| Detection | Technique(s) | Type |
|---|---|---|
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Domain Group Discovery With Net | Permission Groups Discovery, Domain Groups | Hunting |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Network Connection Discovery With Net | System Network Connections Discovery | Hunting |
| Windows Modify Registry Reg Restore | Query Registry | Hunting |
| Windows Query Registry Reg Save | Query Registry | Hunting |
| Windows Service Stop Via Net and SC Application | Service Stop | Anomaly |
| Common Ransomware Extensions | Data Destruction | TTP |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Network Connection Discovery With Arp | System Network Connections Discovery | Hunting |
| Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting |
| Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting |
| Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Windows Cached Domain Credentials Reg Query | Cached Domain Credentials, OS Credential Dumping | Anomaly |
| Windows Change Default File Association For No File Ext | Change Default File Association, Event Triggered Execution | TTP |
| Windows ClipBoard Data via Get-ClipBoard | Clipboard Data | Anomaly |
| Windows Credentials from Password Stores Query | Credentials from Password Stores | Anomaly |
| Windows Credentials in Registry Reg Query | Credentials in Registry, Unsecured Credentials | Anomaly |
| Windows Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Windows Group Discovery Via Net | Permission Groups Discovery, Local Groups, Domain Groups | Hunting |
| Windows Indirect Command Execution Via Series Of Forfiles | Indirect Command Execution | Anomaly |
| Windows Information Discovery Fsutil | System Information Discovery | Anomaly |
| Windows Network Connection Discovery Via Net | System Network Connections Discovery | Hunting |
| Windows New Default File Association Value Set | Change Default File Association, Event Triggered Execution | Hunting |
| Windows Office Product Spawned Rundll32 With No DLL | Phishing, Spearphishing Attachment | TTP |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Private Keys Discovery | Private Keys, Unsecured Credentials | Anomaly |
| Windows Registry Entries Exported Via Reg | Query Registry | Hunting |
| Windows Registry Entries Restored Via Reg | Query Registry | Hunting |
| Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Windows Steal or Forge Kerberos Tickets Klist | Steal or Forge Kerberos Tickets | Hunting |
| Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly |
| Windows System Network Connections Discovery Netsh | System Network Connections Discovery | Anomaly |
| Windows System User Discovery Via Quser | System Owner/User Discovery | Hunting |
| Windows WMI Process And Service List | Windows Management Instrumentation | Anomaly |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |