| Detection Name | ATT&CK Technique(s) | Type |
| --- | --- | --- |
| Email Attachments With Lots Of Spaces | None | Anomaly |
| Suspicious Email Attachment Extensions | Spearphishing Attachment, Phishing | Anomaly |
| Suspicious Powershell Command-Line Arguments | PowerShell | TTP |
| Uncommon Processes On Endpoint | Malicious File | Hunting |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Any Powershell DownloadFile | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Any Powershell DownloadString | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Detect Empire with PowerShell Script Block Logging | Command and Scripting Interpreter, PowerShell | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Linux Java Spawning Shell | Exploit Public-Facing Application, External Remote Services | TTP |
| Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Malicious PowerShell Process With Obfuscation Techniques | Command and Scripting Interpreter, PowerShell | TTP |
| MSI Module Loaded by Non-System Binary | DLL Side-Loading, Hijack Execution Flow | Hunting |
| Overwriting Accessibility Binaries | Event Triggered Execution, Accessibility Features | TTP |
| Possible Lateral Movement PowerShell Spawn | Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC | TTP |
| PowerShell 4104 Hunting | Command and Scripting Interpreter, PowerShell | Hunting |
| PowerShell - Connect To Internet With Hidden Window | PowerShell, Command and Scripting Interpreter | Hunting |
| PowerShell Domain Enumeration | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP |
| Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP |
| Powershell Fileless Process Injection via GetProcAddress | Command and Scripting Interpreter, Process Injection, PowerShell | TTP |
| Powershell Fileless Script Contains Base64 Encoded Content | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP |
| PowerShell Loading DotNET into Memory via Reflection | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Processing Stream Of Data | Command and Scripting Interpreter, PowerShell | TTP |
| Powershell Using memory As Backing Store | PowerShell, Command and Scripting Interpreter | TTP |
| Print Processor Registry Autostart | Print Processors, Boot or Logon Autostart Execution | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection, Event Triggered Execution | TTP |
| Regsvr32 Silent and Install Param Dll Loading | System Binary Proxy Execution, Regsvr32 | Anomaly |
| Runas Execution in CommandLine | Access Token Manipulation, Token Impersonation/Theft | Hunting |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | Command and Scripting Interpreter, PowerShell | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| Unloading AMSI via Reflection | Impair Defenses, PowerShell, Command and Scripting Interpreter | TTP |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows File Without Extension In Critical Folder | Data Destruction | TTP |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP |
| WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly |