FortiSIEM Rules

Tactics

Use Cases

Data Sources

Rules by Data Source

Rules by MITRE Tactic

Reconnaissance

Name Tactic Technique Severity
Linux: NMAP Process Activity ReconnaissanceT1592.002,T1595.0017
Linux: Nping Process Activity ReconnaissanceT1595.0017
Phishing attack found but not remediatedReconnaissanceT1598.002,T1598.0039
Windows: PUA - Crassus ExecutionReconnaissanceT1590.0017

Resource Development

Name Tactic Technique Severity
Office365: Abnormal Logon DetectedResource DevelopmentT1586.0029
Office365: Identity Protection Detected a Risky User or SignIn ActivityResource DevelopmentT1586.0029
Office365: Strong Authentication Disabled for a UserResource DevelopmentT1586.0029
Office365: Suspicious File Type UploadedResource DevelopmentT1608.0019
Oracle OCI: User SMTP Credentials CreatedResource DevelopmentT1585.0027
Outbreak: Active Directory Privilege Escalation Exploit Detected on HostResource DevelopmentT1584.0019
Outbreak: Active Directory Privilege Escalation Exploit Detected on NetworkResource DevelopmentT1584.0019
Outbreak: Apache Commons Text RCE Vulnerability Detected on NetworkResource DevelopmentT1586.0029
Outbreak: Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on HostResource DevelopmentT1586.0029
Outbreak: Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on NetworkResource DevelopmentT1586.0029
Outbreak: Microsoft Office Follina Vuln Detected on HostResource DevelopmentT1584.0059
Outbreak: Microsoft Office Follina Vuln Detected on NetworkResource DevelopmentT1584.0059
Outbreak: Prestige Ransomware Detected on HostResource DevelopmentT1586.0029
Outbreak: Prestige Ransomware Detected on NetworkResource DevelopmentT1586.0029
Outbreak: Sysrv-K Botnet Activity Detected on HostResource DevelopmentT1584.0059
Outbreak: Sysrv-K Botnet Activity Detected on NetworkResource DevelopmentT1584.0059
Windows: Creation In User Word Statup FolderResource DevelopmentT1587.0015
Windows: Creation of an Executable by an ExecutableResource DevelopmentT1587.0013
Windows: PUA - CsExec ExecutionResource DevelopmentT1587.0017
Windows: Potential Execution of Sysinternals ToolsResource DevelopmentT1588.0023
Windows: Potential Privilege Escalation To LOCAL SYSTEMResource DevelopmentT1587.0017
Windows: Potential PsExec Remote ExecutionResource DevelopmentT1587.0017
Windows: PsExec/PAExec Escalation to LOCAL SYSTEMResource DevelopmentT1587.0017
Windows: Renamed SysInternals DebugView ExecutionResource DevelopmentT1588.0027
Windows: VHD Image Download Via BrowserResource DevelopmentT1587.0015

Initial Access

Name Tactic Technique Severity
AWS EC2 Network Access Control List Created Initial AccessT1078.0043
AWS IAM Assume Role Policy Update Initial AccessT1078.0046
AWS IAM Group Created Initial AccessT1078.0043
AWS IAM Password Recovery Requested Initial AccessT1078.0049
AWS Management Console Root Login Initial AccessT1078.0049
AWS Root Login Without MFA Initial AccessT1078.00410
AWS SecHub: Tactics: Initial Access DetectedInitial Accessnone7
Azure Automation Account Created Initial AccessT1078.0047
Azure Blob Container Access Level Modification Initial AccessT11907
Azure Event Hub Authorization Rule Created or Updated Initial AccessT1078.0047
Azure External Guest User Invitation Initial AccessT1078.0043
Default password usageInitial Accessnone7
Excessive Rogue or Unsecure APs DetectedInitial Accessnone9
Outbreak: Kaseya REvil Ransomware File Activity Detected on HostInitial AccessT1195.0029
Outbreak: Kaseya REvil Ransomware File Activity Detected on NetworkInitial AccessT1195.0029
Outbreak: Kaseya REvil Suspicious File Hash Found on HostInitial AccessT1195.0029
Outbreak: Kaseya REvil Suspicious File Hash Found on NetworkInitial AccessT1195.0029
Outbreak: Windows HTTP Protocol Stack RCE Detected on HostInitial AccessT11909
Outbreak: Windows HTTP Protocol Stack RCE Detected on NetworkInitial AccessT11909
Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on HostInitial AccessT11909
Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on NetworkInitial AccessT11909
Rogue or Unsecure AP DetectedInitial Accessnone7
Sudden Increase in Failed Logons To A HostInitial AccessT1078.0037
Sudden Increase in Successful Logons To A HostInitial AccessT1078.0037
Suspicious Database LogonInitial AccessT1078.0037
User Added as Owner for Azure Application Initial AccessT1078.0049
User Added as Owner for Azure Service Principal Initial AccessT1078.0049
Windows: Addition of Domain Trusts Initial AccessT11995
Windows: Arbitrary Shell Command Execution Via Settingcontent-MsInitial AccessT1566.0015
Windows: Execution in Outlook Temp FolderInitial AccessT1566.0017
Windows: External Disk Drive or USB Storage Device Initial AccessT1091,T12003
Windows: External Remote RDP Logon from Public IPInitial AccessT11335
Windows: External Remote SMB Logon from Public IPInitial AccessT11337
Windows: Failed Logon From Public IPInitial AccessT11905
Windows: HTML Help HH.EXE Suspicious Child ProcessInitial AccessT1566.0017
Windows: ISO File Created Within Temp FoldersInitial AccessT1566.0017
Windows: ISO Image MountInitial AccessT1566.0015
Windows: LPE InstallerFileTakeOver PoC CVE-2021-41379Initial AccessT11907
Windows: Octopus Scanner Malware Detected Initial AccessT1195.0017
Windows: Office Macro File CreationInitial AccessT1566.0013
Windows: Office Macro File Creation From Suspicious ProcessInitial AccessT1566.0017
Windows: Office Macro File DownloadInitial AccessT1566.0015
Windows: Remote Access Tool - ScreenConnect Suspicious ExecutionInitial AccessT11337
Windows: Suspicious Double Extension File ExecutionInitial AccessT1566.0019
Windows: Suspicious HH.EXE ExecutionInitial AccessT1566.0017
Windows: Suspicious HWP Sub ProcessesInitial AccessT1566.0017
Windows: Suspicious Microsoft OneNote Child ProcessInitial AccessT1566.0017
Windows: Suspicious Processes Spawned by WinRMInitial AccessT11907
Windows: Unusual Child Process of dns.exeInitial AccessT11337
Windows: Windows Registry Trust Record ModificationInitial AccessT1566.0015

Execution

Name Tactic Technique Severity
AWS Execution via System Manager ExecutionT1059.0063
AWS SecHub: Tactics: Execution DetectedExecutionnone8
AlertLogic IncidentExecutionnone7
Azure Command Execution on Virtual Machine ExecutionT1059.0065
Backdoor Found by Network IPSExecutionT1204.0019
Blocked File ExecutionExecutionnone8
Code Injection Attack detected by NIPSExecutionnone9
Crowdstrike: Blocked ExploitExecutionnone6
Crowdstrike: Drive By Download Executionnone8
Crowdstrike: File Blocked With Matching HashExecutionnone6
Crowdstrike: Overwatch Detection Executionnone9
Cylance Blocked Exploit Executionnone7
Cylance Found Active ScriptExecutionnone7
Cylance Quarantined HostExecutionnone7
Cylance Waived ThreatExecutionnone3
CylanceProtect Threat ChangedExecutionnone7
Excessive WLAN Exploits: Same SourceExecutionnone9
Executable file posting from external sourceExecutionnone9
Execution via local SxS Shared Module ExecutionT11295
FortiEDR: Inconclusive or PUP Process BlockedExecutionT1204.0027
FortiEDR: Inconclusive or PUP Process DetectedExecutionT1204.0028
FortiEDR: Likely Safe Process BlockedExecutionT1204.0022
FortiEDR: Likely Safe Process DetectedExecutionT1204.0024
FortiEDR: Malicious Process BlockedExecutionT1204.0029
FortiEDR: Malicious Process DetectedExecutionT1204.00210
FortiEDR: Safe Process BlockedExecutionT1204.0021
FortiEDR: Safe Process DetectedExecutionT1204.0023
FortiEDR: Suspicious Process BlockedExecutionT1204.0027
FortiEDR: Suspicious Process DetectedExecutionT1204.0028
FortiSandbox detects Network AttackExecutionnone7
High Risk Rating Cisco IPS ExploitExecutionnone9
High Severity Inbound Denied Security ExploitExecutionnone5
High Severity Inbound Permitted IPS ExploitExecutionnone9
High Severity Outbound Denied IPS ExploitExecutionnone9
High Severity Outbound Permitted IPS ExploitExecutionnone9
High Severity Symantec Host IPS Exploit Executionnone9
High Severity WLAN AttackExecutionnone9
Linux: Interactive Terminal Spawned via Perl ExecutionT1059.0045
Linux: Interactive Terminal Spawned via Python ExecutionT1059.0065
Linux: Netcat Process Activity ExecutionT1059.0047
Linux: socat Process Activity ExecutionT1059.0047
MS 365 Defender: Exploit DetectedExecutionnone9
MS 365 Defender: Suspicious PowerShell command line Execution AlertExecutionT1059.0017
Malicious PowerShell Tool: PSAttack DetectedExecutionT1059.0019
Multiple Distinct IPS Events From Same SrcExecutionnone9
PowerShell Commandlet of Well Known Exploitation Framework DetectedExecutionT1059.0019
PowerShell Script Detected Calling a Credential PromptExecutionT1059.0019
Shellshock Expression in Log Files Executionnone9
Spyware Found And CleanedExecutionT1204.0015
Spyware Found by Network IPSExecutionT1204.0019
Spyware found but not remediatedExecutionT1204.0019
Suspicious Linux SSHD Errors Executionnone7
Suspicious Linux VSFTPD ErrorsExecutionnone7
Suspicious Linux log entries Executionnone7
System Exploit Detected by Network IPSExecutionnone7
System Exploit Detected by Network IPS: Likely Success Executionnone9
Unapproved File ExecutionExecutionnone8
Windows process communicating outbound to unusual portsExecutionT11296
Windows: Active Directory Kerberos DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Active Directory Parsing DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Application Removed Via Wmic.EXEExecutionT10475
Windows: CLR DLL Loaded Via Office ApplicationsExecutionT1204.0025
Windows: CMSTP Execution Process AccessExecutionT1559.0017
Windows: CVE-2021-26858 Exchange ExploitationExecutionT12037
Windows: CVE-2021-31979 CVE-2021-33771 Exploits by SourgumExecutionT12039
Windows: CVE-2022-24527 Microsoft Connected Cache LPEExecutionT1059.0017
Windows: Change PowerShell Policies to an Insecure LevelExecutionT1059.0015
Windows: Cmd.EXE Missing Space Characters Execution AnomalyExecutionT1059.0017
Windows: Cobalt Strike Service Installations: Security LogExecutionT1569.0027
Windows: CobaltStrike Service Installations: System LogExecutionT1569.0029
Windows: Computer System Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Conhost.exe CommandLine Path TraversalExecutionT1059.0037
Windows: ConvertTo-SecureString Cmdlet Usage Via CommandLineExecutionT1059.0015
Windows: Created Files by Office ApplicationsExecutionT1204.0027
Windows: Credential Dumping Tools Service ExecutionExecutionT1569.0029
Windows: Credential Dumping Tools Service Execution - SecurityExecutionT1569.0027
Windows: Credential Dumping Tools Service Execution - SystemExecutionT1569.0027
Windows: Detection of PowerShell Execution via Sqlps.exeExecutionT1059.0015
Windows: Direct Syscall of NtOpenProcessExecutionT11067
Windows: Dllhost Internet ConnectionExecutionT1559.0015
Windows: DotNET Assembly DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Equation Editor Network ConnectionExecutionT12037
Windows: Excel Network ConnectionsExecutionT12035
Windows: Exchange PowerShell Snap-Ins UsageExecutionT1059.0017
Windows: Execute Code with Pester.batExecutionT1059.0015
Windows: GAC DLL Loaded Via Office ApplicationsExecutionT1204.0027
Windows: HackTool - CrackMapExec Execution PatternsExecutionT1059.0037
Windows: HackTool - CrackMapExec PowerShell ObfuscationExecutionT1059.0017
Windows: HackTool - Default PowerSploit/Empire Scheduled Task CreationExecutionT1059.0017
Windows: HackTool - Empire PowerShell Launch ParametersExecutionT1059.0017
Windows: HackTool - Koadic ExecutionExecutionT1059.0077
Windows: HackTool - Potential Impacket Lateral Movement ActivityExecutionT10477
Windows: HandleKatz Duplicating LSASS HandleExecutionT11067
Windows: Hardware Model Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Hidden Powershell in Link File PatternExecutionT1059.0015
Windows: Import PowerShell Modules From Suspicious Directories - ProcCreationExecutionT1059.0015
Windows: Important Scheduled Task Deleted/DisabledExecutionT1053.0057
Windows: Interactive AT JobExecutionT1053.0027
Windows: Invoke-Obfuscation CLIP Launcher: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation COMPRESS OBFUSCATION: Security LogExecutionT1059.0015
Windows: Invoke-Obfuscation COMPRESS OBFUSCATION: SysmonExecutionT1059.0015
Windows: Invoke-Obfuscation COMPRESS OBFUSCATION: System LogExecutionT1059.0015
Windows: Invoke-Obfuscation Obfuscated IEX Invocation: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation RUNDLL LAUNCHER: System LogExecutionT1059.0015
Windows: Invoke-Obfuscation STDIN Launcher: Security LogExecutionT1059.0017
Windows: Invoke-Obfuscation STDIN Launcher: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation STDIN Launcher: System LogExecutionT1059.0017
Windows: Invoke-Obfuscation VAR LAUNCHER OBFUSCATION: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation VAR Launcher: Security LogExecutionT1059.0017
Windows: Invoke-Obfuscation VAR Launcher: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation Via Stdin: Security LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Stdin: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation Via Stdin: System LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use Clip: Security Log ExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use Clip: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use Clip: System LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use MSHTA: Security LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use MSHTA: SysmonExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use MSHTA: System LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use Rundll32: Security LogExecutionT1059.0017
Windows: Invoke-Obfuscation Via Use Rundll32: System LogExecutionT1059.0017
Windows: Java Running with Remote DebuggingExecutionT12035
Windows: Jlaive Usage For Assembly Execution In-MemoryExecutionT1059.0035
Windows: LittleCorporal Generated Maldoc InjectionExecutionT1204.0027
Windows: Login with WMIExecutionT10473
Windows: Malicious Base64 Encoded PowerShell Keywords in Command LinesExecutionT1059.0017
Windows: Malicious Service InstallationsExecutionT1569.0029
Windows: Microsoft Excel Add-In LoadedExecutionT1204.0023
Windows: Microsoft Excel Add-In Loaded From Uncommon LocationExecutionT1204.0025
Windows: Microsoft VBA For Outlook Addin Loaded Via OutlookExecutionT1204.0027
Windows: Mimikatz through Windows Remote ManagementExecutionT1059.0017
Windows: New Process Created Via Wmic.EXEExecutionT10475
Windows: Node Process ExecutionsExecutionT1059.0075
Windows: Non Interactive PowerShell Process SpawnedExecutionT1059.0013
Windows: Operator Bloopers Cobalt Strike CommandsExecutionT1059.0037
Windows: Operator Bloopers Cobalt Strike ModulesExecutionT1059.0037
Windows: PAExec Service InstallationExecutionT1569.0025
Windows: PDQ Deploy Remote Adminstartion Tool ExecutionExecutionT10725
Windows: PUA - NSudo ExecutionExecutionT1569.0027
Windows: PUA - NirCmd ExecutionExecutionT1569.0025
Windows: PUA - NirCmd Execution As LOCAL SYSTEMExecutionT1569.0027
Windows: PUA - RunXCmd ExecutionExecutionT1569.0027
Windows: Persistence and Execution at Scale via GPO Scheduled TaskExecutionT1053.0057
Windows: Potential CommandLine Path Traversal Via Cmd.EXEExecutionT1059.0037
Windows: Potential Data Exfiltration Activity Via CommandLine ToolsExecutionT1059.0017
Windows: Potential Encoded PowerShell Patterns In CommandLineExecutionT1059.0013
Windows: Potential Persistence Via Microsoft Compatibility AppraiserExecutionT1053.0055
Windows: Potential Persistence Via Powershell Search Order Hijacking - TaskExecutionT1059.0017
Windows: Potential PowerShell Command Line ObfuscationExecutionT1059.0017
Windows: Potential PowerShell Downgrade AttackExecutionT1059.0015
Windows: Potential PowerShell Obfuscation Via Reversed CommandsExecutionT1059.0017
Windows: Potential Powershell ReverseShell ConnectionExecutionT1059.0017
Windows: Potential Product Class Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Potential Product Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Potential Reconnaissance Activity Via GatherNetworkInfo.VBSExecutionT1059.0055
Windows: Potential Unquoted Service Path Reconnaissance Via Wmic.EXEExecutionT10477
Windows: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShellExecutionT1059.0015
Windows: Potential WinAPI Calls Via CommandLineExecutionT11067
Windows: PowerShell Base64 Encoded IEX CmdletExecutionT1059.0017
Windows: PowerShell Base64 Encoded Invoke KeywordExecutionT1059.0017
Windows: PowerShell Base64 Encoded Reflective Assembly LoadExecutionT1059.0017
Windows: PowerShell Base64 Encoded WMI ClassesExecutionT1059.0017
Windows: PowerShell Core DLL Loaded By Non PowerShell ProcessExecutionT1059.0015
Windows: PowerShell Network ConnectionsExecutionT1059.0013
Windows: PowerShell Script Run in AppDataExecutionT1059.0015
Windows: PowerShell Scripts Installed as ServicesExecutionT1569.0027
Windows: PowerShell Scripts Run by a ServicesExecutionT1569.0027
Windows: Process Reconnaissance Via Wmic.EXEExecutionT10475
Windows: ProcessHacker Privilege ElevationExecutionT1569.0027
Windows: PsExec Service File CreationExecutionT1569.0023
Windows: Read Contents From Stdin Via Cmd.EXEExecutionT1059.0035
Windows: Regsvr32 DNS ActivityExecutionT1559.0017
Windows: Regsvr32 Network ActivityExecutionT1559.0017
Windows: Remote Access Tool Services Have Been Installed - SecurityExecutionT1569.0025
Windows: Remote Access Tool Services Have Been Installed - SystemExecutionT1569.0025
Windows: Remote PowerShell Session Host Process WinRM ExecutionT1059.0015
Windows: Remote PowerShell Session Network ExecutionT1059.0017
Windows: Remote PowerShell Sessions ExecutionT1059.0017
Windows: Remote Task Creation via ATSVC Named PipeExecutionT1053.0025
Windows: Restricted Software Access By SRPExecutionT10727
Windows: SQL Client Tools PowerShell Session DetectionExecutionT1059.0015
Windows: Scheduled Task CreationExecutionT1053.0053
Windows: Scheduled Task DeletionExecutionT1053.0053
Windows: Scheduled Task Executing Powershell Encoded Payload from RegistryExecutionT1059.0017
Windows: Schtasks Creation Or Modification With SYSTEM PrivilegesExecutionT1053.0057
Windows: Schtasks From Suspicious FoldersExecutionT1053.0057
Windows: Script Event Consumer Spawning ProcessExecutionT10477
Windows: Service Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Service Started/Stopped Via Wmic.EXEExecutionT10475
Windows: Sliver C2 Default Service InstallationExecutionT1569.0027
Windows: Start Windows Service Via Net.EXEExecutionT1569.0023
Windows: Suspicious Add Scheduled Command PatternExecutionT1053.0057
Windows: Suspicious Add Scheduled Task ParentExecutionT1053.0055
Windows: Suspicious Binary In User Directory Spawned From Office ApplicationExecutionT1204.0027
Windows: Suspicious Csi.exe UsageExecutionT10725
Windows: Suspicious Encoded And Obfuscated Reflection Assembly Load Function CallExecutionT1059.0017
Windows: Suspicious Encoded PowerShell Command LineExecutionT1059.0017
Windows: Suspicious Execution of Powershell with Base64ExecutionT1059.0015
Windows: Suspicious File Characteristics Due to Missing FieldsExecutionT1059.0065
Windows: Suspicious File Execution From Internet Hosted WebDav ShareExecutionT1059.0017
Windows: Suspicious Modification Of Scheduled TasksExecutionT1053.0057
Windows: Suspicious Mshta.EXE Execution PatternsExecutionT11067
Windows: Suspicious Outlook Child ProcessExecutionT1204.0027
Windows: Suspicious PowerShell Download and Execute PatternExecutionT1059.0017
Windows: Suspicious PowerShell Encoded Command PatternsExecutionT1059.0017
Windows: Suspicious PowerShell Invocation From Script EnginesExecutionT1059.0015
Windows: Suspicious PowerShell Parameter SubstringExecutionT1059.0017
Windows: Suspicious PowerShell Parent ProcessExecutionT1059.0017
Windows: Suspicious Process Created Via Wmic.EXEExecutionT10477
Windows: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBSExecutionT1059.0057
Windows: Suspicious Scheduled Task CreationExecutionT1053.0057
Windows: Suspicious Scheduled Task Creation Involving Temp FolderExecutionT1053.0057
Windows: Suspicious Scheduled Task Creation via Masqueraded XML FileExecutionT1053.0055
Windows: Suspicious Scheduled Task Name As GUIDExecutionT1053.0055
Windows: Suspicious Scheduled Task UpdateExecutionT1053.0057
Windows: Suspicious Schtasks Execution AppData FolderExecutionT1059.0017
Windows: Suspicious Schtasks From Env Var FolderExecutionT1053.0057
Windows: Suspicious Schtasks Schedule Type With High PrivilegesExecutionT1053.0055
Windows: Suspicious Schtasks Schedule TypesExecutionT1053.0057
Windows: Suspicious WSMAN Provider Image LoadsExecutionT1059.0015
Windows: T1047 Wmiprvse Wbemcomn DLL HijackExecutionT10477
Windows: Usage Of Web Request Commands And CmdletsExecutionT1059.0015
Windows: Use Radmin Viewer UtilityExecutionT10727
Windows: VBA DLL Loaded Via Office ApplicationExecutionT1204.0027
Windows: WMI Modules LoadedExecutionT10471
Windows: WMIC Remote Command ExecutionExecutionT10475
Windows: WSF/JSE/JS/VBA/VBE File ExecutionExecutionT1059.0075
Windows: WScript or CScript DropperExecutionT1059.0077
Windows: WinDbg/CDB LOLBIN UsageExecutionT11065
Windows: Windows Hotfix Updates Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Windows Shell/Scripting Processes Spawning Suspicious ProgramsExecutionT1059.0057
Windows: WmiPrvSE Spawned A ProcessExecutionT10475
Windows: Wmiexec Default Output FileExecutionT10479
Windows: Wmiprvse Wbemcomn DLL Hijack: SysmonExecutionT10479
Windows: Wmiprvse Wbemcomn DLL Hijack: Sysmon V2ExecutionT10477

Persistence

Name Tactic Technique Severity
AWS IAM User Added to Group PersistenceT1098.0019
AWS RDS Cluster Created PersistenceT1505.0033
AWS SecHub: Tactics: Persistence DetectedPersistencenone9
Adware process found Persistencenone7
ArubaOS-CX: User AddedPersistenceT1136.0019
Azure Automation Runbook Created or Modified Persistencenone3
Azure Automation Webhook Created Persistencenone3
Azure Conditional Access Policy Modified PersistenceT1098.0018
Azure Global Administrator Role Added to PIM User PersistenceT1098.0019
Azure Privilege Identity Management Role Modified PersistenceT1098.0017
Common Windows process launched by unusual parentPersistenceT1037.0018
Common Windows process launched from unusual pathPersistenceT1037.0018
Compromised Host Detected by Network IPSPersistencenone9
Crowdstrike: Establish Persistence Persistencenone8
Crowdstrike: Excessive suspicious activity on a hostPersistencenone8
Crowdstrike: Exploit Pivot Persistencenone8
Crowdstrike: Intel DetectionPersistencenone9
Crowdstrike: Machine Learning Anomaly DetectedPersistencenone8
Crowdstrike: Malicious Document DetectedPersistencenone8
Crowdstrike: NextGen Antivirus based Malware Persistencenone8
Crowdstrike: RansomwarePersistencenone8
Crowdstrike: Server Compromise LikelyPersistencenone9
Crowdstrike: Suspicious Activity Persistencenone8
Crowdstrike: Suspicious Processes Terminated Persistencenone6
Cylance High Severity Threat Persistencenone9
Cylance Low Severity ThreatPersistencenone3
Cylance Medium Severity Threat Persistencenone7
Database user or group changesPersistenceT1098.0017
Domain Controller User or Group ModificationPersistenceT1098.0016
FireAMP Malicious file executionPersistencenone9
FireEye HX IOC found Persistencenone9
FortiGate: Admin User AddedPersistenceT1136.0019
FortiGate: Admin User Added via ConsolePersistenceT1136.0019
FortiSIEM User CreatedPersistenceT1136.0017
GCP: IAM Custom Role CreatedPersistenceT1078.0049
GCP: IAM Member assigned role of type admin or ownerPersistenceT1098.0019
GCP: Service Account Access Key CreatedPersistenceT1098.0019
GCP: Service Account CreatedPersistenceT1136.0039
Google Workspace: API Access Permitted for OAUTH ClientPersistenceT1098.0017
Google Workspace: Role Assigned to UserPersistenceT1098.0019
Google Workspace: Role Created by UserPersistenceT1098.0019
Google Workspace: Role Modified by UserPersistenceT1098.0019
Linux Account UnlockedPersistenceT1098.0017
Linux User Account Properties ChangedPersistenceT1098.0017
Linux User Added to Administrative GroupsPersistenceT1098.0019
Linux User Added to GroupsPersistenceT1098.0017
Linux User CreatedPersistenceT1136.0018
Linux User DeletedPersistenceT1098.0017
Linux User Deleted from Admin GroupsPersistenceT1098.0019
Linux User Deleted from GroupsPersistenceT1098.0017
Linux User Name ChangedPersistenceT1098.0017
Linux User Password ChangedPersistenceT1098.0017
Linux: Creation of Kernel Module PersistenceT1547.0065
Linux: Creation or Modification of Systemd Service PersistenceT1543.0025
Linux: Job Schedule ModificationPersistenceT1053.0035
Linux: Kernel Module Modification PersistenceT1547.0067
Linux: Modifications of .bash-profile and .bashrc PersistenceT1546.0047
Linux: Potential Shell via Web Server PersistenceT1505.0037
Linux: Scheduled Job ExecutionPersistenceT1053.0035
MS 365 Defender: Persistence DetectedPersistencenone8
MS 365 Defender: Suspicious Activity DetectedPersistencenone7
MS 365 Defender: Suspicious Task Scheduler activity - Persistence AlertPersistenceT1053.0029
MS 365 Defender: Unwanted Software DetectedPersistencenone7
Malware found by firewall but not remediatedPersistencenone9
Meraki New Splash User PersistenceT1098.0017
Oracle OCI: Customer Secret Key CreatedPersistenceT1098.0019
Oracle OCI: Group CreatedPersistenceT1098.0017
Oracle OCI: User API Key Created and UploadedPersistenceT1098.0017
Oracle OCI: User Added to a GroupPersistenceT1098.0019
Oracle OCI: User Auth Token CreatedPersistenceT1098.0017
Oracle OCI: User CreatedPersistenceT1136.0039
Oracle OCI: User Disabled MFAPersistenceT1098.0019
Oracle OCI: User OAuth Client Credential CreatedPersistenceT1098.0019
Rootkit found PersistenceT1014,T1554,T1601.0019
User added to Administrator GroupPersistenceT1136.0019
User added to Backup Operator GroupPersistenceT1136.0016
User added to DNS Admin GroupPersistenceT1136.0019
User added to Domain Admin GroupPersistenceT1136.0019
User added to Remote Desktop User GroupPersistenceT1136.0019
Windows Account UnlockedPersistenceT1098.0017
Windows Groups ChangedPersistenceT1098.0017
Windows Groups CreatedPersistenceT1136.0017
Windows Groups DeletedPersistenceT1098.0017
Windows User Account DisabledPersistenceT1098.0017
Windows User Account EnabledPersistenceT1098.0017
Windows User Account Name ChangedPersistenceT1098.0017
Windows User Account Properties ChangedPersistenceT1098.0017
Windows User Added to GroupsPersistenceT1098.0017
Windows User CreatedPersistenceT1136.0017
Windows User DeletedPersistenceT1098.0017
Windows User Password ChangedPersistenceT1098.0017
Windows User Removed from GroupsPersistenceT1098.0017
Windows: A Member Was Added to a Security-Enabled Global GroupPersistencenone3
Windows: A Member Was Removed From a Security-Enabled Global GroupPersistencenone3
Windows: A Rule Has Been Deleted From The Windows Firewall Exception ListPersistencenone5
Windows: A Security-Enabled Global Group Was DeletedPersistencenone3
Windows: AADInternals PowerShell Cmdlets Execution - ProccessCreationPersistencenone7
Windows: ADCS Certificate Template Configuration VulnerabilityPersistencenone3
Windows: ADCS Certificate Template Configuration Vulnerability with Risky EKUPersistencenone7
Windows: AWL Bypass with Winrm.vbs and WsmPty.xsl/WsmTxt.xsl: SysmonPersistencenone5
Windows: AWL Bypass with Winrm.vbs and WsmPty.xsl/WsmTxt.xsl: Sysmon2Persistencenone5
Windows: Abused Debug Privilege by Arbitrary Parent ProcessesPersistencenone7
Windows: Abusing IEExec To Download PayloadsPersistencenone7
Windows: Abusing Print ExecutablePersistencenone5
Windows: Account Tampering - Suspicious Failed Logon ReasonsPersistencenone5
Windows: Active Directory Structure Export Via Csvde.EXEPersistencenone5
Windows: Active Directory Structure Export Via Ldifde.EXEPersistencenone5
Windows: Active Directory User BackdoorsPersistencenone7
Windows: Add Insecure Download Source To WingetPersistencenone7
Windows: Add New Download Source To WingetPersistencenone5
Windows: Add Potential Suspicious New Download Source To WingetPersistencenone7
Windows: Add User to Local Administrators GroupPersistencenone5
Windows: Add Windows Capability Via PowerShell CmdletPersistencenone5
Windows: Add or Remove Computer from DCPersistencenone3
Windows: AgentExecutor PowerShell ExecutionPersistencenone5
Windows: All Rules Have Been Deleted From The Windows Firewall ConfigurationPersistencenone7
Windows: Allow Service Access Using Security Descriptor Tampering Via Sc.EXEPersistenceT1543.0037
Windows: Anydesk Remote Access Software Service InstallationPersistencenone5
Windows: Application Whitelisting Bypass via Dxcap.exePersistencenone5
Windows: Application Whitelisting Bypass via PresentationHost.exePersistencenone5
Windows: Arbitrary Binary Execution Using GUP UtilityPersistencenone5
Windows: Arbitrary File Download Via MSPUB.EXEPersistencenone5
Windows: Arbitrary MSI Download Via Devinit.EXEPersistencenone5
Windows: Atbroker Registry ChangePersistencenone5
Windows: Base64 MZ Header In CommandLinePersistencenone7
Windows: Block Load Of Revoked DriverPersistencenone7
Windows: CL-LoadAssembly.ps1 Proxy ExecutionPersistencenone5
Windows: CL-Mutexverifiers.ps1 Proxy ExecutionPersistencenone5
Windows: CVE-2021-1675 Print Spooler Exploitation Filename PatternPersistencenone9
Windows: CVE-2021-44077 POC Default Dropped FilePersistencenone7
Windows: Capture Credentials with Rpcping.exePersistencenone5
Windows: Certificate Exported Via Certutil.EXEPersistencenone5
Windows: Change Default File Association To Executable Via AssocPersistenceT1546.0017
Windows: Change Default File Association Via AssocPersistenceT1546.0013
Windows: Chopper Webshell Process PatternPersistenceT1505.0037
Windows: Code Integrity Attempted DLL LoadPersistencenone7
Windows: Code Integrity Blocked Driver LoadPersistencenone7
Windows: Computer Password Change Via Ksetup.EXEPersistencenone5
Windows: Conhost Spawned By Uncommon Parent ProcessPersistencenone5
Windows: Console CodePage Lookup Via CHCPPersistencenone5
Windows: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXEPersistencenone7
Windows: Created Files by Microsoft Sync CenterPersistencenone5
Windows: Creation Exe for Service with Unquoted PathPersistenceT1547.0097
Windows: Creation of a DiagcabPersistencenone5
Windows: Creation of a Local Hidden User Account by RegistryPersistenceT1136.0017
Windows: Custom Class Execution via XwizardPersistencenone5
Windows: DLL Execution Via Register-cimprovider.exePersistencenone5
Windows: DLL Execution via Rasautou.exePersistencenone5
Windows: DLL Load By System Process From Suspicious LocationsPersistencenone7
Windows: DLL Load via LSASSPersistenceT1547.0087
Windows: DLL Loaded via CertOC.EXEPersistencenone5
Windows: DNS HybridConnectionManager Service BusPersistenceT15547
Windows: Deny Service Access Using Security Descriptor Tampering Via Sc.EXEPersistenceT1543.0037
Windows: Deployment AppX Package Was Blocked By AppLockerPersistencenone5
Windows: Deployment Of The AppX Package Was Blocked By The PolicyPersistencenone5
Windows: Detected Windows Software DiscoveryPersistencenone5
Windows: Detecting Fake Instances Of Hxtsr.exePersistencenone5
Windows: Device Installation BlockedPersistencenone5
Windows: DeviceCredentialDeployment ExecutionPersistencenone5
Windows: Devtoolslauncher.exe Executes Specified BinaryPersistencenone7
Windows: DiagTrackEoP Default Login UsernamePersistencenone9
Windows: Direct Autorun Keys ModificationPersistenceT1547.0015
Windows: Dllhost.EXE Execution AnomalyPersistencenone7
Windows: DotNet CLR DLL Loaded By Scripting ApplicationsPersistencenone7
Windows: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBINPersistencenone5
Windows: Download Arbitrary Files Via MSOHTMED.EXEPersistencenone5
Windows: Download Arbitrary Files Via PresentationHost.exePersistencenone5
Windows: DriverQuery.EXE ExecutionPersistencenone5
Windows: Drop Binaries Into Spool Drivers Color FolderPersistencenone5
Windows: Dump Ntds.dit To Suspicious LocationPersistencenone5
Windows: DumpStack.log Defender EvasionPersistencenone9
Windows: ETW Logging Tamper In .NET ProcessesPersistencenone7
Windows: Email Exifiltration Via PowershellPersistencenone7
Windows: Enabled User Right in AD to Control User ObjectsPersistencenone7
Windows: Execute Files with Msdeploy.exePersistencenone5
Windows: Execute MSDT Via Answer FilePersistencenone7
Windows: Execute Pcwrun.EXE To Leverage FollinaPersistencenone7
Windows: Execution Of Non-Existing FilePersistencenone7
Windows: Execution from Suspicious FolderPersistencenone7
Windows: Execution in Webserver Root FolderPersistenceT1505.0035
Windows: Execution of Powershell Script in Public FolderPersistencenone7
Windows: Execution of Suspicious File Type ExtensionPersistencenone7
Windows: Execution via CL-Invocation.ps1Persistencenone7
Windows: Execution via Diskshadow.exePersistencenone7
Windows: Execution via WorkFolders.exePersistencenone7
Windows: Execution via stordiag.exePersistencenone7
Windows: Explorer Process Tree BreakPersistencenone5
Windows: Failed MSExchange Transport Agent InstallationPersistenceT1505.0027
Windows: File Creation In Suspicious Directory By Msdt.EXEPersistenceT1547.0017
Windows: File Decoded From Base64/Hex Via Certutil.EXEPersistencenone5
Windows: File Download Using ProtocolHandler.exePersistencenone5
Windows: File Encoded To Base64 Via Certutil.EXEPersistencenone5
Windows: Firewall Rule Modified In The Windows Firewall Exception ListPersistencenone3
Windows: FoggyWeb Backdoor DLL LoadingPersistencenone9
Windows: Format.com FileSystem LOLBINPersistencenone7
Windows: Fsutil Behavior Set SymlinkEvaluationPersistencenone5
Windows: Fsutil Suspicious InvocationPersistencenone7
Windows: GALLIUM Artefacts - BuiltinPersistencenone7
Windows: GatherNetworkInfo.VBS Reconnaissance Script OutputPersistencenone5
Windows: Gpresult Display Group Policy InformationPersistencenone5
Windows: Gpscript ExecutionPersistencenone5
Windows: Gzip Archive Decode Via PowerShellPersistencenone5
Windows: HackTool - Certify ExecutionPersistencenone7
Windows: HackTool - Certipy ExecutionPersistencenone7
Windows: HackTool - CrackMapExec ExecutionPersistencenone7
Windows: HackTool - DInjector PowerShell Cradle ExecutionPersistencenone9
Windows: HackTool - GMER Rootkit Detector and Remover ExecutionPersistencenone7
Windows: HackTool - Htran/NATBypass ExecutionPersistencenone7
Windows: HackTool - LocalPotato ExecutionPersistencenone7
Windows: HackTool - PCHunter ExecutionPersistencenone7
Windows: HackTool - PurpleSharp ExecutionPersistencenone9
Windows: HackTool - SILENTTRINITY Stager DLL LoadPersistencenone7
Windows: HackTool - SILENTTRINITY Stager ExecutionPersistencenone7
Windows: HackTool - SecurityXploded ExecutionPersistencenone9
Windows: HackTool - SharPersist ExecutionPersistencenone7
Windows: HackTool - SharpLDAPmonitor ExecutionPersistencenone5
Windows: HackTool - Sliver C2 Implant Activity PatternPersistencenone9
Windows: HackTool - Wmiexec Default Powershell CommandPersistencenone7
Windows: Hidden Local User CreationPersistenceT1136.0017
Windows: HybridConnectionManager Service InstallationPersistenceT15547
Windows: HybridConnectionManager Service Installation: SysmonPersistencenone7
Windows: IIS Native-Code Module Command Line InstallationPersistenceT1505.0035
Windows: ISO or Image Mount Indicator in Recent FilesPersistencenone5
Windows: Ie4uinit Lolbin Use From Invalid PathPersistencenone5
Windows: Ilasm Lolbin Use Compile C-SharpPersistencenone5
Windows: ImagingDevices Unusual Parent/Child ProcessesPersistencenone7
Windows: Important Windows Service Terminated UnexpectedlyPersistencenone7
Windows: Important Windows Service Terminated With ErrorPersistencenone7
Windows: Indirect Command Execution By Program Compatibility WizardPersistencenone3
Windows: InfDefaultInstall.exe .inf ExecutionPersistencenone5
Windows: Install New Package Via Winget Local ManifestPersistencenone5
Windows: Invoke-Obfuscation Obfuscated IEX Invocation: Security LogPersistencenone7
Windows: Invoke-Obfuscation Obfuscated IEX Invocation: System LogPersistencenone7
Windows: JSC Convert Javascript To ExecutablePersistencenone5
Windows: KDC RC4-HMAC Downgrade CVE-2022-37966Persistencenone7
Windows: Kavremover Dropped Binary LOLBIN UsagePersistencenone7
Windows: KrbRelayUp Attack PatternPersistencenone7
Windows: KrbRelayUp Service InstallationPersistencenone7
Windows: LOLBAS Data Exfiltration by DataSvcUtil.exePersistencenone5
Windows: LOLBIN From Abnormal DrivePersistencenone5
Windows: LSA PPL Protection Disabled Via Reg.EXEPersistencenone7
Windows: Legitimate Application Dropped ArchivePersistencenone7
Windows: Legitimate Application Dropped ExecutablePersistencenone7
Windows: Legitimate Application Dropped ScriptPersistencenone7
Windows: Leviathan Registry Key ActivityPersistenceT1547.0019
Windows: Loading Diagcab Package From Remote PathPersistencenone7
Windows: Local User CreationPersistenceT1136.0013
Windows: Locked WorkstationPersistencenone3
Windows: Logged-On User Password Change Via Ksetup.EXEPersistencenone5
Windows: Logon Scripts UserInitMprLogonScript PersistenceT1037.0017
Windows: Lolbin Defaultpack.exe Use As ProxyPersistencenone5
Windows: Lolbin Runexehelper Use As ProxyPersistencenone5
Windows: Lolbin Unregmp2.exe Use As ProxyPersistencenone5
Windows: MSExchange Transport Agent InstallationPersistenceT1505.0025
Windows: MSI Installation From Suspicious LocationsPersistencenone5
Windows: MSMQ Corrupted Packet EncounteredPersistencenone7
Windows: MSSQL Add Account To Sysadmin RolePersistencenone7
Windows: MSSQL Disable Audit SettingsPersistencenone7
Windows: MSSQL Extended Stored Procedure Backdoor MaggiePersistencenone7
Windows: MSSQL SPProcoption SetPersistencenone7
Windows: MSSQL XPCmdshell Option ChangePersistencenone7
Windows: MSSQL XPCmdshell Suspicious ExecutionPersistencenone7
Windows: Malicious PE Execution by Microsoft Visual Studio DebuggerPersistencenone5
Windows: Malicious Windows Script Components File Execution by TAEF DetectionPersistencenone3
Windows: Malware Shellcode in Verclsid Target ProcessPersistencenone7
Windows: Manage Engine Java Suspicious Sub ProcessPersistencenone7
Windows: Microsoft IIS Connection Strings DecryptionPersistencenone7
Windows: Microsoft IIS Service Account Password DumpedPersistencenone7
Windows: Microsoft Sync Center Suspicious Network ConnectionsPersistencenone5
Windows: Microsoft Workflow Compiler ExecutionPersistencenone5
Windows: Mimikatz Kirbi File CreationPersistencenone9
Windows: Moriya Rootkit: System LogPersistenceT1543.0039
Windows: MpiExec LolbinPersistencenone7
Windows: Mshtml DLL RunHTMLApplication AbusePersistencenone7
Windows: Mstsc.EXE Execution From Uncommon ParentPersistencenone7
Windows: NPPSpy Hacktool UsagePersistencenone7
Windows: Narrator s Feedback-Hub Persistence PersistenceT1547.0017
Windows: NetSupport Manager Service InstallPersistencenone5
Windows: New ActiveScriptEventConsumer Created Via Wmic.EXEPersistenceT1546.0037
Windows: New DLL Added to AppCertDlls Registry KeyPersistenceT1546.0095
Windows: New DLL Added to AppInit-DLLs Registry KeyPersistenceT1546.0105
Windows: New Firewall Exception Rule Added For A Suspicious FolderPersistencenone7
Windows: New Firewall Rule Added In Windows Firewall Exception ListPersistencenone5
Windows: New Kernel Driver Via SC.EXEPersistenceT1543.0035
Windows: New PDQDeploy Service - Client SidePersistenceT1543.0035
Windows: New PDQDeploy Service - Server SidePersistenceT1543.0035
Windows: New Port Forwarding Rule Added Via Netsh.EXXPersistencenone5
Windows: New Service Creation Using PowerShellPersistenceT1543.0033
Windows: New Service Creation Using Sc.EXEPersistenceT1543.0033
Windows: New Service Uses Double Ampersand in PathPersistencenone7
Windows: New Shim Database Created in the Default DirectoryPersistenceT1547.0095
Windows: New User Created Via Net.EXEPersistenceT1136.0015
Windows: New User Created Via Net.EXE With Never Expire OptionPersistenceT1136.0017
Windows: New or Renamed User Account with $ in Attribute SamAccountNamePersistencenone7
Windows: Ngrok Usage with Remote Desktop ServicePersistencenone7
Windows: Nslookup PowerShell Download Cradle - ProcessCreationPersistencenone5
Windows: Ntdsutil AbusePersistencenone5
Windows: Obfuscated IP DownloadPersistencenone5
Windows: Obfuscated IP Via CLIPersistencenone5
Windows: Office Application Startup - Office TestPersistenceT1137.0025
Windows: Office Template CreationPersistencenone7
Windows: OilRig APT Registry PersistencePersistenceT1543.0039
Windows: OneNote Attachment File Dropped In Suspicious LocationPersistencenone5
Windows: OpenWith.exe Executes Specified BinaryPersistencenone7
Windows: Outgoing Logon with New CredentialsPersistencenone3
Windows: PCRE.NET Package Image LoadPersistencenone7
Windows: PCRE.NET Package Temp FilesPersistencenone7
Windows: PUA - AdvancedRun ExecutionPersistencenone5
Windows: PUA - AdvancedRun Suspicious ExecutionPersistencenone7
Windows: PUA - Fast Reverse Proxy FRP ExecutionPersistencenone7
Windows: PUA - NPS Tunneling Tool ExecutionPersistencenone7
Windows: PUA - Process Hacker Driver LoadPersistencenone7
Windows: PUA - Process Hacker ExecutionPersistencenone7
Windows: PUA - System Informer Driver LoadPersistencenone5
Windows: PUA - System Informer ExecutionPersistencenone5
Windows: PUA - Wsudo Suspicious ExecutionPersistencenone7
Windows: PUA- IOX Tunneling Tool ExecutionPersistencenone7
Windows: Parent in Public Folder Suspicious ProcessPersistencenone7
Windows: Password Change on Directory Service Restore Mode DSRM Account PersistenceT1098.0037
Windows: Password Protected ZIP File OpenedPersistencenone5
Windows: Password Protected ZIP File Opened Email Attachment Persistencenone7
Windows: Password Protected ZIP File Opened Suspicious Filenames Persistencenone7
Windows: Password Provided In Command Line Of Net.EXEPersistencenone5
Windows: Path To Screensaver Binary ModifiedPersistenceT1546.0025
Windows: Perl Inline Command ExecutionPersistencenone5
Windows: Persistence Via Sticky Key BackdoorPersistenceT1546.0089
Windows: Persistence Via TypedPaths - CommandLinePersistencenone5
Windows: Phishing Pattern ISO in ArchivePersistencenone7
Windows: Php Inline Command ExecutionPersistencenone5
Windows: PortProxy Registry KeyPersistencenone5
Windows: Possible Shadow Credentials AddedPersistencenone7
Windows: Possible Shim Database Persistence via sdbinst.exePersistenceT1546.0117
Windows: Potential Active Directory Enumeration Using AD Module - ProcCreationPersistencenone5
Windows: Potential Arbitrary Code Execution Via Node.EXEPersistencenone7
Windows: Potential Binary Or Script Dropper Via PowerShellPersistencenone5
Windows: Potential COM Objects Download Cradles Usage - Process CreationPersistencenone5
Windows: Potential Cobalt Strike Process PatternsPersistencenone7
Windows: Potential Command Line Path Traversal Evasion AttemptPersistencenone5
Windows: Potential Credential Dumping Attempt Using New NetworkProvider - CLIPersistencenone7
Windows: Potential DLL File Download Via PowerShell Invoke-WebRequestPersistencenone5
Windows: Potential DLL Sideloading Using Coregen.exePersistencenone5
Windows: Potential Discovery Activity Via Dnscmd.EXEPersistenceT1543.0035
Windows: Potential Dosfuscation ActivityPersistencenone5
Windows: Potential Malicious AppX Package Installation AttemptsPersistencenone5
Windows: Potential Manage-bde.wsf Abuse To Proxy ExecutionPersistencenone7
Windows: Potential NTLM Coercion Via Certutil.EXEPersistencenone7
Windows: Potential Password Spraying Attempt Using Dsacls.EXEPersistencenone5
Windows: Potential Persistence Attempt Via ErrorHandler.CmdPersistencenone5
Windows: Potential Persistence Via Microsoft Office Add-InPersistenceT1137.0067
Windows: Potential Persistence Via Netsh Helper DLLPersistenceT1546.0077
Windows: Potential Persistence Via Notepad PluginsPersistencenone5
Windows: Potential Persistence Via Outlook FormPersistenceT1137.0037
Windows: Potential PowerShell Execution Policy Tampering - ProcCreationPersistencenone7
Windows: Potential Privilege Escalation Attempt Via .Exe.Local TechniquePersistencenone7
Windows: Potential Privilege Escalation Using Symlink Between Osk and CmdPersistenceT1546.0087
Windows: Potential Process Injection Via Msra.EXEPersistencenone7
Windows: Potential RDP Session Hijacking ActivityPersistencenone5
Windows: Potential Recon Activity Using DriverQuery.EXEPersistencenone7
Windows: Potential Recon Activity Using WevtutilPersistencenone5
Windows: Potential Remote Credential Dumping ActivityPersistencenone7
Windows: Potential Remote Desktop TunnelingPersistencenone5
Windows: Potential Renamed Rundll32 ExecutionPersistencenone7
Windows: Potential RipZip Attack on Startup FolderPersistencenone7
Windows: Potential Shellcode InjectionPersistencenone7
Windows: Potential Signing Bypass Via Windows Developer FeaturesPersistencenone7
Windows: Potential Suspicious Mofcomp ExecutionPersistencenone7
Windows: Potential Suspicious PowerShell Module File CreatedPersistencenone5
Windows: Potential Suspicious Windows Feature Enabled - ProcCreationPersistencenone5
Windows: Potential Windows Defender Tampering Via Wmic.EXEPersistenceT1546.0087
Windows: Potential Winnti Dropper ActivityPersistencenone7
Windows: Potentially Over Permissive Permissions Granted Using Dsacls.EXEPersistencenone5
Windows: Potentially Suspicious GoogleUpdate Child ProcessPersistencenone7
Windows: Potentially Suspicious Network Connection To Notion APIPersistencenone3
Windows: PowerShell Download and Execution CradlesPersistencenone7
Windows: PowerShell Module File CreatedPersistencenone3
Windows: PowerShell Module File Created By Non-PowerShell ProcessPersistencenone5
Windows: PowerShell Profile ModificationPersistenceT1546.0137
Windows: PowerShell Script Dropped Via PowerShell.EXEPersistencenone3
Windows: PowerShell Web DownloadPersistencenone5
Windows: PowerShell Writing Startup ShortcutsPersistenceT1547.0017
Windows: Powershell Inline Execution From A FilePersistencenone5
Windows: Powershell Token Obfuscation - Process CreationPersistencenone7
Windows: Powerview Add-DomainObjectAcl DCSync AD Extend RightPersistencenone7
Windows: PrinterNightmare Mimimkatz Driver NamePersistencenone9
Windows: Privilege Escalation via Named Pipe ImpersonationPersistencenone7
Windows: Process Creation Using Sysnative FolderPersistencenone5
Windows: Process Memory Dump Via Dotnet-DumpPersistencenone5
Windows: Proxy Execution Via Explorer.exePersistencenone3
Windows: Proxy Execution via WuaucltPersistencenone7
Windows: PsExec Service Child Process Execution as LOCAL SYSTEMPersistencenone7
Windows: PsExec Service ExecutionPersistencenone5
Windows: Psexec ExecutionPersistencenone5
Windows: Publisher Attachment File Dropped In Suspicious LocationPersistencenone5
Windows: Python Inline Command ExecutionPersistencenone5
Windows: Python Spawning Pretty TTY on WindowsPersistencenone7
Windows: Query Usage To Exfil DataPersistencenone5
Windows: RDP File Creation From Suspicious ApplicationPersistencenone7
Windows: RDP Port Forwarding Rule Added Via Netsh.EXEPersistencenone7
Windows: REGISTER-APP.VBS Proxy ExecutionPersistencenone5
Windows: RTCore Suspicious Service InstallationPersistencenone7
Windows: Reg Add RUN KeyPersistenceT1547.0015
Windows: Regedit as Trusted InstallerPersistencenone7
Windows: Registry Persistence Mechanisms in Recycle BinPersistencenone7
Windows: Regsvr32 Command Line Without DLLPersistencenone7
Windows: Remote Access Tool - NetSupport Execution From Unusual LocationPersistencenone5
Windows: Remote Access Tool - RURAT Execution From Unusual LocationPersistencenone5
Windows: Remote Code Execute via Winrm.vbsPersistencenone5
Windows: Remote Utilities Host Service InstallPersistencenone5
Windows: Remote WMI ActiveScriptEventConsumersPersistenceT1546.0037
Windows: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnessesPersistencenone7
Windows: Renamed AutoHotkey.EXE ExecutionPersistencenone5
Windows: Renamed MegaSync ExecutionPersistencenone7
Windows: Renamed NetSupport RAT ExecutionPersistencenone7
Windows: Renamed Office Binary ExecutionPersistencenone7
Windows: Renamed Plink ExecutionPersistencenone7
Windows: Renamed PsExec Service ExecutionPersistencenone7
Windows: Renamed Remote Utilities RAT RURAT ExecutionPersistencenone5
Windows: Replay Attack DetectedPersistencenone7
Windows: Ruby Inline Command ExecutionPersistencenone5
Windows: Run PowerShell Script from Redirected Input StreamPersistencenone7
Windows: Rundll32 Execution Without DLL FilePersistencenone7
Windows: Rundll32 JS RunHTMLApplication PatternPersistencenone7
Windows: Rundll32 Registered COM ObjectsPersistenceT1546.0157
Windows: Rundll32 With Suspicious Parent ProcessPersistencenone5
Windows: SCM Database Privileged OperationPersistencenone5
Windows: SVCHOST Credential DumpPersistencenone7
Windows: Script Interpreter Execution From Suspicious FolderPersistencenone7
Windows: Sdiagnhost Calling Suspicious Child ProcessPersistencenone7
Windows: Security Support Provider SSP Added to LSA ConfigurationPersistenceT1547.0059
Windows: Service Installation in Suspicious FolderPersistenceT1543.0035
Windows: Service Installation with Suspicious Folder PatternPersistenceT1543.0037
Windows: Service Installed By Unusual Client - SecurityPersistencenone7
Windows: Service Installed By Unusual Client - SystemPersistencenone7
Windows: Shells Spawned by JavaPersistencenone5
Windows: Shells Spawned by Web ServersPersistenceT1505.0037
Windows: Sideloading Link.EXEPersistencenone5
Windows: Standard User In High Privileged GroupPersistencenone5
Windows: Start of NT Virtual DOS MachinePersistencenone5
Windows: Startup Folder File WritePersistenceT1547.0015
Windows: Sticky Key Like Backdoor ExecutionPersistenceT1546.0089
Windows: Sticky Key Like Backdoor Usage - RegistryPersistenceT1546.0089
Windows: StoneDrill Service InstallPersistenceT1543.0037
Windows: Suspect Svchost ActivityPersistencenone7
Windows: Suspicious ASPX File Drop by ExchangePersistenceT1505.0037
Windows: Suspicious Add User to Remote Desktop Users GroupPersistenceT1136.0017
Windows: Suspicious AgentExecutor PowerShell ExecutionPersistencenone7
Windows: Suspicious AppX Package Installation AttemptPersistencenone5
Windows: Suspicious AppX Package LocationsPersistencenone7
Windows: Suspicious Application InstalledPersistencenone5
Windows: Suspicious Atbroker ExecutionPersistencenone7
Windows: Suspicious CMD Shell Output RedirectPersistencenone5
Windows: Suspicious Cabinet File ExpansionPersistencenone5
Windows: Suspicious Calculator UsagePersistencenone7
Windows: Suspicious Child Process Of SQL ServerPersistenceT1505.0037
Windows: Suspicious Child Process Of Veeam DabatasePersistencenone9
Windows: Suspicious Chromium Browser Instance Executed With Custom ExtensionsPersistenceT11767
Windows: Suspicious CodePage Switch Via CHCPPersistencenone5
Windows: Suspicious ConfigSecurityPolicy ExecutionPersistencenone5
Windows: Suspicious Creation with ColorcplPersistencenone7
Windows: Suspicious CustomShellHost ExecutionPersistencenone5
Windows: Suspicious DLL Loaded via CertOC.EXEPersistencenone7
Windows: Suspicious DNS Query for IP Lookup Service APIsPersistencenone5
Windows: Suspicious Debugger Registration CmdlinePersistenceT1546.0087
Windows: Suspicious Digital Signature Of AppX PackagePersistencenone5
Windows: Suspicious DotNET CLR Usage Log ArtifactPersistencenone7
Windows: Suspicious Double Extension FilesPersistencenone7
Windows: Suspicious Download Via Certutil.EXEPersistencenone5
Windows: Suspicious Download from Office DomainPersistencenone7
Windows: Suspicious Driver Install by pnputil.exePersistencenone5
Windows: Suspicious Driver Load from Temp PersistenceT1543.0035
Windows: Suspicious Dropbox API UsagePersistencenone7
Windows: Suspicious Electron Application Child ProcessesPersistencenone5
Windows: Suspicious Elevated System ShellPersistencenone7
Windows: Suspicious Epmap ConnectionPersistencenone7
Windows: Suspicious Executable File CreationPersistencenone7
Windows: Suspicious Execution From GUID Like Folder NamesPersistencenone5
Windows: Suspicious Execution Of PDQDeployRunnerPersistencenone5
Windows: Suspicious Execution of InstallUtil To DownloadPersistencenone5
Windows: Suspicious Execution of InstallUtil Without LogPersistencenone5
Windows: Suspicious Extexport ExecutionPersistencenone5
Windows: Suspicious File Created In PerfLogsPersistencenone5
Windows: Suspicious File Created Via OneNote ApplicationPersistencenone7
Windows: Suspicious File Creation In Uncommon AppData FolderPersistencenone7
Windows: Suspicious File Download From File Sharing Domain Via Curl.EXEPersistencenone7
Windows: Suspicious File Downloaded From Direct IP Via Certutil.EXEPersistencenone7
Windows: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXEPersistencenone7
Windows: Suspicious File Drop by ExchangePersistenceT1505.0035
Windows: Suspicious FromBase64String Usage On Gzip Archive - Process CreationPersistencenone5
Windows: Suspicious Get-Variable.exe CreationPersistencenone7
Windows: Suspicious Git ClonePersistencenone5
Windows: Suspicious Greedy Compression Using Rar.EXEPersistencenone7
Windows: Suspicious GrpConv ExecutionPersistencenone7
Windows: Suspicious Hacktool Execution - PE MetadataPersistencenone7
Windows: Suspicious IIS Module RegistrationPersistencenone7
Windows: Suspicious IIS URL GlobalRules Rewrite Via AppCmdPersistencenone5
Windows: Suspicious Interactive PowerShell as SYSTEMPersistencenone7
Windows: Suspicious Kernel Dump Using DtracePersistencenone7
Windows: Suspicious LNK Double Extension FilePersistencenone5
Windows: Suspicious LOLBIN AccCheckConsolePersistencenone7
Windows: Suspicious MSDT Parent ProcessPersistencenone7
Windows: Suspicious MSExchangeMailboxReplication ASPX WritePersistenceT1505.0037
Windows: Suspicious Msbuild Execution By Uncommon Parent ProcessPersistencenone5
Windows: Suspicious Network CommandPersistencenone3
Windows: Suspicious Network Connection Binary No CommandLinePersistencenone7
Windows: Suspicious Network Connection to IP Lookup Service APIsPersistencenone5
Windows: Suspicious New Instance Of An Office COM ObjectPersistencenone5
Windows: Suspicious New Service CreationPersistenceT1543.0037
Windows: Suspicious Non-Browser Network Communication With Google APIPersistencenone5
Windows: Suspicious Non-Browser Network Communication With Reddit APIPersistencenone5
Windows: Suspicious Ntdll Pipe RedirectionPersistencenone7
Windows: Suspicious Obfuscated PowerShell CodePersistencenone7
Windows: Suspicious OfflineScannerShell.exe Execution From Another FolderPersistencenone5
Windows: Suspicious Parent Double Extension File ExecutionPersistencenone7
Windows: Suspicious PowerShell Child ProcessesPersistencenone7
Windows: Suspicious PowerShell IEX Execution PatternsPersistencenone7
Windows: Suspicious PowerShell Invocations - Specific - ProcessCreationPersistencenone5
Windows: Suspicious PowerShell Mailbox Export to SharePersistencenone9
Windows: Suspicious Powercfg Execution To Change Lock Screen TimeoutPersistencenone5
Windows: Suspicious Process ParentsPersistencenone7
Windows: Suspicious Process Start LocationsPersistencenone5
Windows: Suspicious Program NamesPersistencenone7
Windows: Suspicious RASdial ActivityPersistencenone5
Windows: Suspicious Reg Add Open CommandPersistencenone5
Windows: Suspicious Registration via cscript.exePersistencenone5
Windows: Suspicious Remote AppX Package LocationsPersistencenone7
Windows: Suspicious Remote Logon with Explicit CredentialsPersistencenone5
Windows: Suspicious Run Key from DownloadPersistenceT1547.0017
Windows: Suspicious RunAs-Like Flag CombinationPersistencenone5
Windows: Suspicious Rundll32 Invoking Inline VBScriptPersistencenone7
Windows: Suspicious SYSTEM User Process CreationPersistencenone7
Windows: Suspicious Scheduled Task Write to System32 TasksPersistencenone7
Windows: Suspicious ScreenSave Change by Reg.exePersistenceT1546.0025
Windows: Suspicious Screensaver Binary File CreationPersistenceT1546.0025
Windows: Suspicious Script Execution From Temp FolderPersistencenone7
Windows: Suspicious Serv-U Process PatternPersistencenone7
Windows: Suspicious Service Binary DirectoryPersistencenone7
Windows: Suspicious Service DACL Modification Via Set-Service CmdletPersistenceT1543.0037
Windows: Suspicious Service InstallationPersistenceT1543.0037
Windows: Suspicious Service Installation ScriptPersistenceT1543.0037
Windows: Suspicious Service Path ModificationPersistenceT1543.0037
Windows: Suspicious Shells Spawn by Java Utility KeytoolPersistencenone7
Windows: Suspicious Shells Spawned by JavaPersistencenone7
Windows: Suspicious Sigverif ExecutionPersistencenone5
Windows: Suspicious Splwow64 Without ParamsPersistencenone7
Windows: Suspicious Startup Folder PersistencePersistenceT1547.0017
Windows: Suspicious SysAidServer ChildPersistencenone5
Windows: Suspicious Usage Of ShellExec-RunDLLPersistencenone7
Windows: Suspicious Usage of CVE-2021-34484 or CVE 2022-21919Persistencenone3
Windows: Suspicious Use of CSharp Interactive ConsolePersistencenone7
Windows: Suspicious Userinit Child ProcessPersistencenone5
Windows: Suspicious Vsls-Agent Command With AgentExtensionPath LoadPersistencenone5
Windows: Suspicious WERMGR Process PatternsPersistencenone7
Windows: Suspicious Windows ANONYMOUS LOGON Local Account CreatedPersistenceT1136.0027
Windows: Suspicious Windows App ActivityPersistencenone7
Windows: Suspicious Windows Update Agent Empty CmdlinePersistencenone7
Windows: Suspicious WindowsTerminal Child ProcessesPersistencenone5
Windows: Suspicious Word Cab File Write CVE-2021-40444Persistencenone7
Windows: Suspicious Workstation Locking via Rundll32Persistencenone5
Windows: Suspicious X509Enrollment - Process CreationPersistencenone5
Windows: Suspicious aspnet-compiler.exe ExecutionPersistencenone5
Windows: Suspicious desktop.ini ActionPersistenceT1547.0095
Windows: SyncAppvPublishingServer Execute Arbitrary PowerShell CodePersistencenone5
Windows: SyncAppvPublishingServer VBS Execute Arbitrary PowerShell CodePersistencenone5
Windows: Sysinternals PsSuspend ExecutionPersistenceT1543.0035
Windows: Sysinternals Tools AppX Versions ExecutionPersistencenone5
Windows: Sysmon Blocked ExecutablePersistencenone7
Windows: Sysmon Configuration ChangePersistencenone5
Windows: Sysmon CrashPersistencenone7
Windows: Sysprep on AppData FolderPersistencenone5
Windows: System File Execution Location AnomalyPersistencenone7
Windows: Tap Driver InstallationPersistencenone5
Windows: Tap Installer ExecutionPersistencenone5
Windows: Taskmgr as LOCAL-SYSTEMPersistencenone7
Windows: Taskmgr as ParentPersistencenone3
Windows: The Windows Defender Firewall Service Failed To Load Group PolicyPersistencenone3
Windows: Turla PNG Dropper Service PersistenceT1543.0039
Windows: Turla Service Install PersistenceT1543.0037
Windows: UAC Bypass Using Event Viewer RecentViewsPersistencenone7
Windows: UAC Bypass Using EventVwrPersistencenone7
Windows: UAC Bypass via Windows Firewall Snap-In HijackPersistencenone5
Windows: Uncommon AppX Package LocationsPersistencenone5
Windows: Uncommon One Time Only Scheduled Task At 00:00Persistencenone7
Windows: Unsigned AppX Installation Attempt Using Add-AppxPackagePersistencenone5
Windows: Unusual Parent Process For Cmd.EXEPersistencenone5
Windows: Use Of The SFTP.EXE Binary As A LOLBINPersistencenone5
Windows: Use of FSharp InterpretersPersistencenone5
Windows: Use of Forfiles For ExecutionPersistencenone5
Windows: Use of Mftrace.exePersistencenone5
Windows: Use of OpenConsolePersistencenone5
Windows: Use of Pcalua For ExecutionPersistencenone5
Windows: Use of Remote.exePersistencenone5
Windows: Use of Scriptrunner.exePersistencenone5
Windows: Use of Squirrel.exePersistencenone5
Windows: Use of Sysinternals PsServicePersistenceT1543.0035
Windows: Use of TTDInject.exePersistencenone5
Windows: Use of VSIISExeLauncher.exePersistencenone5
Windows: Use of VisualUiaVerifyNative.exePersistencenone5
Windows: Use of Wfc.exePersistencenone5
Windows: User Added to Local AdministratorsPersistencenone5
Windows: User with Privileges LogonPersistencenone3
Windows: Using AppVLP To Circumvent ASR File Path RulePersistencenone5
Windows: UtilityFunctions.ps1 Proxy DllPersistencenone5
Windows: VMToolsd Suspicious Child ProcessPersistencenone7
Windows: Verclsid.exe Runs COM ObjectPersistencenone5
Windows: Visual Studio NodejsTools PressAnyKey Arbitrary Binary ExecutionPersistencenone5
Windows: Visual Studio NodejsTools PressAnyKey Renamed ExecutionPersistencenone5
Windows: VsCode Powershell Profile ModificationPersistenceT1546.0135
Windows: Vulnerable AVAST Anti Rootkit Driver LoadPersistenceT1543.0037
Windows: Vulnerable GIGABYTE Driver LoadPersistenceT1543.0037
Windows: Vulnerable HW Driver LoadPersistenceT1543.0037
Windows: Vulnerable HackSys Extreme Vulnerable Driver LoadPersistenceT1543.0037
Windows: Vulnerable Lenovo Driver LoadPersistencenone7
Windows: Vulnerable Netlogon Secure Channel Connection AllowedPersistencenone7
Windows: Vulnerable WinRing0 Driver LoadPersistenceT1543.0037
Windows: WINEKEY Registry ModificationPersistencenone7
Windows: WMI Backdoor Exchange Transport AgentPersistenceT1546.0039
Windows: WMI Event Subscription PersistenceT1546.0037
Windows: WMI Persistence - Command Line Event Consumer PersistenceT1546.0037
Windows: WMI Persistence - Script Event ConsumerPersistenceT1546.0035
Windows: WMI Persistence - Script Event Consumer File Write PersistenceT1546.0037
Windows: WMI Persistence - SecurityPersistenceT1546.0035
Windows: WMI Script Host Process Image LoadedPersistenceT1546.0037
Windows: WScript or CScript Dropper: Sysmon V1Persistencenone7
Windows: Wab Execution From Non Default LocationPersistencenone7
Windows: Wab/Wabmig Unusual Parent Or Child ProcessesPersistencenone7
Windows: Weak or Abused Passwords In CLIPersistencenone5
Windows: Webshell Detection With Command Line KeywordsPersistenceT1505.0037
Windows: Webshell Hacking Activity PatternsPersistenceT1505.0037
Windows: Webshell Recon Detection Via CommandLine ProcessesPersistenceT1505.0037
Windows: WinSxS Executable File Creation By Non-System ProcessPersistencenone5
Windows: Windows Binaries Write Suspicious ExtensionsPersistencenone7
Windows: Windows Defender Firewall Has Been Reset To Its Default ConfigurationPersistencenone3
Windows: Windows Firewall Disabled via PowerShellPersistencenone5
Windows: Windows Firewall Settings Have Been ChangedPersistencenone3
Windows: Windows Network Access Suspicious desktop.ini ActionPersistenceT1547.0095
Windows: Windows Service Terminated With ErrorPersistencenone3
Windows: Windows Shell/Scripting Application File Write to Suspicious FolderPersistencenone7
Windows: Windows Spooler Service Suspicious Binary LoadPersistencenone1
Windows: Windows Update ErrorPersistencenone3
Windows: Wlrmdr Lolbin Use as LauncherPersistencenone5
Windows: Write Protect For Storage DisabledPersistencenone5
Windows: Writing Local Admin SharePersistenceT1546.0025
Windows: Wscript Execution from Non C DrivePersistencenone5
Windows: Wscript Shell Run In CommandLinePersistencenone7
Windows: Wuauclt Network ConnectionPersistencenone5
Windows: Wusa Extracting Cab FilesPersistencenone5
Windows: Wusa Extracting Cab Files From Suspicious PathsPersistencenone7

Privilege Escalation

Name Tactic Technique Severity
AWS SecHub: Tactics: Privilege Escalation DetectedPrivilege EscalationT1548.0029
Crowdstrike: Authentication BypassPrivilege Escalationnone8
Crowdstrike: Privilege Escalation Privilege EscalationT1548.0048
FortiNDR Cloud: High Severity Detection triggered for a HostPrivilege EscalationT10689
FortiNDR Cloud: Low Severity Detection triggered for a HostPrivilege EscalationT10684
FortiNDR Cloud: Moderate Severity Detection triggered for a HostPrivilege EscalationT10687
Linux Buffer overflow Privilege EscalationT1547.0099
Linux: Setgid Bit Set via chmod Privilege EscalationT1548.0017
Linux: Setuid Bit Set via chmod Privilege EscalationT1548.0017
Linux: Sudoers File Modification Privilege EscalationT1548.0039
Linux: Trap Signals Usage Privilege EscalationT1546.0055
Outbreak: Router Malware Attack Detected on HostPrivilege EscalationT10689
Outbreak: Router Malware Attack Detected on NetworkPrivilege EscalationT10689
Outbreak: VMware ESXi Server Ransomware Attack Detected on NetworkPrivilege EscalationT10689
Outbreak: Win32k Elevation of Privilege Vulnerability Detected on HostPrivilege EscalationT10689
Outbreak: Win32k Elevation of Privilege Vulnerability Detected on NetworkPrivilege EscalationT10689
Outbreak: Zimbra Collaboration Mboximport Vulnerability on HostPrivilege EscalationT10689
Outbreak: Zimbra Collaboration Mboximport Vulnerability on NetworkPrivilege EscalationT10689
Privilege Escalation ExploitsPrivilege EscalationT1548.0047
Privileged Command Execution FailurePrivilege EscalationT1548.0029
Windows Debugger registry key for common Windows accessibility toolsPrivilege EscalationT1574.0028
Windows: Addition of SID History to Active Directory Object Privilege EscalationT1134.0055
Windows: Bypass UAC via Fodhelper.exe Privilege EscalationT1548.0027
Windows: HackTool - SysmonEOP ExecutionPrivilege EscalationT10689
Windows: InstallerFileTakeOver LPE CVE-2021-41379 File Create EventPrivilege EscalationT10689
Windows: Notepad Making Network Connection Privilege EscalationT1055.0027
Windows: Process Explorer Driver Creation By Non-Sysinternals BinaryPrivilege EscalationT10687
Windows: Process Monitor Driver Creation By Non-Sysinternals BinaryPrivilege EscalationT10685
Windows: Usage Of Malicious POORTRY Signed DriverPrivilege EscalationT10687
Windows: Vulnerable Dell BIOS Update Driver LoadPrivilege EscalationT10687

Defense Evasion

Name Tactic Technique Severity
Unusual ICMP Traffic Defense Evasionnone7
Windows Process Tampering Detected Defense EvasionT1055.0099
AWS CloudTrail Important Changes Defense EvasionT1562.0017
AWS CloudTrail Log Deleted Defense EvasionT1562.0089
AWS CloudTrail Log Setting Updated Defense EvasionT1562.0083
AWS CloudTrail Log Suspended Defense EvasionT1562.0089
AWS CloudWatch Alarm Deleted Defense EvasionT1562.0085
AWS CloudWatch Log Group Deleted Defense EvasionT1070.0049
AWS CloudWatch Log Stream Deleted Defense EvasionT1070.0049
AWS Config Service Tampering Defense EvasionT1562.0067
AWS Configuration Recorder Stopped Defense EvasionT1562.0087
AWS EC2 Encryption Disabled Defense EvasionT1600.0019
AWS EC2 Flow Log Deleted Defense EvasionT1562.0087
AWS EC2 Network Access Control List Deleted Defense EvasionT1562.0079
AWS EC2 Snapshot Attribute Modified Defense EvasionT1578.0015
AWS EC2 User Data DownloadDefense EvasionT1562.0016
AWS GuardDuty Detector Deleted Defense EvasionT1562.0087
AWS S3 Bucket Configuration Deleted Defense EvasionT1562.0083
AWS SecHub: Tactics: Defense Evasion DetectedDefense Evasionnone8
AWS WAF Access Control List Deleted Defense EvasionT1562.0079
AWS WAF Rule or Rule Group Deleted Defense EvasionT1562.0078
Agent FIM: Linux Directory Ownership or Permission Changed Defense EvasionT1222.002,T1565.0017
Agent FIM: Linux File Changed From BaselineDefense EvasionT1070.004,T1565.0017
Agent FIM: Linux File Content Modified Defense EvasionT1070.004,T1565.0017
Agent FIM: Linux File Ownership or Permission Changed Defense EvasionT1222.002,T1565.0019
Agent FIM: Linux File or Directory DeletedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Changed From BaselineDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Content ModifiedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Ownership ChangedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Permission ChangedDefense EvasionT1222.001,T1565.0017
Agent FIM: Windows File or Directory Archive Bit ChangedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File or Directory DeletedDefense EvasionT1070.004,T1565.0017
Agentless FIM: Audited file or directory deletedDefense EvasionT1070.004,T1565.0018
Agentless FIM: Audited file or directory ownership or permission changed Defense EvasionT1222.002,T1565.0019
Agentless FIM: Audited target file content modifiedDefense EvasionT1070.004,T1565.0018
Audited file or directory content modified in SVNDefense EvasionT1070.004,T1565.0018
Azure Automation Runbook Deleted Defense EvasionT1562.0013
Azure Diagnostic Settings Deleted Defense EvasionT1562.0085
Azure Event Hub Deleted Defense EvasionT1562.0089
Azure Firewall Policy Deleted Defense EvasionT1562.0079
Azure Network Watcher Deleted Defense EvasionT1562.0075
Barracuda WAF: Config Change DetectedDefense EvasionT1562.0047
Crowdstrike: Evade Detection Defense Evasionnone8
Crowdstrike: Social Engineering Defense Evasionnone7
CyberArk Vault User History ClearDefense EvasionT1070.0038
GCP: Firewall Rule CreatedDefense EvasionT1562.0074
GCP: Firewall Rule DeletedDefense EvasionT1562.0078
GCP: Firewall Rule UpdatedDefense EvasionT1562.0078
GCP: Logging Sink DeletedDefense EvasionT1562.0088
GCP: Logging Sink UpdatedDefense EvasionT1562.0086
GCP: Pub/Sub Subscription DeletedDefense EvasionT1562.0086
GCP: Pub/Sub Topic DeletedDefense EvasionT1562.0086
GCP: Storage or Logging Bucket DeletedDefense EvasionT1562.0086
Group Policy Object Created Defense EvasionT1484.0017
Group Policy Object Modified Defense EvasionT1484.0017
IPS/AV Evasion attemptsDefense EvasionT12117
Linux: Attempt to Disable CarbonBlack Service Defense EvasionT1562.0049
Linux: Attempt to Disable Crowdstrike Service Defense EvasionT1562.0049
Linux: Attempt to Disable Syslog Service Defense EvasionT1562.0049
Linux: Attempts to Disable IPTables or Firewall Defense EvasionT1562.0049
Linux: Base16/32/64 Encoding/Decoding Activity Defense EvasionT11407
Linux: Clear System Logs Defense EvasionT1070.0029
Linux: Command Line History Deleted Defense EvasionT1070.0039
Linux: File Deletion via Shred Defense EvasionT1070.0049
Linux: File Permission Modification in Writable Absolute Directory By non-root userDefense EvasionT1222.0027
Linux: File Permission Modification in Writable Relative Directory By non-root userDefense EvasionT1222.0027
Linux: Hidden Files and Directories Created Defense EvasionT1564.0017
Linux: Kernel Module Removed Defense EvasionT1562.0017
Linux: Processes with Trailing Spaces Defense EvasionT1036.0067
Linux: SELinux Disabled Defense EvasionT1562.0019
Linux: Timestomping using Touch Command Defense EvasionT1070.0065
Linux: Unusual Process Execution from Temp Defense EvasionT12027
MS 365 Defender: Masquerading - Execution AlertDefense EvasionT1036.0049
MS 365 Defender: Process Injection - Defense Evasion AlertDefense EvasionT1055.0019
Modification of ld.so.preload Defense EvasionT1055.0095
Multiple Windows Accounts Disabled by AdministratorDefense Evasionnone9
Network Installed Software ChangeDefense EvasionT1218.0016
Oracle OCI: Policy CreatedDefense EvasionT1562.0077
Oracle OCI: Policy DeletedDefense EvasionT1562.0077
Outbreak: BURNTCIGAR MS Signed Driver Malware detected on HostDefense EvasionT1036.0019
Outbreak: BURNTCIGAR MS Signed Driver Malware detected on NetworkDefense EvasionT1036.0019
Outbreak: Control Web Panel Login Exploit Detected on HostDefense EvasionT12029
Outbreak: Control Web Panel Login Exploit Detected on NetworkDefense EvasionT12029
Running Config ChangeDefense EvasionT1562.0046
Running Config Change: with login infoDefense EvasionT1562.0046
Server Installed Software ChangeDefense EvasionT1218.0016
Startup Config ChangeDefense EvasionT1562.0046
Startup Config Change: with loginDefense EvasionT1562.0046
Uncommon AWS Console Login Defense EvasionT1484.0017
Uncommon Azure Portal LoginDefense EvasionT1484.0017
Uncommon GSuite Login Defense EvasionT1484.0017
Uncommon Linux SSH Login Defense EvasionT1484.0017
Uncommon Linux process CreatedDefense EvasionT1484.0017
Uncommon Office365 Mail Login Defense EvasionT1484.0017
Uncommon Server LoginDefense EvasionT1484.0017
Uncommon VPN Login Defense EvasionT1484.0017
Uncommon Windows Service Defense EvasionT1484.0017
Uncommon Windows process CreatedDefense EvasionT1484.0017
Uncommon Windows process via Sysmon Defense EvasionT1484.0017
Windows Audit Policy ChangedDefense EvasionT1562.0037
Windows Logging Service ShutdownDefense EvasionT1562.0029
Windows Process with deleted binariesDefense EvasionT1070.0048
Windows Security Log ClearedDefense EvasionT1070.0019
Windows Security Log is FullDefense EvasionT1070.0019
Windows: AD Object WriteDAC AccessDefense EvasionT1222.0019
Windows: Abuse of Service Permissions to Hide Services Via Set-ServiceDefense EvasionT1574.0117
Windows: Abusing Findstr for Defense EvasionDefense EvasionT1564.0045
Windows: Add SafeBoot Keys Via Reg UtilityDefense EvasionT1562.0017
Windows: Admin User Remote LogonDefense EvasionT1078.0033
Windows: Always Install Elevated MSI Spawned Cmd And PowershellDefense EvasionT1548.0025
Windows: Always Install Elevated Windows InstallerDefense EvasionT1548.0025
Windows: Application Whitelisting Bypass via BginfoDefense EvasionT12025
Windows: Application Whitelisting Bypass via DLL Loaded by odbcconf.exeDefense EvasionT1218.0085
Windows: Application Whitelisting Bypass via Dnx.exeDefense EvasionT1027.0045
Windows: Arbitrary Command Execution Using WSLDefense EvasionT12025
Windows: Aruba Network Service Potential DLL SideloadingDefense EvasionT1574.0027
Windows: Audit Policy Tampering Via AuditpolDefense EvasionT1562.0027
Windows: Audit Policy Tampering Via NT Resource Kit AuditpolDefense EvasionT1562.0027
Windows: BITS Transfer Job Download From Direct IPDefense EvasionT11977
Windows: BITS Transfer Job Download From File Sharing DomainsDefense EvasionT11977
Windows: BITS Transfer Job Download To Potential Suspicious FolderDefense EvasionT11977
Windows: BITS Transfer Job Downloading File Potential Suspicious ExtensionDefense EvasionT11975
Windows: BITS Transfer Job With Uncommon Or Suspicious Remote TLDDefense EvasionT11975
Windows: Backup Catalog DeletedDefense EvasionT1070.0045
Windows: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsDefense EvasionT1218.0117
Windows: Bypass UAC via CMSTPDefense EvasionT1548.0027
Windows: Bypass UAC via WSReset.exeDefense EvasionT1548.0027
Windows: CMSTP Execution Process CreationDefense EvasionT1218.0037
Windows: CMSTP Execution Registry EventDefense EvasionT1218.0037
Windows: CMSTP UAC Bypass via COM Object AccessDefense EvasionT1548.0027
Windows: CleanWipe UsageDefense EvasionT1562.0015
Windows: Cmstp Making Network ConnectionDefense EvasionT1218.0037
Windows: Cobalt Strike Load by Rundll32Defense EvasionT1218.0117
Windows: CobaltStrike BOF Injection PatternDefense EvasionT1562.0017
Windows: Code Execution via Pcwutl.dllDefense EvasionT1218.0115
Windows: Conhost Parent Process ExecutionsDefense EvasionT12025
Windows: Control Panel ItemsDefense EvasionT1218.0027
Windows: Creation Of Non-Existent System DLLDefense EvasionT1574.0025
Windows: Creation of an WerFault.exe in Unusual FolderDefense EvasionT1574.0017
Windows: DHCP Server Error Failed Loading the CallOut DLLDefense EvasionT1574.0027
Windows: DHCP Server Loaded the CallOut DLL Defense EvasionT1574.0029
Windows: DLL Loaded From Suspicious Location Via Cmspt.EXEDefense EvasionT1218.0037
Windows: DLL Search Order Hijackig Via Additional Space in PathDefense EvasionT1574.0027
Windows: DLL Sideloading Of ShellChromeAPI.DLLDefense EvasionT1574.0027
Windows: DLL Sideloading by Microsoft DefenderDefense EvasionT1574.0027
Windows: DLL Sideloading by VMware Xfer UtilityDefense EvasionT1574.0027
Windows: Detect Virtualbox Driver Installation OR Starting Of VMsDefense EvasionT1564.0063
Windows: Directory Removal Via RmdirDefense EvasionT1070.0043
Windows: Disable Security Events Logging Adding Reg Key MiniNtDefense EvasionT1562.0017
Windows: Disable Windows Defender AV Security MonitoringDefense EvasionT1562.0017
Windows: Disable Windows IIS HTTP LoggingDefense EvasionT1562.0027
Windows: Disable of ETW TraceDefense EvasionT1562.0067
Windows: Disabled IE Security FeaturesDefense EvasionT1562.0017
Windows: Disabled RestrictedAdminMode For RDS - ProcCreationDefense EvasionT11127
Windows: Disabled Volume SnapshotsDefense EvasionT1562.0017
Windows: Disabling Windows Event AuditingDefense EvasionT1562.0027
Windows: Dism Remove Online PackageDefense EvasionT1562.0015
Windows: DllUnregisterServer Function Call Via Msiexec.EXEDefense EvasionT1218.0075
Windows: Dynamic C Sharp Compile ArtefactDefense EvasionT1027.0043
Windows: EVTX Created In Uncommon LocationDefense EvasionT1562.0025
Windows: Empire PowerShell UAC Bypass Defense EvasionT1548.0029
Windows: Eventlog ClearedDefense EvasionT1070.0015
Windows: Execute Arbitrary Commands Using MSDT.EXE: V1Defense EvasionT12027
Windows: Execute From Alternate Data StreamsDefense EvasionT1564.0045
Windows: Explorer NOUACCHECK FlagDefense EvasionT1548.0027
Windows: F-Secure C3 Load by Rundll32Defense EvasionT1218.0119
Windows: Failed Code Integrity Checks Defense EvasionT1027.0013
Windows: Fax Service DLL Search Order HijackDefense EvasionT1574.0027
Windows: File Deletion Via DelDefense EvasionT1070.0043
Windows: File Download Via BitsadminDefense EvasionT11975
Windows: File Download Via Bitsadmin To A Suspicious Target FolderDefense EvasionT11977
Windows: File Download Via Bitsadmin To An Uncommon Target FolderDefense EvasionT11975
Windows: File With Suspicious Extension Downloaded Via BitsadminDefense EvasionT11977
Windows: File or Folder Permissions ModificationsDefense EvasionT1222.0015
Windows: Files With System Process Name In Unsuspected LocationsDefense EvasionT1036.0057
Windows: Filter Driver Unloaded Via Fltmc.EXEDefense EvasionT1562.0027
Windows: Findstr Launching .lnk FileDefense EvasionT12025
Windows: Firewall Disabled via Netsh.EXEDefense EvasionT1562.0045
Windows: Firewall Rule Deleted Via Netsh.EXEDefense EvasionT1562.0045
Windows: FlowCloud MalwareDefense EvasionT11129
Windows: FromBase64String Command Line Defense EvasionT11407
Windows: Greedy File Deletion Using DelDefense EvasionT1070.0045
Windows: HH.EXE ExecutionDefense EvasionT1218.0015
Windows: HH.EXE Network ConnectionsDefense EvasionT1218.0015
Windows: HackTool - Covenant PowerShell LauncherDefense EvasionT1564.0037
Windows: HackTool - Impersonate ExecutionDefense EvasionT1134.0035
Windows: HackTool - PPID Spoofing SelectMyParent Tool ExecutionDefense EvasionT1134.0047
Windows: HackTool - PowerTool ExecutionDefense EvasionT1562.0017
Windows: HackTool - RedMimicry Winnti Playbook ExecutionDefense EvasionT1218.0117
Windows: HackTool - SharpEvtMute DLL LoadDefense EvasionT1562.0027
Windows: HackTool - SharpEvtMute ExecutionDefense EvasionT1562.0027
Windows: HackTool - SharpImpersonation ExecutionDefense EvasionT1134.0037
Windows: HackTool - SharpUp PrivEsc Tool ExecutionDefense EvasionT1574.0059
Windows: HackTool - Stracciatella ExecutionDefense EvasionT1562.0017
Windows: Hacktool RulerDefense EvasionT1550.0027
Windows: Hiding Files with Attrib.exeDefense EvasionT1564.0015
Windows: High Integrity Sdclt ProcessDefense EvasionT1548.0025
Windows: Imports Registry Key From a FileDefense EvasionT11125
Windows: Imports Registry Key From an ADSDefense EvasionT11127
Windows: LOLBIN Execution Of The FTP.EXE BinaryDefense EvasionT12025
Windows: Launch-VsDevShell.PS1 Proxy ExecutionDefense EvasionT1216.0015
Windows: Load Undocumented Autoelevated COM InterfaceDefense EvasionT1548.0027
Windows: Lolbin Ssh.exe Use As ProxyDefense EvasionT12025
Windows: MSDT.exe Loading Diagnostic LibraryDefense EvasionT12027
Windows: MSHTA Suspicious Execution 01Defense EvasionT1218.0057
Windows: MSI Installation From WebDefense EvasionT1218.0075
Windows: Malicious DLL File Dropped in the Teams or OneDrive FolderDefense EvasionT1574.0027
Windows: Mavinject Inject DLL Into Running ProcessDefense EvasionT1055.0017
Windows: Meterpreter or Cobalt Strike Getsystem Service Installation - SystemDefense EvasionT1134.0029
Windows: Meterpreter or Cobalt Strike Service Installation: Security LogDefense EvasionT1134.0029
Windows: Microsoft Defender Blocked from Loading Unsigned DLLDefense EvasionT1574.0027
Windows: Microsoft Defender Loading DLL from Nondefault PathDefense EvasionT1574.0027
Windows: Microsoft Malware Protection Engine CrashDefense EvasionT1562.0017
Windows: Microsoft Malware Protection Engine Crash - WERDefense EvasionT1562.0017
Windows: Microsoft Office DLL SideloadDefense EvasionT1574.0027
Windows: Modify Group Policy SettingsDefense EvasionT1484.0015
Windows: Monitoring For Persistence Via BITSDefense EvasionT11975
Windows: MsiExec Web InstallDefense EvasionT1218.0075
Windows: Msiexec Initiated ConnectionDefense EvasionT1218.0075
Windows: Msiexec Quiet InstallationDefense EvasionT1218.0075
Windows: NTLMv1 Logon Between Client and ServerDefense EvasionT1550.0023
Windows: NetNTLM Downgrade AttackDefense EvasionT1562.0017
Windows: NetNTLM Downgrade Attack - RegistryDefense EvasionT1562.0017
Windows: Netsh Allow Group Policy on Microsoft Defender FirewallDefense EvasionT1562.0045
Windows: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXEDefense EvasionT1574.0027
Windows: New Firewall Rule Added Via Netsh.EXEDefense EvasionT1562.0045
Windows: New Root Certificate Installed Via CertMgr.EXEDefense EvasionT1553.0045
Windows: New Root Certificate Installed Via Certutil.EXEDefense EvasionT1553.0045
Windows: Non-privileged Usage of Reg or PowershellDefense EvasionT11127
Windows: OceanLotus Registry ActivityDefense EvasionT11129
Windows: Outbound Network Connection To Public IP Via WinlogonDefense EvasionT1218.0115
Windows: Outlook EnableUnsafeClientMailRules Setting EnabledDefense EvasionT12027
Windows: PUA - DefenderCheck ExecutionDefense EvasionT1027.0057
Windows: PUA - Potential PE Metadata Tamper Using RceditDefense EvasionT1036.0035
Windows: Pass the Hash Activity 2Defense EvasionT1550.0025
Windows: Ping Hex IPDefense EvasionT11407
Windows: Pingback Backdoor DLL Loading ActivityDefense EvasionT1574.0017
Windows: Possible DC Shadow AttackDefense EvasionT12075
Windows: Possible Privilege Escalation via Weak Service PermissionsDefense EvasionT1574.0117
Windows: Possible Process Hollowing Image Loading Defense EvasionT1574.0027
Windows: Potential AMSI Bypass Using NULL BitsDefense EvasionT1562.0015
Windows: Potential AMSI Bypass Via .NET ReflectionDefense EvasionT1562.0017
Windows: Potential Access Token AbuseDefense EvasionT1134.0015
Windows: Potential Antivirus Software DLL SideloadingDefense EvasionT1574.0025
Windows: Potential Arbitrary DLL Load Using WinwordDefense EvasionT12025
Windows: Potential Arbitrary File Download Using Office ApplicationDefense EvasionT12025
Windows: Potential Azure Browser SSO AbuseDefense EvasionT1574.0023
Windows: Potential Chrome Frame Helper DLL SideloadingDefense EvasionT1574.0025
Windows: Potential DLL Injection Or Execution Using Tracker.exeDefense EvasionT1055.0015
Windows: Potential DLL Sideloading Of DBGCORE.DLLDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Of DBGHELP.DLLDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXEDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Of Non-Existent DLLs From System FoldersDefense EvasionT1574.0027
Windows: Potential DLL Sideloading Via ClassicExplorer32.dllDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Via DeviceEnroller.EXEDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Via JsSchHlpDefense EvasionT1574.0025
Windows: Potential DLL Sideloading Via VMware XferDefense EvasionT1574.0027
Windows: Potential DLL Sideloading Via comctl32.dllDefense EvasionT1574.0027
Windows: Potential Defense Evasion Via Binary RenameDefense EvasionT1036.0035
Windows: Potential Defense Evasion Via Rename Of Highly Relevant BinariesDefense EvasionT1036.0037
Windows: Potential Defense Evasion Via Right-to-Left OverrideDefense EvasionT1036.0027
Windows: Potential Goopdate.DLL SideloadingDefense EvasionT1574.0025
Windows: Potential Homoglyph Attack Using Lookalike CharactersDefense EvasionT1036.0035
Windows: Potential Homoglyph Attack Using Lookalike Characters in FilenameDefense EvasionT1036.0035
Windows: Potential Initial Access via DLL Search Order HijackingDefense EvasionT1574.0015
Windows: Potential Iviewers.DLL SideloadingDefense EvasionT1574.0027
Windows: Potential LethalHTA Technique ExecutionDefense EvasionT1218.0057
Windows: Potential Libvlc.DLL SideloadingDefense EvasionT1574.0025
Windows: Potential Meterpreter/CobaltStrike ActivityDefense EvasionT1134.0027
Windows: Potential MsiExec MasqueradingDefense EvasionT1036.0057
Windows: Potential NT API Stub PatchingDefense EvasionT1562.0025
Windows: Potential Persistence Attempt Via Existing Service TamperingDefense EvasionT1574.0115
Windows: Potential PowerShell Execution Via DLLDefense EvasionT1218.0117
Windows: Potential Privilege Escalation via Service Permissions WeaknessDefense EvasionT1574.0117
Windows: Potential Privileged System Service Operation - SeLoadDriverPrivilegeDefense EvasionT1562.0015
Windows: Potential Qakbot Registry ActivityDefense EvasionT11127
Windows: Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXEDefense EvasionT1542.0035
Windows: Potential Rcdll.DLL SideloadingDefense EvasionT1574.0027
Windows: Potential RoboForm.DLL SideloadingDefense EvasionT1574.0025
Windows: Potential Rundll32 Execution With DLL Stored In ADSDefense EvasionT1564.0047
Windows: Potential SolidPDFCreator.DLL SideloadingDefense EvasionT1574.0025
Windows: Potential SquiblyTwo Technique ExecutionDefense EvasionT12205
Windows: Potential Suspicious Activity Using SeCEditDefense EvasionT1574.0075
Windows: Potential Suspicious Registry File Imported Via Reg.EXEDefense EvasionT11125
Windows: Potential Svchost Memory AccessDefense EvasionT1562.0027
Windows: Potential Tampering With RDP Related Registry Keys Via Reg.EXEDefense EvasionT11127
Windows: Potential Tampering With Security Products Via WMICDefense EvasionT1562.0017
Windows: Potential Wazuh Security Platform DLL SideloadingDefense EvasionT1574.0025
Windows: PowerShell Base64 Encoded FromBase64String CmdletDefense EvasionT11407
Windows: PowerShell Encoded Character Syntax Defense EvasionT1027.003,T1132.0017
Windows: Powershell Base64 Encoded MpPreference CmdletDefense EvasionT1562.0017
Windows: Powershell Defender Disable Scan FeatureDefense EvasionT1562.0017
Windows: Powershell Defender ExclusionDefense EvasionT1562.0015
Windows: Powerup Write Hijack DLLDefense EvasionT1574.0017
Windows: PrintBrm ZIP Creation of ExtractionDefense EvasionT1564.0047
Windows: Process Access via TrolleyExpress ExclusionDefense EvasionT1218.0117
Windows: Pubprn.vbs Proxy ExecutionDefense EvasionT1216.0015
Windows: Python Py2Exe Image LoadDefense EvasionT1027.0025
Windows: RDP Connection Allowed Via Netsh.EXEDefense EvasionT1562.0047
Windows: Raccine UninstallDefense EvasionT1562.0017
Windows: RedMimicry Winnti Playbook Registry ManipulationDefense EvasionT11127
Windows: Reg Add Suspicious PathsDefense EvasionT1562.0017
Windows: Reg Disable Security ServiceDefense EvasionT1562.0017
Windows: Regasm/Regsvcs Suspicious ExecutionDefense EvasionT1218.0097
Windows: Registry Entries For Azorult MalwareDefense EvasionT11129
Windows: Registry Modification Via Regini.EXEDefense EvasionT11123
Windows: Regsvr32 AnomalyDefense EvasionT1218.0107
Windows: Regsvr32 Flags AnomalyDefense EvasionT1218.0107
Windows: Remote CHM File Download/Execution Via HH.EXEDefense EvasionT1218.0017
Windows: Remotely Hosted HTA File Executed Via Mshta.EXEDefense EvasionT1218.0057
Windows: Renamed FTP.EXE ExecutionDefense EvasionT12025
Windows: Renamed Jusched.EXE ExecutionDefense EvasionT1036.0037
Windows: Renamed Mavinject.EXE ExecutionDefense EvasionT1055.0017
Windows: Renamed Msdt.EXE ExecutionDefense EvasionT1036.0037
Windows: Renamed PAExec ExecutionDefense EvasionT12027
Windows: Renamed ProcDump ExecutionDefense EvasionT1036.0037
Windows: Renamed Vmnat.exe ExecutionDefense EvasionT1574.0027
Windows: Renamed ZOHO Dctask64 ExecutionDefense EvasionT12027
Windows: Root Certificate Installed From Susp LocationsDefense EvasionT1553.0047
Windows: Run Once Task Configuration in RegistryDefense EvasionT11125
Windows: Run Once Task Execution as Configured in RegistryDefense EvasionT11123
Windows: Run PowerShell Script from ADSDefense EvasionT1564.0047
Windows: RunDLL32 Spawning ExplorerDefense EvasionT1218.0117
Windows: Rundll32 InstallScreenSaver ExecutionDefense EvasionT1218.0115
Windows: Rundll32 Internet ConnectionDefense EvasionT1218.0115
Windows: Rundll32 UNC Path ExecutionDefense EvasionT1218.0117
Windows: SCR File Write EventDefense EvasionT1218.0115
Windows: SafeBoot Registry Key Deleted Via Reg.EXEDefense EvasionT1562.0017
Windows: Sdclt Child ProcessesDefense EvasionT1548.0025
Windows: Secure Deletion with SDelete Defense EvasionT1070.004,T1027.0055
Windows: Security Event Log ClearedDefense EvasionT1070.0015
Windows: Service DACL Abuse To Hide Services Via Sc.EXEDefense EvasionT1574.0117
Windows: Service ImagePath Change with Reg.exeDefense EvasionT1574.0115
Windows: Service Registry Key Deleted Via Reg.EXEDefense EvasionT1562.0017
Windows: Service Security Descriptor Tampering Via Sc.EXEDefense EvasionT1574.0115
Windows: Service StartupType Change Via PowerShell Set-ServiceDefense EvasionT1562.0015
Windows: Service StartupType Change Via Sc.EXEDefense EvasionT1562.0015
Windows: Set Files as System Files Using Attrib.EXEDefense EvasionT1564.0013
Windows: Set Suspicious Files as System Files Using Attrib.EXEDefense EvasionT1564.0017
Windows: Shell Open Registry Keys ManipulationDefense EvasionT1548.0027
Windows: Shell32 DLL Execution in Suspicious DirectoryDefense EvasionT1218.0117
Windows: ShimCache FlushDefense EvasionT11127
Windows: Silenttrinity Stager Msbuild ActivityDefense EvasionT1127.0017
Windows: Successful Overpass the Hash AttemptDefense EvasionT1550.0027
Windows: Suspicious Cabinet File Execution Via Msdt.EXEDefense EvasionT12025
Windows: Suspicious Call by OrdinalDefense EvasionT1218.0117
Windows: Suspicious Child Process Created as SystemDefense EvasionT1134.0027
Windows: Suspicious Cmdl32 ExecutionDefense EvasionT12025
Windows: Suspicious Commandline Escape Defense EvasionT11403
Windows: Suspicious Control Panel DLL LoadDefense EvasionT1218.0117
Windows: Suspicious Copy From or To System32Defense EvasionT1036.0035
Windows: Suspicious Csc.exe Source File FolderDefense EvasionT1027.0045
Windows: Suspicious Diantz Alternate Data Stream ExecutionDefense EvasionT1564.0045
Windows: Suspicious Download From Direct IP Via BitsadminDefense EvasionT11977
Windows: Suspicious Download From File-Sharing Website Via BitsadminDefense EvasionT11977
Windows: Suspicious Eventlog Clear or Configuration ChangeDefense EvasionT1562.0027
Windows: Suspicious Explorer Child Of Regsvr32Defense EvasionT1218.0107
Windows: Suspicious Extrac32 Alternate Data Stream ExecutionDefense EvasionT1564.0045
Windows: Suspicious Files in Default GPO FolderDefense EvasionT1036.0055
Windows: Suspicious GUP UsageDefense EvasionT1574.0027
Windows: Suspicious High IntegrityLevel Conhost Legacy OptionDefense EvasionT12021
Windows: Suspicious JavaScript Execution Via Mshta.EXEDefense EvasionT1218.0057
Windows: Suspicious MSHTA Child ProcessDefense EvasionT1218.0057
Windows: Suspicious Microsoft Office Child ProcessDefense EvasionT1218.0107
Windows: Suspicious MsiExec Embedding ParentDefense EvasionT1218.0075
Windows: Suspicious Msiexec Execute Arbitrary DLLDefense EvasionT1218.0075
Windows: Suspicious Msiexec Quiet Install From Remote LocationDefense EvasionT1218.0075
Windows: Suspicious Outbound Kerberos ConnectionDefense EvasionT1550.0037
Windows: Suspicious PROCEXP152.sys File Created In TMPDefense EvasionT1562.0015
Windows: Suspicious Parent of Csc.exeDefense EvasionT1218.0057
Windows: Suspicious Ping/Del Command CombinationDefense EvasionT1070.0047
Windows: Suspicious Program Location Whitelisted In Firewall Via Netsh.EXEDefense EvasionT1562.0047
Windows: Suspicious Recursif TakeownDefense EvasionT1222.0015
Windows: Suspicious Registry Modification From ADS Via Regini.EXEDefense EvasionT11127
Windows: Suspicious Regsvr32 Execution From Remote ShareDefense EvasionT1218.0107
Windows: Suspicious Regsvr32 Execution With Image ExtensionDefense EvasionT1218.0107
Windows: Suspicious Regsvr32 HTTP IP PatternDefense EvasionT1218.0107
Windows: Suspicious Remote Child Process From OutlookDefense EvasionT12027
Windows: Suspicious Rundll32 ActivityDefense EvasionT1218.0115
Windows: Suspicious Rundll32 Activity Invoking Sys FileDefense EvasionT1218.0117
Windows: Suspicious Rundll32 Execution With Image ExtensionDefense EvasionT1218.0117
Windows: Suspicious Rundll32 Setupapi.dll ActivityDefense EvasionT1218.0115
Windows: Suspicious Rundll32 Without Any CommandLine ParamsDefense EvasionT12027
Windows: Suspicious Runscripthelper.exeDefense EvasionT12025
Windows: Suspicious Subsystem for Linux Bash ExecutionDefense EvasionT12025
Windows: Suspicious Svchost ProcessDefense EvasionT1036.0057
Windows: Suspicious Task Added by BitsadminDefense EvasionT11973
Windows: Suspicious Task Added by PowershellDefense EvasionT11973
Windows: Suspicious VBoxDrvInst.exe ParametersDefense EvasionT11125
Windows: Suspicious WMIC Execution Via Office ProcessDefense EvasionT1218.0107
Windows: Suspicious Windows Defender Folder Exclusion Added Via Reg.EXEDefense EvasionT1562.0015
Windows: Suspicious Windows Defender Registry Key Tampering Via Reg.EXEDefense EvasionT1562.0017
Windows: Suspicious Windows Trace ETW Session Tamper Via Logman.EXEDefense EvasionT1562.0017
Windows: Suspicious WmiPrvSE Child ProcessDefense EvasionT1218.0107
Windows: Suspicious XOR Encoded PowerShell CommandDefense EvasionT11405
Windows: Suspicious ZipExec ExecutionDefense EvasionT12025
Windows: Svchost DLL Search Order Hijack Defense EvasionT1574.001,T1574.0027
Windows: Sysinternals PsSuspend Suspicious ExecutionDefense EvasionT1562.0017
Windows: Sysmon Channel Reference DeletionDefense EvasionT11127
Windows: Sysmon Configuration UpdateDefense EvasionT1562.0015
Windows: Sysmon Driver Unloaded Via Fltmc.EXEDefense EvasionT1562.0027
Windows: SysmonEnte UsageDefense EvasionT1562.0027
Windows: System Eventlog ClearedDefense EvasionT1070.0017
Windows: Tamper Windows Defender Remove-MpPreferenceDefense EvasionT1562.0017
Windows: Taskkill Symantec Endpoint ProtectionDefense EvasionT1562.0017
Windows: Tasks Folder Evasion Defense EvasionT1574.0027
Windows: Third Party Software DLL SideloadingDefense EvasionT1574.0025
Windows: TrustedPath UAC Bypass PatternDefense EvasionT1548.0029
Windows: UAC Bypass Abusing Winsat Path Parsing - FileDefense EvasionT1548.0027
Windows: UAC Bypass Tool UACMe AkagiDefense EvasionT1548.0027
Windows: UAC Bypass Using .NET Code Profiler on MMCDefense EvasionT1548.0027
Windows: UAC Bypass Using ChangePK and SLUIDefense EvasionT1548.0027
Windows: UAC Bypass Using ComputerDefaultsDefense EvasionT1548.0027
Windows: UAC Bypass Using Consent and Comctl32 - FileDefense EvasionT1548.0027
Windows: UAC Bypass Using Consent and Comctl32 - ProcessDefense EvasionT1548.0027
Windows: UAC Bypass Using Disk CleanupDefense EvasionT1548.0027
Windows: UAC Bypass Using DismHostDefense EvasionT1548.0027
Windows: UAC Bypass Using IDiagnostic ProfileDefense EvasionT1548.0027
Windows: UAC Bypass Using IDiagnostic Profile - FileDefense EvasionT1548.0027
Windows: UAC Bypass Using IEInstal - FileDefense EvasionT1548.0027
Windows: UAC Bypass Using IEInstal - ProcessDefense EvasionT1548.0027
Windows: UAC Bypass Using Iscsicpl - ImageLoadDefense EvasionT1548.0027
Windows: UAC Bypass Using MSConfig Token Modification - FileDefense EvasionT1548.0027
Windows: UAC Bypass Using MSConfig Token Modification - ProcessDefense EvasionT1548.0027
Windows: UAC Bypass Using NTFS Reparse Point - FileDefense EvasionT1548.0027
Windows: UAC Bypass Using NTFS Reparse Point - ProcessDefense EvasionT1548.0027
Windows: UAC Bypass Using PkgMgr and DISMDefense EvasionT1548.0027
Windows: UAC Bypass Using WOW64 Logger DLL HijackDefense EvasionT1548.0027
Windows: UAC Bypass Using Windows Media Player - FileDefense EvasionT1548.0027
Windows: UAC Bypass Via WsresetDefense EvasionT1548.0027
Windows: UAC Bypass WSResetDefense EvasionT1548.0027
Windows: UAC Bypass With Fake DLLDefense EvasionT1574.0027
Windows: UAC Bypass via Event ViewerDefense EvasionT1548.0027
Windows: UAC Bypass via ICMLuaUtilDefense EvasionT1548.0027
Windows: UEFI Persistence Via Wpbbin - FileCreationDefense EvasionT1542.0017
Windows: UEFI Persistence Via Wpbbin - ProcessCreationDefense EvasionT1542.0017
Windows: Unauthorized System Time ModificationDefense EvasionT1070.0063
Windows: Uninstall Crowdstrike FalconDefense EvasionT1562.0015
Windows: Uninstall Sysinternals SysmonDefense EvasionT1562.0017
Windows: Unmount Share Via Net.EXEDefense EvasionT1070.0053
Windows: Unsigned Binary Loaded From Suspicious LocationDefense EvasionT1574.0027
Windows: Use Icacls to Hide File to EveryoneDefense EvasionT1564.0015
Windows: Use NTFS Short Name in Command LineDefense EvasionT1564.0045
Windows: Use NTFS Short Name in ImageDefense EvasionT1564.0047
Windows: Use Short Name Path in Command LineDefense EvasionT1564.0045
Windows: Use Short Name Path in ImageDefense EvasionT1564.0045
Windows: Use of Setres.exeDefense EvasionT12025
Windows: Using SettingSyncHost.exe as LOLBinDefense EvasionT1574.0087
Windows: VMGuestLib DLL SideloadDefense EvasionT1574.0025
Windows: Visual Basic Command Line Compiler UsageDefense EvasionT1027.0047
Windows: VsCode Child Process AnomalyDefense EvasionT12025
Windows: WMIC Loading Scripting LibrariesDefense EvasionT12207
Windows: WSL Child Process AnomalyDefense EvasionT12025
Windows: Wdigest CredGuard Registry ModificationDefense EvasionT11127
Windows: WinDivert Driver LoadDefense EvasionT1599.0017
Windows: Windows Binary Executed From WSLDefense EvasionT12025
Windows: Windows Defender Definition Files RemovedDefense EvasionT1562.0015
Windows: Windows Defender Download Activity Defense EvasionT1218.0107
Windows: Windows Defender Exclusion Set Defense EvasionT1562.0017
Windows: Windows Defender Threat Detection Disabled - ServiceDefense EvasionT1562.0013
Windows: Windows Processes Suspicious Parent DirectoryDefense EvasionT1036.0053
Windows: Writing Of Malicious Files To The Fonts FolderDefense EvasionT12115
Windows: XSL Script ProcessingDefense EvasionT12205
Windows: Xwizard DLL SideloadingDefense EvasionT1574.0027
Windows: ZOHO Dctask64 Process InjectionDefense EvasionT1055.0017

Credential Access

Name Tactic Technique Severity
Failed VPN Logon From Outside My Country Credential AccessT1110.0017
Logon Time Restriction Violation Credential AccessT1110.0018
Multiple Logon Failures: Same Src and Dest and Multiple Accounts Credential AccessT1110.0019
Multiple Logon Failures: Same Src and Multiple Dest Credential AccessT1110.0019
Multiple Logon Failures: VPN Credential AccessT1110.0016
Repeated Multiple Logon Failures: VPN Credential AccessT1110.0019
Successful VPN Logon From Outside My Country Credential AccessT1110.0017
ARP ExploitCredential AccessT1557.0027
AWS Access Secret in Secrets Manager Credential AccessT15287
AWS IAM Brute Force of Assume Role Policy Credential AccessT1110.0017
AWS Management Console Brute Force of Root User Identity Credential AccessT1110.00110
AWS SecHub: Tactics: Credential Access DetectedCredential Accessnone8
Account Locked: DomainCredential AccessT1110.0016
Account Locked: FortiSIEMCredential AccessT1110.0019
Account Locked: Network DeviceCredential AccessT1110.0019
Account Locked: ServerCredential AccessT1110.0018
Azure Key Vault Modified Credential AccessT1552.0019
Azure Storage Account Key Regenerated Credential AccessT15283
Brute Force App Login Success Credential AccessT1110.0019
Brute Force Host Login Success Credential AccessT1110.0019
Cisco Call Manager EMCC Login FailureCredential AccessT1110.0017
Cisco CallManager Excessive Authentication Failure Credential AccessT1110.0017
Concurrent Failed Authentications To Same Account From Multiple CitiesCredential AccessT1110.0017
Concurrent Failed Authentications To Same Account From Multiple CountriesCredential AccessT1110.0019
Concurrent Successful Authentications To Same Account From Multiple CitiesCredential AccessT1110.0017
Concurrent Successful Authentications To Same Account From Multiple CountriesCredential AccessT1110.0019
Concurrent Successful VPN Authentications To Same Account From Different CountriesCredential AccessT1110.0019
Crowdstrike: Credential Theft DetectedCredential Accessnone8
CyberArk Vault Blocked OperationsCredential Accessnone8
CyberArk Vault CPM Password DisabledCredential Accessnone8
CyberArk Vault Excessive Failed PSM ConnectionsCredential Accessnone8
CyberArk Vault Excessive ImpersonationsCredential Accessnone8
CyberArk Vault Excessive PSM Keystroke Logging FailureCredential Accessnone8
CyberArk Vault Excessive PSM Session Monitoring FailureCredential AccessT1110.0018
CyberArk Vault Excessive Password Release FailureCredential AccessT1110.0018
CyberArk Vault File Operation FailureCredential Accessnone8
CyberArk Vault Object Content Validation FailureCredential Accessnone8
CyberArk Vault Unauthorized User StationsCredential Accessnone8
Disabled Windows Account Logon AttemptsCredential AccessT1110.0019
Failed Account Activity On Prior Disabled AccountCredential AccessT1110.0018
Identity Spoofing ExploitCredential AccessT1557.0027
Inbound insecure protocol traffic detectedCredential AccessT1552.0017
Linux: Network Sniffing via Tcpdump Credential AccessT10405
Linux: Searching for Passwords in Files Credential AccessT1552.0015
MS 365 Defender: LSASS Memory - Credential Access AlertCredential AccessT1003.0019
MS 365 Defender: OS Credential Dumping - Suspicious Activity AlertCredential AccessT1003.0079
Multiple Login Failures: Net DeviceCredential AccessT1110.0019
Multiple Login Failures: Net Device: No Source IPCredential AccessT1110.0019
Multiple Logon Failures: DatabaseCredential AccessT1110.0019
Multiple Logon Failures: DomainCredential AccessT1110.0014
Multiple Logon Failures: Misc AppCredential AccessT1110.0016
Multiple Logon Failures: ServerCredential AccessT1110.0017
Multiple Logon Failures: WLANCredential AccessT1110.0016
Multiple Logon Failures: Web ServerCredential AccessT1110.0017
Multiple Privileged Logon Failures: ServerCredential AccessT1110.0019
Office365: Brute Force Login Attempts - Same SourceCredential AccessT1110.0037
Office365: Brute Force Login Attempts - Same UserCredential AccessT1110.0017
Office365: Brute Force Logon SuccessCredential AccessT1110.0039
Outbound insecure protocol traffic from non guest network detectedCredential AccessT1552.0017
Possible Consent Grant Attack via Azure-Registered Application Credential AccessT15287
Repeated Multiple Login Failures: Net DeviceCredential AccessT1110.0019
Repeated Multiple Logon Failures: DatabaseCredential AccessT1110.0019
Repeated Multiple Logon Failures: DomainCredential AccessT1110.0019
Repeated Multiple Logon Failures: Misc AppCredential AccessT1110.0019
Repeated Multiple Logon Failures: ServerCredential AccessT1110.0019
Repeated Multiple Logon Failures: WLANCredential AccessT1110.0019
Repeated Multiple Logon Failures: Web ServerCredential AccessT1110.0019
Replay ExploitCredential AccessT1557.0027
Session Hijacking ExploitCredential AccessT1557.0027
Successful Account Activity On a Prior Disabled AccountCredential AccessT1110.0018
Successful Windows Dormant Account LogonCredential AccessT1110.0017
Sudden User Location ChangeCredential Accessnone9
Suspicious Logon Failure without following successful loginCredential AccessT1110.0018
Suspicious logon attempt Credential AccessT1110.0019
Windows: Active Directory Database Snapshot Via ADExplorerCredential AccessT1552.0015
Windows: Active Directory Replication from Non Machine AccountCredential AccessT1003.0069
Windows: Automated Collection Command PromptCredential AccessT1552.0015
Windows: Copying Sensitive Files with Credential DataCredential AccessT1003.0037
Windows: CrackMapExec File Creation PatternsCredential AccessT1003.0017
Windows: CreateDump Process DumpCredential AccessT1003.0017
Windows: Cred Dump Tools Dropped FilesCredential AccessT1003.0057
Windows: Credential Dumping Tools Accessing LSASS MemoryCredential AccessT1003.0017
Windows: Credential Dumping by LaZagneCredential AccessT1003.0019
Windows: Credential Dumping by PypykatzCredential AccessT1003.0019
Windows: DPAPI Domain Backup Key ExtractionCredential AccessT1003.0047
Windows: DPAPI Domain Master Key Backup AttemptCredential AccessT1003.0045
Windows: Dropping Of Password Filter DLLCredential AccessT1556.0025
Windows: DumpMinitool ExecutionCredential AccessT1003.0015
Windows: Dumping Process via Sqldumper.exeCredential AccessT1003.0015
Windows: Dumping of Sensitive Hives Via Reg.EXECredential AccessT1003.0057
Windows: Enumeration for 3rd Party Creds From CLICredential AccessT1552.0025
Windows: Enumeration for Credentials in RegistryCredential AccessT1552.0025
Windows: Esentutl Gather CredentialsCredential AccessT1003.0035
Windows: Esentutl Volume Shadow Copy Service KeysCredential AccessT1003.0027
Windows: Failed to execute Privileged Service LsaRegisterLogonProcessCredential AccessT1558.0037
Windows: Findstr GPP PasswordsCredential AccessT1552.0067
Windows: Findstr LSASSCredential AccessT1552.0067
Windows: Generic Password Dumper Activity on LSASSCredential AccessT1003.0017
Windows: HackTool - CrackMapExec Process PatternsCredential AccessT1003.0017
Windows: HackTool - CreateMiniDump ExecutionCredential AccessT1003.0017
Windows: HackTool - Dumpert Process Dumper Default FileCredential AccessT1003.0019
Windows: HackTool - Dumpert Process Dumper ExecutionCredential AccessT1003.0019
Windows: HackTool - HandleKatz LSASS Dumper ExecutionCredential AccessT1003.0017
Windows: HackTool - Inveigh ExecutionCredential AccessT1003.0019
Windows: HackTool - KrbRelay ExecutionCredential AccessT1558.0037
Windows: HackTool - KrbRelayUp ExecutionCredential AccessT1558.0037
Windows: HackTool - Mimikatz ExecutionCredential AccessT1003.0067
Windows: HackTool - Quarks PwDump ExecutionCredential AccessT1003.0027
Windows: HackTool - Rubeus ExecutionCredential AccessT1558.0039
Windows: HackTool - SafetyKatz ExecutionCredential AccessT1003.0019
Windows: HackTool - Windows Credential Editor WCE ExecutionCredential AccessT1003.0019
Windows: Harvesting Of Wifi Credentials Via Netsh.EXECredential AccessT10405
Windows: Hijack Legit RDP Session to Move Laterally Credential AccessT1557.0027
Windows: Hydra Password Guessing Hack ToolCredential AccessT1110.0017
Windows: Invocation of Active Directory Diagnostic Tool ntdsutil.exe Credential AccessT1003.0035
Windows: Kerberos ManipulationCredential AccessT12127
Windows: LSASS Access From Program in Potentially Suspicious FolderCredential AccessT1003.0015
Windows: LSASS Access from Non System AccountCredential AccessT1003.0017
Windows: LSASS Access from White-Listed ProcessesCredential AccessT1003.0017
Windows: LSASS Memory Access by Tool Named DumpCredential AccessT1003.0017
Windows: LSASS Memory DumpCredential AccessT1003.0017
Windows: LSASS Memory Dump File CreationCredential AccessT1003.0017
Windows: LSASS Memory DumpingCredential AccessT1003.0017
Windows: LSASS Process Dump Artefact In CrashDumps FolderCredential AccessT1003.0017
Windows: LSASS Process Memory Dump FilesCredential AccessT1003.0017
Windows: Load Of Dbghelp/Dbgcore DLL From Suspicious ProcessCredential AccessT1003.0017
Windows: Lsass Memory Dump via Comsvcs DLLCredential AccessT1003.0019
Windows: Mimikatz DC SyncCredential AccessT1003.0067
Windows: NTDS.DIT CreatedCredential AccessT1003.0033
Windows: NTDS.DIT Creation By Uncommon Parent ProcessCredential AccessT1003.0037
Windows: NTDS.DIT Creation By Uncommon ProcessCredential AccessT1003.0037
Windows: New Generic Credentials Added Via Cmdkey.EXECredential AccessT1003.0055
Windows: New Network Trace Capture Started Via Netsh.EXECredential AccessT10405
Windows: PUA - DIT Snapshot ViewerCredential AccessT1003.0037
Windows: PUA - WebBrowserPassView ExecutionCredential AccessT1555.0035
Windows: Password Cracking with HashcatCredential AccessT1110.0027
Windows: Password Dumper Activity on LSASSCredential AccessT1003.0017
Windows: Permission Misconfiguration Reconnaissance Via Findstr.EXECredential AccessT1552.0065
Windows: PetitPotam Suspicious Kerberos TGT RequestCredential AccessT11877
Windows: Possible Impacket SecretDump Remote ActivityCredential AccessT1003.0047
Windows: Possible PetitPotam Coerce Authentication AttemptCredential AccessT11877
Windows: Potential Browser Data StealingCredential AccessT1555.0035
Windows: Potential CVE-2021-42287 Exploitation AttemptCredential AccessT1558.0035
Windows: Potential Credential Dumping Attempt Via PowerShellCredential AccessT1003.0017
Windows: Potential Credential Dumping Via WERCredential AccessT1003.0017
Windows: Potential Credential Dumping Via WER - ApplicationCredential AccessT1003.0017
Windows: Potential LSASS Process Dump Via ProcdumpCredential AccessT1003.0017
Windows: Potential Network Sniffing Activity Using Network ToolsCredential AccessT10405
Windows: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXECredential AccessT1003.0057
Windows: Potential SAM Database DumpCredential AccessT1003.0027
Windows: Potential SPN Enumeration Via Setspn.EXECredential AccessT1558.0035
Windows: PowerShell Get-Process LSASSCredential AccessT1552.0047
Windows: PowerShell SAM CopyCredential AccessT1003.0027
Windows: Private Keys Reconnaissance Via CommandLine ToolsCredential AccessT1552.0045
Windows: Procdump EvasionCredential AccessT1003.0017
Windows: Procdump ExecutionCredential AccessT1003.0015
Windows: Process Dumping Via Comsvcs.DLLCredential AccessT1003.0017
Windows: Process Memory Dump via RdrLeakDiag.EXECredential AccessT1003.0017
Windows: QuarksPwDump Clearing Access HistoryCredential AccessT1003.0029
Windows: QuarksPwDump Dump FileCredential AccessT1003.0029
Windows: Rare GrantedAccess Flags on LSASS AccessCredential AccessT1003.0015
Windows: Register new Logon Process by Rubeus Credential AccessT1558.0039
Windows: Registry Parse with PypykatzCredential AccessT1003.0027
Windows: Renamed BrowserCore.EXE ExecutionCredential AccessT15287
Windows: Renamed CreateDump Utility ExecutionCredential AccessT1003.0017
Windows: SAM Dump to AppDataCredential AccessT1003.0027
Windows: SAM Registry Hive Handle Request Credential AccessT1012,T1552.0029
Windows: SQLite Chromium Profile Data DB AccessCredential AccessT1555.0037
Windows: SQLite Firefox Profile Data DB AccessCredential AccessT15397
Windows: SafetyKatz Default Dump FilenameCredential AccessT1003.0017
Windows: Shadow Copies Creation Using Operating Systems UtilitiesCredential AccessT1003.0035
Windows: SilentProcessExit Monitor Registration for LSASSCredential AccessT1003.0079
Windows: Suspicious Active Directory Database Snapshot Via ADExplorerCredential AccessT1552.0017
Windows: Suspicious Command With Teams Objects PathsCredential AccessT15287
Windows: Suspicious Dump64.exe ExecutionCredential AccessT1003.0017
Windows: Suspicious File Event With Teams ObjectsCredential AccessT15287
Windows: Suspicious GrantedAccess Flags on LSASS AccessCredential AccessT1003.0017
Windows: Suspicious Kerberos RC4 Ticket EncryptionCredential AccessT1558.0035
Windows: Suspicious Key Manager AccessCredential AccessT1555.0047
Windows: Suspicious LSASS Access Via MalSecLogonCredential AccessT1003.0017
Windows: Suspicious LSASS Process CloneCredential AccessT1003.0019
Windows: Suspicious NTDS Exfil Filename PatternsCredential AccessT1003.0037
Windows: Suspicious NTLM Authentication on the Printer Spooler ServiceCredential AccessT12127
Windows: Suspicious Office Token Search Via CLICredential AccessT15285
Windows: Suspicious PFX File CreationCredential AccessT1552.0045
Windows: Suspicious Process Patterns NTDS.DIT ExfilCredential AccessT1003.0037
Windows: Suspicious Rejected SMB Guest Logon From IPCredential AccessT1110.0015
Windows: Suspicious Renamed Comsvcs DLL Loaded By Rundll32Credential AccessT1003.0017
Windows: Suspicious SYSVOL Domain Group Policy AccessCredential AccessT1552.0065
Windows: Suspicious Teams Application Related ObjectAcess EventCredential AccessT15287
Windows: Suspicious Unattend.xml File AccessCredential AccessT1552.0015
Windows: Suspicious Unsigned Dbghelp/Dbgcore DLL LoadedCredential AccessT1003.0017
Windows: Suspicious Usage Of Active Directory Diagnostic Tool ntdsutil.exe Credential AccessT1003.0035
Windows: Time Travel Debugging Utility Usage: Sysmon V1Credential AccessT1003.0017
Windows: Time Travel Debugging Utility Usage: Sysmon V2Credential AccessT1003.0017
Windows: Transferring Files with Credential Data via Network Shares Credential AccessT1003.001,T1003.002,T1003.0035
Windows: Typical HiveNightmare SAM File ExportCredential AccessT1552.0017
Windows: Unsigned Image Loaded Into LSASS Process Credential AccessT1003.0015
Windows: Use of Adplus.exeCredential AccessT1003.0015
Windows: Use of PktMon.exeCredential AccessT10405
Windows: VSSAudit Security Event Source RegistrationCredential AccessT1003.0021
Windows: Volume Shadow Copy MountCredential AccessT1003.0023
Windows: VolumeShadowCopy Symlink Creation Via MklinkCredential AccessT1003.0037
Windows: WerFault Accessing LSASSCredential AccessT1003.0017
Windows: WerFault LSASS Process Memory DumpCredential AccessT1003.0017
Windows: Windows Credential Editor Install Via Registry Credential AccessT1003.0019
Windows: Windows Credential Manager Access via VaultCmdCredential AccessT1555.0045
Windows: Windows Pcap DriversCredential AccessT10405
Windows: XORDump UseCredential AccessT1003.0017
Wireless MITM attack detected by Network IPSCredential AccessT1557.0029

Discovery

Name Tactic Technique Severity
Heavy Half Open TCP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy Half Open TCP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0018
Heavy ICMP Ping sweep DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy TCP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy TCP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0018
Heavy UDP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy UDP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0019
AWS Instance or Snapshot DiscoveryDiscoveryT15803
AWS SecHub: Tactics: Discovery DetectedDiscoverynone7
Azure Infrastructure Discovery DiscoveryT15803
Azure Service Discovery DiscoveryT15263
Enumeration of System Information DiscoveryT10825
Heavy Half Open TCP Port Scan: Multiple DestinationsDiscoveryT10468
Heavy Half Open TCP Port Scan: Single DestinationDiscoveryT10467
Heavy TCP Port Scan: Multiple DestinationsDiscoveryT10468
Heavy TCP Port Scan: Single DestinationDiscoveryT10467
Heavy UDP Port Scan: Multiple HostsDiscoveryT10469
Heavy UDP Port Scan: Single HostDiscoveryT10467
Info Leak ExploitsDiscoverynone5
Invalid TCP Flags: High Intensity Discoverynone9
Invalid TCP Flags: Medium Intensity Discoverynone7
Linux Account Discovery via Built-In ToolsDiscoveryT1087.0015
Linux: Discovery of Domain Groups DiscoveryT1069.0025
Linux: Discovery of Network Environment via Built-in Tools DiscoveryT1016.0015
Linux: Hping Process Activity DiscoveryT10187
Linux: Kernel Module Enumeration DiscoveryT1518.0015
Linux: Process Discovery via Built-In Applications DiscoveryT1057,T1518.0015
Linux: System Network Connections Discovery DiscoveryT10495
Linux: User Discovery via Whoami DiscoveryT10335
Linux: Virtual Machine Fingerprinting By non-root User DiscoveryT10825
MS 365 Defender: Suspicious Process Discovery - Discovery AlertDiscoveryT10577
MS 365 Defender: System Network Configuration Discovery - Discovery AlertDiscoveryT1016.0016
MS 365 Defender: System Service Discovery - Discovery AlertDiscoveryT10076
Multiple IPS Detected Scans From Same SrcDiscoveryT10467
Password Policy Enumeration DiscoveryT12015
SQL Server Excessive Full Scan DiscoveryT10467
Stealth Scan using a toolDiscoveryT10469
Sudden Increase in Reported Events From A HostDiscoverynone7
Targeted System/Application Scan DiscoveryT10467
WLAN Scan DiscoveryT10467
Windows: AD Privileged Users or Groups ReconnaissanceDiscoveryT1087.0027
Windows: AD User EnumerationDiscoveryT1087.0025
Windows: Azure AD Health Monitoring Agent Registry Keys AccessDiscoveryT10125
Windows: Azure AD Health Service Agents Registry Keys AccessDiscoveryT10125
Windows: BloodHound Collection FilesDiscoveryT14827
Windows: CMD Shell Output RedirectDiscoveryT10823
Windows: Computer Discovery And Export Via Get-ADComputer CmdletDiscoveryT10335
Windows: DirLister ExecutionDiscoveryT10833
Windows: Discovery of a System TimeDiscoveryT11243
Windows: Domain Trust Discovery Via DsqueryDiscoveryT14825
Windows: Exports Critical Registry Keys To a FileDiscoveryT10127
Windows: Exports Registry Key To a FileDiscoveryT10123
Windows: Files And Subdirectories Listing Using DirDiscoveryT12173
Windows: Fsutil Drive EnumerationDiscoveryT11203
Windows: Group Membership Reconnaissance Via Whoami.EXEDiscoveryT10335
Windows: HackTool - Bloodhound/Sharphound ExecutionDiscoveryT14827
Windows: HackTool - SharpLdapWhoami ExecutionDiscoveryT10337
Windows: HackTool - TruffleSnout ExecutionDiscoveryT14827
Windows: HackTool - winPEAS ExecutionDiscoveryT10827
Windows: Local Accounts DiscoveryDiscoveryT1087.0013
Windows: Local Groups Reconnaissance Via Wmic.EXEDiscoveryT1069.0013
Windows: Net.exe ExecutionDiscoveryT12013
Windows: Network Reconnaissance ActivityDiscoveryT10827
Windows: PUA - AdFind Suspicious ExecutionDiscoveryT14827
Windows: PUA - Advanced IP Scanner ExecutionDiscoveryT11355
Windows: PUA - Advanced Port Scanner ExecutionDiscoveryT11355
Windows: PUA - Nmap/Zenmap ExecutionDiscoveryT10467
Windows: PUA - Seatbelt ExecutionDiscoveryT15267
Windows: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXEDiscoveryT1087.0027
Windows: Permission Check Via Accesschk.EXEDiscoveryT1069.0015
Windows: Potential Active Directory Reconnaissance/Enumeration Via LDAPDiscoveryT14825
Windows: Potential Configuration And Service Reconnaissance Via Reg.EXEDiscoveryT10125
Windows: Potential Recon Activity Via Nltest.EXEDiscoveryT14827
Windows: Potential System Information Discovery Via Wmic.EXEDiscoveryT10825
Windows: Python Initiated ConnectionDiscoveryT10465
Windows: Reconnaissance ActivityDiscoveryT1087.0027
Windows: Renamed AdFind ExecutionDiscoveryT14827
Windows: Renamed Whoami ExecutionDiscoveryT10339
Windows: SC.EXE Query ExecutionDiscoveryT10073
Windows: SCM Database Handle FailureDiscoveryT10105
Windows: Security Privileges Enumeration Via Whoami.EXEDiscoveryT10337
Windows: Share And Session Enumeration Using Net.EXEDiscoveryT10183
Windows: Suspicious Execution of AdidnsdumpDiscoveryT10183
Windows: Suspicious Execution of HostnameDiscoveryT10823
Windows: Suspicious Execution of SysteminfoDiscoveryT10823
Windows: Suspicious LDAP Domain AccessDiscoveryT14825
Windows: Suspicious Query of MachineGUIDDiscoveryT10823
Windows: Suspicious Reconnaissance Activity Using Get-LocalGroupMember CmdletDiscoveryT1087.0015
Windows: Suspicious Scan Loop NetworkDiscoveryT10185
Windows: Suspicious Tasklist Discovery CommandDiscoveryT10571
Windows: Suspicious Use of PsLogListDiscoveryT1087.0025
Windows: Suspicious Where ExecutionDiscoveryT12173
Windows: Suspicious Whoami.EXE ExecutionDiscoveryT10337
Windows: Suspicious Whoami.EXE Execution From Privileged ProcessDiscoveryT10337
Windows: SysKey Registry Keys Access DiscoveryT10129
Windows: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXEDiscoveryT1518.0017
Windows: System Network Connections Discovery Via Net.EXEDiscoveryT10493
Windows: Use of W32tm as TimerDiscoveryT11247
Windows: User Discovery And Export Via Get-ADUser CmdletDiscoveryT10335
Windows: WhoAmI as ParameterDiscoveryT10337
Windows: Whoami Utility ExecutionDiscoveryT10335
Windows: Whoami.EXE Execution AnomalyDiscoveryT10337

Lateral Movement

Name Tactic Technique Severity
AWS SecHub: Tactics: Lateral Movement DetectedLateral Movementnone8
Exposed Service Detected on HostLateral MovementT12109
FortiDeceptor: IPS Attack to DecoyLateral Movementnone9
FortiRecon: Certificate Issue Found for an AssetLateral MovementT12109
FortiRecon: High Severity Reputation Issue Found for an AssetLateral MovementT12109
FortiSandbox detects multiple attacks from same sourceLateral Movementnone9
FortiWeb: Permitted Inbound Attack DetectedLateral MovementT12109
Lateral Movement DetectedLateral Movementnone9
Linux: Remote Terminal Session StartedLateral MovementT1021.0045
Log4J Exploit Request Detected By RegexLateral MovementT12107
Log4J Exploit Request Detected on Host by Fortinet ProductsLateral MovementT121010
Log4J Exploit Request Detected on Network by Fortinet ProductsLateral MovementT121010
Outbreak: 3CX Supply Chain Attack Detected on HostLateral MovementT12109
Outbreak: 3CX Supply Chain Attack Detected on NetworkLateral MovementT12109
Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on HostLateral MovementT12109
Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on NetworkLateral MovementT12109
Outbreak: Agent Tesla Malware Attack Detected on HostLateral MovementT12109
Outbreak: Agent Tesla Malware Attack Detected on NetworkLateral MovementT12109
Outbreak: Apache ActiveMQ Ransomware Attack Detected on HostLateral MovementT121010
Outbreak: Apache ActiveMQ Ransomware Attack Detected on NetworkLateral MovementT121010
Outbreak: Apache Path Traversal Vuln Detected on HostLateral MovementT12109
Outbreak: Apache Path Traversal Vuln Detected on NetworkLateral MovementT12109
Outbreak: Apache RocketMQ RCE Vuln Detected on NetworkLateral MovementT12109
Outbreak: Atlassian Confluence CVE-2022-26134 Vuln Detected on HostLateral MovementT12109
Outbreak: Atlassian Confluence CVE-2022-26134 Vuln Detected on NetworkLateral MovementT12109
Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on HostLateral MovementT12109
Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on NetworkLateral MovementT12109
Outbreak: CISA Top 20 Vulnerability detected on HostLateral MovementT12109
Outbreak: Cacti Server Command Injection Attack Detected on NetworkLateral MovementT12109
Outbreak: Cacti Server Command Injection Vulnerability Detected on HostLateral MovementT12109
Outbreak: Cisco IOS XE Web UI Attack Detected on NetworkLateral MovementT1210,T1036.0049
Outbreak: Citrix Bleed Attack Detected on NetworkLateral MovementT12109
Outbreak: CosmicEnergy Malware Detected on HostLateral MovementT12109
Outbreak: CosmicEnergy Malware Detected on NetworkLateral MovementT12109
Outbreak: FortiGate Authentication bypass on Aministrative InterfaceLateral MovementT121010
Outbreak: FortiGate detected CISA Top 20 Vulnerability on NetworkLateral MovementT12109
Outbreak: FortiOS SSLVPN Heap Buffer Overflow attack - CVE-2022-42475 Detected on NetworkLateral MovementT12109
Outbreak: FortiWeb detected CISA Top 20 Vulnerability on NetworkLateral MovementT12109
Outbreak: FortiWeb detected VMware Spring Cloud Func RCE Vulnerability on NetworkLateral MovementT12109
Outbreak: FortiWeb detected Zerobot Botnet Activity on NetworkLateral MovementT12109
Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on HostLateral MovementT12109
Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Google Chromium WebP Vuln Detected on HostLateral MovementT12109
Outbreak: Google Chromium WebP Vuln Detected on NetworkLateral MovementT12109
Outbreak: HTTP2 Rapid Reset Attack Detected on HostLateral MovementT12109
Outbreak: HTTP2 Rapid Reset Attack Detected on NetworkLateral MovementT12109
Outbreak: Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on NetworkLateral MovementT12109
Outbreak: Hive Ransomware Detected on HostLateral MovementT12109
Outbreak: Hive Ransomware Detected on NetworkLateral MovementT12109
Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on HostLateral MovementT12109
Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on HostLateral MovementT12109
Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on NetworkLateral MovementT12109
Outbreak: Joomla CMS Improper Access Check Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on HostLateral MovementT1021.0029
Outbreak: Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on NetworkLateral MovementT1021.0029
Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on HostLateral MovementT12109
Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on NetworkLateral MovementT12109
Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on HostLateral MovementT12109
Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Multiple Vendor Camera System Attack Detected on NetworkLateral MovementT12109
Outbreak: Oracle WebLogic Server Vuln Detected on NetworkLateral MovementT12109
Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on HostLateral MovementT12109
Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on HostLateral MovementT12109
Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: Progress Telerik UI Attack Detected on HostLateral MovementT12109
Outbreak: Progress Telerik UI Attack Detected on NetworkLateral MovementT12109
Outbreak: Realtek SDK Attack Detected on HostLateral MovementT12109
Outbreak: Realtek SDK Attack Detected on NetworkLateral MovementT12109
Outbreak: Redigo Malware Detected on HostLateral MovementT12109
Outbreak: Redigo Malware Detected on NetworkLateral MovementT12109
Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: SolarView Compact Command Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: TBK DVR Authentication Bypass Attack Detected on NetworkLateral MovementT12109
Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on HostLateral MovementT12109
Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on NetworkLateral MovementT12109
Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on HostLateral MovementT12109
Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on NetworkLateral MovementT12109
Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: VMware Spring Cloud Func RCE Vulnerability on NetworkLateral MovementT12109
Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on HostLateral MovementT12109
Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on NetworkLateral MovementT12109
Outbreak: Wordpress WPGateway Plugin Vuln Detected on NetworkLateral MovementT12109
Outbreak: Zerobot Botnet Activity Detected on HostLateral MovementT12109
Outbreak: Zerobot Botnet Activity Detected on NetworkLateral MovementT12109
Outbreak: Zoho ManageEngine RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Zyxel Multiple Firewall Vuln Detected on HostLateral MovementT12109
Outbreak: Zyxel Multiple Firewall Vuln Detected on NetworkLateral MovementT12109
Outbreak: Zyxel Router Command Injection Attack Detected on NetworkLateral MovementT12109
Permitted Traffic from Dragos Worldview Malware IP ListLateral MovementT12109
PowerShell Downgrade Attack DetectedLateral MovementT12108
Remote Desktop traffic from InternetLateral MovementT1021.001,T1133,T12199
Traffic to Dragos Worldview Malware IP ListLateral MovementT12109
VNC traffic from InternetLateral MovementT1021.005,T1133,T12199
Virus outbreakLateral Movementnone9
Windows: Access to ADMIN$ ShareLateral MovementT1021.0023
Windows: DCERPC SMB Spoolss Named PipeLateral MovementT1021.0025
Windows: DCOM Internet Explorer.Application Iertutil DLL Hijack: Security LogLateral MovementT1021.0037
Windows: Denied Access To Remote DesktopLateral MovementT1021.0015
Windows: First Time Seen Remote Named PipeLateral MovementT1021.0027
Windows: Impacket PsExec ExecutionLateral MovementT1021.0027
Windows: MMC Spawning Windows ShellLateral MovementT1021.0037
Windows: MMC20 Lateral Movement Lateral MovementT1021.0037
Windows: Metasploit Or Impacket Service Installation Via SMB PsExecLateral MovementT15707
Windows: Metasploit SMB AuthenticationLateral MovementT1021.0027
Windows: New Remote Desktop Connection Initiated Via Mstsc.EXELateral MovementT1021.0015
Windows: OpenSSH Server Listening On SocketLateral MovementT1021.0045
Windows: PSEXEC Remote Execution File ArtefactLateral MovementT15707
Windows: Possible Exploitation of Exchange RCE CVE-2021-42321Lateral MovementT12107
Windows: Potential DCOM InternetExplorer.Application DLL HijackLateral MovementT1021.0039
Windows: Potential DCOM InternetExplorer.Application DLL Hijack - Image LoadLateral MovementT1021.0039
Windows: Potential MSTSC Shadowing ActivityLateral MovementT1563.0027
Windows: Potential RDP Exploit CVE-2019-0708Lateral MovementT12105
Windows: Protected Storage Service AccessLateral MovementT1021.0027
Windows: RDP Login from LocalhostLateral MovementT1021.0017
Windows: Remote Service Activity via SVCCTL Named PipeLateral MovementT1021.0025
Windows: Rundll32 Execution Without ParametersLateral MovementT15707
Windows: SMB Create Remote File Admin ShareLateral MovementT1021.0027
Windows: Scanner PoC for CVE-2019-0708 RDP RCE Vuln Lateral MovementT12109
Windows: Suspicious PsExec ExecutionLateral MovementT1021.0027
Windows: Suspicious RDP Redirect Using TSCONLateral MovementT1563.0027
Windows: Suspicious UltraVNC ExecutionLateral MovementT1021.0057
Windows: Terminal Service Process SpawnLateral MovementT12107
Windows: WCE wceaux dll Access Lateral MovementT1550.0029
Windows: WinRM Access with Evil-WinRMLateral MovementT1021.0065
Windows: Windows Admin Share Mount Via Net.EXELateral MovementT1021.0025
Windows: Windows Internet Hosted WebDav Share Mount Via Net.EXELateral MovementT1021.0027
Windows: Windows Share Mount Via Net.EXELateral MovementT1021.0023
Windows: smbexec.py Service Installation Lateral MovementT1021.002,T1569.002,T1021.0029

Collection

Name Tactic Technique Severity
Excessive SNMP Port 161 Traffic from a Source to the same DestinationCollectionT1602.0015
AWS CloudTrail Log Created CollectionT15303
AWS SecHub: Tactics: Collection DetectedCollectionnone8
Agent FIM: Linux File or Directory CreatedCollectionT1074.001,T1565.0017
Agent FIM: Windows File or Directory CreatedCollectionT1074.001,T1565.0017
Agentless FIM: Audited file or directory createdCollectionT1074.001,T1565.0018
Excessive End User MailCollectionT1114.0018
Excessive Postfix mail send latency CollectionT1114.0016
FortiMail: Malicious Spam File Attachment FoundCollectionT1114.0019
FortiMail: Malicious URL foundCollectionT1114.0019
FortiRecon: Leaked Credit or Debit Cards Found OnlineCollectionT11199
GCP: Pub/Sub Subscription CreatedCollectionT11196
GCP: Pub/Sub Topic CreatedCollectionT11196
GCP: Storage Bucket IAM Permissions ModifiedCollectionT15306
GCP: Storage Bucket UpdatedCollectionT15306
Linux: Creation of an Archive with Common Archivers CollectionT1074.0015
Office365: Admin or Delegated User Created Mailbox Forwarding Rule for another UserCollectionT1114.0039
Office365: Delete Message Inbox Rule CreatedCollectionT1114.0039
Office365: Mailbox Login from Outside My CountryCollectionT1114.0029
Office365: Mailbox SendAs or SendOnBehalf has occurredCollectionT1114.0036
Office365: Move To Folder Inbox Rule CreatedCollectionT1114.0036
Office365: Set-Mailbox Forwarding Action CreatedCollectionT1114.0039
Office365: User Mailbox Forwarding Rule CreatedCollectionT1114.0039
Spam/Malicious Mail Attachment found but not remediatedCollectionT1114.0017
UEBA Policy detects email download CollectionT1114.0017
UEBA Policy detects email upload CollectionT1114.0017
UEBA Policy detects file archiver application CollectionT1560.0017
Virus found in mailCollectionT1114.0019
Windows Removable Media InsertsCollectionT10257
Windows failed file accessCollectionT1005,T1565.0017
Windows successful file accessCollectionT1005,T1565.0015
Windows: 7Zip Compressing Dump FilesCollectionT1560.0017
Windows: Audio Capture via PowerShellCollectionT11235
Windows: Audio Capture via SoundRecorderCollectionT11235
Windows: Browser Started with Remote DebuggingCollectionT11855
Windows: Compress Data and Lock With Password for Exfiltration With 7-ZIPCollectionT1560.0015
Windows: Compress Data and Lock With Password for Exfiltration With WINZIPCollectionT1560.0015
Windows: Copy from Admin ShareCollectionT10397
Windows: Data Compressed - rar.exe CollectionT1560.0013
Windows: Esentutl Steals Browser InformationCollectionT10055
Windows: HackTool - ADCSPwn ExecutionCollectionT1557.0017
Windows: Impacket Tool ExecutionCollectionT1557.0017
Windows: Local Privilege Escalation Indicator TabTipCollectionT1557.0017
Windows: PUA - Mouse Lock ExecutionCollectionT1056.0025
Windows: Password Protected Compressed File Extraction Via 7ZipCollectionT1560.0015
Windows: Potential Data Stealing Via Chromium Headless DebuggingCollectionT11857
Windows: Potential SMB Relay Attack Tool ExecutionCollectionT1557.0019
Windows: PowerShell Get-Clipboard Cmdlet Via CLICollectionT11155
Windows: Processes Accessing the Microphone and WebcamCollectionT11235
Windows: Psr.exe Capture ScreenshotsCollectionT11135
Windows: Rar Usage with Password and Compression LevelCollectionT1560.0017
Windows: Recon Information for Export with Command PromptCollectionT11195
Windows: RottenPotato Like Attack PatternCollectionT1557.0017
Windows: Suspicious Access to Sensitive File Extensions CollectionT10395
Windows: Suspicious Camera and Microphone AccessCollectionT11257
Windows: Suspicious Compression Tool Parameters CollectionT1560.0017
Windows: Suspicious Manipulation Of Default Accounts Via Net.EXECollectionT1560.0017
Windows: System Drawing DLL LoadCollectionT11133
Windows: UIPromptForCredentials DLLsCollectionT1056.0025
Windows: Use of CLIPCollectionT11153
Windows: Veeam Backup Database Suspicious QueryCollectionT10055
Windows: VeeamBackup Database Credentials DumpCollectionT10057
Windows: Winrar Compressing Dump FilesCollectionT1560.0017
Windows: Winrar Execution in Non-Standard FolderCollectionT1560.0017
Windows: Zip A Folder With PowerShell For Staging In TempCollectionT1074.0015

Command and Control

Name Tactic Technique Severity
Suspicious Botnet like End host DNS Behavior Command and Controlnone6
Traffic to bogon networks Command and Controlnone8
AWS SecHub: Tactics: Command-and-Control DetectedCommand and Controlnone8
Crowdstrike: User Compromise Command and Controlnone8
FortiGate detects BotnetCommand and Controlnone9
FortiSandbox detects BotnetCommand and Controlnone9
Outbreak: HAFNIUM Exchange OWA Server Authentication BypassCommand and Controlnone9
Outbreak: HAFNIUM FortiGate Permitted IPS EventCommand and Controlnone9
Outbreak: HAFNIUM Infected File Detected by FortiGateCommand and Controlnone9
Outbreak: HAFNIUM Suspicious File hash matchCommand and Controlnone9
Outbreak: SUNBURST Suspicious File CreatedCommand and Controlnone9
Outbreak: SUNBURST Suspicious File Hash MatchCommand and Controlnone9
Permitted Traffic from Emerging Threat IP ListCommand and Controlnone7
Windows: Powershell opening TCP ConnectionCommand and Controlnone7

Exfiltration

Name Tactic Technique Severity
Excessive End User Mail To Unauthorized Mail Gateways ExfiltrationT1020.0018
Excessive Uncommon DNS Queries ExfiltrationT1048.0026
Large Outbound Transfer To Outside My Country ExfiltrationT1048.0018
Blocklist User Agent MatchExfiltrationT10419
Crowdstrike: Known Malware ExfiltrationT10419
DNS Traffic to Anomali ThreatStream Malware DomainsExfiltrationT1048.0019
DNS Traffic to FortiGuard Malware DomainsExfiltrationT1048.0019
FireEye Malware CallbackExfiltrationT10419
FortiSandbox detects file malware with high or medium riskExfiltrationT10419
FortiSandbox detects URL MalwareExfiltrationT10419
FortiSandbox detects malicious file malware from file uploadExfiltrationT10419
FortiSandbox detects multiple hosts with infected files ExfiltrationT10419
FortiSandbox detects unknown risk file malwareExfiltrationT10417
Large Outbound TransferExfiltrationT1048.0018
MS 365 Defender: Malware DetectedExfiltrationT10419
Malware found but not remediatedExfiltrationT10419
Malware hash matchExfiltrationT10419
Outbreak: DARKSIDE Domain Traffic DetectedExfiltrationT10419
Outbreak: DARKSIDE Ransomware File Activity Detected on HostExfiltrationT10419
Outbreak: DARKSIDE Ransomware File Activity Detected on NetworkExfiltrationT10419
Outbreak: DARKSIDE Ransomware Inbound Network Traffic DetectedExfiltrationT10419
Outbreak: DARKSIDE Ransomware Outbound Network Traffic DetectedExfiltrationT10419
Outbreak: DARKSIDE Suspicious File Hash Found on HostExfiltrationT10419
Outbreak: DARKSIDE Suspicious File Hash Found on NetworkExfiltrationT10419
Outbreak: Emotet Malware Activity Detected by FortiClientExfiltrationT10419
Outbreak: Emotet Malware Activity Detected on HostExfiltrationT10419
Outbreak: Emotet Malware Activity Detected on NetworkExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found by ForticlientExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found on HostExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found on NetworkExfiltrationT10419
Permitted Traffic from Anomali ThreatStream Malware IP ListExfiltrationT10419
Permitted Traffic from FortiGuard Malware IP ListExfiltrationT10419
Traffic to Anomali ThreatStream Malware IP ListExfiltrationT10419
Traffic to Emerging Threat IP ListExfiltrationT1048.0017
Traffic to FortiGuard Malware IP ListExfiltrationT10419
Web Traffic to Anomali ThreatStream Malicious URLsExfiltrationT10419
Web Traffic to FortiGuard Malicious URLsExfiltrationT10419
Web Traffic to FortiSandbox Malicious URLsExfiltrationT10419
Windows Server USB File WriteExfiltrationT1052.0017
Windows: Communication To Mega.nzExfiltrationT1567.0017
Windows: Communication To Ngrok.IoExfiltrationT1567.0017
Windows: DNS Query for Anonfiles.com Domain - DNS ClientExfiltrationT1567.0027
Windows: DNS Query for Anonfiles.com Domain - SysmonExfiltrationT1567.0027
Windows: DNS Query for MEGA.io Upload DomainExfiltrationT1567.0027
Windows: DNS Query for Ufile.io Upload Domain - DNS ClientExfiltrationT1567.0027
Windows: DNS Query for Ufile.io Upload Domain - SysmonExfiltrationT1567.0027
Windows: PUA - Rclone ExecutionExfiltrationT1567.0027
Windows: Suspicious Outbound SMTP ConnectionsExfiltrationT1048.0035
Windows: Suspicious WebDav Client ExecutionExfiltrationT1048.0037
Windows: Suspicious WebDav Client Execution: Sysmon V2ExfiltrationT1048.0035

Impact

Name Tactic Technique Severity
Excessive Denied Connections From An External Country ImpactT1498.0017
Excessive Denied Connections From Same Src ImpactT1498.0018
Excessive Denied Connections To A Port ImpactT1498.0017
Excessive Denied Connections To Same Destination ImpactT1498.0018
Half Open TCP DDOS Attack ImpactT1498.0017
High Process CPU: Server ImpactT1499.0038
HyperV Logical Processor Total Run Time Percent CriticalImpactT1499.0015
Sudden Increase In Firewall ConnectionsImpactT1498.0017
TCP DDOS Attack ImpactT1498.0018
AWS EC2 Instance Down ImpactT15294
AWS IAM Group Deleted ImpactT15313
AWS IAM MFA Device Deactivated ImpactT15319
AWS RDS Cluster Deleted ImpactT14855
AWS RDS Instance/Cluster Stopped ImpactT14895
AWS SecHub: Host Vulnerability DetectedImpactT1499.0048
AWS SecHub: Software and Configuration ViolationImpactnone6
AWS SecHub: Tactics: Impact: Data Destruction DetectedImpactnone7
AWS SecHub: Tactics: Impact: Data Exfiltration DetectedImpactnone8
AWS SecHub: Tactics: Impact: Data Exposure DetectedImpactnone8
AWS SecHub: Tactics: Impact: Denial of Service DetectedImpactT1498.0018
AWS SecHub: Unusal Data Behavior DetectedImpactnone7
AWS SecHub: Unusal Database Behavior DetectedImpactnone7
AWS SecHub: Unusal Network Flow Behavior DetectedImpactnone8
AWS SecHub: Unusal Process Behavior DetectedImpactnone8
AWS SecHub: Unusal Serverless Behavior DetectedImpactnone7
AWS SecHub: Unusual Application Behavior DetectedImpactnone7
ArubaOS-CX: Multiple Users DeletedImpactT15319
ArubaOS-CX: User DeletedImpactT15319
Auto Service StoppedImpactT14894
Azure Resource Group Deleted ImpactT14855
BGP Neighbor Down ImpactT15299
Cisco Call Manager DDR DownImpactT14899
Cisco CallManager Cluster Member DownImpactT148910
Cisco CallManager Critical Service DownImpactT14899
Crowdstrike: Data DeletionImpactnone8
Crowdstrike: Data TheftImpactnone8
Cylance Found Corrupt FileImpactnone7
Datastore Space Warning ImpactT1499.0017
Degraded IPSLA DNS TestImpactT1499.0027
Degraded IPSLA ICMP TestImpactT1499.0027
Degraded IPSLA UDP Echo TestImpactT1499.0027
Degraded VoIP Call QualityImpactT1499.0027
Degraded VoIP IPSLA Call QualityImpactT1499.0027
Distributed DoS Attack detected by NIPSImpactT1498.0019
DoS Attack detected by NIPSImpactT1498.0019
DoS Attack on Network Devices by Network IPSImpactT1498.0019
DoS Attack on WLAN Infrastructure by Network IPSImpactT1498.0019
EIGRP Neighbor DownImpactT15299
ESX CPU CriticalImpactT1499.0019
ESX CPU Warning ImpactT1499.0015
ESX Disk I/O Critical ImpactT1499.0019
ESX Disk I/O Warning ImpactT1499.0015
ESX Memory CriticalImpactT1499.0019
ESX Memory Warning ImpactT1499.0015
ESX Network I/O Critical ImpactT1499.0019
ESX Network I/O Warning ImpactT1499.0015
ESX Server Health: Critical ImpactT1499.0019
ESX Server Health: Warning ImpactT1499.0017
EqualLogic Connection Read/Write Latency Critical ImpactT1499.0019
EqualLogic Connection Read/Write Latency Warning ImpactT1499.0015
Excessive FTP Client Side ErrorsImpactT1498.0017
Excessive HTTP Client Side ErrorsImpactT1498.0017
Excessive Postfix gateway connection failures ImpactT1499.0028
Excessive Postfix mail send error ImpactT1499.0028
Exchange Server Mailbox Queue high ImpactT1499.0027
Exchange Server RPC latency high ImpactT1499.0027
Exchange Server RPC request high ImpactT1499.0027
Exchange Server SMTP Queue high ImpactT1499.0027
FortiGate: Admin User DeletedImpactT15319
FortiGate: Admin User Deleted via ConsoleImpactT15319
FortiWeb Connection Limit ReachedImpactT1499.0029
GCP: IAM Custom Role DeletedImpactT15319
GCP: Service Account Access Key DeletedImpactT15316
GCP: Service Account DeletedImpactT15319
GCP: Service Account DisabledImpactT15318
High Process CPU: Network DeviceImpactT1499.0028
High Process Memory: Network DeviceImpactT1499.0028
High Process Memory: ServerImpactT1499.0038
HyperV Disk I/O Warning ImpactT1499.0015
HyperV Disk Latency CriticalImpactT1499.0019
HyperV Guest Critical ImpactT1499.0019
HyperV Guest Hypervisor Run Time Percent WarningImpactT1499.0017
HyperV Logical Processor Total Run Time Percent WarningImpactT1499.0017
HyperV Page fault Critical ImpactT1499.0019
HyperV Page fault Warning ImpactT1499.0017
HyperV Remaining Guest Memory Warning ImpactT1499.0017
ICMP Flood From Same SourceImpactT1498.0017
IIS Virtual Memory Critical ImpactT1499.0039
IPSLA HTTP Test FailureImpactT1499.0027
Important process downImpactT14897
Important process staying DownImpactT14899
Isilon Protocol Latency Critical ImpactT1499.0019
MS 365 Defender: Delivery DetectedImpactnone8
Meraki Device Down ImpactT14899
Microsoft SQL Server Instance DownImpactT14899
Multi-Factor Authentication Disabled for an Azure User ImpactT1531,T1562.0019
MySQL Database Instance DownImpactT14899
NFS Disk space Warning ImpactT1499.0015
NetApp Back to Back Consistency Point ImpactT1499.0019
NetApp CIFS Latency Critical ImpactT1499.0019
NetApp CIFS Read/Write Latency Warning ImpactT1499.0015
NetApp FCP Read/Write Latency Critical ImpactT1499.0019
NetApp FCP Read/Write Latency Warning ImpactT1499.0015
NetApp ISCSI Read/Write Latency Critical ImpactT1499.0019
NetApp ISCSI Read/Write Latency Warning ImpactT1499.0015
NetApp NFS Read/Write Latency Critical ImpactT1499.0019
NetApp NFS Read/Write Latency Warning ImpactT1499.0015
NetApp Volume Read/Write Latency Critical ImpactT1499.0019
NetApp Volume Read/Write Latency Warning ImpactT1499.0015
Network CPU Critical ImpactT1499.0029
Network CPU Warning ImpactT1499.0025
Network Device Degraded: Lossy Ping ResponseImpactT15297
Network Device Down: no ping responseImpactT15297
Network Device FailoverImpactT15299
Network Device Health: CriticalImpactT1499.0029
Network Device Health: WarningImpactT1499.0015
Network Device Interface FlappingImpactT15297
Network IPS Intf Util Critical ImpactT1498.0019
Network IPS Intf Util Warning ImpactT1498.0015
Network Intf Util Critical ImpactT1498.0019
Network Intf Util Warning ImpactT1498.0015
Network Memory Critical ImpactT1499.0029
Network Memory Warning ImpactT1499.0025
OSPF Neighbor Down ImpactT15299
Oracle Database Instance DownImpactT14899
Oracle Database Listener DownImpactT14899
Oracle OCI: User DeletedImpactT15319
Outbreak: HermeticWiper-Foxblade Malware Detected on HostImpactT14859
Outbreak: HermeticWiper-Foxblade Malware Detected on NetworkImpactT14859
Outbreak: Spring4Shell Malware Detected on NetworkImpactT14859
Poor VoIP Call QualityImpactT1499.0029
Poor VoIP IPSLA Call QualityImpactT1499.0029
Radvision Ethernet LossImpactT14897
Radvision Gateway DownImpactT14899
Radvision ISDN LossImpactT14897
Ransomware detected on a hostImpactT14869
Ransomware outbreak detectedImpactT148610
SNMP Service UnavailableImpactT14899
Scanner found medium vulnerabilityImpactT1499.0047
Scanner found severe vulnerabilityImpactT1499.0049
Server CPU Critical ImpactT1499.0019
Server CPU Warning ImpactT1499.0015
Server Degraded: Lossy Ping ResponseImpactT15297
Server Disk Latency Critical ImpactT1499.0019
Server Disk Latency Warning ImpactT1499.0015
Server Disk Space Critical ImpactT1499.0019
Server Disk space Warning ImpactT1499.0015
Server Down: No Ping ResponseImpactT15297
Server Intf Error Critical ImpactT1499.0019
Server Intf Error Warning ImpactT1499.0015
Server Intf Util Critical ImpactT1499.0019
Server Intf Util Warning ImpactT1499.0015
Server Memory Critical ImpactT1499.0019
Server Memory Warning ImpactT1499.0015
Server Network Interface FlappingImpactT15297
Server Swap Memory CriticalImpactT1499.0019
Service Degraded: Slow Response to STMImpactT14897
Service Degraded: Slow Response to STM: Has IPImpactT1499.0037
Service Down: No Response to STMImpactT1499.0039
Service Staying Down: No Response to STMImpactT1499.0038
Storage CPU Warning ImpactT1499.0015
Storage Device CPU CriticalImpactT1499.0019
Storage Device Disk Space CriticalImpactT1499.0019
Storage Port Down ImpactT14899
Sudden Increase In Firewall Denied Inbound Traffic To A Specific TCP/UDP portImpactT1498.0017
Sudden Increase In Firewall Denied Outbound Traffic To A Specific TCP/UDP portImpactT1498.0017
Sudden Increase In Firewall Permitted Outbound Traffic To A Specific TCP/UDP portImpactT1498.0017
Sudden Increase In Permitted Traffic From HostImpactT1498.0017
Sudden Increase In Permitted Traffic To HostImpactT1498.0017
Sudden Increase In System CPU UsageImpactT1499.0017
Sudden Increase in Disk I/O ImpactT1499.0017
Sudden Increase in Firewall Permitted Inbound Traffic To A Specific TCP/UDP portImpactT1498.0017
Sudden Increase in ICMP Requests From A HostImpactT1498.0017
Sudden Increase in Inbound Firewall Aggregate Denies ImpactT1498.0017
Sudden Increase in Network Interface TrafficImpactT1498.0017
Sudden Increase in Outbound Firewall Aggregate Denies ImpactT1498.0017
Sudden Increase in Ping Response TimesImpactT1499.0027
Sudden Increase in SNMP Response TimesImpactT1499.0027
Sudden Increase in STM Response TimesImpactT1499.0027
Sudden Increase in Server Process Count ImpactT1499.0017
Sudden Increase in System Memory UsageImpactT1499.0017
Sudden Increase in WMI or OMI Response TimesImpactT1499.0027
Unix Server Health: CriticalImpactT1499.0019
Unix Server Health: Warning ImpactT1499.0015
Unix System Shutting DownImpactT15296
User deleted from Administrator GroupImpactT15319
User deleted from Backup Operator GroupImpactT15316
User deleted from DNS Admins GroupImpactT15319
User deleted from Domain Admin GroupImpactT15316
User deleted from Remote Desktop User GroupImpactT15319
VCenter Datastore Space CriticalImpactT1499.0019
Virtual Machine CPU Critical ImpactT1499.0019
Virtual Machine CPU Warning ImpactT1499.0015
Virtual Machine Health: Critical ImpactT1499.0019
Virtual Machine Health: Warning ImpactT1499.0015
Virtual Machine Memory Swapping Critical ImpactT1499.0019
Virtual Machine Memory Swapping Warning ImpactT1499.0015
Virtual Machine SCSI Bus Reset ImpactT1499.0019
WMI or OMI Service UnavailableImpactT14899
Website defacement attackImpactT1491.001,T1491.0029
Windows File System Replication DownImpactT14899
Windows Server Health: CriticalImpactT1499.0019
Windows Server Health: WarningImpactT1499.0015
Windows Server Paging File Usage Critical ImpactT1499.0019
Windows Server Shutting DownImpactT14896
Windows: Amsi.DLL Load By Uncommon ProcessImpactT14903
Windows: Application UninstalledImpactT14893
Windows: Audit CVE EventImpactT1499.0049
Windows: Boot Configuration Tampering Via Bcdedit.EXEImpactT14907
Windows: Copy From VolumeShadowCopy Via Cmd.EXEImpactT14907
Windows: Delete All Scheduled TasksImpactT14897
Windows: Delete Important Scheduled TaskImpactT14897
Windows: Deleted Data Overwritten Via Cipher.EXEImpactT14855
Windows: Deletion of Volume Shadow Copies via WMI with PowerShellImpactT14907
Windows: Disable Important Scheduled TaskImpactT14897
Windows: NTFS Vulnerability ExploitationImpactT1499.0017
Windows: Network Communication With Crypto Mining PoolImpactT14967
Windows: Potential Crypto Mining ActivityImpactT14967
Windows: Potential File Overwrite Via Sysinternals SDeleteImpactT14857
Windows: Renamed Sysinternals Sdelete ExecutionImpactT14857
Windows: Sensitive Registry Access via Volume Shadow CopyImpactT14907
Windows: Shadow Copies Deletion Using Operating Systems UtilitiesImpactT14907
Windows: Stop Windows Service Via Net.EXEImpactT14893
Windows: Stop Windows Service Via PowerShell Stop-ServiceImpactT14893
Windows: Stop Windows Service Via Sc.EXEImpactT14893
Windows: Suspicious Creation TXT File in User DesktopImpactT14867
Windows: Suspicious Execution of ShutdownImpactT15295
Windows: Suspicious Execution of Shutdown to Log OutImpactT15295
Windows: Suspicious Execution of TaskkillImpactT14893
Windows: Suspicious Reg Add BitLockerImpactT14867
Windows: Suspicious Volume Shadow Copy VSS-PS.dll LoadImpactT14907
Windows: Suspicious Volume Shadow Copy Vssapi.dll LoadImpactT14907
Windows: Suspicious Volume Shadow Copy Vsstrace.dll LoadImpactT14907
Windows: SystemStateBackup Deleted Using Wbadmin.EXEImpactT14907

Rules by Use Case

Application Performance Issue

Name Tactic Technique Severity
Carbon Black Fatal ErrorsApplicationnone8
Database Server Disk Latency Critical Storage I/Onone8
Excessive Destination Windows DC Replication Failure Domain Controllernone9
Excessive Postfix gateway connection failures ImpactT1499.0028
Excessive Postfix mail send error ImpactT1499.0028
Excessive Postfix mail send latency CollectionT1114.0016
Excessive Source Windows DC Replication Failure Domain Controllernone9
Excessive Web Request FailuresApplicationnone7
Excessively Slow Oracle DB Query Databasenone7
Excessively Slow SQL Server DB Query Databasenone7
Exchange Server Mailbox Queue high ImpactT1499.0027
Exchange Server RPC latency high ImpactT1499.0027
Exchange Server RPC request high ImpactT1499.0027
Exchange Server SMTP Queue high ImpactT1499.0027
Failed Windows DC Diagnostic TestDomain Controllernone9
FortiAnalyzer: No logs received from a device in 4 hoursNetworknone6
FortiMail FailoverMail Servernone7
High Oracle Non-System Table Space UsageDatabasenone7
High Oracle System Table Space Usage Databasenone7
IIS Virtual Memory Critical ImpactT1499.0039
Mail Hard Bounce Delivery FailuresMail Servernone7
Manual Service StartedServernone6
Microsoft SQL Server Instance DownImpactT14899
MySQL Database Instance DownImpactT14899
Oracle DB Alert Log ErrorDatabasenone8
Oracle DB Low Buffer Cache Hit Ratio Databasenone7
Oracle DB Low Library Cache Hit Ratio Databasenone7
Oracle DB Low Row Cache Hit Ratio Databasenone7
Oracle DB Low Row Memory Sorts Ratio Memorynone7
Oracle Database Instance DownImpactT14899
Oracle Database Listener DownImpactT14899
Oracle Database not backed up for 1 dayDatabasenone9
SQL Server Excessive Blocking Databasenone7
SQL Server Excessive Deadlock Databasenone7
SQL Server Excessive Full Scan DiscoveryT10467
SQL Server Excessive Page Read/Write Databasenone7
SQL Server Low Buffer Cache Hit Ratio Databasenone7
SQL Server Low Free Pages in Buffer Pool Databasenone7
SQL Server Low Log Cache Hit Ratio Databasenone7
SQL Server scheduled job failed Databasenone7
Service Degraded: Slow Response to STMImpactT14897
Service Degraded: Slow Response to STM: Has IPImpactT1499.0037
Slow MySQL DB Query Databasenone7
Sudden Increase in STM Response TimesImpactT1499.0027
Windows File System Replication DownImpactT14899

Cloud Performance Issue

Name Tactic Technique Severity
AWS EC2 Instance Down ImpactT15294

Environmental Performance Issue

Name Tactic Technique Severity
Critical APC Trap Environmentalnone9
Critical APC Trap: can be auto cleared Environmentalnone9
FPC Current THD highEnvironmentalnone9
FPC Voltage THD highEnvironmentalnone9
FPC ground current highEnvironmentalnone9
HVAC humidity highHVACnone9
HVAC humidity lowHVACnone9
HVAC temp highHVACnone9
HVAC temp lowHVACnone9
NetBotz camera motion detectedEnvironmentalnone7
NetBotz module door openEnvironmentalnone7
UPS Battery Metrics Critical UPSnone9
UPS Battery Status Critical UPSnone9
Warning APC Trap Environmentalnone7
Warning APC Trap: can be auto cleared Environmentalnone7

Network Performance Issue

Name Tactic Technique Severity
BGP Neighbor Down ImpactT15299
Cisco ACI Cluster Unavailable SDNnone9
Cisco ACI Critical FaultSDNnone9
Cisco ACI Node Health Critical SDNnone9
Cisco ACI Node Health Warning SDNnone7
Cisco ACI System Health Critical SDNnone9
Cisco ACI System Health Warning SDNnone7
Cisco ACI Tenant Health Critical SDNnone9
Cisco ACI Tenant Health Warning SDNnone7
Cisco AVC: Application Flows with QoS Queue Packet DropsApplicationnone5
Cisco AVC: Application Response Time LateApplicationnone7
Cisco AVC: P2P Applications that exceed interface utilizationInterfacenone1
Cisco Call Manager Active Partition Disk Low Storage Spacenone8
Cisco Call Manager CPU HighCPUnone8
Cisco Call Manager Certificate MismatchSuspicious Activitynone9
Cisco Call Manager Core Dump File FoundVoIPnone8
Cisco Call Manager DDR Block PreventionSuspicious Activitynone9
Cisco Call Manager DDR DownImpactT14899
Cisco Call Manager DRF FailedVoIPnone9
Cisco Call Manager EMCC Failed In Local ClusterVoIPnone9
Cisco Call Manager EMCC Failed In Remote ClusterVoIPnone9
Cisco Call Manager EMCC Login FailureCredential AccessT1110.0017
Cisco Call Manager Excessive Active BLF subscriptionsVoIPnone9
Cisco Call Manager Excessive Voice Quality ReportsVoIPnone9
Cisco Call Manager IME Service TLS Connection FailureVoIPnone9
Cisco Call Manager Inactive Partition Disk Low Storage Spacenone7
Cisco Call Manager License Grace Period ExpiredVoIPnone7
Cisco Call Manager Location Out Of BandwidthVoIPnone10
Cisco Call Manager Not Connected To Enterprise License ManagerVoIPnone9
Cisco Call Manager Spare Partition Disk Usage CriticalStorage Spacenone8
Cisco Call Manager Spare Partition Disk Usage WarningStorage Spacenone7
Cisco Call Manager Swap Disk LowStorage Spacenone8
Cisco Call Manager Syslog Pattern MatchVoIPnone7
Cisco Call Manager Syslog Severity MatchVoIPnone7
Cisco Call Manager System In OverageVoIPnone9
Cisco Call Manager System Version MismatchVoIPnone9
Cisco Call Manager User Defined Search String Found In LogVoIPnone5
Cisco Call Manager Virtual Memory LowMemorynone8
Cisco CallManager CDR Agent Send FailedVoIPnone9
Cisco CallManager CDR File Delivery FailedVoIPnone9
Cisco CallManager CDR High Disk UsageStorage Spacenone9
Cisco CallManager CDR Max Disk Usage ExceededStorage Spacenone9
Cisco CallManager Call Route List ExhaustedVoIPnone7
Cisco CallManager Cluster Member DownImpactT148910
Cisco CallManager Critical Service DownImpactT14899
Cisco CallManager DB Replication ErrorVoIPnone7
Cisco CallManager DB Replication FailureVoIPnone9
Cisco CallManager Database Notification FailureVoIPnone8
Cisco CallManager Excessive Authentication Failure Credential AccessT1110.0017
Cisco CallManager Hardware FailureVoIPnone9
Cisco CallManager High Call Latency: Code YellowVoIPnone8
Cisco CallManager IME Distributed Cache InactiveVoIPnone7
Cisco CallManager IME Insufficient Fallback Identifiers: No PSTN FallbackVoIPnone7
Cisco CallManager IME Over QuotaVoIPnone9
Cisco CallManager IME Quality AlertVoIPnone9
Cisco CallManager IME Service Authentication ErrorAuthenticationnone7
Cisco CallManager LogPartition High Water Mark ExceededVoIPnone9
Cisco CallManager LogPartition Low Water Mark ExceededVoIPnone7
Cisco CallManager MGCP DChannel is out of serviceVoIPnone9
Cisco CallManager Malicious Call TraceSuspicious Activitynone9
Cisco CallManager Media List ExhaustedVoIPnone9
Cisco CallManager Node Excessive Process and ThreadVoIPnone7
Cisco CallManager Node High CPUCPUnone8
Cisco CallManager Registered Device Count ExceededVoIPnone7
Cisco CallManager Registered Device Count IncreasedVoIPnone7
Cisco CallManager Registered Media Count IncreasedVoIPnone6
Cisco CallManager Registered Phone DecreasedVoIPnone8
Cisco Local To Remote Call Manager Communication ProblemVoIPnone9
Cisco Local To Remote Call Manager TCP Connection FailedVoIPnone9
Cisco Unified Contact Center Express Autopurging completedVoIPnone7
Cisco Unified Contact Center Express Database Replication FailedVoIPnone8
Cisco Unified Contact Center Express Database Replication StoppedVoIPnone9
Cisco Unified Contact Center Express Database UnavailableVoIPnone9
Cisco Unified Contact Center Express Database Update IssueVoIPnone9
Cisco Unified Contact Center Express JVM heap memory highMemorynone8
Cisco Unified Contact Center Express Report Execution FailedVoIPnone7
Cisco Unified Contact Center Express Report Server Uncoverable ErrorVoIPnone8
Cisco Unity Connection Disk utilization CriticalStorage Spacenone9
Cisco Unity Connection Disk utilization WarningStorage Spacenone7
Cisco Unity Connection Failback FailedVoIPnone10
Cisco Unity Connection Failover FailedVoIPnone10
Cisco Unity Connection Failover SucceededVoIPnone7
Cisco Unity Connection License About To ExpireVoIPnone7
Cisco Unity Connection License ExpiredVoIPnone9
Cisco Unity Connection Split Brain FailedVoIPnone10
Cisco Unity No Connection To PeerVoIPnone9
Critical Network Device Interface Staying DownNetworknone9
Degraded IPSLA DNS TestImpactT1499.0027
Degraded IPSLA ICMP TestImpactT1499.0027
Degraded IPSLA UDP Echo TestImpactT1499.0027
Degraded VoIP Call QualityImpactT1499.0027
Degraded VoIP IPSLA Call QualityImpactT1499.0027
EIGRP Neighbor DownImpactT15299
Excessive ICMP UnreachablesNetworknone6
FortiWeb Connection Limit ReachedImpactT1499.0029
IOS Packet Memory Test Failure Networknone9
IPSLA HTTP Test FailureImpactT1499.0027
Meraki Device Cellular Connection Disconnected Networknone7
Meraki Device Down ImpactT14899
Meraki Device IP Conflict Networknone7
Meraki Device Interface Down Networknone7
Meraki Device Port Cable Error Networknone8
Meraki Device VPN Connectivity Down Networknone9
Meraki Foreign AP Detected Policy Violationnone7
Meraki New DHCP Server Networknone7
Meraki New Splash User PersistenceT1098.0017
Meraki No DHCP lease Networknone7
Meraki Rogue DHCP Server Policy Violationnone7
Meraki Unreachable Device Networknone9
Meraki Unreachable RADIUS Server Networknone9
Meraki VPN Failover Networknone7
Network CPU Critical ImpactT1499.0029
Network CPU Warning ImpactT1499.0025
Network Device Down: no ping responseImpactT15297
Network Device FailoverImpactT15299
Network Device Hardware CriticalHardwarenone9
Network Device Hardware WarningHardwarenone5
Network Device Health: CriticalImpactT1499.0029
Network Device Interface FlappingImpactT15297
Network Device Redundancy Lost Networknone6
Network IPS Intf Util Critical ImpactT1498.0019
Network IPS Intf Util Warning ImpactT1498.0015
Network Interface Duplex MismatchNetworknone7
Network Intf Error Critical Interfacenone9
Network Intf Error Warning Interfacenone5
Network Intf Util Critical ImpactT1498.0019
Network Intf Util Warning ImpactT1498.0015
Network Memory Critical ImpactT1499.0029
Network Memory Warning ImpactT1499.0025
Noncritical Network Device Interface Staying DownNetworknone4
OSPF Neighbor Down ImpactT15299
Poor VoIP Call QualityImpactT1499.0029
Poor VoIP IPSLA Call QualityImpactT1499.0029
Radvision Corrupt video packetsVideo Conferencingnone7
Radvision Ethernet LossImpactT14897
Radvision Gateway DownImpactT14899
Radvision Hardware Removed/SwappedVideo Conferencingnone7
Radvision ISDN LossImpactT14897
Radvision call setup issuesVideo Conferencingnone7
Riverbed Steelhead Service Health Critical WANnone9
Riverbed Steelhead System Health Critical WANnone9
Riverbed Steelhead System Health Degraded WANnone7
Server Intf Util Warning ImpactT1499.0015

Server Performance Issue

Name Tactic Technique Severity
High Process CPU: Server ImpactT1499.0038
HyperV Logical Processor Total Run Time Percent CriticalImpactT1499.0015
Auto Service StoppedImpactT14894
ESX CPU CriticalImpactT1499.0019
ESX CPU Warning ImpactT1499.0015
ESX Disk I/O Critical ImpactT1499.0019
ESX Disk I/O Warning ImpactT1499.0015
ESX Memory CriticalImpactT1499.0019
ESX Memory Warning ImpactT1499.0015
ESX Network I/O Critical ImpactT1499.0019
ESX Network I/O Warning ImpactT1499.0015
ESX Server Health: Critical ImpactT1499.0019
ESX Server Health: Warning ImpactT1499.0017
Excessive FTP Client Side ErrorsImpactT1498.0017
Excessive HTTP Client Side ErrorsImpactT1498.0017
High Process CPU: Network DeviceImpactT1499.0028
High Process Memory: Network DeviceImpactT1499.0028
High Process Memory: ServerImpactT1499.0038
HyperV Disk I/O Warning ImpactT1499.0015
HyperV Disk Latency CriticalImpactT1499.0019
HyperV Guest Critical ImpactT1499.0019
HyperV Guest Hypervisor Run Time Percent WarningImpactT1499.0017
HyperV Logical Processor Total Run Time Percent WarningImpactT1499.0017
HyperV Page fault Critical ImpactT1499.0019
HyperV Page fault Warning ImpactT1499.0017
HyperV Remaining Guest Memory Warning ImpactT1499.0017
Important process downImpactT14897
Important process staying DownImpactT14899
License IssueLicensenone7
SNMP Service UnavailableImpactT14899
Server CPU Critical ImpactT1499.0019
Server CPU Warning ImpactT1499.0015
Server Degraded: Lossy Ping ResponseImpactT15297
Server Disk Latency Critical ImpactT1499.0019
Server Disk Latency Warning ImpactT1499.0015
Server Disk Space Critical ImpactT1499.0019
Server Disk space Warning ImpactT1499.0015
Server Down: No Ping ResponseImpactT15297
Server Hardware CriticalHardwarenone9
Server Hardware WarningHardwarenone5
Server Intf Error Critical ImpactT1499.0019
Server Intf Error Warning ImpactT1499.0015
Server Intf Util Critical ImpactT1499.0019
Server Memory Critical ImpactT1499.0019
Server Memory Warning ImpactT1499.0015
Server Network Interface FlappingImpactT15297
Server Network Interface Staying DownNetworknone4
Server Network Low Port Staying Down Networknone7
Server Swap Memory CriticalImpactT1499.0019
Service Down: No Response to STMImpactT1499.0039
Service Down: No Response to STM: Has IPApplicationnone9
Service Staying Down: No Response to STMImpactT1499.0038
Service Staying Down: No Response to STM: Has IPApplicationnone8
Sudden Decrease in Reported Events From A HostFortiSIEMnone7
Sudden Increase In System CPU UsageImpactT1499.0017
Sudden Increase in Disk I/O ImpactT1499.0017
Sudden Increase in Ping Response TimesImpactT1499.0027
Sudden Increase in Reported Events From A HostDiscoverynone7
Sudden Increase in SNMP Response TimesImpactT1499.0027
Sudden Increase in System Memory UsageImpactT1499.0017
Sudden Increase in WMI or OMI Response TimesImpactT1499.0027
Unix Server Health: CriticalImpactT1499.0019
Unix Server Health: Warning ImpactT1499.0015
Unix System Shutting DownImpactT15296
Virtual Machine CPU Critical ImpactT1499.0019
Virtual Machine CPU Warning ImpactT1499.0015
Virtual Machine Health: Critical ImpactT1499.0019
Virtual Machine Health: Warning ImpactT1499.0015
Virtual Machine Memory Swapping Critical ImpactT1499.0019
Virtual Machine Memory Swapping Warning ImpactT1499.0015
Virtual Machine SCSI Bus Reset ImpactT1499.0019
WMI or OMI Service UnavailableImpactT14899
Windows Cluster Service Membership ErrorWindows Cluster Servicenone9
Windows Cluster Service Quorum ErrorWindows Cluster Servicenone9
Windows Cluster Service Startup ErrorWindows Cluster Servicenone9
Windows Disk controller problemStoragenone9
Windows File System Replication Service Communication Error Windows File System Replicationnone7
Windows File System Replication Service Fatal Internal Error Windows File System Replicationnone9
Windows File System Replication Sharing violation Windows File System Replicationnone7
Windows File System Replication Staging quota too small Windows File System Replicationnone7
Windows Server Health: CriticalImpactT1499.0019
Windows Server Health: WarningImpactT1499.0015
Windows Server Paging File Usage Critical ImpactT1499.0019
Windows Server Shutting DownImpactT14896

Storage Performance Issue

Name Tactic Technique Severity
ES Coordinator Node DownNetworknone7
ES Coordinator Node Staying DownNetworknone9
Critical NetApp Trap Storagenone9
Critical NetApp Trap: can be auto clearedStoragenone9
Datastore Space Warning ImpactT1499.0017
EqualLogic Connection Read/Write Latency Critical ImpactT1499.0019
EqualLogic Connection Read/Write Latency Warning ImpactT1499.0015
Isilon Protocol Latency Critical ImpactT1499.0019
NFS Disk space Warning ImpactT1499.0015
NetApp Back to Back Consistency Point ImpactT1499.0019
NetApp CIFS Latency Critical ImpactT1499.0019
NetApp CIFS Read/Write Latency Warning ImpactT1499.0015
NetApp FCP Read/Write Latency Critical ImpactT1499.0019
NetApp FCP Read/Write Latency Warning ImpactT1499.0015
NetApp ISCSI Read/Write Latency Critical ImpactT1499.0019
NetApp ISCSI Read/Write Latency Warning ImpactT1499.0015
NetApp NFS Read/Write Latency Critical ImpactT1499.0019
NetApp NFS Read/Write Latency Warning ImpactT1499.0015
NetApp Volume Read/Write Latency Critical ImpactT1499.0019
NetApp Volume Read/Write Latency Warning ImpactT1499.0015
Network Device Degraded: Lossy Ping ResponseImpactT15297
Network Device Health: WarningImpactT1499.0015
Storage CPU Warning ImpactT1499.0015
Storage Device CPU CriticalImpactT1499.0019
Storage Device Disk Space CriticalImpactT1499.0019
Storage Hardware CriticalHardwarenone9
Storage Hardware WarningHardwarenone5
Storage Port Down ImpactT14899
Unregistered EMC Clariion HostStoragenone4
VCenter Datastore Space CriticalImpactT1499.0019
Warning NetApp Trap Storagenone7
Warning NetApp Trap: can be auto cleared Storagenone7

FortiSIEM Operational Issue

Name Tactic Technique Severity
ClickHouse Log Integrity System Errors DetectedFortiSIEMnone9
ClickHouse Log Integrity Violation DetectedFortiSIEMnone7
Discovered Device Incorrectly Merged: Overlapping IPFortiSIEMnone5
Elasticsearch Disaster Recovery: Restore FailedFortiSIEMnone9
Elasticsearch Disaster Recovery: Snapshot FailedFortiSIEMnone9
EventDB: Event Retention Policy ErrorFortiSIEMnone9
EventDB: Event Retention Policy ViolationFortiSIEMnone9
EventDB: Excessive Data Retention Policy Execution TimeFortiSIEMnone8
External Event Dropped By LicenseFortiSIEMnone7
FortiSIEM Agent Operational ErrorFortiSIEMnone7
FortiSIEM Archive Purging CompletedFortiSIEMnone4
FortiSIEM Archive Purging FailedFortiSIEMnone9
FortiSIEM Archive Purging StartedFortiSIEMnone10
FortiSIEM CMDB Disk space low - prune failed to keep free disk space above high thresholdFortiSIEMnone9
FortiSIEM CMDB Disk space low - prune successfulFortiSIEMnone4
FortiSIEM ClickHouse Storage Space CriticalFortiSIEMnone9
FortiSIEM ClickHouse Storage Space LowFortiSIEMnone6
FortiSIEM EPS License Exceeded FortiSIEMnone9
FortiSIEM Event Archiving CompletedFortiSIEMnone4
FortiSIEM Event Archiving FailedFortiSIEMnone9
FortiSIEM EventDB event store failedFortiSIEMnone10
FortiSIEM Online Event Successfully PurgedFortiSIEMnone4
FortiSIEM Performance Monitoring Relay Not Working: All Devices delayed FortiSIEMnone9
FortiSIEM Report Server Removed After License ExpiryFortiSIEMnone10
FortiSIEM: Low Available Archive SpaceFortiSIEMnone5
FortiSIEM: Low Available EventDB Storage FortiSIEMnone4
FortiSIEM: Too Many Unknown EventsFortiSIEMnone9
Inbound Incident Integration ErrorFortiSIEMnone7
Incident Notification ErrorFortiSIEMnone9
Large Supervisor JMS Request Queue FortiSIEMnone9
Large Supervisor JMS System Queue FortiSIEMnone9
Large Worker Input Event Queue FortiSIEMnone9
Large Worker Input SVN Queue FortiSIEMnone9
Missing specific performance metric from a device FortiSIEMnone5
No Events Reported From External Apps In Last HourFortiSIEMnone10
No Events Reported From External Devices In Last HourFortiSIEMnone10
No logs from a deviceFortiSIEMnone6
No logs from any device via Collector/WorkerFortiSIEMnone9
No performance metrics from a device FortiSIEMnone5
Outbound Incident Integration ErrorFortiSIEMnone9
Performance Monitoring ErrorFortiSIEMnone5
Performance monitoring jobs deleted by discoveryFortiSIEMnone5
Performance monitoring jobs not picked up for executionFortiSIEMnone5
Scheduled Report Send ErrorFortiSIEMnone9
System Collector Event Delayed FortiSIEMnone6

Host Discovery

Name Tactic Technique Severity
AWS Instance or Snapshot DiscoveryDiscoveryT15803
AWS SecHub: Tactics: Discovery DetectedDiscoverynone7
Azure Service Discovery DiscoveryT15263
Enumeration of System Information DiscoveryT10825
Info Leak ExploitsDiscoverynone5
Linux Account Discovery via Built-In ToolsDiscoveryT1087.0015
Linux: Discovery of Domain Groups DiscoveryT1069.0025
Linux: Discovery of Network Environment via Built-in Tools DiscoveryT1016.0015
Linux: Hping Process Activity DiscoveryT10187
Linux: Kernel Module Enumeration DiscoveryT1518.0015
Linux: Process Discovery via Built-In Applications DiscoveryT1057,T1518.0015
Linux: System Network Connections Discovery DiscoveryT10495
Linux: User Discovery via Whoami DiscoveryT10335
Linux: Virtual Machine Fingerprinting By non-root User DiscoveryT10825
MS 365 Defender: Suspicious Process Discovery - Discovery AlertDiscoveryT10577
MS 365 Defender: System Service Discovery - Discovery AlertDiscoveryT10076
Password Policy Enumeration DiscoveryT12015
Targeted System/Application Scan DiscoveryT10467
Windows: AD Privileged Users or Groups ReconnaissanceDiscoveryT1087.0027
Windows: AD User EnumerationDiscoveryT1087.0025
Windows: Azure AD Health Monitoring Agent Registry Keys AccessDiscoveryT10125
Windows: Azure AD Health Service Agents Registry Keys AccessDiscoveryT10125
Windows: BloodHound Collection FilesDiscoveryT14827
Windows: CMD Shell Output RedirectDiscoveryT10823
Windows: Computer Discovery And Export Via Get-ADComputer CmdletDiscoveryT10335
Windows: Computer System Reconnaissance Via Wmic.EXEExecutionT10475
Windows: DirLister ExecutionDiscoveryT10833
Windows: Discovery of a System TimeDiscoveryT11243
Windows: Domain Trust Discovery Via DsqueryDiscoveryT14825
Windows: Exports Critical Registry Keys To a FileDiscoveryT10127
Windows: Exports Registry Key To a FileDiscoveryT10123
Windows: Files And Subdirectories Listing Using DirDiscoveryT12173
Windows: Fsutil Drive EnumerationDiscoveryT11203
Windows: Group Membership Reconnaissance Via Whoami.EXEDiscoveryT10335
Windows: HackTool - Bloodhound/Sharphound ExecutionDiscoveryT14827
Windows: HackTool - SharpLdapWhoami ExecutionDiscoveryT10337
Windows: HackTool - TruffleSnout ExecutionDiscoveryT14827
Windows: HackTool - winPEAS ExecutionDiscoveryT10827
Windows: Hardware Model Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Local Accounts DiscoveryDiscoveryT1087.0013
Windows: Local Groups Reconnaissance Via Wmic.EXEDiscoveryT1069.0013
Windows: Net.exe ExecutionDiscoveryT12013
Windows: Network Reconnaissance ActivityDiscoveryT10827
Windows: PUA - AdFind Suspicious ExecutionDiscoveryT14827
Windows: PUA - Advanced IP Scanner ExecutionDiscoveryT11355
Windows: PUA - Advanced Port Scanner ExecutionDiscoveryT11355
Windows: PUA - Nmap/Zenmap ExecutionDiscoveryT10467
Windows: PUA - Seatbelt ExecutionDiscoveryT15267
Windows: PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXEDiscoveryT1087.0027
Windows: Permission Check Via Accesschk.EXEDiscoveryT1069.0015
Windows: Potential Active Directory Reconnaissance/Enumeration Via LDAPDiscoveryT14825
Windows: Potential Configuration And Service Reconnaissance Via Reg.EXEDiscoveryT10125
Windows: Potential Product Class Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Potential Product Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Potential Recon Activity Via Nltest.EXEDiscoveryT14827
Windows: Potential Reconnaissance Activity Via GatherNetworkInfo.VBSExecutionT1059.0055
Windows: Potential System Information Discovery Via Wmic.EXEDiscoveryT10825
Windows: Potential Unquoted Service Path Reconnaissance Via Wmic.EXEExecutionT10477
Windows: Process Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Python Initiated ConnectionDiscoveryT10465
Windows: Reconnaissance ActivityDiscoveryT1087.0027
Windows: Renamed AdFind ExecutionDiscoveryT14827
Windows: Renamed Whoami ExecutionDiscoveryT10339
Windows: SC.EXE Query ExecutionDiscoveryT10073
Windows: SCM Database Handle FailureDiscoveryT10105
Windows: Security Privileges Enumeration Via Whoami.EXEDiscoveryT10337
Windows: Service Reconnaissance Via Wmic.EXEExecutionT10475
Windows: Share And Session Enumeration Using Net.EXEDiscoveryT10183
Windows: Suspicious Execution of AdidnsdumpDiscoveryT10183
Windows: Suspicious Execution of HostnameDiscoveryT10823
Windows: Suspicious Execution of SysteminfoDiscoveryT10823
Windows: Suspicious LDAP Domain AccessDiscoveryT14825
Windows: Suspicious Query of MachineGUIDDiscoveryT10823
Windows: Suspicious Reconnaissance Activity Using Get-LocalGroupMember CmdletDiscoveryT1087.0015
Windows: Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBSExecutionT1059.0057
Windows: Suspicious Scan Loop NetworkDiscoveryT10185
Windows: Suspicious Tasklist Discovery CommandDiscoveryT10571
Windows: Suspicious Use of PsLogListDiscoveryT1087.0025
Windows: Suspicious Where ExecutionDiscoveryT12173
Windows: Suspicious Whoami.EXE ExecutionDiscoveryT10337
Windows: Suspicious Whoami.EXE Execution From Privileged ProcessDiscoveryT10337
Windows: SysKey Registry Keys Access DiscoveryT10129
Windows: Sysmon Discovery Via Default Driver Altitude Using Findstr.EXEDiscoveryT1518.0017
Windows: System Network Connections Discovery Via Net.EXEDiscoveryT10493
Windows: Use of W32tm as TimerDiscoveryT11247
Windows: User Discovery And Export Via Get-ADUser CmdletDiscoveryT10335
Windows: WhoAmI as ParameterDiscoveryT10337
Windows: Whoami Utility ExecutionDiscoveryT10335
Windows: Whoami.EXE Execution AnomalyDiscoveryT10337
Windows: Windows Hotfix Updates Reconnaissance Via Wmic.EXEExecutionT10475

Network Discovery

Name Tactic Technique Severity
Excessive Denied Connections From Same Src ImpactT1498.0018
Excessive Denied Connections To A Port ImpactT1498.0017
Excessive Denied Connections To Same Destination ImpactT1498.0018
Excessive SNMP Port 161 Traffic from a Source to the same DestinationCollectionT1602.0015
Heavy Half Open TCP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy Half Open TCP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0018
Heavy ICMP Ping sweep DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy TCP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy TCP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0018
Heavy UDP Host Scan DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0017
Heavy UDP Host Scan On Fixed Port DiscoveryT1018,T1590.003,T1590.004,T1590.005,T1595.0019
Azure Infrastructure Discovery DiscoveryT15803
Heavy Half Open TCP Port Scan: Multiple DestinationsDiscoveryT10468
Heavy Half Open TCP Port Scan: Single DestinationDiscoveryT10467
Heavy TCP Port Scan: Multiple DestinationsDiscoveryT10468
Heavy TCP Port Scan: Single DestinationDiscoveryT10467
Heavy UDP Port Scan: Multiple HostsDiscoveryT10469
Heavy UDP Port Scan: Single HostDiscoveryT10467
Linux: NMAP Process Activity ReconnaissanceT1592.002,T1595.0017
Linux: Nping Process Activity ReconnaissanceT1595.0017
MS 365 Defender: System Network Configuration Discovery - Discovery AlertDiscoveryT1016.0016
Multiple IPS Detected Scans From Same SrcDiscoveryT10467
Stealth Scan using a toolDiscoveryT10469
WLAN Scan DiscoveryT10467

Brute Force Logon

Name Tactic Technique Severity
Multiple Logon Failures: Same Src and Dest and Multiple Accounts Credential AccessT1110.0019
Multiple Logon Failures: Same Src and Multiple Dest Credential AccessT1110.0019
Multiple Logon Failures: VPN Credential AccessT1110.0016
Repeated Multiple Logon Failures: VPN Credential AccessT1110.0019
AWS IAM Brute Force of Assume Role Policy Credential AccessT1110.0017
AWS Management Console Brute Force of Root User Identity Credential AccessT1110.00110
Account Locked: DomainCredential AccessT1110.0016
Account Locked: FortiSIEMCredential AccessT1110.0019
Account Locked: Network DeviceCredential AccessT1110.0019
Account Locked: ServerCredential AccessT1110.0018
Brute Force App Login Success Credential AccessT1110.0019
Brute Force Host Login Success Credential AccessT1110.0019
Multiple Login Failures: Net DeviceCredential AccessT1110.0019
Multiple Login Failures: Net Device: No Source IPCredential AccessT1110.0019
Multiple Logon Failures: DatabaseCredential AccessT1110.0019
Multiple Logon Failures: DomainCredential AccessT1110.0014
Multiple Logon Failures: Misc AppCredential AccessT1110.0016
Multiple Logon Failures: ServerCredential AccessT1110.0017
Multiple Logon Failures: WLANCredential AccessT1110.0016
Multiple Logon Failures: Web ServerCredential AccessT1110.0017
Multiple Privileged Logon Failures: ServerCredential AccessT1110.0019
Office365: Brute Force Login Attempts - Same SourceCredential AccessT1110.0037
Office365: Brute Force Login Attempts - Same UserCredential AccessT1110.0017
Office365: Brute Force Logon SuccessCredential AccessT1110.0039
Repeated Multiple Login Failures: Net DeviceCredential AccessT1110.0019
Repeated Multiple Logon Failures: DatabaseCredential AccessT1110.0019
Repeated Multiple Logon Failures: DomainCredential AccessT1110.0019
Repeated Multiple Logon Failures: Misc AppCredential AccessT1110.0019
Repeated Multiple Logon Failures: ServerCredential AccessT1110.0019
Repeated Multiple Logon Failures: WLANCredential AccessT1110.0019
Repeated Multiple Logon Failures: Web ServerCredential AccessT1110.0019
Suspicious Logon Failure without following successful loginCredential AccessT1110.0018

Initial Access

Name Tactic Technique Severity
AWS SecHub: Tactics: Initial Access DetectedInitial Accessnone7
Azure External Guest User Invitation Initial AccessT1078.0043
Windows: External Disk Drive or USB Storage Device Initial AccessT1091,T12003
Windows: ISO Image MountInitial AccessT1566.0015

Botnet Detected

Name Tactic Technique Severity
Suspicious Botnet like End host DNS Behavior Command and Controlnone6
FortiGate detects BotnetCommand and Controlnone9
FortiSandbox detects BotnetCommand and Controlnone9
Outbreak: FortiWeb detected Zerobot Botnet Activity on NetworkLateral MovementT12109
Outbreak: Sysrv-K Botnet Activity Detected on HostResource DevelopmentT1584.0059
Outbreak: Sysrv-K Botnet Activity Detected on NetworkResource DevelopmentT1584.0059
Outbreak: Zerobot Botnet Activity Detected on HostLateral MovementT12109
Outbreak: Zerobot Botnet Activity Detected on NetworkLateral MovementT12109

Correlated IPS Alert

Name Tactic Technique Severity
Code Injection Attack detected by NIPSExecutionnone9
FortiSandbox detects Network AttackExecutionnone7
FortiWeb: Permitted Inbound Attack DetectedLateral MovementT12109
High Risk Rating Cisco IPS ExploitExecutionnone9
High Severity Inbound Denied Security ExploitExecutionnone5
High Severity Inbound Permitted IPS ExploitExecutionnone9
High Severity Outbound Denied IPS ExploitExecutionnone9
High Severity Outbound Permitted IPS ExploitExecutionnone9
High Severity Symantec Host IPS Exploit Executionnone9
Multiple Distinct IPS Events From Same SrcExecutionnone9
System Exploit Detected by Network IPSExecutionnone7
System Exploit Detected by Network IPS: Likely Success Executionnone9

Generic 3rd party Alerts

Name Tactic Technique Severity
AlertLogic IncidentExecutionnone7
Armis Alert DetectedBehavioral Anomalynone9
Cortex XDR Alert DetectedBehavioral Anomalynone9
Cortex XDR Alert PreventedBehavioral Anomalynone7
Cylance Waived ThreatExecutionnone3
FortiNDR Cloud: High Severity Detection triggered for a HostPrivilege EscalationT10689
FortiNDR Cloud: Low Severity Detection triggered for a HostPrivilege EscalationT10684
FortiNDR Cloud: Moderate Severity Detection triggered for a HostPrivilege EscalationT10687
MS 365 Defender: Delivery DetectedImpactnone8
MS 365 Defender: Exploit DetectedExecutionnone9
MS 365 Defender: Generic AlertPH_RULE_SECURITY_Suspicious_Activitynone7
MS 365 Defender: Incident TriggeredSuspicious Activitynone7
Microsoft ATA Center: Security Alert TriggeredBehavioral Anomalynone6
UserGate UTM IDPS Alert DetectedBehavioral Anomalynone8

Malware Detected

Name Tactic Technique Severity
Adware process found Persistencenone7
Backdoor Found by Network IPSExecutionT1204.0019
Cisco Umbrella: Intelligent Proxy Blocked a Malware Request by PolicyCommand And ControlT1071.0049
Crowdstrike: Activity PreventedMalwarenone6
Crowdstrike: Attacker MethodologyMalwarenone8
Crowdstrike: Blocked ExploitExecutionnone6
Crowdstrike: File Blocked With Matching HashExecutionnone6
Crowdstrike: NextGen Antivirus based Malware Persistencenone8
CyberX Detected MalwareBehavioral Anomalynone9
Cylance Blocked Exploit Executionnone7
Dynamically generated host name: malware likelyCommand And ControlT1568.0027
FireAMP Malicious file executionPersistencenone9
FireEye HX IOC found Persistencenone9
FireEye Malware CallbackExfiltrationT10419
FortiMail: Malicious Spam File Attachment FoundCollectionT1114.0019
FortiNDR: Attack Chain BlockedMalwarenone8
FortiNDR: Attack Chain PermittedMalwarenone10
FortiSandbox detects file malware with high or medium riskExfiltrationT10419
FortiSandbox detects URL MalwareExfiltrationT10419
FortiSandbox detects malicious file malware from file uploadExfiltrationT10419
FortiSandbox detects multiple hosts with infected files ExfiltrationT10419
FortiSandbox detects unknown risk file malwareExfiltrationT10417
Host Quarantined by FortiGatePolicy Violationnone9
MS 365 Defender: Malware DetectedExfiltrationT10419
Malware found but not remediatedExfiltrationT10419
Malware found by firewall but not remediatedPersistencenone9
Phishing attack found but not remediatedReconnaissanceT1598.002,T1598.0039
Rootkit found PersistenceT1014,T1554,T1601.0019
Spam/Malicious Mail Attachment found but not remediatedCollectionT1114.0017
Spyware Found And CleanedExecutionT1204.0015
Spyware Found by Network IPSExecutionT1204.0019
Spyware found but not remediatedExecutionT1204.0019
UEBA Policy detects malicious powershell execution UEBAnone7
UEBA Policy detects suspicious applications UEBAnone7
Virus found in mailCollectionT1114.0019
Windows: FlowCloud MalwareDefense EvasionT11129
Windows: Malware Shellcode in Verclsid Target ProcessPersistencenone7
Windows: Microsoft Malware Protection Engine CrashDefense EvasionT1562.0017
Windows: Microsoft Malware Protection Engine Crash - WERDefense EvasionT1562.0017
Windows: Octopus Scanner Malware Detected Initial AccessT1195.0017
Windows: Registry Entries For Azorult MalwareDefense EvasionT11129
Windows: Suspicious Typical Malware Back Connect PortsCommand And ControlT15715

Outbreak Alert

Name Tactic Technique Severity
Crowdstrike: Known Malware ExfiltrationT10419
Log4J Exploit Request Detected By RegexLateral MovementT12107
Log4J Exploit Request Detected on Host by Fortinet ProductsLateral MovementT121010
Log4J Exploit Request Detected on Network by Fortinet ProductsLateral MovementT121010
Outbreak: 3CX Supply Chain Attack Detected on HostLateral MovementT12109
Outbreak: 3CX Supply Chain Attack Detected on NetworkLateral MovementT12109
Outbreak: ABB Flow Computer Path Traversal Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Active Directory Privilege Escalation Exploit Detected on HostResource DevelopmentT1584.0019
Outbreak: Active Directory Privilege Escalation Exploit Detected on NetworkResource DevelopmentT1584.0019
Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on HostLateral MovementT12109
Outbreak: Adobe ColdFusion Deserialization of Untrusted Data Vuln Detected on NetworkLateral MovementT12109
Outbreak: Agent Tesla Malware Attack Detected on HostLateral MovementT12109
Outbreak: Agent Tesla Malware Attack Detected on NetworkLateral MovementT12109
Outbreak: Apache Commons Text RCE Vulnerability Detected on NetworkResource DevelopmentT1586.0029
Outbreak: Apache Path Traversal Vuln Detected on HostLateral MovementT12109
Outbreak: Apache Path Traversal Vuln Detected on NetworkLateral MovementT12109
Outbreak: Apache RocketMQ RCE Vuln Detected on NetworkLateral MovementT12109
Outbreak: Atlassian Confluence CVE-2022-26134 Vuln Detected on HostLateral MovementT12109
Outbreak: Atlassian Confluence CVE-2022-26134 Vuln Detected on NetworkLateral MovementT12109
Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on HostLateral MovementT12109
Outbreak: Atlassian Pre-Auth Arbitrary File Read Vuln detected on NetworkLateral MovementT12109
Outbreak: BURNTCIGAR MS Signed Driver Malware detected on HostDefense EvasionT1036.0019
Outbreak: BURNTCIGAR MS Signed Driver Malware detected on NetworkDefense EvasionT1036.0019
Outbreak: CISA Top 20 Vulnerability detected on HostLateral MovementT12109
Outbreak: Cacti Server Command Injection Attack Detected on NetworkLateral MovementT12109
Outbreak: Cacti Server Command Injection Vulnerability Detected on HostLateral MovementT12109
Outbreak: Control Web Panel Login Exploit Detected on HostDefense EvasionT12029
Outbreak: Control Web Panel Login Exploit Detected on NetworkDefense EvasionT12029
Outbreak: CosmicEnergy Malware Detected on HostLateral MovementT12109
Outbreak: CosmicEnergy Malware Detected on NetworkLateral MovementT12109
Outbreak: DARKSIDE Domain Traffic DetectedExfiltrationT10419
Outbreak: DARKSIDE Suspicious File Hash Found on HostExfiltrationT10419
Outbreak: DARKSIDE Suspicious File Hash Found on NetworkExfiltrationT10419
Outbreak: DEARCRY Infected File Detected on HostExploitnone9
Outbreak: DEARCRY Infected File Detected on NetworkExploitnone9
Outbreak: Emotet Malware Activity Detected by FortiClientExfiltrationT10419
Outbreak: Emotet Malware Activity Detected on HostExfiltrationT10419
Outbreak: Emotet Malware Activity Detected on NetworkExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found by ForticlientExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found on HostExfiltrationT10419
Outbreak: Emotet Suspicious File Hash Found on NetworkExfiltrationT10419
Outbreak: F5 BIG-IP TMM Attack - FortiGate IPS Exploit PermittedExploitnone9
Outbreak: FortiGate Authentication bypass on Aministrative InterfaceLateral MovementT121010
Outbreak: FortiGate detected CISA Top 20 Vulnerability on NetworkLateral MovementT12109
Outbreak: FortiOS SSLVPN Heap Buffer Overflow attack - CVE-2022-42475 Detected on NetworkLateral MovementT12109
Outbreak: FortiWeb detected CISA Top 20 Vulnerability on NetworkLateral MovementT12109
Outbreak: FortiWeb detected VMware Spring Cloud Func RCE Vulnerability on NetworkLateral MovementT12109
Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on HostLateral MovementT12109
Outbreak: Fortra GoAnywhere MFT RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Google Chromium WebP Vuln Detected on HostLateral MovementT12109
Outbreak: Google Chromium WebP Vuln Detected on NetworkLateral MovementT12109
Outbreak: HAFNIUM Exchange OWA Server Authentication BypassCommand and Controlnone9
Outbreak: HAFNIUM FortiGate Permitted IPS EventCommand and Controlnone9
Outbreak: HAFNIUM Inbound Network TrafficCommand And ControlT10959
Outbreak: HAFNIUM Infected File Detected by FortiGateCommand and Controlnone9
Outbreak: HAFNIUM Outbound Network TrafficCommand And ControlT10959
Outbreak: HAFNIUM Suspicious File hash matchCommand and Controlnone9
Outbreak: HTTP2 Rapid Reset Attack Detected on HostLateral MovementT12109
Outbreak: HTTP2 Rapid Reset Attack Detected on NetworkLateral MovementT12109
Outbreak: HermeticWiper-Foxblade Malware Detected on HostImpactT14859
Outbreak: HermeticWiper-Foxblade Malware Detected on NetworkImpactT14859
Outbreak: Hikvision IP Camera Command Injection Vulnerability CVE-2021-36260 on NetworkLateral MovementT12109
Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on HostLateral MovementT12109
Outbreak: IBM Aspera Faspex Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on HostLateral MovementT12109
Outbreak: Ivanti Endpoint Manager Mobile Authentication Bypass Vuln Detected on NetworkLateral MovementT12109
Outbreak: Joomla CMS Improper Access Check Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Kaseya REvil Suspicious File Hash Found on HostInitial AccessT1195.0029
Outbreak: Kaseya REvil Suspicious File Hash Found on NetworkInitial AccessT1195.0029
Outbreak: Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on HostLateral MovementT1021.0029
Outbreak: Microsoft Driver RCE vulnerability - CVE-2022-26809 Detected on NetworkLateral MovementT1021.0029
Outbreak: Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on HostResource DevelopmentT1586.0029
Outbreak: Microsoft Exchange Autodiscover RCE ProxyNotShell Detected on NetworkResource DevelopmentT1586.0029
Outbreak: Microsoft Office Follina Vuln Detected on HostResource DevelopmentT1584.0059
Outbreak: Microsoft Office Follina Vuln Detected on NetworkResource DevelopmentT1584.0059
Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on HostLateral MovementT12109
Outbreak: Microsoft Office and Windows HTML RCE Vuln Detected on NetworkLateral MovementT12109
Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on HostLateral MovementT12109
Outbreak: Microsoft Outlook Elevation of Privilege Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Multiple Vendor Camera System Attack Detected on NetworkLateral MovementT12109
Outbreak: Oracle WebLogic Server Vuln Detected on NetworkLateral MovementT12109
Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on HostLateral MovementT12109
Outbreak: PaperCut MF/NG Improper Access Control Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Print Nightmare Activity Detected on HostExploitnone9
Outbreak: Print Nightmare Activity Detected on NetworkExploitnone9
Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on HostLateral MovementT12109
Outbreak: Progress MOVEit Transfer SQL Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: Progress Telerik UI Attack Detected on HostLateral MovementT12109
Outbreak: Progress Telerik UI Attack Detected on NetworkLateral MovementT12109
Outbreak: Realtek SDK Attack Detected on HostLateral MovementT12109
Outbreak: Realtek SDK Attack Detected on NetworkLateral MovementT12109
Outbreak: Redigo Malware Detected on HostLateral MovementT12109
Outbreak: Redigo Malware Detected on NetworkLateral MovementT12109
Outbreak: Router Malware Attack Detected on HostPrivilege EscalationT10689
Outbreak: Router Malware Attack Detected on NetworkPrivilege EscalationT10689
Outbreak: SUNBURST Domain TrafficCommand And ControlT1568.0019
Outbreak: SUNBURST Outbound Network TrafficCommand And ControlT10959
Outbreak: SUNBURST Suspicious File CreatedCommand and Controlnone9
Outbreak: SUNBURST Suspicious File Hash MatchCommand and Controlnone9
Outbreak: SUNBURST Suspicious File Hash match by Source and DestinationCommand And ControlT10959
Outbreak: Sandbreak vm2 sandbox module RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: SolarView Compact Command Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: Spring4Shell Malware Detected on NetworkImpactT14859
Outbreak: TBK DVR Authentication Bypass Attack Detected on NetworkLateral MovementT12109
Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on HostLateral MovementT12109
Outbreak: TP-Link Archer AX-21 Command Injection Attack Detected on NetworkLateral MovementT12109
Outbreak: Teclib GLPI Remote Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on HostLateral MovementT12109
Outbreak: ThinkPHP Remote Code Execution Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: VMWare Workspace ONE Vulnerability - CVE-2022-22954 on NetworkLateral MovementT12109
Outbreak: VMware Aria Operations for Networks Command Injection Vuln Detected on NetworkLateral MovementT12109
Outbreak: VMware Spring Cloud Func RCE Vulnerability on NetworkLateral MovementT12109
Outbreak: Win32k Elevation of Privilege Vulnerability Detected on HostPrivilege EscalationT10689
Outbreak: Win32k Elevation of Privilege Vulnerability Detected on NetworkPrivilege EscalationT10689
Outbreak: Windows HTTP Protocol Stack RCE Detected on HostInitial AccessT11909
Outbreak: Windows HTTP Protocol Stack RCE Detected on NetworkInitial AccessT11909
Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on HostLateral MovementT12109
Outbreak: WooCommerce Payments Improper Authentication Vuln Detected on NetworkLateral MovementT12109
Outbreak: Wordpress WPGateway Plugin Vuln Detected on NetworkLateral MovementT12109
Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on HostInitial AccessT11909
Outbreak: X.509 Email Address Buffer Overflow in OpenSSL 3.0.0 to 3.0.6 detected on NetworkInitial AccessT11909
Outbreak: Zimbra Collaboration Mboximport Vulnerability on HostPrivilege EscalationT10689
Outbreak: Zimbra Collaboration Mboximport Vulnerability on NetworkPrivilege EscalationT10689
Outbreak: Zoho ManageEngine RCE Vulnerability Detected on NetworkLateral MovementT12109
Outbreak: Zyxel Multiple Firewall Vuln Detected on HostLateral MovementT12109
Outbreak: Zyxel Multiple Firewall Vuln Detected on NetworkLateral MovementT12109
Outbreak: Zyxel Router Command Injection Attack Detected on NetworkLateral MovementT12109

Hacking Tool Usage

Name Tactic Technique Severity
UEBA Policy detects hacking tool and footprints UEBAnone7
UEBA Policy detects hacking tool usage UEBAnone7
Windows: HackTool - ADCSPwn ExecutionCollectionT1557.0017
Windows: HackTool - Certify ExecutionPersistencenone7
Windows: HackTool - Certipy ExecutionPersistencenone7
Windows: HackTool - Covenant PowerShell LauncherDefense EvasionT1564.0037
Windows: HackTool - CrackMapExec ExecutionPersistencenone7
Windows: HackTool - CrackMapExec Execution PatternsExecutionT1059.0037
Windows: HackTool - CrackMapExec PowerShell ObfuscationExecutionT1059.0017
Windows: HackTool - DInjector PowerShell Cradle ExecutionPersistencenone9
Windows: HackTool - Default PowerSploit/Empire Scheduled Task CreationExecutionT1059.0017
Windows: HackTool - Empire PowerShell Launch ParametersExecutionT1059.0017
Windows: HackTool - GMER Rootkit Detector and Remover ExecutionPersistencenone7
Windows: HackTool - Htran/NATBypass ExecutionPersistencenone7
Windows: HackTool - Impersonate ExecutionDefense EvasionT1134.0035
Windows: HackTool - Koadic ExecutionExecutionT1059.0077
Windows: HackTool - LocalPotato ExecutionPersistencenone7
Windows: HackTool - PCHunter ExecutionPersistencenone7
Windows: HackTool - PPID Spoofing SelectMyParent Tool ExecutionDefense EvasionT1134.0047
Windows: HackTool - PowerTool ExecutionDefense EvasionT1562.0017
Windows: HackTool - PurpleSharp ExecutionPersistencenone9
Windows: HackTool - RedMimicry Winnti Playbook ExecutionDefense EvasionT1218.0117
Windows: HackTool - SILENTTRINITY Stager DLL LoadPersistencenone7
Windows: HackTool - SILENTTRINITY Stager ExecutionPersistencenone7
Windows: HackTool - SecurityXploded ExecutionPersistencenone9
Windows: HackTool - SharPersist ExecutionPersistencenone7
Windows: HackTool - SharpChisel ExecutionCommand And ControlT1090.0017
Windows: HackTool - SharpEvtMute DLL LoadDefense EvasionT1562.0027
Windows: HackTool - SharpEvtMute ExecutionDefense EvasionT1562.0027
Windows: HackTool - SharpImpersonation ExecutionDefense EvasionT1134.0037
Windows: HackTool - SharpLDAPmonitor ExecutionPersistencenone5
Windows: HackTool - SharpUp PrivEsc Tool ExecutionDefense EvasionT1574.0059
Windows: HackTool - Sliver C2 Implant Activity PatternPersistencenone9
Windows: HackTool - Stracciatella ExecutionDefense EvasionT1562.0017
Windows: HackTool - SysmonEOP ExecutionPrivilege EscalationT10689
Windows: HackTool - Wmiexec Default Powershell CommandPersistencenone7
Windows: Hacktool RulerDefense EvasionT1550.0027
Windows: Impacket Tool ExecutionCollectionT1557.0017
Windows: NPPSpy Hacktool UsagePersistencenone7
Windows: PUA - Crassus ExecutionReconnaissanceT1590.0017
Windows: PUA - Process Hacker Driver LoadPersistencenone7
Windows: PUA - Process Hacker ExecutionPersistencenone7
Windows: ProcessHacker Privilege ElevationExecutionT1569.0027
Windows: Suspicious Hacktool Execution - PE MetadataPersistencenone7
Windows: Vulnerable HackSys Extreme Vulnerable Driver LoadPersistenceT1543.0037
Windows: Webshell Hacking Activity PatternsPersistenceT1505.0037

Honeypot match

Name Tactic Technique Severity
FortiDeceptor: IPS Attack to DecoyLateral Movementnone9
FortiDeceptor: Successful FTP/TFTP Operations to DecoyInitial Access ICST08869
FortiDeceptor: Successful IOT SCADA Operations to DecoyInitial Access ICST08869
FortiDeceptor: Successful RDP Login to DecoyInitial Access ICST08869
FortiDeceptor: Successful SAMBA Operations to DecoyInitial Access ICST08869
FortiDeceptor: Successful SSH Login to DecoyInitial Access ICST08869

IOC Match

Name Tactic Technique Severity
Blocklist User Agent MatchExfiltrationT10419
Cisco Umbrella: Failed DNS Requests to Malware Domains: Same source and Multiple DestinationsCommand And ControlT1071.0049
Cisco Umbrella: Multiple Failed DNS Requests to a Malware Domain: Same Source and DestinationCommand And ControlT1071.0049
Crowdstrike: Intel DetectionPersistencenone9
DNS Traffic to Anomali ThreatStream Malware DomainsExfiltrationT1048.0019
DNS Traffic to FortiGuard Malware DomainsExfiltrationT1048.0019
FortiMail: Malicious URL foundCollectionT1114.0019
Inbound Traffic from Open ProxiesCommand And ControlT1090.0029
Inbound Traffic from Tor NetworkCommand And ControlT1090.0029
Malware hash matchExfiltrationT10419
Outbound Traffic to Open ProxiesCommand And ControlT1090.0029
Outbound Traffic to Tor NetworkCommand And ControlT1090.0029
Permitted Traffic from Anomali ThreatStream Malware IP ListExfiltrationT10419
Permitted Traffic from Dragos Worldview Malware IP ListLateral MovementT12109
Permitted Traffic from Emerging Threat IP ListCommand and Controlnone7
Permitted Traffic from FortiGuard Malware IP ListExfiltrationT10419
Traffic to Anomali ThreatStream Malware IP ListExfiltrationT10419
Traffic to Dragos Worldview Malware IP ListLateral MovementT12109
Traffic to Emerging Threat IP ListExfiltrationT1048.0017
Traffic to FortiGuard Malware IP ListExfiltrationT10419
Web Traffic to Anomali ThreatStream Malicious URLsExfiltrationT10419
Web Traffic to FortiGuard Malicious URLsExfiltrationT10419
Web Traffic to FortiSandbox Malicious URLsExfiltrationT10419

OT Exploit

Name Tactic Technique Severity
FortiGate ICS Alert: Exploitation of Remote ServicesInitial Access ICST08668
ICS Alert: Activate Firmware Update ModeInhibit Response FunctionT08006
ICS Alert: Alarm SuppressionInhibit Response FunctionT08786
ICS Alert: Automated CollectionCollection ICST08028
ICS Alert: Block Reporting MessageInhibit Response FunctionT08048
ICS Alert: Brute Force I/OImpair Process ControlT08068
ICS Alert: Change Operating ModeExecution ICST08588
ICS Alert: Command BlockedInhibit Response FunctionT08038
ICS Alert: Command-Line InterfaceExecution ICST08078
ICS Alert: Commonly Used PortCommand And Control ICST08858
ICS Alert: Connection ProxyCommand And Control ICST08848
ICS Alert: Damage to PropertyImpact ICST08798
ICS Alert: Data DestructionInhibit Response FunctionT08098
ICS Alert: Data from Information RepositoriesCollection ICST08118
ICS Alert: Default CredentialsLateral Movement ICST08128
ICS Alert: Denial of ControlImpact ICST08138
ICS Alert: Denial of ServiceInhibit Response FunctionT08148
ICS Alert: Denial of ViewImpact ICST08158
ICS Alert: Detect Operating ModeCollection ICST08688
ICS Alert: Device Restart/ShutdownInhibit Response FunctionT08168
ICS Alert: Drive-by CompromiseInitial Access ICST08178
ICS Alert: Execution through APIExecution ICST08718
ICS Alert: Exploit Public-Facing ApplicationInitial Access ICST08198
ICS Alert: Exploitation for EvasionEvasion ICST08208
ICS Alert: Exploitation for Privilege EscalationPrivilege Escalation ICST08908
ICS Alert: Exploitation of Remote ServicesLateral Movement ICST08668
ICS Alert: External Remote ServicesInitial Access ICST08228
ICS Alert: Graphical User InterfaceExecution ICST08238
ICS Alert: HookingExecution ICST08748
ICS Alert: I/O ImageCollection ICST08778
ICS Alert: Indicator Removal on HostEvasion ICST08728
ICS Alert: Internet Accessible DeviceInitial Access ICST08838
ICS Alert: Lateral Tool TransferLateral Movement ICST08678
ICS Alert: Loss of AvailabilityImpact ICST08268
ICS Alert: Loss of ControlImpact ICST08278
ICS Alert: Loss of Productivity and RevenueImpact ICST08288
ICS Alert: Loss of ProtectionImpact ICST08378
ICS Alert: Loss of SafetyImpact ICST08808
ICS Alert: Loss of ViewImpact ICST08298
ICS Alert: Man in the MiddleCollection ICST08308
ICS Alert: Manipulate I/O ImageInhibit Response FunctionT08358
ICS Alert: Manipulation of ControlImpact ICST08318
ICS Alert: Manipulation of ViewImpact ICST08328
ICS Alert: MasqueradingEvasion ICST08498
ICS Alert: Modify Alarm SettingsInhibit Response FunctionT08388
ICS Alert: Modify Controller TaskingExecution ICST08218
ICS Alert: Modify ParameterImpair Process ControlT08368
ICS Alert: Modify ProgramPersistence ICST08898
ICS Alert: Module FirmwarePersistence ICST08398
ICS Alert: Monitor Process StateCollection ICST08018
ICS Alert: Native APIExecution ICST08348
ICS Alert: Network Connection EnumerationDiscovery ICST08408
ICS Alert: Network SniffingDiscovery ICST08428
ICS Alert: Point Tag IdentificationCollection ICST08618
ICS Alert: Program DownloadLateral Movement ICST08438
ICS Alert: Program UploadCollection ICST08458
ICS Alert: Project File InfectionPersistence ICST08738
ICS Alert: Remote ServicesLateral Movement ICST08868
ICS Alert: Remote System DiscoveryDiscovery ICST08468
ICS Alert: Remote System Information DiscoveryDiscovery ICST08888
ICS Alert: Replication Through Removable MediaInitial Access ICST08478
ICS Alert: Rogue MasterInitial Access ICST08488
ICS Alert: RootkitEvasion ICST08518
ICS Alert: Screen CaptureCollection ICST08528
ICS Alert: ScriptingExecution ICST08538
ICS Alert: Serial COM BlockedInhibit Response FunctionT08058
ICS Alert: Service StopInhibit Response FunctionT08818
ICS Alert: Spearphishing AttachmentInitial Access ICST08658
ICS Alert: Spoof Reporting MessageEvasion ICST08568
ICS Alert: Standard Application Layer ProtocolCommand And Control ICST08698
ICS Alert: Supply Chain CompromiseInitial Access ICST08628
ICS Alert: System FirmwarePersistence ICST08578
ICS Alert: Theft of Operational InformationImpact ICST08828
ICS Alert: Transient Cyber AssetInitial Access ICST08648
ICS Alert: Unauthorized Command MessageImpair Process ControlT08558
ICS Alert: User ExecutionExecution ICST08638
ICS Alert: Valid AccountsPersistence ICST08598
ICS Alert: Wireless CompromiseInitial Access ICST08608
ICS Alert: Wireless SniffingDiscovery ICST08878
OT Modbus Write Command Initiated outside of Purdue Level 2none7
OT Permited Traffic not from Purdue Level 3 to Level 2none7
OT Permited Traffic not from Purdue Level 3.5 to Level 3none7
OT Permited Traffic not from Purdue Level 4 to Level 3.5none7
OT Permited Traffic not from Purdue Level 5 to Level 4none7
Otorio RAM2 Alert has TriggeredPolicy Violationnone9

Ransomware Detected

Name Tactic Technique Severity
Crowdstrike: RansomwarePersistencenone8
Outbreak: DARKSIDE Ransomware File Activity Detected on HostExfiltrationT10419
Outbreak: DARKSIDE Ransomware File Activity Detected on NetworkExfiltrationT10419
Outbreak: DARKSIDE Ransomware Inbound Network Traffic DetectedExfiltrationT10419
Outbreak: DARKSIDE Ransomware Outbound Network Traffic DetectedExfiltrationT10419
Outbreak: Hive Ransomware Detected on HostLateral MovementT12109
Outbreak: Hive Ransomware Detected on NetworkLateral MovementT12109
Outbreak: Kaseya REvil Ransomware File Activity Detected on HostInitial AccessT1195.0029
Outbreak: Kaseya REvil Ransomware File Activity Detected on NetworkInitial AccessT1195.0029
Outbreak: Prestige Ransomware Detected on HostResource DevelopmentT1586.0029
Outbreak: Prestige Ransomware Detected on NetworkResource DevelopmentT1586.0029
Outbreak: VMware ESXi Server Ransomware Attack Detected on NetworkPrivilege EscalationT10689
Ransomware detected on a hostImpactT14869
Ransomware outbreak detectedImpactT148610
UEBA Policy detects ransomware file typesUEBAnone7
UEBA Policy detects ransomware noteUEBAnone9
Windows: Suspicious Creation TXT File in User DesktopImpactT14867

Suspicious Execution

Name Tactic Technique Severity
AWS Execution via System Manager ExecutionT1059.0063
AWS SecHub: Tactics: Execution DetectedExecutionnone8
AWS SecHub: Unusal Data Behavior DetectedImpactnone7
AWS SecHub: Unusal Database Behavior DetectedImpactnone7
AWS SecHub: Unusal Process Behavior DetectedImpactnone8
AWS SecHub: Unusal Serverless Behavior DetectedImpactnone7
AWS SecHub: Unusual Application Behavior DetectedImpactnone7
Azure Command Execution on Virtual Machine ExecutionT1059.0065
Crowdstrike: Drive By Download Executionnone8
Crowdstrike: Overwatch Detection Executionnone9
Cylance Found Active ScriptExecutionnone7
Cylance Quarantined HostExecutionnone7
CylanceProtect Threat ChangedExecutionnone7
Excessive WLAN Exploits: Same SourceExecutionnone9
Executable file posting from external sourceExecutionnone9
Execution via local SxS Shared Module ExecutionT11295
High Severity WLAN AttackExecutionnone9
Linux: Interactive Terminal Spawned via Perl ExecutionT1059.0045
Linux: Interactive Terminal Spawned via Python ExecutionT1059.0065
Linux: Netcat Process Activity ExecutionT1059.0047
Linux: socat Process Activity ExecutionT1059.0047
Linux: strace Process Activity none7
MS 365 Defender: Suspicious PowerShell command line Execution AlertExecutionT1059.0017
Malicious PowerShell Tool: PSAttack DetectedExecutionT1059.0019
PowerShell Commandlet of Well Known Exploitation Framework DetectedExecutionT1059.0019
PowerShell Downgrade Attack DetectedLateral MovementT12108
PowerShell Script Detected Calling a Credential PromptExecutionT1059.0019
Shellshock Expression in Log Files Executionnone9
Suspicious Linux SSHD Errors Executionnone7
Suspicious Linux VSFTPD ErrorsExecutionnone7
Suspicious Linux log entries Executionnone7
Unapproved File ExecutionExecutionnone8
Windows process communicating outbound to unusual portsExecutionT11296
Windows: Active Directory Kerberos DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Active Directory Parsing DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Amsi.DLL Load By Uncommon ProcessImpactT14903
Windows: Application Removed Via Wmic.EXEExecutionT10475
Windows: Arbitrary Shell Command Execution Via Settingcontent-MsInitial AccessT1566.0015
Windows: Audit CVE EventImpactT1499.0049
Windows: Boot Configuration Tampering Via Bcdedit.EXEImpactT14907
Windows: CLR DLL Loaded Via Office ApplicationsExecutionT1204.0025
Windows: CMSTP Execution Process AccessExecutionT1559.0017
Windows: CVE-2021-26858 Exchange ExploitationExecutionT12037
Windows: CVE-2021-31979 CVE-2021-33771 Exploits by SourgumExecutionT12039
Windows: CVE-2022-24527 Microsoft Connected Cache LPEExecutionT1059.0017
Windows: Change PowerShell Policies to an Insecure LevelExecutionT1059.0015
Windows: Cmd.EXE Missing Space Characters Execution AnomalyExecutionT1059.0017
Windows: Cobalt Strike Load by Rundll32Defense EvasionT1218.0117
Windows: CobaltStrike BOF Injection PatternDefense EvasionT1562.0017
Windows: Conhost.exe CommandLine Path TraversalExecutionT1059.0037
Windows: ConvertTo-SecureString Cmdlet Usage Via CommandLineExecutionT1059.0015
Windows: Copy From VolumeShadowCopy Via Cmd.EXEImpactT14907
Windows: Created Files by Office ApplicationsExecutionT1204.0027
Windows: Creation In User Word Statup FolderResource DevelopmentT1587.0015
Windows: Creation of an Executable by an ExecutableResource DevelopmentT1587.0013
Windows: Detection of PowerShell Execution via Sqlps.exeExecutionT1059.0015
Windows: Direct Syscall of NtOpenProcessExecutionT11067
Windows: Dllhost Internet ConnectionExecutionT1559.0015
Windows: DotNET Assembly DLL Loaded Via Office ApplicationExecutionT1204.0025
Windows: Equation Editor Network ConnectionExecutionT12037
Windows: Excel Network ConnectionsExecutionT12035
Windows: Exchange PowerShell Snap-Ins UsageExecutionT1059.0017
Windows: Execute Code with Pester.batExecutionT1059.0015
Windows: Execution in Outlook Temp FolderInitial AccessT1566.0017
Windows: GAC DLL Loaded Via Office ApplicationsExecutionT1204.0027
Windows: HTML Help HH.EXE Suspicious Child ProcessInitial AccessT1566.0017
Windows: HandleKatz Duplicating LSASS HandleExecutionT11067
Windows: Hidden Powershell in Link File PatternExecutionT1059.0015
Windows: ISO File Created Within Temp FoldersInitial AccessT1566.0017
Windows: Impacket PsExec ExecutionLateral MovementT1021.0027
Windows: Import PowerShell Modules From Suspicious Directories - ProcCreationExecutionT1059.0015
Windows: Java Running with Remote DebuggingExecutionT12035
Windows: Jlaive Usage For Assembly Execution In-MemoryExecutionT1059.0035
Windows: LPE InstallerFileTakeOver PoC CVE-2021-41379Initial AccessT11907
Windows: LittleCorporal Generated Maldoc InjectionExecutionT1204.0027
Windows: Malicious Base64 Encoded PowerShell Keywords in Command LinesExecutionT1059.0017
Windows: Malicious Service InstallationsExecutionT1569.0029
Windows: Microsoft Excel Add-In LoadedExecutionT1204.0023
Windows: Microsoft VBA For Outlook Addin Loaded Via OutlookExecutionT1204.0027
Windows: NTFS Vulnerability ExploitationImpactT1499.0017
Windows: Network Communication With Crypto Mining PoolImpactT14967
Windows: New Process Created Via Wmic.EXEExecutionT10475
Windows: Node Process ExecutionsExecutionT1059.0075
Windows: Non Interactive PowerShell Process SpawnedExecutionT1059.0013
Windows: Office Macro File CreationInitial AccessT1566.0013
Windows: Office Macro File Creation From Suspicious ProcessInitial AccessT1566.0017
Windows: Office Macro File DownloadInitial AccessT1566.0015
Windows: Operator Bloopers Cobalt Strike CommandsExecutionT1059.0037
Windows: Operator Bloopers Cobalt Strike ModulesExecutionT1059.0037
Windows: PAExec Service InstallationExecutionT1569.0025
Windows: PSEXEC Remote Execution File ArtefactLateral MovementT15707
Windows: PUA - CsExec ExecutionResource DevelopmentT1587.0017
Windows: PUA - NSudo ExecutionExecutionT1569.0027
Windows: PUA - NirCmd ExecutionExecutionT1569.0025
Windows: PUA - NirCmd Execution As LOCAL SYSTEMExecutionT1569.0027
Windows: PUA - RunXCmd ExecutionExecutionT1569.0027
Windows: Persistence and Execution at Scale via GPO Scheduled TaskExecutionT1053.0057
Windows: Possible Process Hollowing Image Loading Defense EvasionT1574.0027
Windows: Potential CommandLine Path Traversal Via Cmd.EXEExecutionT1059.0037
Windows: Potential Encoded PowerShell Patterns In CommandLineExecutionT1059.0013
Windows: Potential Execution of Sysinternals ToolsResource DevelopmentT1588.0023
Windows: Potential Persistence Via Microsoft Compatibility AppraiserExecutionT1053.0055
Windows: Potential Persistence Via Powershell Search Order Hijacking - TaskExecutionT1059.0017
Windows: Potential PowerShell Downgrade AttackExecutionT1059.0015
Windows: Potential Powershell ReverseShell ConnectionExecutionT1059.0017
Windows: Potential Privilege Escalation To LOCAL SYSTEMResource DevelopmentT1587.0017
Windows: Potential PsExec Remote ExecutionResource DevelopmentT1587.0017
Windows: Potential WinAPI Calls Via CommandLineExecutionT11067
Windows: PowerShell Base64 Encoded IEX CmdletExecutionT1059.0017
Windows: PowerShell Base64 Encoded Invoke KeywordExecutionT1059.0017
Windows: PowerShell Base64 Encoded Reflective Assembly LoadExecutionT1059.0017
Windows: PowerShell Base64 Encoded WMI ClassesExecutionT1059.0017
Windows: PowerShell Core DLL Loaded By Non PowerShell ProcessExecutionT1059.0015
Windows: PowerShell Network ConnectionsExecutionT1059.0013
Windows: PowerShell Script Run in AppDataExecutionT1059.0015
Windows: PowerShell Scripts Installed as ServicesExecutionT1569.0027
Windows: PowerShell Scripts Run by a ServicesExecutionT1569.0027
Windows: PsExec/PAExec Escalation to LOCAL SYSTEMResource DevelopmentT1587.0017
Windows: Read Contents From Stdin Via Cmd.EXEExecutionT1059.0035
Windows: Regsvr32 DNS ActivityExecutionT1559.0017
Windows: Regsvr32 Network ActivityExecutionT1559.0017
Windows: Remote Access Tool - ScreenConnect Suspicious ExecutionInitial AccessT11337
Windows: Remote PowerShell Session Host Process WinRM ExecutionT1059.0015
Windows: Remote PowerShell Session Network ExecutionT1059.0017
Windows: Remote PowerShell Sessions ExecutionT1059.0017
Windows: Remote Task Creation via ATSVC Named PipeExecutionT1053.0025
Windows: Renamed PAExec ExecutionDefense EvasionT12027
Windows: Renamed SysInternals DebugView ExecutionResource DevelopmentT1588.0027
Windows: Renamed Sysinternals Sdelete ExecutionImpactT14857
Windows: Restricted Software Access By SRPExecutionT10727
Windows: SQL Client Tools PowerShell Session DetectionExecutionT1059.0015
Windows: Scheduled Task CreationExecutionT1053.0053
Windows: Scheduled Task DeletionExecutionT1053.0053
Windows: Scheduled Task Executing Powershell Encoded Payload from RegistryExecutionT1059.0017
Windows: Schtasks Creation Or Modification With SYSTEM PrivilegesExecutionT1053.0057
Windows: Schtasks From Suspicious FoldersExecutionT1053.0057
Windows: Script Event Consumer Spawning ProcessExecutionT10477
Windows: Service Started/Stopped Via Wmic.EXEExecutionT10475
Windows: Sliver C2 Default Service InstallationExecutionT1569.0027
Windows: Start Windows Service Via Net.EXEExecutionT1569.0023
Windows: Suspicious Add Scheduled Command PatternExecutionT1053.0057
Windows: Suspicious Add Scheduled Task ParentExecutionT1053.0055
Windows: Suspicious Binary In User Directory Spawned From Office ApplicationExecutionT1204.0027
Windows: Suspicious Cobalt Strike DNS BeaconingCommand And ControlT1071.0049
Windows: Suspicious Csi.exe UsageExecutionT10725
Windows: Suspicious Double Extension File ExecutionInitial AccessT1566.0019
Windows: Suspicious Encoded PowerShell Command LineExecutionT1059.0017
Windows: Suspicious Execution of Powershell with Base64ExecutionT1059.0015
Windows: Suspicious File Characteristics Due to Missing FieldsExecutionT1059.0065
Windows: Suspicious File Execution From Internet Hosted WebDav ShareExecutionT1059.0017
Windows: Suspicious HH.EXE ExecutionInitial AccessT1566.0017
Windows: Suspicious HWP Sub ProcessesInitial AccessT1566.0017
Windows: Suspicious Microsoft OneNote Child ProcessInitial AccessT1566.0017
Windows: Suspicious Modification Of Scheduled TasksExecutionT1053.0057
Windows: Suspicious Mshta.EXE Execution PatternsExecutionT11067
Windows: Suspicious Outlook Child ProcessExecutionT1204.0027
Windows: Suspicious PowerShell Download and Execute PatternExecutionT1059.0017
Windows: Suspicious PowerShell Encoded Command PatternsExecutionT1059.0017
Windows: Suspicious PowerShell Invocation From Script EnginesExecutionT1059.0015
Windows: Suspicious PowerShell Parameter SubstringExecutionT1059.0017
Windows: Suspicious PowerShell Parent ProcessExecutionT1059.0017
Windows: Suspicious Process Created Via Wmic.EXEExecutionT10477
Windows: Suspicious Processes Spawned by WinRMInitial AccessT11907
Windows: Suspicious Reg Add BitLockerImpactT14867
Windows: Suspicious Scheduled Task CreationExecutionT1053.0057
Windows: Suspicious Scheduled Task Creation Involving Temp FolderExecutionT1053.0057
Windows: Suspicious Scheduled Task Creation via Masqueraded XML FileExecutionT1053.0055
Windows: Suspicious Scheduled Task Name As GUIDExecutionT1053.0055
Windows: Suspicious Scheduled Task UpdateExecutionT1053.0057
Windows: Suspicious Schtasks From Env Var FolderExecutionT1053.0057
Windows: Suspicious Schtasks Schedule Type With High PrivilegesExecutionT1053.0055
Windows: Suspicious Schtasks Schedule TypesExecutionT1053.0057
Windows: Suspicious Volume Shadow Copy VSS-PS.dll LoadImpactT14907
Windows: Suspicious Volume Shadow Copy Vssapi.dll LoadImpactT14907
Windows: Suspicious Volume Shadow Copy Vsstrace.dll LoadImpactT14907
Windows: Suspicious WSMAN Provider Image LoadsExecutionT1059.0015
Windows: T1047 Wmiprvse Wbemcomn DLL HijackExecutionT10477
Windows: Unusual Child Process of dns.exeInitial AccessT11337
Windows: Usage Of Web Request Commands And CmdletsExecutionT1059.0015
Windows: Use Radmin Viewer UtilityExecutionT10727
Windows: VBA DLL Loaded Via Office ApplicationExecutionT1204.0027
Windows: VHD Image Download Via BrowserResource DevelopmentT1587.0015
Windows: WMI Modules LoadedExecutionT10471
Windows: WMIC Remote Command ExecutionExecutionT10475
Windows: WSF/JSE/JS/VBA/VBE File ExecutionExecutionT1059.0075
Windows: WScript or CScript DropperExecutionT1059.0077
Windows: WinDbg/CDB LOLBIN UsageExecutionT11065
Windows: Windows Registry Trust Record ModificationInitial AccessT1566.0015
Windows: Windows Shell/Scripting Processes Spawning Suspicious ProgramsExecutionT1059.0057
Windows: WmiPrvSE Spawned A ProcessExecutionT10475
Windows: Wmiexec Default Output FileExecutionT10479
Windows: Wmiprvse Wbemcomn DLL Hijack: SysmonExecutionT10479
Windows: Wmiprvse Wbemcomn DLL Hijack: Sysmon V2ExecutionT10477

Credential Harvesting

Name Tactic Technique Severity
ARP ExploitCredential AccessT1557.0027
AWS Access Secret in Secrets Manager Credential AccessT15287
AWS IAM Password Recovery Requested Initial AccessT1078.0049
AWS SecHub: Tactics: Credential Access DetectedCredential Accessnone8
Crowdstrike: Credential Theft DetectedCredential Accessnone8
CyberArk Vault Blocked OperationsCredential Accessnone8
CyberArk Vault Excessive Failed PSM ConnectionsCredential Accessnone8
CyberArk Vault Excessive ImpersonationsCredential Accessnone8
CyberArk Vault Excessive PSM Keystroke Logging FailureCredential Accessnone8
CyberArk Vault Excessive PSM Session Monitoring FailureCredential AccessT1110.0018
CyberArk Vault Excessive Password Release FailureCredential AccessT1110.0018
CyberArk Vault File Operation FailureCredential Accessnone8
CyberArk Vault Object Content Validation FailureCredential Accessnone8
CyberArk Vault Unauthorized User StationsCredential Accessnone8
Identity Spoofing ExploitCredential AccessT1557.0027
Linux: Network Sniffing via Tcpdump Credential AccessT10405
Linux: Searching for Passwords in Files Credential AccessT1552.0015
MS 365 Defender: LSASS Memory - Credential Access AlertCredential AccessT1003.0019
MS 365 Defender: OS Credential Dumping - Suspicious Activity AlertCredential AccessT1003.0079
Possible Consent Grant Attack via Azure-Registered Application Credential AccessT15287
Replay ExploitCredential AccessT1557.0027
Session Hijacking ExploitCredential AccessT1557.0027
Windows: Active Directory Database Snapshot Via ADExplorerCredential AccessT1552.0015
Windows: Active Directory Replication from Non Machine AccountCredential AccessT1003.0069
Windows: Automated Collection Command PromptCredential AccessT1552.0015
Windows: Copying Sensitive Files with Credential DataCredential AccessT1003.0037
Windows: CrackMapExec File Creation PatternsCredential AccessT1003.0017
Windows: CreateDump Process DumpCredential AccessT1003.0017
Windows: Cred Dump Tools Dropped FilesCredential AccessT1003.0057
Windows: Credential Dumping Tools Accessing LSASS MemoryCredential AccessT1003.0017
Windows: Credential Dumping Tools Service ExecutionExecutionT1569.0029
Windows: Credential Dumping Tools Service Execution - SecurityExecutionT1569.0027
Windows: Credential Dumping Tools Service Execution - SystemExecutionT1569.0027
Windows: Credential Dumping by LaZagneCredential AccessT1003.0019
Windows: Credential Dumping by PypykatzCredential AccessT1003.0019
Windows: DPAPI Domain Backup Key ExtractionCredential AccessT1003.0047
Windows: DPAPI Domain Master Key Backup AttemptCredential AccessT1003.0045
Windows: Dropping Of Password Filter DLLCredential AccessT1556.0025
Windows: DumpMinitool ExecutionCredential AccessT1003.0015
Windows: Dumping Process via Sqldumper.exeCredential AccessT1003.0015
Windows: Dumping of Sensitive Hives Via Reg.EXECredential AccessT1003.0057
Windows: Enumeration for 3rd Party Creds From CLICredential AccessT1552.0025
Windows: Enumeration for Credentials in RegistryCredential AccessT1552.0025
Windows: Esentutl Gather CredentialsCredential AccessT1003.0035
Windows: Esentutl Steals Browser InformationCollectionT10055
Windows: Esentutl Volume Shadow Copy Service KeysCredential AccessT1003.0027
Windows: Failed to execute Privileged Service LsaRegisterLogonProcessCredential AccessT1558.0037
Windows: Findstr GPP PasswordsCredential AccessT1552.0067
Windows: Findstr LSASSCredential AccessT1552.0067
Windows: Generic Password Dumper Activity on LSASSCredential AccessT1003.0017
Windows: HackTool - CrackMapExec Process PatternsCredential AccessT1003.0017
Windows: HackTool - CreateMiniDump ExecutionCredential AccessT1003.0017
Windows: HackTool - Dumpert Process Dumper Default FileCredential AccessT1003.0019
Windows: HackTool - Dumpert Process Dumper ExecutionCredential AccessT1003.0019
Windows: HackTool - HandleKatz LSASS Dumper ExecutionCredential AccessT1003.0017
Windows: HackTool - Inveigh ExecutionCredential AccessT1003.0019
Windows: HackTool - KrbRelay ExecutionCredential AccessT1558.0037
Windows: HackTool - KrbRelayUp ExecutionCredential AccessT1558.0037
Windows: HackTool - Mimikatz ExecutionCredential AccessT1003.0067
Windows: HackTool - Quarks PwDump ExecutionCredential AccessT1003.0027
Windows: HackTool - Rubeus ExecutionCredential AccessT1558.0039
Windows: HackTool - SafetyKatz ExecutionCredential AccessT1003.0019
Windows: HackTool - Windows Credential Editor WCE ExecutionCredential AccessT1003.0019
Windows: Harvesting Of Wifi Credentials Via Netsh.EXECredential AccessT10405
Windows: Hijack Legit RDP Session to Move Laterally Credential AccessT1557.0027
Windows: Hydra Password Guessing Hack ToolCredential AccessT1110.0017
Windows: Invocation of Active Directory Diagnostic Tool ntdsutil.exe Credential AccessT1003.0035
Windows: Kerberos ManipulationCredential AccessT12127
Windows: LSASS Access From Program in Potentially Suspicious FolderCredential AccessT1003.0015
Windows: LSASS Access from Non System AccountCredential AccessT1003.0017
Windows: LSASS Access from White-Listed ProcessesCredential AccessT1003.0017
Windows: LSASS Memory Access by Tool Named DumpCredential AccessT1003.0017
Windows: LSASS Memory DumpCredential AccessT1003.0017
Windows: LSASS Memory Dump File CreationCredential AccessT1003.0017
Windows: LSASS Memory DumpingCredential AccessT1003.0017
Windows: LSASS Process Dump Artefact In CrashDumps FolderCredential AccessT1003.0017
Windows: LSASS Process Memory Dump FilesCredential AccessT1003.0017
Windows: Load Of Dbghelp/Dbgcore DLL From Suspicious ProcessCredential AccessT1003.0017
Windows: Lsass Memory Dump via Comsvcs DLLCredential AccessT1003.0019
Windows: Microsoft IIS Service Account Password DumpedPersistencenone7
Windows: Mimikatz DC SyncCredential AccessT1003.0067
Windows: Mimikatz through Windows Remote ManagementExecutionT1059.0017
Windows: NTDS.DIT CreatedCredential AccessT1003.0033
Windows: NTDS.DIT Creation By Uncommon Parent ProcessCredential AccessT1003.0037
Windows: NTDS.DIT Creation By Uncommon ProcessCredential AccessT1003.0037
Windows: New Generic Credentials Added Via Cmdkey.EXECredential AccessT1003.0055
Windows: New Network Trace Capture Started Via Netsh.EXECredential AccessT10405
Windows: PUA - DIT Snapshot ViewerCredential AccessT1003.0037
Windows: PUA - WebBrowserPassView ExecutionCredential AccessT1555.0035
Windows: Password Cracking with HashcatCredential AccessT1110.0027
Windows: Password Dumper Activity on LSASSCredential AccessT1003.0017
Windows: Password Protected Compressed File Extraction Via 7ZipCollectionT1560.0015
Windows: Permission Misconfiguration Reconnaissance Via Findstr.EXECredential AccessT1552.0065
Windows: PetitPotam Suspicious Kerberos TGT RequestCredential AccessT11877
Windows: Possible Impacket SecretDump Remote ActivityCredential AccessT1003.0047
Windows: Possible PetitPotam Coerce Authentication AttemptCredential AccessT11877
Windows: Potential Browser Data StealingCredential AccessT1555.0035
Windows: Potential CVE-2021-42287 Exploitation AttemptCredential AccessT1558.0035
Windows: Potential Credential Dumping Attempt Via PowerShellCredential AccessT1003.0017
Windows: Potential Credential Dumping Via WERCredential AccessT1003.0017
Windows: Potential Credential Dumping Via WER - ApplicationCredential AccessT1003.0017
Windows: Potential LSASS Process Dump Via ProcdumpCredential AccessT1003.0017
Windows: Potential Network Sniffing Activity Using Network ToolsCredential AccessT10405
Windows: Potential Reconnaissance For Cached Credentials Via Cmdkey.EXECredential AccessT1003.0057
Windows: Potential SAM Database DumpCredential AccessT1003.0027
Windows: Potential SPN Enumeration Via Setspn.EXECredential AccessT1558.0035
Windows: PowerShell Get-Process LSASSCredential AccessT1552.0047
Windows: PowerShell SAM CopyCredential AccessT1003.0027
Windows: Private Keys Reconnaissance Via CommandLine ToolsCredential AccessT1552.0045
Windows: Procdump EvasionCredential AccessT1003.0017
Windows: Procdump ExecutionCredential AccessT1003.0015
Windows: Process Dumping Via Comsvcs.DLLCredential AccessT1003.0017
Windows: Process Memory Dump via RdrLeakDiag.EXECredential AccessT1003.0017
Windows: QuarksPwDump Clearing Access HistoryCredential AccessT1003.0029
Windows: QuarksPwDump Dump FileCredential AccessT1003.0029
Windows: Rare GrantedAccess Flags on LSASS AccessCredential AccessT1003.0015
Windows: Register new Logon Process by Rubeus Credential AccessT1558.0039
Windows: Registry Parse with PypykatzCredential AccessT1003.0027
Windows: Renamed BrowserCore.EXE ExecutionCredential AccessT15287
Windows: Renamed CreateDump Utility ExecutionCredential AccessT1003.0017
Windows: SAM Dump to AppDataCredential AccessT1003.0027
Windows: SAM Registry Hive Handle Request Credential AccessT1012,T1552.0029
Windows: SQLite Chromium Profile Data DB AccessCredential AccessT1555.0037
Windows: SQLite Firefox Profile Data DB AccessCredential AccessT15397
Windows: SVCHOST Credential DumpPersistencenone7
Windows: SafetyKatz Default Dump FilenameCredential AccessT1003.0017
Windows: Sensitive Registry Access via Volume Shadow CopyImpactT14907
Windows: Shadow Copies Creation Using Operating Systems UtilitiesCredential AccessT1003.0035
Windows: SilentProcessExit Monitor Registration for LSASSCredential AccessT1003.0079
Windows: Suspicious Active Directory Database Snapshot Via ADExplorerCredential AccessT1552.0017
Windows: Suspicious Command With Teams Objects PathsCredential AccessT15287
Windows: Suspicious Dump64.exe ExecutionCredential AccessT1003.0017
Windows: Suspicious File Event With Teams ObjectsCredential AccessT15287
Windows: Suspicious GrantedAccess Flags on LSASS AccessCredential AccessT1003.0017
Windows: Suspicious Kerberos RC4 Ticket EncryptionCredential AccessT1558.0035
Windows: Suspicious Key Manager AccessCredential AccessT1555.0047
Windows: Suspicious LSASS Access Via MalSecLogonCredential AccessT1003.0017
Windows: Suspicious LSASS Process CloneCredential AccessT1003.0019
Windows: Suspicious NTDS Exfil Filename PatternsCredential AccessT1003.0037
Windows: Suspicious NTLM Authentication on the Printer Spooler ServiceCredential AccessT12127
Windows: Suspicious Office Token Search Via CLICredential AccessT15285
Windows: Suspicious PFX File CreationCredential AccessT1552.0045
Windows: Suspicious Process Patterns NTDS.DIT ExfilCredential AccessT1003.0037
Windows: Suspicious Rejected SMB Guest Logon From IPCredential AccessT1110.0015
Windows: Suspicious Renamed Comsvcs DLL Loaded By Rundll32Credential AccessT1003.0017
Windows: Suspicious SYSVOL Domain Group Policy AccessCredential AccessT1552.0065
Windows: Suspicious Teams Application Related ObjectAcess EventCredential AccessT15287
Windows: Suspicious Unattend.xml File AccessCredential AccessT1552.0015
Windows: Suspicious Unsigned Dbghelp/Dbgcore DLL LoadedCredential AccessT1003.0017
Windows: Suspicious Usage Of Active Directory Diagnostic Tool ntdsutil.exe Credential AccessT1003.0035
Windows: Time Travel Debugging Utility Usage: Sysmon V1Credential AccessT1003.0017
Windows: Time Travel Debugging Utility Usage: Sysmon V2Credential AccessT1003.0017
Windows: Transferring Files with Credential Data via Network Shares Credential AccessT1003.001,T1003.002,T1003.0035
Windows: Typical HiveNightmare SAM File ExportCredential AccessT1552.0017
Windows: UIPromptForCredentials DLLsCollectionT1056.0025
Windows: Unsigned Image Loaded Into LSASS Process Credential AccessT1003.0015
Windows: Use of Adplus.exeCredential AccessT1003.0015
Windows: Use of PktMon.exeCredential AccessT10405
Windows: VSSAudit Security Event Source RegistrationCredential AccessT1003.0021
Windows: VeeamBackup Database Credentials DumpCollectionT10057
Windows: Volume Shadow Copy MountCredential AccessT1003.0023
Windows: VolumeShadowCopy Symlink Creation Via MklinkCredential AccessT1003.0037
Windows: WerFault Accessing LSASSCredential AccessT1003.0017
Windows: WerFault LSASS Process Memory DumpCredential AccessT1003.0017
Windows: Windows Credential Editor Install Via Registry Credential AccessT1003.0019
Windows: Windows Credential Manager Access via VaultCmdCredential AccessT1555.0045
Windows: Windows Pcap DriversCredential AccessT10405
Windows: XORDump UseCredential AccessT1003.0017
Wireless MITM attack detected by Network IPSCredential AccessT1557.0029

Credential Theft

Name Tactic Technique Severity
Concurrent Failed Authentications To Same Account From Multiple CitiesCredential AccessT1110.0017
Concurrent Failed Authentications To Same Account From Multiple CountriesCredential AccessT1110.0019
Concurrent Successful Authentications To Same Account From Multiple CitiesCredential AccessT1110.0017
Concurrent Successful Authentications To Same Account From Multiple CountriesCredential AccessT1110.0019
Concurrent Successful VPN Authentications To Same Account From Different CountriesCredential AccessT1110.0019
Sudden User Location ChangeCredential Accessnone9
Sudden User Login Pattern Change Behavioral Anomalynone7

Notable Activity

Name Tactic Technique Severity
Linux: Creation of Kernel Module PersistenceT1547.0065
Linux: Creation or Modification of Systemd Service PersistenceT1543.0025
Linux: Job Schedule ModificationPersistenceT1053.0035
Linux: Kernel Module Modification PersistenceT1547.0067
Linux: Modifications of .bash-profile and .bashrc PersistenceT1546.0047
Linux: Scheduled Job ExecutionPersistenceT1053.0035
UEBA Policy detects MTP read UEBAnone7
UEBA Policy detects MTP write UEBAnone7
UEBA Policy detects NFS read UEBAnone7
UEBA Policy detects backup applications UEBAnone7
UEBA Policy detects browser download UEBAnone7
UEBA Policy detects browser upload UEBAnone7
UEBA Policy detects file printed UEBAnone7
UEBA Policy detects files copied over remote desktop UEBAT10147
UEBA Policy detects gaming application UEBAnone7
UEBA Policy detects nfs write UEBAnone7
UEBA Policy detects potential leaver editing a CV at work UEBAnone7
UEBA Policy detects removable media read UEBAT10257
UEBA Policy detects removable media write UEBAT10257
UEBA Policy detects software installation UEBAnone7
Windows failed file accessCollectionT1005,T1565.0017
Windows successful file accessCollectionT1005,T1565.0015

Notable File Change

Name Tactic Technique Severity
Agent FIM: Linux Directory Ownership or Permission Changed Defense EvasionT1222.002,T1565.0017
Agent FIM: Linux File Changed From BaselineDefense EvasionT1070.004,T1565.0017
Agent FIM: Linux File Content Modified Defense EvasionT1070.004,T1565.0017
Agent FIM: Linux File Ownership or Permission Changed Defense EvasionT1222.002,T1565.0019
Agent FIM: Linux File or Directory CreatedCollectionT1074.001,T1565.0017
Agent FIM: Linux File or Directory DeletedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Changed From BaselineDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Content ModifiedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Ownership ChangedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File Permission ChangedDefense EvasionT1222.001,T1565.0017
Agent FIM: Windows File or Directory Archive Bit ChangedDefense EvasionT1070.004,T1565.0017
Agent FIM: Windows File or Directory CreatedCollectionT1074.001,T1565.0017
Agent FIM: Windows File or Directory DeletedDefense EvasionT1070.004,T1565.0017
Agentless FIM: Audited file or directory createdCollectionT1074.001,T1565.0018
Agentless FIM: Audited file or directory deletedDefense EvasionT1070.004,T1565.0018
Agentless FIM: Audited file or directory ownership or permission changed Defense EvasionT1222.002,T1565.0019
Agentless FIM: Audited target file content modifiedDefense EvasionT1070.004,T1565.0018
Audited file or directory content modified in SVNDefense EvasionT1070.004,T1565.0018

Privilege Escalation

Name Tactic Technique Severity
AWS SecHub: Tactics: Privilege Escalation DetectedPrivilege EscalationT1548.0029
Crowdstrike: Authentication BypassPrivilege Escalationnone8
Crowdstrike: Privilege Escalation Privilege EscalationT1548.0048
Linux Buffer overflow Privilege EscalationT1547.0099
Linux: Setgid Bit Set via chmod Privilege EscalationT1548.0017
Linux: Setuid Bit Set via chmod Privilege EscalationT1548.0017
Linux: Trap Signals Usage Privilege EscalationT1546.0055
Privilege Escalation ExploitsPrivilege EscalationT1548.0047
Windows Debugger registry key for common Windows accessibility toolsPrivilege EscalationT1574.0028
Windows: Addition of SID History to Active Directory Object Privilege EscalationT1134.0055
Windows: Bypass UAC via Fodhelper.exe Privilege EscalationT1548.0027
Windows: InstallerFileTakeOver LPE CVE-2021-41379 File Create EventPrivilege EscalationT10689
Windows: Interactive AT JobExecutionT1053.0027
Windows: Notepad Making Network Connection Privilege EscalationT1055.0027
Windows: Process Explorer Driver Creation By Non-Sysinternals BinaryPrivilege EscalationT10687
Windows: Process Monitor Driver Creation By Non-Sysinternals BinaryPrivilege EscalationT10685
Windows: Usage Of Malicious POORTRY Signed DriverPrivilege EscalationT10687
Windows: Vulnerable Dell BIOS Update Driver LoadPrivilege EscalationT10687

Suspicious Collection Activity

Name Tactic Technique Severity
AWS SecHub: Tactics: Collection DetectedCollectionnone8
FortiRecon: Leaked Credit or Debit Cards Found OnlineCollectionT11199
Linux: Creation of an Archive with Common Archivers CollectionT1074.0015
UEBA Policy detects email download CollectionT1114.0017
UEBA Policy detects email upload CollectionT1114.0017
UEBA Policy detects encryption tools UEBAnone7
UEBA Policy detects file archiver application CollectionT1560.0017
UEBA Policy detects snipping tool UEBAnone7
Windows Removable Media InsertsCollectionT10257
Windows: 7Zip Compressing Dump FilesCollectionT1560.0017
Windows: Audio Capture via PowerShellCollectionT11235
Windows: Audio Capture via SoundRecorderCollectionT11235
Windows: Browser Started with Remote DebuggingCollectionT11855
Windows: Compress Data and Lock With Password for Exfiltration With 7-ZIPCollectionT1560.0015
Windows: Copy from Admin ShareCollectionT10397
Windows: Data Compressed - rar.exe CollectionT1560.0013
Windows: Local Privilege Escalation Indicator TabTipCollectionT1557.0017
Windows: PUA - Mouse Lock ExecutionCollectionT1056.0025
Windows: Potential Data Stealing Via Chromium Headless DebuggingCollectionT11857
Windows: Potential SMB Relay Attack Tool ExecutionCollectionT1557.0019
Windows: PowerShell Get-Clipboard Cmdlet Via CLICollectionT11155
Windows: Processes Accessing the Microphone and WebcamCollectionT11235
Windows: Psr.exe Capture ScreenshotsCollectionT11135
Windows: Rar Usage with Password and Compression LevelCollectionT1560.0017
Windows: Recon Information for Export with Command PromptCollectionT11195
Windows: RottenPotato Like Attack PatternCollectionT1557.0017
Windows: Suspicious Access to Sensitive File Extensions CollectionT10395
Windows: Suspicious Camera and Microphone AccessCollectionT11257
Windows: Suspicious Compression Tool Parameters CollectionT1560.0017
Windows: Suspicious Manipulation Of Default Accounts Via Net.EXECollectionT1560.0017
Windows: System Drawing DLL LoadCollectionT11133
Windows: Use of CLIPCollectionT11153
Windows: Veeam Backup Database Suspicious QueryCollectionT10055
Windows: Winrar Compressing Dump FilesCollectionT1560.0017
Windows: Winrar Execution in Non-Standard FolderCollectionT1560.0017
Windows: Zip A Folder With PowerShell For Staging In TempCollectionT1074.0015

Lateral Movement

Name Tactic Technique Severity
AWS SecHub: Tactics: Lateral Movement DetectedLateral Movementnone8
FortiSandbox detects multiple attacks from same sourceLateral Movementnone9
Lateral Movement DetectedLateral Movementnone9
Linux: Remote Terminal Session StartedLateral MovementT1021.0045
Virus outbreakLateral Movementnone9
Windows: Access to ADMIN$ ShareLateral MovementT1021.0023
Windows: DCERPC SMB Spoolss Named PipeLateral MovementT1021.0025
Windows: DCOM Internet Explorer.Application Iertutil DLL Hijack: Security LogLateral MovementT1021.0037
Windows: First Time Seen Remote Named PipeLateral MovementT1021.0027
Windows: HackTool - Potential Impacket Lateral Movement ActivityExecutionT10477
Windows: MMC Spawning Windows ShellLateral MovementT1021.0037
Windows: MMC20 Lateral Movement Lateral MovementT1021.0037
Windows: Metasploit SMB AuthenticationLateral MovementT1021.0027
Windows: New Remote Desktop Connection Initiated Via Mstsc.EXELateral MovementT1021.0015
Windows: OpenSSH Server Listening On SocketLateral MovementT1021.0045
Windows: Pass the Hash Activity 2Defense EvasionT1550.0025
Windows: Possible Exploitation of Exchange RCE CVE-2021-42321Lateral MovementT12107
Windows: Potential DCOM InternetExplorer.Application DLL HijackLateral MovementT1021.0039
Windows: Potential DCOM InternetExplorer.Application DLL Hijack - Image LoadLateral MovementT1021.0039
Windows: Potential MSTSC Shadowing ActivityLateral MovementT1563.0027
Windows: Potential RDP Exploit CVE-2019-0708Lateral MovementT12105
Windows: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShellExecutionT1059.0015
Windows: Protected Storage Service AccessLateral MovementT1021.0027
Windows: Remote Service Activity via SVCCTL Named PipeLateral MovementT1021.0025
Windows: Rundll32 Execution Without ParametersLateral MovementT15707
Windows: SMB Create Remote File Admin ShareLateral MovementT1021.0027
Windows: Scanner PoC for CVE-2019-0708 RDP RCE Vuln Lateral MovementT12109
Windows: Successful Overpass the Hash AttemptDefense EvasionT1550.0027
Windows: Suspicious RDP Redirect Using TSCONLateral MovementT1563.0027
Windows: Suspicious UltraVNC ExecutionLateral MovementT1021.0057
Windows: Terminal Service Process SpawnLateral MovementT12107
Windows: WCE wceaux dll Access Lateral MovementT1550.0029
Windows: WinRM Access with Evil-WinRMLateral MovementT1021.0065
Windows: Windows Admin Share Mount Via Net.EXELateral MovementT1021.0025
Windows: Windows Internet Hosted WebDav Share Mount Via Net.EXELateral MovementT1021.0027
Windows: Windows Share Mount Via Net.EXELateral MovementT1021.0023
Windows: smbexec.py Service Installation Lateral MovementT1021.002,T1569.002,T1021.0029

Command and Control

Name Tactic Technique Severity
AWS SecHub: Tactics: Command-and-Control DetectedCommand and Controlnone8
Crowdstrike: User Compromise Command and Controlnone8
Linux: Mknod Process Activity Command And ControlT1071.0047
MS 365 Defender: Ingress Tool Transfer AlertCommand And ControlT11057
UEBA Policy detects Tor client usage Command And ControlT1090.0027
Windows Torrent ClientCommand And ControlT1090.0027
Windows: AppInstaller Attempts From URL by DNSCommand And ControlT11055
Windows: Atera Agent InstallationCommand And ControlT12197
Windows: Command Line Execution with Suspicious URL and AppData StringsCommand And ControlT11055
Windows: Connection Initiated Via Certutil.EXECommand And ControlT11057
Windows: Curl Download And Execute CombinationCommand And ControlT11057
Windows: Curl.EXE ExecutionCommand And ControlT11053
Windows: Download Files Using Notepad GUP UtilityCommand And ControlT11057
Windows: Download a File with IMEWDBLD.exeCommand And ControlT11057
Windows: File Download Via Curl.EXECommand And ControlT11055
Windows: File Download with Headless BrowserCommand And ControlT11057
Windows: Finger.exe Suspicious InvocationCommand And ControlT11057
Windows: GfxDownloadWrapper.exe Downloads File from Suspicious URLCommand And ControlT11055
Windows: Gpg4Win Decrypt Files From Suspicious LocationsCommand And ControlT12195
Windows: Import LDAP Data Interchange Format File Via Ldifde.EXECommand And ControlT11055
Windows: Inveigh Execution ArtefactsCommand And ControlT12199
Windows: Mesh Agent Service InstallationCommand And ControlT12195
Windows: Microsoft Binary Suspicious Communication EndpointCommand And ControlT11057
Windows: Mstsc.EXE Execution With Local RDP FileCommand And ControlT12193
Windows: New Outlook Macro CreatedCommand And ControlT10085
Windows: PUA - 3Proxy ExecutionCommand And ControlT15727
Windows: PUA - Netcat Suspicious ExecutionCommand And ControlT10957
Windows: PUA - Ngrok ExecutionCommand And ControlT15727
Windows: PUA - Nimgrab ExecutionCommand And ControlT11057
Windows: Pandemic Registry KeyCommand And ControlT11059
Windows: Port Forwarding Attempt Via SSHCommand And ControlT15727
Windows: Potential Arbitrary File Download Via MSEdge.EXECommand And ControlT11055
Windows: Potential Dead Drop ResolversCommand And ControlT1102.0017
Windows: Potential Download/Upload Activity Using Type CommandCommand And ControlT11055
Windows: Potential SocGholish Second Stage C2 DNS QueryCommand And ControlT12197
Windows: PowerShell DownloadFile Command And ControlT1059.001,T1104,T11057
Windows: Powershell opening TCP ConnectionCommand and Controlnone7
Windows: Query Tor Onion AddressCommand And ControlT1090.0037
Windows: RDP to HTTP or HTTPS Target PortsCommand And ControlT15727
Windows: Remote File Download via Desktopimgdownldr UtilityCommand And ControlT11055
Windows: Replace.exe UsageCommand And ControlT11055
Windows: ScreenConnect Temporary Installation ArtefactCommand And ControlT12195
Windows: Script Initiated ConnectionCommand And ControlT11055
Windows: Script Initiated Connection to Non-Local NetworkCommand And ControlT11057
Windows: Suspicious ADSI-Cache Usage By Unknown ToolCommand And ControlT1001.0037
Windows: Suspicious Binary Writes Via AnyDeskCommand And ControlT12197
Windows: Suspicious Certreq Command to DownloadCommand And ControlT11057
Windows: Suspicious Curl Change User AgentsCommand And ControlT1071.0015
Windows: Suspicious Curl.EXE DownloadCommand And ControlT11057
Windows: Suspicious Desktopimgdownldr Command Command And ControlT11057
Windows: Suspicious Desktopimgdownldr Target FileCommand And ControlT11057
Windows: Suspicious Diantz Download and Compress Into a CAB FileCommand And ControlT11055
Windows: Suspicious Extrac32 ExecutionCommand And ControlT11055
Windows: Suspicious File Download Using Office ApplicationCommand And ControlT11057
Windows: Suspicious File Download via CertOC.exeCommand And ControlT11057
Windows: Suspicious Invoke-WebRequest ExecutionCommand And ControlT11057
Windows: Suspicious Invoke-WebRequest Execution With DirectIPCommand And ControlT11055
Windows: Suspicious LDAP-Attributes UsedCommand And ControlT1001.0037
Windows: Suspicious Mstsc.EXE Execution With Local RDP FileCommand And ControlT12197
Windows: Suspicious Outlook Macro CreatedCommand And ControlT10087
Windows: Suspicious Plink Port ForwardingCommand And ControlT15727
Windows: Suspicious Program Location with Network ConnectionsCommand And ControlT11057
Windows: Suspicious TSCON Start as SYSTEMCommand And ControlT12197
Windows: TacticalRMM Service InstallationCommand And ControlT12195
Windows: Tor Client or Tor Browser UseCommand And ControlT1090.0037
Windows: Windows Update Client LOLBINCommand And ControlT11057

Remote Access Software

Name Tactic Technique Severity
Windows: Anydesk Temporary ArtefactCommand And ControlT12195
Windows: GoToAssist Temporary Installation ArtefactCommand And ControlT12195
Windows: Installation of TeamViewer DesktopCommand And ControlT12195
Windows: PDQ Deploy Remote Adminstartion Tool ExecutionExecutionT10725
Windows: Remote Access Tool - AnyDesk ExecutionCommand And ControlT12195
Windows: Remote Access Tool - AnyDesk Piped Password Via CLICommand And ControlT12195
Windows: Remote Access Tool - AnyDesk Silent InstallationCommand And ControlT12197
Windows: Remote Access Tool - ScreenConnect Backstage Mode AnomalyCommand And ControlT12197
Windows: Remote Access Tool Services Have Been Installed - SecurityExecutionT1569.0025
Windows: Remote Access Tool Services Have Been Installed - SystemExecutionT1569.0025
Windows: Suspicious TeamViewer Domain AccessCommand And ControlT12195
Windows: TeamViewer Remote SessionCommand And ControlT12195
Windows: Use of GoToAssist Remote Access SoftwareCommand And ControlT12195
Windows: Use of LogMeIn Remote Access SoftwareCommand And ControlT12195
Windows: Use of ScreenConnect Remote Access SoftwareCommand And ControlT12195
Windows: Use of UltraVNC Remote Access SoftwareCommand And ControlT12195
Windows: Use of UltraViewer Remote Access SoftwareCommand And ControlT12195

Suspicious Persistence Activity

Name Tactic Technique Severity
AWS SecHub: Tactics: Persistence DetectedPersistencenone9
Azure Privilege Identity Management Role Modified PersistenceT1098.0017
Common Windows process launched by unusual parentPersistenceT1037.0018
Common Windows process launched from unusual pathPersistenceT1037.0018
Compromised Host Detected by Network IPSPersistencenone9
Crowdstrike: Establish Persistence Persistencenone8
Crowdstrike: Excessive suspicious activity on a hostPersistencenone8
Crowdstrike: Exploit Pivot Persistencenone8
Crowdstrike: Machine Learning Anomaly DetectedPersistencenone8
Crowdstrike: Malicious Document DetectedPersistencenone8
Crowdstrike: Server Compromise LikelyPersistencenone9
Crowdstrike: Suspicious Activity Persistencenone8
Crowdstrike: Suspicious Processes Terminated Persistencenone6
Cylance High Severity Threat Persistencenone9
Cylance Low Severity ThreatPersistencenone3
Cylance Medium Severity Threat Persistencenone7
Google Workspace: API Access Permitted for OAUTH ClientPersistenceT1098.0017
Linux: Potential Shell via Web Server PersistenceT1505.0037
MS 365 Defender: Persistence DetectedPersistencenone8
MS 365 Defender: Suspicious Activity DetectedPersistencenone7
MS 365 Defender: Suspicious Task Scheduler activity - Persistence AlertPersistenceT1053.0029
MS 365 Defender: Unwanted Software DetectedPersistencenone7
Windows: A Member Was Removed From a Security-Enabled Global GroupPersistencenone3
Windows: AADInternals PowerShell Cmdlets Execution - ProccessCreationPersistencenone7
Windows: ADCS Certificate Template Configuration VulnerabilityPersistencenone3
Windows: ADCS Certificate Template Configuration Vulnerability with Risky EKUPersistencenone7
Windows: AWL Bypass with Winrm.vbs and WsmPty.xsl/WsmTxt.xsl: SysmonPersistencenone5
Windows: AWL Bypass with Winrm.vbs and WsmPty.xsl/WsmTxt.xsl: Sysmon2Persistencenone5
Windows: Abused Debug Privilege by Arbitrary Parent ProcessesPersistencenone7
Windows: Abusing IEExec To Download PayloadsPersistencenone7
Windows: Abusing Print ExecutablePersistencenone5
Windows: Active Directory Structure Export Via Csvde.EXEPersistencenone5
Windows: Active Directory Structure Export Via Ldifde.EXEPersistencenone5
Windows: Active Directory User BackdoorsPersistencenone7
Windows: Add Insecure Download Source To WingetPersistencenone7
Windows: Add New Download Source To WingetPersistencenone5
Windows: Add Potential Suspicious New Download Source To WingetPersistencenone7
Windows: Add User to Local Administrators GroupPersistencenone5
Windows: Add Windows Capability Via PowerShell CmdletPersistencenone5
Windows: Add or Remove Computer from DCPersistencenone3
Windows: AgentExecutor PowerShell ExecutionPersistencenone5
Windows: Allow Service Access Using Security Descriptor Tampering Via Sc.EXEPersistenceT1543.0037
Windows: Anydesk Remote Access Software Service InstallationPersistencenone5
Windows: Application Whitelisting Bypass via Dxcap.exePersistencenone5
Windows: Application Whitelisting Bypass via PresentationHost.exePersistencenone5
Windows: Arbitrary Binary Execution Using GUP UtilityPersistencenone5
Windows: Arbitrary File Download Via MSPUB.EXEPersistencenone5
Windows: Arbitrary MSI Download Via Devinit.EXEPersistencenone5
Windows: Atbroker Registry ChangePersistencenone5
Windows: Base64 MZ Header In CommandLinePersistencenone7
Windows: Block Load Of Revoked DriverPersistencenone7
Windows: CL-LoadAssembly.ps1 Proxy ExecutionPersistencenone5
Windows: CL-Mutexverifiers.ps1 Proxy ExecutionPersistencenone5
Windows: CVE-2021-1675 Print Spooler Exploitation Filename PatternPersistencenone9
Windows: CVE-2021-44077 POC Default Dropped FilePersistencenone7
Windows: Capture Credentials with Rpcping.exePersistencenone5
Windows: Certificate Exported Via Certutil.EXEPersistencenone5
Windows: Change Default File Association To Executable Via AssocPersistenceT1546.0017
Windows: Change Default File Association Via AssocPersistenceT1546.0013
Windows: Chopper Webshell Process PatternPersistenceT1505.0037
Windows: Code Integrity Attempted DLL LoadPersistencenone7
Windows: Code Integrity Blocked Driver LoadPersistencenone7
Windows: Console CodePage Lookup Via CHCPPersistencenone5
Windows: Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXEPersistencenone7
Windows: Created Files by Microsoft Sync CenterPersistencenone5
Windows: Creation Exe for Service with Unquoted PathPersistenceT1547.0097
Windows: Creation of a DiagcabPersistencenone5
Windows: Creation of a Local Hidden User Account by RegistryPersistenceT1136.0017
Windows: Custom Class Execution via XwizardPersistencenone5
Windows: DLL Execution Via Register-cimprovider.exePersistencenone5
Windows: DLL Execution via Rasautou.exePersistencenone5
Windows: DLL Load By System Process From Suspicious LocationsPersistencenone7
Windows: DLL Load via LSASSPersistenceT1547.0087
Windows: DLL Loaded via CertOC.EXEPersistencenone5
Windows: DNS HybridConnectionManager Service BusPersistenceT15547
Windows: Deny Service Access Using Security Descriptor Tampering Via Sc.EXEPersistenceT1543.0037
Windows: Deployment AppX Package Was Blocked By AppLockerPersistencenone5
Windows: Deployment Of The AppX Package Was Blocked By The PolicyPersistencenone5
Windows: Detected Windows Software DiscoveryPersistencenone5
Windows: Detecting Fake Instances Of Hxtsr.exePersistencenone5
Windows: Device Installation BlockedPersistencenone5
Windows: DeviceCredentialDeployment ExecutionPersistencenone5
Windows: Devtoolslauncher.exe Executes Specified BinaryPersistencenone7
Windows: DiagTrackEoP Default Login UsernamePersistencenone9
Windows: Direct Autorun Keys ModificationPersistenceT1547.0015
Windows: Dllhost.EXE Execution AnomalyPersistencenone7
Windows: DotNet CLR DLL Loaded By Scripting ApplicationsPersistencenone7
Windows: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBINPersistencenone5
Windows: Download Arbitrary Files Via MSOHTMED.EXEPersistencenone5
Windows: Download Arbitrary Files Via PresentationHost.exePersistencenone5
Windows: DriverQuery.EXE ExecutionPersistencenone5
Windows: Drop Binaries Into Spool Drivers Color FolderPersistencenone5
Windows: Dump Ntds.dit To Suspicious LocationPersistencenone5
Windows: DumpStack.log Defender EvasionPersistencenone9
Windows: ETW Logging Tamper In .NET ProcessesPersistencenone7
Windows: Email Exifiltration Via PowershellPersistencenone7
Windows: Enabled User Right in AD to Control User ObjectsPersistencenone7
Windows: Execute Files with Msdeploy.exePersistencenone5
Windows: Execute MSDT Via Answer FilePersistencenone7
Windows: Execute Pcwrun.EXE To Leverage FollinaPersistencenone7
Windows: Execution Of Non-Existing FilePersistencenone7
Windows: Execution from Suspicious FolderPersistencenone7
Windows: Execution in Webserver Root FolderPersistenceT1505.0035
Windows: Execution of Powershell Script in Public FolderPersistencenone7
Windows: Execution of Suspicious File Type ExtensionPersistencenone7
Windows: Execution via CL-Invocation.ps1Persistencenone7
Windows: Execution via Diskshadow.exePersistencenone7
Windows: Execution via WorkFolders.exePersistencenone7
Windows: Execution via stordiag.exePersistencenone7
Windows: Explorer Process Tree BreakPersistencenone5
Windows: Failed MSExchange Transport Agent InstallationPersistenceT1505.0027
Windows: File Creation In Suspicious Directory By Msdt.EXEPersistenceT1547.0017
Windows: File Decoded From Base64/Hex Via Certutil.EXEPersistencenone5
Windows: File Download Using ProtocolHandler.exePersistencenone5
Windows: File Encoded To Base64 Via Certutil.EXEPersistencenone5
Windows: FoggyWeb Backdoor DLL LoadingPersistencenone9
Windows: Format.com FileSystem LOLBINPersistencenone7
Windows: Fsutil Behavior Set SymlinkEvaluationPersistencenone5
Windows: Fsutil Suspicious InvocationPersistencenone7
Windows: GALLIUM Artefacts - BuiltinPersistencenone7
Windows: GatherNetworkInfo.VBS Reconnaissance Script OutputPersistencenone5
Windows: Gpresult Display Group Policy InformationPersistencenone5
Windows: Gpscript ExecutionPersistencenone5
Windows: Gzip Archive Decode Via PowerShellPersistencenone5
Windows: Hidden Local User CreationPersistenceT1136.0017
Windows: HybridConnectionManager Service InstallationPersistenceT15547
Windows: HybridConnectionManager Service Installation: SysmonPersistencenone7
Windows: IIS Native-Code Module Command Line InstallationPersistenceT1505.0035
Windows: ISO or Image Mount Indicator in Recent FilesPersistencenone5
Windows: Ie4uinit Lolbin Use From Invalid PathPersistencenone5
Windows: Ilasm Lolbin Use Compile C-SharpPersistencenone5
Windows: ImagingDevices Unusual Parent/Child ProcessesPersistencenone7
Windows: Important Windows Service Terminated UnexpectedlyPersistencenone7
Windows: Important Windows Service Terminated With ErrorPersistencenone7
Windows: Indirect Command Execution By Program Compatibility WizardPersistencenone3
Windows: InfDefaultInstall.exe .inf ExecutionPersistencenone5
Windows: Install New Package Via Winget Local ManifestPersistencenone5
Windows: JSC Convert Javascript To ExecutablePersistencenone5
Windows: KDC RC4-HMAC Downgrade CVE-2022-37966Persistencenone7
Windows: Kavremover Dropped Binary LOLBIN UsagePersistencenone7
Windows: KrbRelayUp Attack PatternPersistencenone7
Windows: KrbRelayUp Service InstallationPersistencenone7
Windows: LOLBAS Data Exfiltration by DataSvcUtil.exePersistencenone5
Windows: LOLBIN From Abnormal DrivePersistencenone5
Windows: Legitimate Application Dropped ArchivePersistencenone7
Windows: Legitimate Application Dropped ExecutablePersistencenone7
Windows: Legitimate Application Dropped ScriptPersistencenone7
Windows: Leviathan Registry Key ActivityPersistenceT1547.0019
Windows: Loading Diagcab Package From Remote PathPersistencenone7
Windows: Locked WorkstationPersistencenone3
Windows: Logon Scripts UserInitMprLogonScript PersistenceT1037.0017
Windows: Lolbin Defaultpack.exe Use As ProxyPersistencenone5
Windows: Lolbin Runexehelper Use As ProxyPersistencenone5
Windows: Lolbin Unregmp2.exe Use As ProxyPersistencenone5
Windows: MSExchange Transport Agent InstallationPersistenceT1505.0025
Windows: MSI Installation From Suspicious LocationsPersistencenone5
Windows: MSMQ Corrupted Packet EncounteredPersistencenone7
Windows: MSSQL Add Account To Sysadmin RolePersistencenone7
Windows: MSSQL Extended Stored Procedure Backdoor MaggiePersistencenone7
Windows: MSSQL SPProcoption SetPersistencenone7
Windows: MSSQL XPCmdshell Option ChangePersistencenone7
Windows: MSSQL XPCmdshell Suspicious ExecutionPersistencenone7
Windows: Malicious PE Execution by Microsoft Visual Studio DebuggerPersistencenone5
Windows: Malicious Windows Script Components File Execution by TAEF DetectionPersistencenone3
Windows: Manage Engine Java Suspicious Sub ProcessPersistencenone7
Windows: Microsoft IIS Connection Strings DecryptionPersistencenone7
Windows: Microsoft Sync Center Suspicious Network ConnectionsPersistencenone5
Windows: Microsoft Workflow Compiler ExecutionPersistencenone5
Windows: Mimikatz Kirbi File CreationPersistencenone9
Windows: Moriya Rootkit: System LogPersistenceT1543.0039
Windows: MpiExec LolbinPersistencenone7
Windows: Mshtml DLL RunHTMLApplication AbusePersistencenone7
Windows: Narrator s Feedback-Hub Persistence PersistenceT1547.0017
Windows: NetSupport Manager Service InstallPersistencenone5
Windows: New ActiveScriptEventConsumer Created Via Wmic.EXEPersistenceT1546.0037
Windows: New DLL Added to AppCertDlls Registry KeyPersistenceT1546.0095
Windows: New DLL Added to AppInit-DLLs Registry KeyPersistenceT1546.0105
Windows: New Kernel Driver Via SC.EXEPersistenceT1543.0035
Windows: New PDQDeploy Service - Client SidePersistenceT1543.0035
Windows: New PDQDeploy Service - Server SidePersistenceT1543.0035
Windows: New Service Creation Using PowerShellPersistenceT1543.0033
Windows: New Service Creation Using Sc.EXEPersistenceT1543.0033
Windows: New Service Uses Double Ampersand in PathPersistencenone7
Windows: New Shim Database Created in the Default DirectoryPersistenceT1547.0095
Windows: New User Created Via Net.EXE With Never Expire OptionPersistenceT1136.0017
Windows: Ngrok Usage with Remote Desktop ServicePersistencenone7
Windows: Nslookup PowerShell Download Cradle - ProcessCreationPersistencenone5
Windows: Ntdsutil AbusePersistencenone5
Windows: Office Application Startup - Office TestPersistenceT1137.0025
Windows: Office Template CreationPersistencenone7
Windows: OilRig APT Registry PersistencePersistenceT1543.0039
Windows: OneNote Attachment File Dropped In Suspicious LocationPersistencenone5
Windows: OpenWith.exe Executes Specified BinaryPersistencenone7
Windows: Outgoing Logon with New CredentialsPersistencenone3
Windows: PCRE.NET Package Image LoadPersistencenone7
Windows: PCRE.NET Package Temp FilesPersistencenone7
Windows: PUA - AdvancedRun ExecutionPersistencenone5
Windows: PUA - AdvancedRun Suspicious ExecutionPersistencenone7
Windows: PUA - Fast Reverse Proxy FRP ExecutionPersistencenone7
Windows: PUA - NPS Tunneling Tool ExecutionPersistencenone7
Windows: PUA - System Informer Driver LoadPersistencenone5
Windows: PUA - System Informer ExecutionPersistencenone5
Windows: PUA - Wsudo Suspicious ExecutionPersistencenone7
Windows: PUA- IOX Tunneling Tool ExecutionPersistencenone7
Windows: Parent in Public Folder Suspicious ProcessPersistencenone7
Windows: Password Change on Directory Service Restore Mode DSRM Account PersistenceT1098.0037
Windows: Password Protected ZIP File OpenedPersistencenone5
Windows: Password Protected ZIP File Opened Email Attachment Persistencenone7
Windows: Password Protected ZIP File Opened Suspicious Filenames Persistencenone7
Windows: Password Provided In Command Line Of Net.EXEPersistencenone5
Windows: Path To Screensaver Binary ModifiedPersistenceT1546.0025
Windows: Perl Inline Command ExecutionPersistencenone5
Windows: Persistence Via Sticky Key BackdoorPersistenceT1546.0089
Windows: Persistence Via TypedPaths - CommandLinePersistencenone5
Windows: Phishing Pattern ISO in ArchivePersistencenone7
Windows: Php Inline Command ExecutionPersistencenone5
Windows: PortProxy Registry KeyPersistencenone5
Windows: Possible Shadow Credentials AddedPersistencenone7
Windows: Possible Shim Database Persistence via sdbinst.exePersistenceT1546.0117
Windows: Potential Active Directory Enumeration Using AD Module - ProcCreationPersistencenone5
Windows: Potential Arbitrary Code Execution Via Node.EXEPersistencenone7
Windows: Potential Binary Or Script Dropper Via PowerShellPersistencenone5
Windows: Potential COM Objects Download Cradles Usage - Process CreationPersistencenone5
Windows: Potential Cobalt Strike Process PatternsPersistencenone7
Windows: Potential Command Line Path Traversal Evasion AttemptPersistencenone5
Windows: Potential Credential Dumping Attempt Using New NetworkProvider - CLIPersistencenone7
Windows: Potential DLL File Download Via PowerShell Invoke-WebRequestPersistencenone5
Windows: Potential DLL Sideloading Using Coregen.exePersistencenone5
Windows: Potential Discovery Activity Via Dnscmd.EXEPersistenceT1543.0035
Windows: Potential Malicious AppX Package Installation AttemptsPersistencenone5
Windows: Potential Manage-bde.wsf Abuse To Proxy ExecutionPersistencenone7
Windows: Potential NTLM Coercion Via Certutil.EXEPersistencenone7
Windows: Potential Password Spraying Attempt Using Dsacls.EXEPersistencenone5
Windows: Potential Persistence Attempt Via ErrorHandler.CmdPersistencenone5
Windows: Potential Persistence Via Microsoft Office Add-InPersistenceT1137.0067
Windows: Potential Persistence Via Netsh Helper DLLPersistenceT1546.0077
Windows: Potential Persistence Via Notepad PluginsPersistencenone5
Windows: Potential Persistence Via Outlook FormPersistenceT1137.0037
Windows: Potential PowerShell Execution Policy Tampering - ProcCreationPersistencenone7
Windows: Potential Privilege Escalation Attempt Via .Exe.Local TechniquePersistencenone7
Windows: Potential Privilege Escalation Using Symlink Between Osk and CmdPersistenceT1546.0087
Windows: Potential Process Injection Via Msra.EXEPersistencenone7
Windows: Potential RDP Session Hijacking ActivityPersistencenone5
Windows: Potential Recon Activity Using DriverQuery.EXEPersistencenone7
Windows: Potential Recon Activity Using WevtutilPersistencenone5
Windows: Potential Remote Credential Dumping ActivityPersistencenone7
Windows: Potential Remote Desktop TunnelingPersistencenone5
Windows: Potential Renamed Rundll32 ExecutionPersistencenone7
Windows: Potential RipZip Attack on Startup FolderPersistencenone7
Windows: Potential Shellcode InjectionPersistencenone7
Windows: Potential Signing Bypass Via Windows Developer FeaturesPersistencenone7
Windows: Potential Suspicious Mofcomp ExecutionPersistencenone7
Windows: Potential Suspicious PowerShell Module File CreatedPersistencenone5
Windows: Potential Suspicious Windows Feature Enabled - ProcCreationPersistencenone5
Windows: Potential Windows Defender Tampering Via Wmic.EXEPersistenceT1546.0087
Windows: Potential Winnti Dropper ActivityPersistencenone7
Windows: Potentially Over Permissive Permissions Granted Using Dsacls.EXEPersistencenone5
Windows: Potentially Suspicious GoogleUpdate Child ProcessPersistencenone7
Windows: Potentially Suspicious Network Connection To Notion APIPersistencenone3
Windows: PowerShell Download and Execution CradlesPersistencenone7
Windows: PowerShell Module File CreatedPersistencenone3
Windows: PowerShell Module File Created By Non-PowerShell ProcessPersistencenone5
Windows: PowerShell Profile ModificationPersistenceT1546.0137
Windows: PowerShell Script Dropped Via PowerShell.EXEPersistencenone3
Windows: PowerShell Web DownloadPersistencenone5
Windows: PowerShell Writing Startup ShortcutsPersistenceT1547.0017
Windows: Powershell Inline Execution From A FilePersistencenone5
Windows: Powerview Add-DomainObjectAcl DCSync AD Extend RightPersistencenone7
Windows: PrinterNightmare Mimimkatz Driver NamePersistencenone9
Windows: Privilege Escalation via Named Pipe ImpersonationPersistencenone7
Windows: Process Creation Using Sysnative FolderPersistencenone5
Windows: Process Memory Dump Via Dotnet-DumpPersistencenone5
Windows: Proxy Execution Via Explorer.exePersistencenone3
Windows: Proxy Execution via WuaucltPersistencenone7
Windows: Psexec ExecutionPersistencenone5
Windows: Publisher Attachment File Dropped In Suspicious LocationPersistencenone5
Windows: Python Inline Command ExecutionPersistencenone5
Windows: Python Spawning Pretty TTY on WindowsPersistencenone7
Windows: Query Usage To Exfil DataPersistencenone5
Windows: RDP File Creation From Suspicious ApplicationPersistencenone7
Windows: REGISTER-APP.VBS Proxy ExecutionPersistencenone5
Windows: RTCore Suspicious Service InstallationPersistencenone7
Windows: Reg Add RUN KeyPersistenceT1547.0015
Windows: Regedit as Trusted InstallerPersistencenone7
Windows: Registry Persistence Mechanisms in Recycle BinPersistencenone7
Windows: Regsvr32 Command Line Without DLLPersistencenone7
Windows: Remote Access Tool - NetSupport Execution From Unusual LocationPersistencenone5
Windows: Remote Access Tool - RURAT Execution From Unusual LocationPersistencenone5
Windows: Remote Code Execute via Winrm.vbsPersistencenone5
Windows: Remote Utilities Host Service InstallPersistencenone5
Windows: Remote WMI ActiveScriptEventConsumersPersistenceT1546.0037
Windows: RemoteFXvGPUDisablement Abuse Via AtomicTestHarnessesPersistencenone7
Windows: Renamed AutoHotkey.EXE ExecutionPersistencenone5
Windows: Renamed MegaSync ExecutionPersistencenone7
Windows: Renamed NetSupport RAT ExecutionPersistencenone7
Windows: Renamed Office Binary ExecutionPersistencenone7
Windows: Renamed Plink ExecutionPersistencenone7
Windows: Renamed Remote Utilities RAT RURAT ExecutionPersistencenone5
Windows: Replay Attack DetectedPersistencenone7
Windows: Ruby Inline Command ExecutionPersistencenone5
Windows: Run PowerShell Script from Redirected Input StreamPersistencenone7
Windows: Rundll32 Execution Without DLL FilePersistencenone7
Windows: Rundll32 JS RunHTMLApplication PatternPersistencenone7
Windows: Rundll32 Registered COM ObjectsPersistenceT1546.0157
Windows: Rundll32 With Suspicious Parent ProcessPersistencenone5
Windows: SCM Database Privileged OperationPersistencenone5
Windows: Script Interpreter Execution From Suspicious FolderPersistencenone7
Windows: Sdiagnhost Calling Suspicious Child ProcessPersistencenone7
Windows: Security Support Provider SSP Added to LSA ConfigurationPersistenceT1547.0059
Windows: Service Installation in Suspicious FolderPersistenceT1543.0035
Windows: Service Installation with Suspicious Folder PatternPersistenceT1543.0037
Windows: Service Installed By Unusual Client - SecurityPersistencenone7
Windows: Service Installed By Unusual Client - SystemPersistencenone7
Windows: Shells Spawned by JavaPersistencenone5
Windows: Shells Spawned by Web ServersPersistenceT1505.0037
Windows: Sideloading Link.EXEPersistencenone5
Windows: Standard User In High Privileged GroupPersistencenone5
Windows: Startup Folder File WritePersistenceT1547.0015
Windows: Sticky Key Like Backdoor ExecutionPersistenceT1546.0089
Windows: Sticky Key Like Backdoor Usage - RegistryPersistenceT1546.0089
Windows: StoneDrill Service InstallPersistenceT1543.0037
Windows: Suspect Svchost ActivityPersistencenone7
Windows: Suspicious ASPX File Drop by ExchangePersistenceT1505.0037
Windows: Suspicious Add User to Remote Desktop Users GroupPersistenceT1136.0017
Windows: Suspicious AgentExecutor PowerShell ExecutionPersistencenone7
Windows: Suspicious AppX Package Installation AttemptPersistencenone5
Windows: Suspicious AppX Package LocationsPersistencenone7
Windows: Suspicious Application InstalledPersistencenone5
Windows: Suspicious Atbroker ExecutionPersistencenone7
Windows: Suspicious CMD Shell Output RedirectPersistencenone5
Windows: Suspicious Cabinet File ExpansionPersistencenone5
Windows: Suspicious Calculator UsagePersistencenone7
Windows: Suspicious Child Process Of SQL ServerPersistenceT1505.0037
Windows: Suspicious Child Process Of Veeam DabatasePersistencenone9
Windows: Suspicious Chromium Browser Instance Executed With Custom ExtensionsPersistenceT11767
Windows: Suspicious CodePage Switch Via CHCPPersistencenone5
Windows: Suspicious ConfigSecurityPolicy ExecutionPersistencenone5
Windows: Suspicious Creation with ColorcplPersistencenone7
Windows: Suspicious CustomShellHost ExecutionPersistencenone5
Windows: Suspicious DLL Loaded via CertOC.EXEPersistencenone7
Windows: Suspicious DNS Query for IP Lookup Service APIsPersistencenone5
Windows: Suspicious Debugger Registration CmdlinePersistenceT1546.0087
Windows: Suspicious Digital Signature Of AppX PackagePersistencenone5
Windows: Suspicious DotNET CLR Usage Log ArtifactPersistencenone7
Windows: Suspicious Double Extension FilesPersistencenone7
Windows: Suspicious Download Via Certutil.EXEPersistencenone5
Windows: Suspicious Download from Office DomainPersistencenone7
Windows: Suspicious Driver Install by pnputil.exePersistencenone5
Windows: Suspicious Driver Load from Temp PersistenceT1543.0035
Windows: Suspicious Dropbox API UsagePersistencenone7
Windows: Suspicious Electron Application Child ProcessesPersistencenone5
Windows: Suspicious Elevated System ShellPersistencenone7
Windows: Suspicious Epmap ConnectionPersistencenone7
Windows: Suspicious Executable File CreationPersistencenone7
Windows: Suspicious Execution From GUID Like Folder NamesPersistencenone5
Windows: Suspicious Execution Of PDQDeployRunnerPersistencenone5
Windows: Suspicious Execution of InstallUtil To DownloadPersistencenone5
Windows: Suspicious Execution of InstallUtil Without LogPersistencenone5
Windows: Suspicious Extexport ExecutionPersistencenone5
Windows: Suspicious File Created In PerfLogsPersistencenone5
Windows: Suspicious File Created Via OneNote ApplicationPersistencenone7
Windows: Suspicious File Download From File Sharing Domain Via Curl.EXEPersistencenone7
Windows: Suspicious File Downloaded From Direct IP Via Certutil.EXEPersistencenone7
Windows: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXEPersistencenone7
Windows: Suspicious File Drop by ExchangePersistenceT1505.0035
Windows: Suspicious FromBase64String Usage On Gzip Archive - Process CreationPersistencenone5
Windows: Suspicious Get-Variable.exe CreationPersistencenone7
Windows: Suspicious Git ClonePersistencenone5
Windows: Suspicious Greedy Compression Using Rar.EXEPersistencenone7
Windows: Suspicious GrpConv ExecutionPersistencenone7
Windows: Suspicious IIS Module RegistrationPersistencenone7
Windows: Suspicious IIS URL GlobalRules Rewrite Via AppCmdPersistencenone5
Windows: Suspicious Interactive PowerShell as SYSTEMPersistencenone7
Windows: Suspicious Kernel Dump Using DtracePersistencenone7
Windows: Suspicious LNK Double Extension FilePersistencenone5
Windows: Suspicious LOLBIN AccCheckConsolePersistencenone7
Windows: Suspicious MSDT Parent ProcessPersistencenone7
Windows: Suspicious MSExchangeMailboxReplication ASPX WritePersistenceT1505.0037
Windows: Suspicious Network CommandPersistencenone3
Windows: Suspicious Network Connection Binary No CommandLinePersistencenone7
Windows: Suspicious Network Connection to IP Lookup Service APIsPersistencenone5
Windows: Suspicious New Instance Of An Office COM ObjectPersistencenone5
Windows: Suspicious New Service CreationPersistenceT1543.0037
Windows: Suspicious Non-Browser Network Communication With Google APIPersistencenone5
Windows: Suspicious Non-Browser Network Communication With Reddit APIPersistencenone5
Windows: Suspicious Ntdll Pipe RedirectionPersistencenone7
Windows: Suspicious OfflineScannerShell.exe Execution From Another FolderPersistencenone5
Windows: Suspicious Parent Double Extension File ExecutionPersistencenone7
Windows: Suspicious PowerShell Child ProcessesPersistencenone7
Windows: Suspicious PowerShell IEX Execution PatternsPersistencenone7
Windows: Suspicious PowerShell Invocations - Specific - ProcessCreationPersistencenone5
Windows: Suspicious PowerShell Mailbox Export to SharePersistencenone9
Windows: Suspicious Powercfg Execution To Change Lock Screen TimeoutPersistencenone5
Windows: Suspicious Process ParentsPersistencenone7
Windows: Suspicious Process Start LocationsPersistencenone5
Windows: Suspicious Program NamesPersistencenone7
Windows: Suspicious RASdial ActivityPersistencenone5
Windows: Suspicious Reg Add Open CommandPersistencenone5
Windows: Suspicious Registration via cscript.exePersistencenone5
Windows: Suspicious Remote AppX Package LocationsPersistencenone7
Windows: Suspicious Remote Logon with Explicit CredentialsPersistencenone5
Windows: Suspicious Run Key from DownloadPersistenceT1547.0017
Windows: Suspicious RunAs-Like Flag CombinationPersistencenone5
Windows: Suspicious Rundll32 Invoking Inline VBScriptPersistencenone7
Windows: Suspicious SYSTEM User Process CreationPersistencenone7
Windows: Suspicious Scheduled Task Write to System32 TasksPersistencenone7
Windows: Suspicious ScreenSave Change by Reg.exePersistenceT1546.0025
Windows: Suspicious Screensaver Binary File CreationPersistenceT1546.0025
Windows: Suspicious Script Execution From Temp FolderPersistencenone7
Windows: Suspicious Serv-U Process PatternPersistencenone7
Windows: Suspicious Service Binary DirectoryPersistencenone7
Windows: Suspicious Service DACL Modification Via Set-Service CmdletPersistenceT1543.0037
Windows: Suspicious Service InstallationPersistenceT1543.0037
Windows: Suspicious Service Installation ScriptPersistenceT1543.0037
Windows: Suspicious Service Path ModificationPersistenceT1543.0037
Windows: Suspicious Shells Spawn by Java Utility KeytoolPersistencenone7
Windows: Suspicious Shells Spawned by JavaPersistencenone7
Windows: Suspicious Sigverif ExecutionPersistencenone5
Windows: Suspicious Splwow64 Without ParamsPersistencenone7
Windows: Suspicious Startup Folder PersistencePersistenceT1547.0017
Windows: Suspicious SysAidServer ChildPersistencenone5
Windows: Suspicious Usage Of ShellExec-RunDLLPersistencenone7
Windows: Suspicious Usage of CVE-2021-34484 or CVE 2022-21919Persistencenone3
Windows: Suspicious Use of CSharp Interactive ConsolePersistencenone7
Windows: Suspicious Userinit Child ProcessPersistencenone5
Windows: Suspicious Vsls-Agent Command With AgentExtensionPath LoadPersistencenone5
Windows: Suspicious WERMGR Process PatternsPersistencenone7
Windows: Suspicious Windows App ActivityPersistencenone7
Windows: Suspicious Windows Update Agent Empty CmdlinePersistencenone7
Windows: Suspicious WindowsTerminal Child ProcessesPersistencenone5
Windows: Suspicious Word Cab File Write CVE-2021-40444Persistencenone7
Windows: Suspicious Workstation Locking via Rundll32Persistencenone5
Windows: Suspicious X509Enrollment - Process CreationPersistencenone5
Windows: Suspicious aspnet-compiler.exe ExecutionPersistencenone5
Windows: Suspicious desktop.ini ActionPersistenceT1547.0095