From 2f228031ffab11510d9819c50144e07ecbb61d20 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Tue, 7 Oct 2025 18:08:01 +0000 Subject: [PATCH] Sigma Rule Update (2025-10-07 18:07:54) (#104) Co-authored-by: fukusuket --- config/security_rules.json | 11180 +++++++++++++++++++++++++++++++++++ 1 file changed, 11180 insertions(+) diff --git a/config/security_rules.json b/config/security_rules.json index 0f8ff1b1..618df70b 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -12,6 +12,10 @@ "level": "low", "service": "appmodel-runtime", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution" + ], "title": "Sysinternals Tools AppX Versions Execution" }, { @@ -28,6 +32,11 @@ "level": "medium", "service": "wmi", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1546.003" + ], "title": "WMI Persistence" }, { @@ -43,6 +52,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Unsigned Kernel Module Loaded" }, { @@ -59,6 +71,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Revoked Image Loaded" }, { @@ -74,6 +89,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" }, { @@ -89,6 +107,10 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543" + ], "title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" }, { 
@@ -105,6 +127,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Revoked Kernel Driver Loaded" }, { @@ -120,6 +145,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" }, { @@ -135,6 +163,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Unsigned Image Loaded" }, { @@ -150,6 +181,10 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543" + ], "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" }, { @@ -166,6 +201,9 @@ "level": "high", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" }, { @@ -182,6 +220,9 @@ "level": "low", "service": "codeintegrity-operational", "subcategory_guids": [], + "tags": [ + "attack.execution" + ], "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" }, { @@ -197,6 +238,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell Called from an Executable Version Mismatch" }, { @@ -212,6 +258,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Nslookup PowerShell Download Cradle" }, { 
@@ -227,6 +277,12 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1059.001", + "attack.t1036.003" + ], "title": "Renamed Powershell Under Powershell Channel" }, { @@ -242,6 +298,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1049" + ], "title": "Use Get-NetTCPConnection" }, { @@ -255,6 +315,10 @@ "level": "high", "service": "powershell-classic", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" }, { @@ -268,6 +332,12 @@ "level": "medium", "service": "powershell-classic", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral-movement", + "attack.t1021.003" + ], "title": "Suspicious Non PowerShell WSMAN COM Provider" }, { @@ -281,6 +351,10 @@ "level": "medium", "service": "powershell-classic", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, { @@ -296,6 +370,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Download" }, { @@ -311,6 +389,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1095" + ], "title": "Netcat The Powershell Version" }, { @@ -326,6 +408,12 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral-movement", + "attack.t1021.006" + ], "title": "Remote PowerShell Session (PS Classic)" }, { @@ -341,6 +429,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Tamper Windows Defender - PSClassic" }, { 
@@ -356,6 +448,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell Downgrade Attack - PowerShell" }, { @@ -371,6 +468,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1490" + ], "title": "Delete Volume Shadow Copies Via WMI With PowerShell" }, { @@ -387,6 +488,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" }, { @@ -403,6 +508,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1553.004" + ], "title": "Suspicious X509Enrollment - Ps Script" }, { @@ -419,6 +528,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1083" + ], "title": "Powershell Sensitive File Discovery" }, { @@ -435,6 +548,12 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" + ], "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" }, { @@ -451,6 +570,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1033" + ], "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" }, { @@ -467,6 +590,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001", + "attack.execution" + ], "title": "AMSI Bypass Pattern Assembly GetType" }, { @@ -483,6 +611,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1565" + ], "title": "Powershell Add Name Resolution Policy Table Rule" }, { 
@@ -499,6 +631,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.reconnaissance", + "attack.discovery", + "attack.impact" + ], "title": "Potential Active Directory Enumeration Using AD Module - PsScript" }, { @@ -515,6 +652,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1518" + ], "title": "Detected Windows Software Discovery - PowerShell" }, { @@ -531,6 +672,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1018" + ], "title": "DirectorySearcher Powershell Exploitation" }, { @@ -547,6 +692,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1553.005" + ], "title": "Suspicious Mount-DiskImage" }, { @@ -563,6 +712,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.003" + ], "title": "Disable Powershell Command History" }, { @@ -579,6 +732,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Invocations - Generic" }, { @@ -595,6 +752,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Powershell XML Execute Command" }, { @@ -611,6 +772,18 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" + ], "title": "Malicious PowerShell Commandlets - ScriptBlock" }, { @@ -627,6 +800,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218.007" + ], "title": "PowerShell WMI Win32_Product Install MSI" }, { 
@@ -643,6 +820,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1546.003" + ], "title": "Powershell WMI Persistence" }, { @@ -659,6 +840,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1137.006" + ], "title": "Code Executed Via Office Add-in XLL File" }, { @@ -675,6 +860,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.006" + ], "title": "Enable Windows Remote Management" }, { @@ -691,6 +880,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "PowerShell Write-EventLog Usage" }, { @@ -707,6 +899,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, { @@ -723,6 +919,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1555.003" + ], "title": "Access to Browser Login Data" }, { @@ -739,6 +939,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], "title": "Powershell Execute Batch Script" }, { @@ -755,6 +959,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1620" + ], "title": "Potential In-Memory Execution Using Reflection.Assembly" }, { @@ -771,6 +979,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.002" + ], "title": "Active Directory Group Enumeration With Get-AdGroup" }, { @@ -787,6 +999,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "PowerShell Get-Process LSASS in ScriptBlock" }, { 
@@ -803,6 +1019,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070", + "attack.t1562.006", + "car.2016-04-002" + ], "title": "Disable of ETW Trace - Powershell" }, { @@ -819,6 +1041,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.defense-evasion" + ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" }, { @@ -835,6 +1061,13 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1055", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell ShellCode" }, { @@ -851,6 +1084,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], "title": "PowerShell Script With File Upload Capabilities" }, { @@ -867,6 +1104,17 @@ "level": "critical", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command-and-control", + "attack.t1071.004", + "attack.t1572", + "attack.impact", + "attack.t1529", + "attack.g0091", + "attack.s0363" + ], "title": "Silence.EDA Detection" }, { @@ -883,6 +1131,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, { @@ -899,6 +1153,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1033" + ], "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" }, { @@ -915,6 +1173,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration" + ], "title": "Potential Data Exfiltration Via Audio File" }, { 
@@ -931,6 +1192,12 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1027", + "attack.t1059.001" + ], "title": "Potential PowerShell Obfuscation Using Character Join" }, { @@ -947,6 +1214,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1553.004" + ], "title": "Root Certificate Installed - PowerShell" }, { @@ -963,6 +1234,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1202" + ], "title": "Troubleshooting Pack Cmdlet Execution" }, { @@ -979,6 +1254,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1491.001" + ], "title": "Replace Desktop Wallpaper by Powershell" }, { @@ -995,6 +1274,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Stdin - Powershell" }, { @@ -1011,6 +1296,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" }, { @@ -1027,6 +1318,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Powershell Store File In Alternate Data Stream" }, { @@ -1043,6 +1338,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1033" + ], "title": "Suspicious PowerShell Get Current User" }, { @@ -1059,6 +1358,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002" + ], "title": "Active Directory Computers Enumeration With Get-AdComputer" }, { 
@@ -1075,6 +1379,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" }, { @@ -1091,6 +1399,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1083" + ], "title": "Powershell Directory Enumeration" }, { @@ -1107,6 +1419,21 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.defense-evasion", + "attack.discovery", + "attack.execution", + "attack.privilege-escalation", + "attack.t1046", + "attack.t1082", + "attack.t1106", + "attack.t1518", + "attack.t1548.002", + "attack.t1552.001", + "attack.t1555", + "attack.t1555.003" + ], "title": "HackTool - WinPwn Execution - ScriptBlock" }, { @@ -1123,6 +1450,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1497.001" + ], "title": "Powershell Detect Virtualization Environment" }, { @@ -1139,6 +1470,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], "title": "Powershell Create Scheduled Task" }, { @@ -1155,6 +1490,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.003" + ], "title": "Suspicious IO.FileStream" }, { @@ -1171,6 +1510,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1222" + ], "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" }, { @@ -1187,6 +1530,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, { 
@@ -1203,6 +1552,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.credential-access", + "attack.t1056.001" + ], "title": "Potential Keylogger Activity" }, { @@ -1219,6 +1573,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery" + ], "title": "PowerShell Hotfix Enumeration" }, { @@ -1235,6 +1592,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1553.005" + ], "title": "Suspicious Unblock-File" }, { @@ -1251,6 +1612,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1553.005" + ], "title": "Suspicious Invoke-Item From Mount-DiskImage" }, { @@ -1267,6 +1632,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1555" + ], "title": "Dump Credentials from Windows Credential Manager With PowerShell" }, { @@ -1283,6 +1652,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Malicious Nishang PowerShell Commandlets" }, { @@ -1299,6 +1672,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1132.001" + ], "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" }, { @@ -1315,6 +1692,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], "title": "PowerShell ICMP Exfiltration" }, { @@ -1331,6 +1712,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1090" + ], "title": "Suspicious TCP Tunnel Via PowerShell Script" }, { 
@@ -1347,6 +1732,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1217" + ], "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" }, { @@ -1363,6 +1752,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003" + ], "title": "Live Memory Dump Using Powershell" }, { @@ -1379,6 +1772,13 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.reconnaissance", + "attack.discovery", + "attack.credential-access", + "attack.impact" + ], "title": "AADInternals PowerShell Cmdlets Execution - PsScript" }, { @@ -1395,6 +1795,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1119" + ], "title": "Automated Collection Command PowerShell" }, { @@ -1411,6 +1815,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Potential Suspicious PowerShell Keywords" }, { @@ -1427,6 +1835,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.persistence", + "attack.t1136.001" + ], "title": "PowerShell Create Local User" }, { @@ -1443,6 +1857,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1114.001" + ], "title": "Powershell Local Email Collection" }, { @@ -1459,6 +1877,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, { @@ -1475,6 +1897,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1490" + ], "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" }, { 
@@ -1491,6 +1917,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1222" + ], "title": "PowerShell Set-Acl On Windows Folder - PsScript" }, { @@ -1507,6 +1937,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.006" + ], "title": "Powershell Timestomp" }, { @@ -1523,6 +1957,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" }, { @@ -1539,6 +1976,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.003" + ], "title": "Clear PowerShell History - PowerShell" }, { @@ -1555,6 +1996,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Tamper Windows Defender - ScriptBlockLogging" }, { @@ -1571,6 +2016,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1020" + ], "title": "PowerShell Script With File Hostname Resolving Capabilities" }, { @@ -1587,6 +2036,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1057" + ], "title": "Suspicious Process Discovery With Get-Process" }, { @@ -1603,6 +2056,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.003", + "attack.ds0005" + ], "title": "Create Volume Shadow Copy with Powershell" }, { @@ -1619,6 +2077,9 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access" + ], "title": "Veeam Backup Servers Credential Dumping Script Execution" }, { 
@@ -1635,6 +2096,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1552.004" + ], "title": "Certificate Exported Via PowerShell - ScriptBlock" }, { @@ -1651,6 +2116,13 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003", + "attack.t1558.003", + "attack.lateral-movement", + "attack.t1550.003" + ], "title": "HackTool - Rubeus Execution - ScriptBlock" }, { @@ -1667,6 +2139,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "WMIC Unquoted Services Path Lookup - PowerShell" }, { @@ -1683,6 +2159,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, { @@ -1699,6 +2181,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1615" + ], "title": "Suspicious GPO Discovery With Get-GPO" }, { @@ -1715,6 +2201,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1564.006" + ], "title": "Suspicious Hyper-V Cmdlets" }, { @@ -1731,6 +2221,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1552.001" + ], "title": "Extracting Information with PowerShell" }, { @@ -1747,6 +2241,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Disable-WindowsOptionalFeature Command PowerShell" }, { @@ -1763,6 +2261,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "Powershell LocalAccount Manipulation" }, { 
@@ -1779,6 +2281,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Potential COM Objects Download Cradles Usage - PS Script" }, { @@ -1795,6 +2301,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1573" + ], "title": "Suspicious SSL Connection" }, { @@ -1811,6 +2321,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106" + ], "title": "Potential WinAPI Calls Via PowerShell Scripts" }, { @@ -1827,6 +2342,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, { @@ -1843,6 +2362,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1071.001" + ], "title": "Change User Agents with WebRequest" }, { @@ -1859,6 +2382,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration" + ], "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" }, { @@ -1875,6 +2401,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Malicious ShellIntel PowerShell Commandlets" }, { @@ -1891,6 +2421,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "Request A Single Ticket via PowerShell" }, { @@ -1907,6 +2441,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003" + ], "title": "Potential Invoke-Mimikatz PowerShell Script" }, { 
@@ -1923,6 +2461,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1119" + ], "title": "Recon Information for Export with PowerShell" }, { @@ -1939,6 +2481,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.persistence", + "attack.t1546.015" + ], "title": "Suspicious GetTypeFromCLSID ShellExecute" }, { @@ -1955,6 +2502,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.t1059.001" + ], "title": "WMImplant Hack Tool" }, { @@ -1971,6 +2523,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1574.011", + "stp.2a" + ], "title": "Service Registry Permissions Weakness Check" }, { @@ -1987,6 +2544,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004", + "attack.execution", + "attack.t1059.001" + ], "title": "NTFS Alternate Data Stream" }, { @@ -2003,6 +2566,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.006" + ], "title": "Suspicious Get-ADReplAccount" }, { @@ -2019,6 +2586,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1555" + ], "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" }, { @@ -2035,6 +2606,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1120" + ], "title": "Powershell Suspicious Win32_PnPEntity" }, { @@ -2051,6 +2626,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1033" + ], "title": "Get-ADUser Enumeration Using UserAccountControl Flags" }, { 
@@ -2067,6 +2646,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Malicious PowerShell Keywords" }, { @@ -2083,6 +2666,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070", + "attack.t1070.003" + ], "title": "Clearing Windows Console History" }, { @@ -2099,6 +2687,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1113" + ], "title": "Windows Screen Capture with CopyFromScreen" }, { @@ -2115,6 +2707,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" }, { @@ -2131,6 +2729,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Invocations - Specific" }, { @@ -2147,6 +2749,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1056.001" + ], "title": "Powershell Keylogging" }, { @@ -2163,6 +2769,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell Web Access Installation - PsScript" }, { @@ -2179,6 +2790,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, { @@ -2195,6 +2812,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "Suspicious Get Local Groups Information - PowerShell" }, { 
@@ -2211,6 +2832,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562", + "attack.execution", + "attack.t1059" + ], "title": "Windows Defender Exclusions Added - PowerShell" }, { @@ -2227,6 +2854,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001" + ], "title": "Suspicious Eventlog Clear" }, { @@ -2243,6 +2874,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.005" + ], "title": "PowerShell Deleted Mounted Share" }, { @@ -2259,6 +2894,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell Credential Prompt" }, { @@ -2275,6 +2915,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, { @@ -2291,6 +2937,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], "title": "Powershell DNSExfiltration" }, { @@ -2307,6 +2957,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1574.012" + ], "title": "Registry-Free Process Scope COR_PROFILER" }, { @@ -2323,6 +2977,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Download - Powershell Script" }, { @@ -2339,6 +2997,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1556.002" + ], "title": "Powershell Install a DLL in System Directory" }, { 
@@ -2355,6 +3017,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1110.001" + ], "title": "Suspicious Connection to Remote Account" }, { @@ -2371,6 +3037,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell Remote Session Creation" }, { @@ -2387,6 +3057,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Potential AMSI Bypass Script Using NULL Bits" }, { @@ -2403,6 +3077,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.discovery", + "attack.t1040" + ], "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock" }, { @@ -2419,6 +3098,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1484.001" + ], "title": "Modify Group Policy Settings - ScriptBlockLogging" }, { @@ -2435,6 +3119,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1571" + ], "title": "Testing Usage of Uncommonly Used Port" }, { @@ -2451,6 +3139,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1574.011" + ], "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS" }, { @@ -2467,6 +3161,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging" }, { 
@@ -2483,6 +3181,9 @@ "level": "critical", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration" + ], "title": "Suspicious PowerShell Mailbox Export to Share - PS" }, { @@ -2499,6 +3200,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Clip - Powershell" }, { @@ -2515,6 +3222,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1036.003" + ], "title": "Suspicious Start-Process PassThru" }, { @@ -2531,6 +3242,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Suspicious New-PSDrive to Admin Share" }, { @@ -2547,6 +3262,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1136.002" + ], "title": "Manipulation of User Computer or Group Security Principals Across AD" }, { @@ -2563,6 +3282,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution" + ], "title": "Add Windows Capability Via PowerShell Script" }, { @@ -2579,6 +3301,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell PSAttack" }, { @@ -2595,6 +3321,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1546.013" + ], "title": "Potential Persistence Via PowerShell User Profile Using Add-Content" }, { @@ -2611,6 +3342,9 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Potential Suspicious Windows Feature Enabled" }, { 
@@ -2627,6 +3361,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004" + ], "title": "Windows Firewall Profile Disabled" }, { @@ -2643,6 +3381,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" }, { @@ -2659,6 +3401,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "attack.privilege-escalation" + ], "title": "Potential Persistence Via Security Descriptors - ScriptBlock" }, { @@ -2675,6 +3422,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell" }, { @@ -2691,6 +3444,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1574.011" + ], "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS" }, { @@ -2707,6 +3466,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1531" + ], "title": "Remove Account From Domain Admin Group" }, { @@ -2723,6 +3486,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027.009" + ], "title": "Powershell Token Obfuscation - Powershell" }, { @@ -2739,6 +3506,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Powershell MsXml COM Object" }, { @@ -2755,6 +3526,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "Suspicious Get Information for SMB Share" }, { 
@@ -2771,6 +3546,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock" }, { @@ -2787,6 +3566,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Change PowerShell Policies to an Insecure Level - PowerShell" }, { @@ -2803,6 +3586,14 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.reconnaissance", + "attack.discovery", + "attack.credential-access", + "attack.t1018", + "attack.t1558", + "attack.t1589.002" + ], "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock" }, { @@ -2819,6 +3610,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.006" + ], "title": "Execute Invoke-command on Remote Host" }, { @@ -2835,6 +3630,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1059.001" + ], "title": "PowerShell ADRecon Execution" }, { @@ -2851,6 +3651,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "PowerView PowerShell Cmdlets - ScriptBlock" }, { @@ -2867,6 +3671,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1547.004" + ], "title": "Winlogon Helper DLL" }, { @@ -2883,6 +3691,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell" }, { 
@@ -2899,6 +3713,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1564.003" + ], "title": "Suspicious PowerShell WindowStyle Option" }, { @@ -2915,6 +3733,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Import PowerShell Modules From Suspicious Directories" }, { @@ -2931,6 +3753,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1201" + ], "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy" }, { @@ -2947,6 +3773,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], "title": "Security Software Discovery Via Powershell Script" }, { @@ -2963,6 +3793,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Stdin - PowerShell Module" }, { @@ -2979,6 +3815,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1115" + ], "title": "PowerShell Get Clipboard" }, { @@ -2995,6 +3835,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module" }, { @@ -3011,6 +3857,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module" }, { 
@@ -3027,6 +3877,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module" }, { @@ -3043,6 +3899,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.reconnaissance", + "attack.discovery", + "attack.impact" + ], "title": "Potential Active Directory Enumeration Using AD Module - PsModule" }, { @@ -3059,6 +3920,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module" }, { @@ -3075,6 +3942,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.003" + ], "title": "Suspicious Get-ADDBAccount Usage" }, { @@ -3091,6 +3962,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Alternate PowerShell Hosts - PowerShell Module" }, { @@ -3107,6 +3982,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module" }, { @@ -3123,6 +4002,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "Suspicious Get Local Groups Information" }, { @@ -3139,6 +4022,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.initial-access", + "attack.t1078" + ], "title": "Suspicious Computer Machine Password by PowerShell" }, { 
@@ -3155,6 +4042,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module" }, { @@ -3171,6 +4062,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module" }, { @@ -3187,6 +4084,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1049" + ], "title": "Use Get-NetTCPConnection - PowerShell Module" }, { @@ -3203,6 +4104,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module" }, { @@ -3219,6 +4126,10 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1140" + ], "title": "PowerShell Decompress Commands" }, { @@ -3235,6 +4146,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule" }, { @@ -3251,6 +4166,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Malicious PowerShell Scripts - PoshModule" }, { @@ -3267,6 +4186,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module" }, { 
@@ -3283,6 +4208,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.lateral-movement", + "attack.t1021.006" + ], "title": "Remote PowerShell Session (PS Module)" }, { @@ -3299,6 +4230,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module" }, { @@ -3315,6 +4252,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module" }, { @@ -3331,6 +4274,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Download - PoshModule" }, { @@ -3347,6 +4294,18 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.discovery", + "attack.t1482", + "attack.t1087", + "attack.t1087.001", + "attack.t1087.002", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1069", + "attack.t1059.001" + ], "title": "Malicious PowerShell Commandlets - PoshModule" }, { @@ -3363,6 +4322,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module" }, { @@ -3379,6 +4344,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.003" + ], "title": "Clear PowerShell History - PowerShell Module" }, { 
@@ -3395,6 +4364,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "Suspicious Get Information for SMB Share - PowerShell Module" }, { @@ -3411,6 +4384,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module" }, { @@ -3427,6 +4404,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.collection", + "attack.t1074.001" + ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module" }, { @@ -3443,6 +4424,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module" }, { @@ -3459,6 +4446,9 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement" + ], "title": "HackTool - Evil-WinRm Execution - PowerShell Module" }, { @@ -3475,6 +4465,10 @@ "level": "critical", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Bad Opsec Powershell Code Artifacts" }, { @@ -3492,6 +4486,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1016" + ], "title": "Userdomain Variable Enumeration" }, { @@ -3509,6 +4507,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021" + ], "title": "New RDP Connection Initiated From Domain Controller" }, { 
@@ -3526,6 +4528,15 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.defense-evasion", + "attack.discovery", + "attack.s0075", + "attack.t1012", + "attack.t1112", + "attack.t1552.002" + ], "title": "Remote Registry Management Using Reg Utility" }, { @@ -3547,6 +4558,10 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1078" + ], "title": "Interactive Logon to Server Systems" }, { @@ -3565,6 +4580,14 @@ "subcategory_guids": [ "0CCE921B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.lateral-movement", + "attack.credential-access", + "attack.t1558", + "attack.t1649", + "attack.t1550" + ], "title": "User with Privileges Logon" }, { @@ -3584,6 +4607,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1550.002", + "car.2016-04-004" + ], "title": "Potential Pass the Hash Activity" }, { @@ -3601,6 +4629,11 @@ "subcategory_guids": [ "0CCE9236-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068", + "cve.2020-1472" + ], "title": "Potential Zerologon (CVE-2020-1472) Exploitation" }, { @@ -3616,6 +4649,9 @@ "level": "medium", "service": "shell-core", "subcategory_guids": [], + "tags": [ + "attack.execution" + ], "title": "Suspicious Application Installed" }, { @@ -3637,6 +4673,15 @@ "level": "medium", "service": "applocker", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.006", + "attack.t1059.007" + ], "title": "File Was Not Allowed To Run" }, { 
@@ -3653,6 +4698,10 @@ "level": "high", "service": "security-mitigations", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "Microsoft Defender Blocked from Loading Unsigned DLL" }, { @@ -3669,6 +4718,10 @@ "level": "high", "service": "security-mitigations", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "Unsigned Binary Loaded From Suspicious Location" }, { @@ -3686,6 +4739,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1546.011" + ], "title": "Potential Shim Database Persistence via Sdbinst.EXE" }, { @@ -3703,6 +4761,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003" + ], "title": "Suspicious Reg Add Open Command" }, { @@ -3720,6 +4782,21 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.defense-evasion", + "attack.discovery", + "attack.execution", + "attack.privilege-escalation", + "attack.t1046", + "attack.t1082", + "attack.t1106", + "attack.t1518", + "attack.t1548.002", + "attack.t1552.001", + "attack.t1555", + "attack.t1555.003" + ], "title": "HackTool - WinPwn Execution" }, { @@ -3737,6 +4814,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1569.002", + "attack.t1574.005" + ], "title": "HackTool - SharpUp PrivEsc Tool Execution" }, { @@ -3754,6 +4839,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Potential Rundll32 Execution With DLL Stored In ADS" }, { 
@@ -3771,6 +4860,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1489" + ], "title": "Disable Important Scheduled Task" }, { @@ -3788,6 +4881,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration" + ], "title": "Active Directory Structure Export Via Ldifde.EXE" }, { @@ -3805,6 +4901,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense-evasion", + "attack.t1202" + ], "title": "Suspicious Runscripthelper.exe" }, { @@ -3822,6 +4924,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], "title": "New User Created Via Net.EXE" }, { @@ -3839,6 +4945,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004" + ], "title": "Firewall Rule Deleted Via Netsh.EXE" }, { @@ -3856,6 +4966,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "HackTool - CreateMiniDump Execution" }, { @@ -3873,6 +4987,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007" + ], "title": "HackTool - Koadic Execution" }, { @@ -3890,6 +5010,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery" + ], "title": "Obfuscated IP Via CLI" }, { @@ -3907,6 +5030,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.credential-access", + "attack.t1649" + ], "title": "HackTool - Certify Execution" }, { 
@@ -3924,6 +5052,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218.002", + "attack.persistence", + "attack.t1546" + ], "title": "Control Panel Items" }, { @@ -3941,6 +5076,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.initial-access", + "attack.persistence", + "attack.privilege-escalation", + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1078" + ], "title": "Password Provided In Command Line Of Net.EXE" }, { @@ -3958,6 +5102,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1090" + ], "title": "PUA - Fast Reverse Proxy (FRP) Execution" }, { @@ -3975,6 +5123,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1569", + "attack.t1021" + ], "title": "Psexec Execution" }, { @@ -3992,6 +5146,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Potential COM Objects Download Cradles Usage - Process Creation" }, { @@ -4009,6 +5167,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "PUA - CleanWipe Execution" }, { @@ -4026,6 +5188,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1127" + ], "title": "Use of Wfc.exe" }, { @@ -4043,6 +5209,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.lateral-movement", + "attack.t1572", + "attack.t1021.001", + "attack.t1021.004" + ], "title": "Port Forwarding Activity Via SSH.EXE" }, { 
@@ -4060,6 +5233,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.t1003.001", + "attack.credential-access" + ], "title": "HackTool - XORDump Execution" }, { @@ -4077,6 +5256,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1202", + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potentially Suspicious Child Processes Spawned by ConHost" }, { @@ -4094,6 +5278,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potentially Suspicious CMD Shell Output Redirect" }, { @@ -4111,6 +5299,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.t1007" + ], "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE" }, { @@ -4128,6 +5321,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], "title": "HackTool - TruffleSnout Execution" }, { @@ -4145,6 +5342,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.010", + "attack.t1218.007", + "attack.execution", + "attack.t1059.001" + ], "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM" }, { @@ -4162,6 +5366,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.002" + ], "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine" }, { @@ -4179,6 +5387,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1047", + "attack.t1562" + ], "title": "Potential Windows Defender Tampering Via Wmic.EXE" }, { 
@@ -4196,6 +5410,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1005" + ], "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE" }, { @@ -4213,6 +5431,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218" + ], "title": "Potential File Download Via MS-AppInstaller Protocol Handler" }, { @@ -4230,6 +5453,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1037.001", + "attack.persistence" + ], "title": "Uncommon Userinit Child Process" }, { @@ -4247,6 +5474,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.command-and-control", + "attack.t1105" + ], "title": "Curl Download And Execute Combination" }, { @@ -4264,6 +5497,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "Suspicious Windows Update Agent Empty Cmdline" }, { @@ -4281,6 +5518,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE" }, { @@ -4298,6 +5539,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218" + ], "title": "Arbitrary File Download Via IMEWDBLD.EXE" }, { @@ -4315,6 +5561,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE" }, { 
@@ -4332,6 +5582,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "UAC Bypass Using Windows Media Player - Process" }, { @@ -4349,6 +5604,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Computer Password Change Via Ksetup.EXE" }, { @@ -4366,6 +5624,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Potentially Suspicious Rundll32 Activity" }, { @@ -4383,6 +5645,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "New DLL Registered Via Odbcconf.EXE" }, { @@ -4400,6 +5666,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.t1216" + ], "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code" }, { @@ -4417,6 +5688,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "DLL Execution via Rasautou.exe" }, { @@ -4434,6 +5709,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.t1003.001", + "attack.credential-access" + ], "title": "Procdump Execution" }, { @@ -4451,6 +5732,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1548" + ], "title": "Regedit as Trusted Installer" }, { @@ -4468,6 +5753,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1518" + ], "title": "Detected Windows Software Discovery" }, { 
@@ -4485,6 +5774,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], "title": "PUA - NSudo Execution" }, { @@ -4502,6 +5796,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "UAC Bypass WSReset" }, { @@ -4519,6 +5818,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Replace.exe Usage" }, { @@ -4536,6 +5839,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Suspicious Rundll32 Execution With Image Extension" }, { @@ -4553,6 +5860,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.collection", + "attack.t1185" + ], "title": "Browser Started with Remote Debugging" }, { @@ -4570,6 +5882,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.t1059" + ], "title": "PUA - Wsudo Suspicious Execution" }, { @@ -4587,6 +5904,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218", + "attack.t1202" + ], "title": "Potentially Suspicious Child Process Of VsCode" }, { @@ -4604,6 +5927,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1529" + ], "title": "Suspicious Execution of Shutdown to Log Out" }, { @@ -4621,6 +5948,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1134.002" + ], "title": "PUA - AdvancedRun Suspicious Execution" }, { 
@@ -4638,6 +5970,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1140", + "attack.t1218.005", + "attack.execution", + "attack.t1059.007", + "cve.2020-1599" + ], "title": "MSHTA Execution with Suspicious File Extensions" }, { @@ -4655,6 +5995,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "car.2013-07-001" + ], "title": "Dumping of Sensitive Hives Via Reg.EXE" }, { @@ -4672,6 +6019,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "WMIC Remote Command Execution" }, { @@ -4689,6 +6040,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "AddinUtil.EXE Execution From Uncommon Directory" }, { @@ -4706,6 +6061,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE" }, { @@ -4723,6 +6082,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.010" + ], "title": "Potentially Suspicious Child Process Of Regsvr32" }, { @@ -4740,6 +6103,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "COM Object Execution via Xwizard.EXE" }, { @@ -4757,6 +6124,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004", + "attack.s0108" + ], "title": "Firewall Disabled via Netsh.EXE" }, { 
@@ -4774,6 +6146,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Use of Pcalua For Execution"
 },
 {
@@ -4791,6 +6167,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Process Memory Dump Via Dotnet-Dump"
 },
 {
@@ -4808,6 +6188,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.credential-access",
+ "attack.t1212"
+ ],
 "title": "Suspicious NTLM Authentication on the Printer Spooler Service"
 },
 {
@@ -4825,6 +6210,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1119",
+ "attack.credential-access",
+ "attack.t1552.001"
+ ],
 "title": "Automated Collection Command Prompt"
 },
 {
@@ -4842,6 +6233,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ],
 "title": "File Download Via Bitsadmin"
 },
 {
@@ -4859,6 +6257,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ],
 "title": "DirLister Execution"
 },
 {
@@ -4876,6 +6278,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Execution via WorkFolders.exe"
 },
 {
@@ -4893,6 +6299,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1563.002",
+ "attack.t1021.001",
+ "car.2013-07-002"
+ ],
 "title": "Suspicious RDP Redirect Using TSCON"
 },
 {
@@ -4910,6 +6322,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Add Insecure Download Source To Winget"
 },
 {
@@ -4927,6 +6344,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1222.001"
+ ],
 "title": "Suspicious Recursive Takeown"
 },
 {
@@ -4944,6 +6365,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.005",
+ "car.2013-02-003",
+ "car.2013-03-001",
+ "car.2014-04-003"
+ ],
 "title": "Suspicious MSHTA Child Process"
 },
 {
@@ -4961,6 +6389,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.002"
+ ],
 "title": "Windows Admin Share Mount Via Net.EXE"
 },
 {
@@ -4978,6 +6410,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery"
+ ],
 "title": "HackTool - SharpLDAPmonitor Execution"
 },
 {
@@ -4995,6 +6430,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562"
+ ],
 "title": "ETW Logging Tamper In .NET Processes Via CommandLine"
 },
 {
@@ -5012,6 +6451,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Execution Of Non-Existing File"
 },
 {
@@ -5029,6 +6471,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1539",
+ "attack.t1555.003",
+ "attack.collection",
+ "attack.t1005"
+ ],
 "title": "SQLite Chromium Profile Data DB Access"
 },
 {
@@ -5046,6 +6495,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Scheduled Task Creation with Curl and PowerShell Execution Combo"
 },
 {
@@ -5063,6 +6520,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation Via Stdin"
 },
 {
@@ -5080,6 +6543,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Potential Dosfuscation Activity"
 },
 {
@@ -5097,6 +6564,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ],
 "title": "VolumeShadowCopy Symlink Creation Via Mklink"
 },
 {
@@ -5114,6 +6586,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1218"
+ ],
 "title": "Sdiagnhost Calling Suspicious Child Process"
 },
 {
@@ -5131,6 +6608,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Scheduled Task Creation Involving Temp Folder"
 },
 {
@@ -5148,6 +6630,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.003",
+ "attack.t1036.005"
+ ],
 "title": "Windows Processes Suspicious Parent Directory"
 },
 {
@@ -5165,6 +6652,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004",
+ "attack.s0246"
+ ],
 "title": "New Firewall Rule Added Via Netsh.EXE"
 },
 {
@@ -5182,6 +6674,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "PsExec Service Child Process Execution as LOCAL SYSTEM"
 },
 {
@@ -5199,6 +6694,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Potentially Suspicious Office Document Executed From Trusted Location"
 },
 {
@@ -5216,6 +6715,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.009"
+ ],
 "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension"
 },
 {
@@ -5233,6 +6736,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Suspicious Splwow64 Without Params"
 },
 {
@@ -5250,6 +6757,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.004"
+ ],
 "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse"
 },
 {
@@ -5267,6 +6778,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Use of TTDInject.exe"
 },
 {
@@ -5284,6 +6799,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE"
 },
 {
@@ -5301,6 +6819,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1046"
+ ],
 "title": "PUA - Nmap/Zenmap Execution"
 },
 {
@@ -5318,6 +6840,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1134.001",
+ "attack.t1134.003"
+ ],
 "title": "HackTool - SharpImpersonation Execution"
 },
 {
@@ -5335,6 +6863,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003",
+ "stp.1u"
+ ],
 "title": "Operator Bloopers Cobalt Strike Commands"
 },
 {
@@ -5352,6 +6885,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation"
 },
 {
@@ -5369,6 +6906,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
 "title": "Compress Data and Lock With Password for Exfiltration With WINZIP"
 },
 {
@@ -5386,6 +6927,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Computer System Reconnaissance Via Wmic.EXE"
 },
 {
@@ -5403,6 +6949,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Suspicious File Encoded To Base64 Via Certutil.EXE"
 },
 {
@@ -5420,6 +6970,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Suspicious RASdial Activity"
 },
 {
@@ -5437,6 +6992,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002",
+ "attack.t1112",
+ "car.2022-03-001"
+ ],
 "title": "Security Event Logging Disabled via MiniNt Registry Key - Process"
 },
 {
@@ -5454,6 +7015,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "File Decryption Using Gpg4win"
 },
 {
@@ -5471,6 +7035,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1047",
+ "attack.t1220",
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ],
 "title": "Potential SquiblyTwo Technique Execution"
 },
 {
@@ -5488,6 +7060,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Deletion of Volume Shadow Copies via WMI with PowerShell"
 },
 {
@@ -5505,6 +7081,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018",
+ "attack.t1087.002",
+ "attack.t1482",
+ "attack.t1069.002",
+ "stp.1u"
+ ],
 "title": "PUA - AdFind Suspicious Execution"
 },
 {
@@ -5522,6 +7106,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1217"
+ ],
 "title": "Suspicious Where Execution"
 },
 {
@@ -5539,6 +7127,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1059.001"
+ ],
 "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell"
 },
 {
@@ -5556,6 +7149,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "InfDefaultInstall.exe .inf Execution"
 },
 {
@@ -5573,6 +7170,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "Bypass UAC via Fodhelper.exe"
 },
 {
@@ -5590,6 +7191,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation Obfuscated IEX Invocation"
 },
 {
@@ -5607,6 +7214,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001",
+ "attack.t1112"
+ ],
 "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE"
 },
 {
@@ -5624,6 +7236,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ],
 "title": "Scheduled Task Executing Encoded Payload from Registry"
 },
 {
@@ -5641,6 +7259,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "All Backups Deleted Via Wbadmin.EXE"
 },
 {
@@ -5658,6 +7280,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1558.003"
+ ],
 "title": "HackTool - RemoteKrbRelay Execution"
 },
 {
@@ -5675,6 +7301,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler"
 },
 {
@@ -5692,6 +7322,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1059",
+ "attack.t1562.001"
+ ],
 "title": "HackTool - Stracciatella Execution"
 },
 {
@@ -5709,6 +7345,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Suspicious Curl.EXE Download"
 },
 {
@@ -5726,6 +7366,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE"
 },
 {
@@ -5743,6 +7387,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Diskshadow Script Mode - Uncommon Script Extension Execution"
 },
 {
@@ -5760,6 +7408,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1132.001"
+ ],
 "title": "Gzip Archive Decode Via PowerShell"
 },
 {
@@ -5777,6 +7429,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Obfuscated PowerShell Code"
 },
 {
@@ -5794,6 +7449,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "PUA - Nimgrab Execution"
 },
 {
@@ -5811,6 +7470,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Suspicious Mstsc.EXE Execution With Local RDP File"
 },
 {
@@ -5828,6 +7491,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002"
+ ],
 "title": "HackTool - Pypykatz Credentials Dumping Activity"
 },
 {
@@ -5845,6 +7512,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1566"
+ ],
 "title": "Phishing Pattern ISO in Archive"
 },
 {
@@ -5862,6 +7533,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Ie4uinit Lolbin Use From Invalid Path"
 },
 {
@@ -5879,6 +7554,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Python Function Execution Security Warning Disabled In Excel"
 },
 {
@@ -5896,6 +7575,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ],
 "title": "Uncommon System Information Discovery Via Wmic.EXE"
 },
 {
@@ -5913,6 +7596,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.defense-evasion",
+ "attack.t1036.004",
+ "attack.t1036.005"
+ ],
 "title": "Scheduled Task Creation Masquerading as System Processes"
 },
 {
@@ -5930,6 +7620,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation"
 },
 {
@@ -5947,6 +7640,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - AnyDesk Execution"
 },
 {
@@ -5964,6 +7661,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1133"
+ ],
 "title": "Unusual Child Process of dns.exe"
 },
 {
@@ -5981,6 +7682,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1587.001"
+ ],
 "title": "Potential Privilege Escalation To LOCAL SYSTEM"
 },
 {
@@ -5998,6 +7703,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ],
 "title": "Webshell Tool Reconnaissance Activity"
 },
 {
@@ -6015,6 +7724,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
 "title": "HackTool - SharpLdapWhoami Execution"
 },
 {
@@ -6032,6 +7746,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1134",
+ "attack.t1003",
+ "attack.t1027"
+ ],
 "title": "Suspicious SYSTEM User Process Creation"
 },
 {
@@ -6049,6 +7771,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "Whoami.EXE Execution From Privileged Process"
 },
 {
@@ -6066,6 +7793,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Uninstall Sysinternals Sysmon"
 },
 {
@@ -6083,6 +7814,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ],
 "title": "Potential Suspicious Browser Launch From Document Reader Process"
 },
 {
@@ -6100,6 +7835,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1553.004"
+ ],
 "title": "New Root Certificate Installed Via CertMgr.EXE"
 },
 {
@@ -6117,6 +7856,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.002"
+ ],
 "title": "Enumeration for Credentials in Registry"
 },
 {
@@ -6134,6 +7877,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ],
 "title": "PUA - NirCmd Execution As LOCAL SYSTEM"
 },
 {
@@ -6151,6 +7899,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1053.005"
+ ],
 "title": "Uncommon One Time Only Scheduled Task At 00:00"
 },
 {
@@ -6168,6 +7922,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1553.004"
+ ],
 "title": "Suspicious X509Enrollment - Process Creation"
 },
 {
@@ -6185,6 +7943,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Potential Adplus.EXE Abuse"
 },
 {
@@ -6202,6 +7966,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090.001"
+ ],
 "title": "PUA - Chisel Tunneling Tool Execution"
 },
 {
@@ -6219,6 +7987,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Process Execution From Fake Recycle.Bin Folder"
 },
 {
@@ -6236,6 +8008,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002",
+ "attack.g0046",
+ "car.2013-05-002"
+ ],
 "title": "Suspicious Binary In User Directory Spawned From Office Application"
 },
 {
@@ -6253,6 +8031,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ],
 "title": "Suspicious Download From File-Sharing Website Via Bitsadmin"
 },
 {
@@ -6270,6 +8055,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Add Windows Capability Via PowerShell Cmdlet"
 },
 {
@@ -6287,6 +8075,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.003"
+ ],
 "title": "Potential Browser Data Stealing"
 },
 {
@@ -6304,6 +8096,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002"
+ ],
 "title": "Start Windows Service Via Net.EXE"
 },
 {
@@ -6321,6 +8117,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1203",
+ "attack.t1574.001"
+ ],
 "title": "Potentially Suspicious Child Process of KeyScrambler.exe"
 },
 {
@@ -6338,6 +8141,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Malicious Windows Script Components File Execution by TAEF Detection"
 },
 {
@@ -6355,6 +8162,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1543.003"
+ ],
 "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE"
 },
 {
@@ -6372,6 +8183,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1546.011"
+ ],
 "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE"
 },
 {
@@ -6389,6 +8205,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Elevated System Shell Spawned From Uncommon Parent Location"
 },
 {
@@ -6406,6 +8228,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disabled IE Security Features"
 },
 {
@@ -6423,6 +8249,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.t1218",
+ "attack.t1003.001"
+ ],
 "title": "Time Travel Debugging Utility Usage"
 },
 {
@@ -6440,6 +8272,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious Schtasks Execution AppData Folder"
 },
 {
@@ -6457,6 +8295,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration"
+ ],
 "title": "Suspicious PowerShell Mailbox Export to Share"
 },
 {
@@ -6474,6 +8315,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1059"
+ ],
 "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"
 },
 {
@@ -6491,6 +8337,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090.001"
+ ],
 "title": "Renamed Cloudflared.EXE Execution"
 },
 {
@@ -6508,6 +8358,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern"
 },
 {
@@ -6525,6 +8379,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1566",
+ "attack.t1566.001",
+ "attack.initial-access"
+ ],
 "title": "Suspicious Microsoft OneNote Child Process"
 },
 {
@@ -6542,6 +8401,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "Always Install Elevated MSI Spawned Cmd And Powershell"
 },
 {
@@ -6559,6 +8422,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "PowerShell Execution With Potential Decryption Capabilities"
 },
 {
@@ -6576,6 +8442,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059",
+ "attack.discovery",
+ "attack.t1018"
+ ],
 "title": "Suspicious Scan Loop Network"
 },
 {
@@ -6593,6 +8465,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1046",
+ "attack.t1135"
+ ],
 "title": "PUA - Advanced Port Scanner Execution"
 },
 {
@@ -6610,6 +8487,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016"
+ ],
 "title": "Firewall Configuration Discovery Via Netsh.EXE"
 },
 {
@@ -6627,6 +8508,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE"
 },
 {
@@ -6644,6 +8530,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.discovery",
+ "attack.t1087.002"
+ ],
 "title": "Active Directory Structure Export Via Csvde.EXE"
 },
 {
@@ -6661,6 +8552,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Suspicious TSCON Start as SYSTEM"
 },
 {
@@ -6678,6 +8573,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "HackTool - SafetyKatz Execution"
 },
 {
@@ -6695,6 +8594,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1071.001",
+ "attack.t1219"
+ ],
 "title": "Renamed Visual Studio Code Tunnel Execution"
 },
 {
@@ -6712,6 +8616,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1074.001"
+ ],
 "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet"
 },
 {
@@ -6729,6 +8637,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Suspicious File Download From IP Via Wget.EXE"
 },
 {
@@ -6746,6 +8657,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Raccine Uninstall"
 },
 {
@@ -6763,6 +8678,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1113"
+ ],
 "title": "Windows Recall Feature Enabled Via Reg.EXE"
 },
 {
@@ -6780,6 +8699,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Security Service Disabled Via Reg.EXE"
 },
 {
@@ -6797,6 +8720,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105",
+ "attack.t1564.003"
+ ],
 "title": "Browser Execution In Headless Mode"
 },
 {
@@ -6814,6 +8742,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Download and Execute Pattern"
 },
 {
@@ -6831,6 +8763,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Regsvr32 Execution From Highly Suspicious Location"
 },
 {
@@ -6848,6 +8784,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.001"
+ ],
 "title": "Hiding Files with Attrib.exe"
 },
 {
@@ -6865,6 +8805,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.004"
+ ],
 "title": "Use NTFS Short Name in Image"
 },
 {
@@ -6882,6 +8826,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1518.001"
+ ],
 "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE"
 },
 {
@@ -6899,6 +8847,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE"
 },
 {
@@ -6916,6 +8868,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Service Started/Stopped Via Wmic.EXE"
 },
 {
@@ -6933,6 +8889,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.initial-access"
+ ],
 "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate"
 },
 {
@@ -6950,6 +8910,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl"
 },
 {
@@ -6967,6 +8931,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Arbitrary File Download Via PresentationHost.EXE"
 },
 {
@@ -6984,6 +8953,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
 "title": "WhoAmI as Parameter"
 },
 {
@@ -7001,6 +8975,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "Explorer NOUACCHECK Flag"
 },
 {
@@ -7018,6 +8996,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087",
+ "attack.t1087.001",
+ "attack.t1087.002"
+ ],
 "title": "Suspicious Use of PsLogList"
 },
 {
@@ -7035,6 +9019,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ],
 "title": "IIS Native-Code Module Command Line Installation"
 },
 {
@@ -7052,6 +9040,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1071.001",
+ "attack.t1219"
+ ],
 "title": "Visual Studio Code Tunnel Execution"
 },
 {
@@ -7069,6 +9062,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Base64 MZ Header In CommandLine"
 },
 {
@@ -7086,6 +9082,15 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.command-and-control",
+ "attack.t1218",
+ "attack.t1564.004",
+ "attack.t1552.001",
+ "attack.t1105"
+ ],
 "title": "Remote File Download Via Findstr.EXE"
 },
 {
@@ -7103,6 +9108,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.004"
+ ],
 "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI"
 },
 {
@@ -7120,6 +9129,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1053",
+ "attack.t1059.003",
+ "attack.t1059.001",
+ "attack.s0106"
+ ],
 "title": "HackTool - CrackMapExec Execution Patterns"
 },
 {
@@ -7137,6 +9154,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001"
+ ],
 "title": "Potential DLL Sideloading Via DeviceEnroller.EXE"
 },
 {
@@ -7154,6 +9175,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048.003"
+ ],
 "title": "WebDav Client Execution Via Rundll32.EXE"
 },
 {
@@ -7171,6 +9196,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016"
+ ],
 "title": "Suspicious Network Command"
 },
 {
@@ -7188,6 +9217,18 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.discovery",
+ "attack.t1482",
+ "attack.t1087",
+ "attack.t1087.001",
+ "attack.t1087.002",
+ "attack.t1069.001",
+ "attack.t1069.002",
+ "attack.t1069",
+ "attack.t1059.001"
+ ],
 "title": "Malicious PowerShell Commandlets - ProcessCreation"
 },
 {
@@ -7205,6 +9246,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
 "title": "Whoami Utility Execution"
 },
 {
@@ -7222,6 +9268,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "OpenWith.exe Executes Specified Binary"
 },
 {
@@ -7239,6 +9289,15 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.discovery",
+ "attack.t1082",
+ "attack.t1057",
+ "attack.t1012",
+ "attack.t1083",
+ "attack.t1007"
+ ],
 "title": "HackTool - PCHunter Execution"
 },
 {
@@ -7256,6 +9315,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ],
 "title": "Uncommon Child Process Of Setres.EXE"
 },
 {
@@ -7273,6 +9337,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1068"
+ ],
 "title": "HKTL - SharpSuccessor Privilege Escalation Tool Execution"
 },
 {
@@ -7290,6 +9358,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1588.002"
+ ],
 "title": "Potential Execution of Sysinternals Tools"
 },
 {
@@ -7307,6 +9379,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1049",
+ "attack.t1069.002",
+ "attack.t1482",
+ "attack.t1135",
+ "attack.t1033"
+ ],
 "title": "HackTool - SharpView Execution"
 },
 {
@@ -7324,6 +9404,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI"
 },
 {
@@ -7341,6 +9425,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "QuickAssist Execution"
 },
 {
@@ -7358,6 +9446,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Arbitrary File Download Via MSOHTMED.EXE"
 },
 {
@@ -7375,6 +9468,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Regsvr32 Execution From Potential Suspicious Location"
 },
 {
@@ -7392,6 +9489,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547"
+ ],
 "title": "Suspicious GrpConv Execution"
 },
 {
@@ -7409,6 +9510,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.discovery",
+ "attack.t1082"
+ ],
 "title": "Potential Product Class Reconnaissance Via Wmic.EXE"
 },
 {
@@ -7426,6 +9533,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "PowerShell Base64 Encoded IEX Cmdlet"
 },
 {
@@ -7443,6 +9554,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003"
+ ],
 "title": "Capture Credentials with Rpcping.exe"
 },
 {
@@ -7460,6 +9575,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Operator Bloopers Cobalt Strike Modules"
 },
 {
@@ -7477,6 +9596,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "HackTool - CrackMapExec Process Patterns"
 },
 {
@@ -7494,6 +9617,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574.011"
+ ],
 "title": "Changing Existing Service ImagePath Value Via Reg.EXE"
 },
 {
@@ -7511,6 +9638,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.001"
+ ],
 "title": "HH.EXE Execution"
 },
 {
@@ -7528,6 +9659,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002"
+ ],
 "title": "PowerShell SAM Copy"
 },
 {
@@ -7545,6 +9680,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Potentially Suspicious Execution Of PDQDeployRunner"
 },
 {
@@ -7562,6 +9700,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.002",
+ "attack.t1069.002",
+ "attack.t1482"
+ ],
 "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
 },
 {
@@ -7579,6 +9723,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016",
+ "attack.t1482"
+ ],
 "title": "Potential Recon Activity Via Nltest.EXE"
 },
 {
@@ -7596,6 +9745,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential Data Exfiltration Activity Via CommandLine Tools"
 },
 {
@@ -7613,6 +9766,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1127",
+ "attack.t1059.007"
+ ],
 "title": "Node Process Executions"
 },
 {
@@ -7630,6 +9789,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.discovery",
+ "attack.t1012"
+ ],
 "title": "Exports Critical Registry Keys To a File"
 },
 {
@@ -7647,6 +9811,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious File Execution From Internet Hosted WebDav Share"
 },
 {
@@ -7664,6 +9832,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "NtdllPipe Like Activity Execution"
 },
 {
@@ -7681,6 +9852,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Insecure Transfer Via Curl.EXE"
 },
 {
@@ -7698,6 +9872,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1133"
+ ],
 "title": "Remote Access Tool - Team Viewer Session Started On Windows Host"
 },
 {
@@ -7715,6 +9893,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001",
+ "attack.s0005"
+ ],
 "title": "HackTool - Windows Credential Editor (WCE) Execution"
 },
 {
@@ -7732,6 +9915,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Suspicious Download Via Certutil.EXE"
 },
 {
@@ -7749,6 +9936,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ],
 "title": "Potential Dropper Script Execution Via WScript/CScript"
 },
 {
@@ -7766,6 +9958,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Suspicious Diantz Download and Compress Into a CAB File"
 },
 {
@@ -7783,6 +9979,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "File Download From IP URL Via Curl.EXE"
 },
 {
@@ -7800,6 +9999,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1553.004"
+ ],
 "title": "New Root Certificate Installed Via Certutil.EXE"
 },
 {
@@ -7817,6 +10020,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "RDP Connection Allowed Via Netsh.EXE"
 },
 {
@@ -7834,6 +10041,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Schtasks Schedule Types"
 },
 {
@@ -7851,6 +10062,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003"
+ ],
 "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI"
 },
 {
@@ -7868,6 +10083,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.persistence",
+ "attack.privilege-escalation"
+ ],
 "title": "Suspicious Child Process Of Veeam Dabatase"
 },
 {
@@ -7885,6 +10105,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.007"
+ ],
 "title": "Suspicious Msiexec Quiet Install From Remote Location"
 },
 {
@@ -7902,6 +10126,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using NTFS Reparse Point - Process"
 },
 {
@@ -7919,6 +10148,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "Always Install Elevated Windows Installer"
 },
 {
@@ -7936,6 +10169,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ],
 "title": "Deleted Data Overwritten Via Cipher.EXE"
 },
 {
@@ -7953,6 +10190,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
 },
 {
@@ -7970,6 +10211,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Service StartupType Change Via PowerShell Set-Service"
 },
 {
@@ -7987,6 +10233,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1036",
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious CodePage Switch Via CHCP"
 },
 {
@@ -8004,6 +10254,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using MSConfig Token Modification - Process"
 },
 {
@@ -8021,6 +10276,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.t1620"
+ ],
 "title": "PowerShell Base64 Encoded Reflective Assembly Load"
 },
 {
@@ -8038,6 +10300,22 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.initial-access",
+ "attack.t1047",
+ "attack.t1059.001",
+ "attack.t1059.003",
+ "attack.t1059.005",
+ "attack.t1059.007",
+ "attack.t1218",
+ "attack.t1218.001",
+ "attack.t1218.010",
+ "attack.t1218.011",
+ "attack.t1566",
+ "attack.t1566.001"
+ ],
 "title": "Suspicious HH.EXE Execution"
 },
 {
@@ -8055,6 +10333,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Potential CobaltStrike Process Patterns"
 },
 {
@@ -8072,6 +10354,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation Via Use Clip"
 },
 {
@@ -8089,6 +10377,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using Consent and Comctl32 - Process"
 },
 {
@@ -8106,6 +10399,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
 "title": "Stop Windows Service Via Net.EXE"
 },
 {
@@ -8123,6 +10420,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002",
+ "attack.t1218.003"
+ ],
 "title": "Bypass UAC via CMSTP"
 },
 {
@@ -8140,6 +10443,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Suspicious Process Parents"
 },
 {
@@ -8157,6 +10464,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1220"
+ ],
 "title": "XSL Script Execution Via WMIC.EXE"
 },
 {
@@ -8174,6 +10485,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Lolbin Unregmp2.exe Use As Proxy"
 },
 {
@@ -8191,6 +10506,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "File Download Using Notepad++ GUP Utility"
 },
 {
@@ -8208,6 +10527,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Potential Product Reconnaissance Via Wmic.EXE"
 },
 {
@@ -8225,6 +10548,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation"
 },
 {
@@ -8242,6 +10569,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.004"
+ ],
 "title": "PowerShell Get-Process LSASS"
 },
 {
@@ -8259,6 +10590,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Add Potential Suspicious New Download Source To Winget"
 },
 {
@@ -8276,6 +10612,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.005"
+ ],
 "title": "Unmount Share Via Net.EXE"
 },
 {
@@ -8293,6 +10633,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious WMIC Execution Via Office Process"
 },
 {
@@ -8310,6 +10657,19 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.credential-access",
+ "attack.discovery",
+ "attack.t1047",
+ "attack.t1053",
+ "attack.t1059.003",
+ "attack.t1059.001",
+ "attack.t1110",
+ "attack.t1201"
+ ],
 "title": "HackTool - CrackMapExec Execution"
 },
 {
@@ -8327,6 +10687,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "UtilityFunctions.ps1 Proxy Dll"
 },
 {
@@ -8344,6 +10708,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547"
+ ],
 "title": "Suspicious Driver Install by pnputil.exe"
 },
 {
@@ -8361,6 +10729,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious Encoded PowerShell Command Line"
 },
 {
@@ -8378,6 +10750,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "HackTool - UACMe Akagi Execution"
 },
 {
@@ -8395,6 +10772,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Rundll32 Registered COM Objects"
 },
 {
@@ -8412,6 +10794,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.execution",
+ "attack.t1574.001"
+ ],
 "title": "Tasks Folder Evasion"
 },
 {
@@ -8429,6 +10817,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048.001",
+ "attack.command-and-control",
+ "attack.t1071.004",
+ "attack.t1132.001"
+ ],
 "title": "DNS Exfiltration and Tunneling Tools Execution"
 },
 {
@@ -8446,6 +10841,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001"
+ ],
 "title": "DLL Sideloading by VMware Xfer Utility"
 },
 {
@@ -8463,6 +10862,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.t1542.001"
+ ],
 "title": "UEFI Persistence Via Wpbbin - ProcessCreation"
 },
 {
@@ -8480,6 +10884,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.004"
+ ],
 "title": "Suspicious Key Manager Access"
 },
 {
@@ -8497,6 +10905,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.001"
+ ],
 "title": "Use Icacls to Hide File to Everyone"
 },
 {
@@ -8514,6 +10926,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Run PowerShell Script from Redirected Input Stream"
 },
 {
@@ -8531,6 +10948,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.t1036",
+ "attack.t1003.001"
+ ],
 "title": "Suspicious DumpMinitool Execution"
 },
 {
@@ -8548,6 +10971,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Potential RDP Session Hijacking Activity"
 },
 {
@@ -8565,6 +10991,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1069.001"
+ ],
 "title": "Local Groups Reconnaissance Via Wmic.EXE"
 },
 {
@@ -8582,6 +11012,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112",
+ "attack.t1562.001"
+ ],
 "title": "Reg Add Suspicious Paths"
 },
 {
@@ -8599,6 +11034,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Indirect Inline Command Execution Via Bash.EXE"
 },
 {
@@ -8616,6 +11055,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Service StartupType Change Via Sc.EXE"
 },
 {
@@ -8633,6 +11077,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.007"
+ ],
 "title": "DllUnregisterServer Function Call Via Msiexec.EXE"
 },
 {
@@ -8650,6 +11098,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Arbitrary File Download Via Squirrel.EXE"
 },
 {
@@ -8667,6 +11120,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potentially Suspicious Cabinet File Expansion"
 },
 {
@@ -8684,6 +11141,17 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.s0111",
+ "attack.g0022",
+ "attack.g0060",
+ "car.2013-08-001",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ],
 "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
 },
 {
@@ -8701,6 +11169,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Script Interpreter Execution From Suspicious Folder"
 },
 {
@@ -8718,6 +11190,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Uncommon Link.EXE Parent Process"
 },
 {
@@ -8735,6 +11211,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110.002"
+ ],
 "title": "HackTool - Hashcat Password Cracker Execution"
 },
 {
@@ -8752,6 +11232,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027.004"
+ ],
 "title": "Dynamic .NET Compilation Via Csc.EXE"
 },
 {
@@ -8769,6 +11253,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "File Download Using ProtocolHandler.exe"
 },
 {
@@ -8786,6 +11274,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.discovery",
+ "attack.t1505.003",
+ "attack.t1018",
+ "attack.t1033",
+ "attack.t1087"
+ ],
 "title": "Webshell Detection With Command Line Keywords"
 },
 {
@@ -8803,6 +11299,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "car.2013-05-002"
+ ],
 "title": "Suspicious Process Start Locations"
 },
 {
@@ -8820,6 +11321,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.collection",
+ "attack.t1114"
+ ],
 "title": "Exchange PowerShell Snap-Ins Usage"
 },
 {
@@ -8837,6 +11344,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1047",
+ "attack.t1204.002",
+ "attack.t1218.010"
+ ],
 "title": "Suspicious WmiPrvSE Child Process"
 },
 {
@@ -8854,6 +11368,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.discovery",
+ "attack.t1552"
+ ],
 "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities"
 },
 {
@@ -8871,6 +11390,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1132.001"
+ ],
 "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
 },
 {
@@ -8888,6 +11411,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1562.001"
+ ],
 "title": "Obfuscated PowerShell OneLiner Execution"
 },
 {
@@ -8905,6 +11434,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "HackTool - Sliver C2 Implant Activity Pattern"
 },
 {
@@ -8922,6 +11455,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.001"
+ ],
 "title": "Potential PowerShell Console History Access Attempt via History File"
 },
 {
@@ -8939,6 +11476,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1123"
+ ],
 "title": "Audio Capture via PowerShell"
 },
 {
@@ -8956,6 +11497,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.002"
+ ],
 "title": "Registry Export of Third-Party Credentials"
 },
 {
@@ -8973,6 +11518,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.003"
+ ],
 "title": "WMI Backdoor Exchange Transport Agent"
 },
 {
@@ -8990,6 +11539,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Gpscript Execution"
 },
 {
@@ -9007,6 +11560,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1016",
+ "attack.t1018",
+ "attack.t1482"
+ ],
 "title": "Nltest.EXE Execution"
 },
 {
@@ -9024,6 +11583,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load"
 },
 {
@@ -9041,6 +11604,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555",
+ "cve.2021-35211"
+ ],
 "title": "Suspicious Serv-U Process Pattern"
 },
 {
@@ -9058,6 +11626,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1133"
+ ],
 "title": "Remote Access Tool - ScreenConnect Installation Execution"
 },
 {
@@ -9075,6 +11647,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Forfiles Command Execution"
 },
 {
@@ -9092,6 +11668,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "File Download via CertOC.EXE"
 },
 {
@@ -9109,6 +11689,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.008"
+ ],
 "title": "Response File Execution Via Odbcconf.EXE"
 },
 {
@@ -9126,6 +11710,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
 "title": "Files Added To An Archive Using Rar.EXE"
 },
 {
@@ -9143,6 +11731,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Tamper Windows Defender Remove-MpPreference"
 },
 {
@@ -9160,6 +11752,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1526",
+ "attack.t1087",
+ "attack.t1083"
+ ],
 "title": "PUA - Seatbelt Execution"
 },
 {
@@ -9177,6 +11775,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "File Download From Browser Process Via Inline URL"
 },
 {
@@ -9194,6 +11796,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1059.001",
+ "attack.t1564.003"
+ ],
 "title": "HackTool - Covenant PowerShell Launcher"
 },
 {
@@ -9211,6 +11819,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.execution"
+ ],
 "title": "Execute Pcwrun.EXE To Leverage Follina"
 },
 {
@@ -9228,6 +11841,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Encoded Command Patterns"
 },
 {
@@ -9245,6 +11862,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations"
 },
 {
@@ -9262,6 +11882,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.discovery",
+ "attack.t1505.003",
+ "attack.t1018",
+ "attack.t1033",
+ "attack.t1087"
+ ],
 "title": "Chopper Webshell Process Pattern"
 },
 {
@@ -9279,6 +11907,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Execute Files with Msdeploy.exe"
 },
 {
@@ -9296,6 +11928,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
 },
 {
@@ -9313,6 +11951,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1566.001"
+ ],
 "title": "Suspicious Double Extension File Execution"
 },
 {
@@ -9330,6 +11972,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Suspicious Invoke-WebRequest Execution With DirectIP"
 },
 {
@@ -9347,6 +11993,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Advpack Call Via Rundll32.EXE"
 },
 {
@@ -9364,6 +12013,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "cve.2023-21746"
+ ],
 "title": "HackTool - LocalPotato Execution"
 },
 {
@@ -9381,6 +12035,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Potential Arbitrary Command Execution Using Msdt.EXE"
 },
 {
@@ -9398,6 +12056,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Remote Access Tool - NetSupport Execution From Unusual Location"
 },
 {
@@ -9415,6 +12076,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Uncommon AddinUtil.EXE CommandLine Execution"
 },
 {
@@ -9432,6 +12097,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1615"
+ ],
 "title": "Gpresult Display Group Policy Information"
 },
 {
@@ -9449,6 +12118,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE"
 },
 {
@@ -9466,6 +12139,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution"
+ ],
 "title": "Wab/Wabmig Unusual Parent Or Child Processes"
 },
 {
@@ -9483,6 +12160,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1486"
+ ],
 "title": "Suspicious Reg Add BitLocker"
 },
 {
@@ -9500,6 +12181,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Suspicious Windows Feature Enabled - ProcCreation"
 },
 {
@@ -9517,6 +12201,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Potential Arbitrary File Download Using Office Application"
 },
 {
@@ -9534,6 +12222,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.004"
+ ],
 "title": "File Deletion Via Del"
 },
 {
@@ -9551,6 +12243,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Suspicious Program Names"
 },
 {
@@ -9568,6 +12264,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1546.008"
+ ],
 "title": "Suspicious Debugger Registration Cmdline"
 },
 {
@@ -9585,6 +12286,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.002"
+ ],
 "title": "MSExchange Transport Agent Installation"
 },
 {
@@ -9602,6 +12307,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location"
 },
 {
@@ -9619,6 +12327,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - Simple Help Execution"
 },
 {
@@ -9636,6 +12348,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1556.002"
+ ],
 "title": "Dropping Of Password Filter DLL"
 },
 {
@@ -9653,6 +12369,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Uncommon Child Process Of AddinUtil.EXE"
 },
 {
@@ -9670,6 +12390,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1543.003"
+ ],
 "title": "Suspicious New Service Creation"
 },
 {
@@ -9687,6 +12412,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.impact",
+ "attack.t1489",
+ "attack.t1562.001"
+ ],
 "title": "Suspicious Windows Service Tampering"
 },
 {
@@ -9704,6 +12435,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Suspicious Script Execution From Temp Folder"
 },
 {
@@ -9721,6 +12456,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Taskmgr as LOCAL_SYSTEM"
 },
 {
@@ -9738,6 +12477,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Password Spraying Attempt Using Dsacls.EXE"
 },
 {
@@ -9755,6 +12498,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Net WebClient Casing Anomalies"
 },
 {
@@ -9772,6 +12519,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell"
 },
 {
@@ -9789,6 +12540,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1548.002"
+ ],
 "title": "PowerShell Web Access Feature Enabled Via DISM"
 },
 {
@@ -9806,6 +12561,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1072",
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious Csi.exe Usage"
 },
 {
@@ -9823,6 +12584,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.persistence",
+ "attack.privilege-escalation"
+ ],
 "title": "Suspicious Processes Spawned by Java.EXE"
 },
 {
@@ -9840,6 +12606,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216.001"
+ ],
 "title": "Pubprn.vbs Proxy Execution"
 },
 {
@@ -9857,6 +12627,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1123" + ], "title": "Audio Capture via SoundRecorder" }, { @@ -9874,6 +12648,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1204", + "attack.t1566.001", + "attack.execution", + "attack.initial-access" + ], "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms" }, { @@ -9891,6 +12671,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Disable Windows IIS HTTP Logging" }, { @@ -9908,6 +12692,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE" }, { @@ -9925,6 +12712,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "Explorer Process Tree Break" }, { @@ -9942,6 +12733,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1552.006" + ], "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE" }, { @@ -9959,6 +12754,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1528" + ], "title": "Potentially Suspicious Command Targeting Teams Sensitive Files" }, { @@ -9976,6 +12775,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.005" + ], "title": "Potential LethalHTA Technique Execution" }, { @@ -9993,6 +12796,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines" }, { 
@@ -10010,6 +12817,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1070.004" + ], "title": "Suspicious Ping/Del Command Combination" }, { @@ -10027,6 +12838,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added to Local Administrators Group" }, { @@ -10044,6 +12859,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR+ Launcher" }, { @@ -10061,6 +12882,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1018", + "attack.t1087.002", + "attack.t1482", + "attack.t1069.002" + ], "title": "Renamed AdFind Execution" }, { @@ -10078,6 +12906,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "DLL Loaded via CertOC.EXE" }, { @@ -10095,6 +12927,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1190", + "attack.initial-access", + "attack.persistence", + "attack.privilege-escalation" + ], "title": "Suspicious Processes Spawned by WinRM" }, { @@ -10112,6 +12950,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218.005" + ], "title": "Remotely Hosted HTA File Executed Via Mshta.EXE" }, { @@ -10129,6 +12972,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1547.001", + "attack.t1047" + ], "title": "Suspicious Autorun Registry Modified via WMI" }, { 
@@ -10146,6 +12995,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1120" + ], "title": "Fsutil Drive Enumeration" }, { @@ -10163,6 +13016,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Python Inline Command Execution" }, { @@ -10180,6 +13037,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.005" + ], "title": "PUA - DefenderCheck Execution" }, { @@ -10197,6 +13058,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.execution", + "attack.t1105" + ], "title": "File Download From IP Based URL Via CertOC.EXE" }, { @@ -10214,6 +13080,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.005" + ], "title": "Potential MsiExec Masquerading" }, { @@ -10231,6 +13101,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.t1003.001", + "attack.credential-access" + ], "title": "Potential SysInternals ProcDump Evasion" }, { @@ -10248,6 +13124,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1021.003" + ], "title": "MMC20 Lateral Movement" }, { @@ -10265,6 +13146,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ], "title": "Rundll32 Execution Without Parameters" }, { @@ -10282,6 +13170,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd" }, { 
@@ -10299,6 +13190,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1587.001", + "attack.execution", + "attack.t1569.002" + ], "title": "PUA - CsExec Execution" }, { @@ -10316,6 +13213,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1553.004" + ], "title": "Root Certificate Installed From Susp Locations" }, { @@ -10333,6 +13234,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1528" + ], "title": "Potentially Suspicious JWT Token Search Via CLI" }, { @@ -10350,6 +13255,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1127" + ], "title": "SQL Client Tools PowerShell Session Detection" }, { @@ -10367,6 +13278,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1090.001" + ], "title": "Cloudflared Portable Execution" }, { @@ -10384,6 +13299,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "Process Execution From A Potentially Suspicious Folder" }, { @@ -10401,6 +13320,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion" + ], "title": "Potentially Suspicious Child Process Of ClickOnce Application" }, { @@ -10418,6 +13341,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1216" + ], "title": "Potential Process Execution Proxy Via CL_Invocation.ps1" }, { 
@@ -10435,6 +13362,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1202" + ], "title": "Uncommon Child Process Of Conhost.EXE" }, { @@ -10452,6 +13383,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Suspicious Invoke-WebRequest Execution" }, { @@ -10469,6 +13404,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1529" + ], "title": "Suspicious Execution of Shutdown" }, { @@ -10486,6 +13425,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE" }, { @@ -10503,6 +13446,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1176.001" + ], "title": "Chromium Browser Instance Executed With Custom Extension" }, { @@ -10520,6 +13467,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027" + ], "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image" }, { @@ -10537,6 +13488,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Suspicious Greedy Compression Using Rar.EXE" }, { @@ -10554,6 +13509,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "attack.t1219" + ], "title": "Suspicious Velociraptor Child Process" }, { @@ -10571,6 +13531,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], "title": "Suspicious Schtasks Schedule Type With High Privileges" }, { 
@@ -10588,6 +13552,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1219.002" + ], "title": "Mstsc.EXE Execution With Local RDP File" }, { @@ -10605,6 +13573,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Disable Windows Defender AV Security Monitoring" }, { @@ -10622,6 +13594,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1112", + "attack.defense-evasion" + ], "title": "Registry Modification Via Regini.EXE" }, { @@ -10639,6 +13615,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution" + ], "title": "Weak or Abused Passwords In CLI" }, { @@ -10656,6 +13636,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths" }, { @@ -10673,6 +13656,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1218.011", + "attack.defense-evasion" + ], "title": "Rundll32 InstallScreenSaver Execution" }, { @@ -10690,6 +13677,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Rebuild Performance Counter Values Via Lodctr.EXE" }, { @@ -10707,6 +13697,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.discovery", + "attack.t1505.003", + "attack.t1018", + "attack.t1033", + "attack.t1087" + ], "title": "Webshell Hacking Activity Patterns" }, { @@ -10724,6 +13722,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1055" + ], "title": "HackTool - CoercedPotato Execution" }, { 
@@ -10741,6 +13744,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Direct Autorun Keys Modification" }, { @@ -10758,6 +13765,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "HackTool - SharpEvtMute Execution" }, { @@ -10775,6 +13786,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1102", + "attack.t1090", + "attack.t1572" + ], "title": "Cloudflared Tunnel Execution" }, { @@ -10792,6 +13809,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Potentially Suspicious GoogleUpdate Child Process" }, { @@ -10809,6 +13829,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "Dumping Process via Sqldumper.exe" }, { @@ -10826,6 +13850,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], "title": "Whoami.EXE Execution With Output Option" }, { @@ -10843,6 +13872,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002", + "car.2019-04-001" + ], "title": "Potentially Suspicious Event Viewer Child Process" }, { @@ -10860,6 +13895,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1033", + "car.2016-03-001" + ], "title": "Whoami.EXE Execution Anomaly" }, { @@ -10877,6 +13917,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "SafeBoot Registry Key Deleted Via Reg.EXE" }, { 
@@ -10894,6 +13938,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Suspicious Control Panel DLL Load" }, { @@ -10911,6 +13959,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.007" + ], "title": "Suspicious Parent Double Extension File Execution" }, { @@ -10928,6 +13980,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1112", + "attack.defense-evasion" + ], "title": "Suspicious Registry Modification From ADS Via Regini.EXE" }, { @@ -10945,6 +14001,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE" }, { @@ -10962,6 +14022,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1489" + ], "title": "Stop Windows Service Via PowerShell Stop-Service" }, { @@ -10979,6 +14043,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.reconnaissance", + "attack.t1595" + ], "title": "PUA - PingCastle Execution From Potentially Suspicious Parent" }, { @@ -10996,6 +14064,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1557.001" + ], "title": "HackTool - ADCSPwn Execution" }, { @@ -11013,6 +14085,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution" + ], "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage" }, { @@ -11030,6 +14106,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Potential Memory Dumping Activity Via LiveKD" }, { 
@@ -11047,6 +14126,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Audit Policy Tampering Via Auditpol" }, { @@ -11064,6 +14147,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.009" + ], "title": "Powershell Token Obfuscation - Process Creation" }, { @@ -11081,6 +14168,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1027" + ], "title": "PowerShell Base64 Encoded WMI Classes" }, { @@ -11098,6 +14191,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.t1003.001", + "attack.credential-access" + ], "title": "Renamed CreateDump Utility Execution" }, { @@ -11115,6 +14214,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.persistence", + "attack.privilege-escalation", + "attack.t1557.001", + "attack.t1187" + ], "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing" }, { @@ -11132,6 +14238,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Suspicious Extrac32 Alternate Data Stream Execution" }, { @@ -11149,6 +14259,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.reconnaissance", + "attack.t1593.003" + ], "title": "Suspicious Git Clone" }, { @@ -11166,6 +14280,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments" }, { 
@@ -11183,6 +14301,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1548" + ], "title": "Abused Debug Privilege by Arbitrary Parent Processes" }, { @@ -11200,6 +14322,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Code Execution via Pcwutl.dll" }, { @@ -11217,6 +14343,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Execution of Suspicious File Type Extension" }, { @@ -11234,6 +14363,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1053.005", + "attack.command-and-control" + ], "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task" }, { @@ -11251,6 +14386,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1027" + ], "title": "PowerShell Base64 Encoded Invoke Keyword" }, { @@ -11268,6 +14409,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.t1027.004" + ], "title": "Potential Application Whitelisting Bypass via Dnx.EXE" }, { @@ -11285,6 +14431,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1069.001" + ], "title": "Permission Check Via Accesschk.EXE" }, { @@ -11302,6 +14452,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.003" + ], "title": "MMC Spawning Windows Shell" }, { 
@@ -11319,6 +14473,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.persistence", + "attack.t1219.002" + ], "title": "Potential Amazon SSM Agent Hijacking" }, { @@ -11336,6 +14495,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1115" + ], "title": "PowerShell Get-Clipboard Cmdlet Via CLI" }, { @@ -11353,6 +14516,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.execution", + "attack.t1204.002" + ], "title": "Suspicious LNK Command-Line Padding with Whitespace Characters" }, { @@ -11370,6 +14538,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1140", + "attack.t1027" + ], "title": "Ping Hex IP" }, { @@ -11387,6 +14560,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.discovery", + "attack.t1040" + ], "title": "Potential Network Sniffing Activity Using Network Tools" }, { @@ -11404,6 +14582,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "LSASS Dump Keyword In CommandLine" }, { @@ -11421,6 +14603,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562" + ], "title": "Windows Firewall Disabled via PowerShell" }, { @@ -11438,6 +14624,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code" }, { @@ -11455,6 +14645,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Potential Renamed Rundll32 Execution" }, { 
@@ -11472,6 +14665,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.exfiltration", + "attack.t1048" + ], "title": "Data Export From MSSQL Table Via BCP.EXE" }, { @@ -11489,6 +14687,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.003" + ], "title": "LOL-Binary Copied From System Directory" }, { @@ -11506,6 +14708,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1211", + "attack.t1059", + "attack.defense-evasion", + "attack.persistence", + "attack.execution" + ], "title": "Writing Of Malicious Files To The Fonts Folder" }, { @@ -11523,6 +14732,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Usage Of Web Request Commands And Cmdlets" }, { @@ -11540,6 +14753,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "Driver/DLL Installation Via Odbcconf.EXE" }, { @@ -11557,6 +14774,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Uncommon Child Processes Of SndVol.exe" }, { @@ -11574,6 +14794,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE" }, { @@ -11591,6 +14815,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location" }, { @@ -11608,6 +14836,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218" + ], "title": "MpiExec Lolbin" }, { 
@@ -11625,6 +14858,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "New Process Created Via Taskmgr.EXE" }, { @@ -11642,6 +14879,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.t1134.001", + "attack.t1134.003" + ], "title": "HackTool - SharpDPAPI Execution" }, { @@ -11659,6 +14902,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.003" + ], "title": "PUA - DIT Snapshot Viewer" }, { @@ -11676,6 +14923,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE" }, { @@ -11693,6 +14944,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "Service Reconnaissance Via Wmic.EXE" }, { @@ -11710,6 +14965,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.t1567" + ], "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE" }, { @@ -11727,6 +14986,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1564", + "attack.t1059" + ], "title": "Potentially Suspicious Execution From Parent Process In Public Folder" }, { @@ -11744,6 +15009,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1053.005" + ], "title": "Suspicious Command Patterns In Scheduled Task Creation" }, { 
@@ -11761,6 +15030,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1059.001", + "attack.t1027" + ], "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call" }, { @@ -11778,6 +15053,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1490" + ], "title": "Sensitive File Access Via Volume Shadow Copy Backup" }, { @@ -11795,6 +15074,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1218", + "attack.command-and-control", + "attack.t1105" + ], "title": "PowerShell MSI Install via WindowsInstaller COM From Remote Location" }, { @@ -11812,6 +15099,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.t1036.003" + ], "title": "Potential Homoglyph Attack Using Lookalike Characters" }, { @@ -11829,6 +15121,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.010" + ], "title": "Potential Obfuscated Ordinal Call Via Rundll32" }, { @@ -11846,6 +15142,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1027", + "attack.defense-evasion", + "attack.execution", + "attack.t1140", + "attack.t1059.001" + ], "title": "Base64 Encoded PowerShell Command Detected" }, { @@ -11863,6 +15166,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.resource-development", + "attack.t1105", + "attack.t1608" + ], "title": "Suspicious Download from Office Domain" }, { 
@@ -11880,6 +15189,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1566.001", + "attack.execution", + "attack.t1203", + "attack.t1059.003", + "attack.g0032" + ], "title": "Suspicious HWP Sub Processes" }, { @@ -11897,6 +15214,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.threat-hunting" + ], "title": "Potential DLL Injection Via AccCheckConsole" }, { @@ -11914,6 +15235,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, { @@ -11931,6 +15256,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Run Once Task Execution as Configured in Registry" }, { @@ -11948,6 +15277,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1095" + ], "title": "PUA - Netcat Suspicious Execution" }, { @@ -11965,6 +15298,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218", + "attack.t1202" + ], "title": "Potential Arbitrary File Download Via Cmdl32.EXE" }, { @@ -11982,6 +15321,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Curl Web Request With Potential Custom User-Agent" }, { @@ -11999,6 +15341,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.005" + ], "title": "New Generic Credentials Added Via Cmdkey.EXE" }, { 
@@ -12016,6 +15362,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse" }, { @@ -12033,6 +15383,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.command-and-control", + "attack.t1104", + "attack.t1105" + ], "title": "PowerShell DownloadFile" }, { @@ -12050,6 +15407,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "BitLockerTogo.EXE Execution" }, { @@ -12067,6 +15428,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], "title": "7Zip Compressing Dump Files" }, { @@ -12084,6 +15449,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], "title": "PUA - RunXCmd Execution" }, { @@ -12101,6 +15471,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.004" + ], "title": "Visual Basic Command Line Compiler Usage" }, { @@ -12118,6 +15492,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Definition Files Removed" }, { @@ -12135,6 +15513,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.010" + ], "title": "Potential Regsvr32 Commandline Flag Anomaly" }, { @@ -12152,6 +15534,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1546.003" + ], "title": "WMI Persistence - Script Event Consumer" }, { 
@@ -12169,6 +15556,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218" + ], "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" }, { @@ -12186,6 +15578,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1548.002" + ], "title": "TrustedPath UAC Bypass Pattern" }, { @@ -12203,6 +15599,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1216" + ], "title": "Execute Code with Pester.bat as Parent" }, { @@ -12220,6 +15622,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1059.005", + "attack.t1059.001", + "attack.t1218" + ], "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" }, { @@ -12237,6 +15646,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation" + ], "title": "Suspicious RunAs-Like Flag Combination" }, { @@ -12254,6 +15666,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "System File Execution Location Anomaly" }, { @@ -12271,6 +15687,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.t1615", + "attack.t1059.005" + ], "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" }, { @@ -12288,6 +15710,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ], "title": "CMSTP Execution Process Creation" }, { 
@@ -12305,6 +15734,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1090.001" + ], "title": "Cloudflared Quick Tunnel Execution" }, { @@ -12322,6 +15755,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1027.005" + ], "title": "HackTool - CrackMapExec PowerShell Obfuscation" }, { @@ -12339,6 +15778,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" }, { @@ -12356,6 +15799,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "Odbcconf.EXE Suspicious DLL Location" }, { @@ -12373,6 +15820,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.defense-evasion", + "attack.t1202" + ], "title": "Potential Arbitrary Command Execution Via FTP.EXE" }, { @@ -12390,6 +15843,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation STDIN+ Launcher" }, { @@ -12407,6 +15866,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1055.001" + ], "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" }, { @@ -12424,6 +15887,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Suspicious Certreq Command to Download" }, { 
@@ -12441,6 +15908,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.010" + ], "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" }, { @@ -12458,6 +15929,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potential Suspicious Mofcomp Execution" }, { @@ -12475,6 +15950,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Run PowerShell Script from ADS" }, { @@ -12492,6 +15971,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1543.003" + ], "title": "New Service Creation Using Sc.EXE" }, { @@ -12509,6 +15993,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1127" + ], "title": "Suspicious Child Process of AspNetCompiler" }, { @@ -12526,6 +16014,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027" + ], "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" }, { @@ -12543,6 +16035,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1135" + ], "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" }, { @@ -12560,6 +16056,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087.002", + "attack.t1069.002", + "attack.t1482" + ], "title": "Active Directory Database Snapshot Via ADExplorer" }, { 
@@ -12577,6 +16079,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.003" + ], "title": "Read Contents From Stdin Via Cmd.EXE" }, { @@ -12594,6 +16100,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004" + ], "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, { @@ -12611,6 +16121,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.credential-access", + "attack.t1557.001" + ], "title": "Potential SMB Relay Attack Tool Execution" }, { @@ -12628,6 +16143,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Sysinternals PsSuspend Suspicious Execution" }, { @@ -12645,6 +16164,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" }, { @@ -12662,6 +16184,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Finger.EXE Execution" }, { @@ -12679,6 +16205,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1055.001", + "attack.t1218.013" + ], "title": "Mavinject Inject DLL Into Running Process" }, { @@ -12696,6 +16228,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Remote File Download Via Desktopimgdownldr Utility" }, { @@ -12713,6 +16249,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "Sdclt Child Processes" }, { 
@@ -12730,6 +16270,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" }, { @@ -12747,6 +16291,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047", + "car.2016-03-002" + ], "title": "New Process Created Via Wmic.EXE" }, { @@ -12764,6 +16313,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1102" + ], "title": "Suspicious Child Process Of Manage Engine ServiceDesk" }, { @@ -12781,6 +16334,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "File Download Via InstallUtil.EXE" }, { @@ -12798,6 +16355,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021" + ], "title": "Privilege Escalation via Named Pipe Impersonation" }, { @@ -12815,6 +16376,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1482" + ], "title": "Domain Trust Discovery Via Dsquery" }, { @@ -12832,6 +16397,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027" + ], "title": "File Encoded To Base64 Via Certutil.EXE" }, { @@ -12849,6 +16418,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Suspicious Diantz Alternate Data Stream Execution" }, { @@ -12866,6 +16439,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Execution of Powershell Script in Public Folder" }, { 
@@ -12883,6 +16460,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007" + ], "title": "Cscript/Wscript Uncommon Script Extension Execution" }, { @@ -12900,6 +16482,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], "title": "File With Suspicious Extension Downloaded Via Bitsadmin" }, { @@ -12917,6 +16506,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery" + ], "title": "DriverQuery.EXE Execution" }, { @@ -12934,6 +16526,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003", + "attack.t1003.003", + "attack.s0404" + ], "title": "Esentutl Gather Credentials" }, { @@ -12951,6 +16549,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Execute From Alternate Data Streams" }, { @@ -12968,6 +16570,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1484.001" + ], "title": "Modify Group Policy Settings" }, { @@ -12985,6 +16592,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.credential-access", + "attack.t1649" + ], "title": "HackTool - Certipy Execution" }, { @@ -13002,6 +16614,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1587", + "attack.resource-development" + ], "title": "HackTool - PurpleSharp Execution" }, { 
@@ -13019,6 +16635,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "attack.credential-access", + "attack.t1003.001", + "car.2013-05-009" + ], "title": "Potential LSASS Process Dump Via Procdump" }, { @@ -13036,6 +16659,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.t1134.001", + "attack.t1134.003" + ], "title": "HackTool - Impersonate Execution" }, { @@ -13053,6 +16682,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1518.001" + ], "title": "Security Tools Keyword Lookup Via Findstr.EXE" }, { @@ -13070,6 +16703,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1204" + ], "title": "Potentially Suspicious WebDAV LNK Execution" }, { @@ -13087,6 +16725,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011" + ], "title": "Rundll32 Execution With Uncommon DLL Extension" }, { @@ -13104,6 +16746,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105", + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "PrintBrm ZIP Creation of Extraction" }, { @@ -13121,6 +16769,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.command-and-control", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1105" + ], "title": "Command Line Execution with Suspicious URL and AppData Strings" }, { @@ -13138,6 +16793,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Potential Download/Upload Activity Using Type Command" }, { 
@@ -13155,6 +16814,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.discovery", + "attack.t1012" + ], "title": "Exports Registry Key To a File" }, { @@ -13172,6 +16836,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Powershell Defender Disable Scan Feature" }, { @@ -13189,6 +16857,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "LOLBIN Execution From Abnormal Drive" }, { @@ -13206,6 +16877,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], "title": "Winrar Compressing Dump Files" }, { @@ -13223,6 +16898,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Query Usage To Exfil Data" }, { @@ -13240,6 +16918,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "Suspicious Process Created Via Wmic.EXE" }, { @@ -13257,6 +16939,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.001" + ], "title": "Set Suspicious Files as System Files Using Attrib.EXE" }, { @@ -13274,6 +16960,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], "title": "Suspicious Kernel Dump Using Dtrace" }, { @@ -13291,6 +16981,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "Xwizard.EXE Execution From Non-Default Location" }, { 
@@ -13308,6 +17002,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Cmd.EXE Missing Space Characters Execution Anomaly" }, { @@ -13325,6 +17023,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Use of OpenConsole" }, { @@ -13342,6 +17044,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Highly Privileged Group" }, { @@ -13359,6 +17065,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1219.002" + ], "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" }, { @@ -13376,6 +17086,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1055" + ], "title": "Process Creation Using Sysnative Folder" }, { @@ -13393,6 +17108,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access" + ], "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" }, { @@ -13410,6 +17128,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use MSHTA" }, { @@ -13427,6 +17151,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1112", + "attack.defense-evasion" + ], "title": "Imports Registry Key From an ADS" }, { 
@@ -13444,6 +17172,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege-escalation", + "attack.t1053.005", + "attack.s0111", + "car.2013-08-001", + "stp.1u" + ], "title": "Scheduled Task Creation Via Schtasks.EXE" }, { @@ -13461,6 +17198,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious Usage Of ShellExec_RunDLL" }, { @@ -13478,6 +17218,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "Application Terminated Via Wmic.EXE" }, { @@ -13495,6 +17239,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Disabled Volume Snapshots" }, { @@ -13512,6 +17260,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1127" + ], "title": "Use of Remote.exe" }, { @@ -13529,6 +17281,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Persistence Via TypedPaths - CommandLine" }, { @@ -13546,6 +17301,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1055" + ], "title": "HackTool - DInjector PowerShell Cradle Execution" }, { @@ -13563,6 +17322,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "HackTool - Inveigh Execution" }, { @@ -13580,6 +17343,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.command-and-control", + "attack.t1218.011", + "attack.t1071" + ], "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File" }, { 
@@ -13597,6 +17367,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.execution", + "attack.t1552.004", + "attack.t1059.001" + ], "title": "Certificate Exported Via PowerShell" }, { @@ -13614,6 +17390,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Suspicious Extrac32 Execution" }, { @@ -13631,6 +17411,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Service Registry Key Deleted Via Reg.EXE" }, { @@ -13648,6 +17432,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "attack.credential-access", + "attack.t1003.001" + ], "title": "Process Access via TrolleyExpress Exclusion" }, { @@ -13665,6 +17455,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.008" + ], "title": "Suspicious Response File Execution Via Odbcconf.EXE" }, { @@ -13682,6 +17476,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "UAC Bypass Using DismHost" }, { @@ -13699,6 +17498,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.persistence", + "attack.t1546.007", + "attack.s0108" + ], "title": "Potential Persistence Via Netsh Helper DLL" }, { @@ -13716,6 +17521,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "File Download And Execution Via IEExec.EXE" }, { 
@@ -13733,6 +17542,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1489" + ], "title": "Delete Important Scheduled Task" }, { @@ -13750,6 +17563,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.discovery", + "attack.defense-evasion", + "attack.t1082", + "attack.t1564", + "attack.t1543" + ], "title": "PUA - System Informer Execution" }, { @@ -13767,6 +17589,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1059" + ], "title": "Install New Package Via Winget Local Manifest" }, { @@ -13784,6 +17611,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1574.011" + ], "title": "Potential Persistence Attempt Via Existing Service Tampering" }, { @@ -13801,6 +17633,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.persistence", + "attack.privilege-escalation" + ], "title": "Suspicious Shells Spawn by Java Utility Keytool" }, { @@ -13818,6 +17655,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], "title": "Suspicious Execution of Hostname" }, { @@ -13835,6 +17676,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'" }, { @@ -13852,6 +17697,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Kernel Memory Dump Via LiveKD" }, { 
@@ -13869,6 +17717,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003" + ], "title": "Microsoft IIS Service Account Password Dumped" }, { @@ -13886,6 +17738,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1046", + "attack.t1135" + ], "title": "PUA - Advanced IP Scanner Execution" }, { @@ -13903,6 +17760,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1070.004" + ], "title": "Potentially Suspicious Ping/Copy Command Combination" }, { @@ -13920,6 +17781,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.004" + ], "title": "Use NTFS Short Name in Command Line" }, { @@ -13937,6 +17802,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1070.004" + ], "title": "Greedy File Deletion Using Del" }, { @@ -13954,6 +17823,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Hidden Powershell in Link File Pattern" }, { @@ -13971,6 +17844,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1197" + ], "title": "Monitoring For Persistence Via BITS" }, { @@ -13988,6 +17865,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell Invocation From Script Engines" }, { @@ -14005,6 +17886,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.exfiltration", + "attack.t1560", + "attack.t1560.001" + ], "title": "Compressed File Extraction Via Tar.EXE" }, { 
@@ -14022,6 +17909,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" }, { @@ -14039,6 +17929,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "REGISTER_APP.VBS Proxy Execution" }, { @@ -14056,6 +17950,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1560.001" + ], "title": "Rar Usage with Password and Compression Level" }, { @@ -14073,6 +17971,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197", + "attack.s0190", + "attack.t1036.003" + ], "title": "File Download Via Bitsadmin To An Uncommon Target Folder" }, { @@ -14090,6 +17995,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.003" + ], "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, { @@ -14107,6 +18016,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.persistence", + "attack.privilege-escalation" + ], "title": "Shell Process Spawned by Java.EXE" }, { @@ -14124,6 +18038,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Windows Share Mount Via Net.EXE" }, { @@ -14141,6 +18059,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1546.008", + "attack.privilege-escalation" + ], "title": "Persistence Via Sticky Key Backdoor" }, { 
@@ -14158,6 +18080,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.collection", + "attack.t1185", + "attack.t1564.003" + ], "title": "Potential Data Stealing Via Chromium Headless Debugging" }, { @@ -14175,6 +18103,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001", + "attack.t1070.001" + ], "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" }, { @@ -14192,6 +18125,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1106" + ], "title": "Potential WinAPI Calls Via CommandLine" }, { @@ -14209,6 +18146,22 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.initial-access", + "attack.t1047", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1059.005", + "attack.t1059.007", + "attack.t1218", + "attack.t1218.001", + "attack.t1218.010", + "attack.t1218.011", + "attack.t1566", + "attack.t1566.001" + ], "title": "HTML Help HH.EXE Suspicious Child Process" }, { @@ -14226,6 +18179,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Suspicious PowerShell IEX Execution Patterns" }, { @@ -14243,6 +18200,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery" + ], "title": "Obfuscated IP Download Activity" }, { @@ -14260,6 +18220,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087.001", + "attack.t1087.002" + ], "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" }, { 
@@ -14277,6 +18242,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration" + ], "title": "Email Exifiltration Via Powershell" }, { @@ -14294,6 +18262,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ], "title": "Network Reconnaissance Activity" }, { @@ -14311,6 +18285,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.discovery", + "attack.t1082", + "attack.t1087", + "attack.t1046" + ], "title": "HackTool - winPEAS Execution" }, { @@ -14328,6 +18309,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1082" + ], "title": "Suspicious Execution of Systeminfo" }, { @@ -14345,6 +18330,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious Execution of InstallUtil Without Log" }, { @@ -14362,6 +18350,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.initial-access", + "attack.t1505.003", + "attack.t1190" + ], "title": "Suspicious Process By Web Server Process" }, { @@ -14379,6 +18373,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution" + ], "title": "Cscript/Wscript Potentially Suspicious Child Process" }, { @@ -14396,6 +18393,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery" + ], "title": "Potential Recon Activity Using DriverQuery.EXE" }, { @@ -14413,6 +18413,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, { 
@@ -14430,6 +18433,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.credential-access", + "attack.t1040" + ], "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" }, { @@ -14447,6 +18455,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze" }, { @@ -14464,6 +18476,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "DSInternals Suspicious PowerShell Cmdlets" }, { @@ -14481,6 +18497,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" }, { @@ -14498,6 +18518,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1210" + ], "title": "HackTool - SharpWSUS/WSUSpendu Execution" }, { @@ -14515,6 +18540,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.007" + ], "title": "NodeJS Execution of JavaScript File" }, { @@ -14532,6 +18561,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1202" + ], "title": "Potential Arbitrary DLL Load Using Winword" }, { @@ -14549,6 +18582,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1005" + ], "title": "Veeam Backup Database Suspicious Query" }, { 
@@ -14566,6 +18603,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.impact", + "attack.t1070", + "attack.t1485" + ], "title": "Fsutil Suspicious Invocation" }, { @@ -14583,6 +18626,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Python Spawning Pretty TTY on Windows" }, { @@ -14600,6 +18647,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "AgentExecutor PowerShell Execution" }, { @@ -14617,6 +18668,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Powershell Inline Execution From A File" }, { @@ -14634,6 +18689,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1049" + ], "title": "System Network Connections Discovery Via Net.EXE" }, { @@ -14651,6 +18710,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1047" + ], "title": "Script Event Consumer Spawning Process" }, { @@ -14668,6 +18731,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "CodePage Modification Via MODE.COM To Russian Language" }, { @@ -14685,6 +18752,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1505.004" + ], "title": "Suspicious IIS Module Registration" }, { @@ -14702,6 +18773,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1564.003" + ], "title": "Powershell Executed From Headless ConHost Process" }, { 
@@ -14719,6 +18797,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.execution", + "attack.t1059.001", + "attack.t1105" + ], "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest" }, { @@ -14736,6 +18820,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1555" + ], "title": "HackTool - SecurityXploded Execution" }, { @@ -14753,6 +18841,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.defense-evasion" + ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, { @@ -14770,6 +18862,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.lateral-movement", + "attack.t1021.001", + "attack.t1112" + ], "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" }, { @@ -14787,6 +18885,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.003" + ], "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" }, { @@ -14804,6 +18906,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1490" + ], "title": "Boot Configuration Tampering Via Bcdedit.EXE" }, { @@ -14821,6 +18927,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1090.003" + ], "title": "Tor Client/Browser Execution" }, { @@ -14838,6 +18948,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003", + "attack.t1003.001" + ], "title": "Potential Credential Dumping Via LSASS Process Clone" }, { 
@@ -14855,6 +18970,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1218",
+ "attack.defense-evasion",
+ "attack.execution"
+ ],
 "title": "Uncommon Child Process Of Defaultpack.EXE"
 },
 {
@@ -14872,6 +18992,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1486"
+ ],
 "title": "Portable Gpg.EXE Execution"
 },
 {
@@ -14889,6 +19013,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Remote Access Tool - ScreenConnect Remote Command Execution"
 },
 {
@@ -14906,6 +19034,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1543.003"
+ ],
 "title": "New Kernel Driver Via SC.EXE"
 },
 {
@@ -14923,6 +19056,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Windows Backup Deleted Via Wbadmin.EXE"
 },
 {
@@ -14940,6 +19077,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious DLL Loaded via CertOC.EXE"
 },
 {
@@ -14957,6 +19098,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1047",
+ "attack.t1098"
+ ],
 "title": "Password Set to Never Expire via WMI"
 },
 {
@@ -14974,6 +19121,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Devtoolslauncher.exe Executes Specified Binary"
 },
 {
@@ -14991,6 +19142,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1217"
+ ],
 "title": "File And SubFolder Enumeration Via Dir Command"
 },
 {
@@ -15008,6 +19163,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202",
+ "attack.t1036.005"
+ ],
 "title": "Potential Binary Impersonating Sysinternals Tools"
 },
 {
@@ -15025,6 +19187,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.lateral-movement",
+ "attack.t1021.002",
+ "attack.t1218.011"
+ ],
 "title": "Rundll32 UNC Path Execution"
 },
 {
@@ -15042,6 +19211,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070",
+ "attack.t1562",
+ "attack.t1562.002"
+ ],
 "title": "Filter Driver Unloaded Via Fltmc.EXE"
 },
 {
@@ -15059,6 +19234,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Use of Scriptrunner.exe"
 },
 {
@@ -15076,6 +19256,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.persistence",
+ "attack.t1543.003"
+ ],
 "title": "Sysinternals PsService Execution"
 },
 {
@@ -15093,6 +19278,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Sysmon Configuration Update"
 },
 {
@@ -15110,6 +19299,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053"
+ ],
 "title": "HackTool - SharPersist Execution"
 },
 {
@@ -15127,6 +19320,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.discovery",
+ "attack.t1047",
+ "attack.t1082"
+ ],
 "title": "System Disk And Volume Reconnaissance Via Wmic.EXE"
 },
 {
@@ -15144,6 +19343,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation"
+ ],
 "title": "UAC Bypass Using Event Viewer RecentViews"
 },
 {
@@ -15161,6 +19364,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.impact",
+ "attack.t1070",
+ "attack.t1490"
+ ],
 "title": "Shadow Copies Deletion Using Operating Systems Utilities"
 },
 {
@@ -15178,6 +19387,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using PkgMgr and DISM"
 },
 {
@@ -15195,6 +19409,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Suspicious File Download From IP Via Wget.EXE - Paths"
 },
 {
@@ -15212,6 +19429,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003",
+ "attack.t1003.002",
+ "attack.t1003.003"
+ ],
 "title": "Shadow Copies Creation Using Operating Systems Utilities"
 },
 {
@@ -15229,6 +19452,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.005"
+ ],
 "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE"
 },
 {
@@ -15246,6 +19473,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement"
+ ],
 "title": "Mstsc.EXE Execution From Uncommon Parent"
 },
 {
@@ -15263,6 +19493,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE"
 },
 {
@@ -15280,6 +19515,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
 "title": "Stop Windows Service Via Sc.EXE"
 },
 {
@@ -15297,6 +19536,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1106"
+ ],
 "title": "Suspicious Mshta.EXE Execution Patterns"
 },
 {
@@ -15314,6 +19557,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Execution via stordiag.exe"
 },
 {
@@ -15331,6 +19578,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.execution"
+ ],
 "title": "Execute MSDT Via Answer File"
 },
 {
@@ -15348,6 +19600,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.007"
+ ],
 "title": "Msiexec Quiet Installation"
 },
 {
@@ -15365,6 +19621,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.discovery",
+ "attack.t1047",
+ "attack.t1112",
+ "attack.t1012"
+ ],
 "title": "Registry Manipulation via WMI Stdregprov"
 },
 {
@@ -15382,6 +19646,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.002"
+ ],
 "title": "PUA - AdFind.EXE Execution"
 },
 {
@@ -15399,6 +19667,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1574.011"
+ ],
 "title": "Potential Privilege Escalation via Service Permissions Weakness"
 },
 {
@@ -15416,6 +19688,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.001"
+ ],
 "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE"
 },
 {
@@ -15433,6 +19709,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using IEInstal - Process"
 },
 {
@@ -15450,6 +19731,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087"
+ ],
 "title": "HackTool - SOAPHound Execution"
 },
 {
@@ -15467,6 +19752,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "Potential UAC Bypass Via Sdclt.EXE"
 },
 {
@@ -15484,6 +19774,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.007",
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "MsiExec Web Install"
 },
 {
@@ -15501,6 +19797,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential PowerShell Execution Policy Tampering - ProcCreation"
 },
 {
@@ -15518,6 +19817,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "HackTool - PowerTool Execution"
 },
 {
@@ -15535,6 +19838,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious AddinUtil.EXE CommandLine Execution"
 },
 {
@@ -15552,6 +19859,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE"
 },
 {
@@ -15569,6 +19880,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Indirect Command Execution From Script File Via Bash.EXE"
 },
 {
@@ -15586,6 +19901,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location"
 },
 {
@@ -15603,6 +19922,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1055.001"
+ ],
 "title": "Potential DLL Injection Or Execution Using Tracker.exe"
 },
 {
@@ -15620,6 +19943,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.execution"
+ ],
 "title": "Indirect Command Execution By Program Compatibility Wizard"
 },
 {
@@ -15637,6 +19965,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.persistence",
+ "attack.t1546.008",
+ "car.2014-11-003",
+ "car.2014-11-008"
+ ],
 "title": "Sticky Key Like Backdoor Execution"
 },
 {
@@ -15654,6 +19989,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "HackTool - Doppelanger LSASS Dumper Execution"
 },
 {
@@ -15671,6 +20010,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation CLIP+ Launcher"
 },
 {
@@ -15688,6 +20033,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.persistence",
+ "attack.t1546.008"
+ ],
 "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd"
 },
 {
@@ -15705,6 +20055,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1218"
+ ],
 "title": "Suspicious MSDT Parent Process"
 },
 {
@@ -15722,6 +20077,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1055.012"
+ ],
 "title": "HackTool - HollowReaper Execution"
 },
 {
@@ -15739,6 +20098,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048"
+ ],
 "title": "Tap Installer Execution"
 },
 {
@@ -15756,6 +20119,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Remote Code Execute via Winrm.vbs"
 },
 {
@@ -15773,6 +20140,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Add SafeBoot Keys Via Reg Utility"
 },
 {
@@ -15790,6 +20161,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe"
 },
 {
@@ -15807,6 +20182,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002",
+ "attack.defense-evasion",
+ "attack.t1218.014",
+ "attack.t1036.002"
+ ],
 "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse"
 },
 {
@@ -15824,6 +20206,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048"
+ ],
 "title": "Suspicious Redirection to Local Admin Share"
 },
 {
@@ -15841,6 +20227,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1543.003"
+ ],
 "title": "Suspicious Service Path Modification"
 },
 {
@@ -15858,6 +20249,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class"
 },
 {
@@ -15875,6 +20269,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Lolbin Runexehelper Use As Proxy"
 },
 {
@@ -15892,6 +20290,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "HackTool - GMER Rootkit Detector and Remover Execution"
 },
 {
@@ -15909,6 +20310,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.defense-evasion",
+ "attack.t1219.002",
+ "attack.t1036.003"
+ ],
 "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows"
 },
 {
@@ -15926,6 +20333,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.execution",
+ "attack.t1615",
+ "attack.t1059.005"
+ ],
 "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS"
 },
 {
@@ -15943,6 +20356,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1055"
+ ],
 "title": "Suspect Svchost Activity"
 },
 {
@@ -15960,6 +20378,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1140",
+ "attack.t1027"
+ ],
 "title": "Suspicious XOR Encoded PowerShell Command"
 },
 {
@@ -15977,6 +20402,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION"
 },
 {
@@ -15994,6 +20425,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1543.003"
+ ],
 "title": "New Service Creation Using PowerShell"
 },
 {
@@ -16011,6 +20447,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.003"
+ ],
 "title": "Sensitive File Dump Via Wbadmin.EXE"
 },
 {
@@ -16028,6 +20468,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Rundll32 Execution Without CommandLine Parameters"
 },
 {
@@ -16045,6 +20489,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1102",
+ "attack.t1090",
+ "attack.t1572"
+ ],
 "title": "Cloudflared Tunnel Connections Cleanup"
 },
 {
@@ -16062,6 +20512,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.t1595"
+ ],
 "title": "PUA - PingCastle Execution"
 },
 {
@@ -16079,6 +20533,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1539",
+ "attack.collection",
+ "attack.t1005"
+ ],
 "title": "SQLite Firefox Profile Data DB Access"
 },
 {
@@ -16096,6 +20556,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090"
+ ],
 "title": "PUA- IOX Tunneling Tool Execution"
 },
 {
@@ -16113,6 +20577,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219",
+ "attack.t1105"
+ ],
 "title": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server"
 },
 {
@@ -16130,6 +20599,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.reconnaissance",
+ "attack.discovery",
+ "attack.credential-access",
+ "attack.impact"
+ ],
 "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation"
 },
 {
@@ -16147,6 +20623,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1047",
+ "attack.t1204.002",
+ "attack.t1218.010"
+ ],
 "title": "Suspicious Microsoft Office Child Process"
 },
 {
@@ -16164,6 +20647,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access"
+ ],
 "title": "HackTool - LaZagne Execution"
 },
 {
@@ -16181,6 +20667,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.003"
+ ],
 "title": "PUA - WebBrowserPassView Execution"
 },
 {
@@ -16198,6 +20688,27 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.privilege-escalation",
+ "attack.t1562.002",
+ "attack.t1547.001",
+ "attack.t1505.005",
+ "attack.t1556.002",
+ "attack.t1562",
+ "attack.t1574.007",
+ "attack.t1564.002",
+ "attack.t1546.008",
+ "attack.t1546.007",
+ "attack.t1547.014",
+ "attack.t1547.010",
+ "attack.t1547.002",
+ "attack.t1557",
+ "attack.t1082"
+ ],
 "title": "Potential Suspicious Activity Using SeCEdit"
 },
 {
@@ -16215,6 +20726,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Dism Remove Online Package"
 },
 {
@@ -16232,6 +20747,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious Execution of Powershell with Base64"
 },
 {
@@ -16249,6 +20768,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1140",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "PowerShell Base64 Encoded FromBase64String Cmdlet"
 },
 {
@@ -16266,6 +20791,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1560",
+ "attack.t1560.001"
+ ],
 "title": "Compressed File Creation Via Tar.EXE"
 },
 {
@@ -16283,6 +20814,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090",
+ "attack.t1572"
+ ],
 "title": "Potentially Suspicious Usage Of Qemu"
 },
 {
@@ -16300,6 +20836,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "ShimCache Flush"
 },
 {
@@ -16317,6 +20857,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE"
 },
 {
@@ -16334,6 +20878,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation COMPRESS OBFUSCATION"
 },
 {
@@ -16351,6 +20901,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1003",
+ "attack.credential-access"
+ ],
 "title": "Interesting Service Enumeration Via Sc.EXE"
 },
 {
@@ -16368,6 +20922,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1496"
+ ],
 "title": "Potential Crypto Mining Activity"
 },
 {
@@ -16385,6 +20943,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.002"
+ ],
 "title": "Enumeration for 3rd Party Creds From CLI"
 },
 {
@@ -16402,6 +20964,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1218",
+ "attack.defense-evasion",
+ "attack.execution"
+ ],
 "title": "Uncommon Child Process Of Appvlp.EXE"
 },
 {
@@ -16419,6 +20986,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1055"
+ ],
 "title": "Dllhost.EXE Execution Anomaly"
 },
 {
@@ -16436,6 +21007,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1003.001",
+ "attack.credential-access"
+ ],
 "title": "DumpMinitool Execution"
 },
 {
@@ -16453,6 +21030,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Remote Access Tool - RURAT Execution From Unusual Location"
 },
 {
@@ -16470,6 +21050,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Use of FSharp Interpreters"
 },
 {
@@ -16487,6 +21071,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.006"
+ ],
 "title": "HackTool - WinRM Access Via Evil-WinRM"
 },
 {
@@ -16504,6 +21092,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Suspicious Desktopimgdownldr Command"
 },
 {
@@ -16521,6 +21113,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.defense-evasion",
+ "attack.command-and-control",
+ "attack.t1090"
+ ],
 "title": "New Port Forwarding Rule Added Via Netsh.EXE"
 },
 {
@@ -16538,6 +21136,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1113"
+ ],
 "title": "Screen Capture Activity Via Psr.EXE"
 },
 {
@@ -16555,6 +21157,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Wscript Shell Run In CommandLine"
 },
 {
@@ -16572,6 +21178,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Program Executed Using Proxy/Local Command Via SSH.EXE"
 },
 {
@@ -16589,6 +21199,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Potential Mftrace.EXE Abuse"
 },
 {
@@ -16606,6 +21220,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Suspicious CustomShellHost Execution"
 },
 {
@@ -16623,6 +21241,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Potential AMSI Bypass Via .NET Reflection"
 },
 {
@@ -16640,6 +21262,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1176.001"
+ ],
 "title": "Suspicious Chromium Browser Instance Executed With Custom Extension"
 },
 {
@@ -16657,6 +21283,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Insecure Proxy/DOH Transfer Via Curl.EXE"
 },
 {
@@ -16674,6 +21303,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.reconnaissance",
+ "attack.t1590.001"
+ ],
 "title": "PUA - Crassus Execution"
 },
 {
@@ -16691,6 +21325,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Suspicious Cabinet File Execution Via Msdt.EXE"
 },
 {
@@ -16708,6 +21346,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Arbitrary Binary Execution Using GUP Utility"
 },
 {
@@ -16725,6 +21366,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ],
 "title": "Suspicious Outlook Child Process"
 },
 {
@@ -16742,6 +21387,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Application Removed Via Wmic.EXE"
 },
 {
@@ -16759,6 +21408,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "car.2016-03-001"
+ ],
 "title": "Enumerate All Information With Whoami.EXE"
 },
 {
@@ -16776,6 +21430,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.004"
+ ],
 "title": "Windows Credential Manager Access via VaultCmd"
 },
 {
@@ -16793,6 +21451,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Firewall Rule Update Via Netsh.EXE"
 },
 {
@@ -16810,6 +21471,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.007"
+ ],
 "title": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary"
 },
 {
@@ -16827,6 +21492,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.execution"
+ ],
 "title": "Potential Discovery Activity Via Dnscmd.EXE"
 },
 {
@@ -16844,6 +21513,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.lateral-movement",
+ "attack.t1059.001",
+ "attack.t1021.006"
+ ],
 "title": "Remote PowerShell Session Host Process (WinRM)"
 },
 {
@@ -16861,6 +21536,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1574.011"
+ ],
 "title": "Abuse of Service Permissions to Hide Services Via Set-Service"
 },
 {
@@ -16878,6 +21559,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.004"
+ ],
 "title": "Private Keys Reconnaissance Via CommandLine Tools"
 },
 {
@@ -16895,6 +21580,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002",
+ "car.2019-04-001"
+ ],
 "title": "HackTool - Empire PowerShell UAC Bypass"
 },
 {
@@ -16912,6 +21603,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Renamed AutoIt Execution"
 },
 {
@@ -16929,6 +21624,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.collection",
+ "attack.exfiltration",
+ "attack.t1039",
+ "attack.t1048",
+ "attack.t1021.002"
+ ],
 "title": "Copy From Or To Admin Share Or Sysvol Folder"
 },
 {
@@ -16946,6 +21649,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious AgentExecutor PowerShell Execution"
 },
 {
@@ -16963,6 +21670,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.t1059.001"
+ ],
 "title": "Potential PowerShell Command Line Obfuscation"
 },
 {
@@ -16980,6 +21693,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "PowerShell Download and Execution Cradles"
 },
 {
@@ -16997,6 +21714,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.defense-evasion",
+ "attack.command-and-control",
+ "attack.t1090"
+ ],
 "title": "RDP Port Forwarding Rule Added Via Netsh.EXE"
 },
 {
@@ -17014,6 +21737,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1003",
+ "attack.credential-access"
+ ],
 "title": "Loaded Module Enumeration Via Tasklist.EXE"
 },
 {
@@ -17031,6 +21758,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.005"
+ ],
 "title": "Uncommon Svchost Parent Process"
 },
 {
@@ -17048,6 +21779,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Potential CommandLine Path Traversal Via Cmd.EXE"
 },
 {
@@ -17065,6 +21800,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007",
+ "attack.defense-evasion",
+ "attack.t1218.005",
+ "attack.t1027.004"
+ ],
 "title": "Csc.EXE Execution Form Potentially Suspicious Parent"
 },
 {
@@ -17082,6 +21825,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562"
+ ],
 "title": "Write Protect For Storage Disabled"
 },
 {
@@ -17099,6 +21846,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1543.003"
+ ],
 "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet"
 },
 {
@@ -17116,6 +21867,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002",
+ "attack.t1003.003",
+ "car.2013-07-001",
+ "attack.s0404"
+ ],
 "title": "Copying Sensitive Files with Credential Data"
 },
 {
@@ -17133,6 +21891,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Register_App.Vbs LOLScript Abuse"
 },
 {
@@ -17150,6 +21912,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral"
 },
 {
@@ -17167,6 +21933,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ],
 "title": "Uncommon Child Process Of BgInfo.EXE"
 },
 {
@@ -17184,6 +21957,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Change PowerShell Policies to an Insecure Level"
 },
 {
@@ -17201,6 +21978,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "PowerShell Set-Acl On Windows Folder"
 },
 {
@@ -17218,6 +21998,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.001"
+ ],
 "title": "Remote CHM File Download/Execution Via HH.EXE"
 },
 {
@@ -17235,6 +22019,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "PowerShell Script Run in AppData"
 },
 {
@@ -17252,6 +22040,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Nslookup PowerShell Download Cradle - ProcessCreation"
 },
 {
@@ -17269,6 +22060,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "Potential PowerShell Execution Via DLL"
 },
 {
@@ -17286,6 +22081,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1572"
+ ],
 "title": "Potential RDP Tunneling Via SSH"
 },
 {
@@ -17303,6 +22102,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.001"
+ ],
 "title": "OneNote.EXE Execution of Malicious Embedded Scripts"
 },
 {
@@ -17320,6 +22123,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential NTLM Coercion Via Certutil.EXE"
 },
 {
@@ -17337,6 +22144,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.001"
+ ],
 "title": "Change Default File Association To Executable Via Assoc"
 },
 {
@@ -17354,6 +22165,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses"
 },
 {
@@ -17371,6 +22186,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1055"
+ ],
 "title": "Suspicious Userinit Child Process"
 },
 {
@@ -17388,6 +22207,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
 "title": "Delete All Scheduled Tasks"
 },
 {
@@ -17405,6 +22228,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Uncommon Sigverif.EXE Child Process"
 },
 {
@@ -17422,6 +22249,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ],
 "title": "Notepad Password Files Discovery"
 },
 {
@@ -17439,6 +22270,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ],
 "title": "System Information Discovery via Registry Queries"
 },
 {
@@ -17456,6 +22291,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1558.003"
+ ],
 "title": "Potential SPN Enumeration Via Setspn.EXE"
 },
 {
@@ -17473,6 +22312,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Add New Download Source To Winget"
 },
 {
@@ -17490,6 +22334,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Suspicious Provlaunch.EXE Child Process"
 },
 {
@@ -17507,6 +22355,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.009"
+ ],
 "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location"
 },
 {
@@ -17524,6 +22376,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Start of NT Virtual DOS Machine"
 },
 {
@@ -17541,6 +22396,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Uncommon FileSystem Load Attempt By Format.com"
 },
 {
@@ -17558,6 +22416,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "JScript Compiler Execution"
 },
 {
@@ -17575,6 +22437,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.004"
+ ],
 "title": "Use Short Name Path in Command Line"
 },
 {
@@ -17592,6 +22458,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.credential-access",
+ "attack.t1557.001"
+ ],
 "title": "HackTool - Impacket Tools Execution"
 },
 {
@@ -17609,6 +22480,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Unusual Parent Process For Cmd.EXE"
 },
 {
@@ -17626,6 +22501,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001"
+ ],
 "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries"
 },
 {
@@ -17643,6 +22522,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1059"
+ ],
 "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script"
 },
 {
@@ -17660,6 +22544,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence"
+ ],
 "title": "Suspicious WindowsTerminal Child Processes"
 },
 {
@@ -17677,6 +22565,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.004"
+ ],
 "title": "Directory Removal Via Rmdir"
 },
 {
@@ -17694,6 +22586,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203"
+ ],
 "title": "Potentially Suspicious Child Process Of WinRAR.EXE"
 },
 {
@@ -17711,6 +22607,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Using ChangePK and SLUI"
 },
 {
@@ -17728,6 +22629,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "File Recovery From Backup Via Wbadmin.EXE"
 },
 {
@@ -17745,6 +22650,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Chromium Browser Headless Execution To Mockbin Like Site"
 },
 {
@@ -17762,6 +22670,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1505.003",
+ "attack.t1190",
+ "attack.initial-access",
+ "attack.persistence",
+ "attack.privilege-escalation"
+ ],
 "title": "Suspicious Child Process Of SQL Server"
 },
 {
@@ -17779,6 +22694,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3"
 },
 {
@@ -17796,6 +22714,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.001"
+ ],
 "title": "New User Created Via Net.EXE With Never Expire Option"
 },
 {
@@ -17813,6 +22735,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1053.002"
+ ],
 "title": "Interactive AT Job"
 },
 {
@@ -17830,6 +22756,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense-evasion"
+ ],
 "title": "Potential Suspicious Registry File Imported Via Reg.EXE"
 },
 {
@@ -17847,6 +22777,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Powershell Base64 Encoded MpPreference Cmdlet"
 },
 {
@@ -17864,6 +22798,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution"
+ ],
 "title": "Wab Execution From Non Default Location"
 },
 {
@@ -17881,6 +22819,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Uninstall Crowdstrike Falcon Sensor"
 },
 {
@@ -17898,6 +22840,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Potential AMSI Bypass Using NULL Bits"
 },
 {
@@ -17915,6 +22861,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "New Capture Session Launched Via DXCap.EXE"
 },
 {
@@ -17932,6 +22882,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.003"
+ ],
 "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)"
 },
 {
@@ -17949,6 +22903,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1574.011"
+ ],
 "title": "Service DACL Abuse To Hide Services Via Sc.EXE"
 },
 {
@@ -17966,6 +22926,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.005"
+ ],
 "title": "Suspicious Process Masquerading As SvcHost.EXE"
 },
 {
@@ -17983,6 +22947,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Potential Command Line Path Traversal Evasion Attempt"
 },
 {
@@ -18000,6 +22968,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Php Inline Command Execution"
 },
 {
@@ -18017,6 +22989,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1218",
+ "attack.defense-evasion"
+ ],
 "title": "Malicious PE Execution by Microsoft Visual Studio Debugger"
 },
 {
@@ -18034,6 +23010,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Potential Fake Instance Of Hxtsr.EXE Executed"
 },
 {
@@ -18051,6 +23031,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.g0047",
+ "attack.t1021.005"
+ ],
 "title": "Suspicious UltraVNC Execution"
 },
 {
@@ -18068,6 +23053,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005"
+ ],
 "title": "Schtasks Creation Or Modification With SYSTEM Privileges"
 },
 {
@@ -18085,6 +23075,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4"
 },
 {
@@ -18102,6 +23095,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential PowerShell Downgrade Attack"
 },
 {
@@ -18119,6 +23117,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.t1036",
+ "attack.t1003.001",
+ "car.2013-05-009"
+ ],
 "title": "Process Memory Dump Via Comsvcs.DLL"
 },
 {
@@ -18136,6 +23141,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Suspicious Calculator Usage"
 },
 {
@@ -18153,6 +23162,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1021.003",
+ "attack.lateral-movement"
+ ],
 "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp"
 },
 {
@@ -18170,6 +23183,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Use of VSIISExeLauncher.exe"
 },
 {
@@ -18187,6 +23204,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1558.003",
+ "attack.lateral-movement",
+ "attack.t1550.003"
+ ],
 "title": "HackTool - KrbRelayUp Execution"
 },
 {
@@ -18204,6 +23227,15 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.discovery",
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1622",
+ "attack.t1564",
+ "attack.t1543"
+ ],
 "title": "PUA - Process Hacker Execution"
 },
 {
@@ -18221,6 +23253,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1203",
+ "attack.execution"
+ ],
 "title": "Java Running with Remote Debugging"
 },
 {
@@ -18238,6 +23274,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1220"
+ ],
 "title": "Remote XSL Execution Via Msxsl.EXE"
 },
 {
@@ -18255,6 +23295,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Scheduled Task Name As GUID"
 },
 {
@@ -18272,6 +23316,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Certificate Exported Via Certutil.EXE"
 },
 {
@@ -18289,6 +23337,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "DeviceCredentialDeployment Execution"
 },
 {
@@ -18306,6 +23358,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Binary Proxy Execution Via Dotnet-Trace.EXE"
 },
 {
@@ -18323,6 +23380,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1053.005",
+ "attack.t1059.001"
+ ],
 "title": "Scheduled Task Executing Payload from Registry"
 },
 {
@@ -18340,6 +23403,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1036"
+ ],
 "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE"
 },
 {
@@ -18357,6 +23425,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation"
+ ],
 "title": "Windows Kernel Debugger Execution"
 },
 {
@@ -18374,6 +23446,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.003"
+ ],
 "title": "Renamed ProcDump Execution"
 },
 {
@@ -18391,6 +23467,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.003",
+ "attack.t1036",
+ "attack.t1027.005",
+ "attack.t1027"
+ ],
 "title": "PUA - Potential PE Metadata Tamper Using Rcedit"
 },
 {
@@ -18408,6 +23491,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216.001"
+ ],
 "title": "Launch-VsDevShell.PS1 Proxy Execution"
 },
 {
@@ -18425,6 +23512,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Ruby Inline Command Execution"
 },
 {
@@ -18442,6 +23533,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - Potential MeshAgent Execution - Windows"
 },
 {
@@ -18459,6 +23554,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1057"
+ ],
 "title": "Recon Command Output Piped To Findstr.EXE"
 },
 {
@@ -18476,6 +23575,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1106",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1127"
+ ],
 "title": "Potential Binary Proxy Execution Via Cdb.EXE"
 },
 {
@@ -18493,6 +23599,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562"
+ ],
 "title": "HackTool - EDRSilencer Execution"
 },
 {
@@ -18510,6 +23620,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Scripting/CommandLine Process Spawned Regsvr32"
 },
 {
@@ -18527,6 +23641,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.reconnaissance",
+ "attack.discovery",
+ "attack.impact"
+ ],
 "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation"
 },
 {
@@ -18544,6 +23663,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Parent Process"
 },
 {
@@ -18561,6 +23684,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002"
+ ],
 "title": "Audit Policy Tampering Via NT Resource Kit Auditpol"
 },
 {
@@ -18578,6 +23705,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Sysprep on AppData Folder"
 },
 {
@@ -18595,6 +23726,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.lateral-movement",
+ "attack.t1133",
+ "attack.t1136.001",
+ "attack.t1021.001"
+ ],
 "title": "User Added to Remote Desktop Users Group"
 },
 {
@@ -18612,6 +23750,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ],
 "title": "Suspicious Download From Direct IP Via Bitsadmin"
 },
 {
@@ -18629,6 +23774,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Suspicious High IntegrityLevel Conhost Legacy Option"
 },
 {
@@ -18646,6 +23795,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1112",
+ "attack.defense-evasion"
+ ],
 "title": "Imports Registry Key From a File"
 },
 {
@@ -18663,6 +23816,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1572"
+ ],
 "title": "PUA - Ngrok Execution"
 },
 {
@@ -18680,6 +23837,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1220"
+ ],
 "title": "Msxsl.EXE Execution"
 },
 {
@@ -18697,6 +23858,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "Suspicious ShellExec_RunDLL Call Via Ordinal"
 },
 {
@@ -18714,6 +23879,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1587.001"
+ ],
 "title": "Potential PsExec Remote Execution"
 },
 {
@@ -18731,6 +23900,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Windows Recovery Environment Disabled Via Reagentc"
 },
 {
@@ -18748,6 +23921,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.lateral-movement",
+ "attack.t1021.003"
+ ],
 "title": "HackTool - Potential Impacket Lateral Movement Activity"
 },
 {
@@ -18765,6 +23944,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1572"
+ ],
 "title": "PUA - 3Proxy Execution"
 },
 {
@@ -18782,6 +23965,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Potential Manage-bde.wsf Abuse To Proxy Execution"
 },
 {
@@ -18799,6 +23986,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Copy From VolumeShadowCopy Via Cmd.EXE"
 },
 {
@@ -18816,6 +24007,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "WmiPrvSE Spawned A Process"
 },
 {
@@ -18833,6 +24028,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution"
 },
 {
@@ -18850,6 +24049,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090"
+ ],
 "title": "PUA - NPS Tunneling Tool Execution"
 },
 {
@@ -18867,6 +24070,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Wlrmdr.EXE Uncommon Argument Or Child Process"
 },
 {
@@ -18884,6 +24091,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1558.003"
+ ],
 "title": "HackTool - KrbRelay Execution"
 },
 {
@@ -18901,6 +24112,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.002"
+ ],
 "title": "HackTool - SharpMove Tool Execution"
 },
 {
@@ -18918,6 +24133,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "Security Privileges Enumeration Via Whoami.EXE"
 },
 {
@@ -18935,6 +24155,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.003"
+ ],
 "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE"
 },
 {
@@ -18952,6 +24176,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110",
+ "attack.t1110.001"
+ ],
 "title": "HackTool - Hydra Password Bruteforce Execution"
 },
 {
@@ -18969,6 +24198,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Process Proxy Execution Via Squirrel.EXE"
 },
 {
@@ -18986,6 +24220,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.002"
+ ],
 "title": "Potential Defense Evasion Via Right-to-Left Override"
 },
 {
@@ -19003,6 +24241,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Modification Of Scheduled Tasks"
 },
 {
@@ -19020,6 +24262,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Process Launched Without Image Name"
 },
 {
@@ -19037,6 +24282,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
 "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP"
 },
 {
@@ -19054,6 +24303,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Potentially Suspicious Electron Application CommandLine"
 },
 {
@@ -19071,6 +24323,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Non Interactive PowerShell Process Spawned"
 },
 {
@@ -19088,6 +24344,15 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.credential-access",
+ "attack.command-and-control",
+ "attack.t1218",
+ "attack.t1564.004",
+ "attack.t1552.001",
+ "attack.t1105"
+ ],
 "title": "Insensitive Subfolder Search Via Findstr.EXE"
 },
 {
@@ -19105,6 +24370,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Kavremover Dropped Binary LOLBIN Usage"
 },
 {
@@ -19122,6 +24391,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002"
+ ],
 "title": "HackTool - Quarks PwDump Execution"
 },
 {
@@ -19139,6 +24412,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1082"
+ ],
 "title": "Suspicious Query of MachineGUID"
 },
 {
@@ -19156,6 +24433,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "HackTool - Empire PowerShell Launch Parameters"
 },
 {
@@ -19173,6 +24454,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070",
+ "attack.t1562.006",
+ "car.2016-04-002"
+ ],
 "title": "ETW Trace Evasion Activity"
 },
 {
@@ -19190,6 +24477,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "CobaltStrike Load by Rundll32"
 },
 {
@@ -19207,6 +24498,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Remote Access Tool - AnyDesk Silent Installation"
 },
 {
@@ -19224,6 +24519,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.010"
+ ],
 "title": "LSA PPL Protection Disabled Via Reg.EXE"
 },
 {
@@ -19241,6 +24540,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "PsExec Service Execution"
 },
 {
@@ -19258,6 +24560,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ],
 "title": "WSL Child Process Anomaly"
 },
 {
@@ -19275,6 +24583,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
 "title": "Winrar Execution in Non-Standard Folder"
 },
 {
@@ -19292,6 +24604,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potentially Suspicious Windows App Activity"
 },
 {
@@ -19309,6 +24624,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Verclsid.exe Runs COM Object"
 },
 {
@@ -19326,6 +24645,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Regsvr32 DLL Execution With Suspicious File Extension"
 },
 {
@@ -19343,6 +24666,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "Suspicious Rundll32 Activity Invoking Sys File"
 },
 {
@@ -19360,6 +24687,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Logged-On User Password Change Via Ksetup.EXE"
 },
 {
@@ -19377,6 +24707,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1040"
+ ],
 "title": "PktMon.EXE Execution"
 },
 {
@@ -19394,6 +24728,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "DumpStack.log Defender Evasion"
 },
 {
@@ -19411,6 +24748,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.006"
+ ],
 "title": "Findstr GPP Passwords"
 },
 {
@@ -19428,6 +24769,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001"
+ ],
 "title": "Suspicious GUP Usage"
 },
 {
@@ -19445,6 +24790,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1046"
+ ],
 "title": "PUA - NimScan Execution"
 },
 {
@@ -19462,6 +24811,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Potential Credential Dumping Via WER"
 },
 {
@@ -19479,6 +24832,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Abusing Print Executable"
 },
 {
@@ -19496,6 +24853,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.008"
+ ],
 "title": "Uncommon Child Process Spawned By Odbcconf.EXE"
 },
 {
@@ -19513,6 +24874,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1124"
+ ],
 "title": "Discovery of a System Time"
 },
 {
@@ -19530,6 +24895,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090.001"
+ ],
 "title": "HackTool - SharpChisel Execution"
 },
 {
@@ -19547,6 +24916,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.privilege-escalation",
+ "attack.t1068"
+ ],
 "title": "Suspicious Spool Service Child Process"
 },
 {
@@ -19564,6 +24939,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential PowerShell Obfuscation Via Reversed Commands"
 },
 {
@@ -19581,6 +24962,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1071.001"
+ ],
 "title": "Visual Studio Code Tunnel Service Installation"
 },
 {
@@ -19598,6 +24983,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Non-privileged Usage of Reg or Powershell"
 },
 {
@@ -19615,6 +25004,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ],
 "title": "PUA - NirCmd Execution"
 },
 {
@@ -19632,6 +25026,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "Bypass UAC via WSReset.exe"
 },
 {
@@ -19649,6 +25048,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Perl Inline Command Execution"
 },
 {
@@ -19666,6 +25069,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1003.001",
+ "attack.credential-access"
+ ],
 "title": "CreateDump Process Dump"
 },
 {
@@ -19683,6 +25092,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Suspicious Execution Location Of Wermgr.EXE"
 },
 {
@@ -19700,6 +25112,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.execution"
+ ],
 "title": "Proxy Execution Via Wuauclt.EXE"
 },
 {
@@ -19717,6 +25134,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2"
 },
 {
@@ -19734,6 +25154,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.004"
+ ],
 "title": "Use Short Name Path in Image"
 },
 {
@@ -19751,6 +25175,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Tools Using ComputerDefaults"
 },
 {
@@ -19768,6 +25197,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential Encoded PowerShell Patterns In CommandLine"
 },
 {
@@ -19785,6 +25220,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.impact",
+ "attack.t1112",
+ "attack.t1491.001"
+ ],
 "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE"
 },
 {
@@ -19802,6 +25243,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567"
+ ],
 "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe"
 },
 {
@@ -19819,6 +25264,16 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.001",
+ "attack.t1087.002",
+ "attack.t1482",
+ "attack.t1069.001",
+ "attack.t1069.002",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "HackTool - Bloodhound/Sharphound Execution"
 },
 {
@@ -19836,6 +25291,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "HackTool - Jlaive In-Memory Assembly Execution"
 },
 {
@@ -19853,6 +25312,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070",
+ "attack.t1562",
+ "attack.t1562.002"
+ ],
 "title": "Sysmon Driver Unloaded Via Fltmc.EXE"
 },
 {
@@ -19870,6 +25335,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution"
+ ],
 "title": "ImagingDevices Unusual Parent/Child Processes"
 },
 {
@@ -19887,6 +25356,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1202",
+ "attack.t1027.003"
+ ],
 "title": "Findstr Launching .lnk File"
 },
 {
@@ -19904,6 +25379,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
 },
 {
@@ -19921,6 +25400,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1566.001"
+ ],
 "title": "Suspicious Execution From Outlook Temporary Folder"
 },
 {
@@ -19938,6 +25421,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021"
+ ],
 "title": "Potential Remote Desktop Tunneling"
 },
 {
@@ -19955,6 +25442,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.005"
+ ],
 "title": "Suspicious JavaScript Execution Via Mshta.EXE"
 },
 {
@@ -19972,6 +25463,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.003"
+ ],
 "title": "Suspicious Copy From or To System Directory"
 },
 {
@@ -19989,6 +25484,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ],
 "title": "Share And Session Enumeration Using Net.EXE"
 },
 {
@@ -20006,6 +25505,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Process Reconnaissance Via Wmic.EXE"
 },
 {
@@ -20023,6 +25526,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "HackTool - HandleKatz LSASS Dumper Execution"
 },
 {
@@ -20040,6 +25547,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1018"
+ ],
 "title": "PUA - Adidnsdump Execution"
 },
 {
@@ -20057,6 +25568,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Parameter Substring"
 },
 {
@@ -20074,6 +25589,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1055"
+ ],
 "title": "Suspicious Rundll32 Invoking Inline VBScript"
 },
 {
@@ -20091,6 +25610,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1"
 },
 {
@@ -20108,6 +25630,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005"
+ ],
 "title": "Potential Persistence Via Microsoft Compatibility Appraiser"
 },
 {
@@ -20125,6 +25651,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.t1190"
+ ],
 "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution"
 },
 {
@@ -20142,6 +25672,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1046"
+ ],
 "title": "PUA - SoftPerfect Netscan Execution"
 },
 {
@@ -20159,6 +25693,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1574.011"
+ ],
 "title": "Service Security Descriptor Tampering Via Sc.EXE"
 },
 {
@@ -20176,6 +25716,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Msbuild Execution By Uncommon Parent Process"
 },
 {
@@ -20193,6 +25736,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1055",
+ "attack.t1036"
+ ],
 "title": "Suspicious Child Process Of Wermgr.EXE"
 },
 {
@@ -20210,6 +25759,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Potential PowerShell Obfuscation Via WCHAR/CHAR"
 },
 {
@@ -20227,6 +25782,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1090",
+ "attack.s0040"
+ ],
 "title": "HackTool - Htran/NATBypass Execution"
 },
 {
@@ -20244,6 +25804,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574",
+ "attack.execution"
+ ],
 "title": "Regsvr32 DLL Execution With Uncommon Extension"
 },
 {
@@ -20261,6 +25826,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.006"
+ ],
 "title": "LSASS Process Reconnaissance Via Findstr.EXE"
 },
 {
@@ -20278,6 +25847,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1572"
+ ],
 "title": "Potential RDP Tunneling Via Plink"
 },
 {
@@ -20295,6 +25868,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.persistence",
+ "attack.t1543.003"
+ ],
 "title": "Sysinternals PsSuspend Execution"
 },
 {
@@ -20312,6 +25890,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "Potential ShellDispatch.DLL Functionality Abuse"
 },
 {
@@ -20329,6 +25911,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1574.011"
+ ],
 "title": "Possible Privilege Escalation via Weak Service Permissions"
 },
 {
@@ -20346,6 +25934,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1115"
+ ],
 "title": "Data Copied To Clipboard Via Clip.EXE"
 },
 {
@@ -20363,6 +25955,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105",
+ "attack.t1564.003"
+ ],
 "title": "File Download with Headless Browser"
 },
 {
@@ -20380,6 +25977,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010"
+ ],
 "title": "Suspicious Regsvr32 Execution From Remote Share"
 },
 {
@@ -20397,6 +25998,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.006",
+ "attack.t1564"
+ ],
 "title": "Virtualbox Driver Installation or Starting of VMs"
 },
 {
@@ -20414,6 +26020,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "PowerShell Script Change Permission Via Set-Acl"
 },
 {
@@ -20431,6 +26040,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "File Download Via Windows Defender MpCmpRun.EXE"
 },
 {
@@ -20448,6 +26063,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Assembly Loading Via CL_LoadAssembly.ps1"
 },
 {
@@ -20465,6 +26084,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1587.001"
+ ],
 "title": "PsExec/PAExec Escalation to LOCAL SYSTEM"
 },
 {
@@ -20482,6 +26105,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1119"
+ ],
 "title": "Recon Information for Export with Command Prompt"
 },
 {
@@ -20499,6 +26126,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.001",
+ "attack.t1562.002",
+ "car.2016-04-002"
+ ],
 "title": "Suspicious Eventlog Clearing or Configuration Change Activity"
 },
 {
@@ -20516,6 +26149,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.credential-access",
+ "attack.t1040"
+ ],
 "title": "New Network Trace Capture Started Via Netsh.EXE"
 },
 {
@@ -20533,6 +26171,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Conhost Spawned By Uncommon Parent Process"
 },
 {
@@ -20550,6 +26192,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "File Decoded From Base64/Hex Via Certutil.EXE"
 },
 {
@@ -20567,6 +26213,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1560.001"
+ ],
 "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE"
 },
 {
@@ -20584,6 +26234,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.009"
+ ],
 "title": "RegAsm.EXE Execution Without CommandLine Flags or Files"
 },
 {
@@ -20601,6 +26255,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ],
 "title": "Suspicious Child Process Of BgInfo.EXE"
 },
 {
@@ -20618,6 +26279,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1106",
+ "attack.t1059.003",
+ "attack.t1218.011"
+ ],
 "title": "HackTool - RedMimicry Winnti Playbook Execution"
 },
 {
@@ -20635,6 +26303,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Execute Code with Pester.bat"
 },
 {
@@ -20652,6 +26326,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1124"
+ ],
 "title": "Use of W32tm as Timer"
 },
 {
@@ -20669,6 +26347,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Local File Read Using Curl.EXE"
 },
 {
@@ -20686,6 +26367,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"
 },
 {
@@ -20703,6 +26388,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Arbitrary MSI Download Via Devinit.EXE"
 },
 {
@@ -20720,6 +26410,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Suspicious File Download From IP Via Curl.EXE"
 },
 {
@@ -20737,6 +26430,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1"
 },
 {
@@ -20754,6 +26451,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "PowerShell Download Pattern"
 },
 {
@@ -20771,6 +26472,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "AspNetCompiler Execution"
 },
 {
@@ -20788,6 +26493,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Rundll32 Spawned Via Explorer.EXE"
 },
 {
@@ -20805,6 +26513,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Suspicious Electron Application Child Processes"
 },
 {
@@ -20822,6 +26533,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Signing Bypass Via Windows Developer Features"
 },
 {
@@ -20839,6 +26553,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Proxy Execution via Vshadow"
 },
 {
@@ -20856,6 +26574,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033",
+ "attack.t1087.001"
+ ],
 "title": "Local Accounts Discovery"
 },
 {
@@ -20873,6 +26596,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1059"
+ ],
 "title": "VMToolsd Suspicious Child Process"
 },
 {
@@ -20890,6 +26618,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
 "title": "Schtasks From Suspicious Folders"
 },
 {
@@ -20907,6 +26639,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003",
+ "attack.t1558.003",
+ "attack.lateral-movement",
+ "attack.t1550.003"
+ ],
 "title": "HackTool - Rubeus Execution"
 },
 {
@@ -20924,6 +26663,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.001"
+ ],
 "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"
 },
 {
@@ -20941,6 +26684,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Use of VisualUiaVerifyNative.exe"
 },
 {
@@ -20958,6 +26705,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Workstation Locking via Rundll32"
 },
 {
@@ -20975,6 +26725,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1202"
+ ],
 "title": "Suspicious ZipExec Execution"
 },
 {
@@ -20992,6 +26748,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1546.002"
+ ],
 "title": "Suspicious ScreenSave Change by Reg.exe"
 },
 {
@@ -21009,6 +26769,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1059",
+ "attack.t1202"
+ ],
 "title": "Outlook EnableUnsafeClientMailRules Setting Enabled"
 },
 {
@@ -21026,6 +26792,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "HackTool - F-Secure C3 Load by Rundll32"
 },
 {
@@ -21043,6 +26813,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "car.2016-03-002"
+ ],
 "title": "Hardware Model Reconnaissance Via Wmic.EXE"
 },
 {
@@ -21060,6 +26835,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Process Memory Dump via RdrLeakDiag.EXE"
 },
 {
@@ -21077,6 +26856,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1552.006"
+ ],
 "title": "Suspicious SYSVOL Domain Group Policy Access"
 },
 {
@@ -21094,6 +26877,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1059",
+ "attack.t1202"
+ ],
 "title": "Suspicious Remote Child Process From Outlook"
 },
 {
@@ -21111,6 +26900,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Use Of The SFTP.EXE Binary As A LOLBIN"
 },
 {
@@ -21128,6 +26922,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Potential Cookies Session Hijacking"
 },
 {
@@ -21145,6 +26942,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1140"
+ ],
 "title": "Potential Commandline Obfuscation Using Escape Characters"
 },
 {
@@ -21162,6 +26963,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Windows Defender Context Menu Removed"
 },
 {
@@ -21179,6 +26984,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential Powershell ReverseShell Connection"
 },
 {
@@ -21196,6 +27005,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE"
 },
 {
@@ -21213,6 +27026,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "Netsh Allow Group Policy on Microsoft Defender Firewall"
 },
 {
@@ -21230,6 +27047,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1036.005",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
 },
 {
@@ -21247,6 +27070,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Potential Arbitrary Code Execution Via Node.EXE"
 },
 {
@@ -21264,6 +27091,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1134.004"
+ ],
 "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution"
 },
 {
@@ -21281,6 +27112,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.007"
+ ],
 "title": "Suspicious Msiexec Execute Arbitrary DLL"
 },
 {
@@ -21298,6 +27133,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ],
 "title": "PUA - Rclone Execution"
 },
 {
@@ -21315,6 +27154,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Potential Tampering With Security Products Via WMIC"
 },
 {
@@ -21332,6 +27175,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1105"
+ ],
 "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE"
 },
 {
@@ -21349,6 +27198,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE"
 },
 {
@@ -21366,6 +27219,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1005"
+ ],
 "title": "Esentutl Steals Browser Information"
 },
 {
@@ -21383,6 +27240,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Suspicious VBoxDrvInst.exe Parameters"
 },
 {
@@ -21400,6 +27261,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "Detection of PowerShell Execution via Sqlps.exe"
 },
 {
@@ -21417,6 +27284,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Enable LM Hash Storage - ProcCreation"
 },
 {
@@ -21434,6 +27305,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001",
+ "attack.t1003.002",
+ "attack.t1003.004",
+ "attack.t1003.005",
+ "attack.t1003.006"
+ ],
 "title": "HackTool - Mimikatz Execution"
 },
 {
@@ -21451,6 +27330,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1037.001"
+ ],
 "title": "Potential Persistence Via Logon Scripts - CommandLine"
 },
 {
@@ -21468,6 +27351,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003"
+ ],
 "title": "Microsoft IIS Connection Strings Decryption"
 },
 {
@@ -21485,6 +27372,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Fsutil Behavior Set SymlinkEvaluation"
 },
 {
@@ -21502,6 +27393,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218.011"
+ ],
 "title": "Shell32 DLL Execution in Suspicious Directory"
 },
 {
@@ -21519,6 +27415,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
 },
 {
@@ -21536,6 +27436,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1134.001",
+ "attack.t1134.002"
+ ],
 "title": "Potential Meterpreter/CobaltStrike Activity"
 },
 {
@@ -21553,6 +27458,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070",
+ "attack.persistence",
+ "attack.t1542.003"
+ ],
 "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"
 },
 {
@@ -21570,6 +27481,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1197",
+ "attack.s0190",
+ "attack.t1036.003"
+ ],
 "title": "File Download Via Bitsadmin To A Suspicious Target Folder"
 },
 {
@@ -21587,6 +27505,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "cve.2022-41120",
+ "attack.t1068",
+ "attack.privilege-escalation"
+ ],
 "title": "HackTool - SysmonEOP Execution"
 },
 {
@@ -21604,6 +27527,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Suspicious Service Binary Directory"
 },
 {
@@ -21621,6 +27548,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Taskkill Symantec Endpoint Protection"
 },
 {
@@ -21638,6 +27569,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "User Discovery And Export Via Get-ADUser Cmdlet"
 },
 {
@@ -21655,6 +27590,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1563.002"
+ ],
 "title": "Potential MSTSC Shadowing Activity"
 },
 {
@@ -21672,6 +27611,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.003"
+ ],
 "title": "Suspicious Process Patterns NTDS.DIT Exfil"
 },
 {
@@ -21689,6 +27632,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1071.001"
+ ],
 "title": "Visual Studio Code Tunnel Shell Execution"
 },
 {
@@ -21706,6 +27653,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution"
 },
 {
@@ -21723,6 +27674,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.001"
+ ],
 "title": "Change Default File Association Via Assoc"
 },
 {
@@ -21740,6 +27695,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574"
+ ],
 "title": "DLL Execution Via Register-cimprovider.exe"
 },
 {
@@ -21757,6 +27716,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "File Encryption Using Gpg4win"
 },
 {
@@ -21774,6 +27736,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1127"
+ ],
 "title": "C# IL Code Compilation Via Ilasm.EXE"
 },
 {
@@ -21791,6 +27757,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Powershell Defender Exclusion"
 },
 {
@@ -21808,6 +27778,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.lateral-movement"
+ ],
 "title": "HackTool - Wmiexec Default Powershell Command"
 },
 {
@@ -21825,6 +27799,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "Group Membership Reconnaissance Via Whoami.EXE"
 },
 {
@@ -21842,6 +27820,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Arbitrary File Download Via MSPUB.EXE"
 },
 {
@@ -21857,6 +27840,10 @@
 "level": "medium",
 "service": "smbclient-security",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110.001"
+ ],
 "title": "Suspicious Rejected SMB Guest Logon From IP"
 },
 {
@@ -21873,6 +27860,10 @@
 "level": "low",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
 },
 {
@@ -21889,6 +27880,10 @@
 "level": "high",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
 },
 {
@@ -21904,6 +27899,10 @@
 "level": "low",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "The Windows Defender Firewall Service Failed To Load Group Policy"
 },
 {
@@ -21921,6 +27920,10 @@
 "level": "medium",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
 },
 {
@@ -21938,6 +27941,10 @@
 "level": "high",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
 },
 {
@@ -21954,6 +27961,10 @@
 "level": "medium",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
 },
 {
@@ -21971,6 +27982,10 @@
 "level": "medium",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
 },
 {
@@ -21990,6 +28005,10 @@
 "level": "low",
 "service": "firewall-as",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "Windows Firewall Settings Have Been Changed"
 },
 {
@@ -22016,6 +28035,10 @@
 "level": "critical",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.t1486",
+ "attack.impact"
+ ],
 "title": "Antivirus Ransomware Detection"
 },
 {
@@ -22042,6 +28065,12 @@
 "level": "critical",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Antivirus Exploitation Framework Detection"
 },
 {
@@ -22068,6 +28097,10 @@
 "level": "high",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1588"
+ ],
 "title": "Antivirus Relevant File Paths Alerts"
 },
 {
@@ -22094,6 +28127,13 @@
 "level": "critical",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003",
+ "attack.t1558",
+ "attack.t1003.001",
+ "attack.t1003.002"
+ ],
 "title": "Antivirus Password Dumper Detection"
 },
 {
@@ -22120,6 +28160,10 @@
 "level": "high",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.persistence",
+ "attack.t1505.003"
+ ],
 "title": "Antivirus Web Shell Detection"
 },
 {
@@ -22146,6 +28190,10 @@
 "level": "high",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ],
 "title": "Antivirus Hacktool Detection"
 },
 {
@@ -22162,6 +28210,9 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "MSI Installation From Suspicious Locations"
 },
 {
@@ -22177,6 +28228,10 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Atera Agent Installation"
 },
 {
@@ -22193,6 +28248,11 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1218.007"
+ ],
 "title": "MSI Installation From Web"
 },
 {
@@ -22209,6 +28269,10 @@
 "level": "low",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
 "title": "Application Uninstalled"
 },
 {
@@ -22224,6 +28288,10 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.004"
+ ],
 "title": "Backup Catalog Deleted"
 },
 {
@@ -22243,6 +28311,10 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1072"
+ ],
 "title": "Restricted Software Access By SRP"
 },
 {
@@ -22258,6 +28330,10 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110"
+ ],
 "title": "MSSQL Server Failed Logon From External Network"
 },
 {
@@ -22273,6 +28349,10 @@
 "level": "low",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110"
+ ],
 "title": "MSSQL Server Failed Logon"
 },
 {
@@ -22288,6 +28368,9 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "MSSQL XPCmdshell Option Change"
 },
 {
@@ -22303,6 +28386,9 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "MSSQL SPProcoption Set"
 },
 {
@@ -22318,6 +28404,11 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.exfiltration",
+ "attack.impact",
+ "attack.t1485"
+ ],
 "title": "MSSQL Destructive Query"
 },
 {
@@ -22333,6 +28424,9 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "MSSQL Add Account To Sysadmin Role"
 },
 {
@@ -22348,6 +28442,9 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "MSSQL XPCmdshell Suspicious Execution"
 },
 {
@@ -22363,6 +28460,9 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "MSSQL Disable Audit Settings"
 },
 {
@@ -22378,6 +28478,9 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "Dump Ntds.dit To Suspicious Location"
 },
 {
@@ -22396,6 +28499,10 @@
 "level": "medium",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.003"
+ ],
 "title": "Ntdsutil Abuse"
 },
 {
@@ -22411,6 +28518,10 @@
 "level": "low",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Remote Access Tool - ScreenConnect File Transfer"
 },
 {
@@ -22426,6 +28537,10 @@
 "level": "low",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Remote Access Tool - ScreenConnect Command Execution"
 },
 {
@@ -22441,6 +28556,20 @@
 "level": "critical",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1203",
+ "attack.privilege-escalation",
+ "attack.t1068",
+ "attack.defense-evasion",
+ "attack.t1211",
+ "attack.credential-access",
+ "attack.t1212",
+ "attack.lateral-movement",
+ "attack.t1210",
+ "attack.impact",
+ "attack.t1499.004"
+ ],
 "title": "Audit CVE Event"
 },
 {
@@ -22454,6 +28583,10 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1588"
+ ],
 "title": "Relevant Anti-Virus Signature Keywords In Application Log"
 },
 {
@@ -22469,6 +28602,10 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Potential Credential Dumping Via WER - Application"
 },
 {
@@ -22484,6 +28621,11 @@
 "level": "high",
 "service": "application",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1211",
+ "attack.t1562.001"
+ ],
 "title": "Microsoft Malware Protection Engine Crash"
 },
 {
@@ -22501,6 +28643,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.009" + ], "title": "RegAsm.EXE Initiating Network Connection To Public IP" }, { @@ -22518,6 +28664,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.command-and-control" + ], "title": "Office Application Initiated Network Connection Over Uncommon Ports" }, { @@ -22535,6 +28685,12 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.command-and-control", + "attack.t1218.011" + ], "title": "Outbound Network Connection To Public IP Via Winlogon" }, { @@ -22552,6 +28708,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1127.001" + ], "title": "Silenttrinity Stager Msbuild Activity" }, { @@ -22569,6 +28730,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" }, { @@ -22586,6 +28751,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.command-and-control" + ], "title": "Suspicious Wordpad Outbound Connections" }, { @@ -22603,6 +28772,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218" + ], "title": "Network Connection Initiated By AddinUtil.EXE" }, { @@ -22620,6 +28793,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.003" + ], "title": "Outbound Network Connection Initiated By Cmstp.EXE" }, { 
@@ -22637,6 +28814,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "attack.execution" + ], "title": "Rundll32 Internet Connection" }, { @@ -22654,6 +28836,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" }, { @@ -22671,6 +28857,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.command-and-control", + "attack.t1571" + ], "title": "Potentially Suspicious Malware Callback Communication" }, { @@ -22688,6 +28879,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087" + ], "title": "Uncommon Connection to Active Directory Web Services" }, { @@ -22705,6 +28900,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1046" + ], "title": "Python Initiated Connection" }, { @@ -22722,6 +28921,13 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1572", + "attack.lateral-movement", + "attack.t1021.001", + "car.2013-07-002" + ], "title": "RDP to HTTP or HTTPS Target Ports" }, { @@ -22739,6 +28945,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203" + ], "title": "Office Application Initiated Network Connection To Non-Local IP" }, { @@ -22756,6 +28966,13 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1572", + "attack.lateral-movement", + "attack.t1021.001", + "car.2013-07-002" + ], "title": "RDP Over Reverse SSH Tunnel" }, { 
@@ -22773,6 +28990,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Uncommon Network Connection Initiated By Certutil.EXE" }, { @@ -22790,6 +29011,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.t1048.003" + ], "title": "Suspicious Outbound SMTP Connections" }, { @@ -22807,6 +29032,12 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1559.001", + "attack.defense-evasion", + "attack.t1218.010" + ], "title": "Network Connection Initiated By Regsvr32.EXE" }, { @@ -22824,6 +29055,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Local Network Connection Initiated By Script Interpreter" }, { @@ -22841,6 +29076,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Outbound Network Connection Initiated By Script Interpreter" }, { @@ -22858,6 +29097,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.command-and-control", + "attack.t1219.002" + ], "title": "Remote Access Tool - AnyDesk Incoming Connection" }, { @@ -22875,6 +29119,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.001", + "car.2013-07-002" + ], "title": "Outbound RDP Connections Over Non-Standard Tools" }, { @@ -22892,6 +29141,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.command-and-control", + "attack.t1071.001" + ], "title": "Outbound Network Connection Initiated By Microsoft Dialer" }, { 
@@ -22909,6 +29163,12 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558", + "attack.lateral-movement", + "attack.t1550.003" + ], "title": "Uncommon Outbound Kerberos Connection" }, { @@ -22926,6 +29186,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.command-and-control", + "attack.t1571" + ], "title": "Communication To Uncommon Destination Ports" }, { @@ -22943,6 +29208,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203" + ], "title": "Network Connection Initiated By Eqnedt32.EXE" }, { @@ -22960,6 +29229,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Network Connection Initiated By IMEWDBLD.EXE" }, { @@ -22977,6 +29250,12 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1055", + "attack.t1218", + "attack.execution", + "attack.defense-evasion" + ], "title": "Microsoft Sync Center Suspicious Network Connections" }, { @@ -22994,6 +29273,12 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.execution", + "attack.defense-evasion", + "attack.t1055" + ], "title": "Network Connection Initiated Via Notepad.EXE" }, { @@ -23011,6 +29296,10 @@ "level": "low", "service": "driver-framework", "subcategory_guids": [], + "tags": [ + "attack.initial-access", + "attack.t1200" + ], "title": "USB Device Plugged" }, { @@ -23026,6 +29315,10 @@ "level": "medium", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], "title": "Scheduled Task Executed Uncommon LOLBIN" }, { 
@@ -23041,6 +29334,10 @@ "level": "medium", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1053.005" + ], "title": "Scheduled Task Executed From A Suspicious Location" }, { @@ -23056,6 +29353,10 @@ "level": "high", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1489" + ], "title": "Important Scheduled Task Deleted" }, { @@ -23071,6 +29372,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.threat-hunting" + ], "title": "Uncommon PowerShell Hosts" }, { @@ -23086,6 +29392,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.threat-hunting" + ], "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic" }, { @@ -23102,6 +29413,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1048.003", + "detection.threat-hunting" + ], "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" }, { @@ -23118,6 +29434,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1570", + "detection.threat-hunting" + ], "title": "SMB over QUIC Via PowerShell Script" }, { @@ -23134,6 +29455,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106", + "detection.threat-hunting" + ], "title": "WinAPI Function Calls Via PowerShell Scripts" }, { @@ -23150,6 +29477,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1106", + "detection.threat-hunting" + ], "title": "WinAPI Library Calls Via PowerShell Scripts" }, { 
@@ -23166,6 +29499,11 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.008", + "detection.threat-hunting" + ], "title": "Windows Mail App Mailbox Access Via PowerShell Script" }, { @@ -23182,6 +29520,12 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.t1007", + "detection.threat-hunting" + ], "title": "Potential Registry Reconnaissance Via PowerShell Script" }, { @@ -23198,6 +29542,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1560", + "detection.threat-hunting" + ], "title": "Compress-Archive Cmdlet Execution" }, { @@ -23214,6 +29563,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.004", + "detection.threat-hunting" + ], "title": "Use Of Remove-Item to Delete File - ScriptBlock" }, { @@ -23230,6 +29584,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004", + "detection.threat-hunting" + ], "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" }, { @@ -23246,6 +29605,12 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "detection.threat-hunting", + "attack.discovery", + "attack.t1518.001", + "attack.t1016" + ], "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" }, { @@ -23263,6 +29628,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.threat-hunting" + ], "title": "Unusually Long PowerShell CommandLine" }, { @@ -23280,6 +29650,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1489", + "detection.threat-hunting" + ], "title": "Process Terminated Via Taskkill" }, { 
@@ -23297,6 +29672,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.execution", + "attack.t1059", + "detection.threat-hunting" + ], "title": "Elevated System Shell Spawned" }, { @@ -23314,6 +29696,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1222.001", + "detection.threat-hunting" + ], "title": "File or Folder Permissions Modifications" }, { @@ -23331,6 +29718,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105", + "detection.threat-hunting" + ], "title": "Curl.EXE Execution" }, { @@ -23348,6 +29740,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.threat-hunting" + ], "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" }, { @@ -23365,6 +29761,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.threat-hunting" + ], "title": "DLL Call by Ordinal Via Rundll32.EXE" }, { @@ -23382,6 +29783,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1059.001", + "attack.t1027.010", + "detection.threat-hunting" + ], "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, { @@ -23399,6 +29806,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.threat-hunting" + ], "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" }, { 
@@ -23416,6 +29828,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1552", + "attack.credential-access", + "detection.threat-hunting" + ], "title": "EventLog Query Requests By Builtin Utilities" }, { @@ -23433,6 +29850,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "detection.threat-hunting" + ], "title": "Potential Suspicious Execution From GUID Like Folder Names" }, { @@ -23450,6 +29872,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "detection.threat-hunting" + ], "title": "Potential CommandLine Obfuscation Using Unicode Characters" }, { @@ -23467,6 +29894,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.threat-hunting" + ], "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" }, { @@ -23484,6 +29916,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat-hunting" + ], "title": "CMD Shell Output Redirect" }, { @@ -23501,6 +29938,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1053.005", + "detection.threat-hunting" + ], "title": "Scheduled Task Creation From Potential Suspicious Parent Location" }, { @@ -23518,6 +29960,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.threat-hunting" + ], "title": "Import New Module Via PowerShell CommandLine" }, { @@ -23535,6 +29981,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "detection.threat-hunting" + ], "title": "Remote Access Tool - Ammy Admin Agent Execution" }, { 
@@ -23552,6 +30003,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1127", + "attack.t1218", + "detection.threat-hunting" + ], "title": "Microsoft Workflow Compiler Execution" }, { @@ -23569,6 +30027,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036", + "detection.threat-hunting" + ], "title": "CodePage Modification Via MODE.COM" }, { @@ -23586,6 +30049,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "detection.threat-hunting" + ], "title": "Potential File Override/Append Via SET Command" }, { @@ -23603,6 +30071,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "detection.threat-hunting" + ], "title": "Suspicious New Instance Of An Office COM Object" }, { @@ -23620,6 +30093,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1570", + "detection.threat-hunting" + ], "title": "SMB over QUIC Via Net.EXE" }, { @@ -23637,6 +30115,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.threat-hunting" + ], "title": "Cab File Extraction Via Wusa.EXE" }, { @@ -23654,6 +30136,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.command-and-control", + "attack.t1041", + "attack.t1572", + "attack.t1071.001", + "detection.threat-hunting" + ], "title": "Tunneling Tool Execution" }, { @@ -23671,6 +30161,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.t1567", + "attack.t1105", + "detection.threat-hunting" + ], "title": "Potential Data Exfiltration Via Curl.EXE" }, { 
@@ -23688,6 +30184,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.threat-hunting" + ], "title": "New Self Extracting Package Created Via IExpress.EXE" }, { @@ -23705,6 +30206,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1552.001", + "detection.threat-hunting" + ], "title": "Potential Password Reconnaissance Via Findstr.EXE" }, { @@ -23722,6 +30228,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218", + "attack.t1202", + "detection.threat-hunting" + ], "title": "Arbitrary Command Execution Using WSL" }, { @@ -23739,6 +30252,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1564.001", + "detection.threat-hunting" + ], "title": "Set Files as System Files Using Attrib.EXE" }, { @@ -23756,6 +30274,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.execution", + "detection.threat-hunting" + ], "title": "Diskshadow Child Process Spawned" }, { @@ -23773,6 +30297,22 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1007", + "attack.t1049", + "attack.t1018", + "attack.t1135", + "attack.t1201", + "attack.t1069.001", + "attack.t1069.002", + "attack.t1087.001", + "attack.t1087.002", + "attack.lateral-movement", + "attack.t1021.002", + "attack.s0039", + "detection.threat-hunting" + ], "title": "Net.EXE Execution" }, { @@ -23790,6 +30330,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105", + "detection.threat-hunting" + ], "title": "File Download Via Curl.EXE" }, { 
@@ -23807,6 +30352,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1560.001", + "detection.threat-hunting" + ], "title": "Password Protected Compressed File Extraction Via 7Zip" }, { @@ -23824,6 +30374,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.execution", + "detection.threat-hunting" + ], "title": "Diskshadow Script Mode Execution" }, { @@ -23841,6 +30397,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1505.003", + "detection.threat-hunting" + ], "title": "Execution From Webserver Root Folder" }, { @@ -23858,6 +30419,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1219.002", + "detection.threat-hunting" + ], "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" }, { @@ -23875,6 +30441,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "detection.threat-hunting" + ], "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" }, { @@ -23892,6 +30464,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027.004", + "detection.threat-hunting" + ], "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" }, { @@ -23909,6 +30486,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1105", + "detection.threat-hunting" + ], "title": "Process Execution From WebDAV Share" }, { 
@@ -23926,6 +30509,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1071.001", + "detection.threat-hunting" + ], "title": "Curl.EXE Execution With Custom UserAgent" }, { @@ -23943,6 +30531,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1007", + "detection.threat-hunting" + ], "title": "SC.EXE Query Execution" }, { @@ -23960,6 +30553,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1057", + "detection.threat-hunting" + ], "title": "Suspicious Tasklist Discovery Command" }, { @@ -23977,6 +30575,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.threat-hunting" + ], "title": "Potentially Suspicious PowerShell Child Processes" }, { @@ -23994,6 +30597,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "detection.threat-hunting" + ], "title": "Manual Execution of Script Inside of a Compressed File" }, { @@ -24011,6 +30619,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1562.004", + "detection.threat-hunting" + ], "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" }, { @@ -24028,6 +30640,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "detection.threat-hunting" + ], "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" }, { @@ -24045,6 +30662,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.threat-hunting" + ], "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" }, { 
@@ -24062,6 +30684,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.threat-hunting" + ], "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" }, { @@ -24079,6 +30706,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1082", + "detection.threat-hunting" + ], "title": "System Information Discovery Via Wmic.EXE" }, { @@ -24095,6 +30727,11 @@ "level": "low", "service": "firewall-as", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004", + "detection.threat-hunting" + ], "title": "Firewall Rule Modified In The Windows Firewall Exception List" }, { @@ -24112,6 +30749,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203", + "detection.threat-hunting" + ], "title": "Dfsvc.EXE Network Connection To Non-Local IPs" }, { @@ -24129,6 +30771,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.threat-hunting" + ], "title": "Network Connection Initiated By PowerShell Process" }, { @@ -24146,6 +30793,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105", + "detection.threat-hunting" + ], "title": "Network Connection Initiated From Users\\Public Folder" }, { @@ -24163,6 +30815,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.007", + "detection.threat-hunting" + ], "title": "Msiexec.EXE Initiated Network Connection Over HTTP" }, { 
@@ -24180,6 +30837,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203", + "detection.threat-hunting" + ], "title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port" }, { @@ -24197,6 +30859,13 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.execution", + "attack.t1559.001", + "detection.threat-hunting" + ], "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" }, { @@ -24214,6 +30883,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.001", + "detection.threat-hunting" + ], "title": "HH.EXE Initiated HTTP Network Connection" }, { @@ -24231,6 +30905,15 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.privilege-escalation", + "attack.s0111", + "attack.t1053.005", + "car.2013-08-001", + "detection.threat-hunting" + ], "title": "Scheduled Task Created - Registry" }, { @@ -24248,6 +30931,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "detection.threat-hunting", + "attack.execution" + ], "title": "Command Executed Via Run Dialog Box - Registry" }, { @@ -24265,6 +30952,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112", + "detection.threat-hunting" + ], "title": "Service Binary in User Controlled Folder" }, { @@ -24282,6 +30974,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112", + "detection.threat-hunting" + ], "title": "Microsoft Office Trusted Location Updated" }, { 
@@ -24299,6 +30996,13 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1059.001", + "attack.t1027.010", + "attack.t1547.001", + "detection.threat-hunting" + ], "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" }, { @@ -24316,6 +31020,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.threat-hunting" + ], "title": "Shell Context Menu Command Tampering" }, { @@ -24334,6 +31042,13 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "car.2013-08-001", + "attack.t1053.005", + "detection.threat-hunting" + ], "title": "Scheduled Task Deletion" }, { @@ -24354,6 +31069,11 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1555.003", + "detection.threat-hunting" + ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" }, { @@ -24371,6 +31091,13 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.privilege-escalation", + "detection.threat-hunting", + "attack.persistence", + "attack.t1546.003" + ], "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" }, { @@ -24386,6 +31113,10 @@ "level": "medium", "service": "openssh", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.004" + ], "title": "OpenSSH Server Listening On Socket" }, { @@ -24401,6 +31132,10 @@ "level": "high", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1090" + ], "title": "Ngrok Usage with Remote Desktop Service" }, { 
@@ -24418,6 +31153,13 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218.003", + "attack.g0069", + "car.2019-04-001" + ], "title": "CMSTP Execution Registry Event" }, { @@ -24435,6 +31177,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1137.002" + ], "title": "Office Application Startup - Office Test" }, { @@ -24454,6 +31200,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1112" + ], "title": "Registry Entries For Azorult Malware" }, { @@ -24471,6 +31222,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.002" + ], "title": "Esentutl Volume Shadow Copy Service Keys" }, { @@ -24488,6 +31243,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Narrator's Feedback-Hub Persistence" }, { @@ -24505,6 +31264,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.009" + ], "title": "New DLL Added to AppCertDlls Registry Key" }, { @@ -24522,6 +31285,12 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.defense-evasion", + "attack.command-and-control", + "attack.t1090" + ], "title": "New PortProxy Registry Entry Added" }, { @@ -24539,6 +31308,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1566.001" + ], "title": "Windows Registry Trust Record Modification" }, { @@ -24556,6 +31329,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547" + ], "title": "WINEKEY Registry Modification" }, { 
@@ -24573,6 +31350,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, { @@ -24590,6 +31371,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Run Once Task Configuration in Registry" }, { @@ -24607,6 +31392,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Suspicious Run Key from Download" }, { @@ -24624,6 +31413,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1125", + "attack.t1123" + ], "title": "Suspicious Camera and Microphone Access" }, { @@ -24641,6 +31435,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1105" + ], "title": "Pandemic Registry Key" }, { @@ -24658,6 +31456,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "UAC Bypass Via Wsreset" }, { @@ -24675,6 +31478,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.005" + ], "title": "Security Support Provider (SSP) Added to LSA Configuration" }, { @@ -24692,6 +31499,12 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002", + "attack.t1546.001" + ], "title": "Shell Open Registry Keys Manipulation" }, { 
@@ -24709,6 +31522,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "RedMimicry Winnti Playbook Registry Manipulation"
 },
 {
@@ -24726,6 +31543,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Potential Qakbot Registry Activity"
 },
 {
@@ -24743,6 +31564,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001",
+ "attack.t1112"
+ ],
 "title": "NetNTLM Downgrade Attack - Registry"
 },
 {
@@ -24760,6 +31586,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002",
+ "attack.t1112",
+ "car.2022-03-001"
+ ],
 "title": "Disable Security Events Logging Adding Reg Key MiniNt"
 },
 {
@@ -24777,6 +31609,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback"
 },
 {
@@ -24794,6 +31630,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204",
+ "cve.2021-1675",
+ "cve.2021-34527"
+ ],
 "title": "PrinterNightmare Mimikatz Driver Name"
 },
 {
@@ -24811,6 +31653,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.001"
+ ],
 "title": "Creation of a Local Hidden User Account by Registry"
 },
 {
@@ -24828,6 +31674,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1546.002"
+ ],
 "title": "Path To Screensaver Binary Modified"
 },
 {
@@ -24845,6 +31696,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1608"
+ ],
 "title": "HybridConnectionManager Service Installation - Registry"
 },
 {
@@ -24862,6 +31717,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547"
+ ],
 "title": "Registry Persistence Mechanisms in Recycle Bin"
 },
 {
@@ -24879,6 +31738,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.persistence",
+ "attack.t1547.008"
+ ],
 "title": "DLL Load via LSASS"
 },
 {
@@ -24896,6 +31760,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.010"
+ ],
 "title": "New DLL Added to AppInit_DLLs Registry Key"
 },
 {
@@ -24913,6 +31781,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Windows Defender Threat Severity Default Action Modified"
 },
 {
@@ -24930,6 +31802,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.persistence",
+ "attack.t1547"
+ ],
 "title": "Atbroker Registry Change"
 },
 {
@@ -24947,6 +31825,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001",
+ "attack.s0005"
+ ],
 "title": "Windows Credential Editor Registry"
 },
 {
@@ -24964,6 +31847,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Wdigest CredGuard Registry Modification"
 },
 {
@@ -24981,6 +31868,13 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.persistence",
+ "attack.t1546.008",
+ "car.2014-11-003",
+ "car.2014-11-008"
+ ],
 "title": "Sticky Key Like Backdoor Usage - Registry"
 },
 {
@@ -24998,6 +31892,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Microsoft Office Protected View Disabled"
 },
 {
@@ -25015,6 +31913,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable Privacy Settings Experience in Registry"
 },
 {
@@ -25032,6 +31934,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1112"
+ ],
 "title": "RDP Sensitive Settings Changed to Zero"
 },
 {
@@ -25049,6 +31956,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "New ODBC Driver Registered"
 },
 {
@@ -25066,6 +31976,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via MyComputer Registry Keys"
 },
 {
@@ -25083,6 +31996,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1137"
+ ],
 "title": "Registry Modification to Hidden File Extension"
 },
 {
@@ -25100,6 +32017,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Windows Defender Service Disabled - Registry"
 },
 {
@@ -25117,6 +32038,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.004"
+ ],
 "title": "Disable Windows Firewall by Registry"
 },
 {
@@ -25134,6 +32059,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Sysmon Driver Altitude Change"
 },
 {
@@ -25151,6 +32080,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols"
 },
 {
@@ -25168,6 +32100,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002",
+ "car.2019-04-001"
+ ],
 "title": "UAC Bypass via Event Viewer"
 },
 {
@@ -25185,6 +32123,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via Mpnotify"
 },
 {
@@ -25202,6 +32143,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "CurrentVersion NT Autorun Keys Modification"
 },
 {
@@ -25219,6 +32164,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Hypervisor Enforced Code Integrity Disabled"
 },
 {
@@ -25236,6 +32185,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.001"
+ ],
 "title": "Potential ClickFix Execution Pattern - Registry"
 },
 {
@@ -25253,6 +32206,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Classes Autorun Keys Modification"
 },
 {
@@ -25270,6 +32227,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "Bypass UAC Using SilentCleanup Task"
 },
 {
@@ -25287,6 +32249,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1491.001"
+ ],
 "title": "Potential Ransomware Activity Using LegalNotice Message"
 },
 {
@@ -25304,6 +32270,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.011"
+ ],
 "title": "Potential Persistence Via Shim Database In Uncommon Location"
 },
 {
@@ -25321,6 +32291,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Disable Macro Runtime Scan Scope"
 },
 {
@@ -25338,6 +32311,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Potential PSFactoryBuffer COM Hijacking"
 },
 {
@@ -25355,6 +32332,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "UAC Notification Disabled"
 },
 {
@@ -25372,6 +32354,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.resource-development",
+ "attack.t1588.002"
+ ],
 "title": "Usage of Renamed Sysinternals Tools - RegistrySet"
 },
 {
@@ -25389,6 +32375,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via TypedPaths"
 },
 {
@@ -25406,6 +32395,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1137.006"
+ ],
 "title": "Potential Persistence Via Excel Add-in - Registry"
 },
 {
@@ -25423,6 +32416,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Change User Account Associated with the FAX Service"
 },
 {
@@ -25440,6 +32437,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution"
+ ],
 "title": "PowerShell Script Execution Policy Enabled"
 },
 {
@@ -25457,6 +32457,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112",
+ "attack.t1562"
+ ],
 "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry"
 },
 {
@@ -25474,6 +32479,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Uncommon Extension In Keyboard Layout IME File Registry Value"
 },
 {
@@ -25491,6 +32500,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Attachment Manager Settings Attachments Tamper"
 },
 {
@@ -25508,6 +32520,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053.005"
+ ],
 "title": "Potential Registry Persistence Attempt Via Windows Telemetry"
 },
 {
@@ -25525,6 +32541,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "COM Hijacking via TreatAs"
 },
 {
@@ -25542,6 +32562,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112",
+ "attack.t1562"
+ ],
 "title": "ETW Logging Disabled For SCM"
 },
 {
@@ -25559,6 +32584,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "CurrentControlSet Autorun Keys Modification"
 },
 {
@@ -25576,6 +32605,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download"
 },
 {
@@ -25593,6 +32626,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "CurrentVersion Autorun Keys Modification"
 },
 {
@@ -25610,6 +32647,13 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.command-and-control",
+ "attack.t1137",
+ "attack.t1008",
+ "attack.t1546"
+ ],
 "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting"
 },
 {
@@ -25627,6 +32671,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1556"
+ ],
 "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering"
 },
 {
@@ -25644,6 +32692,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.004"
+ ],
 "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse"
 },
 {
@@ -25661,6 +32713,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1113"
+ ],
 "title": "Periodic Backup For System Registry Hives Enabled"
 },
 {
@@ -25678,6 +32734,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Wow6432Node Classes Autorun Keys Modification"
 },
 {
@@ -25695,6 +32755,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Registry Disable System Restore"
 },
 {
@@ -25712,6 +32776,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification"
 },
 {
@@ -25729,6 +32797,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1137.006",
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via Visual Studio Tools for Office"
 },
 {
@@ -25746,6 +32818,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "New BgInfo.EXE Custom VBScript Registry Configuration"
 },
 {
@@ -25763,6 +32839,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.011"
+ ],
 "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer"
 },
 {
@@ -25780,6 +32860,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence"
+ ],
 "title": "Winget Admin Settings Modification"
 },
 {
@@ -25797,6 +32881,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204.002"
+ ],
 "title": "New Application in AppCompat"
 },
 {
@@ -25814,6 +32902,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.t1553.003"
+ ],
 "title": "Persistence Via New SIP Provider"
 },
 {
@@ -25831,6 +32924,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.001"
+ ],
 "title": "Displaying Hidden Files Feature Disabled"
 },
 {
@@ -25848,6 +32945,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002"
+ ],
 "title": "Change Winevt Channel Access Permission Via Registry"
 },
 {
@@ -25865,6 +32966,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1112"
+ ],
 "title": "RDP Sensitive Settings Changed"
 },
 {
@@ -25882,6 +32988,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Potential Persistence Using DebugPath"
 },
 {
@@ -25899,6 +33009,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Allow RDP Remote Assistance Feature"
 },
 {
@@ -25916,6 +33030,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1574"
+ ],
 "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger"
 },
 {
@@ -25933,6 +33051,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "NET NGenAssemblyUsageLog Registry Key Tamper"
 },
 {
@@ -25950,6 +33072,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value"
 },
 {
@@ -25967,6 +33093,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Execution DLL of Choice Using WAB.EXE"
 },
 {
@@ -25984,6 +33114,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable Windows Defender Functionalities Via Registry Keys"
 },
 {
@@ -26001,6 +33135,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Driver Added To Disallowed Images In HVCI - Registry"
 },
 {
@@ -26018,6 +33155,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "System Scripts Autorun Keys Modification"
 },
 {
@@ -26035,6 +33176,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036.003"
+ ],
 "title": "Potential PendingFileRenameOperations Tampering"
 },
 {
@@ -26052,6 +33197,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002"
+ ],
 "title": "Disable Windows Event Logging Via Registry"
 },
 {
@@ -26069,6 +33218,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "New BgInfo.EXE Custom DB Path Registry Configuration"
 },
 {
@@ -26086,6 +33239,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable PUA Protection on Windows Defender"
 },
 {
@@ -26103,6 +33260,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via CHM Helper DLL"
 },
 {
@@ -26120,6 +33280,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Suspicious Path In Keyboard Layout IME File Registry Value"
 },
 {
@@ -26137,6 +33301,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Internet Explorer DisableFirstRunCustomize Enabled"
 },
 {
@@ -26154,6 +33321,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.002"
+ ],
 "title": "Hiding User Account Via SpecialAccounts Registry Key"
 },
 {
@@ -26171,6 +33342,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.001"
+ ],
 "title": "Registry Persistence via Service in Safe Mode"
 },
 {
@@ -26188,6 +33363,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112",
+ "attack.t1562"
+ ],
 "title": "ETW Logging Disabled For rpcrt4.dll"
 },
 {
@@ -26205,6 +33385,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "ScreenSaver Registry Key Set"
 },
 {
@@ -26222,6 +33406,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Registry Persistence via Explorer Run Key"
 },
 {
@@ -26239,6 +33427,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Suspicious PowerShell In Registry Run Keys"
 },
 {
@@ -26256,6 +33448,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Add Debugger Entry To AeDebug For Persistence"
 },
 {
@@ -26273,6 +33468,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Custom File Open Handler Executes PowerShell"
 },
 {
@@ -26290,6 +33489,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Potential Persistence Via Event Viewer Events.asp"
 },
 {
@@ -26307,6 +33511,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1547.003"
+ ],
 "title": "New TimeProviders Registered With Uncommon DLL Name"
 },
 {
@@ -26324,6 +33533,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1574.012"
+ ],
 "title": "Enabling COR Profiler Environment Variables"
 },
 {
@@ -26341,6 +33556,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.001"
+ ],
 "title": "PowerShell Logging Disabled Via Registry Key Tampering"
 },
 {
@@ -26358,6 +33577,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Register New IFiltre For Persistence"
 },
 {
@@ -26375,6 +33597,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via DLLPathOverride"
 },
 {
@@ -26392,6 +33617,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable Tamper Protection on Windows Defender"
 },
 {
@@ -26409,6 +33638,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "New BgInfo.EXE Custom WMI Query Registry Configuration"
 },
 {
@@ -26426,6 +33659,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Attachment Manager Settings Associations Tamper"
 },
 {
@@ -26443,6 +33679,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Winlogon AllowMultipleTSSessions Enable"
 },
 {
@@ -26460,6 +33701,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "RestrictedAdminMode Registry Value Tampering"
 },
 {
@@ -26477,6 +33722,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002",
+ "car.2019-04-001"
+ ],
 "title": "UAC Bypass via Sdclt"
 },
 {
@@ -26494,6 +33745,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1053",
+ "attack.t1053.005"
+ ],
 "title": "Scheduled TaskCache Change by Uncommon Program"
 },
 {
@@ -26511,6 +33767,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Disable Windows Security Center Notifications"
 },
 {
@@ -26528,6 +33788,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.010"
+ ],
 "title": "Add Port Monitor Persistence in Registry"
 },
 {
@@ -26545,6 +33809,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.004"
+ ],
 "title": "Winlogon Notify Key Logon Persistence"
 },
 {
@@ -26562,6 +33830,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "Lsass Full Dump Request Via DumpType Registry Settings"
 },
 {
@@ -26579,6 +33851,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.impact",
+ "attack.t1112",
+ "attack.t1491.001"
+ ],
 "title": "Potentially Suspicious Desktop Background Change Via Registry"
 },
 {
@@ -26596,6 +33874,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Wow6432Node CurrentVersion Autorun Keys Modification"
 },
 {
@@ -26613,6 +33895,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Wdigest Enable UseLogonCredential"
 },
 {
@@ -26630,6 +33916,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG"
 },
 {
@@ -26647,6 +33937,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Uncommon Microsoft Office Trusted Location Added"
 },
 {
@@ -26664,6 +33958,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.007"
+ ],
 "title": "Potential Persistence Via Netsh Helper DLL - Registry"
 },
 {
@@ -26681,6 +33979,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1559.002"
+ ],
 "title": "Enable Microsoft Dynamic Data Exchange"
 },
 {
@@ -26698,6 +34000,13 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.command-and-control",
+ "attack.t1137",
+ "attack.t1008",
+ "attack.t1546"
+ ],
 "title": "Outlook Macro Execution Without Warning Setting Enabled"
 },
 {
@@ -26715,6 +34024,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Disable Internal Tools or Feature in Registry"
 },
 {
@@ -26732,6 +34045,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.005"
+ ],
 "title": "MaxMpxCt Registry Value Changed"
 },
 {
@@ -26749,6 +34066,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.defense-evasion",
+ "attack.t1548.002"
+ ],
 "title": "UAC Secure Desktop Prompt Disabled"
 },
 {
@@ -26766,6 +34088,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Potential Persistence Via LSA Extensions"
 },
 {
@@ -26783,6 +34108,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564",
+ "attack.t1112"
+ ],
 "title": "CrashControl CrashDump Disabled"
 },
 {
@@ -26800,6 +34130,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Potential Persistence Via Scrobj.dll COM Hijacking"
 },
 {
@@ -26817,6 +34151,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1548.002"
+ ],
 "title": "UAC Bypass Abusing Winsat Path Parsing - Registry"
 },
 {
@@ -26834,6 +34173,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Potential Signing Bypass Via Windows Developer Features - Registry"
 },
 {
@@ -26851,6 +34193,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Persistence Via Hhctrl.ocx"
 },
 {
@@ -26868,6 +34213,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Activate Suppression of Windows Security Center Notifications"
 },
 {
@@ -26885,6 +34234,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable Exploit Guard Network Protection on Windows Defender"
 },
 {
@@ -26902,6 +34255,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Change the Fax Dll"
 },
 {
@@ -26919,6 +34276,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1547.001",
+ "attack.t1112"
+ ],
 "title": "Windows Event Log Access Tampering Via Registry"
 },
 {
@@ -26936,6 +34298,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Service Binary in Suspicious Folder"
 },
 {
@@ -26953,6 +34319,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.persistence",
+ "attack.t1003"
+ ],
 "title": "Potentially Suspicious ODBC Driver Registered"
 },
 {
@@ -26970,6 +34341,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence"
+ ],
 "title": "Persistence Via Disk Cleanup Handler - Autorun"
 },
 {
@@ -26987,6 +34361,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "New Root or CA or AuthRoot Certificate to Store"
 },
 {
@@ -27004,6 +34382,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1574.001",
+ "attack.t1112"
+ ],
 "title": "New DNS ServerLevelPluginDll Installed"
 },
 {
@@ -27021,6 +34404,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Enable LM Hash Storage"
 },
 {
@@ -27038,6 +34425,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.010"
+ ],
 "title": "Default RDP Port Changed to Non Standard Port"
 },
 {
@@ -27055,6 +34446,9 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled"
 },
 {
@@ -27072,6 +34466,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.002",
+ "attack.t1112",
+ "car.2022-03-001"
+ ],
 "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set"
 },
 {
@@ -27089,6 +34489,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.007"
+ ],
 "title": "New Netsh Helper DLL Registered From A Suspicious Location"
 },
 {
@@ -27106,6 +34510,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Registry Hide Function from User"
 },
 {
@@ -27123,6 +34531,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002"
+ ],
 "title": "PowerShell as a Service in Registry"
 },
 {
@@ -27140,6 +34552,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "VBScript Payload Stored in Registry"
 },
 {
@@ -27157,6 +34573,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "WinSock2 Autorun Keys Modification"
 },
 {
@@ -27174,6 +34594,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Trust Access Disable For VBApplications"
 },
 {
@@ -27191,6 +34615,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1562.001",
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Service Installed"
 },
 {
@@ -27208,6 +34636,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Tamper With Sophos AV Registry Keys" }, { @@ -27225,6 +34657,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1547.001" + ], "title": "Modify User Shell Folders Startup Value" }, { @@ -27242,6 +34679,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry" }, { @@ -27259,6 +34700,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Potential AMSI COM Server Hijacking" }, { @@ -27276,6 +34721,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1112" + ], "title": "Potential Persistence Via Outlook Today Page" }, { @@ -27293,6 +34742,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1546", + "attack.t1548" + ], "title": "COM Hijack via Sdclt" }, { @@ -27310,6 +34764,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Internet Explorer Autorun Keys Modification" }, { @@ -27327,6 +34785,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Potential AutoLogger Sessions Tampering" }, { @@ -27344,6 +34805,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence" + ], "title": "Enable Local Manifest Installation With Winget" }, { 
@@ -27361,6 +34826,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Potential Persistence Via AutodialDLL" }, { @@ -27378,6 +34846,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "New RUN Key Pointing to Suspicious Folder" }, { @@ -27395,6 +34867,12 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1112", + "attack.t1047" + ], "title": "Blue Mockingbird - Registry" }, { @@ -27412,6 +34890,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Exclusions Added - Registry" }, { @@ -27429,6 +34911,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1112" + ], "title": "Potential Persistence Via Outlook Home Page" }, { @@ -27446,6 +34932,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Common Autorun Keys Modification" }, { @@ -27463,6 +34953,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Add DisallowRun Execution to Registry" }, { @@ -27480,6 +34974,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001" + ], "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry" }, { @@ -27497,6 +34995,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Registry Explorer Policy Modification" }, { 
@@ -27514,6 +35016,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.003" + ], "title": "Potential WerFault ReflectDebugger Registry Value Abuse" }, { @@ -27531,6 +35037,13 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.persistence", + "attack.defense-evasion", + "attack.t1546.012", + "car.2013-01-002" + ], "title": "Potential Persistence Via GlobalFlags" }, { @@ -27548,6 +35061,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Python Function Execution Security Warning Disabled In Excel - Registry" }, { @@ -27565,6 +35082,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], "title": "Outlook Security Settings Updated - Registry" }, { @@ -27582,6 +35103,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562" + ], "title": "Hide Schedule Task Via Index Value Tamper" }, { @@ -27599,6 +35124,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ], "title": "Potential Persistence Via Shim Database Modification" }, { @@ -27616,6 +35145,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003" + ], "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG" }, { @@ -27633,6 +35166,14 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "Potential CobaltStrike Service Installations - Registry" }, { 
@@ -27650,6 +35191,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence" + ], "title": "Suspicious Environment Variable Has Been Registered" }, { @@ -27667,6 +35212,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Potential PowerShell Execution Policy Tampering" }, { @@ -27684,6 +35232,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001", + "attack.t1112" + ], "title": "DHCP Callout DLL Installation" }, { @@ -27701,6 +35254,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Add Debugger Entry To Hangs Key For Persistence" }, { @@ -27718,6 +35274,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "ClickOnce Trust Prompt Tampering" }, { @@ -27735,6 +35295,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Suspicious Application Allowed Through Exploit Guard" }, { @@ -27752,6 +35316,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Potential Persistence Via Custom Protocol Handler" }, { @@ -27769,6 +35337,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.t1548.002" + ], "title": "Bypass UAC Using DelegateExecute" }, { @@ -27786,6 +35359,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.004" + ], "title": "Disable Microsoft Defender Firewall via Registry" }, { 
@@ -27803,6 +35380,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Hypervisor Enforced Paging Translation Disabled" }, { @@ -27820,6 +35401,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.t1548.002" + ], "title": "UAC Disabled" }, { @@ -27837,6 +35423,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Modification of IE Registry Settings" }, { @@ -27854,6 +35444,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1588.002" + ], "title": "Suspicious Keyboard Layout Load" }, { @@ -27871,6 +35465,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.011" + ], "title": "Suspicious Shim Database Patching Activity" }, { @@ -27888,6 +35486,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Disabled Windows Defender Eventlog" }, { @@ -27905,6 +35507,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Potential EventLog File Location Tampering" }, { @@ -27922,6 +35528,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Macro Enabled In A Potentially Suspicious Document" }, { @@ -27939,6 +35549,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1133" + ], "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension" }, { 
@@ -27956,6 +35570,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1140", + "attack.t1112" + ], "title": "DNS-over-HTTPS Enabled by Registry" }, { @@ -27973,6 +35592,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Scripted Diagnostics Turn Off Check Enabled - Registry" }, { @@ -27990,6 +35613,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Blackbyte Ransomware Registry" }, { @@ -28007,6 +35634,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1070.005" + ], "title": "Disable Administrative Share Creation at Startup" }, { @@ -28024,6 +35655,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1113" + ], "title": "Windows Recall Feature Enabled - Registry" }, { @@ -28041,6 +35676,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1137" + ], "title": "IE Change Domain Zone" }, { @@ -28058,6 +35697,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Office Macros Warning Disabled" }, { @@ -28075,6 +35718,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.010" + ], "title": "Bypass UAC Using Event Viewer" }, { @@ -28092,6 +35739,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "attack.t1546.009" + ], "title": "Session Manager Autorun Keys Modification" }, { 
@@ -28109,6 +35761,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "UAC Bypass Using Windows Media Player - Registry" }, { @@ -28126,6 +35783,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.012" + ], "title": "Potential Persistence Via App Paths Default Property" }, { @@ -28143,6 +35804,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering" }, { @@ -28160,6 +35824,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1543.003" + ], "title": "ServiceDll Hijack" }, { @@ -28177,6 +35846,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1574", + "cve.2021-1675" + ], "title": "Suspicious Printer Driver Empty Manufacturer" }, { @@ -28194,6 +35868,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry" }, { @@ -28211,6 +35889,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001" + ], "title": "Office Autorun Keys Modification" }, { @@ -28228,6 +35910,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "New File Association Using Exefile" }, { @@ -28245,6 +35930,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546.015" + ], "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry" }, { 
@@ -28262,6 +35951,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Potential Persistence Via New AMSI Providers - Registry" }, { @@ -28279,6 +35971,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112" + ], "title": "Potential NetWire RAT Activity - Registry" }, { @@ -28296,6 +35992,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1588.002" + ], "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry" }, { @@ -28313,6 +36013,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1588.002" + ], "title": "PUA - Sysinternals Tools Execution - Registry" }, { @@ -28330,6 +36034,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1037.001", + "attack.persistence", + "attack.lateral-movement" + ], "title": "Potential Persistence Via Logon Scripts - Registry" }, { @@ -28347,6 +36056,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1588.002" + ], "title": "PUA - Sysinternal Tool Execution - Registry" }, { @@ -28364,6 +36077,9 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Potential Persistence Via Disk Cleanup Handler - Registry" }, { @@ -28381,6 +36097,10 @@ "level": "high", "service": "microsoft-servicebus-client", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1554" + ], "title": "HybridConnectionManager Service Running" }, { 
@@ -28396,6 +36116,12 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1499", + "cve.2024-49113", + "detection.emerging-threats" + ], "title": "CVE-2024-49113 Exploitation Attempt - LDAP Nightmare" }, { @@ -28416,6 +36142,12 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.persistence", + "cve.2024-1708", + "detection.emerging-threats" + ], "title": "CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security" }, { @@ -28439,6 +36171,11 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "cve.2024-37085", + "detection.emerging-threats" + ], "title": "Potential Exploitation of CVE-2024-37085 - Suspicious ESX Admins Group Activity" }, { @@ -28456,6 +36193,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "cve.2024-37085", + "detection.emerging-threats" + ], "title": "Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group" }, { @@ -28476,6 +36218,11 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "cve.2024-1709", + "detection.emerging-threats" + ], "title": "ScreenConnect User Database Modification - Security" }, { @@ -28493,6 +36240,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1055", + "detection.emerging-threats" + ], "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe" }, { @@ -28510,6 +36262,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Potential Raspberry Robin CPL Execution Activity" }, { 
@@ -28527,6 +36285,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1112", + "attack.defense-evasion", + "detection.emerging-threats" + ], "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap" }, { @@ -28544,6 +36307,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Kapeka Backdoor Autorun Persistence" }, { @@ -28561,6 +36329,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1053.005", + "detection.emerging-threats" + ], "title": "Kapeka Backdoor Persistence Activity" }, { @@ -28579,6 +36352,13 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "attack.t1053.005", + "detection.emerging-threats" + ], "title": "Kapeka Backdoor Scheduled Task Creation" }, { @@ -28596,6 +36376,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Kapeka Backdoor Execution Via RunDLL32.EXE" }, { @@ -28613,6 +36398,12 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "attack.t1553.003", + "detection.emerging-threats" + ], "title": "Kapeka Backdoor Configuration Persistence" }, { @@ -28630,6 +36421,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation" }, { 
@@ -28647,6 +36442,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging-threats" + ], "title": "Potential KamiKakaBot Activity - Lure Document Execution" }, { @@ -28664,6 +36464,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence" }, { @@ -28681,6 +36486,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Forest Blizzard APT - Custom Protocol Handler Creation" }, { @@ -28698,6 +36508,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set" }, { @@ -28715,6 +36530,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Forest Blizzard APT - Process Creation Activity" }, { @@ -28732,6 +36552,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "detection.emerging-threats" + ], "title": "Potential APT FIN7 Exploitation Activity" }, { @@ -28749,6 +36575,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial-access", + "attack.t1566.001", + "cve.2017-8759", + "detection.emerging-threats" + ], "title": "Exploit for CVE-2017-8759" }, { 
@@ -28766,6 +36601,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial-access", + "attack.t1566.001", + "cve.2017-11882", + "detection.emerging-threats" + ], "title": "Droppers Exploiting CVE-2017-11882" }, { @@ -28783,6 +36627,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1203", + "attack.t1204.002", + "attack.initial-access", + "attack.t1566.001", + "cve.2017-0261", + "detection.emerging-threats" + ], "title": "Exploit for CVE-2017-0261" }, { @@ -28800,6 +36653,18 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1210", + "attack.discovery", + "attack.t1083", + "attack.defense-evasion", + "attack.t1222.001", + "attack.impact", + "attack.t1486", + "attack.t1490", + "detection.emerging-threats" + ], "title": "WannaCry Ransomware Activity" }, { @@ -28817,6 +36682,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "attack.t1070.001", + "attack.credential-access", + "attack.t1003.001", + "car.2016-04-002", + "detection.emerging-threats" + ], "title": "NotPetya Ransomware Activity" }, { @@ -28834,6 +36708,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1543.003", + "attack.t1569.002", + "detection.emerging-threats" + ], "title": "CosmicDuke Service Installation" }, { @@ -28851,6 +36731,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "attack.t1059.007", + "detection.emerging-threats" + ], "title": "Adwind RAT / JRAT" }, { 
@@ -28868,6 +36754,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Fireball Archer Install" }, { @@ -28883,6 +36775,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.g0064", + "attack.t1543.003", + "detection.emerging-threats" + ], "title": "StoneDrill Service Install" }, { @@ -28900,6 +36798,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.s0013", + "attack.defense-evasion", + "attack.t1574.001", + "detection.emerging-threats" + ], "title": "Potential PlugX Activity" }, { @@ -28917,6 +36821,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.g0035", + "attack.t1036.003", + "car.2013-05-009", + "detection.emerging-threats" + ], "title": "Ps.exe Renamed SysInternals Tool" }, { @@ -28932,6 +36843,12 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003", + "detection.emerging-threats" + ], "title": "Turla PNG Dropper Service" }, { @@ -28947,6 +36864,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.g0010", + "attack.t1543.003", + "detection.emerging-threats" + ], "title": "Turla Service Install" }, { @@ -28964,6 +36887,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.005", + "detection.emerging-threats" + ], "title": "Lazarus System Binary Masquerading" }, { @@ -28981,6 +36909,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.g0045", + "attack.t1059.005", + "detection.emerging-threats" + ], "title": "Potential APT10 Cloud Hopper Activity" }, { 
@@ -28998,6 +36932,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0030", + "attack.g0050", + "attack.s0081", + "attack.execution", + "attack.t1059.003", + "detection.emerging-threats" + ], "title": "Elise Backdoor Activity" }, { @@ -29016,6 +36958,18 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense-evasion", + "attack.t1112", + "attack.command-and-control", + "attack.t1071.004", + "detection.emerging-threats" + ], "title": "OilRig APT Schedule Task Persistence - Security" }, { @@ -29033,6 +36987,18 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense-evasion", + "attack.t1112", + "attack.command-and-control", + "attack.t1071.004", + "detection.emerging-threats" + ], "title": "OilRig APT Registry Persistence" }, { @@ -29050,6 +37016,18 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense-evasion", + "attack.t1112", + "attack.command-and-control", + "attack.t1071.004", + "detection.emerging-threats" + ], "title": "OilRig APT Activity" }, { @@ -29065,6 +37043,18 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.g0049", + "attack.t1053.005", + "attack.s0111", + "attack.t1543.003", + "attack.defense-evasion", + "attack.t1112", + "attack.command-and-control", + "attack.t1071.004", + "detection.emerging-threats" + ], "title": "OilRig APT Schedule Task Persistence - System" }, { 
@@ -29082,6 +37072,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "APT29 2018 Phishing Campaign CommandLine Indicators" }, { @@ -29099,6 +37095,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112", + "detection.emerging-threats" + ], "title": "OceanLotus Registry Activity" }, { @@ -29117,6 +37118,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.s0111", + "detection.emerging-threats" + ], "title": "Defrag Deactivation - Security" }, { @@ -29134,6 +37141,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1053.005", + "attack.s0111", + "detection.emerging-threats" + ], "title": "Defrag Deactivation" }, { @@ -29151,6 +37164,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.g0007", + "attack.t1059.003", + "attack.t1218.011", + "car.2013-10-002", + "detection.emerging-threats" + ], "title": "Sofacy Trojan Loader Activity" }, { @@ -29168,6 +37190,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "attack.g0069", + "detection.emerging-threats" + ], "title": "Potential MuddyWater APT Activity" }, { @@ -29185,6 +37213,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001", + "attack.g0027", + "detection.emerging-threats" + ], "title": "APT27 - Emissary Panda Activity" }, { 
@@ -29202,6 +37236,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "TropicTrooper Campaign November 2018" }, { @@ -29219,6 +37258,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1210", + "cve.2020-1472", + "detection.emerging-threats" + ], "title": "Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC" }, { @@ -29234,6 +37280,12 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.initial-access", + "attack.t1190", + "cve.2020-0688", + "detection.emerging-threats" + ], "title": "CVE-2020-0688 Exploitation via Eventlog" }, { @@ -29251,6 +37303,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1190", + "attack.execution", + "attack.t1569.002", + "cve.2020-1350", + "detection.emerging-threats" + ], "title": "DNS RCE CVE-2020-1350" }, { @@ -29268,6 +37328,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1059.001", + "cve.2020-1048", + "detection.emerging-threats" + ], "title": "Suspicious PrinterPorts Creation (CVE-2020-1048)" }, { @@ -29285,6 +37352,14 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.defense-evasion", + "attack.t1112", + "cve.2020-1048", + "detection.emerging-threats" + ], "title": "CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry" }, { 
@@ -29302,6 +37377,16 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1190", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.s0190", + "cve.2020-10189", + "detection.emerging-threats" + ], "title": "Exploited CVE-2020-10189 Zoho ManageEngine" }, { @@ -29319,6 +37404,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1112", + "attack.t1047", + "detection.emerging-threats" + ], "title": "Blue Mockingbird" }, { @@ -29336,6 +37427,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0004", + "attack.defense-evasion", + "attack.t1562.001", + "detection.emerging-threats" + ], "title": "Potential Ke3chang/TidePool Malware Activity" }, { @@ -29353,6 +37450,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1112", + "detection.emerging-threats" + ], "title": "FlowCloud Registry Markers" }, { @@ -29370,6 +37472,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Potential Emotet Rundll32 Execution" }, { @@ -29387,6 +37494,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1204.002", + "attack.t1047", + "attack.impact", + "attack.t1490", + "detection.emerging-threats" + ], "title": "Potential Maze Ransomware Activity" }, { @@ -29404,6 +37519,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.t1047", + "detection.emerging-threats" + ], "title": "UNC2452 PowerShell Pattern" }, { 
@@ -29421,6 +37542,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "UNC2452 Process Creation Patterns" }, { @@ -29438,6 +37564,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Suspicious VBScript UN2452 Pattern" }, { @@ -29455,6 +37586,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "EvilNum APT Golden Chickens Deployment Via OCX Files" }, { @@ -29472,6 +37608,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Leviathan Registry Key Activity" }, { @@ -29489,6 +37630,16 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0049", + "attack.execution", + "attack.t1059.001", + "attack.command-and-control", + "attack.t1105", + "attack.defense-evasion", + "attack.t1036.005", + "detection.emerging-threats" + ], "title": "Greenbug Espionage Group Indicators" }, { @@ -29506,6 +37657,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0032", + "attack.execution", + "attack.t1059", + "detection.emerging-threats" + ], "title": "Lazarus Group Activity" }, { @@ -29523,6 +37680,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001", + "attack.g0044", + "detection.emerging-threats" + ], "title": "Winnti Malware HK University Campaign" }, { 
@@ -29540,6 +37703,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001", + "attack.g0044", + "detection.emerging-threats" + ], "title": "Winnti Pipemon Characteristics" }, { @@ -29557,6 +37726,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1055.001", + "detection.emerging-threats" + ], "title": "TAIDOOR RAT DLL Load" }, { @@ -29572,6 +37746,12 @@ "level": "high", "service": "dns-server-analytic", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.command-and-control", + "attack.t1071", + "detection.emerging-threats" + ], "title": "GALLIUM Artefacts - Builtin" }, { @@ -29589,6 +37769,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.initial-access", + "attack.t1059.006", + "attack.t1190", + "cve.2022-22954", + "detection.emerging-threats" + ], "title": "Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution" }, { @@ -29606,6 +37794,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1221", + "detection.emerging-threats" + ], "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)" }, { @@ -29623,6 +37816,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "cve.2022-29072", + "detection.emerging-threats" + ], "title": "Potential CVE-2022-29072 Exploitation Attempt" }, { @@ -29640,6 +37838,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.execution", + "cve.2023-21554", + "detection.emerging-threats" + ], "title": "Potential CVE-2023-21554 QueueJumper Exploitation" }, { 
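Review bot: The `Suspicious Set Value of MSDT in Registry (CVE-2022-30190)` entry in this hunk receives `attack.defense-evasion` and `attack.t1221` but no `cve.2022-30190` tag, while the neighbouring CVE entries (CVE-2022-22954, CVE-2022-29072, CVE-2023-21554) each carry a `cve.*` tag matching the CVE named in their title, so any consumer that filters or reports by `cve.` tag will silently miss this rule. The same title-without-tag gap recurs later in the diff for `Possible Exploitation of Exchange RCE CVE-2021-42321`, `Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection` and `LPE InstallerFileTakeOver PoC CVE-2021-41379`. The one-line addition here would be `"cve.2022-30190",` inside the new `tags` array; since the file appears to be regenerated from upstream rules, the durable fix is presumably a generator-side consistency check that flags a CVE id in `title` with no matching `cve.` tag on the next update.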
@@ -29657,6 +37861,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068", + "cve.2022-41120", + "detection.emerging-threats" + ], "title": "Suspicious Sysmon as Execution Parent" }, { @@ -29674,6 +37884,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Raspberry Robin Subsequent Execution of Commands" }, { @@ -29691,6 +37906,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Raspberry Robin Initial Execution From External Drive" }, { @@ -29708,6 +37928,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential Raspberry Robin Dot Ending File" }, { @@ -29731,6 +37955,11 @@ "0CCE9244-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1486", + "detection.emerging-threats" + ], "title": "BlueSky Ransomware Artefacts" }, { @@ -29748,6 +37977,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.persistence", + "attack.t1053.005", + "attack.t1059.006", + "detection.emerging-threats" + ], "title": "Serpent Backdoor Payload Execution Via Scheduled Task" }, { @@ -29765,6 +38001,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.006", + "detection.emerging-threats" + ], "title": "Emotet Loader Execution Via .LNK File" }, { 
@@ -29782,6 +38023,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1021.001", + "detection.emerging-threats" + ], "title": "Hermetic Wiper TG Process Patterns" }, { @@ -29797,6 +38044,11 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1546", + "detection.emerging-threats" + ], "title": "MSSQL Extended Stored Procedure Backdoor Maggie" }, { @@ -29814,6 +38066,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1053", + "attack.t1053.005", + "detection.emerging-threats" + ], "title": "Potential ACTINIUM Persistence Activity" }, { @@ -29831,6 +38089,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.g0069", + "detection.emerging-threats" + ], "title": "MERCURY APT Activity" }, { @@ -29848,6 +38112,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059.001", + "attack.t1053.005", + "attack.t1027", + "detection.emerging-threats" + ], "title": "Turla Group Commands May 2020" }, { @@ -29865,6 +38137,17 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0010", + "attack.execution", + "attack.t1059", + "attack.lateral-movement", + "attack.t1021.002", + "attack.discovery", + "attack.t1083", + "attack.t1135", + "detection.emerging-threats" + ], "title": "Turla Group Lateral Movement" }, { @@ -29882,6 +38165,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.defense-evasion", + "attack.t1218.011", + "attack.s0412", + "attack.g0001", + "detection.emerging-threats" + ], "title": "ZxShell Malware" }, { 
@@ -29899,6 +38191,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "cve.2021-40444", + "detection.emerging-threats" + ], "title": "Potential Exploitation Attempt From Office Application" }, { @@ -29916,6 +38214,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "cve.2021-40444", + "detection.emerging-threats" + ], "title": "Potential CVE-2021-40444 Exploitation Attempt" }, { @@ -29933,6 +38237,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.execution", + "attack.t1190", + "attack.t1059", + "cve.2021-26084", + "detection.emerging-threats" + ], "title": "Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt" }, { @@ -29950,6 +38262,14 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1566", + "attack.t1203", + "cve.2021-33771", + "cve.2021-31979", + "detection.emerging-threats" + ], "title": "CVE-2021-31979 CVE-2021-33771 Exploits" }, { @@ -29967,6 +38287,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1203", + "attack.execution", + "cve.2021-26857", + "detection.emerging-threats" + ], "title": "Potential CVE-2021-26857 Exploitation Attempt" }, { @@ -29985,6 +38311,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1558.003", + "cve.2021-42278", + "detection.emerging-threats" + ], "title": "Potential CVE-2021-42278 Exploitation Attempt" }, { @@ -30001,6 +38333,11 @@ "level": "high", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1210", + "detection.emerging-threats" + ], "title": "Possible Exploitation of Exchange RCE CVE-2021-42321" }, { 
@@ -30018,6 +38355,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1553", + "detection.emerging-threats" + ], "title": "Suspicious RazerInstaller Explorer Subprocess" }, { @@ -30035,6 +38377,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068", + "detection.emerging-threats" + ], "title": "Potential SystemNightmare Exploitation Attempt" }, { @@ -30052,6 +38399,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "cve.2021-35211", + "detection.emerging-threats" + ], "title": "Serv-U Exploitation CVE-2021-35211 by DEV-0322" }, { @@ -30078,6 +38431,11 @@ "level": "critical", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1055", + "detection.emerging-threats" + ], "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection" }, { @@ -30095,6 +38453,13 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021-1675", + "cve.2021-34527", + "detection.emerging-threats" + ], "title": "CVE-2021-1675 Print Spooler Exploitation IPC Access" }, { @@ -30110,6 +38475,12 @@ "level": "high", "service": "printservice-admin", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021-1675", + "detection.emerging-threats" + ], "title": "Possible CVE-2021-1675 Print Spooler Exploitation" }, { @@ -30125,6 +38496,12 @@ "level": "critical", "service": "printservice-operational", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569", + "cve.2021-1675", + "detection.emerging-threats" + ], "title": "CVE-2021-1675 Print Spooler Exploitation" }, { 
@@ -30142,6 +38519,14 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1036", + "attack.t1098", + "cve.2021-42287", + "detection.emerging-threats" + ], "title": "Suspicious Computer Account Name Change CVE-2021-42287" }, { @@ -30159,6 +38544,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068", + "cve.2021-41379", + "detection.emerging-threats" + ], "title": "Potential CVE-2021-41379 Exploitation Attempt" }, { @@ -30174,6 +38565,11 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.initial-access", + "attack.t1190", + "detection.emerging-threats" + ], "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379" }, { @@ -30191,6 +38587,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1190", + "cve.2021-44228", + "detection.emerging-threats" + ], "title": "Potential CVE-2021-44228 Exploitation Attempt - VMware Horizon" }, { @@ -30208,6 +38610,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.s0575", + "attack.t1486", + "detection.emerging-threats" + ], "title": "Potential Conti Ransomware Activity" }, { @@ -30225,6 +38633,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1560", + "detection.emerging-threats" + ], "title": "Conti NTDS Exfiltration Command" }, { @@ -30242,6 +38655,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1005", + "detection.emerging-threats" + ], "title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd" }, { 
@@ -30259,6 +38677,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1587.001", + "attack.resource-development", + "detection.emerging-threats" + ], "title": "Conti Volume Shadow Listing" }, { @@ -30276,6 +38699,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "detection.emerging-threats" + ], "title": "Potential Devil Bait Malware Reconnaissance" }, { @@ -30293,6 +38721,16 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.impact", + "attack.t1485", + "attack.t1498", + "attack.t1059.001", + "attack.t1140", + "detection.emerging-threats" + ], "title": "Potential BlackByte Ransomware Activity" }, { @@ -30310,6 +38748,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1204", + "detection.emerging-threats" + ], "title": "DarkSide Ransomware Pattern" }, { @@ -30327,6 +38770,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1574.001", + "detection.emerging-threats" + ], "title": "Pingback Backdoor Activity" }, { @@ -30344,6 +38792,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential Goofy Guineapig Backdoor Activity" }, { @@ -30359,6 +38811,10 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Goofy Guineapig Backdoor Service Creation" }, { @@ -30376,6 +38832,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "detection.emerging-threats" + ], "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly" }, { 
@@ -30393,6 +38853,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Small Sieve Malware Registry Persistence" }, { @@ -30410,6 +38874,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1574.001", + "detection.emerging-threats" + ], "title": "Small Sieve Malware CommandLine Indicator" }, { @@ -30427,6 +38896,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1546", + "attack.t1053", + "attack.g0125", + "detection.emerging-threats" + ], "title": "HAFNIUM Exchange Exploitation Activity" }, { @@ -30444,6 +38920,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.g0115", + "detection.emerging-threats" + ], "title": "REvil Kaseya Incident Malware Patterns" }, { @@ -30461,6 +38943,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1546", + "attack.t1546.015", + "attack.persistence", + "attack.privilege-escalation", + "detection.emerging-threats" + ], "title": "SOURGUM Actor Behaviours" }, { @@ -30478,6 +38967,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068", + "cve.2019-1388", + "detection.emerging-threats" + ], "title": "Exploiting CVE-2019-1388" }, { @@ -30495,6 +38990,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1053.005", + "car.2013-08-001", + "detection.emerging-threats" + ], "title": "Potential BearLPE Exploitation" }, { 
@@ -30512,6 +39013,16 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.discovery", + "attack.t1012", + "attack.t1059.003", + "attack.t1059.001", + "attack.t1218.005", + "detection.emerging-threats" + ], "title": "Potential Baby Shark Malware Activity" }, { @@ -30529,6 +39040,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.005", + "detection.emerging-threats" + ], "title": "Potential QBot Activity" }, { @@ -30546,6 +39062,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.resource-development", + "attack.t1587.001", + "detection.emerging-threats" + ], "title": "Formbook Process Creation" }, { @@ -30563,6 +39084,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1486", + "detection.emerging-threats" + ], "title": "LockerGoga Ransomware Activity" }, { @@ -30580,6 +39106,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1204", + "detection.emerging-threats" + ], "title": "Potential Snatch Ransomware Activity" }, { @@ -30597,6 +39128,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.privilege-escalation", + "attack.t1055", + "attack.discovery", + "attack.t1135", + "attack.t1033", + "detection.emerging-threats" + ], "title": "Potential Dridex Activity" }, { @@ -30614,6 +39154,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1112", + "detection.emerging-threats" + ], "title": "Potential Ursnif Malware Activity - Registry" }, { 
@@ -30631,6 +39176,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1027", + "detection.emerging-threats" + ], "title": "Potential Emotet Activity" }, { @@ -30648,6 +39200,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1490", + "detection.emerging-threats" + ], "title": "Potential Dtrack RAT Activity" }, { @@ -30665,6 +39222,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.001", + "detection.emerging-threats" + ], "title": "Potential Ryuk Ransomware Activity" }, { @@ -30682,6 +39244,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.010", + "detection.emerging-threats" + ], "title": "Potential EmpireMonkey Activity" }, { @@ -30699,6 +39266,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.g0020", + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Equation Group DLL_U Export Function Load" }, { @@ -30716,6 +39289,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1587.001", + "attack.resource-development", + "detection.emerging-threats" + ], "title": "Mustang Panda Dropper" }, { @@ -30733,6 +39311,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1552.001", + "attack.t1003.003", + "detection.emerging-threats" + ], "title": "Potential Russian APT Credential Theft Activity" }, { 
@@ -30750,6 +39334,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.credential-access", + "attack.g0128", + "attack.t1003.001", + "attack.t1560.001", + "detection.emerging-threats" + ], "title": "APT31 Judgement Panda Activity" }, { @@ -30767,6 +39359,17 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense-evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Operation Wocao Activity" }, { @@ -30784,6 +39387,17 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1012", + "attack.defense-evasion", + "attack.t1036.004", + "attack.t1027", + "attack.execution", + "attack.t1053.005", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Operation Wocao Activity - Security" }, { @@ -30801,6 +39415,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.010", + "detection.emerging-threats" + ], "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32" }, { @@ -30818,6 +39437,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1190", + "cve.2025-53770", + "detection.emerging-threats" + ], "title": "Potential SharePoint ToolShell CVE-2025-53770 Exploitation Indicators" }, { @@ -30835,6 +39460,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.defense-evasion", + "attack.t1218", + "attack.lateral-movement", + "attack.t1105", + "detection.emerging-threats", + "cve.2025-33053" + ], "title": "Potential Exploitation of RCE Vulnerability CVE-2025-33053" }, { 
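Review bot: In the `Potential Exploitation of RCE Vulnerability CVE-2025-33053` entry the new tag list ends `"detection.emerging-threats", "cve.2025-33053"`, whereas every other entry in this diff places `detection.emerging-threats` last (and the `CVE-2023-38331 Exploitation Attempt` entry further down places it first). Tag order carries no meaning, so this is harmless as long as consumers treat `tags` as a set; if the arrays are ever diffed or hashed verbatim, the inconsistent order will show up as spurious churn between regenerations. Emitting the list in a normalised order (for example sorted) would keep the entries uniform and easier to scan.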
@@ -30852,6 +39486,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1190", + "cve.2025-31161", + "detection.emerging-threats" + ], "title": "Suspicious CrushFTP Child Process" }, { @@ -30869,6 +39512,16 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.execution", + "attack.t1059.001", + "attack.t1059.003", + "attack.t1068", + "attack.t1190", + "cve.2025-54309", + "detection.emerging-threats" + ], "title": "Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)" }, { @@ -30886,6 +39539,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.defense-evasion", + "attack.t1574.008", + "cve.2025-49144", + "detection.emerging-threats" + ], "title": "Potential Notepad++ CVE-2025-49144 Exploitation" }, { @@ -30903,6 +39563,15 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1090", + "attack.t1573", + "attack.t1071.001", + "attack.t1059.001", + "attack.s0183", + "detection.emerging-threats" + ], "title": "Kalambur Backdoor Curl TOR SOCKS Proxy Execution" }, { @@ -30920,6 +39589,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036.005", + "cve.2015-1641", + "detection.emerging-threats" + ], "title": "Exploit for CVE-2015-1641" }, { @@ -30937,6 +39612,11 @@ "subcategory_guids": [ "0CCE9224-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "cve.2023-36884", + "detection.emerging-threats" + ], "title": "Potential CVE-2023-36884 Exploitation - Share Access" }, { 
@@ -30952,6 +39632,10 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "MSMQ Corrupted Packet Encountered" }, { @@ -30969,6 +39653,12 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1137", + "cve.2023-23397", + "detection.emerging-threats" + ], "title": "Outlook Task/Note Reminder Received" }, { @@ -30986,6 +39676,11 @@ "level": "medium", "service": "smbclient-connectivity", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "cve.2023-23397", + "detection.emerging-threats" + ], "title": "Potential CVE-2023-23397 Exploitation Attempt - SMB" }, { @@ -31007,6 +39702,12 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.initial-access", + "cve.2023-23397", + "detection.emerging-threats" + ], "title": "CVE-2023-23397 Exploitation Attempt" }, { @@ -31024,6 +39725,14 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "attack.initial-access", + "attack.t1190", + "cve.2023-22518", + "detection.emerging-threats" + ], "title": "CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)" }, { @@ -31041,6 +39750,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "detection.emerging-threats", + "attack.execution", + "attack.t1203", + "cve.2023-38331" + ], "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process" }, { @@ -31056,6 +39771,11 @@ "level": "medium", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.execution", + "cve.2023-40477", + "detection.emerging-threats" + ], "title": "CVE-2023-40477 Potential Exploitation - WinRAR Application Crash" }, { 
@@ -31073,6 +39793,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1059.001", + "attack.defense-evasion", + "detection.emerging-threats" + ], "title": "Rorschach Ransomware Execution Activity" }, { @@ -31090,6 +39817,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1055.012", + "detection.emerging-threats" + ], "title": "Potential Pikabot Hollowing Activity" }, { @@ -31107,6 +39839,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE" }, { @@ -31124,6 +39861,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1016", + "attack.t1049", + "attack.t1087", + "detection.emerging-threats" + ], "title": "Potential Pikabot Discovery Activity" }, { @@ -31141,6 +39885,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.003", + "attack.t1105", + "attack.t1218", + "detection.emerging-threats" + ], "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE" }, { @@ -31158,6 +39909,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1055", + "detection.emerging-threats" + ], "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity" }, { @@ -31175,6 +39931,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32" }, { 
@@ -31192,6 +39953,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential SNAKE Malware Installation Binary Indicator" }, { @@ -31209,6 +39974,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "SNAKE Malware Covert Store Registry Key" }, { @@ -31224,6 +39993,10 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "SNAKE Malware Service Persistence" }, { @@ -31241,6 +40014,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential SNAKE Malware Persistence Service Execution" }, { @@ -31258,6 +40035,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Potential Encrypted Registry Blob Related To SNAKE Malware" }, { @@ -31275,6 +40056,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential SNAKE Malware Installation CLI Arguments Indicator" }, { @@ -31292,6 +40077,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Qakbot Rundll32 Exports Execution" }, { @@ -31309,6 +40099,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential Qakbot Rundll32 Execution" }, { 
@@ -31326,6 +40121,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Qakbot Regsvr32 Calc Pattern" }, { @@ -31343,6 +40143,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Qakbot Uninstaller Execution" }, { @@ -31360,6 +40164,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.execution", + "detection.emerging-threats" + ], "title": "Qakbot Rundll32 Fake DLL Extension Execution" }, { @@ -31377,6 +40186,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging-threats" + ], "title": "Ursnif Redirection Of Discovery Commands" }, { @@ -31394,6 +40208,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Griffon Malware Attack Pattern" }, { @@ -31411,6 +40229,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1136.001", + "detection.emerging-threats" + ], "title": "DarkGate - User Created Via Net.EXE" }, { @@ -31428,6 +40251,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059", + "detection.emerging-threats" + ], "title": "DarkGate - Autoit3.EXE Execution Parameters" }, { @@ -31443,6 +40271,11 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "detection.emerging-threats" + ], "title": "COLDSTEEL Persistence Service Creation" }, { 
@@ -31460,6 +40293,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "detection.emerging-threats" + ], "title": "COLDSTEEL RAT Anonymous User Process Execution" }, { @@ -31477,6 +40315,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.defense-evasion", + "detection.emerging-threats" + ], "title": "COLDSTEEL RAT Service Persistence Execution" }, { @@ -31494,6 +40337,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Potential COLDSTEEL RAT Windows User Creation" }, { @@ -31511,6 +40358,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218.011", + "detection.emerging-threats" + ], "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE" }, { @@ -31531,6 +40383,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor" }, { @@ -31548,6 +40404,10 @@ "level": "high", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "detection.emerging-threats" + ], "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler" }, { @@ -31565,6 +40425,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.g0129", + "detection.emerging-threats" + ], "title": "Potential APT Mustang Panda Activity Against Australian Gov" }, { @@ -31582,6 +40447,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Peach Sandstorm APT Process Activity Indicators" }, { 
@@ -31600,6 +40469,13 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "attack.t1053.005", + "detection.emerging-threats" + ], "title": "Diamond Sleet APT Scheduled Task Creation" }, { @@ -31617,6 +40493,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Diamond Sleet APT Process Activity Indicators" }, { @@ -31634,6 +40514,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562", + "detection.emerging-threats" + ], "title": "Diamond Sleet APT Scheduled Task Creation - Registry" }, { @@ -31651,6 +40536,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "PaperCut MF/NG Potential Exploitation" }, { @@ -31668,6 +40557,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "PaperCut MF/NG Exploitation Related Indicators" }, { @@ -31684,6 +40577,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.g0046", + "detection.emerging-threats" + ], "title": "Potential POWERTRASH Script Execution" }, { @@ -31700,6 +40599,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.g0046", + "detection.emerging-threats" + ], "title": "Potential APT FIN7 POWERHOLD Execution" }, { @@ -31717,6 +40622,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.g0046", + "detection.emerging-threats" + ], "title": "Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity" }, { 
@@ -31734,6 +40644,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential Compromised 3CXDesktopApp Update Activity" }, { @@ -31751,6 +40667,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.execution", + "attack.t1218", + "detection.emerging-threats" + ], "title": "Potential Suspicious Child Process Of 3CXDesktopApp" }, { @@ -31768,6 +40690,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1218", + "attack.execution", + "detection.emerging-threats" + ], "title": "Potential Compromised 3CXDesktopApp Execution" }, { @@ -31784,6 +40712,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Lace Tempest PowerShell Launcher" }, { @@ -31800,6 +40733,11 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.001", + "detection.emerging-threats" + ], "title": "Lace Tempest PowerShell Evidence Eraser" }, { @@ -31817,6 +40755,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Lace Tempest Cobalt Strike Download" }, { @@ -31834,6 +40776,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Lace Tempest Malware Loader Execution" }, { @@ -31851,6 +40797,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" }, { 
@@ -31868,6 +40818,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" }, { @@ -31885,6 +40839,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "detection.emerging-threats" + ], "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" }, { @@ -31900,6 +40858,11 @@ "level": "high", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1211", + "attack.t1562.001" + ], "title": "Microsoft Malware Protection Engine Crash - WER" }, { @@ -31915,6 +40878,9 @@ "level": "high", "service": "diagnosis-scripted", "subcategory_guids": [], + "tags": [ + "attack.execution" + ], "title": "Loading Diagcab Package From Remote Path" }, { @@ -31930,6 +40896,9 @@ "level": "informational", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Windows Defender Malware Detection History Deletion" }, { @@ -31945,6 +40914,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "LSASS Access Detected via Attack Surface Reduction" }, { @@ -31960,6 +40933,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Real-time Protection Disabled" }, { @@ -31978,6 +40955,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Windows Defender Threat Detected" }, { @@ -31993,6 +40974,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Grace Period Expired" }, { 
@@ -32008,6 +40993,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Win Defender Restored Quarantine File" }, { @@ -32024,6 +41013,10 @@ "level": "medium", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Real-Time Protection Failure/Restart" }, { @@ -32039,6 +41032,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059" + ], "title": "Windows Defender AMSI Trigger Detected" }, { @@ -32054,6 +41051,12 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.lateral-movement", + "attack.t1047", + "attack.t1569.002" + ], "title": "PSExec and WMI Process Creations Block" }, { @@ -32069,6 +41072,10 @@ "level": "medium", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Exclusions Added" }, { @@ -32084,6 +41091,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Configuration Changes" }, { @@ -32099,6 +41110,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Exploit Guard Tamper" }, { @@ -32114,6 +41129,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Malware And PUA Scanning Disabled" }, { @@ -32129,6 +41148,10 @@ "level": "low", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Submit Sample Feature Disabled" }, { 
@@ -32144,6 +41167,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Microsoft Defender Tamper Protection Trigger" }, { @@ -32159,6 +41186,10 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Virus Scanning Feature Disabled" }, { @@ -32174,6 +41205,9 @@ "level": "medium", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Deployment AppX Package Was Blocked By AppLocker" }, { @@ -32189,6 +41223,9 @@ "level": "medium", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious AppX Package Installation Attempt" }, { @@ -32204,6 +41241,9 @@ "level": "high", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious Remote AppX Package Locations" }, { @@ -32222,6 +41262,9 @@ "level": "medium", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Deployment Of The AppX Package Was Blocked By The Policy" }, { @@ -32237,6 +41280,9 @@ "level": "medium", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Uncommon AppX Package Locations" }, { @@ -32252,6 +41298,9 @@ "level": "high", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Suspicious AppX Package Locations" }, { @@ -32268,6 +41317,9 @@ "level": "medium", "service": "appxdeployment-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Potential Malicious AppX Package Installation Attempts" }, { 
@@ -32285,6 +41337,10 @@ "subcategory_guids": [ "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1484.001" + ], "title": "Group Policy Abuse for Privilege Addition" }, { @@ -32302,6 +41358,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Suspicious PsExec Execution" }, { @@ -32323,6 +41383,16 @@ "0CCE9217-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.execution", + "attack.collection", + "attack.lateral-movement", + "attack.t1087", + "attack.t1114", + "attack.t1059", + "attack.t1550.002" + ], "title": "Hacktool Ruler" }, { @@ -32344,6 +41414,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, { @@ -32361,6 +41435,10 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], "title": "PowerShell Scripts Installed as Services - Security" }, { @@ -32379,6 +41457,10 @@ "0CCE9220-69AE-11D9-BED3-505054503030", "0CCE923B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], "title": "AD Privileged Users or Groups Reconnaissance" }, { @@ -32396,6 +41478,11 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1134.001", + "attack.t1134.002" + ], "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, { 
@@ -32411,6 +41498,13 @@ "level": "high", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.defense-evasion", + "attack.t1027", + "attack.t1105", + "attack.t1036" + ], "title": "Password Protected ZIP File Opened (Suspicious Filenames)" }, { @@ -32429,6 +41523,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "attack.t1053.005" + ], "title": "Suspicious Scheduled Task Creation" }, { @@ -32446,6 +41546,10 @@ "subcategory_guids": [ "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, { @@ -32461,6 +41565,12 @@ "level": "high", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.initial-access", + "attack.t1027", + "attack.t1566.001" + ], "title": "Password Protected ZIP File Opened (Email Attachment)" }, { @@ -32478,6 +41588,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation CLIP+ Launcher - Security" }, { @@ -32498,6 +41614,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1528" + ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, { @@ -32515,6 +41635,10 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Exclusion List Modified" }, { @@ -32532,6 +41656,10 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1078", + "attack.lateral-movement" + ], "title": "Suspicious Remote Logon with Explicit Credentials" }, { 
@@ -32545,6 +41673,13 @@ "level": "critical", "service": "security", "subcategory_guids": [], + "tags": [ + "cve.2021-42278", + "cve.2021-42287", + "attack.persistence", + "attack.privilege-escalation", + "attack.t1078" + ], "title": "Win Susp Computer Name Containing Samtheadmin" }, { @@ -32562,6 +41697,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "Password Change on Directory Service Restore Mode (DSRM) Account" }, { @@ -32579,6 +41718,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation STDIN+ Launcher - Security" }, { @@ -32596,6 +41741,10 @@ "subcategory_guids": [ "0CCE9240-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "Kerberoasting Activity - Initial Query" }, { @@ -32615,6 +41764,11 @@ "0CCE923C-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1484.001", + "attack.t1547" + ], "title": "Startup/Logon Script Added to Group Policy Object" }, { @@ -32635,6 +41789,12 @@ "0CCE923B-69AE-11D9-BED3-505054503030", "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1557.003", + "attack.persistence", + "attack.privilege-escalation" + ], "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation" }, { @@ -32656,6 +41816,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1012" + ], "title": "SysKey Registry Keys Access" }, { @@ -32676,6 +41840,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1566.001" + ], "title": "ISO Image Mounted" }, { 
@@ -32693,6 +41861,10 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1187" + ], "title": "PetitPotam Suspicious Kerberos TGT Request" }, { @@ -32714,6 +41886,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1012" + ], "title": "Azure AD Health Service Agents Registry Keys Access" }, { @@ -32731,6 +41907,11 @@ "subcategory_guids": [ "0CCE923B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.s0002", + "attack.t1003.006" + ], "title": "Mimikatz DC Sync" }, { @@ -32748,6 +41929,10 @@ "subcategory_guids": [ "0CCE9224-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Access To ADMIN$ Network Share" }, { @@ -32765,6 +41950,10 @@ "subcategory_guids": [ "0CCE9248-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.initial-access", + "attack.t1200" + ], "title": "Device Installation Blocked" }, { @@ -32782,6 +41971,10 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], "title": "Tap Driver Installation - Security" }, { @@ -32801,6 +41994,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "attack.t1053.005" + ], "title": "Important Scheduled Task Deleted/Disabled" }, { @@ -32818,6 +42017,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1187" + ], "title": "Possible PetitPotam Coerce Authentication Attempt" }, { @@ -32835,6 +42038,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "DCERPC SMB Spoolss Named Pipe" }, { 
@@ -32852,6 +42059,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "First Time Seen Remote Named Pipe" }, { @@ -32869,6 +42080,10 @@ "subcategory_guids": [ "0CCE9229-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1548" + ], "title": "SCM Database Privileged Operation" }, { @@ -32886,6 +42101,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Stdin - Security" }, { @@ -32905,6 +42126,11 @@ "0CCE9236-69AE-11D9-BED3-505054503030", "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.defense-evasion", + "attack.t1207" + ], "title": "Possible DC Shadow Attack" }, { @@ -32922,6 +42148,11 @@ "subcategory_guids": [ "0CCE923B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1546.003" + ], "title": "WMI Persistence - Security" }, { @@ -32943,6 +42174,10 @@ "0CCE9240-69AE-11D9-BED3-505054503030", "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1212" + ], "title": "Kerberos Manipulation" }, { @@ -32960,6 +42195,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, { @@ -32977,6 +42218,10 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1554" + ], "title": "HybridConnectionManager Service Installation" }, { 
@@ -32994,6 +42239,10 @@ "subcategory_guids": [ "0CCE922F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Important Windows Event Auditing Disabled" }, { @@ -33011,6 +42260,10 @@ "subcategory_guids": [ "0CCE923B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.004" + ], "title": "DPAPI Domain Backup Key Extraction" }, { @@ -33028,6 +42281,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Rundll32 - Security" }, { @@ -33045,6 +42304,11 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.persistence", + "attack.t1021.002" + ], "title": "Remote Service Activity via SVCCTL Named Pipe" }, { @@ -33062,6 +42326,12 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1078", + "attack.persistence", + "attack.t1098" + ], "title": "User Added to Local Administrator Group" }, { @@ -33079,6 +42349,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR+ Launcher - Security" }, { @@ -33096,6 +42372,12 @@ "subcategory_guids": [ "0CCE9248-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1091", + "attack.t1200", + "attack.lateral-movement", + "attack.initial-access" + ], "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" }, { @@ -33113,6 +42395,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562" + ], "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" }, { 
@@ -33131,6 +42417,10 @@ "subcategory_guids": [ "0CCE9221-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.credential-access" + ], "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" }, { @@ -33148,6 +42438,10 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1543" + ], "title": "Service Installed By Unusual Client - Security" }, { @@ -33166,6 +42460,10 @@ "subcategory_guids": [ "0CCE922F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.002" + ], "title": "VSSAudit Security Event Source Registration" }, { @@ -33183,6 +42481,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], "title": "Local User Creation" }, { @@ -33200,6 +42502,11 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.credential-access", + "attack.t1558.003" + ], "title": "Uncommon Outbound Kerberos Connection - Security" }, { @@ -33217,6 +42524,10 @@ "subcategory_guids": [ "0CCE923B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.006" + ], "title": "Active Directory Replication from Non Machine Account" }, { @@ -33234,6 +42545,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "Remote Access Tool Services Have Been Installed - Security" }, { @@ -33251,6 +42568,10 @@ "subcategory_guids": [ "0CCE922F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Windows Event Auditing Disabled" }, { 
@@ -33272,6 +42593,10 @@ "0CCE9217-69AE-11D9-BED3-505054503030", "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Metasploit SMB Authentication" }, { @@ -33289,6 +42614,10 @@ "subcategory_guids": [ "0CCE9230-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "A New Trust Was Created To A Domain" }, { @@ -33306,6 +42635,11 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.credential-access", + "attack.t1040" + ], "title": "Windows Pcap Drivers" }, { @@ -33326,6 +42660,12 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.privilege-escalation", + "attack.t1574.011" + ], "title": "Service Registry Key Read Access Request" }, { @@ -33343,6 +42683,10 @@ "subcategory_guids": [ "0CCE9240-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "Suspicious Kerberos RC4 Ticket Encryption" }, { @@ -33360,6 +42704,14 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "CobaltStrike Service Installations - Security" }, { @@ -33378,6 +42730,10 @@ "subcategory_guids": [ "0CCE9236-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1207" + ], "title": "Add or Remove Computer from DC" }, { @@ -33395,6 +42751,7 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Potential AS-REP Roasting via Kerberos TGT Requests" }, { 
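Review bot: `"tags": []` on the "Potential AS-REP Roasting via Kerberos TGT Requests" entry in the last hunk is the only rule in this update that receives an empty tag list; every other entry in the batch gains at least one `attack.*` tactic, so a consumer that groups or filters rules by tag will silently drop this detection. It is worth confirming against the upstream Sigma rule whether it genuinely carries no tags or whether the generator lost them, since the latter would be a silent export defect. If untagged rules are expected, the generator could log or flag them rather than writing an empty array, so the coverage gap stays visible in review.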
@@ -33412,6 +42769,10 @@ "subcategory_guids": [ "0CCE922D-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.004" + ], "title": "DPAPI Domain Master Key Backup Attempt" }, { @@ -33429,6 +42790,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1547.009" + ], "title": "Windows Network Access Suspicious desktop.ini Action" }, { @@ -33448,6 +42813,11 @@ "0CCE923C-69AE-11D9-BED3-505054503030", "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.lateral-movement", + "attack.t1053.005" + ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, { @@ -33463,6 +42833,10 @@ "level": "medium", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.001" + ], "title": "Denied Access To Remote Desktop" }, { @@ -33480,6 +42854,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1136.001" + ], "title": "Hidden Local User Creation" }, { @@ -33497,6 +42875,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Clip - Security" }, { @@ -33514,6 +42898,10 @@ "subcategory_guids": [ "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1001.003", + "attack.command-and-control" + ], "title": "Suspicious LDAP-Attributes Used" }, { @@ -33535,6 +42923,11 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "car.2019-04-004", + "attack.t1003.001" + ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, { 
@@ -33552,6 +42945,10 @@ "subcategory_guids": [ "0CCE921C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558" + ], "title": "Replay Attack Detected" }, { @@ -33570,6 +42967,10 @@ "subcategory_guids": [ "0CCE9216-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1531" + ], "title": "User Logoff Event" }, { @@ -33588,6 +42989,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1036" + ], "title": "New or Renamed User Account with '$' Character" }, { @@ -33605,6 +43010,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Impacket PsExec Execution" }, { @@ -33625,6 +43034,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1010" + ], "title": "SCM Database Handle Failure" }, { @@ -33643,6 +43056,11 @@ "0CCE9228-69AE-11D9-BED3-505054503030", "0CCE9229-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.privilege-escalation", + "attack.t1558.003" + ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, { @@ -33660,6 +43078,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Weak Encryption Enabled and Kerberoast" }, { @@ -33676,6 +43098,11 @@ "level": "high", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001", + "car.2016-04-002" + ], "title": "Security Eventlog Cleared" }, { @@ -33694,6 +43121,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "attack.t1053.005" + ], "title": "Suspicious Scheduled Task Update" }, { 
@@ -33711,6 +43144,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1112", + "attack.t1562" + ], "title": "ETW Logging Disabled In .NET Processes - Registry" }, { @@ -33728,6 +43166,11 @@ "subcategory_guids": [ "0CCE921E-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001", + "attack.t1112" + ], "title": "NetNTLM Downgrade Attack" }, { @@ -33745,6 +43188,13 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { @@ -33762,6 +43212,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use MSHTA - Security" }, { @@ -33779,6 +43235,15 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.command-and-control", + "attack.lateral-movement", + "attack.t1090.001", + "attack.t1090.002", + "attack.t1021.001", + "car.2013-07-002" + ], "title": "RDP over Reverse SSH Tunnel WFP" }, { @@ -33798,6 +43263,10 @@ "0CCE9233-69AE-11D9-BED3-505054503030", "0CCE9234-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1562" + ], "title": "HackTool - EDRSilencer Execution - Filter Added" }, { @@ -33818,6 +43287,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001" + ], "title": "Password Dumper Activity on LSASS" }, { 
@@ -33835,6 +43308,17 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ], "title": "Credential Dumping Tools Service Execution - Security" }, { @@ -33857,6 +43341,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.collection", + "attack.t1123" + ], "title": "Processes Accessing the Microphone and Webcam" }, { @@ -33874,6 +43362,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002" + ], "title": "Protected Storage Service Access" }, { @@ -33891,6 +43383,12 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.003" + ], "title": "Possible Impacket SecretDump Remote Activity" }, { @@ -33908,6 +43406,12 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.privilege-escalation", + "attack.credential-access", + "attack.t1558.003" + ], "title": "Register new Logon Process by Rubeus" }, { @@ -33926,6 +43430,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "A Security-Enabled Global Group Was Deleted" }, { @@ -33943,6 +43451,9 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation" + ], "title": "DiagTrackEoP Default Login Username" }, { 
@@ -33961,6 +43472,13 @@
 "0CCE9215-69AE-11D9-BED3-505054503030",
 "0CCE9217-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.persistence",
+ "attack.t1078",
+ "attack.t1190",
+ "attack.t1133"
+ ],
 "title": "Failed Logon From Public IP"
 },
 {
@@ -33979,6 +43497,10 @@
 "subcategory_guids": [
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ],
 "title": "A Member Was Removed From a Security-Enabled Global Group"
 },
 {
@@ -33996,6 +43518,10 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Successful Account Login Via WMI"
 },
 {
@@ -34013,6 +43539,11 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "car.2013-07-002",
+ "attack.t1021.001"
+ ],
 "title": "RDP Login from Localhost"
 },
 {
@@ -34031,6 +43562,11 @@
 "0CCE9215-69AE-11D9-BED3-505054503030",
 "0CCE9217-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1210",
+ "car.2013-07-002"
+ ],
 "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln"
 },
 {
@@ -34048,6 +43584,12 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.t1134.001",
+ "stp.4u"
+ ],
 "title": "Potential Access Token Abuse"
 },
 {
@@ -34065,6 +43607,11 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.s0002",
+ "attack.t1550.002"
+ ],
 "title": "Successful Overpass the Hash Attempt"
 },
 {
@@ -34082,6 +43629,13 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.credential-access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ],
 "title": "External Remote SMB Logon from Public IP"
 },
 {
@@ -34100,6 +43654,10 @@
 "subcategory_guids": [
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ],
 "title": "A Member Was Added to a Security-Enabled Global Group"
 },
 {
@@ -34117,6 +43675,10 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1550.002"
+ ],
 "title": "Pass the Hash Activity 2"
 },
 {
@@ -34134,6 +43696,11 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.credential-access",
+ "attack.t1548"
+ ],
 "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP"
 },
 {
@@ -34151,6 +43718,11 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.lateral-movement",
+ "attack.t1550"
+ ],
 "title": "Outgoing Logon with New Credentials"
 },
 {
@@ -34168,6 +43740,13 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.initial-access",
+ "attack.credential-access",
+ "attack.t1133",
+ "attack.t1078",
+ "attack.t1110"
+ ],
 "title": "External Remote RDP Logon from Public IP"
 },
 {
@@ -34185,6 +43764,14 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.initial-access",
+ "attack.t1078.001",
+ "attack.t1078.002",
+ "attack.t1078.003",
+ "car.2016-04-005"
+ ],
 "title": "Admin User Remote Logon"
 },
 {
@@ -34202,6 +43789,11 @@
 "subcategory_guids": [
 "0CCE9215-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.credential-access",
+ "attack.t1557.001"
+ ],
 "title": "RottenPotato Like Attack Pattern"
 },
 {
@@ -34220,6 +43812,10 @@
 "subcategory_guids": [
 "0CCE9212-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027.001"
+ ],
 "title": "Failed Code Integrity Checks"
 },
 {
@@ -34237,6 +43833,10 @@
 "subcategory_guids": [
 "0CCE923B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1222.001"
+ ],
 "title": "AD Object WriteDAC Access"
 },
 {
@@ -34254,6 +43854,10 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.collection",
+ "attack.t1039"
+ ],
 "title": "Suspicious Access to Sensitive File Extensions"
 },
 {
@@ -34273,6 +43877,11 @@
 "0CCE9233-69AE-11D9-BED3-505054503030",
 "0CCE9234-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1134",
+ "attack.t1134.001"
+ ],
 "title": "HackTool - NoFilter Execution"
 },
 {
@@ -34290,6 +43899,10 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.002"
+ ],
 "title": "SMB Create Remote File Admin Share"
 },
 {
@@ -34307,6 +43920,10 @@
 "subcategory_guids": [
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security"
 },
 {
@@ -34325,6 +43942,10 @@
 "subcategory_guids": [
 "0CCE9221-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.credential-access"
+ ],
 "title": "ADCS Certificate Template Configuration Vulnerability"
 },
 {
@@ -34345,6 +43966,13 @@
 "0CCE9217-69AE-11D9-BED3-505054503030",
 "0CCE923F-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.defense-evasion",
+ "attack.privilege-escalation",
+ "attack.initial-access",
+ "attack.t1078"
+ ],
 "title": "Account Tampering - Suspicious Failed Logon Reasons"
 },
 {
@@ -34362,6 +43990,9 @@
 "subcategory_guids": [
 "0CCE921C-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact"
+ ],
 "title": "Locked Workstation"
 },
 {
@@ -34379,6 +44010,12 @@
 "subcategory_guids": [
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security"
 },
 {
@@ -34397,6 +44034,10 @@
 "0CCE9210-69AE-11D9-BED3-505054503030",
 "69979849-797A-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.006"
+ ],
 "title": "Unauthorized System Time Modification"
 },
 {
@@ -34414,6 +44055,11 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1021.002",
+ "attack.t1021.003"
+ ],
 "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security"
 },
 {
@@ -34431,6 +44077,10 @@
 "subcategory_guids": [
 "0CCE9231-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1098"
+ ],
 "title": "Enabled User Right in AD to Control User Objects"
 },
 {
@@ -34448,6 +44098,11 @@
 "subcategory_guids": [
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1136.001",
+ "attack.t1136.002"
+ ],
 "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created"
 },
 {
@@ -34466,6 +44121,10 @@
 "0CCE9228-69AE-11D9-BED3-505054503030",
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege"
 },
 {
@@ -34487,6 +44146,10 @@
 "0CCE921F-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Sysmon Channel Reference Deletion"
 },
 {
@@ -34504,6 +44167,10 @@
 "subcategory_guids": [
 "0CCE923B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.002"
+ ],
 "title": "Potential AD User Enumeration From Non-Machine Account"
 },
 {
@@ -34521,6 +44188,12 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002",
+ "attack.t1003.001",
+ "attack.t1003.003"
+ ],
 "title": "Transferring Files with Credential Data via Network Shares"
 },
 {
@@ -34539,6 +44212,10 @@
 "0CCE9220-69AE-11D9-BED3-505054503030",
 "0CCE923B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1201"
+ ],
 "title": "Password Policy Enumerated"
 },
 {
@@ -34556,6 +44233,13 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.persistence",
+ "car.2013-05-004",
+ "car.2015-04-001",
+ "attack.t1053.002"
+ ],
 "title": "Remote Task Creation via ATSVC Named Pipe"
 },
 {
@@ -34577,6 +44261,10 @@
 "0CCE921F-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1012"
+ ],
 "title": "Azure AD Health Monitoring Agent Registry Keys Access"
 },
 {
@@ -34598,6 +44286,10 @@
 "0CCE921F-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.001"
+ ],
 "title": "LSASS Access From Non System Account"
 },
 {
@@ -34621,6 +44313,15 @@
 "0CCE9223-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.defense-evasion",
+ "attack.t1070.004",
+ "attack.t1027.005",
+ "attack.t1485",
+ "attack.t1553.002",
+ "attack.s0195"
+ ],
 "title": "Potential Secure Deletion with SDelete"
 },
 {
@@ -34638,6 +44339,10 @@
 "subcategory_guids": [
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1556"
+ ],
 "title": "Possible Shadow Credentials Added"
 },
 {
@@ -34656,6 +44361,12 @@
 "0CCE9220-69AE-11D9-BED3-505054503030",
 "0CCE923B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1087.002",
+ "attack.t1069.002",
+ "attack.s0039"
+ ],
 "title": "Reconnaissance Activity"
 },
 {
@@ -34673,6 +44384,10 @@
 "subcategory_guids": [
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Remote PowerShell Sessions Network Connections (WinRM)"
 },
 {
@@ -34690,6 +44405,12 @@
 "subcategory_guids": [
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047",
+ "attack.lateral-movement",
+ "attack.t1021.002"
+ ],
 "title": "T1047 Wmiprvse Wbemcomn DLL Hijack"
 },
 {
@@ -34711,6 +44432,11 @@
 "0CCE921F-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003",
+ "attack.s0005"
+ ],
 "title": "WCE wceaux.dll Access"
 },
 {
@@ -34726,6 +44452,10 @@
 "level": "medium",
 "service": "security",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Password Protected ZIP File Opened"
 },
 {
@@ -34745,6 +44475,11 @@
 "subcategory_guids": [
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1134.005"
+ ],
 "title": "Addition of SID History to Active Directory Object"
 },
 {
@@ -34762,6 +44497,12 @@
 "subcategory_guids": [
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security"
 },
 {
@@ -34781,6 +44522,10 @@
 "0CCE9235-69AE-11D9-BED3-505054503030",
 "0CCE923C-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1098",
+ "attack.persistence"
+ ],
 "title": "Active Directory User Backdoors"
 },
 {
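Review bot: The new `tags` arrays keep the upstream rule's ordering, so in the Active Directory User Backdoors hunk the technique id precedes the tactic (`"attack.t1098", "attack.persistence"`) while most other hunks list the tactic first; the same shape appears in the Excel Proxy Executing Regsvr32 and Office-application hunks on later lines, in the CrackMapExecWin hunk where a group id comes first, and in the AzureHound hunk, which lists `attack.t1087` and `attack.t1069` alongside their sub-techniques. Consumers that key on tag position will see an inconsistent shape, and unsorted arrays also make the next sync's diff noisier than it needs to be. If the tool that regenerates this file sorted each array (for example tactics, then technique ids, then other namespaces such as `car.*`), every rule would carry the same predictable layout; this is presumably a generator change rather than a hand edit to the JSON, and the always-present `tags` key, including the empty `"tags": []` for Group Modification Logging, is a convention worth keeping.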
@@ -34801,6 +44546,12 @@
 "0CCE921F-69AE-11D9-BED3-505054503030",
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1012",
+ "attack.credential-access",
+ "attack.t1552.002"
+ ],
 "title": "SAM Registry Hive Handle Request"
 },
 {
@@ -34816,6 +44567,10 @@
 "level": "medium",
 "service": "ntlm",
 "subcategory_guids": [],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1219.002"
+ ],
 "title": "Potential Remote Desktop Connection to Non-Domain Host"
 },
 {
@@ -34831,6 +44586,10 @@
 "level": "low",
 "service": "ntlm",
 "subcategory_guids": [],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.t1550.002"
+ ],
 "title": "NTLM Logon"
 },
 {
@@ -34846,6 +44605,10 @@
 "level": "medium",
 "service": "ntlm",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1110"
+ ],
 "title": "NTLM Brute Force"
 },
 {
@@ -34861,6 +44624,10 @@
 "level": "medium",
 "service": "certificateservicesclient-lifecycle-system",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1649"
+ ],
 "title": "Certificate Exported From Local Certificate Store"
 },
 {
@@ -34876,6 +44643,10 @@
 "level": "medium",
 "service": "lsa-server",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.privilege-escalation"
+ ],
 "title": "Standard User In High Privileged Group"
 },
 {
@@ -34893,6 +44664,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ],
 "title": "Ryuk Ransomware Command Line Activity"
 },
 {
@@ -34910,6 +44685,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.discovery",
+ "attack.t1033"
+ ],
 "title": "Run Whoami as SYSTEM"
 },
 {
@@ -34927,6 +44707,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.012"
+ ],
 "title": "SilentProcessExit Monitor Registration"
 },
 {
@@ -34944,6 +44728,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003"
+ ],
 "title": "Credential Acquisition via Registry Hive Dumping"
 },
 {
@@ -34961,6 +44749,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.g0016",
+ "attack.t1059.001"
+ ],
 "title": "APT29"
 },
 {
@@ -34978,6 +44771,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003"
+ ],
 "title": "Activity Related to NTDS.dit Domain Hash Retrieval"
 },
 {
@@ -34995,6 +44792,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218",
+ "attack.t1564.004",
+ "attack.t1552.001",
+ "attack.t1105"
+ ],
 "title": "Abusing Findstr for Defense Evasion"
 },
 {
@@ -35012,6 +44816,12 @@
 "subcategory_guids": [
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement",
+ "attack.execution",
+ "attack.t1021",
+ "attack.t1059"
+ ],
 "title": "Lateral Movement Indicator ConDrv"
 },
 {
@@ -35029,6 +44839,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "Excel Proxy Executing Regsvr32 With Payload"
 },
 {
@@ -35046,6 +44863,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.s0029",
+ "attack.t1569.002"
+ ],
 "title": "PsExec Service Start"
 },
 {
@@ -35063,6 +44885,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Suspicious Execution of Sc to Delete AV Services"
 },
 {
@@ -35080,6 +44907,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Potential PowerShell Base64 Encoded Shellcode"
 },
 {
@@ -35097,6 +44928,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Potential Xor Encoded PowerShell Command"
 },
 {
@@ -35114,6 +44951,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1489"
+ ],
 "title": "Stop Windows Service"
 },
 {
@@ -35133,6 +44974,10 @@
 "0CCE921E-69AE-11D9-BED3-505054503030",
 "0CCE921F-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Windows Defender Exclusion Deleted"
 },
 {
@@ -35149,6 +44994,12 @@
 "level": "critical",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1048",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Dnscat Execution"
 },
 {
@@ -35166,6 +45017,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Potential Persistence Via COM Search Order Hijacking"
 },
 {
@@ -35183,6 +45038,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1553.004"
+ ],
 "title": "Root Certificate Installed"
 },
 {
@@ -35200,6 +45059,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "WMI Remote Command Execution"
 },
 {
@@ -35217,6 +45080,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005"
+ ],
 "title": "Visual Basic Script Execution"
 },
 {
@@ -35234,6 +45101,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.g0035",
+ "attack.credential-access",
+ "attack.discovery",
+ "attack.t1110",
+ "attack.t1087"
+ ],
 "title": "CrackMapExecWin"
 },
 {
@@ -35250,6 +45124,10 @@
 "level": "high",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.t1548"
+ ],
 "title": "PrintNightmare Powershell Exploitation"
 },
 {
@@ -35267,6 +45145,19 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1140",
+ "attack.command-and-control",
+ "attack.t1105",
+ "attack.s0160",
+ "attack.g0007",
+ "attack.g0010",
+ "attack.g0045",
+ "attack.g0049",
+ "attack.g0075",
+ "attack.g0096"
+ ],
 "title": "Suspicious Certutil Command Usage"
 },
 {
@@ -35284,6 +45175,12 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1112",
+ "attack.t1053"
+ ],
 "title": "Abusing Windows Telemetry For Persistence - Registry"
 },
 {
@@ -35301,6 +45198,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.003"
+ ],
 "title": "Read and Execute a File Via Cmd.exe"
 },
 {
@@ -35318,6 +45219,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "Excel Proxy Executing Regsvr32 With Payload Alternate"
 },
 {
@@ -35335,6 +45243,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation RUNDLL LAUNCHER"
 },
 {
@@ -35351,6 +45265,10 @@
 "level": "medium",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1555.003"
+ ],
 "title": "Accessing Encrypted Credentials from Google Chrome Login Database"
 },
 {
@@ -35368,6 +45286,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.t1105"
+ ],
 "title": "PowerShell Web Download"
 },
 {
@@ -35385,6 +45309,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Rundll32 JS RunHTMLApplication Pattern"
 },
 {
@@ -35402,6 +45329,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.defense-evasion",
+ "attack.t1105",
+ "attack.t1218"
+ ],
 "title": "Windows Update Client LOLBIN"
 },
 {
@@ -35419,6 +45352,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1053.005"
+ ],
 "title": "Suspicious Add Scheduled Task From User AppData Temp"
 },
 {
@@ -35436,6 +45373,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "Office Applications Spawning Wmi Cli Alternate"
 },
 {
@@ -35452,6 +45396,10 @@
 "level": "low",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.discovery",
+ "attack.t1083"
+ ],
 "title": "Powershell File and Directory Discovery"
 },
 {
@@ -35469,6 +45417,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
 },
 {
@@ -35485,6 +45437,10 @@
 "level": "high",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.impact",
+ "attack.t1490"
+ ],
 "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script"
 },
 {
@@ -35502,6 +45458,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001",
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets"
 },
 {
@@ -35518,6 +45480,16 @@
 "level": "high",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.discovery",
+ "attack.t1482",
+ "attack.t1087",
+ "attack.t1087.001",
+ "attack.t1087.002",
+ "attack.t1069.001",
+ "attack.t1069.002",
+ "attack.t1069"
+ ],
 "title": "AzureHound PowerShell Commands"
 },
 {
@@ -35535,6 +45507,14 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.004",
+ "attack.t1218.009",
+ "attack.t1127.001",
+ "attack.t1218.005",
+ "attack.t1218"
+ ],
 "title": "Possible Applocker Bypass"
 },
 {
@@ -35552,6 +45532,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "Suspicious Cmd Execution via WMI"
 },
 {
@@ -35569,6 +45553,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "New Lolbin Process by Office Applications"
 },
 {
@@ -35586,6 +45577,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Execution via MSSQL Xp_cmdshell Stored Procedure"
 },
 {
@@ -35603,6 +45598,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1204"
+ ],
 "title": "Process Start From Suspicious Folder"
 },
 {
@@ -35620,6 +45619,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.impact",
+ "attack.t1485"
+ ],
 "title": "Run from a Zip File"
 },
 {
@@ -35637,6 +45640,9 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion"
+ ],
 "title": "Suspicious Characters in CommandLine"
 },
 {
@@ -35654,6 +45660,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.011"
+ ],
 "title": "Suspicious Rundll32 Script in CommandLine"
 },
 {
@@ -35671,6 +45681,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002"
+ ],
 "title": "Registry Dump of SAM Creds and Secrets"
 },
 {
@@ -35688,6 +45702,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105"
+ ],
 "title": "Suspicious File Download Using Office Application"
 },
 {
@@ -35705,6 +45723,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Office Security Settings Changed"
 },
 {
@@ -35722,6 +45744,13 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1204.002",
+ "attack.t1047",
+ "attack.t1218.010",
+ "attack.execution",
+ "attack.defense-evasion"
+ ],
 "title": "WMI Execution Via Office Process"
 },
 {
@@ -35739,6 +45768,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1482"
+ ],
 "title": "Domain Trust Discovery"
 },
 {
@@ -35756,6 +45789,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.010",
+ "car.2019-04-002",
+ "car.2019-04-003"
+ ],
 "title": "Regsvr32 Anomaly"
 },
 {
@@ -35773,6 +45812,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.002"
+ ],
 "title": "User Account Hidden By Registry"
 },
 {
@@ -35790,6 +45833,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1546.015"
+ ],
 "title": "Potential Persistence Via COM Hijacking From Suspicious Locations"
 },
 {
@@ -35807,6 +45854,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1564.004"
+ ],
 "title": "Cmd Stream Redirection"
 },
 {
@@ -35822,6 +45873,9 @@
 "level": "medium",
 "service": "security",
 "subcategory_guids": [],
+ "tags": [
+ "attack.t1070.001"
+ ],
 "title": "Security Event Log Cleared"
 },
 {
@@ -35837,6 +45891,10 @@
 "level": "high",
 "service": "system",
 "subcategory_guids": [],
+ "tags": [
+ "attack.credential-access",
+ "attack.t1003.002"
+ ],
 "title": "SAM Dump to AppData"
 },
 {
@@ -35854,6 +45912,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Wscript Execution from Non C Drive"
 },
 {
@@ -35871,6 +45933,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1047"
+ ],
 "title": "WMI Reconnaissance List Remote Services"
 },
 {
@@ -35888,6 +45954,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027",
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Invoke-Obfuscation Via Use Rundll32"
 },
 {
@@ -35902,6 +45974,10 @@
 "level": "medium",
 "service": "powershell",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Download"
 },
 {
@@ -35919,6 +45995,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1036",
+ "attack.t1003.001"
+ ],
 "title": "Process Memory Dumped Via RdrLeakDiag.EXE"
 },
 {
@@ -35936,6 +46017,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1112"
+ ],
 "title": "Service Binary in Uncommon Folder"
 },
 {
@@ -35953,6 +46038,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218.008"
+ ],
 "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe"
 },
 {
@@ -35970,6 +46059,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.g0032",
+ "attack.execution",
+ "attack.t1059"
+ ],
 "title": "Lazarus Loaders"
 },
 {
@@ -35987,6 +46081,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.t1547.001"
+ ],
 "title": "Autorun Keys Modification"
 },
 {
@@ -36002,6 +46100,10 @@
 "level": "high",
 "service": "system",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1027"
+ ],
 "title": "New Service Uses Double Ampersand in Path"
 },
 {
@@ -36019,6 +46121,9 @@
 "subcategory_guids": [
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.lateral-movement"
+ ],
 "title": "Suspicious Epmap Connection"
 },
 {
@@ -36036,6 +46141,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "Squirrel Lolbin"
 },
 {
@@ -36053,6 +46163,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Disable Microsoft Office Security Features"
 },
 {
@@ -36070,6 +46184,11 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.005",
+ "attack.t1059.007"
+ ],
 "title": "Adwind RAT / JRAT - Registry"
 },
 {
@@ -36087,6 +46206,12 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.s0404",
+ "attack.t1218"
+ ],
 "title": "Suspicious Esentutl Use"
 },
 {
@@ -36103,6 +46228,10 @@
 "level": "high",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Execution via CL_Invocation.ps1 - Powershell"
 },
 {
@@ -36120,6 +46249,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.execution",
+ "attack.t1218"
+ ],
 "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL"
 },
 {
@@ -36136,6 +46270,10 @@
 "level": "high",
 "service": "",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1216"
+ ],
 "title": "Execution via CL_Mutexverifiers.ps1"
 },
 {
@@ -36150,6 +46288,10 @@
 "level": "medium",
 "service": "powershell",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1218"
+ ],
 "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction"
 },
 {
@@ -36167,6 +46309,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Indirect Command Exectuion via Forfiles"
 },
 {
@@ -36184,6 +46330,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.t1055.001",
+ "attack.t1218"
+ ],
 "title": "MavInject Process Injection"
 },
 {
@@ -36201,6 +46351,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1482"
+ ],
 "title": "Trickbot Malware Reconnaissance Activity"
 },
 {
@@ -36218,6 +46372,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.g0032",
+ "attack.execution",
+ "attack.t1106"
+ ],
 "title": "Lazarus Activity Apr21"
 },
 {
@@ -36235,6 +46394,12 @@
 "subcategory_guids": [
 "0CCE922C-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.discovery",
+ "attack.t1482",
+ "attack.t1018",
+ "attack.t1016"
+ ],
 "title": "Correct Execution of Nltest.exe"
 },
 {
@@ -36252,6 +46417,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.persistence",
+ "attack.t1197"
+ ],
 "title": "Suspicious Bitstransfer via PowerShell"
 },
 {
@@ -36270,6 +46440,10 @@
 "level": "high",
 "service": "windefend",
 "subcategory_guids": [],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Windows Defender Threat Detection Disabled"
 },
 {
@@ -36287,6 +46461,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.exfiltration",
+ "attack.t1567.002"
+ ],
 "title": "RClone Execution"
 },
 {
@@ -36304,6 +46482,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.persistence",
+ "attack.privilege-escalation",
+ "attack.t1543.003"
+ ],
 "title": "New Service Creation"
 },
 {
@@ -36321,6 +46504,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1071.004"
+ ],
 "title": "DNS Tunnel Technique from MuddyWater"
 },
 {
@@ -36343,6 +46530,7 @@
 "subcategory_guids": [
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [],
 "title": "Group Modification Logging"
 },
 {
@@ -36360,6 +46548,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.persistence",
+ "attack.t1197"
+ ],
 "title": "Suspicious Bitsadmin Job via PowerShell"
 },
 {
@@ -36374,6 +46567,10 @@
 "level": "high",
 "service": "powershell",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Invocations - Specific"
 },
 {
@@ -36391,6 +46588,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.command-and-control",
+ "attack.t1105",
+ "attack.t1071.004"
+ ],
 "title": "Nslookup PwSh Download Cradle"
 },
 {
@@ -36408,6 +46610,10 @@
 "subcategory_guids": [
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1070.004"
+ ],
 "title": "Sysinternals SDelete Registry Keys"
 },
 {
@@ -36425,6 +46631,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001",
+ "attack.execution"
+ ],
 "title": "PowerShell AMSI Bypass Pattern"
 },
 {
@@ -36442,6 +46653,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.privilege-escalation",
+ "attack.g0009",
+ "attack.t1068"
+ ],
 "title": "Hurricane Panda Activity"
 },
 {
@@ -36456,6 +46672,10 @@
 "level": "high",
 "service": "powershell",
 "subcategory_guids": [],
+ "tags": [
+ "attack.execution",
+ "attack.t1059.001"
+ ],
 "title": "Suspicious PowerShell Invocations - Generic"
 },
 {
@@ -36473,6 +46693,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1202"
+ ],
 "title": "Execute MSDT.EXE Using Diagcab File"
 },
 {
@@ -36490,6 +46714,10 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.defense-evasion",
+ "attack.t1562.001"
+ ],
 "title": "Stop Or Remove Antivirus Service"
 },
 {
@@ -36507,6 +46735,11 @@
 "subcategory_guids": [
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
+ "tags": [
+ "attack.execution",
+ "attack.t1569.002",
+ "attack.s0029"
+ ],
 "title": "PsExec Tool Execution"
 },
 {
@@ -36524,6 +46757,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.t1059.001", + "attack.defense-evasion", + "attack.t1027" + ], "title": "Base64 Encoded Listing of Shadowcopy" }, { @@ -36541,6 +46780,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.g0092", + "attack.t1106" + ], "title": "TA505 Dropper Load Pattern" }, { @@ -36558,6 +46802,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1202" + ], "title": "Winword.exe Loads Suspicious DLL" }, { @@ -36575,6 +46823,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion", + "attack.t1202" + ], "title": "Indirect Command Execution" }, { @@ -36591,6 +46843,10 @@ "level": "medium", "service": "", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1095" + ], "title": "Netcat The Powershell Version - PowerShell Module" }, { @@ -36607,6 +46863,10 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1546" + ], "title": "Suspicious Get-WmiObject" }, { @@ -36622,6 +46882,10 @@ "level": "medium", "service": "appxpackaging-om", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.execution" + ], "title": "Suspicious Digital Signature Of AppX Package" }, { @@ -36637,6 +46901,10 @@ "level": "medium", "service": "dns-server", "subcategory_guids": [], + "tags": [ + "attack.reconnaissance", + "attack.t1590.002" + ], "title": "Failed DNS Zone Transfer" }, { @@ -36654,6 +46922,10 @@ "level": "high", "service": "dns-server", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, { 
@@ -36669,6 +46941,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1059.005" + ], "title": "Suspicious Scripting in a WMI Consumer" }, { @@ -36684,6 +46960,12 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1047", + "attack.persistence", + "attack.t1546.003" + ], "title": "Suspicious Encoded Scripts in a WMI Consumer" }, { @@ -36699,6 +46981,10 @@ "level": "critical", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1071.004" + ], "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" }, { @@ -36714,6 +47000,10 @@ "level": "high", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1090.003" + ], "title": "Query Tor Onion Address - DNS Client" }, { @@ -36729,6 +47019,10 @@ "level": "low", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], "title": "DNS Query To Ufile.io - DNS Client" }, { @@ -36744,6 +47038,10 @@ "level": "medium", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], "title": "DNS Query To MEGA Hosting Website - DNS Client" }, { @@ -36759,6 +47057,10 @@ "level": "high", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1567.002" + ], "title": "DNS Query for Anonfiles.com Domain - DNS Client" }, { @@ -36774,6 +47076,9 @@ "level": "medium", "service": "dns-client", "subcategory_guids": [], + "tags": [ + "attack.command-and-control" + ], "title": "DNS Query To Put.io - DNS Client" }, { @@ -36787,6 +47092,10 @@ "level": "critical", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.t1587.001", + "attack.resource-development" + ], "title": "ProxyLogon MSExchange OabVirtualDirectory" }, { 
@@ -36800,6 +47109,10 @@ "level": "high", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, { @@ -36813,6 +47126,10 @@ "level": "high", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070" + ], "title": "Remove Exported Mailbox from Exchange Webserver" }, { @@ -36826,6 +47143,10 @@ "level": "medium", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ], "title": "MSExchange Transport Agent Installation - Builtin" }, { @@ -36839,6 +47160,10 @@ "level": "critical", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], "title": "Certificate Request Export to Exchange Webserver" }, { @@ -36852,6 +47177,10 @@ "level": "critical", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1505.003" + ], "title": "Mailbox Export to Exchange Webserver" }, { @@ -36867,6 +47196,10 @@ "level": "high", "service": "msexchange-management", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1505.002" + ], "title": "Failed MSExchange Transport Agent Installation" }, { @@ -36882,6 +47215,10 @@ "level": "medium", "service": "capi2", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1649" + ], "title": "Certificate Private Key Acquired" }, { @@ -36898,6 +47235,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "Potential CVE-2021-42287 Exploitation Attempt" }, { 
@@ -36913,6 +47254,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.002" + ], "title": "Critical Hive In Suspicious Location Access Bits Cleared" }, { @@ -36929,6 +47274,10 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.t1210", + "attack.lateral-movement" + ], "title": "Zerologon Exploitation Using Well-known Tools" }, { @@ -36944,6 +47293,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1548" + ], "title": "Vulnerable Netlogon Secure Channel Connection Allowed" }, { @@ -36959,6 +47312,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], "title": "CSExec Service Installation" }, { @@ -36974,6 +47331,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Stdin - System" }, { @@ -36989,6 +47352,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Uncommon Service Installation Image Path" }, { @@ -37004,6 +47373,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1219.002" + ], "title": "TacticalRMM Service Installation" }, { @@ -37019,6 +47392,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "Sliver C2 Default Service Installation" }, { 
@@ -37034,6 +47413,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], "title": "RemCom Service Installation" }, { @@ -37049,6 +47432,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.command-and-control", + "attack.t1219.002" + ], "title": "Mesh Agent Service Installation" }, { @@ -37064,6 +47451,9 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Important Windows Service Terminated Unexpectedly" }, { @@ -37079,6 +47469,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Rundll32 - System" }, { @@ -37094,6 +47490,11 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1543.003" + ], "title": "Moriya Rootkit - System" }, { @@ -37109,6 +47510,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, { @@ -37124,6 +47531,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027" + ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" }, { @@ -37139,6 +47550,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, { 
@@ -37154,6 +47571,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], "title": "PowerShell Scripts Installed as Services" }, { @@ -37169,6 +47590,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, { @@ -37184,6 +47611,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543" + ], "title": "KrbRelayUp Service Installation" }, { @@ -37199,6 +47630,9 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence" + ], "title": "NetSupport Manager Service Install" }, { @@ -37214,6 +47648,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002" + ], "title": "PAExec Service Installation" }, { @@ -37230,6 +47668,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.execution", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "Remote Access Tool Services Have Been Installed - System" }, { @@ -37245,6 +47689,9 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Windows Service Terminated With Error" }, { @@ -37260,6 +47707,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543.003" + ], "title": "New PDQDeploy Service - Server Side" }, { @@ -37275,6 +47726,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Service Installation with Suspicious Folder Pattern" }, { 
@@ -37290,6 +47747,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use MSHTA - System" }, { @@ -37305,6 +47768,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation Via Use Clip - System" }, { @@ -37320,6 +47789,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Suspicious Service Installation" }, { @@ -37335,6 +47810,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.001" + ], "title": "Windows Defender Threat Detection Service Disabled" }, { @@ -37350,6 +47829,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Service Installation in Suspicious Folder" }, { @@ -37365,6 +47850,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.exfiltration", + "attack.t1048" + ], "title": "Tap Driver Installation" }, { @@ -37380,6 +47869,17 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.execution", + "attack.t1003.001", + "attack.t1003.002", + "attack.t1003.004", + "attack.t1003.005", + "attack.t1003.006", + "attack.t1569.002", + "attack.s0005" + ], "title": "Credential Dumping Tools Service Execution - System" }, { 
@@ -37395,6 +47895,11 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], "title": "PsExec Service Installation" }, { @@ -37410,6 +47915,9 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence" + ], "title": "Remote Utilities Host Service Install" }, { @@ -37425,6 +47933,14 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "CobaltStrike Service Installations - System" }, { @@ -37441,6 +47957,11 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.t1569.002", + "attack.s0029" + ], "title": "HackTool Service Registration or Execution" }, { @@ -37456,6 +47977,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation VAR+ Launcher - System" }, { @@ -37471,6 +47998,9 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence" + ], "title": "Anydesk Remote Access Software Service Installation" }, { @@ -37486,6 +48016,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "ProcessHacker Privilege Elevation" }, { @@ -37501,6 +48037,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543.003" + ], "title": "New PDQDeploy Service - Client Side" }, { 
@@ -37516,6 +48056,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation STDIN+ Launcher - System" }, { @@ -37531,6 +48077,9 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence" + ], "title": "RTCore Suspicious Service Installation" }, { @@ -37546,6 +48095,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.execution", + "attack.t1021.002", + "attack.t1569.002" + ], "title": "smbexec.py Service Installation" }, { @@ -37561,6 +48116,9 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion" + ], "title": "Important Windows Service Terminated With Error" }, { @@ -37576,6 +48134,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1027", + "attack.execution", + "attack.t1059.001" + ], "title": "Invoke-Obfuscation CLIP+ Launcher - System" }, { @@ -37591,6 +48155,12 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Suspicious Service Installation Script" }, { @@ -37606,6 +48176,11 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1134.001", + "attack.t1134.002" + ], "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, { @@ -37621,6 +48196,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation", + "attack.t1543" + ], "title": "Service Installed By Unusual Client - System" }, { 
@@ -37637,6 +48216,11 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.lateral-movement", + "attack.t1550.002" + ], "title": "NTLMv1 Logon Between Client and Server" }, { @@ -37653,6 +48237,11 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1210", + "car.2013-07-002" + ], "title": "Potential RDP Exploit CVE-2019-0708" }, { @@ -37668,6 +48257,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1499.001" + ], "title": "NTFS Vulnerability Exploitation" }, { @@ -37683,6 +48276,9 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" }, { @@ -37699,6 +48295,9 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.privilege-escalation" + ], "title": "Certificate Use With No Strong Mapping" }, { @@ -37715,6 +48314,10 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" }, { @@ -37730,6 +48333,11 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001", + "car.2016-04-002" + ], "title": "Important Windows Eventlog Cleared" }, { @@ -37745,6 +48353,11 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001", + "car.2016-04-002" + ], "title": "Eventlog Cleared" }, { @@ -37760,6 +48373,12 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.collection", + "attack.t1003.002", + "attack.t1005" + ], "title": "Crash Dump Created By Operating System" }, { 
@@ -37775,6 +48394,11 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.execution", + "attack.credential-access", + "attack.t1557.001" + ], "title": "Local Privilege Escalation Indicator TabTip" }, { @@ -37790,6 +48414,11 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.defense-evasion", + "attack.t1553.004" + ], "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" }, { @@ -37809,6 +48438,11 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.resource-development", + "attack.t1584" + ], "title": "Windows Update Error" }, { @@ -37824,6 +48458,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562" + ], "title": "Sysmon Application Crashed" }, { @@ -37839,6 +48477,10 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1003.002" + ], "title": "Volume Shadow Copy Mount" }, { @@ -37856,6 +48498,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "DHCP Server Error Failed Loading the CallOut DLL" }, { @@ -37871,6 +48517,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1574.001" + ], "title": "DHCP Server Loaded the CallOut DLL" }, { @@ -37886,6 +48536,9 @@ "level": "low", "service": "application", "subcategory_guids": [], + "tags": [ + "attack.execution" + ], "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" }, { 
@@ -37903,6 +48556,11 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, { @@ -37920,6 +48578,13 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.command-and-control", + "attack.t1071", + "attack.t1071.004", + "attack.t1001.003", + "attack.t1041" + ], "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" }, { @@ -37939,6 +48604,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1078" + ], "title": "Failed Logins with Different Accounts from Single Source System" }, { @@ -37954,6 +48624,10 @@ "level": "medium", "service": "smbclient-security", "subcategory_guids": [], + "tags": [ + "attack.t1021.002", + "attack.lateral-movement" + ], "title": "Failed Mounting of Hidden Share" }, { @@ -37972,6 +48646,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, { @@ -37989,6 +48668,11 @@ "subcategory_guids": [ "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, { @@ -38006,6 +48690,11 @@ "subcategory_guids": [ "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1078" + ], "title": "Failed NTLM Logins with Different Accounts from Single Source System" }, { 
@@ -38027,6 +48716,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.persistence", + "attack.execution", + "attack.t1053.005" + ], "title": "Remote Schtasks Creation" }, { @@ -38044,6 +48739,12 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087", + "attack.t1082", + "car.2016-03-001" + ], "title": "Reconnaissance Activity Using BuiltIn Commands" }, { @@ -38064,6 +48765,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1555" + ], "title": "Stored Credentials in Fake Files" }, { @@ -38081,6 +48786,11 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" }, { @@ -38098,6 +48808,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1068" + ], "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" }, { @@ -38116,6 +48830,13 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.execution", + "attack.privilege-escalation", + "attack.persistence", + "car.2013-08-001", + "attack.t1053.005" + ], "title": "Rare Schtasks Creations" }, { @@ -38133,6 +48854,11 @@ "subcategory_guids": [ "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" }, { 
@@ -38148,6 +48874,12 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "car.2013-09-005", + "attack.t1543.003" + ], "title": "Rare Service Installations" }, { @@ -38163,6 +48895,16 @@ "level": "critical", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.privilege-escalation", + "attack.t1003", + "attack.t1035", + "attack.t1050", + "car.2013-09-005", + "attack.t1543.003", + "attack.t1569.002" + ], "title": "Malicious Service Installations" }, { @@ -38183,6 +48925,10 @@ "0CCE921F-69AE-11D9-BED3-505054503030", "0CCE9245-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.impact", + "attack.t1486" + ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, { @@ -38199,6 +48945,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1216" + ], "title": "Execution via CL_Invocation.ps1 (2 Lines)" }, { @@ -38215,6 +48965,10 @@ "level": "high", "service": "", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1216" + ], "title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" }, { @@ -38233,6 +48987,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Multiple Users Failing to Authenticate from Single Process" }, { @@ -38248,6 +49007,13 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.t1021.002", + "attack.t1570", + "attack.execution", + "attack.t1569.002" + ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, { 
@@ -38265,6 +49031,11 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Password Spraying via Explicit Credentials" }, { @@ -38280,6 +49051,11 @@ "level": "low", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.s0111", + "attack.t1053.005" + ], "title": "Rare Scheduled Task Creations" }, { @@ -38297,6 +49073,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "car.2013-04-002", + "attack.execution", + "attack.t1059" + ], "title": "Quick Execution of a Series of Suspicious Commands" }, { @@ -38314,6 +49095,10 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.discovery", + "attack.t1087.002" + ], "title": "Enumeration via the Global Catalog" }, { @@ -38331,6 +49116,11 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.initial-access", + "attack.privilege-escalation" + ], "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, { @@ -38348,6 +49138,10 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.t1548.002" + ], "title": "MSI Spawned Cmd and Powershell Spawned Processes" }, { @@ -38363,6 +49157,11 @@ "level": "medium", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" }, { @@ -38378,6 +49177,11 @@ "level": "medium", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" }, { 
@@ -38393,6 +49197,11 @@ "level": "high", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "BITS Transfer Job Download From Direct IP" }, { @@ -38408,6 +49217,11 @@ "level": "high", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "BITS Transfer Job Download From File Sharing Domains" }, { @@ -38423,6 +49237,11 @@ "level": "low", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "New BITS Job Created Via PowerShell" }, { @@ -38438,6 +49257,11 @@ "level": "low", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "New BITS Job Created Via Bitsadmin" }, { @@ -38453,6 +49277,11 @@ "level": "high", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197" + ], "title": "BITS Transfer Job Download To Potential Suspicious Folder" }, { @@ -38468,6 +49297,10 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "PwSh", + "WinRM" + ], "title": "Win RM Session Created" }, { @@ -38483,6 +49316,12 @@ "level": "informational", "service": "bits-client", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.persistence", + "attack.t1197", + "lolbas" + ], "title": "Bits Job Created" }, { @@ -38498,6 +49337,9 @@ "level": "informational", "service": "wmi", "subcategory_guids": [], + "tags": [ + "WMI" + ], "title": "Temporary WMI Event Consumer" }, { @@ -38513,6 +49355,9 @@ "level": "informational", "service": "wmi", "subcategory_guids": [], + "tags": [ + "WMI" + ], "title": "WMI Provider Started" }, { 
@@ -38528,6 +49373,11 @@ "level": "medium", "service": "wmi", "subcategory_guids": [], + "tags": [ + "WMI", + "attack.persistence", + "attack.lateral-movement" + ], "title": "WMI Filter To Consumer Binding_Command Execution" }, { @@ -38543,6 +49393,9 @@ "level": "informational", "service": "wmi", "subcategory_guids": [], + "tags": [ + "WMI" + ], "title": "Permanent WMI Event Consumer" }, { @@ -38558,6 +49411,7 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [], "title": "Device Conn" }, { @@ -38573,6 +49427,7 @@ "level": "low", "service": "vhdmp", "subcategory_guids": [], + "tags": [], "title": "ISO Mounted" }, { @@ -38588,6 +49443,7 @@ "level": "low", "service": "vhdmp", "subcategory_guids": [], + "tags": [], "title": "VHDX Mounted" }, { @@ -38603,6 +49459,7 @@ "level": "low", "service": "vhdmp", "subcategory_guids": [], + "tags": [], "title": "VHD Mounted" }, { @@ -38618,6 +49475,9 @@ "level": "high", "service": "windefend", "subcategory_guids": [], + "tags": [ + "malware" + ], "title": "Defender Alert (High)" }, { @@ -38633,6 +49493,9 @@ "level": "medium", "service": "windefend", "subcategory_guids": [], + "tags": [ + "malware" + ], "title": "Defender Alert (Moderate)" }, { @@ -38648,6 +49511,9 @@ "level": "critical", "service": "windefend", "subcategory_guids": [], + "tags": [ + "malware" + ], "title": "Defender Alert (Severe)" }, { @@ -38663,6 +49529,9 @@ "level": "low", "service": "windefend", "subcategory_guids": [], + "tags": [ + "malware" + ], "title": "Defender Alert (Low)" }, { @@ -38680,6 +49549,7 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Net Conn" }, { @@ -38697,6 +49567,7 @@ "subcategory_guids": [ "0CCE9226-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Net Conn Blocked" }, { @@ -38715,6 +49586,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Task Deleted" }, { 
@@ -38733,6 +49605,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030", "0CCE9227-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Task Created" }, { @@ -38750,6 +49623,10 @@ "subcategory_guids": [ "0CCE9244-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1039", + "attack.collection" + ], "title": "NetShare File Access" }, { @@ -38767,6 +49644,10 @@ "subcategory_guids": [ "0CCE9224-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1039", + "attack.collection" + ], "title": "NetShare Access" }, { @@ -38784,6 +49665,7 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Susp CmdLine (Possible Meterpreter getsystem)" }, { @@ -38801,6 +49683,7 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Proc Exec" }, { @@ -38818,6 +49701,9 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "lolbas" + ], "title": "Possible LOLBIN" }, { @@ -38835,6 +49721,11 @@ "subcategory_guids": [ "0CCE922B-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.lateral-movement", + "attack.t1563.002", + "attack.t1021.001" + ], "title": "Possible RDP Hijacking" }, { @@ -38852,6 +49743,7 @@ "subcategory_guids": [ "0CCE923C-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Dir Svc Obj Modified" }, { @@ -38869,6 +49761,7 @@ "subcategory_guids": [ "0CCE921B-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Admin Logon" }, { @@ -38886,6 +49779,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "NewInteractive Logon (Suspicious Process)" }, { @@ -38903,6 +49797,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (NetworkCleartext)" }, { @@ -38920,6 +49815,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Batch)" }, { 
@@ -38938,6 +49834,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon Failure (User Does Not Exist)" }, { @@ -38955,6 +49852,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Interactive) (Noisy)" }, { @@ -38972,6 +49870,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (NewCredentials) *Creds in memory*" }, { @@ -38989,6 +49888,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Interactive) *Creds in memory*" }, { @@ -39006,6 +49906,10 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.lateral-movement" + ], "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" }, { @@ -39024,6 +49928,10 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.credential-access" + ], "title": "PW Guessing" }, { @@ -39041,6 +49949,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (CachedUnlock) *Creds in memory*" }, { @@ -39058,6 +49967,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (CachedInteractive) *Creds in memory*" }, { @@ -39075,6 +49985,10 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.credential-access" + ], "title": "PW Spray" }, { @@ -39092,6 +50006,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Service)" }, { @@ -39109,6 +50024,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (CachedRemoteInteractive) *Creds in memory*" }, { 
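Review bot: `PW Guessing` is tagged `attack.t1110.003`, which is the Password Spraying sub-technique and the same tag the `PW Spray` rule later in this line receives, whereas ATT&CK maps guessing passwords against an account to T1110.001 (Password Guessing). If the two rules are meant to stay distinguishable (many passwords against one account versus one password across many accounts), `PW Guessing` should carry `attack.t1110.001`, and the `User Guessing` rule on the next line probably the same; if the upstream author deliberately tagged all three as spraying, this can be ignored. Because this file is regenerated by the bot from the Sigma sources, any correction belongs in the rule YAML's `tags:` list rather than a hand edit here.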
@@ -39126,6 +50042,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Network) (Noisy)" }, { @@ -39143,6 +50060,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (RemoteInteractive (RDP)) *Creds in memory*" }, { @@ -39161,6 +50079,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Failed Logon - Incorrect Password" }, { @@ -39178,6 +50097,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (System) - Bootup" }, { @@ -39195,6 +50115,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Unlock)" }, { @@ -39213,6 +50134,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon Failure (Wrong Password)" }, { @@ -39230,6 +50152,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Possible Token Impersonation" }, { @@ -39248,6 +50171,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon Failure (Unknown Reason)" }, { @@ -39265,6 +50189,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Failed Logon - Incorrect Password" }, { @@ -39282,6 +50207,10 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.lateral-movement" + ], "title": "Explicit Logon Attempt (Noisy)" }, { @@ -39299,6 +50228,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Service) (Noisy)" }, { @@ -39317,6 +50247,10 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.t1110.003", + "attack.credential-access" + ], "title": "User Guessing" }, { 
@@ -39335,6 +50269,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030", "0CCE9217-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Failed Logon - Non-Existent User" }, { @@ -39352,6 +50287,7 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon (Network)" }, { @@ -39369,6 +50305,10 @@ "subcategory_guids": [ "0CCE9215-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation", + "attack.lateral-movement" + ], "title": "Explicit Logon Attempt" }, { @@ -39386,6 +50326,10 @@ "subcategory_guids": [ "0CCE921C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Session Reconnect" }, { @@ -39403,6 +50347,10 @@ "subcategory_guids": [ "0CCE921C-69AE-11D9-BED3-505054503030" ], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Session Disconnect" }, { @@ -39420,6 +50368,7 @@ "subcategory_guids": [ "0CCE9216-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logoff (User Initiated)" }, { @@ -39437,6 +50386,7 @@ "subcategory_guids": [ "0CCE9216-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logoff (Noisy)" }, { @@ -39454,6 +50404,7 @@ "subcategory_guids": [ "0CCE9216-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logoff" }, { @@ -39469,6 +50420,10 @@ "level": "low", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1555.004" + ], "title": "Credential Manager Enumerated" }, { @@ -39484,6 +50439,10 @@ "level": "high", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001" + ], "title": "Log Cleared" }, { @@ -39499,6 +50458,10 @@ "level": "low", "service": "security", "subcategory_guids": [], + "tags": [ + "attack.credential-access", + "attack.t1555.004" + ], "title": "Credential Manager Accessed" }, { 
@@ -39514,6 +50477,7 @@ "level": "informational", "service": "security", "subcategory_guids": [], + "tags": [], "title": "RDP Denied" }, { @@ -39531,6 +50495,9 @@ "subcategory_guids": [ "0CCE9212-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Code Integrity Proble (Possible Modification)" }, { @@ -39548,6 +50515,9 @@ "subcategory_guids": [ "0CCE9212-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Code Integrity Error (Invalid Image Page Hash)" }, { @@ -39565,6 +50535,9 @@ "subcategory_guids": [ "0CCE9212-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.defense-evasion" + ], "title": "Code Integrity Error (Invalid Image Hash)" }, { @@ -39582,6 +50555,7 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Abnormal Logon Proc Registered With LSA" }, { @@ -39599,6 +50573,7 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Logon Proc Registered With LSA" }, { @@ -39616,6 +50591,9 @@ "subcategory_guids": [ "0CCE9211-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence" + ], "title": "Svc Installed" }, { @@ -39633,6 +50611,9 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation" + ], "title": "User Password Changed" }, { @@ -39650,6 +50631,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.1136.001" + ], "title": "Local User Account Created" }, { @@ -39667,6 +50652,9 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.privilege-escalation" + ], "title": "Password Reset By Admin" }, { @@ -39684,6 +50672,10 @@ "subcategory_guids": [ "0CCE9235-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.11136.001" + ], "title": "Hidden User Account Created" }, { 
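Review bot: The tags added for `Local User Account Created` and `Hidden User Account Created` are malformed ATT&CK identifiers — `attack.1136.001` drops the `t` prefix and `attack.11136.001` has an extra digit — so any consumer that resolves `attack.t<id>` tags to MITRE techniques or filters rules by technique will silently miss both account-creation detections. Both should read `attack.t1136.001` (Create Account: Local Account), matching the well-formed tags elsewhere in this line such as `attack.t1070.001` and `attack.t1555.004`. Since this file is regenerated by the bot from the upstream Sigma rules, the fix needs to land in the two source rules' `tags:` lists, otherwise the next update run will reintroduce the typo.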
@@ -39701,6 +50693,7 @@ "subcategory_guids": [ "0CCE9236-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Computer Account Created" }, { @@ -39718,6 +50711,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Local Domain Admins Grp" }, { @@ -39735,6 +50732,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Local Admin Grp" }, { @@ -39752,6 +50753,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Global Security Grp" }, { @@ -39769,6 +50774,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Global Domain Admins Grp" }, { @@ -39786,6 +50795,10 @@ "subcategory_guids": [ "0CCE9237-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1098" + ], "title": "User Added To Non-Admin Global Grp" }, { @@ -39803,6 +50816,10 @@ "subcategory_guids": [ "0CCE9229-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], "title": "Possible Hidden Service Created" }, { @@ -39821,6 +50838,12 @@ "0CCE9228-69AE-11D9-BED3-505054503030", "0CCE9229-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1003.001", + "attack.t1561", + "attack.impact" + ], "title": "Process Ran With High Privilege" }, { @@ -39838,6 +50861,10 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558.004" + ], "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)" }, { @@ -39855,6 +50882,7 @@ "subcategory_guids": [ "0CCE9242-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Kerberos TGT Requested" }, { 
@@ -39872,6 +50900,10 @@ "subcategory_guids": [ "0CCE9240-69AE-11D9-BED3-505054503030" ], + "tags": [ + "attack.credential-access", + "attack.t1558.003" + ], "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)" }, { @@ -39889,6 +50921,7 @@ "subcategory_guids": [ "0CCE9240-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "Kerberos Service Ticket Requested" }, { @@ -39906,6 +50939,7 @@ "subcategory_guids": [ "0CCE923F-69AE-11D9-BED3-505054503030" ], + "tags": [], "title": "NTLM Auth" }, { @@ -39921,6 +50955,11 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement", + "attack.initial-access" + ], "title": "RDP Logon" }, { @@ -39936,6 +50975,10 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Conn (Noisy)" }, { @@ -39951,6 +50994,7 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [], "title": "CryptoDPAPI Decrypt" }, { @@ -39967,6 +51011,7 @@ "level": "informational", "service": "application", "subcategory_guids": [], + "tags": [], "title": "MSI Install" }, { @@ -39982,6 +51027,9 @@ "level": "informational", "service": "powershell-classic", "subcategory_guids": [], + "tags": [ + "PwShClassic" + ], "title": "PwSh Engine Started" }, { @@ -39997,6 +51045,11 @@ "level": "medium", "service": "powershell-classic", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.010", + "lolbas" + ], "title": "PwSh 2.0 Downgrade Attack" }, { @@ -40012,6 +51065,10 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Conn Attempt" }, { @@ -40027,6 +51084,10 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Attempt" }, { 
@@ -40042,6 +51103,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Computer Uptime/Timezone" }, { @@ -40057,6 +51119,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1562.002" + ], "title": "Event Log Service Startup Type Changed To Disabled" }, { @@ -40072,6 +51138,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], "title": "Suspicious Service Name" }, { @@ -40087,6 +51157,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "New Non-USB PnP Device" }, { @@ -40102,6 +51173,7 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [], "title": "BSOD" }, { @@ -40117,6 +51189,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "New USB PnP Device" }, { @@ -40132,6 +51205,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Computer Startup" }, { @@ -40147,6 +51221,10 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1499" + ], "title": "Service Crashed" }, { @@ -40162,6 +51240,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], "title": "Suspicious Service Path" }, { @@ -40177,6 +51259,15 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.lateral-movement", + "attack.s0029", + "attack.t1136.002", + "attack.t1543.003", + "attack.t1570", + "attack.t1021.002", + "attack.t1569.002" + ], "title": "PSExec Lateral Movement" }, { @@ -40192,6 +51283,7 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Computer Startup In Safe Mode" }, { 
@@ -40207,6 +51299,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Computer Startup" }, { @@ -40222,6 +51315,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001" + ], "title": "Log File Cleared" }, { @@ -40237,6 +51334,9 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence" + ], "title": "Svc Installed" }, { @@ -40252,6 +51352,10 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1499" + ], "title": "Service Crashed" }, { @@ -40267,6 +51371,10 @@ "level": "low", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.impact", + "attack.t1499" + ], "title": "Unexpected Shutdown" }, { @@ -40282,6 +51390,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Event Log Svc Started" }, { @@ -40297,6 +51406,10 @@ "level": "high", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.defense-evasion", + "attack.t1070.001" + ], "title": "Important Log File Cleared" }, { @@ -40312,6 +51425,7 @@ "level": "informational", "service": "system", "subcategory_guids": [], + "tags": [], "title": "Event Log Svc Stopped" }, { @@ -40327,6 +51441,10 @@ "level": "medium", "service": "system", "subcategory_guids": [], + "tags": [ + "attack.persistence", + "attack.t1543.003" + ], "title": "Possible Metasploit Svc Installed" }, { @@ -40342,6 +51460,7 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [], "title": "Wifi AP Conn" }, { @@ -40357,6 +51476,7 @@ "level": "informational", "service": "ntfs", "subcategory_guids": [], + "tags": [], "title": "NTFS volume mounted" }, { @@ -40372,6 +51492,7 @@ "level": "informational", "service": "driver-framework", "subcategory_guids": [], + "tags": [], "title": "USB Plugged In" }, { 
@@ -40388,6 +51509,9 @@ "level": "informational", "service": "powershell", "subcategory_guids": [], + "tags": [ + "PwSh" + ], "title": "PwSh Scriptblock" }, { @@ -40404,6 +51528,9 @@ "level": "informational", "service": "powershell", "subcategory_guids": [], + "tags": [ + "PwSh" + ], "title": "PwSh Pipeline Exec" }, { @@ -40420,6 +51547,9 @@ "level": "medium", "service": "powershell", "subcategory_guids": [], + "tags": [ + "PwSh" + ], "title": "Potentially Malicious PwSh" }, { @@ -40435,6 +51565,10 @@ "level": "informational", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Logon" }, { @@ -40450,6 +51584,10 @@ "level": "informational", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Logoff" }, { @@ -40465,6 +51603,10 @@ "level": "informational", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Disconnect" }, { @@ -40480,6 +51622,10 @@ "level": "informational", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Reconnect" }, { @@ -40495,6 +51641,10 @@ "level": "informational", "service": "terminalservices-localsessionmanager", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement" + ], "title": "RDP Sess Start (Noisy)" }, { @@ -40510,6 +51660,9 @@ "level": "informational", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "Task" + ], "title": "Task Deleted" }, { @@ -40525,6 +51678,9 @@ "level": "informational", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "Task" + ], "title": "Task Created" }, { 
@@ -40540,6 +51696,9 @@ "level": "informational", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "Task" + ], "title": "Task Updated" }, { @@ -40555,6 +51714,9 @@ "level": "informational", "service": "taskscheduler", "subcategory_guids": [], + "tags": [ + "Task" + ], "title": "Task Executed" }, { @@ -40570,6 +51732,11 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement", + "attack.initial-access" + ], "title": "RDS GTW Logoff" }, { @@ -40585,6 +51752,11 @@ "level": "informational", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement", + "attack.initial-access" + ], "title": "RDS GTW Logon" }, { @@ -40600,6 +51772,11 @@ "level": "low", "service": "", "subcategory_guids": [], + "tags": [ + "RDP", + "attack.lateral-movement", + "attack.initial-access" + ], "title": "RDS GTW Logon Error" }, { @@ -40615,6 +51792,7 @@ "level": "informational", "service": "dns-server-analytic", "subcategory_guids": [], + "tags": [], "title": "Recursive DNS Request" }, { @@ -40630,6 +51808,7 @@ "level": "informational", "service": "dns-server-analytic", "subcategory_guids": [], + "tags": [], "title": "Recursive DNS Response" }, { @@ -40645,6 +51824,7 @@ "level": "informational", "service": "security", "subcategory_guids": [], + "tags": [], "title": "Office App PopUp" } ] \ No newline at end of file