, T1482 windows, process_creation
Renamed Whoami Execution T1033 windows, process_creation
Potential Suspicious Windows Feature Enabled - ProcCreation windows, process_creation
Enumeration for 3rd Party Creds From CLI T1552.002 windows, process_creation
Uncommon System Information Discovery Via Wmic.EXE T1082 windows, process_creation
Potential Homoglyph Attack Using Lookalike Characters T1036, T1036.003 windows, process_creation
Potential Rundll32 Execution With DLL Stored In ADS T1564.004 windows, process_creation
Suspicious Driver Install by pnputil.exe T1547 windows, process_creation
Renamed MegaSync Execution T1218 windows, process_creation
Exports Critical Registry Keys To a File T1012 windows, process_creation
Rundll32 Execution With Uncommon DLL Extension T1218.011 windows, process_creation
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate windows, process_creation
Suspicious Network Command T1016 windows, process_creation
Potentially Over Permissive Permissions Granted Using Dsacls.EXE T1218 windows, process_creation
Potential SquiblyTwo Technique Execution T1220, T1047, T1059.007, T1059.005 windows, process_creation
PsExec/PAExec Escalation to LOCAL SYSTEM T1587.001 windows, process_creation
Potential Process Execution Proxy Via CL_Invocation.ps1 T1216 windows, process_creation
PUA - IOX Tunneling Tool Execution T1090 windows, process_creation
HackTool - SharpLDAPmonitor Execution windows, process_creation
Suspicious File Download From IP Via Wget.EXE - Paths windows, process_creation
Potential Defense Evasion Via Right-to-Left Override T1036.002 windows, process_creation
Suspicious IIS URL GlobalRules Rewrite Via AppCmd windows, process_creation
Potentially Suspicious Event Viewer Child Process T1548.002 windows, process_creation
Imports Registry Key From an ADS T1112 windows, process_creation
PowerShell Download Pattern T1059.001 windows, process_creation
Audit Policy Tampering Via NT Resource Kit Auditpol T1562.002 windows, process_creation
Suspicious PowerShell Mailbox Export to Share windows, process_creation
Sysinternals PsSuspend Suspicious Execution T1562.001 windows, process_creation
CMSTP Execution Process Creation T1218.003 windows, process_creation
Suspicious WebDav Client Execution Via Rundll32.EXE T1048.003 windows, process_creation
Interactive AT Job T1053.002 windows, process_creation
Suspicious Serv-U Process Pattern T1555 windows, process_creation
SyncAppvPublishingServer Execute Arbitrary PowerShell Code T1218 windows, process_creation
File Enumeration Via Dir Command T1217 windows, process_creation
PUA - DIT Snapshot Viewer T1003.003 windows, process_creation
PUA - NirCmd Execution T1569.002 windows, process_creation
PUA - RunXCmd Execution T1569.002 windows, process_creation
Suspicious Where Execution T1217 windows, process_creation
Potential CobaltStrike Process Patterns T1059 windows, process_creation
Service StartupType Change Via PowerShell Set-Service T1562.001 windows, process_creation
Potential Data Exfiltration Activity Via CommandLine Tools T1059.001 windows, process_creation
HackTool - PPID Spoofing SelectMyParent Tool Execution T1134.004 windows, process_creation
Pubprn.vbs Proxy Execution T1216.001 windows, process_creation
PUA - 3Proxy Execution T1572 windows, process_creation
File Download Via InstallUtil.EXE T1218 windows, process_creation
PUA - Advanced IP Scanner Execution T1135, T1046 windows, process_creation
Bypass UAC via Fodhelper.exe T1548.002 windows, process_creation
Renamed ProcDump Execution T1036.003 windows, process_creation
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution T1218 windows, process_creation
HackTool - KrbRelay Execution T1558.003 windows, process_creation
Remote Access Tool - ScreenConnect Installation Execution T1133 windows, process_creation
HackTool - CreateMiniDump Execution T1003.001 windows, process_creation
Java Running with Remote Debugging T1203 windows, process_creation
Potential File Download Via MS-AppInstaller Protocol Handler T1218 windows, process_creation
Suspicious Script Execution From Temp Folder T1059 windows, process_creation
Visual Studio Code Tunnel Shell Execution T1071.001 windows, process_creation
HackTool - KrbRelayUp Execution T1550.003, T1558.003 windows, process_creation
Potential CommandLine Path Traversal Via Cmd.EXE T1059.003 windows, process_creation
Whoami.EXE Execution Anomaly T1033 windows, process_creation
Suspicious Invoke-WebRequest Execution With DirectIP T1105 windows, process_creation
Disable of ETW Trace T1070, T1562.006 windows, process_creation
Share And Session Enumeration Using Net.EXE T1018 windows, process_creation
Potential Remote Desktop Tunneling T1021 windows, process_creation
Uncommon Userinit Child Process T1037.001 windows, process_creation
Potential Active Directory Enumeration Using AD Module - ProcCreation windows, process_creation
Use of Remote.exe T1127 windows, process_creation
Webshell Tool Reconnaissance Activity T1505.003 windows, process_creation
CobaltStrike Load by Rundll32 T1218.011 windows, process_creation
JSC Convert Javascript To Executable T1127 windows, process_creation
Launch-VsDevShell.PS1 Proxy Execution T1216.001 windows, process_creation
Suspicious Outlook Child Process T1204.002 windows, process_creation
UAC Bypass via Windows Firewall Snap-In Hijack T1548 windows, process_creation
Set Suspicious Files as System Files Using Attrib.EXE T1564.001 windows, process_creation
Suspicious Desktopimgdownldr Command T1105 windows, process_creation
Chromium Browser Instance Executed With Custom Extension T1176 windows, process_creation
Audio Capture via SoundRecorder T1123 windows, process_creation
Suspicious File Download From IP Via Curl.EXE windows, process_creation
Suspicious Use of PsLogList T1087, T1087.001, T1087.002 windows, process_creation
MMC Spawning Windows Shell T1021.003 windows, process_creation
Suspicious Binary In User Directory Spawned From Office Application T1204.002 windows, process_creation
UAC Bypass Using ChangePK and SLUI T1548.002 windows, process_creation
Local Accounts Discovery T1087.001, T1033 windows, process_creation
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE T1562.004 windows, process_creation
Group Membership Reconnaissance Via Whoami.EXE T1033 windows, process_creation
Potential Regsvr32 Commandline Flag Anomaly T1218.010 windows, process_creation
Cmd.EXE Missing Space Characters Execution Anomaly T1059.001 windows, process_creation
Suspicious Service Path Modification T1543.003 windows, process_creation
File Download Using Notepad++ GUP Utility T1105 windows, process_creation
Suspicious VBoxDrvInst.exe Parameters T1112 windows, process_creation
Data Copied To Clipboard Via Clip.EXE T1115 windows, process_creation
File Download Using ProtocolHandler.exe T1218 windows, process_creation
Domain Trust Discovery Via Dsquery T1482 windows, process_creation
Suspicious Debugger Registration Cmdline T1546.008 windows, process_creation
AddinUtil.EXE Execution From Uncommon Directory T1218 windows, process_creation
Compressed File Creation Via Tar.EXE T1560, T1560.001 windows, process_creation
Always Install Elevated Windows Installer T1548.002 windows, process_creation
Ie4uinit Lolbin Use From Invalid Path T1218 windows, process_creation
UAC Bypass via ICMLuaUtil T1548.002 windows, process_creation
MpiExec Lolbin T1218 windows, process_creation
Suspicious Certreq Command to Download T1105 windows, process_creation
Suspicious Diantz Download and Compress Into a CAB File T1105 windows, process_creation
HackTool - winPEAS Execution T1046, T1082, T1087 windows, process_creation
Suspicious Child Process Of Manage Engine ServiceDesk T1102 windows, process_creation
Suspicious File Download From IP Via Wget.EXE windows, process_creation
DumpStack.log Defender Evasion windows, process_creation
New Root Certificate Installed Via CertMgr.EXE T1553.004 windows, process_creation
PUA - Mouse Lock Execution T1056.002 windows, process_creation
Uncommon One Time Only Scheduled Task At 00:00 T1053.005 windows, process_creation
Compress Data and Lock With Password for Exfiltration With 7-ZIP T1560.001 windows, process_creation
Node Process Executions T1127, T1059.007 windows, process_creation
UAC Bypass Using MSConfig Token Modification - Process T1548.002 windows, process_creation
HackTool - Windows Credential Editor (WCE) Execution T1003.001 windows, process_creation
Potential LethalHTA Technique Execution T1218.005 windows, process_creation
Certificate Exported Via PowerShell T1059.001, T1552.004 windows, process_creation
Wab Execution From Non Default Location windows, process_creation
HackTool - DInjector PowerShell Cradle Execution T1055 windows, process_creation
Potential Mftrace.EXE Abuse T1127 windows, process_creation
Findstr GPP Passwords T1552.006 windows, process_creation
Remote Access Tool - LogMeIn Execution T1219 windows, process_creation
Suspicious Add Scheduled Task Parent T1053.005 windows, process_creation
Potential Suspicious Activity Using SeCEdit T1546.008, T1562, T1556.002, T1546.007, T1557, T1564.002, T1562.002, T1547.001, T1505.005, T1574.007, T1547.010, T1082, T1547.002, T1547.014 windows, process_creation
File Download Via Bitsadmin To An Uncommon Target Folder T1197, T1036.003 windows, process_creation
Potential Suspicious Mofcomp Execution T1218 windows, process_creation
Potential Data Stealing Via Chromium Headless Debugging T1185 windows, process_creation
Active Directory Database Snapshot Via ADExplorer T1552.001, T1003.003 windows, process_creation
User Discovery And Export Via Get-ADUser Cmdlet T1033 windows, process_creation
Procdump Execution T1003.001, T1036 windows, process_creation
Windows Kernel Debugger Execution windows, process_creation
Potential SPN Enumeration Via Setspn.EXE T1558.003 windows, process_creation
Potential WinAPI Calls Via CommandLine T1106 windows, process_creation
Potential DLL Sideloading Via DeviceEnroller.EXE T1574.002 windows, process_creation
Potential PowerShell Obfuscation Via Reversed Commands T1059.001, T1027 windows, process_creation
HackTool - SharpView Execution T1069.002, T1482, T1135, T1033, T1049 windows, process_creation
Arbitrary File Download Via Squirrel.EXE T1218 windows, process_creation
Suspicious LOLBIN AccCheckConsole windows, process_creation
Potential Product Class Reconnaissance Via Wmic.EXE T1047 windows, process_creation
Suspicious Parent Double Extension File Execution T1036.007 windows, process_creation
Potential AMSI Bypass Via .NET Reflection T1562.001 windows, process_creation
Suspicious Execution of Shutdown T1529 windows, process_creation
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS T1059.005, T1615 windows, process_creation
Set Files as System Files Using Attrib.EXE T1564.001 windows, process_creation
PUA - PingCastle Execution From Potentially Suspicious Parent T1595 windows, process_creation
LSASS Process Reconnaissance Via Findstr.EXE T1552.006 windows, process_creation
Taskkill Symantec Endpoint Protection T1562.001 windows, process_creation
HackTool - Sliver C2 Implant Activity Pattern T1059 windows, process_creation
Remote File Download Via Findstr.EXE T1105, T1564.004, T1218, T1552.001 windows, process_creation
Potential Configuration And Service Reconnaissance Via Reg.EXE T1007, T1012 windows, process_creation
Bypass UAC via WSReset.exe T1548.002 windows, process_creation
MsiExec Web Install T1218.007, T1105 windows, process_creation
HackTool - WinRM Access Via Evil-WinRM T1021.006 windows, process_creation
Python Spawning Pretty TTY on Windows T1059 windows, process_creation
Registry Modification Via Regini.EXE T1112 windows, process_creation
Potential Provlaunch.EXE Binary Proxy Execution Abuse T1218 windows, process_creation
New User Created Via Net.EXE T1136.001 windows, process_creation
Suspect Svchost Activity T1055 windows, process_creation
Renamed AutoIt Execution T1027 windows, process_creation
Potential Persistence Attempt Via Run Keys Using Reg.EXE T1547.001 windows, process_creation
MSHTA Suspicious Execution 01 T1059.007, T1218.005, T1140 windows, process_creation
Dism Remove Online Package T1562.001 windows, process_creation
Suspicious Windows Update Agent Empty Cmdline T1036 windows, process_creation
Malicious Base64 Encoded PowerShell Keywords in Command Lines T1059.001 windows, process_creation
Msxsl.EXE Execution T1220 windows, process_creation
Suspicious WMIC Execution Via Office Process T1218.010, T1204.002, T1047 windows, process_creation
Powershell Inline Execution From A File T1059.001 windows, process_creation
Cloudflared Quick Tunnel Execution T1090.001 windows, process_creation
PowerShell Download and Execution Cradles T1059 windows, process_creation
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE T1087.002 windows, process_creation
Delete All Scheduled Tasks T1489 windows, process_creation
Potential RDP Tunneling Via SSH T1572 windows, process_creation
Assembly Loading Via CL_LoadAssembly.ps1 T1216 windows, process_creation
Dynamic .NET Compilation Via Csc.EXE T1027.004 windows, process_creation
PowerShell Get-Process LSASS T1552.004 windows, process_creation
Potential Shim Database Persistence via Sdbinst.EXE T1546.011 windows, process_creation
Windows Hotfix Updates Reconnaissance Via Wmic.EXE T1047 windows, process_creation
Potential Credential Dumping Via LSASS Process Clone T1003, T1003.001 windows, process_creation
DLL Execution Via Register-cimprovider.exe T1574 windows, process_creation
Custom Class Execution via Xwizard T1218 windows, process_creation
Potential AMSI Bypass Using NULL Bits T1562.001 windows, process_creation
Use Of The SFTP.EXE Binary As A LOLBIN T1218 windows, process_creation
Suspicious IIS Module Registration T1505.004 windows, process_creation
Suspicious Process Patterns NTDS.DIT Exfil T1003.003 windows, process_creation
New Network Trace Capture Started Via Netsh.EXE T1040 windows, process_creation
ImagingDevices Unusual Parent/Child Processes windows, process_creation
Disable Windows IIS HTTP Logging T1562.002 windows, process_creation
Potential SysInternals ProcDump Evasion T1003.001, T1036 windows, process_creation
Suspicious FromBase64String Usage On Gzip Archive - Process Creation T1132.001 windows, process_creation
Use of Scriptrunner.exe T1218 windows, process_creation
Suspicious Regsvr32 Execution From Remote Share T1218.010 windows, process_creation
Modify Group Policy Settings T1484.001 windows, process_creation
Suspicious WindowsTerminal Child Processes windows, process_creation
Private Keys Reconnaissance Via CommandLine Tools T1552.004 windows, process_creation
New Process Created Via Taskmgr.EXE T1036 windows, process_creation
PsExec Service Child Process Execution as LOCAL SYSTEM windows, process_creation
Renamed Jusched.EXE Execution T1036.003 windows, process_creation
WMI Backdoor Exchange Transport Agent T1546.003 windows, process_creation
Remote Access Tool - Simple Help Execution T1219 windows, process_creation
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution T1219 windows, process_creation
PowerShell DownloadFile T1105, T1104, T1059.001 windows, process_creation
PUA - AdvancedRun Execution T1134.002, T1564.003, T1059.003 windows, process_creation
UAC Bypass Using DismHost T1548.002 windows, process_creation
HackTool - Empire PowerShell Launch Parameters T1059.001 windows, process_creation
Suspicious Office Token Search Via CLI T1528 windows, process_creation
Remote File Download Via Desktopimgdownldr Utility T1105 windows, process_creation
Webshell Detection With Command Line Keywords T1018, T1033, T1505.003, T1087 windows, process_creation
Using SettingSyncHost.exe as LOLBin T1574.008 windows, process_creation
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location T1218 windows, process_creation
Invoke-Obfuscation Via Use Clip T1027, T1059.001 windows, process_creation
New Virtual Smart Card Created Via TpmVscMgr.EXE windows, process_creation
Service Security Descriptor Tampering Via Sc.EXE T1574.011 windows, process_creation
HackTool - RedMimicry Winnti Playbook Execution T1059.003, T1106, T1218.011 windows, process_creation
Potential Network Sniffing Activity Using Network Tools T1040 windows, process_creation
Raccine Uninstall T1562.001 windows, process_creation
InfDefaultInstall.exe .inf Execution T1218 windows, process_creation
HackTool - F-Secure C3 Load by Rundll32 T1218.011 windows, process_creation
Suspicious Process Parents T1036 windows, process_creation
Use of VisualUiaVerifyNative.exe T1218 windows, process_creation
Abused Debug Privilege by Arbitrary Parent Processes T1548 windows, process_creation
Add New Download Source To Winget T1059 windows, process_creation
Potential Execution of Sysinternals Tools T1588.002 windows, process_creation
Conhost.exe CommandLine Path Traversal T1059.003 windows, process_creation
MSExchange Transport Agent Installation T1505.002 windows, process_creation
Suspicious PowerShell Invocations - Specific - ProcessCreation windows, process_creation
HackTool - SafetyKatz Execution T1003.001 windows, process_creation
Potentially Suspicious CMD Shell Output Redirect T1218 windows, process_creation
Exports Registry Key To a File T1012 windows, process_creation
Rundll32 InstallScreenSaver Execution T1218.011 windows, process_creation
Sdiagnhost Calling Suspicious Child Process T1036, T1218 windows, process_creation
Arbitrary Shell Command Execution Via Settingcontent-Ms T1204, T1566.001 windows, process_creation
RestrictedAdminMode Registry Value Tampering - ProcCreation T1112 windows, process_creation
Outlook EnableUnsafeClientMailRules Setting Enabled T1059, T1202 windows, process_creation
Potential Provisioning Registry Key Abuse For Binary Proxy Execution T1218 windows, process_creation
Suspicious Execution Location Of Wermgr.EXE windows, process_creation
Process Memory Dump via RdrLeakDiag.EXE T1003.001 windows, process_creation
Use of Setres.exe T1202, T1218 windows, process_creation
HackTool - SharpEvtMute Execution T1562.002 windows, process_creation
HackTool - Pypykatz Credentials Dumping Activity T1003.002 windows, process_creation
File Download From IP URL Via Curl.EXE windows, process_creation
Suspicious Key Manager Access T1555.004 windows, process_creation
Computer Discovery And Export Via Get-ADComputer Cmdlet T1033 windows, process_creation
Invoke-Obfuscation STDIN+ Launcher T1027, T1059.001 windows, process_creation
Execution via WorkFolders.exe T1218 windows, process_creation
Potential Windows Defender Tampering Via Wmic.EXE T1546.008 windows, process_creation
New Firewall Rule Added Via Netsh.EXE T1562.004 windows, process_creation
Suspicious Process By Web Server Process T1505.003, T1190 windows, process_creation
Persistence Via Sticky Key Backdoor T1546.008 windows, process_creation
HackTool - Covenant PowerShell Launcher T1564.003, T1059.001 windows, process_creation
Suspicious Group And Account Reconnaissance Activity Using Net.EXE T1087.001, T1087.002 windows, process_creation
AgentExecutor PowerShell Execution T1218 windows, process_creation
Audit Policy Tampering Via Auditpol T1562.002 windows, process_creation
Suspicious Mshta.EXE Execution Patterns T1106 windows, process_creation
Write Protect For Storage Disabled T1562 windows, process_creation
Potentially Suspicious Child Process Of WinRAR.EXE T1203 windows, process_creation
Remotely Hosted HTA File Executed Via Mshta.EXE T1218.005 windows, process_creation
Arbitrary File Download Via PresentationHost.EXE T1218 windows, process_creation
UAC Bypass Using IEInstal - Process T1548.002 windows, process_creation
Active Directory Structure Export Via Ldifde.EXE windows, process_creation
Winrar Compressing Dump Files T1560.001 windows, process_creation
Suspicious Execution of Hostname T1082 windows, process_creation
Control Panel Items T1546, T1218.002 windows, process_creation
Regsvr32 Execution From Potential Suspicious Location T1218.010 windows, process_creation
Use of Pcalua For Execution T1059 windows, process_creation
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script T1059 windows, process_creation
New Service Creation Using PowerShell T1543.003 windows, process_creation
Suspicious Microsoft Office Child Process T1047, T1204.002, T1218.010 windows, process_creation
Webshell Hacking Activity Patterns T1087, T1033, T1018, T1505.003 windows, process_creation
Indirect Inline Command Execution Via Bash.EXE T1202 windows, process_creation
Rar Usage with Password and Compression Level T1560.001 windows, process_creation
Tor Client/Browser Execution T1090.003 windows, process_creation
Script Event Consumer Spawning Process T1047 windows, process_creation
Replace.exe Usage T1105 windows, process_creation
Potentially Suspicious Desktop Background Change Using Reg.EXE T1491.001, T1112 windows, process_creation
New Service Creation Using Sc.EXE T1543.003 windows, process_creation
Interesting Service Enumeration Via Sc.EXE T1003 windows, process_creation
LOLBIN Execution From Abnormal Drive windows, process_creation
CMSTP UAC Bypass via COM Object Access T1218.003, T1548.002 windows, process_creation
Uninstall Crowdstrike Falcon Sensor T1562.001 windows, process_creation
Arbitrary MSI Download Via Devinit.EXE T1218 windows, process_creation
User Added to Local Administrators Group T1098 windows, process_creation
Potential Memory Dumping Activity Via LiveKD windows, process_creation
Mstsc.EXE Execution With Local RDP File T1219 windows, process_creation
Script Interpreter Execution From Suspicious Folder T1059 windows, process_creation
Suspicious Remote Child Process From Outlook T1202, T1059 windows, process_creation
UAC Bypass WSReset T1548.002 windows, process_creation
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI windows, process_creation
Binary Proxy Execution Via Dotnet-Trace.EXE T1218 windows, process_creation
Application Whitelisting Bypass via Dnx.exe T1218, T1027.004 windows, process_creation
Suspicious Vsls-Agent Command With AgentExtensionPath Load T1218 windows, process_creation
Arbitrary File Download Via IMEWDBLD.EXE T1218 windows, process_creation
Suspicious Encoded PowerShell Command Line T1059.001 windows, process_creation
Uncommon AddinUtil.EXE CommandLine Execution T1218 windows, process_creation
Suspicious Rundll32 Execution With Image Extension T1218.011 windows, process_creation
UAC Bypass Abusing Winsat Path Parsing - Process T1548.002 windows, process_creation
Whoami Utility Execution T1033 windows, process_creation
Suspicious Process Start Locations T1036 windows, process_creation
Potential PowerShell Obfuscation Via WCHAR T1027, T1059.001 windows, process_creation
Indirect Command Execution By Program Compatibility Wizard T1218 windows, process_creation
Stop Windows Service Via Net.EXE T1489 windows, process_creation
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE windows, process_creation
Windows Internet Hosted WebDav Share Mount Via Net.EXE T1021.002 windows, process_creation
Suspicious File Downloaded From Direct IP Via Certutil.EXE T1027 windows, process_creation
Remote XSL Execution Via Msxsl.EXE T1220 windows, process_creation
Potential Register_App.Vbs LOLScript Abuse T1218 windows, process_creation
Kavremover Dropped Binary LOLBIN Usage T1127 windows, process_creation
Suspicious File Encoded To Base64 Via Certutil.EXE T1027 windows, process_creation
Unsigned AppX Installation Attempt Using Add-AppxPackage windows, process_creation
Suspicious Command Patterns In Scheduled Task Creation T1053.005 windows, process_creation
Suspicious PowerShell Parameter Substring T1059.001 windows, process_creation
Renamed AutoHotkey.EXE Execution windows, process_creation
Chopper Webshell Process Pattern T1033, T1018, T1087, T1505.003 windows, process_creation
Nslookup PowerShell Download Cradle - ProcessCreation windows, process_creation
Curl Download And Execute Combination T1218, T1105 windows, process_creation
HackTool - CrackMapExec Execution Patterns T1059.003, T1047, T1053, T1059.001 windows, process_creation
Recon Command Output Piped To Findstr.EXE T1057 windows, process_creation
Service StartupType Change Via Sc.EXE T1562.001 windows, process_creation
Renamed NetSupport RAT Execution windows, process_creation
Potential Defense Evasion Via Rename Of Highly Relevant Binaries T1036.003 windows, process_creation
File Download with Headless Browser T1105 windows, process_creation
Firewall Configuration Discovery Via Netsh.EXE T1016 windows, process_creation
Weak or Abused Passwords In CLI windows, process_creation
Windows Firewall Disabled via PowerShell T1562 windows, process_creation
Execute Code with Pester.bat T1216, T1059.001 windows, process_creation
Suspicious Child Process Of Veeam Database windows, process_creation
Suspicious Child Process of AspNetCompiler T1127 windows, process_creation
Suspicious Modification Of Scheduled Tasks T1053.005 windows, process_creation
Tamper Windows Defender Remove-MpPreference T1562.001 windows, process_creation
SQLite Firefox Profile Data DB Access T1005, T1539 windows, process_creation
Permission Check Via Accesschk.EXE T1069.001 windows, process_creation
WinDbg/CDB LOLBIN Usage T1127, T1106, T1218 windows, process_creation
Suspicious Calculator Usage T1036 windows, process_creation
Suspicious ConfigSecurityPolicy Execution T1567 windows, process_creation
Potential Privilege Escalation Using Symlink Between Osk and Cmd T1546.008 windows, process_creation
UAC Bypass Tools Using ComputerDefaults T1548.002 windows, process_creation
Suspicious Msiexec Execute Arbitrary DLL T1218.007 windows, process_creation
Filter Driver Unloaded Via Fltmc.EXE T1562.002, T1562, T1070 windows, process_creation
Ilasm Lolbin Use Compile C-Sharp T1127 windows, process_creation
Writing Of Malicious Files To The Fonts Folder T1059, T1211 windows, process_creation
Potential RDP Session Hijacking Activity windows, process_creation
Potential Cookies Session Hijacking windows, process_creation
DeviceCredentialDeployment Execution T1218 windows, process_creation
Execution via stordiag.exe T1218 windows, process_creation
Suspicious RASdial Activity T1059 windows, process_creation
HackTool - WinPwn Execution T1548.002, T1518, T1555, T1106, T1046, T1552.001, T1555.003, T1082 windows, process_creation
Msiexec Quiet Installation T1218.007 windows, process_creation
Rundll32 Registered COM Objects T1546.015 windows, process_creation
Fsutil Suspicious Invocation T1485, T1070 windows, process_creation
Install New Package Via Winget Local Manifest T1059 windows, process_creation
PUA - Chisel Tunneling Tool Execution T1090.001 windows, process_creation
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet T1087.001 windows, process_creation
New DLL Registered Via Odbcconf.EXE T1218.008 windows, process_creation
Add Windows Capability Via PowerShell Cmdlet windows, process_creation
Suspicious Electron Application Child Processes windows, process_creation
NtdllPipe Like Activity Execution windows, process_creation
Esentutl Steals Browser Information T1005 windows, process_creation
Taskmgr as LOCAL_SYSTEM T1036 windows, process_creation
Ping Hex IP T1140, T1027 windows, process_creation
HackTool - Jlaive In-Memory Assembly Execution T1059.003 windows, process_creation
Windows Binary Executed From WSL T1202 windows, process_creation
Microsoft IIS Service Account Password Dumped T1003 windows, process_creation
Remote CHM File Download/Execution Via HH.EXE T1218.001 windows, process_creation
Potential COM Objects Download Cradles Usage - Process Creation T1105 windows, process_creation
Driver/DLL Installation Via Odbcconf.EXE T1218.008 windows, process_creation
File Download Via Windows Defender MpCmpRun.EXE T1218, T1105 windows, process_creation
New User Created Via Net.EXE With Never Expire Option T1136.001 windows, process_creation
Explorer NOUACCHECK Flag T1548.002 windows, process_creation
Net WebClient Casing Anomalies T1059.001 windows, process_creation
New Port Forwarding Rule Added Via Netsh.EXE T1090 windows, process_creation
Potential Suspicious Registry File Imported Via Reg.EXE T1112 windows, process_creation
Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN T1218 windows, process_creation
PUA - PingCastle Execution T1595 windows, process_creation
HackTool - Wmiexec Default Powershell Command windows, process_creation
Potential DLL Injection Or Execution Using Tracker.exe T1055.001 windows, process_creation
Suspicious Mstsc.EXE Execution With Local RDP File T1219 windows, process_creation
WMIC Remote Command Execution T1047 windows, process_creation
Execute From Alternate Data Streams T1564.004 windows, process_creation
Use NTFS Short Name in Command Line T1564.004 windows, process_creation
Python Inline Command Execution T1059 windows, process_creation
Suspicious Registry Modification From ADS Via Regini.EXE T1112 windows, process_creation
DllUnregisterServer Function Call Via Msiexec.EXE T1218.007 windows, process_creation
Renamed FTP.EXE Execution T1059, T1202 windows, process_creation
Cloudflared Portable Execution T1090.001 windows, process_creation
Boot Configuration Tampering Via Bcdedit.EXE T1490 windows, process_creation
Suspicious Schtasks From Env Var Folder T1053.005 windows, process_creation
Suspicious File Execution From Internet Hosted WebDav Share T1059.001 windows, process_creation
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION T1059.001, T1027 windows, process_creation
Suspicious High IntegrityLevel Conhost Legacy Option T1202 windows, process_creation
Remote Access Tool - ScreenConnect Server Web Shell Execution T1190 windows, process_creation
Suspicious Csi.exe Usage T1218, T1072 windows, process_creation
Uncommon Svchost Parent Process T1036.005 windows, process_creation
Operator Bloopers Cobalt Strike Commands T1059.003 windows, process_creation
Import LDAP Data Interchange Format File Via Ldifde.EXE T1218, T1105 windows, process_creation
Access To Browser Credential Files By Uncommon Application T1003 windows, file_access
Credential Manager Access By Uncommon Application T1003 windows, file_access
Access To .Reg/.Hive Files By Uncommon Application T1112 windows, file_access
Access To Potentially Sensitive Sysvol Files By Uncommon Application T1552.006 windows, file_access
Access To Windows DPAPI Master Keys By Uncommon Application T1555.004 windows, file_access
Access To Windows Credential History File By Uncommon Application T1555.004 windows, file_access
Suspicious Appended Extension T1486 windows, file_rename
Unusual File Modification by dns.exe T1133 windows, file_change
File Creation Date Changed to Another Year T1070.006 windows, file_change
Potentially Suspicious Self Extraction Directive File Created T1218 windows, file_executable_detected
PowerShell Console History Logs Deleted T1070 windows, file_delete
Tomcat WebServer Logs Deleted T1070 windows, file_delete
TeamViewer Log File Deleted T1070.004 windows, file_delete
File Deleted Via Sysinternals SDelete T1070.004 windows, file_delete
Exchange PowerShell Cmdlet History Deleted T1070 windows, file_delete
ADS Zone.Identifier Deleted By Uncommon Application T1070.004 windows, file_delete
Unusual File Deletion by Dns.exe T1133 windows, file_delete
Backup Files Deleted T1490 windows, file_delete
EventLog EVTX File Deleted T1070 windows, file_delete
IIS WebServer Access Logs Deleted T1070 windows, file_delete
Prefetch File Deleted T1070.004 windows, file_delete
Potential PrintNightmare Exploitation Attempt T1574 windows, file_delete
ISO or Image Mount Indicator in Recent Files T1566.001 windows, file_event
Office Macro File Creation T1566.001 windows, file_event
Potential Persistence Via Outlook Form T1137.003 windows, file_event
Office Macro File Download T1566.001 windows, file_event
Suspicious PFX File Creation T1552.004 windows, file_event
Inveigh Execution Artefacts T1219 windows, file_event
Suspicious File Created In PerfLogs T1059 windows, file_event
Legitimate Application Dropped Executable T1218 windows, file_event
NTDS.DIT Creation By Uncommon Parent Process T1003.003 windows, file_event
PsExec Service File Creation T1569.002 windows, file_event
BloodHound Collection Files T1069.001, T1087.002, T1059.001, T1087.001, T1069.002, T1482 windows, file_event
Windows Terminal Profile Settings Modification By Uncommon Process T1547.015 windows, file_event
HackTool - Dumpert Process Dumper Default File T1003.001 windows, file_event
Potential Persistence Via Microsoft Office Add-In T1137.006 windows, file_event
UAC Bypass Using EventVwr windows, file_event
Remote Access Tool - ScreenConnect Temporary File T1059.003 windows, file_event
Writing Local Admin Share T1546.002 windows, file_event
File Creation In Suspicious Directory By Msdt.EXE T1547.001 windows, file_event
LiveKD Driver Creation windows, file_event
Potential Persistence Via Microsoft Office Startup Folder T1137 windows, file_event
VHD Image Download Via Browser T1587.001 windows, file_event
Suspicious Creation with Colorcpl T1564 windows, file_event
Creation of a WerFault.exe in Unusual Folder T1574.001 windows, file_event
Legitimate Application Dropped Archive T1218 windows, file_event
WerFault LSASS Process Memory Dump T1003.001 windows, file_event
ADSI-Cache File Creation By Uncommon Tool T1001.003 windows, file_event
Potential Privilege Escalation Attempt Via .Exe.Local Technique windows, file_event
New Custom Shim Database Created T1547.009 windows, file_event
Uncommon File Created In Office Startup Folder T1587.001 windows, file_event
UAC Bypass Abusing Winsat Path Parsing - File T1548.002 windows, file_event
Process Monitor Driver Creation By Non-Sysinternals Binary T1068 windows, file_event
WinSxS Executable File Creation By Non-System Process windows, file_event
Office Macro File Creation From Suspicious Process T1566.001 windows, file_event
Creation Exe for Service with Unquoted Path T1547.009 windows, file_event
Suspicious PROCEXP152.sys File Created In TMP T1562.001 windows, file_event
Potential Webshell Creation On Static Website T1505.003 windows, file_event
Files With System Process Name In Unsuspected Locations T1036.005 windows, file_event
Suspicious desktop.ini Action T1547.009 windows, file_event
GoToAssist Temporary Installation Artefact T1219 windows, file_event
PSEXEC Remote Execution File Artefact T1543.003, T1570, T1136.002 windows, file_event
PowerShell Profile Modification T1546.013 windows, file_event
CSExec Service File Creation T1569.002 windows, file_event
Suspicious File Event With Teams Objects T1528 windows, file_event
PowerShell Script Dropped Via PowerShell.EXE windows, file_event
UAC Bypass Using IDiagnostic Profile - File T1548.002 windows, file_event
Suspicious Creation TXT File in User Desktop T1486 windows, file_event
Suspicious File Creation In Uncommon AppData Folder windows, file_event
ISO File Created Within Temp Folders T1566.001 windows, file_event
Creation of a Diagcab windows, file_event
Suspicious Unattend.xml File Access T1552.001 windows, file_event
Malicious DLL File Dropped in the Teams or OneDrive Folder T1574.002 windows, file_event
CrackMapExec File Indicators T1003.001 windows, file_event
Suspicious File Creation Activity From Fake Recycle.Bin Folder windows, file_event
UAC Bypass Using Consent and Comctl32 - File T1548.002 windows, file_event
Hijack Legit RDP Session to Move Laterally T1219 windows, file_event
LSASS Process Memory Dump Files T1003.001 windows, file_event
LiveKD Kernel Memory Dump File Created windows, file_event
Windows Binaries Write Suspicious Extensions T1036 windows, file_event
Potential Startup Shortcut Persistence Via PowerShell.EXE T1547.001 windows, file_event
ScreenConnect Temporary Installation Artefact T1219 windows, file_event
SCR File Write Event T1218.011 windows, file_event
Visual Studio Code Tunnel Remote File Creation windows, file_event
NTDS.DIT Creation By Uncommon Process T1003.003, T1003.002 windows, file_event
Potential Remote Credential Dumping Activity T1003 windows, file_event
UAC Bypass Using NTFS Reparse Point - File T1548.002 windows, file_event
GatherNetworkInfo.VBS Reconnaissance Script Output windows, file_event
Startup Folder File Write T1547.001 windows, file_event
SafetyKatz Default Dump Filename T1003.001 windows, file_event
Legitimate Application Dropped Script T1218 windows, file_event
Suspicious Desktopimgdownldr Target File T1105 windows, file_event
Cred Dump Tools Dropped Files T1003.003, T1003.001, T1003.002, T1003.005, T1003.004 windows, file_event
Potential Persistence Attempt Via ErrorHandler.Cmd windows, file_event
Drop Binaries Into Spool Drivers Color Folder windows, file_event
Suspicious Outlook Macro Created T1546, T1008, T1137 windows, file_event
Malicious PowerShell Scripts - FileCreation T1059.001 windows, file_event
Potentially Suspicious DMP/HDMP File Creation windows, file_event
Assembly DLL Creation Via AspNetCompiler windows, file_event
QuarksPwDump Dump File T1003.002 windows, file_event
Anydesk Temporary Artefact T1219 windows, file_event
Windows Shell/Scripting Application File Write to Suspicious Folder T1059 windows, file_event
Suspicious Startup Folder Persistence T1547.001 windows, file_event
Suspicious Screensaver Binary File Creation T1546.002 windows, file_event
Potential Suspicious PowerShell Module File Created windows, file_event
VsCode Powershell Profile Modification T1546.013 windows, file_event
Process Explorer Driver Creation By Non-Sysinternals Binary T1068 windows, file_event
Potential Homoglyph Attack Using Lookalike Characters in Filename T1036, T1036.003 windows, file_event
Potential Binary Or Script Dropper Via PowerShell windows, file_event
Suspicious Scheduled Task Write to System32 Tasks T1053 windows, file_event
EVTX Created In Uncommon Location T1562.002 windows, file_event
Dynamic CSharp Compile Artefact T1027.004 windows, file_event
PowerShell Module File Created By Non-PowerShell Process windows, file_event
Suspicious LNK Double Extension File Created T1036.007 windows, file_event
NTDS.DIT Created T1003.003 windows, file_event
Potential SAM Database Dump T1003.002 windows, file_event
Suspicious Double Extension Files T1036.007 windows, file_event
Suspicious DotNET CLR Usage Log Artifact T1218 windows, file_event
RemCom Service File Creation T1569.002 windows, file_event
Installation of TeamViewer Desktop T1219 windows, file_event
LSASS Process Memory Dump Creation Via Taskmgr.EXE T1003.001 windows, file_event
Suspicious Get-Variable.exe Creation T1027, T1546 windows, file_event
NTDS Exfiltration Filename Patterns T1003.003 windows, file_event
Potential Persistence Via Notepad++ Plugins windows, file_event
Renamed VsCode Code Tunnel Execution - File Indicator windows, file_event
Suspicious File Created Via OneNote Application windows, file_event
Potential RipZip Attack on Startup Folder T1547 windows, file_event
WMI Persistence - Script Event Consumer File Write T1546.003 windows, file_event
Suspicious Files in Default GPO Folder T1036.005 windows, file_event
PCRE.NET Package Temp Files T1059 windows, file_event
UAC Bypass Using IEInstal - File T1548.002 windows, file_event
LiveKD Driver Creation By Uncommon Process windows, file_event
Suspicious Interactive PowerShell as SYSTEM T1059.001 windows, file_event
Self Extraction Directive File Created In Potentially Suspicious Location T1218 windows, file_event
Rclone Config File Creation T1567.002 windows, file_event
OneNote Attachment File Dropped In Suspicious Location windows, file_event
PSScriptPolicyTest Creation By Uncommon Process windows, file_event
UAC Bypass Using Windows Media Player - File T1548.002 windows, file_event
Publisher Attachment File Dropped In Suspicious Location windows, file_event
NPPSpy Hacktool Usage windows, file_event
Advanced IP Scanner - File Event T1046 windows, file_event
UEFI Persistence Via Wpbbin - FileCreation T1542.001 windows, file_event
TeamViewer Remote Session T1219 windows, file_event
Suspicious Binary Writes Via AnyDesk T1219 windows, file_event
Creation Of Non-Existent System DLL T1574.001, T1574.002 windows, file_event
Created Files by Microsoft Sync Center T1055, T1218 windows, file_event
UAC Bypass Using .NET Code Profiler on MMC T1548.002 windows, file_event
Suspicious MSExchangeMailboxReplication ASPX Write T1190, T1505.003 windows, file_event
New Outlook Macro Created T1546, T1137, T1008 windows, file_event
Potential Initial Access via DLL Search Order Hijacking T1566, T1574, T1574.001, T1566.001 windows, file_event
WScript or CScript Dropper - File T1059.007, T1059.005 windows, file_event
DLL Search Order Hijacking Via Additional Space in Path T1574.002 windows, file_event
Potential DCOM InternetExplorer.Application DLL Hijack T1021.002, T1021.003 windows, file_event
Wmiprvse Wbemcomn DLL Hijack - File T1047, T1021.002 windows, file_event
Adwind RAT / JRAT File Artifact T1059.007, T1059.005 windows, file_event
Octopus Scanner Malware T1195.001, T1195 windows, file_event
File With Uncommon Extension Created By An Office Application T1204.002 windows, file_event
PowerShell Module File Created windows, file_event
Mimikatz Kirbi File Creation T1558 windows, file_event
Potential Winnti Dropper Activity T1027 windows, file_event
RDP File Creation From Suspicious Application windows, file_event
Wmiexec Default Output File T1047 windows, file_event
UAC Bypass Using MSConfig Token Modification - File T1548.002 windows, file_event
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream T1564.004 windows, file_event
Suspicious Executable File Creation T1564 windows, file_event
Typical HiveNightmare SAM File Export T1552.001 windows, file_event
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File T1216 windows, file_event
LSASS Process Dump Artefact In CrashDumps Folder T1003.001 windows, file_event
Suspicious ASPX File Drop by Exchange T1505.003 windows, file_event
Powerup Write Hijack DLL T1574.001 windows, file_event
Suspicious File Drop by Exchange T1505.003, T1190 windows, file_event
New DLL Added to AppInit_DLLs Registry Key T1546.010 windows, registry_event
Pandemic Registry Key T1105 windows, registry_event
HybridConnectionManager Service Installation - Registry T1608 windows, registry_event
Suspicious Camera and Microphone Access T1125, T1123 windows, registry_event
Path To Screensaver Binary Modified T1546.002 windows, registry_event
Registry Entries For Azorult Malware T1112 windows, registry_event
Narrator's Feedback-Hub Persistence T1547.001 windows, registry_event
OilRig APT Registry Persistence T1053.005, T1112, T1071.004, T1543.003 windows, registry_event
Registry Persistence Mechanisms in Recycle Bin T1547 windows, registry_event
Leviathan Registry Key Activity T1547.001 windows, registry_event
Suspicious Run Key from Download T1547.001 windows, registry_event
New PortProxy Registry Entry Added T1090 windows, registry_event
Security Support Provider (SSP) Added to LSA Configuration T1547.005 windows, registry_event
Potential Credential Dumping Via LSASS SilentProcessExit Technique T1003.001 windows, registry_event
DLL Load via LSASS T1547.008 windows, registry_event
Wdigest CredGuard Registry Modification T1112 windows, registry_event
Sticky Key Like Backdoor Usage - Registry T1546.008 windows, registry_event
CMSTP Execution Registry Event T1218.003 windows, registry_event
Potential Qakbot Registry Activity T1112 windows, registry_event
Disable Security Events Logging Adding Reg Key MiniNt T1562.001, T1112 windows, registry_event
New DLL Added to AppCertDlls Registry Key T1546.009 windows, registry_event
Windows Credential Editor Registry T1003.001 windows, registry_event
OceanLotus Registry Activity T1112 windows, registry_event
UAC Bypass Via Wsreset T1548.002 windows, registry_event
Windows Registry Trust Record Modification T1566.001 windows, registry_event
Esentutl Volume Shadow Copy Service Keys T1003.002 windows, registry_event
NetNTLM Downgrade Attack - Registry T1112, T1562.001 windows, registry_event
RedMimicry Winnti Playbook Registry Manipulation T1112 windows, registry_event
PrinterNightmare Mimikatz Driver Name T1204 windows, registry_event
Shell Open Registry Keys Manipulation T1546.001, T1548.002 windows, registry_event
Creation of a Local Hidden User Account by Registry T1136.001 windows, registry_event
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback T1562.001 windows, registry_set
Office Application Startup - Office Test T1137.002 windows, registry_event
Atbroker Registry Change T1218, T1547 windows, registry_event
WINEKEY Registry Modification T1547 windows, registry_event
Run Once Task Configuration in Registry T1112 windows, registry_event
Removal of Potential COM Hijacking Registry Keys T1112 windows, registry_delete
Removal Of Index Value to Hide Schedule Task - Registry T1562 windows, registry_delete
Folder Removed From Exploit Guard ProtectedFolders List - Registry T1562.001 windows, registry_delete
Removal Of AMSI Provider Registry Keys T1562.001 windows, registry_delete
Removal Of SD Value to Hide Schedule Task - Registry T1562 windows, registry_delete
Terminal Server Client Connection History Cleared - Registry T1112, T1070 windows, registry_delete
Potential Ursnif Malware Activity - Registry T1112 windows, registry_add
Potential COM Object Hijacking Via TreatAs Subkey - Registry T1546.015 windows, registry_add
Potential Persistence Via Logon Scripts - Registry T1037.001 windows, registry_add
PUA - Sysinternals Tools Execution - Registry T1588.002 windows, registry_add
Potential Persistence Via New AMSI Providers - Registry windows, registry_add
Suspicious Execution Of Renamed Sysinternals Tools - Registry T1588.002 windows, registry_add
Potential NetWire RAT Activity - Registry T1112 windows, registry_add
Potential Persistence Via Disk Cleanup Handler - Registry windows, registry_add
PUA - Sysinternal Tool Execution - Registry T1588.002 windows, registry_add
New DNS ServerLevelPluginDll Installed T1112, T1574.002 windows, registry_set
Potential Registry Persistence Attempt Via DbgManagedDebugger T1574 windows, registry_set
Enable LM Hash Storage T1112 windows, registry_set
Hiding User Account Via SpecialAccounts Registry Key T1564.002 windows, registry_set
COM Hijacking via TreatAs T1546.015 windows, registry_set
ETW Logging Disabled For rpcrt4.dll T1112, T1562 windows, registry_set
Trust Access Disable For VBApplications T1112 windows, registry_set
Add Port Monitor Persistence in Registry T1547.010 windows, registry_set
Usage of Renamed Sysinternals Tools - RegistrySet T1588.002 windows, registry_set
Potential Ransomware Activity Using LegalNotice Message T1491.001 windows, registry_set
Potential SentinelOne Shell Context Menu Scan Command Tampering windows, registry_set
Add DisallowRun Execution to Registry T1112 windows, registry_set
Enabling COR Profiler Environment Variables T1574.012 windows, registry_set
Suspicious Keyboard Layout Load T1588.002 windows, registry_set
Potential CobaltStrike Service Installations - Registry T1021.002, T1543.003, T1569.002 windows, registry_set
Potential Attachment Manager Settings Attachments Tamper windows, registry_set
Disable Microsoft Defender Firewall via Registry T1562.004 windows, registry_set
Registry Persistence via Explorer Run Key T1547.001 windows, registry_set
Internet Explorer DisableFirstRunCustomize Enabled windows, registry_set
Potential Persistence Via Event Viewer Events.asp T1112 windows, registry_set
Classes Autorun Keys Modification T1547.001 windows, registry_set
Outlook Macro Execution Without Warning Setting Enabled T1008, T1546, T1137 windows, registry_set
PowerShell as a Service in Registry T1569.002 windows, registry_set
New TimeProviders Registered With Uncommon DLL Name T1547.003 windows, registry_set
Scheduled TaskCache Change by Uncommon Program T1053, T1053.005 windows, registry_set
New ODBC Driver Registered windows, registry_set
VBScript Payload Stored in Registry T1547.001 windows, registry_set
Running Chrome VPN Extensions via the Registry 2 VPN Extension T1133 windows, registry_set
Suspicious Shim Database Patching Activity T1546.011 windows, registry_set
Suspicious Service Installed T1562.001 windows, registry_set
Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting T1137, T1546, T1008 windows, registry_set
Wdigest Enable UseLogonCredential T1112 windows, registry_set
Change Winevt Channel Access Permission Via Registry T1562.002 windows, registry_set
Bypass UAC Using SilentCleanup Task T1548.002 windows, registry_set
Potentially Suspicious ODBC Driver Registered T1003 windows, registry_set
Potential EventLog File Location Tampering T1562.002 windows, registry_set
Potential Persistence Via Excel Add-in - Registry T1137.006 windows, registry_set
Potential Persistence Via MyComputer Registry Keys windows, registry_set
Registry Explorer Policy Modification T1112 windows, registry_set
Suspicious Powershell In Registry Run Keys T1547.001 windows, registry_set
Potential Persistence Via App Paths Default Property T1546.012 windows, registry_set
Persistence Via Hhctrl.ocx windows, registry_set
Potential Persistence Via TypedPaths windows, registry_set
Persistence Via Disk Cleanup Handler - Autorun windows, registry_set
New BgInfo.EXE Custom VBScript Registry Configuration T1112 windows, registry_set
New Application in AppCompat T1204.002 windows, registry_set
Suspicious Application Allowed Through Exploit Guard T1562.001 windows, registry_set
Potential Persistence Via Shim Database In Uncommon Location T1546.011 windows, registry_set
Disable PUA Protection on Windows Defender T1562.001 windows, registry_set
Add Debugger Entry To AeDebug For Persistence windows, registry_set
MaxMpxCt Registry Value Changed T1070.005 windows, registry_set
Winlogon Notify Key Logon Persistence T1547.004 windows, registry_set
Potential Persistence Via COM Search Order Hijacking T1546.015 windows, registry_set
Lsass Full Dump Request Via DumpType Registry Settings T1003.001 windows, registry_set
COM Hijack via Sdclt T1546, T1548 windows, registry_set
Bypass UAC Using DelegateExecute T1548.002 windows, registry_set
Tamper With Sophos AV Registry Keys T1562.001 windows, registry_set
CurrentControlSet Autorun Keys Modification T1547.001 windows, registry_set
CurrentVersion Autorun Keys Modification T1547.001 windows, registry_set
Disable Internal Tools or Feature in Registry T1112 windows, registry_set
RestrictedAdminMode Registry Value Tampering T1112 windows, registry_set
Disable Windows Security Center Notifications T1112 windows, registry_set
Potential Persistence Via Scrobj.dll COM Hijacking T1546.015 windows, registry_set
Outlook Security Settings Updated - Registry T1137 windows, registry_set
CrashControl CrashDump Disabled T1112, T1564 windows, registry_set
Registry Persistence via Service in Safe Mode T1564.001 windows, registry_set
Potential Persistence Via Custom Protocol Handler T1112 windows, registry_set
Suspicious Path In Keyboard Layout IME File Registry Value T1562.001 windows, registry_set
Winlogon AllowMultipleTSSessions Enable T1112 windows, registry_set
Registry Hide Function from User T1112 windows, registry_set
Potential Registry Persistence Attempt Via Windows Telemetry T1053.005 windows, registry_set
Potential PowerShell Execution Policy Tampering windows, registry_set
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG T1218 windows, registry_set
Office Autorun Keys Modification T1547.001 windows, registry_set
New BgInfo.EXE Custom WMI Query Registry Configuration T1112 windows, registry_set
Add Debugger Entry To Hangs Key For Persistence windows, registry_set
PowerShell Logging Disabled Via Registry Key Tampering T1564.001 windows, registry_set
Bypass UAC Using Event Viewer T1547.010 windows, registry_set
Potential Persistence Via CHM Helper DLL windows, registry_set
WinSock2 Autorun Keys Modification T1547.001 windows, registry_set
Modify User Shell Folders Startup Value T1547.001 windows, registry_set
Session Manager Autorun Keys Modification T1547.001, T1546.009 windows, registry_set
RDP Sensitive Settings Changed T1112 windows, registry_set
Sysmon Driver Altitude Change T1562.001 windows, registry_set
UAC Bypass via Event Viewer T1548.002 windows, registry_set
Potential WerFault ReflectDebugger Registry Value Abuse T1036.003 windows, registry_set
Activate Suppression of Windows Security Center Notifications T1112 windows, registry_set
Potential PendingFileRenameOperations Tamper T1036.003 windows, registry_set
Potential Persistence Via COM Hijacking From Suspicious Locations T1546.015 windows, registry_set
Disable Macro Runtime Scan Scope windows, registry_set
Potential PSFactoryBuffer COM Hijacking T1546.015 windows, registry_set
ETW Logging Disabled For SCM T1562, T1112 windows, registry_set
Potential Persistence Via Visual Studio Tools for Office T1137.006 windows, registry_set
Windows Defender Exclusions Added - Registry T1562.001 windows, registry_set
Disabled Windows Defender Eventlog T1562.001 windows, registry_set
System Scripts Autorun Keys Modification T1547.001 windows, registry_set
Potential Persistence Via Outlook Today Pages T1112 windows, registry_set
Register New IFilter For Persistence windows, registry_set
New File Association Using Exefile windows, registry_set
DHCP Callout DLL Installation T1574.002, T1112 windows, registry_set
Registry Disable System Restore T1490 windows, registry_set
Blue Mockingbird - Registry T1112, T1047 windows, registry_set
Disable UAC Using Registry T1548.002 windows, registry_set
Potential Persistence Via AutodialDLL windows, registry_set
PowerShell Script Execution Policy Enabled windows, registry_set
Macro Enabled In A Potentially Suspicious Document T1112 windows, registry_set
Hide Schedule Task Via Index Value Tamper T1562 windows, registry_set
Disable Administrative Share Creation at Startup T1070.005 windows, registry_set
Scripted Diagnostics Turn Off Check Enabled - Registry T1562.001 windows, registry_set
Modification of IE Registry Settings T1112 windows, registry_set
Enable Local Manifest Installation With Winget windows, registry_set
New BgInfo.EXE Custom DB Path Registry Configuration T1112 windows, registry_set
Disable Windows Firewall by Registry T1562.004 windows, registry_set
Disable Privacy Settings Experience in Registry T1562.001 windows, registry_set
Potential Persistence Via LSA Extensions windows, registry_set
Old TLS1.0/TLS1.1 Protocol Version Enabled windows, registry_set
Potential AutoLogger Sessions Tampering windows, registry_set
Potential Persistence Via DLLPathOverride windows, registry_set
Uncommon Microsoft Office Trusted Location Added T1112 windows, registry_set
UAC Bypass Using Windows Media Player - Registry T1548.002 windows, registry_set
Service Binary in Suspicious Folder T1112 windows, registry_set
Wow6432Node CurrentVersion Autorun Keys Modification T1547.001 windows, registry_set
Potential Attachment Manager Settings Associations Tamper windows, registry_set
IE Change Domain Zone T1137 windows, registry_set
Potential Persistence Via Mpnotify windows, registry_set
Uncommon Extension In Keyboard Layout IME File Registry Value T1562.001 windows, registry_set
UAC Bypass via Sdclt T1548.002 windows, registry_set
New Netsh Helper DLL Registered From A Suspicious Location T1546.007 windows, registry_set
ScreenSaver Registry Key Set T1218.011 windows, registry_set
Potential Persistence Via Shim Database Modification T1546.011 windows, registry_set
Wow6432Node Windows NT CurrentVersion Autorun Keys Modification T1547.001 windows, registry_set
Potential AMSI COM Server Hijacking T1562.001 windows, registry_set
Custom File Open Handler Executes PowerShell T1202 windows, registry_set
Microsoft Office Protected View Disabled T1562.001 windows, registry_set
Suspicious Printer Driver Empty Manufacturer T1574 windows, registry_set
Potential Credential Dumping Attempt Using New NetworkProvider - REG T1003 windows, registry_set
Outlook EnableUnsafeClientMailRules Setting Enabled - Registry T1112 windows, registry_set
Common Autorun Keys Modification T1547.001 windows, registry_set
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols windows, registry_set
Winget Admin Settings Modification windows, registry_set
NET NGenAssemblyUsageLog Registry Key Tamper T1112 windows, registry_set
Blackbyte Ransomware Registry T1112 windows, registry_set
DNS-over-HTTPS Enabled by Registry T1140, T1112 windows, registry_set
Enable Microsoft Dynamic Data Exchange T1559.002 windows, registry_set
ClickOnce Trust Prompt Tampering T1112 windows, registry_set
Disable Exploit Guard Network Protection on Windows Defender T1562.001 windows, registry_set
Potential Persistence Using DebugPath T1546.015 windows, registry_set
Displaying Hidden Files Feature Disabled T1564.001 windows, registry_set
Potential Persistence Via AppCompat RegisterAppRestart Layer T1546.011 windows, registry_set
Office Macros Warning Disabled T1112 windows, registry_set
Lolbas OneDriveStandaloneUpdater.exe Proxy Download T1105 windows, registry_set
ServiceDll Hijack T1543.003 windows, registry_set
Registry Modification to Hidden File Extension T1137 windows, registry_set
Suspicious Environment Variable Has Been Registered windows, registry_set
Hypervisor Enforced Code Integrity Disabled T1562.001 windows, registry_set
Potentially Suspicious Desktop Background Change Via Registry T1112, T1491.001 windows, registry_set
Potential Persistence Via Netsh Helper DLL - Registry T1546.007 windows, registry_set
UAC Bypass Abusing Winsat Path Parsing - Registry T1548.002 windows, registry_set
Change the Fax Dll T1112 windows, registry_set
Default RDP Port Changed to Non Standard Port T1547.010 windows, registry_set
New Root or CA or AuthRoot Certificate to Store T1490 windows, registry_set
Change User Account Associated with the FAX Service T1112 windows, registry_set
Internet Explorer Autorun Keys Modification T1547.001 windows, registry_set
CurrentVersion NT Autorun Keys Modification T1547.001 windows, registry_set
ETW Logging Disabled In .NET Processes - Sysmon Registry T1562, T1112 windows, registry_set
Potential Signing Bypass Via Windows Developer Features - Registry windows, registry_set
Disable Tamper Protection on Windows Defender T1562.001 windows, registry_set
Disable Windows Event Logging Via Registry T1562.002 windows, registry_set
RDP Sensitive Settings Changed to Zero T1112 windows, registry_set
Wow6432Node Classes Autorun Keys Modification T1547.001 windows, registry_set
Execution DLL of Choice Using WAB.EXE T1218 windows, registry_set
Potential Persistence Via GlobalFlags T1546.012 windows, registry_set
Disable Windows Defender Functionalities Via Registry Keys T1562.001 windows, registry_set
New RUN Key Pointing to Suspicious Folder T1547.001 windows, registry_set
Allow RDP Remote Assistance Feature T1112 windows, registry_set
Potential Persistence Via Outlook Home Page T1112 windows, registry_set
Persistence Via New SIP Provider T1553.003 windows, registry_set
Windows Defender Service Disabled - Registry T1562.001 windows, registry_set
Suspicious Network Connection to IP Lookup Service APIs T1016 windows, network_connection
Equation Editor Network Connection T1203 windows, network_connection
Network Communication With Crypto Mining Pool T1496 windows, network_connection
Outbound Network Connection To Public IP Via Winlogon T1218.011 windows, network_connection
Potentially Suspicious Malware Callback Communication T1571 windows, network_connection
Potentially Suspicious Wuauclt Network Connection T1218 windows, network_connection
Network Connection Initiated By IMEWDBLD.EXE T1105 windows, network_connection
Potentially Suspicious Network Connection To Notion API T1102 windows, network_connection
Uncommon Outbound Kerberos Connection T1558, T1550.003 windows, network_connection
Suspicious Program Location with Network Connections T1105 windows, network_connection
Office Application Initiated Network Connection To Non-Local IP T1203 windows, network_connection
Outbound RDP Connections Over Non-Standard Tools T1021.001 windows, network_connection
Suspicious Non-Browser Network Communication With Telegram API T1102 windows, network_connection
Office Application Initiated Network Connection Over Uncommon Ports windows, network_connection
Network Connection Initiated To DevTunnels Domain T1567.001 windows, network_connection
Script Initiated Connection T1105 windows, network_connection
Dllhost.EXE Initiated Network Connection To Non-Local IP Address T1559.001, T1218 windows, network_connection
Network Connection Initiated To Visual Studio Code Tunnels Domain T1567.001 windows, network_connection
Silenttrinity Stager Msbuild Activity T1127.001 windows, network_connection
RDP to HTTP or HTTPS Target Ports T1021.001, T1572 windows, network_connection
Rundll32 Internet Connection T1218.011 windows, network_connection
Suspicious Wordpad Outbound Connections windows, network_connection
Potential Remote PowerShell Session Initiated T1021.006, T1059.001 windows, network_connection
Network Connection Initiated To Mega.nz T1567.001 windows, network_connection
Communication To Ngrok Tunneling Service Initiated T1102, T1567, T1090, T1568.002, T1572 windows, network_connection
Potential Dead Drop Resolvers T1102, T1102.001 windows, network_connection
Msiexec.EXE Initiated Network Connection Over HTTP T1218.007 windows, network_connection
Suspicious Network Connection Binary No CommandLine windows, network_connection
Network Connection Initiated By Regsvr32.EXE T1559.001, T1218.010 windows, network_connection
Microsoft Sync Center Suspicious Network Connections T1218, T1055 windows, network_connection
Connection Initiated Via Certutil.EXE T1105 windows, network_connection
Communication To Uncommon Destination Ports T1571 windows, network_connection
RDP Over Reverse SSH Tunnel T1021.001, T1572 windows, network_connection
Process Initiated Network Connection To Ngrok Domain T1567.001 windows, network_connection
Network Connection Initiated Via Notepad.EXE T1055 windows, network_connection
Microsoft Binary Suspicious Communication Endpoint T1105 windows, network_connection
Suspicious Outbound SMTP Connections T1048.003 windows, network_connection
Python Initiated Connection T1046 windows, network_connection
Script Initiated Connection to Non-Local Network T1105 windows, network_connection
Cmstp Making Network Connection T1218.003 windows, network_connection
Suspicious Dropbox API Usage T1105 windows, network_connection
Network Connection Initiated By AddinUtil.EXE T1218 windows, network_connection
Suspicious Non-Browser Network Communication With Google API T1102 windows, network_connection
Suspicious Encoded Scripts in a WMI Consumer T1546.003, T1047 windows, wmi_event
WMI Event Subscription T1546.003 windows, wmi_event
Suspicious Scripting in a WMI Consumer T1059.005 windows, wmi_event
Malicious Named Pipe Created T1055 windows, pipe_created
Alternate PowerShell Hosts Pipe T1059.001 windows, pipe_created
CobaltStrike Named Pipe T1055 windows, pipe_created
HackTool - EfsPotato Named Pipe Creation T1055 windows, pipe_created
PUA - PAExec Default Named Pipe T1569.002 windows, pipe_created
HackTool - CoercedPotato Named Pipe Creation T1055 windows, pipe_created
HackTool - Credential Dumping Tools Named Pipe Created T1003.001, T1003.004, T1003.002, T1003.005 windows, pipe_created
PUA - RemCom Default Named Pipe T1021.002, T1569.002 windows, pipe_created
CobaltStrike Named Pipe Patterns T1055 windows, pipe_created
HackTool - DiagTrackEoP Default Named Pipe windows, pipe_created
HackTool - Koh Default Named Pipe T1134.001, T1528 windows, pipe_created
PsExec Tool Execution From Suspicious Locations - PipeName T1569.002 windows, pipe_created
ADFS Database Named Pipe Connection By Uncommon Tool T1005 windows, pipe_created
New PowerShell Instance Created T1059.001 windows, pipe_created
PUA - CSExec Default Named Pipe T1569.002, T1021.002 windows, pipe_created
WMI Event Consumer Created Named Pipe T1047 windows, pipe_created
CobaltStrike Named Pipe Pattern Regex T1055 windows, pipe_created
Juniper BGP Missing MD5 T1110, T1078, T1557 juniper
Huawei BGP Authentication Failures T1078, T1110, T1557 huawei
Cisco BGP Authentication Failures T1110, T1078, T1557 cisco
Cisco LDP Authentication Failures T1078, T1110, T1557 cisco
Cisco Disabling Logging T1562.001 cisco
Cisco Discovery T1082, T1201, T1018, T1016, T1124, T1049, T1057, T1033, T1083 cisco
Cisco Stage Data T1560.001, T1074, T1105 cisco
Cisco Local Accounts T1098, T1136.001 cisco
Cisco Clear Logs T1070.003 cisco
Cisco Denial of Service T1529, T1495, T1565.001 cisco
Cisco Sniffing T1040 cisco
Cisco Modify Configuration T1565.002, T1505, T1490, T1053 cisco
Cisco Crypto Commands T1552.004, T1553.004 cisco
Cisco Show Commands Input T1552.003 cisco
Cisco Collect Data T1005, T1087.001, T1552.001 cisco
Cisco File Deletion T1561.002, T1561.001, T1070.004 cisco
DNS Query to External Service Interaction Domains T1595.002, T1190 dns
Cobalt Strike DNS Beaconing T1071.004 dns
Telegram Bot API Request T1102.002 dns
Monero Crypto Coin Mining Pool Lookup T1496, T1567 dns
Suspicious DNS Query with B64 Encoded String T1071.004, T1048.003 dns
Wannacry Killswitch Domain T1071.001 dns
DNS TXT Answer with Possible Execution Strings T1071.004 dns
Suspicious PsExec Execution - Zeek T1021.002 zeek
SMB Spoolss Name Piped Usage T1021.002 zeek
Possible Impacket SecretDump Remote Activity - Zeek T1003.003, T1003.004, T1003.002 zeek
First Time Seen Remote Named Pipe - Zeek T1021.002 zeek
Default Cobalt Strike Certificate zeek
MITRE BZAR Indicators for Execution T1053.002, T1047, T1569.002 zeek
Executable from Webdav T1105 zeek
DNS Events Related To Mining Pools T1569.002, T1496 zeek
Suspicious Access to Sensitive File Extensions - Zeek zeek
WebDav Put Request T1048.003 zeek
DNS TOR Proxies T1048 zeek
OMIGOD HTTP No Authentication RCE T1210, T1068, T1190, T1203, T1021.006 zeek
MITRE BZAR Indicators for Persistence T1547.004 zeek
Remote Task Creation via ATSVC Named Pipe - Zeek T1053.002 zeek
Possible PrintNightmare Print Driver Install zeek
Potential PetitPotam Attack Via EFS RPC Calls T1557.001, T1187 zeek
Suspicious DNS Z Flag Bit Set T1095, T1571 zeek
New Kind of Network (NKN) Detection zeek
Kerberos Network Traffic RC4 Ticket Encryption T1558.003 zeek
Publicly Accessible RDP Service T1021.001 zeek
Transferring Files with Credential Data via Network Shares - Zeek T1003.002, T1003.001, T1003.003 zeek
Cleartext Protocol Usage firewall
Potential Server Side Template Injection In Velocity T1190 velocity, application
Ruby on Rails Framework Exceptions T1190 ruby_on_rails, application
Recon Activity via SASec rpc_firewall, application
Remote Schedule Task Lateral Movement via ITaskSchedulerService T1053, T1053.002 rpc_firewall, application
SharpHound Recon Account Discovery T1087 rpc_firewall, application
Remote Registry Recon rpc_firewall, application
Remote Encrypting File System Abuse rpc_firewall, application
Remote Server Service Abuse rpc_firewall, application
SharpHound Recon Sessions T1033 rpc_firewall, application
Remote Schedule Task Lateral Movement via ATSvc T1053, T1053.002 rpc_firewall, application
Remote Schedule Task Recon via AtScv rpc_firewall, application
Remote Schedule Task Lateral Movement via SASec T1053.002, T1053 rpc_firewall, application
Remote Event Log Recon rpc_firewall, application
Remote DCOM/WMI Lateral Movement T1021.003, T1047 rpc_firewall, application
Remote Registry Lateral Movement T1112 rpc_firewall, application
Possible DCSync Attack T1033 rpc_firewall, application
Remote Schedule Task Recon via ITaskSchedulerService rpc_firewall, application
Remote Server Service Abuse for Lateral Movement T1569.002 rpc_firewall, application
Remote Printing Abuse for Lateral Movement rpc_firewall, application
OpenCanary - SMB File Open Request T1005, T1021 opencanary, application
OpenCanary - GIT Clone Request T1213 opencanary, application
OpenCanary - SSH Login Attempt T1021, T1078, T1133 opencanary, application
OpenCanary - SIP Request T1123 opencanary, application
OpenCanary - HTTPPROXY Login Attempt T1090 opencanary, application
OpenCanary - MSSQL Login Attempt Via Windows Authentication T1213, T1003 opencanary, application
OpenCanary - VNC Connection Attempt T1021 opencanary, application
OpenCanary - MySQL Login Attempt T1003, T1213 opencanary, application
OpenCanary - Telnet Login Attempt T1078, T1133 opencanary, application
OpenCanary - SNMP OID Request T1021, T1016 opencanary, application
OpenCanary - SSH New Connection Attempt T1133, T1021, T1078 opencanary, application
OpenCanary - FTP Login Attempt T1190, T1021 opencanary, application
OpenCanary - HTTP POST Login Attempt T1190 opencanary, application
OpenCanary - HTTP GET Request T1190 opencanary, application
OpenCanary - REDIS Action Command Attempt T1003, T1213 opencanary, application
OpenCanary - NTP Monlist Request T1498 opencanary, application
OpenCanary - TFTP Request T1041 opencanary, application
OpenCanary - MSSQL Login Attempt Via SQLAuth T1003, T1213 opencanary, application
Potential Sidecar Injection Into Running Deployment T1609 kubernetes, application
Creation Of Pod In System Namespace T1036.005 kubernetes, application
Potential Remote Command Execution In Pod Container T1609 kubernetes, application
Deployment Deleted From Kubernetes Cluster T1498 kubernetes, application
Privileged Container Deployed T1611 kubernetes, application
RBAC Permission Enumeration Attempt T1087.004, T1069.003 kubernetes, application
Kubernetes Events Deleted T1070 kubernetes, application
Kubernetes Secrets Enumeration T1552.007 kubernetes, application
Container With A hostPath Mount Created T1611 kubernetes, application
New Kubernetes Service Account Created T1136 kubernetes, application
Potential SpEL Injection In Spring Framework T1190 spring, application
Spring Framework Exceptions T1190 spring, application
Suspicious SQL Error Messages T1190 sql, application
Potential RCE Exploitation Attempt In NodeJS T1190 nodejs, application
Potential XXE Exploitation Attempt In JVM Based Application T1190 jvm, application
Potential OGNL Injection Exploitation In JVM Based Application T1190 jvm, application
Potential Local File Read Vulnerability In JVM Based Application T1190 jvm, application
Potential JNDI Injection Exploitation In JVM Based Application T1190 jvm, application
Process Execution Error In JVM Based Application T1190 jvm, application
Python SQL Exceptions T1190 python, application
Django Framework Exceptions T1190 django, application