diff --git a/config/security_rules.json b/config/security_rules.json
index eb5f3284..770619a3 100644
--- a/config/security_rules.json
+++ b/config/security_rules.json
@@ -35,7 +35,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "WMI Persistence"
 },
@@ -241,7 +242,8 @@
 "tags": [
 "TA0005",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Called from an Executable Version Mismatch"
 },
@@ -260,7 +262,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Nslookup PowerShell Download Cradle"
 },
@@ -281,7 +284,9 @@
 "TA0002",
 "TA0005",
 "T1059.001",
- "T1036.003"
+ "T1036.003",
+ "T1036",
+ "T1059"
 ],
 "title": "Renamed Powershell Under Powershell Channel"
 },
@@ -336,7 +341,9 @@
 "TA0002",
 "T1059.001",
 "TA0008",
- "T1021.003"
+ "T1021.003",
+ "T1059",
+ "T1021"
 ],
 "title": "Suspicious Non PowerShell WSMAN COM Provider"
 },
@@ -353,7 +360,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0009",
- "T1074.001"
+ "T1074.001",
+ "T1074"
 ],
 "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell"
 },
@@ -372,7 +380,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Download"
 },
@@ -412,7 +421,9 @@
 "TA0002",
 "T1059.001",
 "TA0008",
- "T1021.006"
+ "T1021.006",
+ "T1059",
+ "T1021"
 ],
 "title": "Remote PowerShell Session (PS Classic)"
 },
@@ -431,7 +442,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Tamper Windows Defender - PSClassic"
 },
@@ -451,7 +463,8 @@
 "tags": [
 "TA0005",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Downgrade Attack - PowerShell"
 },
@@ -510,7 +523,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1553.004"
+ "T1553.004",
+ "T1553"
 ],
 "title": "Suspicious X509Enrollment - Ps Script"
 },
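Review bot: Adding the parent technique next to its sub-technique — `"T1546"` beside `"T1546.003"` in the `tags` of "WMI Persistence" in the first hunk, and the same pattern in every other hunk of this commit — changes what `tags` means for any consumer that maps them to ATT&CK coverage: a rule that only detects one sub-technique will now be counted as covering the whole parent technique, which overstates coverage if that is how the file is read downstream; that intent deserves a line in the commit message or the project's documentation for this file, since JSON leaves nowhere to annotate it in place. The expansion itself looks deduplicated (e.g. `"T1069"` is not re-added in "Malicious PowerShell Commandlets - ScriptBlock" where it already exists), which is good. The order of the added parents is not consistent across rules, however: "Remote PowerShell Session (PS Classic)" gets `"T1059", "T1021"` while "Remote PowerShell Session (PS Module)" gets `"T1021", "T1059"`, and the two "HackTool - WinPwn Execution" rules disagree the same way, which suggests an unsorted or manual generation step. Emitting parents in a fixed order (sorted, or in order of first appearance of their sub-technique) would make a regeneration produce a no-op diff instead of churn.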
@@ -552,7 +566,8 @@ "TA0005", "TA0002", "T1027", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" }, @@ -593,7 +608,8 @@ "tags": [ "TA0005", "T1562.001", - "TA0002" + "TA0002", + "T1562" ], "title": "AMSI Bypass Pattern Assembly GetType" }, @@ -694,7 +710,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1553.005" + "T1553.005", + "T1553" ], "title": "Suspicious Mount-DiskImage" }, @@ -714,7 +731,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.003" + "T1070.003", + "T1070" ], "title": "Disable Powershell Command History" }, @@ -734,7 +752,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Generic" }, @@ -754,7 +773,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Powershell XML Execute Command" }, @@ -782,7 +802,8 @@ "T1069.001", "T1069.002", "T1069", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious PowerShell Commandlets - ScriptBlock" }, @@ -802,7 +823,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1218.007" + "T1218.007", + "T1218" ], "title": "PowerShell WMI Win32_Product Install MSI" }, @@ -822,7 +844,8 @@ "subcategory_guids": [], "tags": [ "TA0004", - "T1546.003" + "T1546.003", + "T1546" ], "title": "Powershell WMI Persistence" }, @@ -842,7 +865,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1137.006" + "T1137.006", + "T1137" ], "title": "Code Executed Via Office Add-in XLL File" }, @@ -862,7 +886,8 @@ "subcategory_guids": [], "tags": [ "TA0008", - "T1021.006" + "T1021.006", + "T1021" ], "title": "Enable Windows Remote Management" }, @@ -901,7 +926,8 @@ "subcategory_guids": [], "tags": [ "TA0009", - "T1074.001" + "T1074.001", + "T1074" ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, 
@@ -921,7 +947,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1555.003" + "T1555.003", + "T1555" ], "title": "Access to Browser Login Data" }, @@ -941,7 +968,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.003" + "T1059.003", + "T1059" ], "title": "Powershell Execute Batch Script" }, @@ -981,7 +1009,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.002" + "T1069.002", + "T1069" ], "title": "Active Directory Group Enumeration With Get-AdGroup" }, @@ -1001,7 +1030,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.001" + "T1003.001", + "T1003" ], "title": "PowerShell Get-Process LSASS in ScriptBlock" }, @@ -1023,7 +1053,8 @@ "TA0005", "T1070", "T1562.006", - "car.2016-04-002" + "car.2016-04-002", + "T1562" ], "title": "Disable of ETW Trace - Powershell" }, @@ -1066,7 +1097,8 @@ "TA0004", "T1055", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell ShellCode" }, @@ -1113,7 +1145,9 @@ "TA0040", "T1529", "attack.g0091", - "attack.s0363" + "attack.s0363", + "T1059", + "T1071" ], "title": "Silence.EDA Detection" }, @@ -1135,7 +1169,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, @@ -1196,7 +1231,8 @@ "TA0005", "TA0002", "T1027", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Potential PowerShell Obfuscation Using Character Join" }, @@ -1216,7 +1252,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1553.004" + "T1553.004", + "T1553" ], "title": "Root Certificate Installed - PowerShell" }, @@ -1256,7 +1293,8 @@ "subcategory_guids": [], "tags": [ "TA0040", - "T1491.001" + "T1491.001", + "T1491" ], "title": "Replace Desktop Wallpaper by Powershell" }, @@ -1278,7 +1316,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Stdin - Powershell" }, 
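Review bot: In the "Silence.EDA Detection" hunk the added `"T1059"` and `"T1071"` have no matching `T1059.xxx` / `T1071.xxx` sub-technique in the visible context (the tags shown are `TA0040`, `T1529`, `attack.g0091`, `attack.s0363`), so unless those sub-techniques sit above the three context lines these two parents were not derived by the same parent-of-sub-technique rule as the rest of the commit. The same question applies to `"T1204"` in "File Was Not Allowed To Run" and `"T1053"` in "Scheduled Task Creation with Curl and PowerShell Execution Combo" later in the diff, where no corresponding sub-technique is in view either. If these are intentional new technique mappings rather than derived parents, they are better kept in a separate change with their own rationale so a reviewer can check the mapping against the rule logic. Each of these `tags` arrays starts above its hunk, so this is hedged on what the truncated context hides.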
@@ -1300,7 +1339,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" }, @@ -1320,7 +1360,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1564.004" + "T1564.004", + "T1564" ], "title": "Powershell Store File In Alternate Data Stream" }, @@ -1361,7 +1402,8 @@ "tags": [ "TA0007", "T1018", - "T1087.002" + "T1087.002", + "T1087" ], "title": "Active Directory Computers Enumeration With Get-AdComputer" }, @@ -1381,7 +1423,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" }, @@ -1432,7 +1475,9 @@ "T1548.002", "T1552.001", "T1555", - "T1555.003" + "T1555.003", + "T1548", + "T1552" ], "title": "HackTool - WinPwn Execution - ScriptBlock" }, @@ -1452,7 +1497,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1497.001" + "T1497.001", + "T1497" ], "title": "Powershell Detect Virtualization Environment" }, @@ -1472,7 +1518,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Powershell Create Scheduled Task" }, @@ -1492,7 +1539,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.003" + "T1070.003", + "T1070" ], "title": "Suspicious IO.FileStream" }, @@ -1534,7 +1582,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, @@ -1555,7 +1604,8 @@ "tags": [ "TA0009", "TA0006", - "T1056.001" + "T1056.001", + "T1056" ], "title": "Potential Keylogger Activity" }, @@ -1594,7 +1644,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1553.005" + "T1553.005", + "T1553" ], "title": "Suspicious Unblock-File" }, @@ -1614,7 +1665,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1553.005" + "T1553.005", + "T1553" ], "title": "Suspicious Invoke-Item From Mount-DiskImage" }, 
@@ -1654,7 +1706,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious Nishang PowerShell Commandlets" }, @@ -1674,7 +1727,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1132.001" + "T1132.001", + "T1132" ], "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" }, @@ -1694,7 +1748,8 @@ "subcategory_guids": [], "tags": [ "TA0010", - "T1048.003" + "T1048.003", + "T1048" ], "title": "PowerShell ICMP Exfiltration" }, @@ -1817,7 +1872,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Potential Suspicious PowerShell Keywords" }, @@ -1839,7 +1895,9 @@ "TA0002", "T1059.001", "TA0003", - "T1136.001" + "T1136.001", + "T1059", + "T1136" ], "title": "PowerShell Create Local User" }, @@ -1859,7 +1917,8 @@ "subcategory_guids": [], "tags": [ "TA0009", - "T1114.001" + "T1114.001", + "T1114" ], "title": "Powershell Local Email Collection" }, @@ -1879,7 +1938,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, @@ -1939,7 +1999,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.006" + "T1070.006", + "T1070" ], "title": "Powershell Timestomp" }, @@ -1978,7 +2039,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.003" + "T1070.003", + "T1070" ], "title": "Clear PowerShell History - PowerShell" }, @@ -1998,7 +2060,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Tamper Windows Defender - ScriptBlockLogging" }, @@ -2059,7 +2122,8 @@ "tags": [ "TA0006", "T1003.003", - "attack.ds0005" + "attack.ds0005", + "T1003" ], "title": "Create Volume Shadow Copy with Powershell" }, @@ -2098,7 +2162,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1552.004" + "T1552.004", + "T1552" ], "title": "Certificate Exported Via PowerShell - ScriptBlock" }, 
@@ -2121,7 +2186,9 @@ "T1003", "T1558.003", "TA0008", - "T1550.003" + "T1550.003", + "T1558", + "T1550" ], "title": "HackTool - Rubeus Execution - ScriptBlock" }, @@ -2163,7 +2230,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, @@ -2203,7 +2271,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1564.006" + "T1564.006", + "T1564" ], "title": "Suspicious Hyper-V Cmdlets" }, @@ -2223,7 +2292,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1552.001" + "T1552.001", + "T1552" ], "title": "Extracting Information with PowerShell" }, @@ -2243,7 +2313,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Disable-WindowsOptionalFeature Command PowerShell" }, @@ -2324,7 +2395,8 @@ "tags": [ "TA0002", "T1059.001", - "T1106" + "T1106", + "T1059" ], "title": "Potential WinAPI Calls Via PowerShell Scripts" }, @@ -2364,7 +2436,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1071.001" + "T1071.001", + "T1071" ], "title": "Change User Agents with WebRequest" }, @@ -2403,7 +2476,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious ShellIntel PowerShell Commandlets" }, @@ -2423,7 +2497,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1558.003" + "T1558.003", + "T1558" ], "title": "Request A Single Ticket via PowerShell" }, @@ -2484,7 +2559,8 @@ "tags": [ "TA0004", "TA0003", - "T1546.015" + "T1546.015", + "T1546" ], "title": "Suspicious GetTypeFromCLSID ShellExecute" }, @@ -2505,7 +2581,8 @@ "tags": [ "TA0002", "T1047", - "T1059.001" + "T1059.001", + "T1059" ], "title": "WMImplant Hack Tool" }, @@ -2526,7 +2603,8 @@ "tags": [ "TA0003", "T1574.011", - "stp.2a" + "stp.2a", + "T1574" ], "title": "Service Registry Permissions Weakness Check" }, 
@@ -2548,7 +2626,9 @@ "TA0005", "T1564.004", "TA0002", - "T1059.001" + "T1059.001", + "T1059", + "T1564" ], "title": "NTFS Alternate Data Stream" }, @@ -2568,7 +2648,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.006" + "T1003.006", + "T1003" ], "title": "Suspicious Get-ADReplAccount" }, @@ -2648,7 +2729,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious PowerShell Keywords" }, @@ -2711,7 +2793,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" }, @@ -2731,7 +2814,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Specific" }, @@ -2751,7 +2835,8 @@ "subcategory_guids": [], "tags": [ "TA0009", - "T1056.001" + "T1056.001", + "T1056" ], "title": "Powershell Keylogging" }, @@ -2772,7 +2857,8 @@ "tags": [ "TA0003", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell Web Access Installation - PsScript" }, @@ -2794,7 +2880,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, @@ -2814,7 +2901,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "Suspicious Get Local Groups Information - PowerShell" }, @@ -2856,7 +2944,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.001" + "T1070.001", + "T1070" ], "title": "Suspicious Eventlog Clear" }, @@ -2876,7 +2965,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.005" + "T1070.005", + "T1070" ], "title": "PowerShell Deleted Mounted Share" }, @@ -2897,7 +2987,8 @@ "tags": [ "TA0006", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell Credential Prompt" }, 
@@ -2919,7 +3010,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, @@ -2959,7 +3051,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1574.012" + "T1574.012", + "T1574" ], "title": "Registry-Free Process Scope COR_PROFILER" }, @@ -2979,7 +3072,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Download - Powershell Script" }, @@ -2999,7 +3093,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1556.002" + "T1556.002", + "T1556" ], "title": "Powershell Install a DLL in System Directory" }, @@ -3019,7 +3114,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1110.001" + "T1110.001", + "T1110" ], "title": "Suspicious Connection to Remote Account" }, @@ -3039,7 +3135,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell Remote Session Creation" }, @@ -3059,7 +3156,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Potential AMSI Bypass Script Using NULL Bits" }, @@ -3101,7 +3199,8 @@ "tags": [ "TA0005", "TA0004", - "T1484.001" + "T1484.001", + "T1484" ], "title": "Modify Group Policy Settings - ScriptBlockLogging" }, @@ -3143,7 +3242,8 @@ "TA0003", "TA0005", "TA0004", - "T1574.011" + "T1574.011", + "T1574" ], "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" }, @@ -3163,7 +3263,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, @@ -3204,7 +3305,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Clip - Powershell" }, @@ -3224,7 +3326,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1036.003" + "T1036.003", + "T1036" ], "title": "Suspicious Start-Process PassThru" }, 
@@ -3244,7 +3347,8 @@ "subcategory_guids": [], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "Suspicious New-PSDrive to Admin Share" }, @@ -3264,7 +3368,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1136.002" + "T1136.002", + "T1136" ], "title": "Manipulation of User Computer or Group Security Principals Across AD" }, @@ -3303,7 +3408,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell PSAttack" }, @@ -3324,7 +3430,8 @@ "tags": [ "TA0003", "TA0004", - "T1546.013" + "T1546.013", + "T1546" ], "title": "Potential Persistence Via PowerShell User Profile Using Add-Content" }, @@ -3363,7 +3470,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.004" + "T1562.004", + "T1562" ], "title": "Windows Firewall Profile Disabled" }, @@ -3383,7 +3491,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" }, @@ -3426,7 +3535,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" }, @@ -3448,7 +3558,8 @@ "TA0003", "TA0005", "TA0004", - "T1574.011" + "T1574.011", + "T1574" ], "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" }, @@ -3488,7 +3599,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1027.009" + "T1027.009", + "T1027" ], "title": "Powershell Token Obfuscation - Powershell" }, @@ -3508,7 +3620,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Powershell MsXml COM Object" }, @@ -3528,7 +3641,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "Suspicious Get Information for SMB Share" }, 
@@ -3548,7 +3662,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, @@ -3568,7 +3683,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Change PowerShell Policies to an Insecure Level - PowerShell" }, @@ -3592,7 +3708,8 @@ "TA0006", "T1018", "T1558", - "T1589.002" + "T1589.002", + "T1589" ], "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock" }, @@ -3612,7 +3729,8 @@ "subcategory_guids": [], "tags": [ "TA0008", - "T1021.006" + "T1021.006", + "T1021" ], "title": "Execute Invoke-command on Remote Host" }, @@ -3633,7 +3751,8 @@ "tags": [ "TA0007", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerShell ADRecon Execution" }, @@ -3653,7 +3772,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "PowerView PowerShell Cmdlets - ScriptBlock" }, @@ -3673,7 +3793,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1547.004" + "T1547.004", + "T1547" ], "title": "Winlogon Helper DLL" }, @@ -3695,7 +3816,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" }, @@ -3715,7 +3837,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1564.003" + "T1564.003", + "T1564" ], "title": "Suspicious PowerShell WindowStyle Option" }, @@ -3735,7 +3858,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Import PowerShell Modules From Suspicious Directories" }, @@ -3775,7 +3899,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1518.001" + "T1518.001", + "T1518" ], "title": "Security Software Discovery Via Powershell Script" }, @@ -3797,7 +3922,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, 
@@ -3839,7 +3965,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, @@ -3859,7 +3986,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, @@ -3881,7 +4009,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, @@ -3924,7 +4053,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, @@ -3944,7 +4074,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.003" + "T1003.003", + "T1003" ], "title": "Suspicious Get-ADDBAccount Usage" }, @@ -3964,7 +4095,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Alternate PowerShell Hosts - PowerShell Module" }, @@ -3984,7 +4116,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, @@ -4004,7 +4137,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "Suspicious Get Local Groups Information" }, @@ -4066,7 +4200,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, @@ -4108,7 +4243,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, @@ -4148,7 +4284,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, 
@@ -4168,7 +4305,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious PowerShell Scripts - PoshModule" }, @@ -4190,7 +4328,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, @@ -4212,7 +4351,9 @@ "TA0002", "T1059.001", "TA0008", - "T1021.006" + "T1021.006", + "T1021", + "T1059" ], "title": "Remote PowerShell Session (PS Module)" }, @@ -4234,7 +4375,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, @@ -4256,7 +4398,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, @@ -4276,7 +4419,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Download - PoshModule" }, @@ -4304,7 +4448,8 @@ "T1069.001", "T1069.002", "T1069", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Malicious PowerShell Commandlets - PoshModule" }, @@ -4326,7 +4471,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, @@ -4346,7 +4492,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.003" + "T1070.003", + "T1070" ], "title": "Clear PowerShell History - PowerShell Module" }, @@ -4366,7 +4513,8 @@ "subcategory_guids": [], "tags": [ "TA0007", - "T1069.001" + "T1069.001", + "T1069" ], "title": "Suspicious Get Information for SMB Share - PowerShell Module" }, @@ -4406,7 +4554,8 @@ "subcategory_guids": [], "tags": [ "TA0009", - "T1074.001" + "T1074.001", + "T1074" ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, 
@@ -4428,7 +4577,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" }, @@ -4467,7 +4617,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Bad Opsec Powershell Code Artifacts" }, @@ -4535,7 +4686,8 @@ "attack.s0075", "T1012", "T1112", - "T1552.002" + "T1552.002", + "T1552" ], "title": "Remote Registry Management Using Reg Utility" }, @@ -4610,7 +4762,8 @@ "tags": [ "TA0008", "T1550.002", - "car.2016-04-004" + "car.2016-04-004", + "T1550" ], "title": "Potential Pass the Hash Activity" }, @@ -4680,7 +4833,9 @@ "T1059.003", "T1059.005", "T1059.006", - "T1059.007" + "T1059.007", + "T1204", + "T1059" ], "title": "File Was Not Allowed To Run" }, @@ -4700,7 +4855,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1574.001" + "T1574.001", + "T1574" ], "title": "Microsoft Defender Blocked from Loading Unsigned DLL" }, @@ -4720,7 +4876,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1574.001" + "T1574.001", + "T1574" ], "title": "Unsigned Binary Loaded From Suspicious Location" }, @@ -4742,7 +4899,8 @@ "tags": [ "TA0003", "TA0004", - "T1546.011" + "T1546.011", + "T1546" ], "title": "Potential Shim Database Persistence via Sdbinst.EXE" }, @@ -4795,7 +4953,9 @@ "T1548.002", "T1552.001", "T1555", - "T1555.003" + "T1555.003", + "T1552", + "T1548" ], "title": "HackTool - WinPwn Execution" }, @@ -4820,7 +4980,9 @@ "TA0002", "T1615", "T1569.002", - "T1574.005" + "T1574.005", + "T1569", + "T1574" ], "title": "HackTool - SharpUp PrivEsc Tool Execution" }, @@ -4841,7 +5003,8 @@ ], "tags": [ "TA0005", - "T1564.004" + "T1564.004", + "T1564" ], "title": "Potential Rundll32 Execution With DLL Stored In ADS" }, @@ -4926,7 +5089,8 @@ ], "tags": [ "TA0003", - "T1136.001" + "T1136.001", + "T1136" ], "title": "New User Created Via Net.EXE" }, 
@@ -4947,7 +5111,8 @@ ], "tags": [ "TA0005", - "T1562.004" + "T1562.004", + "T1562" ], "title": "Firewall Rule Deleted Via Netsh.EXE" }, @@ -4968,7 +5133,8 @@ ], "tags": [ "TA0006", - "T1003.001" + "T1003.001", + "T1003" ], "title": "HackTool - CreateMiniDump Execution" }, @@ -4991,7 +5157,8 @@ "TA0002", "T1059.003", "T1059.005", - "T1059.007" + "T1059.007", + "T1059" ], "title": "HackTool - Koadic Execution" }, @@ -5057,7 +5224,8 @@ "TA0005", "T1218.002", "TA0003", - "T1546" + "T1546", + "T1218" ], "title": "Control Panel Items" }, @@ -5083,7 +5251,8 @@ "TA0004", "TA0008", "T1021.002", - "T1078" + "T1078", + "T1021" ], "title": "Password Provided In Command Line Of Net.EXE" }, @@ -5169,7 +5338,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "PUA - CleanWipe Execution" }, @@ -5214,7 +5384,8 @@ "TA0008", "T1572", "T1021.001", - "T1021.004" + "T1021.004", + "T1021" ], "title": "Port Forwarding Activity Via SSH.EXE" }, @@ -5237,7 +5408,8 @@ "TA0005", "T1036", "T1003.001", - "TA0006" + "TA0006", + "T1003" ], "title": "HackTool - XORDump Execution" }, @@ -5347,7 +5519,10 @@ "T1027.010", "T1218.007", "TA0002", - "T1059.001" + "T1059.001", + "T1059", + "T1218", + "T1027" ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" }, @@ -5368,7 +5543,8 @@ ], "tags": [ "TA0005", - "T1564.002" + "T1564.002", + "T1564" ], "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" }, @@ -5455,7 +5631,8 @@ ], "tags": [ "T1037.001", - "TA0003" + "TA0003", + "T1037" ], "title": "Uncommon Userinit Child Process" }, @@ -5520,7 +5697,8 @@ ], "tags": [ "TA0002", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" }, @@ -5563,7 +5741,8 @@ ], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, 
@@ -5585,7 +5764,8 @@ "tags": [ "TA0005", "TA0004", - "T1548.002" + "T1548.002", + "T1548" ], "title": "UAC Bypass Using Windows Media Player - Process" }, @@ -5626,7 +5806,8 @@ ], "tags": [ "TA0005", - "T1218.011" + "T1218.011", + "T1218" ], "title": "Potentially Suspicious Rundll32 Activity" }, @@ -5647,7 +5828,8 @@ ], "tags": [ "TA0005", - "T1218.008" + "T1218.008", + "T1218" ], "title": "New DLL Registered Via Odbcconf.EXE" }, @@ -5713,7 +5895,8 @@ "TA0005", "T1036", "T1003.001", - "TA0006" + "TA0006", + "T1003" ], "title": "Procdump Execution" }, @@ -5777,7 +5960,8 @@ "tags": [ "TA0002", "T1569.002", - "attack.s0029" + "attack.s0029", + "T1569" ], "title": "PUA - NSudo Execution" }, @@ -5799,7 +5983,8 @@ "tags": [ "TA0005", "TA0004", - "T1548.002" + "T1548.002", + "T1548" ], "title": "UAC Bypass WSReset" }, @@ -5841,7 +6026,8 @@ ], "tags": [ "TA0005", - "T1218.011" + "T1218.011", + "T1218" ], "title": "Suspicious Rundll32 Execution With Image Extension" }, @@ -5951,7 +6137,8 @@ "tags": [ "TA0005", "TA0004", - "T1134.002" + "T1134.002", + "T1134" ], "title": "PUA - AdvancedRun Suspicious Execution" }, @@ -5976,7 +6163,9 @@ "T1218.005", "TA0002", "T1059.007", - "cve.2020-1599" + "cve.2020-1599", + "T1218", + "T1059" ], "title": "MSHTA Execution with Suspicious File Extensions" }, @@ -6000,7 +6189,8 @@ "T1003.002", "T1003.004", "T1003.005", - "car.2013-07-001" + "car.2013-07-001", + "T1003" ], "title": "Dumping of Sensitive Hives Via Reg.EXE" }, @@ -6063,7 +6253,8 @@ ], "tags": [ "TA0005", - "T1218.008" + "T1218.008", + "T1218" ], "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" }, @@ -6084,7 +6275,8 @@ ], "tags": [ "TA0005", - "T1218.010" + "T1218.010", + "T1218" ], "title": "Potentially Suspicious Child Process Of Regsvr32" }, @@ -6127,7 +6319,8 @@ "tags": [ "TA0005", "T1562.004", - "attack.s0108" + "attack.s0108", + "T1562" ], "title": "Firewall Disabled via Netsh.EXE" }, 
@@ -6214,7 +6407,8 @@ "TA0009", "T1119", "TA0006", - "T1552.001" + "T1552.001", + "T1552" ], "title": "Automated Collection Command Prompt" }, @@ -6238,7 +6432,8 @@ "TA0003", "T1197", "attack.s0190", - "T1036.003" + "T1036.003", + "T1036" ], "title": "File Download Via Bitsadmin" }, @@ -6303,7 +6498,9 @@ "TA0008", "T1563.002", "T1021.001", - "car.2013-07-002" + "car.2013-07-002", + "T1021", + "T1563" ], "title": "Suspicious RDP Redirect Using TSCON" }, @@ -6346,7 +6543,8 @@ ], "tags": [ "TA0005", - "T1222.001" + "T1222.001", + "T1222" ], "title": "Suspicious Recursive Takeown" }, @@ -6370,7 +6568,8 @@ "T1218.005", "car.2013-02-003", "car.2013-03-001", - "car.2014-04-003" + "car.2014-04-003", + "T1218" ], "title": "Suspicious MSHTA Child Process" }, @@ -6391,7 +6590,8 @@ ], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "Windows Admin Share Mount Via Net.EXE" }, @@ -6476,7 +6676,8 @@ "T1539", "T1555.003", "TA0009", - "T1005" + "T1005", + "T1555" ], "title": "SQLite Chromium Profile Data DB Access" }, @@ -6501,7 +6702,8 @@ "TA0005", "T1218", "TA0011", - "T1105" + "T1105", + "T1053" ], "title": "Scheduled Task Creation with Curl and PowerShell Execution Combo" }, @@ -6524,7 +6726,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Stdin" }, @@ -6567,7 +6770,8 @@ "tags": [ "TA0006", "T1003.002", - "T1003.003" + "T1003.003", + "T1003" ], "title": "VolumeShadowCopy Symlink Creation Via Mklink" }, @@ -6611,7 +6815,8 @@ "tags": [ "TA0002", "TA0003", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Suspicious Scheduled Task Creation Involving Temp Folder" }, @@ -6633,7 +6838,8 @@ "tags": [ "TA0005", "T1036.003", - "T1036.005" + "T1036.005", + "T1036" ], "title": "Windows Processes Suspicious Parent Directory" }, @@ -6655,7 +6861,8 @@ "tags": [ "TA0005", "T1562.004", - "attack.s0246" + "attack.s0246", + "T1562" ], "title": "New Firewall Rule Added Via Netsh.EXE" }, 
@@ -6717,7 +6924,8 @@ ], "tags": [ "TA0005", - "T1218.009" + "T1218.009", + "T1218" ], "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" }, @@ -6759,7 +6967,8 @@ ], "tags": [ "TA0002", - "T1204.004" + "T1204.004", + "T1204" ], "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse" }, @@ -6844,7 +7053,8 @@ "TA0004", "TA0005", "T1134.001", - "T1134.003" + "T1134.003", + "T1134" ], "title": "HackTool - SharpImpersonation Execution" }, @@ -6866,7 +7076,8 @@ "tags": [ "TA0002", "T1059.003", - "stp.1u" + "stp.1u", + "T1059" ], "title": "Operator Bloopers Cobalt Strike Commands" }, @@ -6887,7 +7098,8 @@ ], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" }, @@ -6908,7 +7120,8 @@ ], "tags": [ "TA0009", - "T1560.001" + "T1560.001", + "T1560" ], "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, @@ -6996,7 +7209,8 @@ "TA0005", "T1562.002", "T1112", - "car.2022-03-001" + "car.2022-03-001", + "T1562" ], "title": "Security Event Logging Disabled via MiniNt Registry Key - Process" }, @@ -7041,7 +7255,8 @@ "T1220", "TA0002", "T1059.005", - "T1059.007" + "T1059.007", + "T1059" ], "title": "Potential SquiblyTwo Technique Execution" }, @@ -7087,7 +7302,9 @@ "T1087.002", "T1482", "T1069.002", - "stp.1u" + "stp.1u", + "T1087", + "T1069" ], "title": "PUA - AdFind Suspicious Execution" }, @@ -7130,7 +7347,8 @@ "tags": [ "TA0002", "T1047", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" }, @@ -7172,7 +7390,8 @@ ], "tags": [ "TA0004", - "T1548.002" + "T1548.002", + "T1548" ], "title": "Bypass UAC via Fodhelper.exe" }, @@ -7195,7 +7414,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation" }, 
@@ -7217,7 +7437,8 @@
 "tags": [
 "TA0005",
 "T1574.001",
- "T1112"
+ "T1112",
+ "T1574"
 ],
 "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
 },
@@ -7240,7 +7461,9 @@
 "TA0002",
 "TA0003",
 "T1053.005",
- "T1059.001"
+ "T1059.001",
+ "T1053",
+ "T1059"
 ],
 "title": "Scheduled Task Executing Encoded Payload from Registry"
 },
@@ -7282,7 +7505,8 @@
 ],
 "tags": [
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "HackTool - RemoteKrbRelay Execution"
 },
@@ -7326,7 +7550,8 @@
 "TA0002",
 "TA0005",
 "T1059",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "HackTool - Stracciatella Execution"
 },
@@ -7410,7 +7635,8 @@
 ],
 "tags": [
 "TA0011",
- "T1132.001"
+ "T1132.001",
+ "T1132"
 ],
 "title": "Gzip Archive Decode Via PowerShell"
 },
@@ -7472,7 +7698,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Suspicious Mstsc.EXE Execution With Local RDP File"
 },
@@ -7493,7 +7720,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.002"
+ "T1003.002",
+ "T1003"
 ],
 "title": "HackTool - Pypykatz Credentials Dumping Activity"
 },
@@ -7556,7 +7784,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Python Function Execution Security Warning Disabled In Excel"
 },
@@ -7601,7 +7830,9 @@
 "T1053.005",
 "TA0005",
 "T1036.004",
- "T1036.005"
+ "T1036.005",
+ "T1036",
+ "T1053"
 ],
 "title": "Scheduled Task Creation Masquerading as System Processes"
 },
@@ -7642,7 +7873,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - AnyDesk Execution"
 },
@@ -7684,7 +7916,8 @@
 ],
 "tags": [
 "TA0042",
- "T1587.001"
+ "T1587.001",
+ "T1587"
 ],
 "title": "Potential Privilege Escalation To LOCAL SYSTEM"
 },
@@ -7705,7 +7938,8 @@
 ],
 "tags": [
 "TA0003",
- "T1505.003"
+ "T1505.003",
+ "T1505"
 ],
 "title": "Webshell Tool Reconnaissance Activity"
 },
@@ -7795,7 +8029,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Uninstall Sysinternals Sysmon"
 },
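Review bot: Style: each parent technique is appended at the end of the `tags` array instead of next to the sub-technique it generalises, and the order of appended parents varies between hunks — @@ -7240 adds `"T1053"` then `"T1059"`, while @@ -8276 adds `"T1059"` then `"T1053"` for the same two sub-techniques. Emitting each parent immediately after its first `Txxxx.yyy` (or sorting the technique tags) would keep the relation visible to a reader and make future regenerations diff-stable. The arrays themselves start above each hunk.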
@@ -7816,7 +8051,8 @@
 ],
 "tags": [
 "TA0002",
- "T1204.002"
+ "T1204.002",
+ "T1204"
 ],
 "title": "Potential Suspicious Browser Launch From Document Reader Process"
 },
@@ -7837,7 +8073,8 @@
 ],
 "tags": [
 "TA0005",
- "T1553.004"
+ "T1553.004",
+ "T1553"
 ],
 "title": "New Root Certificate Installed Via CertMgr.EXE"
 },
@@ -7858,7 +8095,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.002"
+ "T1552.002",
+ "T1552"
 ],
 "title": "Enumeration for Credentials in Registry"
 },
@@ -7880,7 +8118,8 @@
 "tags": [
 "TA0002",
 "T1569.002",
- "attack.s0029"
+ "attack.s0029",
+ "T1569"
 ],
 "title": "PUA - NirCmd Execution As LOCAL SYSTEM"
 },
@@ -7903,7 +8142,8 @@
 "TA0002",
 "TA0003",
 "TA0004",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Uncommon One Time Only Scheduled Task At 00:00"
 },
@@ -7924,7 +8164,8 @@
 ],
 "tags": [
 "TA0005",
- "T1553.004"
+ "T1553.004",
+ "T1553"
 ],
 "title": "Suspicious X509Enrollment - Process Creation"
 },
@@ -7947,7 +8188,8 @@
 "TA0005",
 "TA0002",
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Potential Adplus.EXE Abuse"
 },
@@ -7968,7 +8210,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.001"
+ "T1090.001",
+ "T1090"
 ],
 "title": "PUA - Chisel Tunneling Tool Execution"
 },
@@ -8012,7 +8255,8 @@
 "TA0002",
 "T1204.002",
 "attack.g0046",
- "car.2013-05-002"
+ "car.2013-05-002",
+ "T1204"
 ],
 "title": "Suspicious Binary In User Directory Spawned From Office Application"
 },
@@ -8036,7 +8280,8 @@
 "TA0003",
 "T1197",
 "attack.s0190",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Suspicious Download From File-Sharing Website Via Bitsadmin"
 },
@@ -8077,7 +8322,8 @@
 ],
 "tags": [
 "TA0006",
- "T1555.003"
+ "T1555.003",
+ "T1555"
 ],
 "title": "Potential Browser Data Stealing"
 },
@@ -8098,7 +8344,8 @@
 ],
 "tags": [
 "TA0002",
- "T1569.002"
+ "T1569.002",
+ "T1569"
 ],
 "title": "Start Windows Service Via Net.EXE"
 },
@@ -8122,7 +8369,8 @@
 "TA0005",
 "TA0004",
 "T1203",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Potentially Suspicious Child Process of KeyScrambler.exe"
 },
@@ -8164,7 +8412,8 @@
 ],
 "tags": [
 "TA0003",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"
 },
@@ -8186,7 +8435,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.011"
+ "T1546.011",
+ "T1546"
 ],
 "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE"
 },
@@ -8230,7 +8480,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disabled IE Security Features"
 },
@@ -8253,7 +8504,8 @@
 "TA0005",
 "TA0006",
 "T1218",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Time Travel Debugging Utility Usage"
 },
@@ -8276,7 +8528,9 @@
 "TA0002",
 "TA0003",
 "T1053.005",
- "T1059.001"
+ "T1059.001",
+ "T1059",
+ "T1053"
 ],
 "title": "Suspicious Schtasks Execution AppData Folder"
 },
@@ -8339,7 +8593,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.001"
+ "T1090.001",
+ "T1090"
 ],
 "title": "Renamed Cloudflared.EXE Execution"
 },
@@ -8360,7 +8615,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern"
 },
@@ -8403,7 +8659,8 @@
 ],
 "tags": [
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Always Install Elevated MSI Spawned Cmd And Powershell"
 },
@@ -8554,7 +8811,8 @@
 "tags": [
 "TA0010",
 "TA0007",
- "T1087.002"
+ "T1087.002",
+ "T1087"
 ],
 "title": "Active Directory Structure Export Via Csvde.EXE"
 },
@@ -8575,7 +8833,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Suspicious TSCON Start as SYSTEM"
 },
@@ -8596,7 +8855,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "HackTool - SafetyKatz Execution"
 },
@@ -8618,7 +8878,8 @@
 "tags": [
 "TA0011",
 "T1071.001",
- "T1219"
+ "T1219",
+ "T1071"
 ],
 "title": "Renamed Visual Studio Code Tunnel Execution"
 },
@@ -8639,7 +8900,8 @@
 ],
 "tags": [
 "TA0009",
- "T1074.001"
+ "T1074.001",
+ "T1074"
 ],
 "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet"
 },
@@ -8680,7 +8942,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Raccine Uninstall"
 },
@@ -8722,7 +8985,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Security Service Disabled Via Reg.EXE"
 },
@@ -8744,7 +9008,8 @@
 "tags": [
 "TA0011",
 "T1105",
- "T1564.003"
+ "T1564.003",
+ "T1564"
 ],
 "title": "Browser Execution In Headless Mode"
 },
@@ -8765,7 +9030,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Download and Execute Pattern"
 },
@@ -8786,7 +9052,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Regsvr32 Execution From Highly Suspicious Location"
 },
@@ -8807,7 +9074,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "Hiding Files with Attrib.exe"
 },
@@ -8828,7 +9096,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Use NTFS Short Name in Image"
 },
@@ -8849,7 +9118,8 @@
 ],
 "tags": [
 "TA0007",
- "T1518.001"
+ "T1518.001",
+ "T1518"
 ],
 "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE"
 },
@@ -8998,7 +9268,8 @@
 ],
 "tags": [
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Explorer NOUACCHECK Flag"
 },
@@ -9042,7 +9313,8 @@
 ],
 "tags": [
 "TA0003",
- "T1505.003"
+ "T1505.003",
+ "T1505"
 ],
 "title": "IIS Native-Code Module Command Line Installation"
 },
@@ -9064,7 +9336,8 @@
 "tags": [
 "TA0011",
 "T1071.001",
- "T1219"
+ "T1219",
+ "T1071"
 ],
 "title": "Visual Studio Code Tunnel Execution"
 },
@@ -9110,7 +9383,9 @@
 "T1218",
 "T1564.004",
 "T1552.001",
- "T1105"
+ "T1105",
+ "T1564",
+ "T1552"
 ],
 "title": "Remote File Download Via Findstr.EXE"
 },
@@ -9131,7 +9406,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI"
 },
@@ -9156,7 +9432,8 @@
 "T1053",
 "T1059.003",
 "T1059.001",
- "attack.s0106"
+ "attack.s0106",
+ "T1059"
 ],
 "title": "HackTool - CrackMapExec Execution Patterns"
 },
@@ -9177,7 +9454,8 @@
 ],
 "tags": [
 "TA0005",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Potential DLL Sideloading Via DeviceEnroller.EXE"
 },
@@ -9198,7 +9476,8 @@
 ],
 "tags": [
 "TA0010",
- "T1048.003"
+ "T1048.003",
+ "T1048"
 ],
 "title": "WebDav Client Execution Via Rundll32.EXE"
 },
@@ -9248,7 +9527,8 @@
 "T1069.001",
 "T1069.002",
 "T1069",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Malicious PowerShell Commandlets - ProcessCreation"
 },
@@ -9381,7 +9661,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "Potential Execution of Sysinternals Tools"
 },
@@ -9406,7 +9687,8 @@
 "T1069.002",
 "T1482",
 "T1135",
- "T1033"
+ "T1033",
+ "T1069"
 ],
 "title": "HackTool - SharpView Execution"
 },
@@ -9448,7 +9730,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "QuickAssist Execution"
 },
@@ -9491,7 +9774,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Regsvr32 Execution From Potential Suspicious Location"
 },
@@ -9556,7 +9840,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Base64 Encoded IEX Cmdlet"
 },
@@ -9598,7 +9883,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Operator Bloopers Cobalt Strike Modules"
 },
@@ -9619,7 +9905,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "HackTool - CrackMapExec Process Patterns"
 },
@@ -9640,7 +9927,8 @@
 ],
 "tags": [
 "TA0003",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Changing Existing Service ImagePath Value Via Reg.EXE"
 },
@@ -9661,7 +9949,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.001"
+ "T1218.001",
+ "T1218"
 ],
 "title": "HH.EXE Execution"
 },
@@ -9682,7 +9971,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.002"
+ "T1003.002",
+ "T1003"
 ],
 "title": "PowerShell SAM Copy"
 },
@@ -9725,7 +10015,9 @@
 "TA0007",
 "T1087.002",
 "T1069.002",
- "T1482"
+ "T1482",
+ "T1069",
+ "T1087"
 ],
 "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
 },
@@ -9768,7 +10060,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential Data Exfiltration Activity Via CommandLine Tools"
 },
@@ -9791,7 +10084,8 @@
 "TA0005",
 "TA0002",
 "T1127",
- "T1059.007"
+ "T1059.007",
+ "T1059"
 ],
 "title": "Node Process Executions"
 },
@@ -9834,7 +10128,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious File Execution From Internet Hosted WebDav Share"
 },
@@ -9917,7 +10212,8 @@
 "tags": [
 "TA0006",
 "T1003.001",
- "attack.s0005"
+ "attack.s0005",
+ "T1003"
 ],
 "title": "HackTool - Windows Credential Editor (WCE) Execution"
 },
@@ -9960,7 +10256,8 @@
 "tags": [
 "TA0002",
 "T1059.005",
- "T1059.007"
+ "T1059.007",
+ "T1059"
 ],
 "title": "Potential Dropper Script Execution Via WScript/CScript"
 },
@@ -10022,7 +10319,8 @@
 ],
 "tags": [
 "TA0005",
- "T1553.004"
+ "T1553.004",
+ "T1553"
 ],
 "title": "New Root Certificate Installed Via Certutil.EXE"
 },
@@ -10043,7 +10341,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "RDP Connection Allowed Via Netsh.EXE"
 },
@@ -10064,7 +10363,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Schtasks Schedule Types"
 },
@@ -10128,7 +10428,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.007"
+ "T1218.007",
+ "T1218"
 ],
 "title": "Suspicious Msiexec Quiet Install From Remote Location"
 },
@@ -10150,7 +10451,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using NTFS Reparse Point - Process"
 },
@@ -10171,7 +10473,8 @@
 ],
 "tags": [
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Always Install Elevated Windows Installer"
 },
@@ -10213,7 +10516,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
 },
@@ -10235,7 +10539,8 @@
 "tags": [
 "TA0002",
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Service StartupType Change Via PowerShell Set-Service"
 },
@@ -10278,7 +10583,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using MSConfig Token Modification - Process"
 },
@@ -10302,7 +10608,8 @@
 "T1059.001",
 "TA0005",
 "T1027",
- "T1620"
+ "T1620",
+ "T1059"
 ],
 "title": "PowerShell Base64 Encoded Reflective Assembly Load"
 },
@@ -10335,7 +10642,8 @@
 "T1218.010",
 "T1218.011",
 "T1566",
- "T1566.001"
+ "T1566.001",
+ "T1059"
 ],
 "title": "Suspicious HH.EXE Execution"
 },
@@ -10379,7 +10687,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation Via Use Clip"
 },
@@ -10401,7 +10710,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using Consent and Comctl32 - Process"
 },
@@ -10445,7 +10755,9 @@
 "TA0004",
 "TA0005",
 "T1548.002",
- "T1218.003"
+ "T1218.003",
+ "T1548",
+ "T1218"
 ],
 "title": "Bypass UAC via CMSTP"
 },
@@ -10592,7 +10904,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.004"
+ "T1552.004",
+ "T1552"
 ],
 "title": "PowerShell Get-Process LSASS"
 },
@@ -10635,7 +10948,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.005"
+ "T1070.005",
+ "T1070"
 ],
 "title": "Unmount Share Via Net.EXE"
 },
@@ -10659,7 +10973,9 @@
 "T1047",
 "T1218.010",
 "TA0002",
- "TA0005"
+ "TA0005",
+ "T1204",
+ "T1218"
 ],
 "title": "Suspicious WMIC Execution Via Office Process"
 },
@@ -10689,7 +11005,8 @@
 "T1059.003",
 "T1059.001",
 "T1110",
- "T1201"
+ "T1201",
+ "T1059"
 ],
 "title": "HackTool - CrackMapExec Execution"
 },
@@ -10752,7 +11069,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious Encoded PowerShell Command Line"
 },
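Review bot: The hunk at @@ -10335 ("Suspicious HH.EXE Execution") adds `"T1059"` but not `"T1218"`, although `T1218.010` and `T1218.011` are both visible in the array; elsewhere in this commit every visible sub-technique receives its parent (@@ -10445 on this line adds both `T1548` and `T1218`). Unless `T1218` already appears in the part of the array above the hunk, add `+ "T1218"` here as well. The tags array begins outside the hunk.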
@@ -10774,7 +11092,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "HackTool - UACMe Akagi Execution"
 },
@@ -10796,7 +11115,8 @@
 "tags": [
 "TA0004",
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "Rundll32 Registered COM Objects"
 },
@@ -10819,7 +11139,8 @@
 "TA0005",
 "TA0003",
 "TA0002",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Tasks Folder Evasion"
 },
@@ -10843,7 +11164,10 @@
 "T1048.001",
 "TA0011",
 "T1071.004",
- "T1132.001"
+ "T1132.001",
+ "T1132",
+ "T1071",
+ "T1048"
 ],
 "title": "DNS Exfiltration and Tunneling Tools Execution"
 },
@@ -10864,7 +11188,8 @@
 ],
 "tags": [
 "TA0005",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "DLL Sideloading by VMware Xfer Utility"
 },
@@ -10886,7 +11211,8 @@
 "tags": [
 "TA0003",
 "TA0005",
- "T1542.001"
+ "T1542.001",
+ "T1542"
 ],
 "title": "UEFI Persistence Via Wpbbin - ProcessCreation"
 },
@@ -10907,7 +11233,8 @@
 ],
 "tags": [
 "TA0006",
- "T1555.004"
+ "T1555.004",
+ "T1555"
 ],
 "title": "Suspicious Key Manager Access"
 },
@@ -10928,7 +11255,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "Use Icacls to Hide File to Everyone"
 },
@@ -10973,7 +11301,8 @@
 "TA0005",
 "TA0006",
 "T1036",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Suspicious DumpMinitool Execution"
 },
@@ -11014,7 +11343,8 @@
 ],
 "tags": [
 "TA0007",
- "T1069.001"
+ "T1069.001",
+ "T1069"
 ],
 "title": "Local Groups Reconnaissance Via Wmic.EXE"
 },
@@ -11036,7 +11366,8 @@
 "tags": [
 "TA0005",
 "T1112",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Reg Add Suspicious Paths"
 },
@@ -11079,7 +11410,8 @@
 "tags": [
 "TA0002",
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Service StartupType Change Via Sc.EXE"
 },
@@ -11100,7 +11432,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.007"
+ "T1218.007",
+ "T1218"
 ],
 "title": "DllUnregisterServer Function Call Via Msiexec.EXE"
 },
@@ -11171,7 +11504,9 @@
 "attack.g0060",
 "car.2013-08-001",
 "T1053.005",
- "T1059.001"
+ "T1059.001",
+ "T1053",
+ "T1059"
 ],
 "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
 },
@@ -11234,7 +11569,8 @@
 ],
 "tags": [
 "TA0006",
- "T1110.002"
+ "T1110.002",
+ "T1110"
 ],
 "title": "HackTool - Hashcat Password Cracker Execution"
 },
@@ -11255,7 +11591,8 @@
 ],
 "tags": [
 "TA0005",
- "T1027.004"
+ "T1027.004",
+ "T1027"
 ],
 "title": "Dynamic .NET Compilation Via Csc.EXE"
 },
@@ -11301,7 +11638,8 @@
 "T1505.003",
 "T1018",
 "T1033",
- "T1087"
+ "T1087",
+ "T1505"
 ],
 "title": "Webshell Detection With Command Line Keywords"
 },
@@ -11346,7 +11684,8 @@
 "TA0002",
 "T1059.001",
 "TA0009",
- "T1114"
+ "T1114",
+ "T1059"
 ],
 "title": "Exchange PowerShell Snap-Ins Usage"
 },
@@ -11370,7 +11709,9 @@
 "TA0005",
 "T1047",
 "T1204.002",
- "T1218.010"
+ "T1218.010",
+ "T1204",
+ "T1218"
 ],
 "title": "Suspicious WmiPrvSE Child Process"
 },
@@ -11413,7 +11754,8 @@
 ],
 "tags": [
 "TA0011",
- "T1132.001"
+ "T1132.001",
+ "T1132"
 ],
 "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
 },
@@ -11436,7 +11778,9 @@
 "TA0005",
 "TA0002",
 "T1059.001",
- "T1562.001"
+ "T1562.001",
+ "T1562",
+ "T1059"
 ],
 "title": "Obfuscated PowerShell OneLiner Execution"
 },
@@ -11478,7 +11822,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.001"
+ "T1552.001",
+ "T1552"
 ],
 "title": "Potential PowerShell Console History Access Attempt via History File"
 },
@@ -11520,7 +11865,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.002"
+ "T1552.002",
+ "T1552"
 ],
 "title": "Registry Export of Third-Party Credentials"
 },
@@ -11541,7 +11887,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "WMI Backdoor Exchange Transport Agent"
 },
@@ -11712,7 +12059,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Response File Execution Via Odbcconf.EXE"
 },
@@ -11733,7 +12081,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Files Added To An Archive Using Rar.EXE"
 },
@@ -11754,7 +12103,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Tamper Windows Defender Remove-MpPreference"
 },
@@ -11821,7 +12171,9 @@
 "TA0002",
 "TA0005",
 "T1059.001",
- "T1564.003"
+ "T1564.003",
+ "T1059",
+ "T1564"
 ],
 "title": "HackTool - Covenant PowerShell Launcher"
 },
@@ -11864,7 +12216,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Encoded Command Patterns"
 },
@@ -11909,7 +12262,8 @@
 "T1505.003",
 "T1018",
 "T1033",
- "T1087"
+ "T1087",
+ "T1505"
 ],
 "title": "Chopper Webshell Process Pattern"
 },
@@ -11953,7 +12307,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
 },
@@ -11974,7 +12329,8 @@
 ],
 "tags": [
 "TA0001",
- "T1566.001"
+ "T1566.001",
+ "T1566"
 ],
 "title": "Suspicious Double Extension File Execution"
 },
@@ -12245,7 +12601,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "File Deletion Via Del"
 },
@@ -12288,7 +12645,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.008"
+ "T1546.008",
+ "T1546"
 ],
 "title": "Suspicious Debugger Registration Cmdline"
 },
@@ -12309,7 +12667,8 @@
 ],
 "tags": [
 "TA0003",
- "T1505.002"
+ "T1505.002",
+ "T1505"
 ],
 "title": "MSExchange Transport Agent Installation"
 },
@@ -12350,7 +12709,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - Simple Help Execution"
 },
@@ -12371,7 +12731,8 @@
 ],
 "tags": [
 "TA0006",
- "T1556.002"
+ "T1556.002",
+ "T1556"
 ],
 "title": "Dropping Of Password Filter DLL"
 },
@@ -12414,7 +12775,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Suspicious New Service Creation"
 },
@@ -12437,7 +12799,8 @@
 "TA0005",
 "TA0040",
 "T1489",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Windows Service Tampering"
 },
@@ -12521,7 +12884,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Net WebClient Casing Anomalies"
 },
@@ -12542,7 +12906,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell"
 },
@@ -12563,7 +12928,8 @@
 ],
 "tags": [
 "TA0003",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "PowerShell Web Access Feature Enabled Via DISM"
 },
@@ -12629,7 +12995,8 @@
 ],
 "tags": [
 "TA0005",
- "T1216.001"
+ "T1216.001",
+ "T1216"
 ],
 "title": "Pubprn.vbs Proxy Execution"
 },
@@ -12673,7 +13040,8 @@
 "T1204",
 "T1566.001",
 "TA0002",
- "TA0001"
+ "TA0001",
+ "T1566"
 ],
 "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
 },
@@ -12694,7 +13062,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Disable Windows IIS HTTP Logging"
 },
@@ -12756,7 +13125,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.006"
+ "T1552.006",
+ "T1552"
 ],
 "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE"
 },
@@ -12798,7 +13168,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.005"
+ "T1218.005",
+ "T1218"
 ],
 "title": "Potential LethalHTA Technique Execution"
 },
@@ -12819,7 +13190,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
 },
@@ -12840,7 +13212,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "Suspicious Ping/Del Command Combination"
 },
@@ -12884,7 +13257,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation VAR+ Launcher"
 },
@@ -12908,7 +13282,9 @@
 "T1018",
 "T1087.002",
 "T1482",
- "T1069.002"
+ "T1069.002",
+ "T1087",
+ "T1069"
 ],
 "title": "Renamed AdFind Execution"
 },
@@ -12974,7 +13350,8 @@
 "tags": [
 "TA0005",
 "TA0002",
- "T1218.005"
+ "T1218.005",
+ "T1218"
 ],
 "title": "Remotely Hosted HTA File Executed Via Mshta.EXE"
 },
@@ -12997,7 +13374,8 @@
 "TA0002",
 "TA0003",
 "T1547.001",
- "T1047"
+ "T1047",
+ "T1547"
 ],
 "title": "Suspicious Autorun Registry Modified via WMI"
 },
@@ -13060,7 +13438,8 @@
 ],
 "tags": [
 "TA0005",
- "T1027.005"
+ "T1027.005",
+ "T1027"
 ],
 "title": "PUA - DefenderCheck Execution"
 },
@@ -13103,7 +13482,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.005"
+ "T1036.005",
+ "T1036"
 ],
 "title": "Potential MsiExec Masquerading"
 },
@@ -13126,7 +13506,8 @@
 "TA0005",
 "T1036",
 "T1003.001",
- "TA0006"
+ "TA0006",
+ "T1003"
 ],
 "title": "Potential SysInternals ProcDump Evasion"
 },
@@ -13148,7 +13529,8 @@
 "tags": [
 "TA0002",
 "TA0008",
- "T1021.003"
+ "T1021.003",
+ "T1021"
 ],
 "title": "MMC20 Lateral Movement"
 },
@@ -13172,7 +13554,9 @@
 "T1021.002",
 "T1570",
 "TA0002",
- "T1569.002"
+ "T1569.002",
+ "T1569",
+ "T1021"
 ],
 "title": "Rundll32 Execution Without Parameters"
 },
@@ -13215,7 +13599,9 @@
 "TA0042",
 "T1587.001",
 "TA0002",
- "T1569.002"
+ "T1569.002",
+ "T1587",
+ "T1569"
 ],
 "title": "PUA - CsExec Execution"
 },
@@ -13236,7 +13622,8 @@
 ],
 "tags": [
 "TA0005",
- "T1553.004"
+ "T1553.004",
+ "T1553"
 ],
 "title": "Root Certificate Installed From Susp Locations"
 },
@@ -13280,7 +13667,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1127"
+ "T1127",
+ "T1059"
 ],
 "title": "SQL Client Tools PowerShell Session Detection"
 },
@@ -13301,7 +13689,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.001"
+ "T1090.001",
+ "T1090"
 ],
 "title": "Cloudflared Portable Execution"
 },
@@ -13469,7 +13858,8 @@
 ],
 "tags": [
 "TA0003",
- "T1176.001"
+ "T1176.001",
+ "T1176"
 ],
 "title": "Chromium Browser Instance Executed With Custom Extension"
 },
@@ -13554,7 +13944,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Schtasks Schedule Type With High Privileges"
 },
@@ -13575,7 +13966,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Mstsc.EXE Execution With Local RDP File"
 },
@@ -13596,7 +13988,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable Windows Defender AV Security Monitoring"
 },
@@ -13679,7 +14072,8 @@
 ],
 "tags": [
 "T1218.011",
- "TA0005"
+ "TA0005",
+ "T1218"
 ],
 "title": "Rundll32 InstallScreenSaver Execution"
 },
@@ -13724,7 +14118,8 @@
 "T1505.003",
 "T1018",
 "T1033",
- "T1087"
+ "T1087",
+ "T1505"
 ],
 "title": "Webshell Hacking Activity Patterns"
 },
@@ -13767,7 +14162,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Direct Autorun Keys Modification"
 },
@@ -13788,7 +14184,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "HackTool - SharpEvtMute Execution"
 },
@@ -13852,7 +14249,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Dumping Process via Sqldumper.exe"
 },
@@ -13897,7 +14295,8 @@
 "TA0005",
 "TA0004",
 "T1548.002",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1548"
 ],
 "title": "Potentially Suspicious Event Viewer Child Process"
 },
@@ -13940,7 +14339,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "SafeBoot Registry Key Deleted Via Reg.EXE"
 },
@@ -13961,7 +14361,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Suspicious Control Panel DLL Load"
 },
@@ -13982,7 +14383,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.007"
+ "T1036.007",
+ "T1036"
 ],
 "title": "Suspicious Parent Double Extension File Execution"
 },
@@ -14024,7 +14426,8 @@
 ],
 "tags": [
 "TA0007",
- "T1087.002"
+ "T1087.002",
+ "T1087"
 ],
 "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"
 },
@@ -14087,7 +14490,8 @@
 ],
 "tags": [
 "TA0006",
- "T1557.001"
+ "T1557.001",
+ "T1557"
 ],
 "title": "HackTool - ADCSPwn Execution"
 },
@@ -14149,7 +14553,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Audit Policy Tampering Via Auditpol"
 },
@@ -14170,7 +14575,8 @@
 ],
 "tags": [
 "TA0005",
- "T1027.009"
+ "T1027.009",
+ "T1027"
 ],
 "title": "Powershell Token Obfuscation - Process Creation"
 },
@@ -14193,7 +14599,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "PowerShell Base64 Encoded WMI Classes"
 },
@@ -14216,7 +14623,8 @@
 "TA0005",
 "T1036",
 "T1003.001",
- "TA0006"
+ "TA0006",
+ "T1003"
 ],
 "title": "Renamed CreateDump Utility Execution"
 },
@@ -14240,7 +14648,8 @@
 "TA0003",
 "TA0004",
 "T1557.001",
- "T1187"
+ "T1187",
+ "T1557"
 ],
 "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing"
 },
@@ -14261,7 +14670,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Suspicious Extrac32 Alternate Data Stream Execution"
 },
@@ -14282,7 +14692,8 @@
 ],
 "tags": [
 "TA0043",
- "T1593.003"
+ "T1593.003",
+ "T1593"
 ],
 "title": "Suspicious Git Clone"
 },
@@ -14303,7 +14714,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
 },
@@ -14345,7 +14757,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Code Execution via Pcwutl.dll"
 },
@@ -14388,7 +14801,8 @@
 "TA0003",
 "TA0002",
 "T1053.005",
- "TA0011"
+ "TA0011",
+ "T1053"
 ],
 "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task"
 },
@@ -14411,7 +14825,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "PowerShell Base64 Encoded Invoke Keyword"
 },
@@ -14433,7 +14848,8 @@
 "tags": [
 "TA0005",
 "T1218",
- "T1027.004"
+ "T1027.004",
+ "T1027"
 ],
 "title": "Potential Application Whitelisting Bypass via Dnx.EXE"
 },
@@ -14454,7 +14870,8 @@
 ],
 "tags": [
 "TA0007",
- "T1069.001"
+ "T1069.001",
+ "T1069"
 ],
 "title": "Permission Check Via Accesschk.EXE"
 },
@@ -14475,7 +14892,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.003"
+ "T1021.003",
+ "T1021"
 ],
 "title": "MMC Spawning Windows Shell"
 },
@@ -14497,7 +14915,8 @@
 "tags": [
 "TA0011",
 "TA0003",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Potential Amazon SSM Agent Hijacking"
 },
@@ -14540,7 +14959,8 @@
 "tags": [
 "TA0001",
 "TA0002",
- "T1204.002"
+ "T1204.002",
+ "T1204"
 ],
 "title": "Suspicious LNK Command-Line Padding with Whitespace Characters"
 },
@@ -14605,7 +15025,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "LSASS Dump Keyword In CommandLine"
 },
@@ -14710,7 +15131,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "LOL-Binary Copied From System Directory"
 },
@@ -14755,7 +15177,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Usage Of Web Request Commands And Cmdlets"
 },
@@ -14776,7 +15199,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Driver/DLL Installation Via Odbcconf.EXE"
 },
@@ -14904,7 +15328,8 @@
 "TA0004",
 "TA0005",
 "T1134.001",
- "T1134.003"
+ "T1134.003",
+ "T1134"
 ],
 "title": "HackTool - SharpDPAPI Execution"
 },
@@ -14925,7 +15350,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "PUA - DIT Snapshot Viewer"
 },
@@ -15032,7 +15458,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Command Patterns In Scheduled Task Creation"
 },
@@ -15055,7 +15482,8 @@
 "TA0002",
 "TA0005",
 "T1059.001",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call"
 },
@@ -15101,7 +15529,8 @@
 "TA0005",
 "T1218",
 "TA0011",
- "T1105"
+ "T1105",
+ "T1059"
 ],
 "title": "PowerShell MSI Install via WindowsInstaller COM From Remote Location"
 },
@@ -15144,7 +15573,8 @@
 ],
 "tags": [
 "TA0005",
- "T1027.010"
+ "T1027.010",
+ "T1027"
 ],
 "title": "Potential Obfuscated Ordinal Call Via Rundll32"
 },
@@ -15168,7 +15598,8 @@
 "TA0005",
 "TA0002",
 "T1140",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Base64 Encoded PowerShell Command Detected"
 },
@@ -15216,7 +15647,9 @@
 "TA0002",
 "T1203",
 "T1059.003",
- "attack.g0032"
+ "attack.g0032",
+ "T1566",
+ "T1059"
 ],
 "title": "Suspicious HWP Sub Processes"
 },
@@ -15258,7 +15691,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
 },
@@ -15364,7 +15798,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.005"
+ "T1003.005",
+ "T1003"
 ],
 "title": "New Generic Credentials Added Via Cmdkey.EXE"
 },
@@ -15409,7 +15844,8 @@
 "T1059.001",
 "TA0011",
 "T1104",
- "T1105"
+ "T1105",
+ "T1059"
 ],
 "title": "PowerShell DownloadFile"
 },
@@ -15451,7 +15887,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "7Zip Compressing Dump Files"
 },
@@ -15473,7 +15910,8 @@
 "tags": [
 "TA0002",
 "T1569.002",
- "attack.s0029"
+ "attack.s0029",
+ "T1569"
 ],
 "title": "PUA - RunXCmd Execution"
 },
@@ -15494,7 +15932,8 @@
 ],
 "tags": [
 "TA0005",
- "T1027.004"
+ "T1027.004",
+ "T1027"
 ],
 "title": "Visual Basic Command Line Compiler Usage"
 },
@@ -15515,7 +15954,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Definition Files Removed"
 },
@@ -15536,7 +15976,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Potential Regsvr32 Commandline Flag Anomaly"
 },
@@ -15558,7 +15999,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "WMI Persistence - Script Event Consumer"
 },
@@ -15601,7 +16043,8 @@
 ],
 "tags": [
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "TrustedPath UAC Bypass Pattern"
 },
@@ -15624,7 +16067,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1216"
+ "T1216",
+ "T1059"
 ],
 "title": "Execute Code with Pester.bat as Parent"
 },
@@ -15648,7 +16092,8 @@
 "TA0005",
 "T1059.005",
 "T1059.001",
- "T1218"
+ "T1218",
+ "T1059"
 ],
 "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs"
 },
@@ -15712,7 +16157,8 @@
 "TA0007",
 "TA0002",
 "T1615",
- "T1059.005"
+ "T1059.005",
+ "T1059"
 ],
 "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS"
 },
@@ -15736,7 +16182,8 @@
 "TA0002",
 "T1218.003",
 "attack.g0069",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1218"
 ],
 "title": "CMSTP Execution Process Creation"
 },
@@ -15757,7 +16204,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.001"
+ "T1090.001",
+ "T1090"
 ],
 "title": "Cloudflared Quick Tunnel Execution"
 },
@@ -15780,7 +16228,9 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1027.005"
+ "T1027.005",
+ "T1059",
+ "T1027"
 ],
 "title": "HackTool - CrackMapExec PowerShell Obfuscation"
 },
@@ -15801,7 +16251,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE"
 },
@@ -15822,7 +16273,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Odbcconf.EXE Suspicious DLL Location"
 },
@@ -15868,7 +16320,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation STDIN+ Launcher"
 },
@@ -15889,7 +16342,8 @@
 ],
 "tags": [
 "TA0005",
- "T1055.001"
+ "T1055.001",
+ "T1055"
 ],
 "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse"
 },
@@ -15931,7 +16385,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern"
 },
@@ -15973,7 +16428,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Run PowerShell Script from ADS"
 },
@@ -15995,7 +16451,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "New Service Creation Using Sc.EXE"
 },
@@ -16081,7 +16538,9 @@
 "TA0007",
 "T1087.002",
 "T1069.002",
- "T1482"
+ "T1482",
+ "T1087",
+ "T1069"
 ],
 "title": "Active Directory Database Snapshot Via ADExplorer"
 },
@@ -16102,7 +16561,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Read Contents From Stdin Via Cmd.EXE"
 },
@@ -16123,7 +16583,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE"
 },
@@ -16145,7 +16606,8 @@
 "tags": [
 "TA0002",
 "TA0006",
- "T1557.001"
+ "T1557.001",
+ "T1557"
 ],
 "title": "Potential SMB Relay Attack Tool Execution"
 },
@@ -16166,7 +16628,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Sysinternals PsSuspend Suspicious Execution"
 },
@@ -16230,7 +16693,9 @@
 "TA0005",
 "TA0004",
 "T1055.001",
- "T1218.013"
+ "T1218.013",
+ "T1055",
+ "T1218"
 ],
 "title": "Mavinject Inject DLL Into Running Process"
 },
@@ -16272,7 +16737,8 @@
 ],
 "tags": [
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Sdclt Child Processes"
 },
@@ -16441,7 +16907,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Suspicious Diantz Alternate Data Stream Execution"
 },
@@ -16462,7 +16929,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Execution of Powershell Script in Public Folder"
 },
@@ -16484,7 +16952,8 @@
 "tags": [
 "TA0002",
 "T1059.005",
- "T1059.007"
+ "T1059.007",
+ "T1059"
 ],
 "title": "Cscript/Wscript Uncommon Script Extension Execution"
 },
@@ -16508,7 +16977,8 @@
 "TA0003",
 "T1197",
 "attack.s0190",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "File With Suspicious Extension Downloaded Via Bitsadmin"
 },
@@ -16572,7 +17042,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Execute From Alternate Data Streams"
 },
@@ -16594,7 +17065,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1484.001"
+ "T1484.001",
+ "T1484"
 ],
 "title": "Modify Group Policy Settings"
 },
@@ -16661,7 +17133,8 @@
 "T1036",
 "TA0006",
 "T1003.001",
- "car.2013-05-009"
+ "car.2013-05-009",
+ "T1003"
 ],
 "title": "Potential LSASS Process Dump Via Procdump"
 },
@@ -16684,7 +17157,8 @@
 "TA0004",
 "TA0005",
 "T1134.001",
- "T1134.003"
+ "T1134.003",
+ "T1134"
 ],
 "title": "HackTool - Impersonate Execution"
 },
@@ -16705,7 +17179,8 @@
 ],
 "tags": [
 "TA0007",
- "T1518.001"
+ "T1518.001",
+ "T1518"
 ],
 "title": "Security Tools Keyword Lookup Via Findstr.EXE"
 },
@@ -16727,7 +17202,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "T1204"
+ "T1204",
+ "T1059"
 ],
 "title": "Potentially Suspicious WebDAV LNK Execution"
 },
@@ -16748,7 +17224,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Rundll32 Execution With Uncommon DLL Extension"
 },
@@ -16771,7 +17248,8 @@
 "TA0011",
 "T1105",
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "PrintBrm ZIP Creation of Extraction"
 },
@@ -16795,7 +17273,8 @@
 "TA0011",
 "T1059.003",
 "T1059.001",
- "T1105"
+ "T1105",
+ "T1059"
 ],
 "title": "Command Line Execution with Suspicious URL and AppData Strings"
 },
@@ -16859,7 +17338,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Powershell Defender Disable Scan Feature"
 },
@@ -16900,7 +17380,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Winrar Compressing Dump Files"
 },
@@ -16962,7 +17443,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "Set Suspicious Files as System Files Using Attrib.EXE"
 },
@@ -17004,7 +17486,8 @@
 ],
 "tags": [
 "TA0005",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Xwizard.EXE Execution From Non-Default Location"
 },
@@ -17025,7 +17508,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Cmd.EXE Missing Space Characters Execution Anomaly"
 },
@@ -17088,7 +17572,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder"
 },
@@ -17153,7 +17638,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation Via Use MSHTA"
 },
@@ -17200,7 +17686,8 @@
 "T1053.005",
 "attack.s0111",
 "car.2013-08-001",
- "stp.1u"
+ "stp.1u",
+ "T1053"
 ],
 "title": "Scheduled Task Creation Via Schtasks.EXE"
 },
@@ -17262,7 +17749,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disabled Volume Snapshots"
 },
@@ -17345,7 +17833,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "HackTool - Inveigh Execution"
 },
@@ -17369,7 +17858,8 @@
 "TA0002",
 "TA0011",
 "T1218.011",
- "T1071"
+ "T1071",
+ "T1218"
 ],
 "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File"
 },
@@ -17392,7 +17882,9 @@
 "TA0006",
 "TA0002",
 "T1552.004",
- "T1059.001"
+ "T1059.001",
+ "T1552",
+ "T1059"
 ],
 "title": "Certificate Exported Via PowerShell"
 },
@@ -17434,7 +17926,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Service Registry Key Deleted Via Reg.EXE"
 },
@@ -17457,7 +17950,9 @@
 "TA0005",
 "T1218.011",
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003",
+ "T1218"
 ],
 "title": "Process Access via TrolleyExpress Exclusion"
 },
@@ -17478,7 +17973,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Suspicious Response File Execution Via Odbcconf.EXE"
 },
@@ -17500,7 +17996,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using DismHost"
 },
@@ -17523,7 +18020,8 @@
 "TA0004",
 "TA0003",
 "T1546.007",
- "attack.s0108"
+ "attack.s0108",
+ "T1546"
 ],
 "title": "Potential Persistence Via Netsh Helper DLL"
 },
@@ -17635,7 +18133,9 @@
 "tags": [
 "TA0003",
 "T1543.003",
- "T1574.011"
+ "T1574.011",
+ "T1543",
+ "T1574"
 ],
 "title": "Potential Persistence Attempt Via Existing Service Tampering"
 },
@@ -17699,7 +18199,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'"
 },
@@ -17783,7 +18284,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "Potentially Suspicious Ping/Copy Command Combination"
 },
@@ -17804,7 +18306,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Use NTFS Short Name in Command Line"
 },
@@ -17825,7 +18328,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "Greedy File Deletion Using Del"
 },
@@ -17846,7 +18350,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Hidden Powershell in Link File Pattern"
 },
@@ -17888,7 +18393,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Invocation From Script Engines"
 },
@@ -17973,7 +18479,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Rar Usage with Password and Compression Level"
 },
@@ -17997,7 +18504,8 @@
 "TA0003",
 "T1197",
 "attack.s0190",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "File Download Via Bitsadmin To An Uncommon Target Folder"
 },
@@ -18018,7 +18526,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)"
 },
@@ -18061,7 +18570,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Windows Share Mount Via Net.EXE"
 },
@@ -18082,7 +18592,8 @@
 ],
 "tags": [
 "T1546.008",
- "TA0004"
+ "TA0004",
+ "T1546"
 ],
 "title": "Persistence Via Sticky Key Backdoor"
 },
@@ -18105,7 +18616,8 @@
 "TA0006",
 "TA0009",
 "T1185",
- "T1564.003"
+ "T1564.003",
+ "T1564"
 ],
 "title": "Potential Data Stealing Via Chromium Headless Debugging"
 },
@@ -18127,7 +18639,9 @@
 "tags": [
 "TA0005",
 "T1562.001",
- "T1070.001"
+ "T1070.001",
+ "T1562",
+ "T1070"
 ],
 "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE"
 },
@@ -18181,7 +18695,8 @@
 "T1218.010",
 "T1218.011",
 "T1566",
- "T1566.001"
+ "T1566.001",
+ "T1059"
 ],
 "title": "HTML Help HH.EXE Suspicious Child Process"
 },
@@ -18202,7 +18717,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell IEX Execution Patterns"
 },
@@ -18244,7 +18760,8 @@
 "tags": [
 "TA0007",
 "T1087.001",
- "T1087.002"
+ "T1087.002",
+ "T1087"
 ],
 "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE"
 },
@@ -18375,7 +18892,8 @@
 "TA0003",
 "TA0001",
 "T1505.003",
- "T1190"
+ "T1190",
+ "T1505"
 ],
 "title": "Suspicious Process By Web Server Process"
 },
@@ -18478,7 +18996,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze"
 },
@@ -18499,7 +19018,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "DSInternals Suspicious PowerShell Cmdlets"
 },
@@ -18520,7 +19040,8 @@
 ],
 "tags": [
 "TA0003",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE"
 },
@@ -18563,7 +19084,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.007"
+ "T1059.007",
+ "T1059"
 ],
 "title": "NodeJS Execution of JavaScript File"
 },
@@ -18691,7 +19213,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Powershell Inline Execution From A File"
 },
@@ -18775,7 +19298,8 @@
 ],
 "tags": [
 "TA0003",
- "T1505.004"
+ "T1505.004",
+ "T1505"
 ],
 "title": "Suspicious IIS Module Registration"
 },
@@ -18799,7 +19323,9 @@
 "TA0002",
 "T1059.001",
 "T1059.003",
- "T1564.003"
+ "T1564.003",
+ "T1059",
+ "T1564"
 ],
 "title": "Powershell Executed From Headless ConHost Process"
 },
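Review bot: In the `HTML Help HH.EXE Suspicious Child Process` hunk, `T1059` is appended although no `T1059.xxx` entry is visible, while the visible `T1218.010` and `T1218.011` get no `T1218` parent, unlike every other hunk on this page where a sub-technique is present. Both may be explained by entries above the hunk's context (a `T1059.00x` sub-technique and an already-present `T1218`), but that should be confirmed against the full tag list; if `T1218` is in fact missing, the added lines should read `"T1566.001", "T1059", "T1218"`.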
@@ -18822,7 +19348,8 @@
 "TA0011",
 "TA0002",
 "T1059.001",
- "T1105"
+ "T1105",
+ "T1059"
 ],
 "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest"
 },
@@ -18887,7 +19414,8 @@
 "TA0005",
 "TA0008",
 "T1021.001",
- "T1112"
+ "T1112",
+ "T1021"
 ],
 "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE"
 },
@@ -18908,7 +19436,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE"
 },
@@ -18950,7 +19479,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.003"
+ "T1090.003",
+ "T1090"
 ],
 "title": "Tor Client/Browser Execution"
 },
@@ -19036,7 +19566,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Remote Access Tool - ScreenConnect Remote Command Execution"
 },
@@ -19058,7 +19589,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "New Kernel Driver Via SC.EXE"
 },
@@ -19189,7 +19721,8 @@
 "TA0005",
 "T1218",
 "T1202",
- "T1036.005"
+ "T1036.005",
+ "T1036"
 ],
 "title": "Potential Binary Impersonating Sysinternals Tools"
 },
@@ -19213,7 +19746,9 @@
 "TA0002",
 "TA0008",
 "T1021.002",
- "T1218.011"
+ "T1218.011",
+ "T1021",
+ "T1218"
 ],
 "title": "Rundll32 UNC Path Execution"
 },
@@ -19280,7 +19815,8 @@
 "tags": [
 "TA0007",
 "TA0003",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Sysinternals PsService Execution"
 },
@@ -19301,7 +19837,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Sysmon Configuration Update"
 },
@@ -19411,7 +19948,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using PkgMgr and DISM"
 },
@@ -19475,7 +20013,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.005"
+ "T1003.005",
+ "T1003"
 ],
 "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"
 },
@@ -19623,7 +20162,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.007"
+ "T1218.007",
+ "T1218"
 ],
 "title": "Msiexec Quiet Installation"
 },
@@ -19669,7 +20209,8 @@
 ],
 "tags": [
 "TA0007",
- "T1087.002"
+ "T1087.002",
+ "T1087"
 ],
 "title": "PUA - AdFind.EXE Execution"
 },
@@ -19690,7 +20231,8 @@
 ],
 "tags": [
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Potential Privilege Escalation via Service Permissions Weakness"
 },
@@ -19711,7 +20253,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.001"
+ "T1021.001",
+ "T1021"
 ],
 "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE"
 },
@@ -19733,7 +20276,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using IEInstal - Process"
 },
@@ -19776,7 +20320,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Potential UAC Bypass Via Sdclt.EXE"
 },
@@ -19799,7 +20344,8 @@
 "TA0005",
 "T1218.007",
 "TA0011",
- "T1105"
+ "T1105",
+ "T1218"
 ],
 "title": "MsiExec Web Install"
 },
@@ -19840,7 +20386,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "HackTool - PowerTool Execution"
 },
@@ -19945,7 +20492,8 @@
 ],
 "tags": [
 "TA0005",
- "T1055.001"
+ "T1055.001",
+ "T1055"
 ],
 "title": "Potential DLL Injection Or Execution Using Tracker.exe"
 },
@@ -19991,7 +20539,8 @@
 "TA0003",
 "T1546.008",
 "car.2014-11-003",
- "car.2014-11-008"
+ "car.2014-11-008",
+ "T1546"
 ],
 "title": "Sticky Key Like Backdoor Execution"
 },
@@ -20012,7 +20561,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "HackTool - Doppelanger LSASS Dumper Execution"
 },
@@ -20035,7 +20585,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation CLIP+ Launcher"
 },
@@ -20057,7 +20608,8 @@
 "tags": [
 "TA0004",
 "TA0003",
- "T1546.008"
+ "T1546.008",
+ "T1546"
 ],
 "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd"
 },
@@ -20100,7 +20652,8 @@
 ],
 "tags": [
 "TA0005",
- "T1055.012"
+ "T1055.012",
+ "T1055"
 ],
 "title": "HackTool - HollowReaper Execution"
 },
@@ -20163,7 +20716,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Add SafeBoot Keys Via Reg Utility"
 },
@@ -20184,7 +20738,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe"
 },
@@ -20208,7 +20763,10 @@
 "T1204.002",
 "TA0005",
 "T1218.014",
- "T1036.002"
+ "T1036.002",
+ "T1218",
+ "T1204",
+ "T1036"
 ],
 "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
 },
@@ -20251,7 +20809,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Suspicious Service Path Modification"
 },
@@ -20335,7 +20894,9 @@
 "TA0011",
 "TA0005",
 "T1219.002",
- "T1036.003"
+ "T1036.003",
+ "T1219",
+ "T1036"
 ],
 "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
 },
@@ -20358,7 +20919,8 @@
 "TA0007",
 "TA0002",
 "T1615",
- "T1059.005"
+ "T1059.005",
+ "T1059"
 ],
 "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS"
 },
@@ -20404,7 +20966,8 @@
 "TA0002",
 "T1059.001",
 "T1140",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "Suspicious XOR Encoded PowerShell Command"
 },
@@ -20427,7 +20990,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
 },
@@ -20449,7 +21013,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "New Service Creation Using PowerShell"
 },
@@ -20470,7 +21035,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Sensitive File Dump Via Wbadmin.EXE"
 },
@@ -20649,7 +21215,9 @@
 "TA0002",
 "T1047",
 "T1204.002",
- "T1218.010"
+ "T1218.010",
+ "T1218",
+ "T1204"
 ],
 "title": "Suspicious Microsoft Office Child Process"
 },
@@ -20690,7 +21258,8 @@
 ],
 "tags": [
 "TA0006",
- "T1555.003"
+ "T1555.003",
+ "T1555"
 ],
 "title": "PUA - WebBrowserPassView Execution"
 },
@@ -20728,7 +21297,13 @@
 "T1547.010",
 "T1547.002",
 "T1557",
- "T1082"
+ "T1082",
+ "T1546",
+ "T1505",
+ "T1556",
+ "T1564",
+ "T1574",
+ "T1547"
 ],
 "title": "Potential Suspicious Activity Using SeCEdit"
 },
@@ -20749,7 +21324,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Dism Remove Online Package"
 },
@@ -20770,7 +21346,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious Execution of Powershell with Base64"
 },
@@ -20793,7 +21370,8 @@
 "TA0005",
 "T1140",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Base64 Encoded FromBase64String Cmdlet"
 },
@@ -20880,7 +21458,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE"
 },
@@ -20903,7 +21482,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation COMPRESS OBFUSCATION"
 },
@@ -20966,7 +21546,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.002"
+ "T1552.002",
+ "T1552"
 ],
 "title": "Enumeration for 3rd Party Creds From CLI"
 },
@@ -21032,7 +21613,8 @@
 "TA0005",
 "T1036",
 "T1003.001",
- "TA0006"
+ "TA0006",
+ "T1003"
 ],
 "title": "DumpMinitool Execution"
 },
@@ -21094,7 +21676,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.006"
+ "T1021.006",
+ "T1021"
 ],
 "title": "HackTool - WinRM Access Via Evil-WinRM"
 },
@@ -21264,7 +21847,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Potential AMSI Bypass Via .NET Reflection"
 },
@@ -21285,7 +21869,8 @@
 ],
 "tags": [
 "TA0003",
- "T1176.001"
+ "T1176.001",
+ "T1176"
 ],
 "title": "Suspicious Chromium Browser Instance Executed With Custom Extension"
 },
@@ -21327,7 +21912,8 @@
 "tags": [
 "TA0007",
 "TA0043",
- "T1590.001"
+ "T1590.001",
+ "T1590"
 ],
 "title": "PUA - Crassus Execution"
 },
@@ -21389,7 +21975,8 @@
 ],
 "tags": [
 "TA0002",
- "T1204.002"
+ "T1204.002",
+ "T1204"
 ],
 "title": "Suspicious Outlook Child Process"
 },
@@ -21453,7 +22040,8 @@
 ],
 "tags": [
 "TA0006",
- "T1555.004"
+ "T1555.004",
+ "T1555"
 ],
 "title": "Windows Credential Manager Access via VaultCmd"
 },
@@ -21494,7 +22082,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.007"
+ "T1059.007",
+ "T1059"
 ],
 "title": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary"
 },
@@ -21538,7 +22127,9 @@
 "TA0002",
 "TA0008",
 "T1059.001",
- "T1021.006"
+ "T1021.006",
+ "T1059",
+ "T1021"
 ],
 "title": "Remote PowerShell Session Host Process (WinRM)"
 },
@@ -21561,7 +22152,8 @@
 "TA0003",
 "TA0005",
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Abuse of Service Permissions to Hide Services Via Set-Service"
 },
@@ -21582,7 +22174,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.004"
+ "T1552.004",
+ "T1552"
 ],
 "title": "Private Keys Reconnaissance Via CommandLine Tools"
 },
@@ -21605,7 +22198,8 @@
 "TA0005",
 "TA0004",
 "T1548.002",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1548"
 ],
 "title": "HackTool - Empire PowerShell UAC Bypass"
 },
@@ -21651,7 +22245,8 @@
 "TA0010",
 "T1039",
 "T1048",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Copy From Or To Admin Share Or Sysvol Folder"
 },
@@ -21695,7 +22290,8 @@
 "TA0002",
 "TA0005",
 "T1027",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential PowerShell Command Line Obfuscation"
 },
@@ -21781,7 +22377,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.005"
+ "T1036.005",
+ "T1036"
 ],
 "title": "Uncommon Svchost Parent Process"
 },
@@ -21802,7 +22399,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Potential CommandLine Path Traversal Via Cmd.EXE"
 },
@@ -21827,7 +22425,10 @@
 "T1059.007",
 "TA0005",
 "T1218.005",
- "T1027.004"
+ "T1027.004",
+ "T1027",
+ "T1059",
+ "T1218"
 ],
 "title": "Csc.EXE Execution Form Potentially Suspicious Parent"
 },
@@ -21869,7 +22470,8 @@
 ],
 "tags": [
 "TA0003",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
 },
@@ -21893,7 +22495,8 @@
 "T1003.002",
 "T1003.003",
 "car.2013-07-001",
- "attack.s0404"
+ "attack.s0404",
+ "T1003"
 ],
 "title": "Copying Sensitive Files with Credential Data"
 },
@@ -21935,7 +22538,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral"
 },
@@ -21959,7 +22563,8 @@
 "T1059.005",
 "TA0005",
 "T1218",
- "T1202"
+ "T1202",
+ "T1059"
 ],
 "title": "Uncommon Child Process Of BgInfo.EXE"
 },
@@ -21980,7 +22585,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Change PowerShell Policies to an Insecure Level"
 },
@@ -22021,7 +22627,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.001"
+ "T1218.001",
+ "T1218"
 ],
 "title": "Remote CHM File Download/Execution Via HH.EXE"
 },
@@ -22042,7 +22649,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Script Run in AppData"
 },
@@ -22083,7 +22691,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Potential PowerShell Execution Via DLL"
 },
@@ -22125,7 +22734,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.001"
+ "T1218.001",
+ "T1218"
 ],
 "title": "OneNote.EXE Execution of Malicious Embedded Scripts"
 },
@@ -22167,7 +22777,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.001"
+ "T1546.001",
+ "T1546"
 ],
 "title": "Change Default File Association To Executable Via Assoc"
 },
@@ -22314,7 +22925,8 @@
 ],
 "tags": [
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "Potential SPN Enumeration Via Setspn.EXE"
 },
@@ -22378,7 +22990,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.009"
+ "T1218.009",
+ "T1218"
 ],
 "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location"
 },
@@ -22460,7 +23073,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Use Short Name Path in Command Line"
 },
@@ -22482,7 +23096,8 @@
 "tags": [
 "TA0002",
 "TA0006",
- "T1557.001"
+ "T1557.001",
+ "T1557"
 ],
 "title": "HackTool - Impacket Tools Execution"
 },
@@ -22524,7 +23139,8 @@
 ],
 "tags": [
 "TA0005",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries"
 },
@@ -22588,7 +23204,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "Directory Removal Via Rmdir"
 },
@@ -22631,7 +23248,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using ChangePK and SLUI"
 },
@@ -22696,7 +23314,8 @@
 "T1190",
 "TA0001",
 "TA0003",
- "TA0004"
+ "TA0004",
+ "T1505"
 ],
 "title": "Suspicious Child Process Of SQL Server"
 },
@@ -22737,7 +23356,8 @@
 ],
 "tags": [
 "TA0003",
- "T1136.001"
+ "T1136.001",
+ "T1136"
 ],
 "title": "New User Created Via Net.EXE With Never Expire Option"
 },
@@ -22758,7 +23378,8 @@
 ],
 "tags": [
 "TA0004",
- "T1053.002"
+ "T1053.002",
+ "T1053"
 ],
 "title": "Interactive AT Job"
 },
@@ -22800,7 +23421,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Powershell Base64 Encoded MpPreference Cmdlet"
 },
@@ -22842,7 +23464,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Uninstall Crowdstrike Falcon Sensor"
 },
@@ -22863,7 +23486,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Potential AMSI Bypass Using NULL Bits"
 },
@@ -22905,7 +23529,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
 },
@@ -22928,7 +23553,8 @@
 "TA0003",
 "TA0005",
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Service DACL Abuse To Hide Services Via Sc.EXE"
 },
@@ -22949,7 +23575,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.005"
+ "T1036.005",
+ "T1036"
 ],
 "title": "Suspicious Process Masquerading As SvcHost.EXE"
 },
@@ -23055,7 +23682,8 @@
 "tags": [
 "TA0008",
 "attack.g0047",
- "T1021.005"
+ "T1021.005",
+ "T1021"
 ],
 "title": "Suspicious UltraVNC Execution"
 },
@@ -23077,7 +23705,8 @@
 "tags": [
 "TA0002",
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Schtasks Creation Or Modification With SYSTEM Privileges"
 },
@@ -23119,7 +23748,8 @@
 "tags": [
 "TA0005",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential PowerShell Downgrade Attack"
 },
@@ -23143,7 +23773,8 @@
 "TA0006",
 "T1036",
 "T1003.001",
- "car.2013-05-009"
+ "car.2013-05-009",
+ "T1003"
 ],
 "title": "Process Memory Dump Via Comsvcs.DLL"
 },
@@ -23185,7 +23816,8 @@
 ],
 "tags": [
 "T1021.003",
- "TA0008"
+ "TA0008",
+ "T1021"
 ],
 "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp"
 },
@@ -23229,7 +23861,9 @@
 "TA0006",
 "T1558.003",
 "TA0008",
- "T1550.003"
+ "T1550.003",
+ "T1558",
+ "T1550"
 ],
 "title": "HackTool - KrbRelayUp Execution"
 },
@@ -23318,7 +23952,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Scheduled Task Name As GUID"
 },
@@ -23405,7 +24040,9 @@
 "TA0002",
 "TA0003",
 "T1053.005",
- "T1059.001"
+ "T1059.001",
+ "T1059",
+ "T1053"
 ],
 "title": "Scheduled Task Executing Payload from Registry"
 },
@@ -23469,7 +24106,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Renamed ProcDump Execution"
 },
@@ -23514,7 +24152,8 @@
 ],
 "tags": [
 "TA0005",
- "T1216.001"
+ "T1216.001",
+ "T1216"
 ],
 "title": "Launch-VsDevShell.PS1 Proxy Execution"
 },
@@ -23556,7 +24195,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - Potential MeshAgent Execution - Windows"
 },
@@ -23643,7 +24283,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Scripting/CommandLine Process Spawned Regsvr32"
 },
@@ -23686,7 +24327,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Parent Process"
 },
@@ -23707,7 +24349,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Audit Policy Tampering Via NT Resource Kit Auditpol"
 },
@@ -23752,7 +24395,9 @@
 "TA0008",
 "T1133",
 "T1136.001",
- "T1021.001"
+ "T1021.001",
+ "T1021",
+ "T1136"
 ],
 "title": "User Added to Remote Desktop Users Group"
 },
@@ -23776,7 +24421,8 @@
 "TA0003",
 "T1197",
 "attack.s0190",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Suspicious Download From Direct IP Via Bitsadmin"
 },
@@ -23881,7 +24527,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Suspicious ShellExec_RunDLL Call Via Ordinal"
 },
@@ -23902,7 +24549,8 @@
 ],
 "tags": [
 "TA0042",
- "T1587.001"
+ "T1587.001",
+ "T1587"
 ],
 "title": "Potential PsExec Remote Execution"
 },
@@ -23946,7 +24594,8 @@
 "TA0002",
 "T1047",
 "TA0008",
- "T1021.003"
+ "T1021.003",
+ "T1021"
 ],
 "title": "HackTool - Potential Impacket Lateral Movement Activity"
 },
@@ -24114,7 +24763,8 @@
 ],
 "tags": [
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "HackTool - KrbRelay Execution"
 },
@@ -24135,7 +24785,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "HackTool - SharpMove Tool Execution"
 },
@@ -24178,7 +24829,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE"
 },
@@ -24243,7 +24895,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.002"
+ "T1036.002",
+ "T1036"
 ],
 "title": "Potential Defense Evasion Via Right-to-Left Override"
 },
@@ -24264,7 +24917,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Modification Of Scheduled Tasks"
 },
@@ -24305,7 +24959,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
 },
@@ -24346,7 +25001,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Non Interactive PowerShell Process Spawned"
 },
@@ -24372,7 +25028,9 @@
 "T1218",
 "T1564.004",
 "T1552.001",
- "T1105"
+ "T1105",
+ "T1564",
+ "T1552"
 ],
 "title": "Insensitive Subfolder Search Via Findstr.EXE"
 },
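Review bot: `Potential PsExec Remote Execution` carries `TA0042` / `T1587.001` (Resource Development: Develop Capabilities – Malware) and the hunk now derives `T1587` from it; the same pair is propagated in `PsExec/PAExec Escalation to LOCAL SYSTEM` on a later line. For a rule that fires on execution of a remote-administration tool that mapping reads like an inherited mis-tag rather than an intended one, and adding the parent mechanically cements it. It is worth confirming against the rule's source before merging; if the upstream tags really are the same, a short note in the rule's description explaining the mapping would save the next reviewer the same question.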
@@ -24414,7 +25072,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.002"
+ "T1003.002",
+ "T1003"
 ],
 "title": "HackTool - Quarks PwDump Execution"
 },
@@ -24456,7 +25115,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "HackTool - Empire PowerShell Launch Parameters"
 },
@@ -24479,7 +25139,8 @@
 "TA0005",
 "T1070",
 "T1562.006",
- "car.2016-04-002"
+ "car.2016-04-002",
+ "T1562"
 ],
 "title": "ETW Trace Evasion Activity"
 },
@@ -24500,7 +25161,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "CobaltStrike Load by Rundll32"
 },
@@ -24521,7 +25183,8 @@
 ],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - AnyDesk Silent Installation"
 },
@@ -24542,7 +25205,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.010"
+ "T1562.010",
+ "T1562"
 ],
 "title": "LSA PPL Protection Disabled Via Reg.EXE"
 },
@@ -24606,7 +25270,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Winrar Execution in Non-Standard Folder"
 },
@@ -24668,7 +25333,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Regsvr32 DLL Execution With Suspicious File Extension"
 },
@@ -24689,7 +25355,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Suspicious Rundll32 Activity Invoking Sys File"
 },
@@ -24771,7 +25438,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.006"
+ "T1552.006",
+ "T1552"
 ],
 "title": "Findstr GPP Passwords"
 },
@@ -24792,7 +25460,8 @@
 ],
 "tags": [
 "TA0005",
- "T1574.001"
+ "T1574.001",
+ "T1574"
 ],
 "title": "Suspicious GUP Usage"
 },
@@ -24834,7 +25503,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Potential Credential Dumping Via WER"
 },
@@ -24876,7 +25546,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.008"
+ "T1218.008",
+ "T1218"
 ],
 "title": "Uncommon Child Process Spawned By Odbcconf.EXE"
 },
@@ -24918,7 +25589,8 @@
 ],
 "tags": [
 "TA0011",
- "T1090.001"
+ "T1090.001",
+ "T1090"
 ],
 "title": "HackTool - SharpChisel Execution"
 },
@@ -24964,7 +25636,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential PowerShell Obfuscation Via Reversed Commands"
 },
@@ -24985,7 +25658,8 @@
 ],
 "tags": [
 "TA0011",
- "T1071.001"
+ "T1071.001",
+ "T1071"
 ],
 "title": "Visual Studio Code Tunnel Service Installation"
 },
@@ -25028,7 +25702,8 @@
 "tags": [
 "TA0002",
 "T1569.002",
- "attack.s0029"
+ "attack.s0029",
+ "T1569"
 ],
 "title": "PUA - NirCmd Execution"
 },
@@ -25050,7 +25725,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Bypass UAC via WSReset.exe"
 },
@@ -25094,7 +25770,8 @@
 "TA0005",
 "T1036",
 "T1003.001",
- "TA0006"
+ "TA0006",
+ "T1003"
 ],
 "title": "CreateDump Process Dump"
 },
@@ -25177,7 +25854,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.004"
+ "T1564.004",
+ "T1564"
 ],
 "title": "Use Short Name Path in Image"
 },
@@ -25199,7 +25877,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Tools Using ComputerDefaults"
 },
@@ -25222,7 +25901,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential Encoded PowerShell Patterns In CommandLine"
 },
@@ -25245,7 +25925,8 @@
 "TA0005",
 "TA0040",
 "T1112",
- "T1491.001"
+ "T1491.001",
+ "T1491"
 ],
 "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE"
 },
@@ -25293,7 +25974,10 @@
 "T1069.001",
 "T1069.002",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1069",
+ "T1087",
+ "T1059"
 ],
 "title": "HackTool - Bloodhound/Sharphound Execution"
 },
@@ -25314,7 +25998,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "HackTool - Jlaive In-Memory Assembly Execution"
 },
@@ -25381,7 +26066,8 @@
 "TA0005",
 "T1036",
 "T1202",
- "T1027.003"
+ "T1027.003",
+ "T1027"
 ],
 "title": "Findstr Launching .lnk File"
 },
@@ -25402,7 +26088,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
 },
@@ -25423,7 +26110,8 @@
 ],
 "tags": [
 "TA0001",
- "T1566.001"
+ "T1566.001",
+ "T1566"
 ],
 "title": "Suspicious Execution From Outlook Temporary Folder"
 },
@@ -25465,7 +26153,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.005"
+ "T1218.005",
+ "T1218"
 ],
 "title": "Suspicious JavaScript Execution Via Mshta.EXE"
 },
@@ -25486,7 +26175,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Suspicious Copy From or To System Directory"
 },
@@ -25549,7 +26239,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "HackTool - HandleKatz LSASS Dumper Execution"
 },
@@ -25591,7 +26282,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Suspicious PowerShell Parameter Substring"
 },
@@ -25653,7 +26345,8 @@
 ],
 "tags": [
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Potential Persistence Via Microsoft Compatibility Appraiser"
 },
@@ -25718,7 +26411,8 @@
 "TA0003",
 "TA0005",
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Service Security Descriptor Tampering Via Sc.EXE"
 },
@@ -25784,7 +26478,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1027"
+ "T1027",
+ "T1059"
 ],
 "title": "Potential PowerShell Obfuscation Via WCHAR/CHAR"
 },
@@ -25849,7 +26544,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.006"
+ "T1552.006",
+ "T1552"
 ],
 "title": "LSASS Process Reconnaissance Via Findstr.EXE"
 },
@@ -25892,7 +26588,8 @@
 "tags": [
 "TA0007",
 "TA0003",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "Sysinternals PsSuspend Execution"
 },
@@ -25936,7 +26633,8 @@
 "TA0003",
 "TA0005",
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Possible Privilege Escalation via Weak Service Permissions"
 },
@@ -25979,7 +26677,8 @@
 "tags": [
 "TA0011",
 "T1105",
- "T1564.003"
+ "T1564.003",
+ "T1564"
 ],
 "title": "File Download with Headless Browser"
 },
@@ -26000,7 +26699,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1218"
 ],
 "title": "Suspicious Regsvr32 Execution From Remote Share"
 },
@@ -26107,7 +26807,8 @@
 ],
 "tags": [
 "TA0042",
- "T1587.001"
+ "T1587.001",
+ "T1587"
 ],
 "title": "PsExec/PAExec Escalation to LOCAL SYSTEM"
 },
@@ -26151,7 +26852,9 @@
 "TA0005",
 "T1070.001",
 "T1562.002",
- "car.2016-04-002"
+ "car.2016-04-002",
+ "T1070",
+ "T1562"
 ],
 "title": "Suspicious Eventlog Clearing or Configuration Change Activity"
 },
@@ -26236,7 +26939,8 @@
 ],
 "tags": [
 "TA0009",
- "T1560.001"
+ "T1560.001",
+ "T1560"
 ],
 "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE"
 },
@@ -26257,7 +26961,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.009"
+ "T1218.009",
+ "T1218"
 ],
 "title": "RegAsm.EXE Execution Without CommandLine Flags or Files"
 },
@@ -26281,7 +26986,8 @@
 "T1059.005",
 "TA0005",
 "T1218",
- "T1202"
+ "T1202",
+ "T1059"
 ],
 "title": "Suspicious Child Process Of BgInfo.EXE"
 },
@@ -26305,7 +27011,9 @@
 "TA0005",
 "T1106",
 "T1059.003",
- "T1218.011"
+ "T1218.011",
+ "T1059",
+ "T1218"
 ],
 "title": "HackTool - RedMimicry Winnti Playbook Execution"
 },
@@ -26328,7 +27036,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1216"
+ "T1216",
+ "T1059"
 ],
 "title": "Execute Code with Pester.bat"
 },
@@ -26390,7 +27099,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"
 },
@@ -26474,7 +27184,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "PowerShell Download Pattern"
 },
@@ -26598,7 +27309,8 @@
 "tags": [
 "TA0007",
 "T1033",
- "T1087.001"
+ "T1087.001",
+ "T1087"
 ],
 "title": "Local Accounts Discovery"
 },
@@ -26641,7 +27353,8 @@
 ],
 "tags": [
 "TA0002",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Schtasks From Suspicious Folders"
 },
@@ -26665,7 +27378,9 @@
 "T1003",
 "T1558.003",
 "TA0008",
- "T1550.003"
+ "T1550.003",
+ "T1558",
+ "T1550"
 ],
 "title": "HackTool - Rubeus Execution"
 },
@@ -26686,7 +27401,8 @@
 ],
 "tags": [
 "TA0007",
- "T1087.001"
+ "T1087.001",
+ "T1087"
 ],
 "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"
 },
@@ -26771,7 +27487,8 @@
 ],
 "tags": [
 "TA0004",
- "T1546.002"
+ "T1546.002",
+ "T1546"
 ],
 "title": "Suspicious ScreenSave Change by Reg.exe"
 },
@@ -26815,7 +27532,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "HackTool - F-Secure C3 Load by Rundll32"
 },
@@ -26858,7 +27576,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Process Memory Dump via RdrLeakDiag.EXE"
 },
@@ -26879,7 +27598,8 @@
 ],
 "tags": [
 "TA0006",
- "T1552.006"
+ "T1552.006",
+ "T1552"
 ],
 "title": "Suspicious SYSVOL Domain Group Policy Access"
 },
@@ -26986,7 +27706,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Context Menu Removed"
 },
@@ -27007,7 +27728,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potential Powershell ReverseShell Connection"
 },
@@ -27049,7 +27771,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Netsh Allow Group Policy on Microsoft Defender Firewall"
 },
@@ -27072,7 +27795,9 @@
 "TA0005",
 "TA0003",
 "T1036.005",
- "T1053.005"
+ "T1053.005",
+ "T1053",
+ "T1036"
 ],
 "title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
 },
@@ -27114,7 +27839,8 @@
 ],
 "tags": [
 "TA0005",
- "T1134.004"
+ "T1134.004",
+ "T1134"
 ],
 "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution"
 },
@@ -27135,7 +27861,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.007"
+ "T1218.007",
+ "T1218"
 ],
 "title": "Suspicious Msiexec Execute Arbitrary DLL"
 },
@@ -27156,7 +27883,8 @@
 ],
 "tags": [
 "TA0010",
- "T1567.002"
+ "T1567.002",
+ "T1567"
 ],
 "title": "PUA - Rclone Execution"
 },
@@ -27177,7 +27905,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Potential Tampering With Security Products Via WMIC"
 },
@@ -27286,7 +28015,8 @@
 "TA0002",
 "T1059.001",
 "TA0005",
- "T1127"
+ "T1127",
+ "T1059"
 ],
 "title": "Detection of PowerShell Execution via Sqlps.exe"
 },
@@ -27332,7 +28062,8 @@
 "T1003.002",
 "T1003.004",
 "T1003.005",
- "T1003.006"
+ "T1003.006",
+ "T1003"
 ],
 "title": "HackTool - Mimikatz Execution"
 },
@@ -27353,7 +28084,8 @@
 ],
 "tags": [
 "TA0003",
- "T1037.001"
+ "T1037.001",
+ "T1037"
 ],
 "title": "Potential Persistence Via Logon Scripts - CommandLine"
 },
@@ -27417,7 +28149,8 @@
 "tags": [
 "TA0005",
 "TA0002",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Shell32 DLL Execution in Suspicious Directory"
 },
@@ -27460,7 +28193,8 @@
 "tags": [
 "TA0004",
 "T1134.001",
- "T1134.002"
+ "T1134.002",
+ "T1134"
 ],
 "title": "Potential Meterpreter/CobaltStrike Activity"
 },
@@ -27483,7 +28217,8 @@
 "TA0005",
 "T1070",
 "TA0003",
- "T1542.003"
+ "T1542.003",
+ "T1542"
 ],
 "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"
 },
@@ -27507,7 +28242,8 @@
 "TA0003",
 "T1197",
 "attack.s0190",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "File Download Via Bitsadmin To A Suspicious Target Folder"
 },
@@ -27571,7 +28307,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Taskkill Symantec Endpoint Protection"
 },
@@ -27613,7 +28350,8 @@
 ],
 "tags": [
 "TA0008",
- "T1563.002"
+ "T1563.002",
+ "T1563"
 ],
 "title": "Potential MSTSC Shadowing Activity"
 },
@@ -27634,7 +28372,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Suspicious Process Patterns NTDS.DIT Exfil"
 },
@@ -27655,7 +28394,8 @@
 ],
 "tags": [
 "TA0011",
- "T1071.001"
+ "T1071.001",
+ "T1071"
 ],
 "title": "Visual Studio Code Tunnel Shell Execution"
 },
@@ -27697,7 +28437,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.001"
+ "T1546.001",
+ "T1546"
 ],
 "title": "Change Default File Association Via Assoc"
 },
@@ -27780,7 +28521,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Powershell Defender Exclusion"
 },
@@ -27863,7 +28605,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0006",
- "T1110.001"
+ "T1110.001",
+ "T1110"
 ],
 "title": "Suspicious Rejected SMB Guest Logon From IP"
 },
@@ -27883,7 +28626,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
 },
@@ -27903,7 +28647,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
 },
@@ -27922,7 +28667,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "The Windows Defender Firewall Service Failed To Load Group Policy"
 },
@@ -27943,7 +28689,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
 },
@@ -27964,7 +28711,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
 },
@@ -27984,7 +28732,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
 },
@@ -28005,7 +28754,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
 },
@@ -28028,7 +28778,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Windows Firewall Settings Have Been Changed"
 },
@@ -28090,7 +28841,8 @@
 "TA0002",
 "T1203",
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Antivirus Exploitation Framework Detection"
 },
@@ -28183,7 +28935,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0003",
- "T1505.003"
+ "T1505.003",
+ "T1505"
 ],
 "title": "Antivirus Web Shell Detection"
 },
@@ -28251,7 +29004,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Atera Agent Installation"
 },
@@ -28311,7 +29065,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1070.004"
+ "T1070.004",
+ "T1070"
 ],
 "title": "Backup Catalog Deleted"
 },
@@ -28522,7 +29277,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0006",
- "T1003.003"
+ "T1003.003",
+ "T1003"
 ],
 "title": "Ntdsutil Abuse"
 },
@@ -28541,7 +29297,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Remote Access Tool - ScreenConnect File Transfer"
 },
@@ -28560,7 +29317,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0002",
- "T1059.003"
+ "T1059.003",
+ "T1059"
 ],
 "title": "Remote Access Tool - ScreenConnect Command Execution"
 },
@@ -28589,7 +29347,8 @@
 "TA0008",
 "T1210",
 "TA0040",
- "T1499.004"
+ "T1499.004",
+ "T1499"
 ],
 "title": "Audit CVE Event"
 },
@@ -28625,7 +29384,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Potential Credential Dumping Via WER - Application"
 },
@@ -28645,7 +29405,8 @@
 "tags": [
 "TA0005",
 "T1211",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Microsoft Malware Protection Engine Crash"
 },
@@ -28666,7 +29427,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.009"
+ "T1218.009",
+ "T1218"
 ],
 "title": "RegAsm.EXE Initiating Network Connection To Public IP"
 },
@@ -28710,7 +29472,8 @@
 "TA0005",
 "TA0002",
 "TA0011",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "Outbound Network Connection To Public IP Via Winlogon"
 },
@@ -28732,7 +29495,8 @@
 "tags": [
 "TA0002",
 "TA0005",
- "T1127.001"
+ "T1127.001",
+ "T1127"
 ],
 "title": "Silenttrinity Stager Msbuild Activity"
 },
@@ -28816,7 +29580,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.003"
+ "T1218.003",
+ "T1218"
 ],
 "title": "Outbound Network Connection Initiated By Cmstp.EXE"
 },
@@ -28838,7 +29603,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "TA0002"
+ "TA0002",
+ "T1218"
 ],
 "title": "Rundll32 Internet Connection"
 },
@@ -28947,7 +29713,8 @@
 "T1572",
 "TA0008",
 "T1021.001",
- "car.2013-07-002"
+ "car.2013-07-002",
+ "T1021"
 ],
 "title": "RDP to HTTP or HTTPS Target Ports"
 },
@@ -28992,7 +29759,8 @@
 "T1572",
 "TA0008",
 "T1021.001",
- "car.2013-07-002"
+ "car.2013-07-002",
+ "T1021"
 ],
 "title": "RDP Over Reverse SSH Tunnel"
 },
@@ -29034,7 +29802,8 @@
 ],
 "tags": [
 "TA0010",
- "T1048.003"
+ "T1048.003",
+ "T1048"
 ],
 "title": "Suspicious Outbound SMTP Connections"
 },
@@ -29057,7 +29826,9 @@
 "TA0002",
 "T1559.001",
 "TA0005",
- "T1218.010"
+ "T1218.010",
+ "T1559",
+ "T1218"
 ],
 "title": "Network Connection Initiated By Regsvr32.EXE"
 },
@@ -29121,7 +29892,8 @@
 "tags": [
 "TA0003",
 "TA0011",
- "T1219.002"
+ "T1219.002",
+ "T1219"
 ],
 "title": "Remote Access Tool - AnyDesk Incoming Connection"
 },
@@ -29143,7 +29915,8 @@
 "tags": [
 "TA0008",
 "T1021.001",
- "car.2013-07-002"
+ "car.2013-07-002",
+ "T1021"
 ],
 "title": "Outbound RDP Connections Over Non-Standard Tools"
 },
@@ -29165,7 +29938,8 @@
 "tags": [
 "TA0002",
 "TA0011",
- "T1071.001"
+ "T1071.001",
+ "T1071"
 ],
 "title": "Outbound Network Connection Initiated By Microsoft Dialer"
 },
@@ -29188,7 +29962,8 @@
 "TA0006",
 "T1558",
 "TA0008",
- "T1550.003"
+ "T1550.003",
+ "T1550"
 ],
 "title": "Uncommon Outbound Kerberos Connection"
 },
@@ -29338,7 +30113,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Scheduled Task Executed Uncommon LOLBIN"
 },
@@ -29357,7 +30133,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Scheduled Task Executed From A Suspicious Location"
 },
@@ -29396,7 +30173,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "Uncommon PowerShell Hosts"
 },
@@ -29416,7 +30194,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic"
 },
@@ -29437,7 +30216,8 @@
 "tags": [
 "TA0010",
 "T1048.003",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1048"
 ],
 "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet"
 },
@@ -29480,7 +30260,8 @@
 "TA0002",
 "T1059.001",
 "T1106",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "WinAPI Function Calls Via PowerShell Scripts"
 },
@@ -29502,7 +30283,8 @@
 "TA0002",
 "T1059.001",
 "T1106",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "WinAPI Library Calls Via PowerShell Scripts"
 },
@@ -29523,7 +30305,8 @@
 "tags": [
 "TA0005",
 "T1070.008",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1070"
 ],
 "title": "Windows Mail App Mailbox Access Via PowerShell Script"
 },
@@ -29587,7 +30370,8 @@
 "tags": [
 "TA0005",
 "T1070.004",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1070"
 ],
 "title": "Use Of Remove-Item to Delete File - ScriptBlock"
 },
@@ -29608,7 +30392,8 @@
 "tags": [
 "TA0005",
 "T1562.004",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1562"
 ],
 "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock"
 },
@@ -29630,7 +30415,8 @@
 "detection.threat-hunting",
 "TA0007",
 "T1518.001",
- "T1016"
+ "T1016",
+ "T1518"
 ],
 "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet"
 },
@@ -29652,7 +30438,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "Unusually Long PowerShell CommandLine"
 },
@@ -29720,7 +30507,8 @@
 "tags": [
 "TA0005",
 "T1222.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1222"
 ],
 "title": "File or Folder Permissions Modifications"
 },
@@ -29785,7 +30573,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1218"
 ],
 "title": "DLL Call by Ordinal Via Rundll32.EXE"
 },
@@ -29808,7 +30597,9 @@
 "TA0005",
 "T1059.001",
 "T1027.010",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1027",
+ "T1059"
 ],
 "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
 },
@@ -29962,7 +30753,8 @@
 "tags": [
 "TA0002",
 "T1053.005",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1053"
 ],
 "title": "Scheduled Task Creation From Potential Suspicious Parent Location"
 },
@@ -30163,7 +30955,8 @@
 "T1041",
 "T1572",
 "T1071.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1071"
 ],
 "title": "Tunneling Tool Execution"
 },
@@ -30230,7 +31023,8 @@
 "tags": [
 "TA0006",
 "T1552.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1552"
 ],
 "title": "Potential Password Reconnaissance Via Findstr.EXE"
 },
@@ -30276,7 +31070,8 @@
 "tags": [
 "TA0005",
 "T1564.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1564"
 ],
 "title": "Set Files as System Files Using Attrib.EXE"
 },
@@ -30332,7 +31127,10 @@
 "TA0008",
 "T1021.002",
 "attack.s0039",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1021",
+ "T1069",
+ "T1087"
 ],
 "title": "Net.EXE Execution"
 },
@@ -30376,7 +31174,8 @@
 "tags": [
 "TA0009",
 "T1560.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1560"
 ],
 "title": "Password Protected Compressed File Extraction Via 7Zip"
 },
@@ -30421,7 +31220,8 @@
 "tags": [
 "TA0003",
 "T1505.003",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1505"
 ],
 "title": "Execution From Webserver Root Folder"
 },
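Review bot: In the `Net.EXE Execution` hunk, `+ "T1069"` and `+ "T1087"` are appended while the only sub-technique visible in the context is `T1021.002`; unless `T1069.x`/`T1087.x` tags are present in the array above the hunk, these two parents are not derived from the rule's existing sub-techniques like every other addition on this line, and should either be backed by a matching sub-technique tag or dropped. The other hunks here insert the parent after `detection.threat-hunting`, so ATT&CK IDs are now interleaved with non-ATT&CK markers; keeping the technique IDs contiguous (or sorting the array) would make the lists easier to audit. Each tags array begins outside its hunk.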
@@ -30443,7 +31243,8 @@
 "tags": [
 "TA0011",
 "T1219.002",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1219"
 ],
 "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions"
 },
@@ -30466,7 +31267,8 @@
 "TA0002",
 "T1059.005",
 "T1059.007",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript"
 },
@@ -30488,7 +31290,8 @@
 "tags": [
 "TA0005",
 "T1027.004",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1027"
 ],
 "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting"
 },
@@ -30533,7 +31336,8 @@
 "tags": [
 "TA0011",
 "T1071.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1071"
 ],
 "title": "Curl.EXE Execution With Custom UserAgent"
 },
@@ -30599,7 +31403,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "Potentially Suspicious PowerShell Child Processes"
 },
@@ -30642,7 +31447,8 @@
 ],
 "tags": [
 "T1562.004",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1562"
 ],
 "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet"
 },
@@ -30751,7 +31557,8 @@
 "tags": [
 "TA0005",
 "T1562.004",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1562"
 ],
 "title": "Firewall Rule Modified In The Windows Firewall Exception List"
 },
@@ -30795,7 +31602,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059"
 ],
 "title": "Network Connection Initiated By PowerShell Process"
 },
@@ -30839,7 +31647,8 @@
 "tags": [
 "TA0005",
 "T1218.007",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1218"
 ],
 "title": "Msiexec.EXE Initiated Network Connection Over HTTP"
 },
@@ -30885,7 +31694,8 @@
 "T1218",
 "TA0002",
 "T1559.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1559"
 ],
 "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address"
 },
@@ -30907,7 +31717,8 @@
 "tags": [
 "TA0005",
 "T1218.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1218"
 ],
 "title": "HH.EXE Initiated HTTP Network Connection"
 },
@@ -30933,7 +31744,8 @@
 "attack.s0111",
 "T1053.005",
 "car.2013-08-001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1053"
 ],
 "title": "Scheduled Task Created - Registry"
 },
@@ -31022,7 +31834,10 @@
 "T1059.001",
 "T1027.010",
 "T1547.001",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1059",
+ "T1547",
+ "T1027"
 ],
 "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace"
 },
@@ -31068,7 +31883,8 @@
 "TA0004",
 "car.2013-08-001",
 "T1053.005",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1053"
 ],
 "title": "Scheduled Task Deletion"
 },
@@ -31093,7 +31909,8 @@
 "tags": [
 "TA0006",
 "T1555.003",
- "detection.threat-hunting"
+ "detection.threat-hunting",
+ "T1555"
 ],
 "title": "Access To Browser Credential Files By Uncommon Applications - Security"
 },
@@ -31117,7 +31934,8 @@
 "TA0004",
 "detection.threat-hunting",
 "TA0003",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "Potential Remote WMI ActiveScriptEventConsumers Activity"
 },
@@ -31136,7 +31954,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0008",
- "T1021.004"
+ "T1021.004",
+ "T1021"
 ],
 "title": "OpenSSH Server Listening On Socket"
 },
@@ -31179,7 +31998,8 @@
 "TA0002",
 "T1218.003",
 "attack.g0069",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1218"
 ],
 "title": "CMSTP Execution Registry Event"
 },
@@ -31200,7 +32020,8 @@
 ],
 "tags": [
 "TA0003",
- "T1137.002"
+ "T1137.002",
+ "T1137"
 ],
 "title": "Office Application Startup - Office Test"
 },
@@ -31245,7 +32066,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.002"
+ "T1003.002",
+ "T1003"
 ],
 "title": "Esentutl Volume Shadow Copy Service Keys"
 },
@@ -31266,7 +32088,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Narrator's Feedback-Hub Persistence"
 },
@@ -31287,7 +32110,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.009"
+ "T1546.009",
+ "T1546"
 ],
 "title": "New DLL Added to AppCertDlls Registry Key"
 },
@@ -31331,7 +32155,8 @@
 ],
 "tags": [
 "TA0001",
- "T1566.001"
+ "T1566.001",
+ "T1566"
 ],
 "title": "Windows Registry Trust Record Modification"
 },
@@ -31373,7 +32198,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique"
 },
@@ -31415,7 +32241,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Suspicious Run Key from Download"
 },
@@ -31480,7 +32307,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Via Wsreset"
 },
@@ -31501,7 +32329,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.005"
+ "T1547.005",
+ "T1547"
 ],
 "title": "Security Support Provider (SSP) Added to LSA Configuration"
 },
@@ -31524,7 +32353,9 @@
 "TA0005",
 "TA0004",
 "T1548.002",
- "T1546.001"
+ "T1546.001",
+ "T1546",
+ "T1548"
 ],
 "title": "Shell Open Registry Keys Manipulation"
 },
@@ -31588,7 +32419,8 @@
 "tags": [
 "TA0005",
 "T1562.001",
- "T1112"
+ "T1112",
+ "T1562"
 ],
 "title": "NetNTLM Downgrade Attack - Registry"
 },
@@ -31611,7 +32443,8 @@
 "TA0005",
 "T1562.002",
 "T1112",
- "car.2022-03-001"
+ "car.2022-03-001",
+ "T1562"
 ],
 "title": "Disable Security Events Logging Adding Reg Key MiniNt"
 },
@@ -31632,7 +32465,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback"
 },
@@ -31676,7 +32510,8 @@
 ],
 "tags": [
 "TA0003",
- "T1136.001"
+ "T1136.001",
+ "T1136"
 ],
 "title": "Creation of a Local Hidden User Account by Registry"
 },
@@ -31698,7 +32533,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.002"
+ "T1546.002",
+ "T1546"
 ],
 "title": "Path To Screensaver Binary Modified"
 },
@@ -31762,7 +32598,8 @@
 "tags": [
 "TA0002",
 "TA0003",
- "T1547.008"
+ "T1547.008",
+ "T1547"
 ],
 "title": "DLL Load via LSASS"
 },
@@ -31783,7 +32620,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.010"
+ "T1546.010",
+ "T1546"
 ],
 "title": "New DLL Added to AppInit_DLLs Registry Key"
 },
@@ -31804,7 +32642,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Threat Severity Default Action Modified"
 },
@@ -31849,7 +32688,8 @@
 "tags": [
 "TA0006",
 "T1003.001",
- "attack.s0005"
+ "attack.s0005",
+ "T1003"
 ],
 "title": "Windows Credential Editor Registry"
 },
@@ -31894,7 +32734,8 @@
 "TA0003",
 "T1546.008",
 "car.2014-11-003",
- "car.2014-11-008"
+ "car.2014-11-008",
+ "T1546"
 ],
 "title": "Sticky Key Like Backdoor Usage - Registry"
 },
@@ -31915,7 +32756,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Microsoft Office Protected View Disabled"
 },
@@ -31936,7 +32778,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable Privacy Settings Experience in Registry"
 },
@@ -32040,7 +32883,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Service Disabled - Registry"
 },
@@ -32061,7 +32905,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Disable Windows Firewall by Registry"
 },
@@ -32082,7 +32927,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Sysmon Driver Altitude Change"
 },
@@ -32125,7 +32971,8 @@
 "TA0005",
 "TA0004",
 "T1548.002",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1548"
 ],
 "title": "UAC Bypass via Event Viewer"
 },
@@ -32166,7 +33013,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "CurrentVersion NT Autorun Keys Modification"
 },
@@ -32187,7 +33035,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Hypervisor Enforced Code Integrity Disabled"
 },
@@ -32208,7 +33057,8 @@
 ],
 "tags": [
 "TA0002",
- "T1204.001"
+ "T1204.001",
+ "T1204"
 ],
 "title": "Potential ClickFix Execution Pattern - Registry"
 },
@@ -32229,7 +33079,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Classes Autorun Keys Modification"
 },
@@ -32251,7 +33102,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Bypass UAC Using SilentCleanup Task"
 },
@@ -32272,7 +33124,8 @@
 ],
 "tags": [
 "TA0040",
- "T1491.001"
+ "T1491.001",
+ "T1491"
 ],
 "title": "Potential Ransomware Activity Using LegalNotice Message"
 },
@@ -32293,7 +33146,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.011"
+ "T1546.011",
+ "T1546"
 ],
 "title": "Potential Persistence Via Shim Database In Uncommon Location"
 },
@@ -32334,7 +33188,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "Potential PSFactoryBuffer COM Hijacking"
 },
@@ -32356,7 +33211,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Notification Disabled"
 },
@@ -32377,7 +33233,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "Usage of Renamed Sysinternals Tools - RegistrySet"
 },
@@ -32418,7 +33275,8 @@
 ],
 "tags": [
 "TA0003",
- "T1137.006"
+ "T1137.006",
+ "T1137"
 ],
 "title": "Potential Persistence Via Excel Add-in - Registry"
 },
@@ -32502,7 +33360,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Uncommon Extension In Keyboard Layout IME File Registry Value"
 },
@@ -32543,7 +33402,8 @@
 ],
 "tags": [
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Potential Registry Persistence Attempt Via Windows Telemetry"
 },
@@ -32564,7 +33424,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "COM Hijacking via TreatAs"
 },
@@ -32607,7 +33468,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "CurrentControlSet Autorun Keys Modification"
 },
@@ -32649,7 +33511,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "CurrentVersion Autorun Keys Modification"
 },
@@ -32715,7 +33578,8 @@
 ],
 "tags": [
 "TA0002",
- "T1204.004"
+ "T1204.004",
+ "T1204"
 ],
 "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse"
 },
@@ -32757,7 +33621,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Wow6432Node Classes Autorun Keys Modification"
 },
@@ -32799,7 +33664,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
 },
@@ -32820,7 +33686,8 @@
 ],
 "tags": [
 "T1137.006",
- "TA0003"
+ "TA0003",
+ "T1137"
 ],
 "title": "Potential Persistence Via Visual Studio Tools for Office"
 },
@@ -32862,7 +33729,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.011"
+ "T1546.011",
+ "T1546"
 ],
 "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer"
 },
@@ -32904,7 +33772,8 @@
 ],
 "tags": [
 "TA0002",
- "T1204.002"
+ "T1204.002",
+ "T1204"
 ],
 "title": "New Application in AppCompat"
 },
@@ -32926,7 +33795,8 @@
 "tags": [
 "TA0003",
 "TA0005",
- "T1553.003"
+ "T1553.003",
+ "T1553"
 ],
 "title": "Persistence Via New SIP Provider"
 },
@@ -32947,7 +33817,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "Displaying Hidden Files Feature Disabled"
 },
@@ -32968,7 +33839,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Change Winevt Channel Access Permission Via Registry"
 },
@@ -33011,7 +33883,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "Potential Persistence Using DebugPath"
 },
@@ -33095,7 +33968,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value"
 },
@@ -33137,7 +34011,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable Windows Defender Functionalities Via Registry Keys"
 },
@@ -33178,7 +34053,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "System Scripts Autorun Keys Modification"
 },
@@ -33199,7 +34075,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Potential PendingFileRenameOperations Tampering"
 },
@@ -33220,7 +34097,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Disable Windows Event Logging Via Registry"
 },
@@ -33262,7 +34140,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable PUA Protection on Windows Defender"
 },
@@ -33303,7 +34182,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Path In Keyboard Layout IME File Registry Value"
 },
@@ -33344,7 +34224,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.002"
+ "T1564.002",
+ "T1564"
 ],
 "title": "Hiding User Account Via SpecialAccounts Registry Key"
 },
@@ -33365,7 +34246,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "Registry Persistence via Service in Safe Mode"
 },
@@ -33408,7 +34290,8 @@
 ],
 "tags": [
 "TA0005",
- "T1218.011"
+ "T1218.011",
+ "T1218"
 ],
 "title": "ScreenSaver Registry Key Set"
 },
@@ -33429,7 +34312,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Registry Persistence via Explorer Run Key"
 },
@@ -33450,7 +34334,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Suspicious PowerShell In Registry Run Keys"
 },
@@ -33535,7 +34420,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1547.003"
+ "T1547.003",
+ "T1547"
 ],
 "title": "New TimeProviders Registered With Uncommon DLL Name"
 },
@@ -33558,7 +34444,8 @@
 "TA0003",
 "TA0004",
 "TA0005",
- "T1574.012"
+ "T1574.012",
+ "T1574"
 ],
 "title": "Enabling COR Profiler Environment Variables"
 },
@@ -33579,7 +34466,8 @@
 ],
 "tags": [
 "TA0005",
- "T1564.001"
+ "T1564.001",
+ "T1564"
 ],
 "title": "PowerShell Logging Disabled Via Registry Key Tampering"
 },
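Review bot: The `PowerShell Logging Disabled Via Registry Key Tampering` hunk derives `+ "T1564"` from the existing `T1564.001` tag, which bakes a doubtful mapping one level higher: the neighbouring `Disable Windows Event Logging Via Registry` rule on this line is tagged `T1562.002` and gains `T1562`, and disabling PowerShell logging is the same kind of defense impairment, not hiding of artifacts. If the `T1564.001` tag is inherited from an upstream rule set it may be deliberate, but if it is a local mislabel, correcting the sub-technique first (so the derived parent becomes `T1562`) avoids having to fix two tags later. `Registry Persistence via Service in Safe Mode` on this line (`T1564.001` → `T1564`, with tactic `TA0005` despite the "Persistence" title) deserves the same check.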
@@ -33640,7 +34528,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable Tamper Protection on Windows Defender"
 },
@@ -33747,7 +34636,8 @@
 "TA0005",
 "TA0004",
 "T1548.002",
- "car.2019-04-001"
+ "car.2019-04-001",
+ "T1548"
 ],
 "title": "UAC Bypass via Sdclt"
 },
@@ -33811,7 +34701,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.010"
+ "T1547.010",
+ "T1547"
 ],
 "title": "Add Port Monitor Persistence in Registry"
 },
@@ -33832,7 +34723,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.004"
+ "T1547.004",
+ "T1547"
 ],
 "title": "Winlogon Notify Key Logon Persistence"
 },
@@ -33853,7 +34745,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "Lsass Full Dump Request Via DumpType Registry Settings"
 },
@@ -33876,7 +34769,8 @@
 "TA0005",
 "TA0040",
 "T1112",
- "T1491.001"
+ "T1491.001",
+ "T1491"
 ],
 "title": "Potentially Suspicious Desktop Background Change Via Registry"
 },
@@ -33897,7 +34791,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Wow6432Node CurrentVersion Autorun Keys Modification"
 },
@@ -33981,7 +34876,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.007"
+ "T1546.007",
+ "T1546"
 ],
 "title": "Potential Persistence Via Netsh Helper DLL - Registry"
 },
@@ -34002,7 +34898,8 @@
 ],
 "tags": [
 "TA0002",
- "T1559.002"
+ "T1559.002",
+ "T1559"
 ],
 "title": "Enable Microsoft Dynamic Data Exchange"
 },
@@ -34068,7 +34965,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.005"
+ "T1070.005",
+ "T1070"
 ],
 "title": "MaxMpxCt Registry Value Changed"
 },
@@ -34090,7 +34988,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Secure Desktop Prompt Disabled"
 },
@@ -34153,7 +35052,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "Potential Persistence Via Scrobj.dll COM Hijacking"
 },
@@ -34175,7 +35075,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Abusing Winsat Path Parsing - Registry"
 },
@@ -34257,7 +35158,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disable Exploit Guard Network Protection on Windows Defender"
 },
@@ -34300,7 +35202,8 @@
 "tags": [
 "TA0005",
 "T1547.001",
- "T1112"
+ "T1112",
+ "T1547"
 ],
 "title": "Windows Event Log Access Tampering Via Registry"
 },
@@ -34406,7 +35309,8 @@
 "tags": [
 "TA0005",
 "T1574.001",
- "T1112"
+ "T1112",
+ "T1574"
 ],
 "title": "New DNS ServerLevelPluginDll Installed"
 },
@@ -34448,7 +35352,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.010"
+ "T1547.010",
+ "T1547"
 ],
 "title": "Default RDP Port Changed to Non Standard Port"
 },
@@ -34491,7 +35396,8 @@
 "TA0005",
 "T1562.002",
 "T1112",
- "car.2022-03-001"
+ "car.2022-03-001",
+ "T1562"
 ],
 "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set"
 },
@@ -34512,7 +35418,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.007"
+ "T1546.007",
+ "T1546"
 ],
 "title": "New Netsh Helper DLL Registered From A Suspicious Location"
 },
@@ -34554,7 +35461,8 @@
 ],
 "tags": [
 "TA0002",
- "T1569.002"
+ "T1569.002",
+ "T1569"
 ],
 "title": "PowerShell as a Service in Registry"
 },
@@ -34575,7 +35483,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "VBScript Payload Stored in Registry"
 },
@@ -34596,7 +35505,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "WinSock2 Autorun Keys Modification"
 },
@@ -34638,7 +35548,8 @@
 ],
 "tags": [
 "T1562.001",
- "TA0005"
+ "TA0005",
+ "T1562"
 ],
 "title": "Suspicious Service Installed"
 },
@@ -34659,7 +35570,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Tamper With Sophos AV Registry Keys"
 },
@@ -34681,7 +35593,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Modify User Shell Folders Startup Value"
 },
@@ -34723,7 +35636,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Potential AMSI COM Server Hijacking"
 },
@@ -34787,7 +35701,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Internet Explorer Autorun Keys Modification"
 },
@@ -34869,7 +35784,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "New RUN Key Pointing to Suspicious Folder"
 },
@@ -34913,7 +35829,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Exclusions Added - Registry"
 },
@@ -34955,7 +35872,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Common Autorun Keys Modification"
 },
@@ -34997,7 +35915,8 @@
 ],
 "tags": [
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry"
 },
@@ -35039,7 +35958,8 @@
 ],
 "tags": [
 "TA0005",
- "T1036.003"
+ "T1036.003",
+ "T1036"
 ],
 "title": "Potential WerFault ReflectDebugger Registry Value Abuse"
 },
@@ -35063,7 +35983,8 @@
 "TA0003",
 "TA0005",
 "T1546.012",
- "car.2013-01-002"
+ "car.2013-01-002",
+ "T1546"
 ],
 "title": "Potential Persistence Via GlobalFlags"
 },
@@ -35084,7 +36005,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Python Function Execution Security Warning Disabled In Excel - Registry"
 },
@@ -35147,7 +36069,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.011"
+ "T1546.011",
+ "T1546"
 ],
 "title": "Potential Persistence Via Shim Database Modification"
 },
@@ -35193,7 +36116,10 @@
 "TA0008",
 "T1021.002",
 "T1543.003",
- "T1569.002"
+ "T1569.002",
+ "T1021",
+ "T1569",
+ "T1543"
 ],
 "title": "Potential CobaltStrike Service Installations - Registry"
 },
@@ -35256,7 +36182,8 @@
 "tags": [
 "TA0005",
 "T1574.001",
- "T1112"
+ "T1112",
+ "T1574"
 ],
 "title": "DHCP Callout DLL Installation"
 },
@@ -35318,7 +36245,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Suspicious Application Allowed Through Exploit Guard"
 },
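Review bot: The parent-technique tags are appended in no stable order, which makes this presumably generated change noisy to re-run and review: in "Potential CobaltStrike Service Installations - Registry" the parents come out as `"T1021", "T1569", "T1543"` while the sub-techniques above them read `T1021.002, T1543.003, T1569.002`, the three CVE-2017 rules on the next-but-one line alternate `"T1566", "T1204"` and `"T1204", "T1566"`, and the four OilRig rules two lines further on receive the same three parents in three different orders. Emitting the parents sorted, or in the order of the sub-technique that produced each one, would make regeneration diff cleanly. The generator should also skip a parent that is already present, since some rules carry one by hand before this change ("Hacktool Ruler" already lists `"T1059"`, "Startup/Logon Script Added to Group Policy Object" already lists `"T1547"`), so a second run without a dedup check would produce duplicate entries in `tags`.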
@@ -35361,7 +36289,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "Bypass UAC Using DelegateExecute"
 },
@@ -35382,7 +36311,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.004"
+ "T1562.004",
+ "T1562"
 ],
 "title": "Disable Microsoft Defender Firewall via Registry"
 },
@@ -35403,7 +36333,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Hypervisor Enforced Paging Translation Disabled"
 },
@@ -35425,7 +36356,8 @@
 "tags": [
 "TA0004",
 "TA0005",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Disabled"
 },
@@ -35467,7 +36399,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "Suspicious Keyboard Layout Load"
 },
@@ -35488,7 +36421,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.011"
+ "T1546.011",
+ "T1546"
 ],
 "title": "Suspicious Shim Database Patching Activity"
 },
@@ -35509,7 +36443,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Disabled Windows Defender Eventlog"
 },
@@ -35530,7 +36465,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Potential EventLog File Location Tampering"
 },
@@ -35615,7 +36551,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Scripted Diagnostics Turn Off Check Enabled - Registry"
 },
@@ -35657,7 +36594,8 @@
 ],
 "tags": [
 "TA0005",
- "T1070.005"
+ "T1070.005",
+ "T1070"
 ],
 "title": "Disable Administrative Share Creation at Startup"
 },
@@ -35741,7 +36679,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.010"
+ "T1547.010",
+ "T1547"
 ],
 "title": "Bypass UAC Using Event Viewer"
 },
@@ -35763,7 +36702,9 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "T1546.009"
+ "T1546.009",
+ "T1546",
+ "T1547"
 ],
 "title": "Session Manager Autorun Keys Modification"
 },
@@ -35785,7 +36726,8 @@
 "tags": [
 "TA0005",
 "TA0004",
- "T1548.002"
+ "T1548.002",
+ "T1548"
 ],
 "title": "UAC Bypass Using Windows Media Player - Registry"
 },
@@ -35806,7 +36748,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.012"
+ "T1546.012",
+ "T1546"
 ],
 "title": "Potential Persistence Via App Paths Default Property"
 },
@@ -35848,7 +36791,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1543.003"
+ "T1543.003",
+ "T1543"
 ],
 "title": "ServiceDll Hijack"
 },
@@ -35891,7 +36835,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry"
 },
@@ -35912,7 +36857,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.001"
+ "T1547.001",
+ "T1547"
 ],
 "title": "Office Autorun Keys Modification"
 },
@@ -35953,7 +36899,8 @@
 ],
 "tags": [
 "TA0003",
- "T1546.015"
+ "T1546.015",
+ "T1546"
 ],
 "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry"
 },
@@ -36015,7 +36962,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry"
 },
@@ -36036,7 +36984,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "PUA - Sysinternals Tools Execution - Registry"
 },
@@ -36058,7 +37007,8 @@
 "tags": [
 "T1037.001",
 "TA0003",
- "TA0008"
+ "TA0008",
+ "T1037"
 ],
 "title": "Potential Persistence Via Logon Scripts - Registry"
 },
@@ -36079,7 +37029,8 @@
 ],
 "tags": [
 "TA0042",
- "T1588.002"
+ "T1588.002",
+ "T1588"
 ],
 "title": "PUA - Sysinternal Tool Execution - Registry"
 },
@@ -36287,7 +37238,8 @@
 "TA0005",
 "TA0002",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Potential Raspberry Robin CPL Execution Activity"
 },
@@ -36331,7 +37283,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Kapeka Backdoor Autorun Persistence"
 },
@@ -36353,7 +37306,8 @@
 "tags": [
 "TA0003",
 "T1053.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053"
 ],
 "title": "Kapeka Backdoor Persistence Activity"
 },
@@ -36378,7 +37332,8 @@
 "TA0004",
 "TA0003",
 "T1053.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053"
 ],
 "title": "Kapeka Backdoor Scheduled Task Creation"
 },
@@ -36400,7 +37355,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Kapeka Backdoor Execution Via RunDLL32.EXE"
 },
@@ -36423,7 +37379,8 @@
 "TA0003",
 "TA0005",
 "T1553.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1553"
 ],
 "title": "Kapeka Backdoor Configuration Persistence"
 },
@@ -36488,7 +37445,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence"
 },
@@ -36510,7 +37468,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Forest Blizzard APT - Custom Protocol Handler Creation"
 },
@@ -36532,7 +37491,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set"
 },
@@ -36577,7 +37537,8 @@
 "TA0002",
 "T1059.001",
 "T1059.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential APT FIN7 Exploitation Activity"
 },
@@ -36603,7 +37564,9 @@
 "TA0001",
 "T1566.001",
 "cve.2017-8759",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1566",
+ "T1204"
 ],
 "title": "Exploit for CVE-2017-8759"
 },
@@ -36629,7 +37592,9 @@
 "TA0001",
 "T1566.001",
 "cve.2017-11882",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1204",
+ "T1566"
 ],
 "title": "Droppers Exploiting CVE-2017-11882"
 },
@@ -36655,7 +37620,9 @@
 "TA0001",
 "T1566.001",
 "cve.2017-0261",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1566",
+ "T1204"
 ],
 "title": "Exploit for CVE-2017-0261"
 },
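Review bot: Several hunks add a parent technique for which no matching sub-technique is visible in the context: "Exploit for CVE-2017-8759", "Droppers Exploiting CVE-2017-11882" and "Exploit for CVE-2017-0261" gain `"T1204"` next to `T1566.001`, and on the following lines "WannaCry Ransomware Activity" gains `"T1222"` beside `T1486`/`T1490`, "NotPetya Ransomware Activity" gains `"T1218"` and `"T1070"` beside `T1003.001`, the OilRig rules gain `"T1053"` and `"T1543"` beside `T1071.004`, "Potential Maze Ransomware Activity" gains `"T1204"`, "Turla Group Lateral Movement" gains `"T1021"` beside `T1083`/`T1135`, "Greenbug Espionage Group Indicators" gains `"T1059"`, "Operation Wocao Activity" gains `"T1036"`, and "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)" gains `"T1059"` beside `T1068`/`T1190`. Every one of these hunks starts mid-array, so the corresponding `Txxxx.yyy` entry may simply be above the three context lines; if the mapping is meant to be sub-technique → parent, a check that each added parent has a sub-technique somewhere in the same `tags` array would either confirm these or flag them as hand-picked parents that deserve a separate commit. If they are intentional additions of parent-level coverage, the commit message should say so, because a consumer that filters by technique will start matching these rules on tactics the visible tags do not otherwise claim.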
@@ -36684,7 +37651,8 @@
 "TA0040",
 "T1486",
 "T1490",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1222"
 ],
 "title": "WannaCry Ransomware Activity"
 },
@@ -36710,7 +37678,10 @@
 "TA0006",
 "T1003.001",
 "car.2016-04-002",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218",
+ "T1003",
+ "T1070"
 ],
 "title": "NotPetya Ransomware Activity"
 },
@@ -36733,7 +37704,9 @@
 "TA0003",
 "T1543.003",
 "T1569.002",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1543",
+ "T1569"
 ],
 "title": "CosmicDuke Service Installation"
 },
@@ -36756,7 +37729,8 @@
 "TA0002",
 "T1059.005",
 "T1059.007",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Adwind RAT / JRAT"
 },
@@ -36779,7 +37753,8 @@
 "TA0002",
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Fireball Archer Install"
 },
@@ -36800,7 +37775,8 @@
 "TA0003",
 "attack.g0064",
 "T1543.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1543"
 ],
 "title": "StoneDrill Service Install"
 },
@@ -36823,7 +37799,8 @@
 "attack.s0013",
 "TA0005",
 "T1574.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Potential PlugX Activity"
 },
@@ -36847,7 +37824,8 @@
 "attack.g0035",
 "T1036.003",
 "car.2013-05-009",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1036"
 ],
 "title": "Ps.exe Renamed SysInternals Tool"
 },
@@ -36868,7 +37846,8 @@
 "TA0003",
 "attack.g0010",
 "T1543.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1543"
 ],
 "title": "Turla PNG Dropper Service"
 },
@@ -36889,7 +37868,8 @@
 "TA0003",
 "attack.g0010",
 "T1543.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1543"
 ],
 "title": "Turla Service Install"
 },
@@ -36911,7 +37891,8 @@
 "tags": [
 "TA0005",
 "T1036.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1036"
 ],
 "title": "Lazarus System Binary Masquerading"
 },
@@ -36934,7 +37915,8 @@
 "TA0002",
 "attack.g0045",
 "T1059.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential APT10 Cloud Hopper Activity"
 },
@@ -36959,7 +37941,8 @@
 "attack.s0081",
 "TA0002",
 "T1059.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Elise Backdoor Activity"
 },
@@ -36989,7 +37972,10 @@
 "T1112",
 "TA0011",
 "T1071.004",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1071",
+ "T1053",
+ "T1543"
 ],
 "title": "OilRig APT Schedule Task Persistence - Security"
 },
@@ -37018,7 +38004,10 @@
 "T1112",
 "TA0011",
 "T1071.004",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053",
+ "T1071",
+ "T1543"
 ],
 "title": "OilRig APT Registry Persistence"
 },
@@ -37047,7 +38036,10 @@
 "T1112",
 "TA0011",
 "T1071.004",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053",
+ "T1071",
+ "T1543"
 ],
 "title": "OilRig APT Activity"
 },
@@ -37074,7 +38066,10 @@
 "T1112",
 "TA0011",
 "T1071.004",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1071",
+ "T1543",
+ "T1053"
 ],
 "title": "OilRig APT Schedule Task Persistence - System"
 },
@@ -37097,7 +38092,8 @@
 "TA0005",
 "TA0002",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "APT29 2018 Phishing Campaign CommandLine Indicators"
 },
@@ -37166,7 +38162,8 @@
 "TA0003",
 "T1053.005",
 "attack.s0111",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053"
 ],
 "title": "Defrag Deactivation"
 },
@@ -37192,7 +38189,9 @@
 "T1059.003",
 "T1218.011",
 "car.2013-10-002",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059",
+ "T1218"
 ],
 "title": "Sofacy Trojan Loader Activity"
 },
@@ -37238,7 +38237,8 @@
 "TA0005",
 "T1574.001",
 "attack.g0027",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "APT27 - Emissary Panda Activity"
 },
@@ -37260,7 +38260,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "TropicTrooper Campaign November 2018"
 },
@@ -37330,7 +38331,8 @@
 "TA0002",
 "T1569.002",
 "cve.2020-1350",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1569"
 ],
 "title": "DNS RCE CVE-2020-1350"
 },
@@ -37354,7 +38356,8 @@
 "TA0002",
 "T1059.001",
 "cve.2020-1048",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)"
 },
@@ -37406,7 +38409,8 @@
 "T1059.003",
 "attack.s0190",
 "cve.2020-10189",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Exploited CVE-2020-10189 Zoho ManageEngine"
 },
@@ -37452,7 +38456,8 @@
 "attack.g0004",
 "TA0005",
 "T1562.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1562"
 ],
 "title": "Potential Ke3chang/TidePool Malware Activity"
 },
@@ -37496,7 +38501,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Potential Emotet Rundll32 Execution"
 },
@@ -37521,7 +38527,8 @@
 "T1047",
 "TA0040",
 "T1490",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1204"
 ],
 "title": "Potential Maze Ransomware Activity"
 },
@@ -37544,7 +38551,8 @@
 "TA0002",
 "T1059.001",
 "T1047",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "UNC2452 PowerShell Pattern"
 },
@@ -37566,7 +38574,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "UNC2452 Process Creation Patterns"
 },
@@ -37588,7 +38597,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Suspicious VBScript UN2452 Pattern"
 },
@@ -37610,7 +38620,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "EvilNum APT Golden Chickens Deployment Via OCX Files"
 },
@@ -37632,7 +38643,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Leviathan Registry Key Activity"
 },
@@ -37659,7 +38671,9 @@
 "T1105",
 "TA0005",
 "T1036.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1036",
+ "T1059"
 ],
 "title": "Greenbug Espionage Group Indicators"
 },
@@ -37705,7 +38719,8 @@
 "TA0005",
 "T1574.001",
 "attack.g0044",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Winnti Malware HK University Campaign"
 },
@@ -37728,7 +38743,8 @@
 "TA0005",
 "T1574.001",
 "attack.g0044",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Winnti Pipemon Characteristics"
 },
@@ -37750,7 +38766,8 @@
 "tags": [
 "TA0002",
 "T1055.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1055"
 ],
 "title": "TAIDOOR RAT DLL Load"
 },
@@ -37796,7 +38813,8 @@
 "T1059.006",
 "T1190",
 "cve.2022-22954",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution"
 },
@@ -37908,7 +38926,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Raspberry Robin Subsequent Execution of Commands"
 },
@@ -37930,7 +38949,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Raspberry Robin Initial Execution From External Drive"
 },
@@ -38003,7 +39023,9 @@
 "TA0003",
 "T1053.005",
 "T1059.006",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059",
+ "T1053"
 ],
 "title": "Serpent Backdoor Payload Execution Via Scheduled Task"
 },
@@ -38025,7 +39047,8 @@
 "tags": [
 "TA0002",
 "T1059.006",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Emotet Loader Execution Via .LNK File"
 },
@@ -38048,7 +39071,8 @@
 "TA0002",
 "TA0008",
 "T1021.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1021"
 ],
 "title": "Hermetic Wiper TG Process Patterns"
 },
@@ -38114,7 +39138,8 @@
 "TA0002",
 "T1059.001",
 "attack.g0069",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "MERCURY APT Activity"
 },
@@ -38139,7 +39164,9 @@
 "T1059.001",
 "T1053.005",
 "T1027",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059",
+ "T1053"
 ],
 "title": "Turla Group Commands May 2020"
 },
@@ -38167,7 +39194,8 @@
 "TA0007",
 "T1083",
 "T1135",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1021"
 ],
 "title": "Turla Group Lateral Movement"
 },
@@ -38193,7 +39221,9 @@
 "T1218.011",
 "attack.s0412",
 "attack.g0001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218",
+ "T1059"
 ],
 "title": "ZxShell Malware"
 },
@@ -38336,7 +39366,8 @@
 "TA0006",
 "T1558.003",
 "cve.2021-42278",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1558"
 ],
 "title": "Potential CVE-2021-42278 Exploitation Attempt"
 },
@@ -38424,7 +39455,8 @@
 "TA0003",
 "T1136.001",
 "cve.2021-35211",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1136"
 ],
 "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322"
 },
@@ -38701,7 +39733,8 @@
 "tags": [
 "T1587.001",
 "TA0042",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1587"
 ],
 "title": "Conti Volume Shadow Listing"
 },
@@ -38750,7 +39783,8 @@
 "T1498",
 "T1059.001",
 "T1140",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential BlackByte Ransomware Activity"
 },
@@ -38794,7 +39828,8 @@
 "tags": [
 "TA0003",
 "T1574.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Pingback Backdoor Activity"
 },
@@ -38898,7 +39933,8 @@
 "tags": [
 "TA0003",
 "T1574.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Small Sieve Malware CommandLine Indicator"
 },
@@ -39015,7 +40051,8 @@
 "TA0004",
 "T1053.005",
 "car.2013-08-001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053"
 ],
 "title": "Potential BearLPE Exploitation"
 },
@@ -39042,7 +40079,9 @@
 "T1059.003",
 "T1059.001",
 "T1218.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059",
+ "T1218"
 ],
 "title": "Potential Baby Shark Malware Activity"
 },
@@ -39064,7 +40103,8 @@
 "tags": [
 "TA0002",
 "T1059.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential QBot Activity"
 },
@@ -39086,7 +40126,8 @@
 "tags": [
 "TA0042",
 "T1587.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1587"
 ],
 "title": "Formbook Process Creation"
 },
@@ -39202,7 +40243,8 @@
 "T1059.001",
 "TA0005",
 "T1027",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential Emotet Activity"
 },
@@ -39246,7 +40288,8 @@
 "tags": [
 "TA0003",
 "T1547.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1547"
 ],
 "title": "Potential Ryuk Ransomware Activity"
 },
@@ -39268,7 +40311,8 @@
 "tags": [
 "TA0005",
 "T1218.010",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Potential EmpireMonkey Activity"
 },
@@ -39291,7 +40335,8 @@
 "attack.g0020",
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Equation Group DLL_U Export Function Load"
 },
@@ -39313,7 +40358,8 @@
 "tags": [
 "T1587.001",
 "TA0042",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1587"
 ],
 "title": "Mustang Panda Dropper"
 },
@@ -39336,7 +40382,9 @@
 "TA0006",
 "T1552.001",
 "T1003.003",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1552",
+ "T1003"
 ],
 "title": "Potential Russian APT Credential Theft Activity"
 },
@@ -39361,7 +40409,9 @@
 "attack.g0128",
 "T1003.001",
 "T1560.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1560",
+ "T1003"
 ],
 "title": "APT31 Judgement Panda Activity"
 },
@@ -39389,7 +40439,10 @@
 "TA0002",
 "T1053.005",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059",
+ "T1036",
+ "T1053"
 ],
 "title": "Operation Wocao Activity"
 },
@@ -39417,7 +40470,10 @@
 "TA0002",
 "T1053.005",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1036",
+ "T1059",
+ "T1053"
 ],
 "title": "Operation Wocao Activity - Security"
 },
@@ -39439,7 +40495,8 @@
 "tags": [
 "TA0005",
 "T1218.010",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32"
 },
@@ -39514,7 +40571,8 @@
 "T1059.003",
 "T1190",
 "cve.2025-31161",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Suspicious CrushFTP Child Process"
 },
@@ -39541,7 +40599,8 @@
 "T1068",
 "T1190",
 "cve.2025-54309",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)"
 },
@@ -39565,7 +40624,8 @@
 "TA0005",
 "T1574.008",
 "cve.2025-49144",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1574"
 ],
 "title": "Potential Notepad++ CVE-2025-49144 Exploitation"
 },
@@ -39591,7 +40651,9 @@
 "T1071.001",
 "T1059.001",
 "attack.s0183",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1071",
+ "T1059"
 ],
 "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution"
 },
@@ -39614,7 +40676,8 @@
 "TA0005",
 "T1036.005",
 "cve.2015-1641",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1036"
 ],
 "title": "Exploit for CVE-2015-1641"
 },
@@ -39819,7 +40882,8 @@
 "T1059.003",
 "T1059.001",
 "TA0005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Rorschach Ransomware Execution Activity"
 },
@@ -39841,7 +40905,8 @@
 "tags": [
 "TA0005",
 "T1055.012",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1055"
 ],
 "title": "Potential Pikabot Hollowing Activity"
 },
@@ -39911,7 +40976,8 @@
 "T1059.003",
 "T1105",
 "T1218",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE"
 },
@@ -39955,7 +41021,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32"
 },
@@ -40253,7 +41320,8 @@
 "tags": [
 "TA0003",
 "T1136.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1136"
 ],
 "title": "DarkGate - User Created Via Net.EXE"
 },
@@ -40382,7 +41450,8 @@
 "tags": [
 "TA0005",
 "T1218.011",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1218"
 ],
 "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE"
 },
@@ -40495,7 +41564,8 @@
 "TA0004",
 "TA0003",
 "T1053.005",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1053"
 ],
 "title": "Diamond Sleet APT Scheduled Task Creation"
 },
@@ -40602,7 +41672,8 @@
 "TA0002",
 "T1059.001",
 "attack.g0046",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential POWERTRASH Script Execution"
 },
@@ -40624,7 +41695,8 @@
 "TA0002",
 "T1059.001",
 "attack.g0046",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Potential APT FIN7 POWERHOLD Execution"
 },
@@ -40736,7 +41808,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Lace Tempest PowerShell Launcher"
 },
@@ -40757,7 +41830,8 @@
 "tags": [
 "TA0002",
 "T1059.001",
- "detection.emerging-threats"
+ "detection.emerging-threats",
+ "T1059"
 ],
 "title": "Lace Tempest PowerShell Evidence Eraser"
 },
@@ -40882,7 +41956,8 @@
 "tags": [
 "TA0005",
 "T1211",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Microsoft Malware Protection Engine Crash - WER"
 },
@@ -40937,7 +42012,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0006",
- "T1003.001"
+ "T1003.001",
+ "T1003"
 ],
 "title": "LSASS Access Detected via Attack Surface Reduction"
 },
@@ -40956,7 +42032,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Real-time Protection Disabled"
 },
@@ -40997,7 +42074,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Grace Period Expired"
 },
@@ -41016,7 +42094,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Win Defender Restored Quarantine File"
 },
@@ -41036,7 +42115,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Real-Time Protection Failure/Restart"
 },
@@ -41076,7 +42156,8 @@
 "TA0002",
 "TA0008",
 "T1047",
- "T1569.002"
+ "T1569.002",
+ "T1569"
 ],
 "title": "PSExec and WMI Process Creations Block"
 },
@@ -41095,7 +42176,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Exclusions Added"
 },
@@ -41114,7 +42196,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Configuration Changes"
 },
@@ -41133,7 +42216,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Exploit Guard Tamper"
 },
@@ -41152,7 +42236,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Malware And PUA Scanning Disabled"
 },
@@ -41171,7 +42256,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Submit Sample Feature Disabled"
 },
@@ -41190,7 +42276,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Microsoft Defender Tamper Protection Trigger"
 },
@@ -41209,7 +42296,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Virus Scanning Feature Disabled"
 },
@@ -41360,7 +42448,8 @@
 ],
 "tags": [
 "TA0004",
- "T1484.001"
+ "T1484.001",
+ "T1484"
 ],
 "title": "Group Policy Abuse for Privilege Addition"
 },
@@ -41381,7 +42470,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Suspicious PsExec Execution"
 },
@@ -41412,7 +42502,8 @@
 "T1087",
 "T1114",
 "T1059",
- "T1550.002"
+ "T1550.002",
+ "T1550"
 ],
 "title": "Hacktool Ruler"
 },
@@ -41437,7 +42528,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Exclusion Registry Key - Write Access Requested"
 },
@@ -41458,7 +42550,8 @@
 ],
 "tags": [
 "TA0002",
- "T1569.002"
+ "T1569.002",
+ "T1569"
 ],
 "title": "PowerShell Scripts Installed as Services - Security"
 },
@@ -41480,7 +42573,8 @@
 ],
 "tags": [
 "TA0007",
- "T1087.002"
+ "T1087.002",
+ "T1087"
 ],
 "title": "AD Privileged Users or Groups Reconnaissance"
 },
@@ -41502,7 +42596,8 @@
 "tags": [
 "TA0004",
 "T1134.001",
- "T1134.002"
+ "T1134.002",
+ "T1134"
 ],
 "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security"
 },
@@ -41548,7 +42643,8 @@
 "TA0002",
 "TA0004",
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Suspicious Scheduled Task Creation"
 },
@@ -41590,7 +42686,8 @@
 "TA0005",
 "TA0001",
 "T1027",
- "T1566.001"
+ "T1566.001",
+ "T1566"
 ],
 "title": "Password Protected ZIP File Opened (Email Attachment)"
 },
@@ -41613,7 +42710,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation CLIP+ Launcher - Security"
 },
@@ -41658,7 +42756,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.001"
+ "T1562.001",
+ "T1562"
 ],
 "title": "Windows Defender Exclusion List Modified"
 },
@@ -41743,7 +42842,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation STDIN+ Launcher - Security"
 },
@@ -41764,7 +42864,8 @@
 ],
 "tags": [
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "Kerberoasting Activity - Initial Query"
 },
@@ -41788,7 +42889,8 @@
 "tags": [
 "TA0004",
 "T1484.001",
- "T1547"
+ "T1547",
+ "T1484"
 ],
 "title": "Startup/Logon Script Added to Group Policy Object"
 },
@@ -41814,7 +42916,8 @@
 "TA0006",
 "T1557.003",
 "TA0003",
- "TA0004"
+ "TA0004",
+ "T1557"
 ],
 "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation"
 },
@@ -41863,7 +42966,8 @@
 ],
 "tags": [
 "TA0001",
- "T1566.001"
+ "T1566.001",
+ "T1566"
 ],
 "title": "ISO Image Mounted"
 },
@@ -41931,7 +43035,8 @@
 "tags": [
 "TA0006",
 "attack.s0002",
- "T1003.006"
+ "T1003.006",
+ "T1003"
 ],
 "title": "Mimikatz DC Sync"
 },
@@ -41952,7 +43057,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Access To ADMIN$ Network Share"
 },
@@ -42019,7 +43125,8 @@
 "TA0002",
 "TA0004",
 "TA0003",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Important Scheduled Task Deleted/Disabled"
 },
@@ -42061,7 +43168,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "DCERPC SMB Spoolss Named Pipe"
 },
@@ -42082,7 +43190,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "First Time Seen Remote Named Pipe"
 },
@@ -42126,7 +43235,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation Via Stdin - Security"
 },
@@ -42172,7 +43282,8 @@
 "tags": [
 "TA0003",
 "TA0004",
- "T1546.003"
+ "T1546.003",
+ "T1546"
 ],
 "title": "WMI Persistence - Security"
 },
@@ -42220,7 +43331,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security"
 },
@@ -42262,7 +43374,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Important Windows Event Auditing Disabled"
 },
@@ -42283,7 +43396,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.004"
+ "T1003.004",
+ "T1003"
 ],
 "title": "DPAPI Domain Backup Key Extraction"
 },
@@ -42306,7 +43420,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation Via Use Rundll32 - Security"
 },
@@ -42328,7 +43443,8 @@
 "tags": [
 "TA0008",
 "TA0003",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Remote Service Activity via SVCCTL Named Pipe"
 },
@@ -42374,7 +43490,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation VAR+ Launcher - Security"
 },
@@ -42483,7 +43600,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.002"
+ "T1003.002",
+ "T1003"
 ],
 "title": "VSSAudit Security Event Source Registration"
 },
@@ -42504,7 +43622,8 @@
 ],
 "tags": [
 "TA0003",
- "T1136.001"
+ "T1136.001",
+ "T1136"
 ],
 "title": "Local User Creation"
 },
@@ -42526,7 +43645,8 @@
 "tags": [
 "TA0008",
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "Uncommon Outbound Kerberos Connection - Security"
 },
@@ -42547,7 +43667,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.006"
+ "T1003.006",
+ "T1003"
 ],
 "title": "Active Directory Replication from Non Machine Account"
 },
@@ -42570,7 +43691,9 @@
 "TA0003",
 "TA0002",
 "T1543.003",
- "T1569.002"
+ "T1569.002",
+ "T1543",
+ "T1569"
 ],
 "title": "Remote Access Tool Services Have Been Installed - Security"
 },
@@ -42591,7 +43714,8 @@
 ],
 "tags": [
 "TA0005",
- "T1562.002"
+ "T1562.002",
+ "T1562"
 ],
 "title": "Windows Event Auditing Disabled"
 },
@@ -42616,7 +43740,8 @@
 ],
 "tags": [
 "TA0008",
- "T1021.002"
+ "T1021.002",
+ "T1021"
 ],
 "title": "Metasploit SMB Authentication"
 },
@@ -42685,7 +43810,8 @@
 "TA0005",
 "TA0003",
 "TA0004",
- "T1574.011"
+ "T1574.011",
+ "T1574"
 ],
 "title": "Service Registry Key Read Access Request"
 },
@@ -42706,7 +43832,8 @@
 ],
 "tags": [
 "TA0006",
- "T1558.003"
+ "T1558.003",
+ "T1558"
 ],
 "title": "Suspicious Kerberos RC4 Ticket Encryption"
 },
@@ -42731,7 +43858,10 @@
 "TA0008",
 "T1021.002",
 "T1543.003",
- "T1569.002"
+ "T1569.002",
+ "T1021",
+ "T1543",
+ "T1569"
 ],
 "title": "CobaltStrike Service Installations - Security"
 },
@@ -42792,7 +43922,8 @@
 ],
 "tags": [
 "TA0006",
- "T1003.004"
+ "T1003.004",
+ "T1003"
 ],
 "title": "DPAPI Domain Master Key Backup Attempt"
 },
@@ -42813,7 +43944,8 @@
 ],
 "tags": [
 "TA0003",
- "T1547.009"
+ "T1547.009",
+ "T1547"
 ],
 "title": "Windows Network Access Suspicious desktop.ini Action"
 },
@@ -42837,7 +43969,8 @@
 "tags": [
 "TA0003",
 "TA0008",
- "T1053.005"
+ "T1053.005",
+ "T1053"
 ],
 "title": "Persistence and Execution at Scale via GPO Scheduled Task"
 },
@@ -42856,7 +43989,8 @@
 "subcategory_guids": [],
 "tags": [
 "TA0008",
- "T1021.001"
+ "T1021.001",
+ "T1021"
 ],
 "title": "Denied Access To Remote Desktop"
 },
@@ -42877,7 +44011,8 @@
 ],
 "tags": [
 "TA0003",
- "T1136.001"
+ "T1136.001",
+ "T1136"
 ],
 "title": "Hidden Local User Creation"
 },
@@ -42900,7 +44035,8 @@
 "TA0005",
 "T1027",
 "TA0002",
- "T1059.001"
+ "T1059.001",
+ "T1059"
 ],
 "title": "Invoke-Obfuscation Via Use Clip - Security"
 },
@@ -42921,7 +44057,8 @@
 ],
 "tags": [
 "T1001.003",
- "TA0011"
+ "TA0011",
+ "T1001"
 ],
 "title": "Suspicious LDAP-Attributes Used"
 },
@@ -42947,7 +44084,8 @@ "tags": [ "TA0006", "car.2019-04-004", - "T1003.001" + "T1003.001", + "T1003" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -43033,7 +44171,8 @@ ], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "Impacket PsExec Execution" }, @@ -43080,7 +44219,8 @@ "tags": [ "TA0008", "TA0004", - "T1558.003" + "T1558.003", + "T1558" ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, @@ -43101,7 +44241,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Weak Encryption Enabled and Kerberoast" }, @@ -43122,7 +44263,8 @@ "tags": [ "TA0005", "T1070.001", - "car.2016-04-002" + "car.2016-04-002", + "T1070" ], "title": "Security Eventlog Cleared" }, @@ -43146,7 +44288,8 @@ "TA0002", "TA0004", "TA0003", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Suspicious Scheduled Task Update" }, @@ -43190,7 +44333,8 @@ "tags": [ "TA0005", "T1562.001", - "T1112" + "T1112", + "T1562" ], "title": "NetNTLM Downgrade Attack" }, @@ -43214,7 +44358,9 @@ "T1021.002", "T1570", "TA0002", - "T1569.002" + "T1569.002", + "T1021", + "T1569" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -43237,7 +44383,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use MSHTA - Security" }, @@ -43263,7 +44410,9 @@ "T1090.001", "T1090.002", "T1021.001", - "car.2013-07-002" + "car.2013-07-002", + "T1090", + "T1021" ], "title": "RDP over Reverse SSH Tunnel WFP" }, @@ -43310,7 +44459,8 @@ ], "tags": [ "TA0006", - "T1003.001" + "T1003.001", + "T1003" ], "title": "Password Dumper Activity on LSASS" }, @@ -43338,7 +44488,9 @@ "T1003.005", "T1003.006", "T1569.002", - "attack.s0005" + "attack.s0005", + "T1003", + "T1569" ], "title": "Credential Dumping Tools Service Execution - Security" }, 
@@ -43385,7 +44537,8 @@ ], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "Protected Storage Service Access" }, @@ -43408,7 +44561,8 @@ "TA0006", "T1003.002", "T1003.004", - "T1003.003" + "T1003.003", + "T1003" ], "title": "Possible Impacket SecretDump Remote Activity" }, @@ -43431,7 +44585,8 @@ "TA0008", "TA0004", "TA0006", - "T1558.003" + "T1558.003", + "T1558" ], "title": "Register new Logon Process by Rubeus" }, @@ -43563,7 +44718,8 @@ "tags": [ "TA0008", "car.2013-07-002", - "T1021.001" + "T1021.001", + "T1021" ], "title": "RDP Login from Localhost" }, @@ -43609,7 +44765,8 @@ "TA0005", "TA0004", "T1134.001", - "stp.4u" + "stp.4u", + "T1134" ], "title": "Potential Access Token Abuse" }, @@ -43631,7 +44788,8 @@ "tags": [ "TA0008", "attack.s0002", - "T1550.002" + "T1550.002", + "T1550" ], "title": "Successful Overpass the Hash Attempt" }, @@ -43698,7 +44856,8 @@ ], "tags": [ "TA0008", - "T1550.002" + "T1550.002", + "T1550" ], "title": "Pass the Hash Activity 2" }, @@ -43791,7 +44950,8 @@ "T1078.001", "T1078.002", "T1078.003", - "car.2016-04-005" + "car.2016-04-005", + "T1078" ], "title": "Admin User Remote Logon" }, @@ -43813,7 +44973,8 @@ "tags": [ "TA0004", "TA0006", - "T1557.001" + "T1557.001", + "T1557" ], "title": "RottenPotato Like Attack Pattern" }, @@ -43835,7 +44996,8 @@ ], "tags": [ "TA0005", - "T1027.001" + "T1027.001", + "T1027" ], "title": "Failed Code Integrity Checks" }, @@ -43856,7 +45018,8 @@ ], "tags": [ "TA0005", - "T1222.001" + "T1222.001", + "T1222" ], "title": "AD Object WriteDAC Access" }, @@ -43922,7 +45085,8 @@ ], "tags": [ "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "SMB Create Remote File Admin Share" }, @@ -44035,7 +45199,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" }, 
@@ -44057,7 +45222,8 @@ ], "tags": [ "TA0005", - "T1070.006" + "T1070.006", + "T1070" ], "title": "Unauthorized System Time Modification" }, @@ -44079,7 +45245,8 @@ "tags": [ "TA0008", "T1021.002", - "T1021.003" + "T1021.003", + "T1021" ], "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" }, @@ -44122,7 +45289,8 @@ "tags": [ "TA0003", "T1136.001", - "T1136.002" + "T1136.002", + "T1136" ], "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, @@ -44144,7 +45312,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, @@ -44190,7 +45359,8 @@ ], "tags": [ "TA0007", - "T1087.002" + "T1087.002", + "T1087" ], "title": "Potential AD User Enumeration From Non-Machine Account" }, @@ -44213,7 +45383,8 @@ "TA0006", "T1003.002", "T1003.001", - "T1003.003" + "T1003.003", + "T1003" ], "title": "Transferring Files with Credential Data via Network Shares" }, @@ -44259,7 +45430,8 @@ "TA0003", "car.2013-05-004", "car.2015-04-001", - "T1053.002" + "T1053.002", + "T1053" ], "title": "Remote Task Creation via ATSVC Named Pipe" }, @@ -44309,7 +45481,8 @@ ], "tags": [ "TA0006", - "T1003.001" + "T1003.001", + "T1003" ], "title": "LSASS Access From Non System Account" }, @@ -44341,7 +45514,10 @@ "T1027.005", "T1485", "T1553.002", - "attack.s0195" + "attack.s0195", + "T1027", + "T1070", + "T1553" ], "title": "Potential Secure Deletion with SDelete" }, @@ -44386,7 +45562,9 @@ "TA0007", "T1087.002", "T1069.002", - "attack.s0039" + "attack.s0039", + "T1087", + "T1069" ], "title": "Reconnaissance Activity" }, @@ -44407,7 +45585,8 @@ ], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Remote PowerShell Sessions Network Connections (WinRM)" }, @@ -44430,7 +45609,8 @@ "TA0002", "T1047", "TA0008", - "T1021.002" + "T1021.002", + "T1021" ], "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, 
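Review bot: In the `Potential Secure Deletion with SDelete` hunk, `"T1070"` is appended although no `T1070.xxx` sub-technique appears in the visible tag context (`T1027.005`, `T1485`, `T1553.002`, `attack.s0195`); the `T1027` and `T1553` additions are accounted for by visible sub-techniques, this one is not. It is probably derived from a tag earlier in the array, above the hunk, but it is worth confirming that every added parent maps to a sub-technique the rule actually carries rather than to something else in the rule. A post-generation check along the lines of `every dotless "T\d{4}" tag that was not present before must have a "T\d{4}\.\d{3}" sibling with the same prefix` would catch spurious parents across the whole file. The enclosing rule object starts outside this hunk.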
@@ -44499,7 +45679,8 @@ "tags": [ "TA0003", "TA0004", - "T1134.005" + "T1134.005", + "T1134" ], "title": "Addition of SID History to Active Directory Object" }, @@ -44522,7 +45703,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, @@ -44571,7 +45753,8 @@ "TA0007", "T1012", "TA0006", - "T1552.002" + "T1552.002", + "T1552" ], "title": "SAM Registry Hive Handle Request" }, @@ -44590,7 +45773,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1219.002" + "T1219.002", + "T1219" ], "title": "Potential Remote Desktop Connection to Non-Domain Host" }, @@ -44609,7 +45793,8 @@ "subcategory_guids": [], "tags": [ "TA0008", - "T1550.002" + "T1550.002", + "T1550" ], "title": "NTLM Logon" }, @@ -44730,7 +45915,8 @@ ], "tags": [ "TA0003", - "T1546.012" + "T1546.012", + "T1546" ], "title": "SilentProcessExit Monitor Registration" }, @@ -44773,7 +45959,8 @@ "tags": [ "TA0002", "attack.g0016", - "T1059.001" + "T1059.001", + "T1059" ], "title": "APT29" }, @@ -44818,7 +46005,9 @@ "T1218", "T1564.004", "T1552.001", - "T1105" + "T1105", + "T1564", + "T1552" ], "title": "Abusing Findstr for Defense Evasion" }, @@ -44865,7 +46054,9 @@ "T1047", "T1218.010", "TA0002", - "TA0005" + "TA0005", + "T1204", + "T1218" ], "title": "Excel Proxy Executing Regsvr32 With Payload" }, @@ -44887,7 +46078,8 @@ "tags": [ "TA0002", "attack.s0029", - "T1569.002" + "T1569.002", + "T1569" ], "title": "PsExec Service Start" }, @@ -44909,7 +46101,8 @@ "tags": [ "TA0002", "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Suspicious Execution of Sc to Delete AV Services" }, @@ -44953,7 +46146,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Potential Xor Encoded PowerShell Command" }, @@ -44997,7 +46191,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Windows Defender Exclusion Deleted" }, 
@@ -45019,7 +46214,8 @@ "TA0010", "T1048", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Dnscat Execution" }, @@ -45040,7 +46236,8 @@ ], "tags": [ "TA0003", - "T1546.015" + "T1546.015", + "T1546" ], "title": "Potential Persistence Via COM Search Order Hijacking" }, @@ -45061,7 +46258,8 @@ ], "tags": [ "TA0005", - "T1553.004" + "T1553.004", + "T1553" ], "title": "Root Certificate Installed" }, @@ -45103,7 +46301,8 @@ ], "tags": [ "TA0002", - "T1059.005" + "T1059.005", + "T1059" ], "title": "Visual Basic Script Execution" }, @@ -45221,7 +46420,8 @@ ], "tags": [ "TA0002", - "T1059.003" + "T1059.003", + "T1059" ], "title": "Read and Execute a File Via Cmd.exe" }, @@ -45245,7 +46445,9 @@ "T1047", "T1218.010", "TA0002", - "TA0005" + "TA0005", + "T1204", + "T1218" ], "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" }, @@ -45268,7 +46470,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER" }, @@ -45288,7 +46491,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1555.003" + "T1555.003", + "T1555" ], "title": "Accessing Encrypted Credentials from Google Chrome Login Database" }, @@ -45311,7 +46515,8 @@ "TA0011", "TA0002", "T1059.001", - "T1105" + "T1105", + "T1059" ], "title": "PowerShell Web Download" }, @@ -45375,7 +46580,8 @@ ], "tags": [ "TA0002", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Suspicious Add Scheduled Task From User AppData Temp" }, @@ -45399,7 +46605,9 @@ "T1047", "T1218.010", "TA0002", - "TA0005" + "TA0005", + "T1204", + "T1218" ], "title": "Office Applications Spawning Wmi Cli Alternate" }, @@ -45483,7 +46691,8 @@ "TA0002", "T1059.001", "TA0005", - "T1027" + "T1027", + "T1059" ], "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" }, @@ -45534,7 +46743,8 @@ "T1218.009", "T1127.001", "T1218.005", - "T1218" + "T1218", + "T1127" ], "title": "Possible Applocker Bypass" }, 
@@ -45579,7 +46789,9 @@ "T1047", "T1218.010", "TA0002", - "TA0005" + "TA0005", + "T1218", + "T1204" ], "title": "New Lolbin Process by Office Applications" }, @@ -45683,7 +46895,8 @@ ], "tags": [ "TA0005", - "T1218.011" + "T1218.011", + "T1218" ], "title": "Suspicious Rundll32 Script in CommandLine" }, @@ -45704,7 +46917,8 @@ ], "tags": [ "TA0006", - "T1003.002" + "T1003.002", + "T1003" ], "title": "Registry Dump of SAM Creds and Secrets" }, @@ -45770,7 +46984,9 @@ "T1047", "T1218.010", "TA0002", - "TA0005" + "TA0005", + "T1218", + "T1204" ], "title": "WMI Execution Via Office Process" }, @@ -45814,7 +47030,8 @@ "TA0005", "T1218.010", "car.2019-04-002", - "car.2019-04-003" + "car.2019-04-003", + "T1218" ], "title": "Regsvr32 Anomaly" }, @@ -45835,7 +47052,8 @@ ], "tags": [ "TA0005", - "T1564.002" + "T1564.002", + "T1564" ], "title": "User Account Hidden By Registry" }, @@ -45856,7 +47074,8 @@ ], "tags": [ "TA0003", - "T1546.015" + "T1546.015", + "T1546" ], "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, @@ -45877,7 +47096,8 @@ ], "tags": [ "TA0005", - "T1564.004" + "T1564.004", + "T1564" ], "title": "Cmd Stream Redirection" }, @@ -45895,7 +47115,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "T1070.001" + "T1070.001", + "T1070" ], "title": "Security Event Log Cleared" }, @@ -45914,7 +47135,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.002" + "T1003.002", + "T1003" ], "title": "SAM Dump to AppData" }, @@ -45979,7 +47201,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Rundll32" }, @@ -45997,7 +47220,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Download" }, @@ -46019,7 +47243,8 @@ "tags": [ "TA0005", "T1036", - "T1003.001" + "T1003.001", + "T1003" ], "title": "Process Memory Dumped Via RdrLeakDiag.EXE" }, 
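Review bot: The Office-spawn rules in this diff get the same two parents in two different orders — `New Lolbin Process by Office Applications` and `WMI Execution Via Office Process` here receive `"T1218", "T1204"`, whereas `Excel Proxy Executing Regsvr32 With Payload`, its `Alternate` variant and `Office Applications Spawning Wmi Cli Alternate` earlier receive `"T1204", "T1218"`. Identical visible input tags (`T1047`, `T1218.010`, `TA0002`, `TA0005`) with differing output order points to a non-deterministic iteration in the tag-normalization step. Separately, `"T1204"` is appended in all of these hunks though no `T1204.xxx` sub-technique is visible in the context lines; presumably it sits earlier in the array, above the hunk, but that should be confirmed. Each rule object begins before its hunk.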
@@ -46061,7 +47286,8 @@ ], "tags": [ "TA0005", - "T1218.008" + "T1218.008", + "T1218" ], "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" }, @@ -46104,7 +47330,8 @@ ], "tags": [ "TA0003", - "T1547.001" + "T1547.001", + "T1547" ], "title": "Autorun Keys Modification" }, @@ -46186,7 +47413,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Disable Microsoft Office Security Features" }, @@ -46208,7 +47436,8 @@ "tags": [ "TA0002", "T1059.005", - "T1059.007" + "T1059.007", + "T1059" ], "title": "Adwind RAT / JRAT - Registry" }, @@ -46353,7 +47582,8 @@ ], "tags": [ "T1055.001", - "T1218" + "T1218", + "T1055" ], "title": "MavInject Process Injection" }, @@ -46463,7 +47693,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Windows Defender Threat Detection Disabled" }, @@ -46484,7 +47715,8 @@ ], "tags": [ "TA0010", - "T1567.002" + "T1567.002", + "T1567" ], "title": "RClone Execution" }, @@ -46506,7 +47738,8 @@ "tags": [ "TA0003", "TA0004", - "T1543.003" + "T1543.003", + "T1543" ], "title": "New Service Creation" }, @@ -46527,7 +47760,8 @@ ], "tags": [ "TA0011", - "T1071.004" + "T1071.004", + "T1071" ], "title": "DNS Tunnel Technique from MuddyWater" }, @@ -46590,7 +47824,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Specific" }, @@ -46612,7 +47847,8 @@ "tags": [ "TA0011", "T1105", - "T1071.004" + "T1071.004", + "T1071" ], "title": "Nslookup PwSh Download Cradle" }, @@ -46633,7 +47869,8 @@ ], "tags": [ "TA0005", - "T1070.004" + "T1070.004", + "T1070" ], "title": "Sysinternals SDelete Registry Keys" }, @@ -46655,7 +47892,8 @@ "tags": [ "TA0005", "T1562.001", - "TA0002" + "TA0002", + "T1562" ], "title": "PowerShell AMSI Bypass Pattern" }, 
@@ -46695,7 +47933,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Suspicious PowerShell Invocations - Generic" }, @@ -46737,7 +47976,8 @@ ], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Stop Or Remove Antivirus Service" }, @@ -46759,7 +47999,8 @@ "tags": [ "TA0002", "T1569.002", - "attack.s0029" + "attack.s0029", + "T1569" ], "title": "PsExec Tool Execution" }, @@ -46782,7 +48023,8 @@ "TA0002", "T1059.001", "TA0005", - "T1027" + "T1027", + "T1059" ], "title": "Base64 Encoded Listing of Shadowcopy" }, @@ -46924,7 +48166,8 @@ "subcategory_guids": [], "tags": [ "TA0043", - "T1590.002" + "T1590.002", + "T1590" ], "title": "Failed DNS Zone Transfer" }, @@ -46945,7 +48188,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1574.001" + "T1574.001", + "T1574" ], "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, @@ -46964,7 +48208,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1059.005" + "T1059.005", + "T1059" ], "title": "Suspicious Scripting in a WMI Consumer" }, @@ -46985,7 +48230,8 @@ "TA0002", "T1047", "TA0003", - "T1546.003" + "T1546.003", + "T1546" ], "title": "Suspicious Encoded Scripts in a WMI Consumer" }, @@ -47004,7 +48250,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1071.004" + "T1071.004", + "T1071" ], "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" }, @@ -47023,7 +48270,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1090.003" + "T1090.003", + "T1090" ], "title": "Query Tor Onion Address - DNS Client" }, @@ -47042,7 +48290,8 @@ "subcategory_guids": [], "tags": [ "TA0010", - "T1567.002" + "T1567.002", + "T1567" ], "title": "DNS Query To Ufile.io - DNS Client" }, @@ -47061,7 +48310,8 @@ "subcategory_guids": [], "tags": [ "TA0010", - "T1567.002" + "T1567.002", + "T1567" ], "title": "DNS Query To MEGA Hosting Website - DNS Client" }, 
@@ -47080,7 +48330,8 @@ "subcategory_guids": [], "tags": [ "TA0010", - "T1567.002" + "T1567.002", + "T1567" ], "title": "DNS Query for Anonfiles.com Domain - DNS Client" }, @@ -47115,7 +48366,8 @@ "subcategory_guids": [], "tags": [ "T1587.001", - "TA0042" + "TA0042", + "T1587" ], "title": "ProxyLogon MSExchange OabVirtualDirectory" }, @@ -47132,7 +48384,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1505.003" + "T1505.003", + "T1505" ], "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, @@ -47166,7 +48419,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1505.002" + "T1505.002", + "T1505" ], "title": "MSExchange Transport Agent Installation - Builtin" }, @@ -47183,7 +48437,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1505.003" + "T1505.003", + "T1505" ], "title": "Certificate Request Export to Exchange Webserver" }, @@ -47200,7 +48455,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1505.003" + "T1505.003", + "T1505" ], "title": "Mailbox Export to Exchange Webserver" }, @@ -47219,7 +48475,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1505.002" + "T1505.002", + "T1505" ], "title": "Failed MSExchange Transport Agent Installation" }, @@ -47258,7 +48515,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1558.003" + "T1558.003", + "T1558" ], "title": "Potential CVE-2021-42287 Exploitation Attempt" }, @@ -47277,7 +48535,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.002" + "T1003.002", + "T1003" ], "title": "Critical Hive In Suspicious Location Access Bits Cleared" }, @@ -47335,7 +48594,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1569.002" + "T1569.002", + "T1569" ], "title": "CSExec Service Installation" }, @@ -47356,7 +48616,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Stdin - System" }, 
@@ -47377,7 +48638,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Uncommon Service Installation Image Path" }, @@ -47396,7 +48658,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1219.002" + "T1219.002", + "T1219" ], "title": "TacticalRMM Service Installation" }, @@ -47417,7 +48680,9 @@ "TA0002", "TA0004", "T1543.003", - "T1569.002" + "T1569.002", + "T1569", + "T1543" ], "title": "Sliver C2 Default Service Installation" }, @@ -47436,7 +48701,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1569.002" + "T1569.002", + "T1569" ], "title": "RemCom Service Installation" }, @@ -47455,7 +48721,8 @@ "subcategory_guids": [], "tags": [ "TA0011", - "T1219.002" + "T1219.002", + "T1219" ], "title": "Mesh Agent Service Installation" }, @@ -47494,7 +48761,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Rundll32 - System" }, @@ -47514,7 +48782,8 @@ "tags": [ "TA0003", "TA0004", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Moriya Rootkit - System" }, @@ -47535,7 +48804,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, @@ -47575,7 +48845,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, @@ -47594,7 +48865,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1569.002" + "T1569.002", + "T1569" ], "title": "PowerShell Scripts Installed as Services" }, @@ -47615,7 +48887,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, @@ -47671,7 +48944,8 @@ "subcategory_guids": [], "tags": [ "TA0002", - "T1569.002" + "T1569.002", + "T1569" ], "title": "PAExec Service Installation" }, 
@@ -47693,7 +48967,9 @@ "TA0003", "TA0002", "T1543.003", - "T1569.002" + "T1569.002", + "T1569", + "T1543" ], "title": "Remote Access Tool Services Have Been Installed - System" }, @@ -47730,7 +49006,8 @@ "subcategory_guids": [], "tags": [ "TA0004", - "T1543.003" + "T1543.003", + "T1543" ], "title": "New PDQDeploy Service - Server Side" }, @@ -47751,7 +49028,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Service Installation with Suspicious Folder Pattern" }, @@ -47772,7 +49050,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use MSHTA - System" }, @@ -47793,7 +49072,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation Via Use Clip - System" }, @@ -47814,7 +49094,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Suspicious Service Installation" }, @@ -47833,7 +49114,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.001" + "T1562.001", + "T1562" ], "title": "Windows Defender Threat Detection Service Disabled" }, @@ -47854,7 +49136,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Service Installation in Suspicious Folder" }, @@ -47899,7 +49182,9 @@ "T1003.005", "T1003.006", "T1569.002", - "attack.s0005" + "attack.s0005", + "T1569", + "T1003" ], "title": "Credential Dumping Tools Service Execution - System" }, @@ -47919,7 +49204,8 @@ "tags": [ "TA0002", "T1569.002", - "attack.s0029" + "attack.s0029", + "T1569" ], "title": "PsExec Service Installation" }, @@ -47960,7 +49246,10 @@ "TA0008", "T1021.002", "T1543.003", - "T1569.002" + "T1569.002", + "T1021", + "T1543", + "T1569" ], "title": "CobaltStrike Service Installations - System" }, @@ -47981,7 +49270,8 @@ "tags": [ "TA0002", "T1569.002", - "attack.s0029" + "attack.s0029", + "T1569" ], "title": "HackTool Service Registration or Execution" }, 
@@ -48002,7 +49292,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation VAR+ Launcher - System" }, @@ -48041,7 +49332,9 @@ "TA0002", "TA0004", "T1543.003", - "T1569.002" + "T1569.002", + "T1569", + "T1543" ], "title": "ProcessHacker Privilege Elevation" }, @@ -48060,7 +49353,8 @@ "subcategory_guids": [], "tags": [ "TA0004", - "T1543.003" + "T1543.003", + "T1543" ], "title": "New PDQDeploy Service - Client Side" }, @@ -48081,7 +49375,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation STDIN+ Launcher - System" }, @@ -48120,7 +49415,9 @@ "TA0008", "TA0002", "T1021.002", - "T1569.002" + "T1569.002", + "T1569", + "T1021" ], "title": "smbexec.py Service Installation" }, @@ -48159,7 +49456,8 @@ "TA0005", "T1027", "TA0002", - "T1059.001" + "T1059.001", + "T1059" ], "title": "Invoke-Obfuscation CLIP+ Launcher - System" }, @@ -48180,7 +49478,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Suspicious Service Installation Script" }, @@ -48200,7 +49499,8 @@ "tags": [ "TA0004", "T1134.001", - "T1134.002" + "T1134.002", + "T1134" ], "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, @@ -48240,7 +49540,8 @@ "tags": [ "TA0005", "TA0008", - "T1550.002" + "T1550.002", + "T1550" ], "title": "NTLMv1 Logon Between Client and Server" }, @@ -48280,7 +49581,8 @@ "subcategory_guids": [], "tags": [ "TA0040", - "T1499.001" + "T1499.001", + "T1499" ], "title": "NTFS Vulnerability Exploitation" }, @@ -48337,7 +49639,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1558.003" + "T1558.003", + "T1558" ], "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" }, @@ -48357,7 +49660,8 @@ "tags": [ "TA0005", "T1070.001", - "car.2016-04-002" + "car.2016-04-002", + "T1070" ], "title": "Important Windows Eventlog Cleared" }, 
@@ -48377,7 +49681,8 @@ "tags": [ "TA0005", "T1070.001", - "car.2016-04-002" + "car.2016-04-002", + "T1070" ], "title": "Eventlog Cleared" }, @@ -48398,7 +49703,8 @@ "TA0006", "TA0009", "T1003.002", - "T1005" + "T1005", + "T1003" ], "title": "Crash Dump Created By Operating System" }, @@ -48418,7 +49724,8 @@ "tags": [ "TA0002", "TA0006", - "T1557.001" + "T1557.001", + "T1557" ], "title": "Local Privilege Escalation Indicator TabTip" }, @@ -48438,7 +49745,8 @@ "tags": [ "TA0006", "TA0005", - "T1553.004" + "T1553.004", + "T1553" ], "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" }, @@ -48500,7 +49808,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1003.002" + "T1003.002", + "T1003" ], "title": "Volume Shadow Copy Mount" }, @@ -48521,7 +49830,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1574.001" + "T1574.001", + "T1574" ], "title": "DHCP Server Error Failed Loading the CallOut DLL" }, @@ -48540,7 +49850,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1574.001" + "T1574.001", + "T1574" ], "title": "DHCP Server Loaded the CallOut DLL" }, @@ -48580,7 +49891,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, @@ -48604,7 +49916,8 @@ "T1071", "T1071.004", "T1001.003", - "T1041" + "T1041", + "T1001" ], "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" }, @@ -48647,7 +49960,8 @@ "subcategory_guids": [], "tags": [ "T1021.002", - "TA0008" + "TA0008", + "T1021" ], "title": "Failed Mounting of Hidden Share" }, @@ -48670,7 +49984,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, @@ -48692,7 +50007,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, 
@@ -48741,7 +50057,8 @@ "TA0008", "TA0003", "TA0002", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Remote Schtasks Creation" }, @@ -48810,7 +50127,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" }, @@ -48856,7 +50174,8 @@ "TA0004", "TA0003", "car.2013-08-001", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Rare Schtasks Creations" }, @@ -48878,7 +50197,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" }, @@ -48899,7 +50219,8 @@ "TA0003", "TA0004", "car.2013-09-005", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Rare Service Installations" }, @@ -48924,7 +50245,9 @@ "T1050", "car.2013-09-005", "T1543.003", - "T1569.002" + "T1569.002", + "T1569", + "T1543" ], "title": "Malicious Service Installations" }, @@ -49011,7 +50334,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -49033,7 +50357,9 @@ "T1021.002", "T1570", "TA0002", - "T1569.002" + "T1569.002", + "T1569", + "T1021" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -49055,7 +50381,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Password Spraying via Explicit Credentials" }, @@ -49075,7 +50402,8 @@ "tags": [ "TA0003", "attack.s0111", - "T1053.005" + "T1053.005", + "T1053" ], "title": "Rare Scheduled Task Creations" }, @@ -49118,7 +50446,8 @@ ], "tags": [ "TA0007", - "T1087.002" + "T1087.002", + "T1087" ], "title": "Enumeration via the Global Catalog" }, @@ -49140,7 +50469,8 @@ "tags": [ "T1110.003", "TA0001", - "TA0004" + "TA0004", + "T1110" ], "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, 
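Review bot: `Malicious Service Installations` keeps `"T1050"` in its tag list while the hunk appends `"T1543"` next to the `T1543.003` it already carries; T1050 (New Service) is a revoked ATT&CK ID that was folded into T1543.003, so after this pass the rule names the technique under both its retired and its current identifier. Since the commit is explicitly normalizing technique tags, this is the natural moment to drop `"T1050",` (its replacement is already present) rather than leave a dead ID that ATT&CK coverage tooling will not resolve. This is pre-existing, not introduced by the commit, but the normalization step could have cleaned it up. The rule object starts above the hunk.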
@@ -49161,7 +50491,8 @@ ], "tags": [ "TA0004", - "T1548.002" + "T1548.002", + "T1548" ], "title": "MSI Spawned Cmd and Powershell Spawned Processes" }, @@ -49745,7 +51076,9 @@ "tags": [ "TA0008", "T1563.002", - "T1021.001" + "T1021.001", + "T1563", + "T1021" ], "title": "Possible RDP Hijacking" }, @@ -49951,7 +51284,8 @@ ], "tags": [ "T1110.003", - "TA0006" + "TA0006", + "T1110" ], "title": "PW Guessing" }, @@ -50008,7 +51342,8 @@ ], "tags": [ "T1110.003", - "TA0006" + "TA0006", + "T1110" ], "title": "PW Spray" }, @@ -50270,7 +51605,8 @@ ], "tags": [ "T1110.003", - "TA0006" + "TA0006", + "T1110" ], "title": "User Guessing" }, @@ -50443,7 +51779,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1555.004" + "T1555.004", + "T1555" ], "title": "Credential Manager Enumerated" }, @@ -50462,7 +51799,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.001" + "T1070.001", + "T1070" ], "title": "Log Cleared" }, @@ -50481,7 +51819,8 @@ "subcategory_guids": [], "tags": [ "TA0006", - "T1555.004" + "T1555.004", + "T1555" ], "title": "Credential Manager Accessed" }, @@ -50839,7 +52178,8 @@ ], "tags": [ "TA0003", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Possible Hidden Service Created" }, @@ -50863,7 +52203,8 @@ "TA0006", "T1003.001", "T1561", - "TA0040" + "TA0040", + "T1003" ], "title": "Process Ran With High Privilege" }, @@ -50884,7 +52225,8 @@ ], "tags": [ "TA0006", - "T1558.004" + "T1558.004", + "T1558" ], "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" }, @@ -50923,7 +52265,8 @@ ], "tags": [ "TA0006", - "T1558.003" + "T1558.003", + "T1558" ], "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" }, @@ -51069,7 +52412,8 @@ "tags": [ "TA0005", "T1562.010", - "lolbas" + "lolbas", + "T1562" ], "title": "PwSh 2.0 Downgrade Attack" }, @@ -51142,7 +52486,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1562.002" + "T1562.002", + "T1562" ], "title": "Event Log Service Startup Type Changed To Disabled" }, 
@@ -51161,7 +52506,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Suspicious Service Name" }, @@ -51263,7 +52609,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Suspicious Service Path" }, @@ -51287,7 +52634,11 @@ "T1543.003", "T1570", "T1021.002", - "T1569.002" + "T1569.002", + "T1136", + "T1543", + "T1021", + "T1569" ], "title": "PSExec Lateral Movement" }, @@ -51338,7 +52689,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.001" + "T1070.001", + "T1070" ], "title": "Log File Cleared" }, @@ -51429,7 +52781,8 @@ "subcategory_guids": [], "tags": [ "TA0005", - "T1070.001" + "T1070.001", + "T1070" ], "title": "Important Log File Cleared" }, @@ -51464,7 +52817,8 @@ "subcategory_guids": [], "tags": [ "TA0003", - "T1543.003" + "T1543.003", + "T1543" ], "title": "Possible Metasploit Svc Installed" },
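Review bot: `PSExec Lateral Movement` is given `"T1136"` (Create Account) alongside `"T1543"`, `"T1021"` and `"T1569"`, yet the visible sub-technique tags are only `T1543.003`, `T1021.002` and `T1569.002` (plus `T1570`, which has no sub-techniques and correctly gets no parent). If a `T1136.xxx` tag exists earlier in the array, above the hunk, the parent is legitimate; if not, the rule is tagged with a technique it does not detect, which would inflate any ATT&CK coverage map built from this file. Worth checking the full tag list of that rule before merging, and the same check applies to any other hunk whose appended parents outnumber the visible sub-techniques. The enclosing rule object begins outside the hunk.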