open-menu
closeme
Account Password Reset Remotely
calendar
Apr 18, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Impact
·
Share on:
twitter
facebook
linkedin
copy
Potential Windows Session Hijacking via CcmExec
calendar
Apr 18, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Command Prompt Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Direct Outbound SMB Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution from a Removable Media with Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by Microsoft Office
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of File Written or Modified by PDF Reader
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Host Files System Changes via Windows Subsystem for Linux
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement via MSHTA
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement with MMC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindows
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming Execution via PowerShell Remoting
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Incoming Execution via WinRM Remote Shell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
InstallUtil Process Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
MsBuild Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mshta Making Network Connections
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Compiled HTML File
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via MsXsl
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Registration Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Network Connection via Signed Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Outbound Scheduled Task Activity via PowerShell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Command and Control via Internet Explorer
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Trusted Developer Utility
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Enumeration via Active Directory Web Service
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Lateral Tool Transfer via SMB Share
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Desktop Shadowing Activity
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote File Execution via MSIEXEC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential SharpRDP Behavior
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Windows Error Manager Masquerading
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Process Termination followed by Deletion
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
PsExec Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Execution via File Shares
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via PowerShell
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Script Interpreter
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Scheduled Task Creation
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote XSL Script Execution via COM
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remotely Started Services via RPC
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Task Created by a Windows Script
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Service Command Lateral Movement
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Startup Folder Persistence via Unsigned Process
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious HTML File Creation
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMIC XSL Script Execution
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Activity from a Windows System Binary
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Connection via DllHost
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Network Connection via RunDLL32
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Network Connection
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Script Interpreter Executing Process via WMI
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WMI Incoming Lateral Movement
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WPAD Service Exploit
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Browser Extension Install
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Delayed Execution via Ping
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Downloaded Shortcut Files
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Downloaded URL Files
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
Rule Type: BBR
·
Share on:
twitter
facebook
linkedin
copy
Mofcomp Activity
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Netsh Helper DLL
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network-Level Authentication (NLA) Disabled
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Office Test Registry Persistence
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Exploitation of an Unquoted Service Path Vulnerability
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Werfault ReflectDebugger Persistence
calendar
Apr 16, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Untrusted Driver Loaded
calendar
Apr 15, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Connection to Commonly Abused Web Services
calendar
Apr 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Svchost spawning Cmd
calendar
Apr 8, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Commonly Abused Remote Access Tool Execution
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Access to LDAP Attributes
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: System
Data Source: Active Directory
Data Source: Windows
·
Share on:
twitter
facebook
linkedin
copy
Potential Application Shimming via Sdbinst
calendar
Apr 2, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Account Discovery Command via SYSTEM Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Adding Hidden File Attribute via Attrib
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
AdFind Command Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Adobe Hijack Persistence
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Attempt to Install Kali Linux via WSL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Bypass UAC via Event Viewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Console History
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Clearing Windows Event Logs
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Built-in tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Code Signing Policy Modification Through Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Command Execution via SolarWinds Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Command Shell Activity Started via RunDLL32
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Component Object Model Hijacking
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Conhost Spawned By Suspicious Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Connection to Commonly Abused Free SSL Certificate Providers
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Control Panel Process with Unusual Arguments
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Creation of a Hidden Local User Account
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of a new GPO Scheduled Task or Service
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Domain Backup DPAPI private key
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Creation or Modification of Root Certificate
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Credential Acquisition via Registry Hive Dumping
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Delete Volume USN Journal with Fsutil
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Deleting Backup Catalogs with Wbadmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Event and Security Logs Using Built-in Tools
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disable Windows Firewall Rules via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Disabling User Account Control via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Disabling Windows Defender Security Settings via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
DNS-over-HTTPS Enabled via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Enable Host Network Discovery via Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Encoded Executable Stored in the Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Encrypting Files with WinRar or 7z
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via DSQUERY.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumerating Domain Trusts via NLTEST.EXE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration Command Spawned via WMIPrvSE
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Administrator Accounts
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Executable File Creation with Multiple Extensions
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution from Unusual Directory - Command Line
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of COM object via Xwizard
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution of Persistent Suspicious Program
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution via local SxS Shared Module
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Execution via MSSQL xp_cmdshell Stored Procedure
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via TSClient Mountpoint
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Execution via Windows Subsystem for Linux
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Expired or Revoked Driver Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Exporting Exchange Mailbox via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Driver Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen Removable Device
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Full User-Mode Dumps Enabled System-Wide
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Elastic Endgame
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Group Policy Discovery via Microsoft GPResult Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
High Number of Process and/or Service Terminations
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
IIS HTTP Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Image File Execution Options Injection
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
ImageLoad via Windows Update Auto Update Client
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Ingress Transfer via Windows BITS
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Installation of Custom Shim Databases
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Installation of Security Support Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Traffic from Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Kirbi File Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Lateral Movement via Startup Folder
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Local Account TokenFilter Policy Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Local Scheduled Task Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
LSASS Process Access via Windows API
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started an Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by a Script Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by a System Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Started by an Office Application
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Build Engine Using an Alternate Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Server UM Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Server UM Writing Suspicious Files
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Exchange Worker Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Microsoft IIS Connection Strings Decryption
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft IIS Service Account Password Dumped
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Microsoft Windows Defender Tampering
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mimikatz Memssp Log File Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of AmsiEnable Registry Key
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Modification of Boot Configuration
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Modification of WDigest Security Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Mounting Hidden or WebDav Remote Shares
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Network Logon Provider Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
New ActiveSyncAllowedDeviceID Added via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
NTDS or SAM Database File Copied
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
NullSessionPipe Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Parent Process PID Spoofing
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Peripheral Device Discovery
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via BITS Job Notify Cmdline
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Hidden Run Key Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Microsoft Office AddIns
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Microsoft Outlook VBA
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via PowerShell profile
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Scheduled Job Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Persistence via TelemetryController Scheduled Task Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via Update Orchestrator Service Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Vulnerability
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via WMI Event Subscription
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistence via WMI Standard Registry Provider
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Persistent Scripts in the Startup Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Port Forwarding Rule Addition
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Windows Utilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential DLL Side-Loading via Microsoft Antimalware Service Executable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential DLL Side-Loading via Trusted Microsoft Programs
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential DNS Tunneling via NsLookup
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Evasion via Filter Manager
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Evasion via Windows Filtering Platform
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential File Transfer via Certreq
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Command and Control
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Local NTLM Relay via HTTP
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential LSA Authentication Package Abuse
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Masquerading as Business App Installer
calendar
Apr 1, 2024
·
Domain: Endpoint
Data Source: Elastic Defend
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Potential Masquerading as Communication Apps
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Modification of Accessibility Binaries
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Persistence via Time Provider Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Port Monitor or Print Processor Registration Abuse
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Privilege Escalation via InstallerFileTakeOver
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Credential Access via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Remote Desktop Tunneling Detected
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Secure File Deletion via SDelete Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Impact
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script Block Logging Disabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Named Pipe Impersonation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Windir Environment Variable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privileges Elevation via Parent Process PID Spoofing
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Activity via Compiled HTML File
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Created with a Duplicated Token
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Created with an Elevated Token
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Process Execution from an Unusual Directory
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Program Files Directory Masquerading
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Rare SMB Connection to the Internet
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Exfiltration
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
RDP Enabled via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Registry Persistence via AppCert DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Registry Persistence via AppInit DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Remote Desktop Enabled in Windows Firewall by Netsh
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Copy to a Hidden Share
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Copy via TeamViewer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via Desktopimgdownldr Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Remote File Download via MpCmdRun
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Renamed AutoIt Scripts Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Renamed Utility Executed with Short Program Name
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Tasks AT Command Enabled
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
ScreenConnect Server Spawning Suspicious Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Searching for Saved Credentials via VaultCmd
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Service Control Spawned via Script Interpreter
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
SIP Provider Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
SolarWinds Process Disabling Services via Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Initial Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Startup or Run Key Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Startup Persistence by a Suspicious Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
SUNBURST Command and Control Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious .NET Code Compilation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Antimalware Scan Interface DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious CertUtil Commands
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Cmd Execution via WMI
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious DLL Loaded for Persistence or Privilege Escalation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Endpoint Security Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution from a Mounted Device
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution from INET Cache
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Command and Control
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Microsoft Office Add-Ins
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Scheduled Task
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Execution via Windows Subsystem for Linux
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Explorer Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Image Load (taskschd.dll) from MS Office
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious ImagePath Service Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Inter-Process Communication via Outlook
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious JetBrains TeamCity Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Microsoft Diagnostics Wizard Execution
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Module Loaded by LSASS
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Office Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious MS Outlook Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PDF Reader Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Initial Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PowerShell Engine ImageLoad
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler File Deletion
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler Point and Print DLL
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Print Spooler SPL File Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious PrintSpooler Service Executable File Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Execution via Renamed PsExec Executable
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious RDP ActiveX Client Loaded
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious ScreenConnect Client Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious SolarWinds Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Startup Shell Folder Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WerFault Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Persistence
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMI Image Load from MS Office
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Zoom Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Symbolic Link to Shadow Copy Created
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
System Shells via Services
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Third-party Backup Files Deleted via Unexpected Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Privileged IFileOperation COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt via Windows Directory Masquerading
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via DiskCleanup Scheduled Task Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via ICMLuaUtil Elevated COM Interface
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
UAC Bypass via Windows Firewall Snap-In Hijack
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Uncommon Registry Persistence Change
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unsigned DLL Loaded by Svchost
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unsigned DLL Side-Loading from a Suspicious Folder
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Process from a System Virtual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Process of dns.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Resources: Investigation Guide
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Child Processes of RunDLL32
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Executable File Creation by a System Critical Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual File Creation - Alternate Data Stream
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual File Modification by dns.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Data Source: Elastic Endgame
Use Case: Vulnerability
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Parent Process for cmd.exe
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Parent-Child Relationship
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Persistence via Services Registry
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Print Spooler Child Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Execution Path - Alternate Data Stream
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Unusual Service Host Child Process - Childless Service
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
User Account Creation
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Veeam Backup Library Loaded by Unusual Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deleted or Resized via VssAdmin
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Volume Shadow Copy Deletion via WMIC
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Impact
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Web Shell Detection: Script Process Child of Common Web Processes
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Whoami Process Activity
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Disabled via Registry Modification
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Defender Exclusions Added via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Firewall Disabled via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Registry File Creation in SMB Share
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Script Executing PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Subsystem for Linux Distribution Installed
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows Subsystem for Linux Enabled via Dism Utility
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Wireless Credential Dumping using Netsh Command
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Discovery
Data Source: Elastic Endgame
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Enumeration of Privileged Local Groups Membership
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Exchange Mailbox Export via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell HackTool Script by Function Names
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell PSReflect Script
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Discovery Related Windows API Functions
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Payload Encoded and Compressed
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Clipboard Retrieval Capabilities
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious .NET Reflection via PowerShell
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
calendar
Apr 1, 2024
·
OS: Windows
Data Source: Elastic Endgame
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
calendar
Apr 1, 2024
·
OS: Windows
Data Source: Elastic Endgame
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Windows Process Cluster Spawned by a Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Windows Process Cluster Spawned by a User
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a Host
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a Parent Process
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process Spawned by a User
calendar
Apr 1, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion
·
Share on:
twitter
facebook
linkedin
copy
Potential PowerShell Pass-the-Hash/Relay Script
calendar
Mar 28, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Creation of a DNS-Named Record
calendar
Mar 27, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential ADIDNS Poisoning via Wildcard Record Creation
calendar
Mar 27, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Veeam Credential Access Command
calendar
Mar 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Credential Access
Data Source: Elastic Endgame
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Veeam Credential Access Capabilities
calendar
Mar 21, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
File Creation Time Changed
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
MS Office Macro Security Registry Modifications
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure Followed by Logon Success
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Multiple Logon Failure from the same Source Address
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Antimalware Scan Interface Bypass via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DuplicateHandle in LSASS
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via LSASS Memory Dump
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic:Execution
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via Renamed COM+ Services DLL
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Invoke-Mimikatz PowerShell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Clone Creation via PssCaptureSnapShot
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential LSASS Memory Dump via PssCaptureSnapShot
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Potential Process Injection via PowerShell
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Invoke-NinjaCopy script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Dump
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Kerberos Ticket Request
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Keylogging Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Mailbox Collection Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell MiniDump Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Encryption/Decryption Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: PowerShell Logs
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Token Impersonation Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Script with Webcam Video Capture Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Share Enumeration Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Tactic: Collection
Tactic: Execution
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Audio Capture Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
PowerShell Suspicious Script with Screenshot Capabilities
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Collection
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Privilege Escalation via Rogue Named Pipe Impersonation
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Privileged Account Brute Force
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Process Injection by the Microsoft Build Engine
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Privilege Escalation
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious LSASS Access via MalSecLogon
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Lsass Process Access
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Managed Code Hosting Process
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Portable Executable Encoded in Powershell Script
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: PowerShell Logs
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Access via Direct System Call
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Tactic: Execution
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Process Creation CallTrace
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Script Object Execution
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Suspicious WMI Event Subscription Created
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
WebServer Access Logs Deleted
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
Data Source: Sysmon
·
Share on:
twitter
facebook
linkedin
copy
Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)
calendar
Mar 13, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Access to a Sensitive LDAP Attribute
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
AdminSDHolder SDProp Exclusion Added
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Elastic Agent Service Terminated
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
FirstTime Seen Account Performing DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Group Policy Abuse for Privilege Addition
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Hosts File Modified
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Impact
Resources: Investigation Guide
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Interactive Logon by an Unusual Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Kerberos Pre-authentication Disabled for User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Defense Evasion
Tactic: Privilege Escalation
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
KRBTGT Delegation Backdoor
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
LSASS Memory Dump Handle Access
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Modification of the msPKIAccountCredentials
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Data Source: Active Directory
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Multiple Vault Web Credentials Read
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Potential Cookies Theft via Browser Debugging
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Potential Credential Access via DCSync
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Potential Privileged Escalation via SamAccountName Spoofing
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Potential Shadow Credentials added to AD Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Process Creation via Secondary Logon
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Python Script Execution via Command Line
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Linux
OS: macOS
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Scheduled Task Execution at Scale via GPO
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Lateral Movement
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
SeDebugPrivilege Enabled by a Suspicious Process
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Signed Proxy Execution via MS Work Folders
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
Data Source: Elastic Endgame
·
Share on:
twitter
facebook
linkedin
copy
Startup/Logon Script added to Group Policy Object
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Remote Registry Access via SeBackupPrivilege
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Credential Access
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel Hash Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel IP Address Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel URL Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
Threat Intel Windows Registry Indicator Match
calendar
Mar 11, 2024
·
OS: Windows
Data Source: Elastic Endgame
Rule Type: Indicator Match
·
Share on:
twitter
facebook
linkedin
copy
User account exposed to Kerberoasting
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Credential Access
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
User Added to Privileged Group
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Windows Service Installed via an Unusual Client
calendar
Mar 11, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
First Time Seen NewCredentials Logon Process
calendar
Feb 20, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Remote Scheduled Task Creation via RPC
calendar
Feb 5, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
Suspicious File Downloaded from Google Drive
calendar
Jan 31, 2024
·
Domain: Endpoint
OS: Linux
OS: Windows
OS: macOS
Use Case: Threat Detection
Tactic: Command and Control
·
Share on:
twitter
facebook
linkedin
copy
External Alerts
calendar
Jan 17, 2024
·
OS: Windows
Data Source: APM
OS: macOS
OS: Linux
·
Share on:
twitter
facebook
linkedin
copy
Potential Pass-the-Hash (PtH) Attempt
calendar
Jan 17, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
·
Share on:
twitter
facebook
linkedin
copy
A scheduled task was created
calendar
Jan 17, 2024
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Potential Process Herpaderping Attempt
calendar
Dec 19, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Data Source: Elastic Defend
·
Share on:
twitter
facebook
linkedin
copy
Windows Event Logs Cleared
calendar
Dec 18, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Defense Evasion
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Discovery Signal Alert with Unusual Process Executable
calendar
Dec 7, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Account Configured with Never-Expiring Password
calendar
Nov 14, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Data Source: Active Directory
Resources: Investigation Guide
Use Case: Active Directory Monitoring
·
Share on:
twitter
facebook
linkedin
copy
AdminSDHolder Backdoor
calendar
Oct 15, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Temporarily Scheduled Task Creation
calendar
Oct 15, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Unusual Discovery Signal Alert with Unusual Process Command Line
calendar
Oct 11, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Discovery
Rule Type: Higher-Order Rule
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Process For a Windows Population
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Anomalous Windows Process Creation
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Powershell Script
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Unusual Process For a Windows Host
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Network Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Path Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
Tactic: Execution
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Process Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Remote User
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows User Calling the Metadata Service
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Credential Access
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows User Privilege Elevation Activity
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Privilege Escalation
·
Share on:
twitter
facebook
linkedin
copy
Unusual Windows Username
calendar
Aug 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Initial Access
·
Share on:
twitter
facebook
linkedin
copy
Remote Computer Account DnsHostName Update
calendar
Aug 21, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Active Directory Monitoring
Data Source: Active Directory
Use Case: Vulnerability
·
Share on:
twitter
facebook
linkedin
copy
Suspicious Service was Installed in the System
calendar
Aug 8, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Filebeat Module (v8.x) Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
Deprecated - Threat Intel Indicator Match
calendar
Jul 18, 2023
·
OS: Windows
Data Source: Elastic Endgame
Resources: Investigation Guide
·
Share on:
twitter
facebook
linkedin
copy
A scheduled task was updated
calendar
Jun 30, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Remote Windows Service Installed
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Lateral Movement
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
Service Creation via Local Kerberos Authentication
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Privilege Escalation
Tactic: Credential Access
Use Case: Active Directory Monitoring
Data Source: Active Directory
·
Share on:
twitter
facebook
linkedin
copy
Windows User Account Creation
calendar
Jun 22, 2023
·
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Persistence
·
Share on:
twitter
facebook
linkedin
copy
to-top