From 605bc7ef68f8366d0f538a152aed8c45e7dfff91 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 8 Oct 2025 22:41:40 +0000 Subject: [PATCH] Sigma Rule Update (2025-10-08 22:41:33) (#106) Co-authored-by: fukusuket --- config/security_rules.json | 11690 +++++++++++++++++------------------ 1 file changed, 5845 insertions(+), 5845 deletions(-) diff --git a/config/security_rules.json b/config/security_rules.json index 4efcf2b2..eb5f3284 100644 --- a/config/security_rules.json +++ b/config/security_rules.json @@ -13,8 +13,8 @@ "service": "appmodel-runtime", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution" + "TA0005", + "TA0002" ], "title": "Sysinternals Tools AppX Versions Execution" }, @@ -33,9 +33,9 @@ "service": "wmi", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1546.003" + "TA0003", + "TA0004", + "T1546.003" ], "title": "WMI Persistence" }, @@ -53,7 +53,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Unsigned Kernel Module Loaded" }, @@ -72,7 +72,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Revoked Image Loaded" }, @@ -90,7 +90,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked" }, @@ -108,8 +108,8 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543" + "TA0004", + "T1543" ], "title": "CodeIntegrity - Blocked Driver Load With Revoked Certificate" }, 
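Review bot: Nothing in this commit updates whatever reads `tags` — the diffstat lists config/security_rules.json as the only file changed — so any consumer that selects tactic or technique tags by the `attack.` prefix or by the tactic-name form will match nothing once the bare `TA0005` / `T1546.003` forms land; presumably the loader was adjusted in a separate change, but that should be confirmed before this is merged. The tactic mapping visible in these first hunks (defense-evasion→`TA0005`, execution→`TA0002`, persistence→`TA0003`, privilege-escalation→`TA0004`) agrees with the Enterprise ATT&CK tactic IDs, and the same table is applied in every later hunk of the file. Because the file is regenerated by a bot, the place to pin that mapping is a unit test on the generator's tactic table rather than a review of the JSON output.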
@@ -128,7 +128,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Revoked Kernel Driver Loaded" }, @@ -146,7 +146,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Blocked Image Load With Revoked Certificate" }, @@ -164,7 +164,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Unsigned Image Loaded" }, @@ -182,8 +182,8 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543" + "TA0004", + "T1543" ], "title": "CodeIntegrity - Blocked Image/Driver Load For Policy Violation" }, @@ -202,7 +202,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module" }, @@ -221,7 +221,7 @@ "service": "codeintegrity-operational", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "CodeIntegrity - Unmet Signing Level Requirements By File Under Validation" }, @@ -239,9 +239,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059.001" + "TA0005", + "TA0002", + "T1059.001" ], "title": "PowerShell Called from an Executable Version Mismatch" }, @@ -259,8 +259,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Nslookup PowerShell Download Cradle" }, 
@@ -278,10 +278,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1059.001", - "attack.t1036.003" + "TA0002", + "TA0005", + "T1059.001", + "T1036.003" ], "title": "Renamed Powershell Under Powershell Channel" }, @@ -299,8 +299,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1049" + "TA0007", + "T1049" ], "title": "Use Get-NetTCPConnection" }, @@ -316,8 +316,8 @@ "service": "powershell-classic", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse" }, @@ -333,10 +333,10 @@ "service": "powershell-classic", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral-movement", - "attack.t1021.003" + "TA0002", + "T1059.001", + "TA0008", + "T1021.003" ], "title": "Suspicious Non PowerShell WSMAN COM Provider" }, @@ -352,8 +352,8 @@ "service": "powershell-classic", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1074.001" + "TA0009", + "T1074.001" ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell" }, @@ -371,8 +371,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Download" }, @@ -390,8 +390,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1095" + "TA0011", + "T1095" ], "title": "Netcat The Powershell Version" }, @@ -409,10 +409,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.lateral-movement", - "attack.t1021.006" + "TA0002", + "T1059.001", + "TA0008", + "T1021.006" ], "title": "Remote PowerShell Session (PS Classic)" }, 
@@ -430,8 +430,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Tamper Windows Defender - PSClassic" }, @@ -449,9 +449,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059.001" + "TA0005", + "TA0002", + "T1059.001" ], "title": "PowerShell Downgrade Attack - PowerShell" }, @@ -469,8 +469,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Delete Volume Shadow Copies Via WMI With PowerShell" }, @@ -489,8 +489,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock" }, @@ -509,8 +509,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1553.004" + "TA0005", + "T1553.004" ], "title": "Suspicious X509Enrollment - Ps Script" }, @@ -529,8 +529,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1083" + "TA0007", + "T1083" ], "title": "Powershell Sensitive File Discovery" }, @@ -549,10 +549,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "TA0005", + "TA0002", + "T1027", + "T1059.001" ], "title": "Potential PowerShell Obfuscation Using Alias Cmdlets" }, @@ -571,8 +571,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1033" + "TA0007", + "T1033" ], "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell" }, @@ -591,9 +591,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001", - "attack.execution" + "TA0005", + "T1562.001", + "TA0002" ], "title": "AMSI Bypass Pattern Assembly GetType" }, 
@@ -612,8 +612,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1565" + "TA0040", + "T1565" ], "title": "Powershell Add Name Resolution Policy Table Rule" }, @@ -632,9 +632,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "TA0043", + "TA0007", + "TA0040" ], "title": "Potential Active Directory Enumeration Using AD Module - PsScript" }, @@ -653,8 +653,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1518" + "TA0007", + "T1518" ], "title": "Detected Windows Software Discovery - PowerShell" }, @@ -673,8 +673,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1018" + "TA0007", + "T1018" ], "title": "DirectorySearcher Powershell Exploitation" }, @@ -693,8 +693,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1553.005" + "TA0005", + "T1553.005" ], "title": "Suspicious Mount-DiskImage" }, @@ -713,8 +713,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.003" + "TA0005", + "T1070.003" ], "title": "Disable Powershell Command History" }, @@ -733,8 +733,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Invocations - Generic" }, @@ -753,8 +753,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Powershell XML Execute Command" }, 
@@ -773,16 +773,16 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "TA0002", + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069", + "T1059.001" ], "title": "Malicious PowerShell Commandlets - ScriptBlock" }, @@ -801,8 +801,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1218.007" + "TA0005", + "T1218.007" ], "title": "PowerShell WMI Win32_Product Install MSI" }, @@ -821,8 +821,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1546.003" + "TA0004", + "T1546.003" ], "title": "Powershell WMI Persistence" }, @@ -841,8 +841,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1137.006" + "TA0003", + "T1137.006" ], "title": "Code Executed Via Office Add-in XLL File" }, @@ -861,8 +861,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1021.006" + "TA0008", + "T1021.006" ], "title": "Enable Windows Remote Management" }, @@ -881,7 +881,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "PowerShell Write-EventLog Usage" }, @@ -900,8 +900,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1074.001" + "TA0009", + "T1074.001" ], "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Script" }, @@ -920,8 +920,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555.003" + "TA0006", + "T1555.003" ], "title": "Access to Browser Login Data" }, 
@@ -940,8 +940,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Powershell Execute Batch Script" }, @@ -960,8 +960,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1620" + "TA0005", + "T1620" ], "title": "Potential In-Memory Execution Using Reflection.Assembly" }, @@ -980,8 +980,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1069.002" + "TA0007", + "T1069.002" ], "title": "Active Directory Group Enumeration With Get-AdGroup" }, @@ -1000,8 +1000,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "PowerShell Get-Process LSASS in ScriptBlock" }, @@ -1020,9 +1020,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070", - "attack.t1562.006", + "TA0005", + "T1070", + "T1562.006", "car.2016-04-002" ], "title": "Disable of ETW Trace - Powershell" @@ -1042,8 +1042,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.defense-evasion" + "TA0003", + "TA0005" ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript" }, @@ -1062,11 +1062,11 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1055", - "attack.execution", - "attack.t1059.001" + "TA0005", + "TA0004", + "T1055", + "TA0002", + "T1059.001" ], "title": "PowerShell ShellCode" }, @@ -1085,8 +1085,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1020" + "TA0010", + "T1020" ], "title": "PowerShell Script With File Upload Capabilities" }, 
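Review bot: The tag array in the hunk at `@@ -1020,9 +1020,9 @@` now mixes bare ATT&CK IDs (`TA0005`, `T1070`, `T1562.006`) with the untouched `car.2016-04-002`, and the same split recurs at `-1105` (`attack.g0091` and `attack.s0363` kept beside `TA0002`), `-2057` (`attack.ds0005`) and `-2524` (`stp.2a`). Stripping the `attack.` prefix from tactics and techniques while leaving it on group, software and data-source tags means the prefix no longer marks the ATT&CK namespace: a consumer filtering on `attack.` now sees only G/S/DS entries, and one expecting every ATT&CK ID bare misses `attack.g0091`. Either strip the prefix uniformly (`G0091`, `S0363`, `DS0005`) or keep it on all ATT&CK tags; whichever is chosen belongs in the generator's mapping so the next bot run does not reintroduce the inconsistency.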
@@ -1105,13 +1105,13 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.command-and-control", - "attack.t1071.004", - "attack.t1572", - "attack.impact", - "attack.t1529", + "TA0002", + "T1059.001", + "TA0011", + "T1071.004", + "T1572", + "TA0040", + "T1529", "attack.g0091", "attack.s0363" ], @@ -1132,10 +1132,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell" }, @@ -1154,8 +1154,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1033" + "TA0007", + "T1033" ], "title": "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell" }, @@ -1174,7 +1174,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration" + "TA0010" ], "title": "Potential Data Exfiltration Via Audio File" }, @@ -1193,10 +1193,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1027", - "attack.t1059.001" + "TA0005", + "TA0002", + "T1027", + "T1059.001" ], "title": "Potential PowerShell Obfuscation Using Character Join" }, @@ -1215,8 +1215,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1553.004" + "TA0005", + "T1553.004" ], "title": "Root Certificate Installed - PowerShell" }, @@ -1235,8 +1235,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Troubleshooting Pack Cmdlet Execution" }, @@ -1255,8 +1255,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1491.001" + "TA0040", + "T1491.001" ], "title": "Replace Desktop Wallpaper by Powershell" }, 
@@ -1275,10 +1275,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Stdin - Powershell" }, @@ -1297,10 +1297,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell" }, @@ -1319,8 +1319,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Powershell Store File In Alternate Data Stream" }, @@ -1339,8 +1339,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1033" + "TA0007", + "T1033" ], "title": "Suspicious PowerShell Get Current User" }, @@ -1359,9 +1359,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002" + "TA0007", + "T1018", + "T1087.002" ], "title": "Active Directory Computers Enumeration With Get-AdComputer" }, @@ -1380,8 +1380,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "DSInternals Suspicious PowerShell Cmdlets - ScriptBlock" }, @@ -1400,8 +1400,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1083" + "TA0007", + "T1083" ], "title": "Powershell Directory Enumeration" }, 
@@ -1420,19 +1420,19 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.defense-evasion", - "attack.discovery", - "attack.execution", - "attack.privilege-escalation", - "attack.t1046", - "attack.t1082", - "attack.t1106", - "attack.t1518", - "attack.t1548.002", - "attack.t1552.001", - "attack.t1555", - "attack.t1555.003" + "TA0006", + "TA0005", + "TA0007", + "TA0002", + "TA0004", + "T1046", + "T1082", + "T1106", + "T1518", + "T1548.002", + "T1552.001", + "T1555", + "T1555.003" ], "title": "HackTool - WinPwn Execution - ScriptBlock" }, @@ -1451,8 +1451,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1497.001" + "TA0005", + "T1497.001" ], "title": "Powershell Detect Virtualization Environment" }, @@ -1471,8 +1471,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1053.005" + "TA0003", + "T1053.005" ], "title": "Powershell Create Scheduled Task" }, @@ -1491,8 +1491,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.003" + "TA0005", + "T1070.003" ], "title": "Suspicious IO.FileStream" }, @@ -1511,8 +1511,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1222" + "TA0005", + "T1222" ], "title": "PowerShell Script Change Permission Via Set-Acl - PsScript" }, @@ -1531,10 +1531,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell" }, @@ -1553,9 +1553,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.credential-access", - "attack.t1056.001" + "TA0009", + "TA0006", + "T1056.001" ], "title": "Potential Keylogger Activity" }, 
@@ -1574,7 +1574,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery" + "TA0007" ], "title": "PowerShell Hotfix Enumeration" }, @@ -1593,8 +1593,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1553.005" + "TA0005", + "T1553.005" ], "title": "Suspicious Unblock-File" }, @@ -1613,8 +1613,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1553.005" + "TA0005", + "T1553.005" ], "title": "Suspicious Invoke-Item From Mount-DiskImage" }, @@ -1633,8 +1633,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555" + "TA0006", + "T1555" ], "title": "Dump Credentials from Windows Credential Manager With PowerShell" }, @@ -1653,8 +1653,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Malicious Nishang PowerShell Commandlets" }, @@ -1673,8 +1673,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1132.001" + "TA0011", + "T1132.001" ], "title": "Suspicious FromBase64String Usage On Gzip Archive - Ps Script" }, @@ -1693,8 +1693,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "TA0010", + "T1048.003" ], "title": "PowerShell ICMP Exfiltration" }, @@ -1713,8 +1713,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1090" + "TA0011", + "T1090" ], "title": "Suspicious TCP Tunnel Via PowerShell Script" }, @@ -1733,8 +1733,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1217" + "TA0007", + "T1217" ], "title": "Automated Collection Bookmarks Using Get-ChildItem PowerShell" }, @@ -1753,8 +1753,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003" + "TA0006", + "T1003" ], "title": "Live Memory Dump Using Powershell" }, 
@@ -1773,11 +1773,11 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential-access", - "attack.impact" + "TA0002", + "TA0043", + "TA0007", + "TA0006", + "TA0040" ], "title": "AADInternals PowerShell Cmdlets Execution - PsScript" }, @@ -1796,8 +1796,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1119" + "TA0009", + "T1119" ], "title": "Automated Collection Command PowerShell" }, @@ -1816,8 +1816,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Potential Suspicious PowerShell Keywords" }, @@ -1836,10 +1836,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.persistence", - "attack.t1136.001" + "TA0002", + "T1059.001", + "TA0003", + "T1136.001" ], "title": "PowerShell Create Local User" }, @@ -1858,8 +1858,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1114.001" + "TA0009", + "T1114.001" ], "title": "Powershell Local Email Collection" }, @@ -1878,8 +1878,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "PSAsyncShell - Asynchronous TCP Reverse Shell" }, @@ -1898,8 +1898,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script" }, @@ -1918,8 +1918,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1222" + "TA0005", + "T1222" ], "title": "PowerShell Set-Acl On Windows Folder - PsScript" }, @@ -1938,8 +1938,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.006" + "TA0005", + "T1070.006" ], "title": "Powershell Timestomp" }, 
@@ -1958,7 +1958,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript" }, @@ -1977,8 +1977,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.003" + "TA0005", + "T1070.003" ], "title": "Clear PowerShell History - PowerShell" }, @@ -1997,8 +1997,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Tamper Windows Defender - ScriptBlockLogging" }, @@ -2017,8 +2017,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1020" + "TA0010", + "T1020" ], "title": "PowerShell Script With File Hostname Resolving Capabilities" }, @@ -2037,8 +2037,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1057" + "TA0007", + "T1057" ], "title": "Suspicious Process Discovery With Get-Process" }, @@ -2057,8 +2057,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.003", + "TA0006", + "T1003.003", "attack.ds0005" ], "title": "Create Volume Shadow Copy with Powershell" @@ -2078,7 +2078,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access" + "TA0006" ], "title": "Veeam Backup Servers Credential Dumping Script Execution" }, @@ -2097,8 +2097,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1552.004" + "TA0006", + "T1552.004" ], "title": "Certificate Exported Via PowerShell - ScriptBlock" }, @@ -2117,11 +2117,11 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003", - "attack.t1558.003", - "attack.lateral-movement", - "attack.t1550.003" + "TA0006", + "T1003", + "T1558.003", + "TA0008", + "T1550.003" ], "title": "HackTool - Rubeus Execution - ScriptBlock" }, 
@@ -2140,8 +2140,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "WMIC Unquoted Services Path Lookup - PowerShell" }, @@ -2160,10 +2160,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell" }, @@ -2182,8 +2182,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1615" + "TA0007", + "T1615" ], "title": "Suspicious GPO Discovery With Get-GPO" }, @@ -2202,8 +2202,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1564.006" + "TA0005", + "T1564.006" ], "title": "Suspicious Hyper-V Cmdlets" }, @@ -2222,8 +2222,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1552.001" + "TA0006", + "T1552.001" ], "title": "Extracting Information with PowerShell" }, @@ -2242,8 +2242,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable-WindowsOptionalFeature Command PowerShell" }, @@ -2262,8 +2262,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "Powershell LocalAccount Manipulation" }, @@ -2282,8 +2282,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Potential COM Objects Download Cradles Usage - PS Script" }, @@ -2302,8 +2302,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1573" + "TA0011", + "T1573" ], "title": "Suspicious SSL Connection" }, 
@@ -2322,9 +2322,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106" + "TA0002", + "T1059.001", + "T1106" ], "title": "Potential WinAPI Calls Via PowerShell Scripts" }, @@ -2343,8 +2343,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, @@ -2363,8 +2363,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1071.001" + "TA0011", + "T1071.001" ], "title": "Change User Agents with WebRequest" }, @@ -2383,7 +2383,7 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration" + "TA0010" ], "title": "Suspicious PowerShell Mailbox SMTP Forward Rule" }, @@ -2402,8 +2402,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Malicious ShellIntel PowerShell Commandlets" }, @@ -2422,8 +2422,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "Request A Single Ticket via PowerShell" }, @@ -2442,8 +2442,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003" + "TA0006", + "T1003" ], "title": "Potential Invoke-Mimikatz PowerShell Script" }, @@ -2462,8 +2462,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1119" + "TA0009", + "T1119" ], "title": "Recon Information for Export with PowerShell" }, @@ -2482,9 +2482,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.persistence", - "attack.t1546.015" + "TA0004", + "TA0003", + "T1546.015" ], "title": "Suspicious GetTypeFromCLSID ShellExecute" }, 
@@ -2503,9 +2503,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "TA0002", + "T1047", + "T1059.001" ], "title": "WMImplant Hack Tool" }, @@ -2524,8 +2524,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1574.011", + "TA0003", + "T1574.011", "stp.2a" ], "title": "Service Registry Permissions Weakness Check" @@ -2545,10 +2545,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1564.004", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1564.004", + "TA0002", + "T1059.001" ], "title": "NTFS Alternate Data Stream" }, @@ -2567,8 +2567,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.006" + "TA0006", + "T1003.006" ], "title": "Suspicious Get-ADReplAccount" }, @@ -2587,8 +2587,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555" + "TA0006", + "T1555" ], "title": "Enumerate Credentials from Windows Credential Manager With PowerShell" }, @@ -2607,8 +2607,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1120" + "TA0007", + "T1120" ], "title": "Powershell Suspicious Win32_PnPEntity" }, @@ -2627,8 +2627,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1033" + "TA0007", + "T1033" ], "title": "Get-ADUser Enumeration Using UserAccountControl Flags" }, @@ -2647,8 +2647,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Malicious PowerShell Keywords" }, @@ -2667,9 +2667,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070", - "attack.t1070.003" + "TA0005", + "T1070", + "T1070.003" ], "title": "Clearing Windows Console History" }, 
@@ -2688,8 +2688,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1113" + "TA0009", + "T1113" ], "title": "Windows Screen Capture with CopyFromScreen" }, @@ -2708,10 +2708,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell" }, @@ -2730,8 +2730,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Invocations - Specific" }, @@ -2750,8 +2750,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.collection", - "attack.t1056.001" + "TA0009", + "T1056.001" ], "title": "Powershell Keylogging" }, @@ -2770,9 +2770,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1059.001" + "TA0003", + "TA0002", + "T1059.001" ], "title": "PowerShell Web Access Installation - PsScript" }, @@ -2791,10 +2791,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell" }, @@ -2813,8 +2813,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1069.001" + "TA0007", + "T1069.001" ], "title": "Suspicious Get Local Groups Information - PowerShell" }, @@ -2833,10 +2833,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562", - "attack.execution", - "attack.t1059" + "TA0005", + "T1562", + "TA0002", + "T1059" ], "title": "Windows Defender Exclusions Added - PowerShell" }, 
@@ -2855,8 +2855,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.001" + "TA0005", + "T1070.001" ], "title": "Suspicious Eventlog Clear" }, @@ -2875,8 +2875,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.005" + "TA0005", + "T1070.005" ], "title": "PowerShell Deleted Mounted Share" }, @@ -2895,9 +2895,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.execution", - "attack.t1059.001" + "TA0006", + "TA0002", + "T1059.001" ], "title": "PowerShell Credential Prompt" }, @@ -2916,10 +2916,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation STDIN+ Launcher - Powershell" }, @@ -2938,8 +2938,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1048" + "TA0010", + "T1048" ], "title": "Powershell DNSExfiltration" }, @@ -2958,8 +2958,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1574.012" + "TA0003", + "T1574.012" ], "title": "Registry-Free Process Scope COR_PROFILER" }, @@ -2978,8 +2978,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Download - Powershell Script" }, @@ -2998,8 +2998,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1556.002" + "TA0006", + "T1556.002" ], "title": "Powershell Install a DLL in System Directory" }, @@ -3018,8 +3018,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1110.001" + "TA0006", + "T1110.001" ], "title": "Suspicious Connection to Remote Account" }, 
@@ -3038,8 +3038,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerShell Remote Session Creation"
 },
@@ -3058,8 +3058,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Potential AMSI Bypass Script Using NULL Bits"
 },
@@ -3078,9 +3078,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.discovery",
- "attack.t1040"
+ "TA0006",
+ "TA0007",
+ "T1040"
 ],
 "title": "Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock"
 },
@@ -3099,9 +3099,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1484.001"
+ "TA0005",
+ "TA0004",
+ "T1484.001"
 ],
 "title": "Modify Group Policy Settings - ScriptBlockLogging"
 },
@@ -3120,8 +3120,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.command-and-control",
- "attack.t1571"
+ "TA0011",
+ "T1571"
 ],
 "title": "Testing Usage of Uncommonly Used Port"
 },
@@ -3140,10 +3140,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1574.011"
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011"
 ],
 "title": "Abuse of Service Permissions to Hide Services Via Set-Service - PS"
 },
@@ -3162,8 +3162,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging"
 },
@@ -3182,7 +3182,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.exfiltration"
+ "TA0010"
 ],
 "title": "Suspicious PowerShell Mailbox Export to Share - PS"
 },
@@ -3201,10 +3201,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Use Clip - Powershell"
 },
@@ -3223,8 +3223,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.003"
+ "TA0005",
+ "T1036.003"
 ],
 "title": "Suspicious Start-Process PassThru"
 },
@@ -3243,8 +3243,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021.002"
+ "TA0008",
+ "T1021.002"
 ],
 "title": "Suspicious New-PSDrive to Admin Share"
 },
@@ -3263,8 +3263,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1136.002"
+ "TA0003",
+ "T1136.002"
 ],
 "title": "Manipulation of User Computer or Group Security Principals Across AD"
 },
@@ -3283,7 +3283,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Add Windows Capability Via PowerShell Script"
 },
@@ -3302,8 +3302,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerShell PSAttack"
 },
@@ -3322,9 +3322,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1546.013"
+ "TA0003",
+ "TA0004",
+ "T1546.013"
 ],
 "title": "Potential Persistence Via PowerShell User Profile Using Add-Content"
 },
@@ -3343,7 +3343,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Suspicious Windows Feature Enabled"
 },
@@ -3362,8 +3362,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Windows Firewall Profile Disabled"
 },
@@ -3382,8 +3382,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock"
 },
@@ -3402,9 +3402,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.privilege-escalation"
+ "TA0003",
+ "TA0005",
+ "TA0004"
 ],
 "title": "Potential Persistence Via Security Descriptors - ScriptBlock"
 },
@@ -3423,10 +3423,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell"
 },
@@ -3445,10 +3445,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1574.011"
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011"
 ],
 "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet - PS"
 },
@@ -3467,8 +3467,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1531"
+ "TA0040",
+ "T1531"
 ],
 "title": "Remove Account From Domain Admin Group"
 },
@@ -3487,8 +3487,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.009"
+ "TA0005",
+ "T1027.009"
 ],
 "title": "Powershell Token Obfuscation - Powershell"
 },
@@ -3507,8 +3507,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Powershell MsXml COM Object"
 },
@@ -3527,8 +3527,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "Suspicious Get Information for SMB Share"
 },
@@ -3547,8 +3547,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Usage Of Web Request Commands And Cmdlets - ScriptBlock"
 },
@@ -3567,8 +3567,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Change PowerShell Policies to an Insecure Level - PowerShell"
 },
@@ -3587,12 +3587,12 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.reconnaissance",
- "attack.discovery",
- "attack.credential-access",
- "attack.t1018",
- "attack.t1558",
- "attack.t1589.002"
+ "TA0043",
+ "TA0007",
+ "TA0006",
+ "T1018",
+ "T1558",
+ "T1589.002"
 ],
 "title": "Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock"
 },
@@ -3611,8 +3611,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021.006"
+ "TA0008",
+ "T1021.006"
 ],
 "title": "Execute Invoke-command on Remote Host"
 },
@@ -3631,9 +3631,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.execution",
- "attack.t1059.001"
+ "TA0007",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerShell ADRecon Execution"
 },
@@ -3652,8 +3652,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerView PowerShell Cmdlets - ScriptBlock"
 },
@@ -3672,8 +3672,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1547.004"
+ "TA0003",
+ "T1547.004"
 ],
 "title": "Winlogon Helper DLL"
 },
@@ -3692,10 +3692,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell"
 },
@@ -3714,8 +3714,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.003"
+ "TA0005",
+ "T1564.003"
 ],
 "title": "Suspicious PowerShell WindowStyle Option"
 },
@@ -3734,8 +3734,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Import PowerShell Modules From Suspicious Directories"
 },
@@ -3754,8 +3754,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1201"
+ "TA0007",
+ "T1201"
 ],
 "title": "Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy"
 },
@@ -3774,8 +3774,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1518.001"
+ "TA0007",
+ "T1518.001"
 ],
 "title": "Security Software Discovery Via Powershell Script"
 },
@@ -3794,10 +3794,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Stdin - PowerShell Module"
 },
@@ -3816,8 +3816,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.collection",
- "attack.t1115"
+ "TA0009",
+ "T1115"
 ],
 "title": "PowerShell Get Clipboard"
 },
@@ -3836,10 +3836,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation STDIN+ Launcher - PowerShell Module"
 },
@@ -3858,8 +3858,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious PowerShell Invocations - Specific - PowerShell Module"
 },
@@ -3878,10 +3878,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module"
 },
@@ -3900,9 +3900,9 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.reconnaissance",
- "attack.discovery",
- "attack.impact"
+ "TA0043",
+ "TA0007",
+ "TA0040"
 ],
 "title": "Potential Active Directory Enumeration Using AD Module - PsModule"
 },
@@ -3921,10 +3921,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Use Clip - PowerShell Module"
 },
@@ -3943,8 +3943,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.t1003.003"
+ "TA0006",
+ "T1003.003"
 ],
 "title": "Suspicious Get-ADDBAccount Usage"
 },
@@ -3963,8 +3963,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Alternate PowerShell Hosts - PowerShell Module"
 },
@@ -3983,8 +3983,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious PowerShell Invocations - Generic - PowerShell Module"
 },
@@ -4003,8 +4003,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "Suspicious Get Local Groups Information"
 },
@@ -4023,8 +4023,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.initial-access",
- "attack.t1078"
+ "TA0001",
+ "T1078"
 ],
 "title": "Suspicious Computer Machine Password by PowerShell"
 },
@@ -4043,8 +4043,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "SyncAppvPublishingServer Bypass Powershell Restriction - PS Module"
 },
@@ -4063,10 +4063,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module"
 },
@@ -4085,8 +4085,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1049"
+ "TA0007",
+ "T1049"
 ],
 "title": "Use Get-NetTCPConnection - PowerShell Module"
 },
@@ -4105,10 +4105,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation VAR+ Launcher - PowerShell Module"
 },
@@ -4127,8 +4127,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1140"
+ "TA0005",
+ "T1140"
 ],
 "title": "PowerShell Decompress Commands"
 },
@@ -4147,8 +4147,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "AD Groups Or Users Enumeration Using PowerShell - PoshModule"
 },
@@ -4167,8 +4167,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Malicious PowerShell Scripts - PoshModule"
 },
@@ -4187,10 +4187,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module"
 },
@@ -4209,10 +4209,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.lateral-movement",
- "attack.t1021.006"
+ "TA0002",
+ "T1059.001",
+ "TA0008",
+ "T1021.006"
 ],
 "title": "Remote PowerShell Session (PS Module)"
 },
@@ -4231,10 +4231,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Use Rundll32 - PowerShell Module"
 },
@@ -4253,10 +4253,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Use MSHTA - PowerShell Module"
 },
@@ -4275,8 +4275,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious PowerShell Download - PoshModule"
 },
@@ -4295,16 +4295,16 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.discovery",
- "attack.t1482",
- "attack.t1087",
- "attack.t1087.001",
- "attack.t1087.002",
- "attack.t1069.001",
- "attack.t1069.002",
- "attack.t1069",
- "attack.t1059.001"
+ "TA0002",
+ "TA0007",
+ "T1482",
+ "T1087",
+ "T1087.001",
+ "T1087.002",
+ "T1069.001",
+ "T1069.002",
+ "T1069",
+ "T1059.001"
 ],
 "title": "Malicious PowerShell Commandlets - PoshModule"
 },
@@ -4323,10 +4323,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module"
 },
@@ -4345,8 +4345,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.003"
+ "TA0005",
+ "T1070.003"
 ],
 "title": "Clear PowerShell History - PowerShell Module"
 },
@@ -4365,8 +4365,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "Suspicious Get Information for SMB Share - PowerShell Module"
 },
@@ -4385,8 +4385,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module"
 },
@@ -4405,8 +4405,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.collection",
- "attack.t1074.001"
+ "TA0009",
+ "T1074.001"
 ],
 "title": "Zip A Folder With PowerShell For Staging In Temp - PowerShell Module"
 },
@@ -4425,10 +4425,10 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation CLIP+ Launcher - PowerShell Module"
 },
@@ -4447,7 +4447,7 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "HackTool - Evil-WinRm Execution - PowerShell Module"
 },
@@ -4466,8 +4466,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Bad Opsec Powershell Code Artifacts"
 },
@@ -4487,8 +4487,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1016"
+ "TA0007",
+ "T1016"
 ],
 "title": "Userdomain Variable Enumeration"
 },
@@ -4508,8 +4508,8 @@
 "0CCE9226-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021"
+ "TA0008",
+ "T1021"
 ],
 "title": "New RDP Connection Initiated From Domain Controller"
 },
@@ -4529,13 +4529,13 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.defense-evasion",
- "attack.discovery",
+ "TA0006",
+ "TA0005",
+ "TA0007",
 "attack.s0075",
- "attack.t1012",
- "attack.t1112",
- "attack.t1552.002"
+ "T1012",
+ "T1112",
+ "T1552.002"
 ],
 "title": "Remote Registry Management Using Reg Utility"
 },
@@ -4559,8 +4559,8 @@
 "0CCE9217-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1078"
+ "TA0008",
+ "T1078"
 ],
 "title": "Interactive Logon to Server Systems"
 },
@@ -4581,12 +4581,12 @@
 "0CCE921B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.lateral-movement",
- "attack.credential-access",
- "attack.t1558",
- "attack.t1649",
- "attack.t1550"
+ "TA0005",
+ "TA0008",
+ "TA0006",
+ "T1558",
+ "T1649",
+ "T1550"
 ],
 "title": "User with Privileges Logon"
 },
@@ -4608,8 +4608,8 @@
 "0CCE9217-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1550.002",
+ "TA0008",
+ "T1550.002",
 "car.2016-04-004"
 ],
 "title": "Potential Pass the Hash Activity"
@@ -4630,8 +4630,8 @@
 "0CCE9236-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068",
+ "TA0004",
+ "T1068",
 "cve.2020-1472"
 ],
 "title": "Potential Zerologon (CVE-2020-1472) Exploitation"
@@ -4650,7 +4650,7 @@
 "service": "shell-core",
 "subcategory_guids": [],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Suspicious Application Installed"
 },
@@ -4674,13 +4674,13 @@
 "service": "applocker",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.t1059.005",
- "attack.t1059.006",
- "attack.t1059.007"
+ "TA0002",
+ "T1204.002",
+ "T1059.001",
+ "T1059.003",
+ "T1059.005",
+ "T1059.006",
+ "T1059.007"
 ],
 "title": "File Was Not Allowed To Run"
 },
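Review bot: The tag array of "Remote Registry Management Using Reg Utility" now mixes two conventions: tactic and technique tags are rewritten to bare IDs (`TA0006`, `T1012`) while the software tag `attack.s0075` keeps the old `attack.` prefix. A consumer that selects ATT&CK tags by the `attack.` prefix will now see only the software entry, and one that matches bare `TA`/`T` IDs will silently drop it, so the mapping should either also emit `S0075` or the generator that produced this file should document that software IDs are intentionally left untouched. The same partial conversion appears with `attack.s0029` in "PUA - NSudo Execution", `attack.s0108` in "Firewall Disabled via Netsh.EXE" and `attack.s0190` in "File Download Via Bitsadmin" in later hunks. The `car.*` and `cve.*` tags in this and neighbouring hunks are a different namespace and are unaffected; the generator that performs the rewrite is outside this diff.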
@@ -4699,8 +4699,8 @@
 "service": "security-mitigations",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001"
+ "TA0005",
+ "T1574.001"
 ],
 "title": "Microsoft Defender Blocked from Loading Unsigned DLL"
 },
@@ -4719,8 +4719,8 @@
 "service": "security-mitigations",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001"
+ "TA0005",
+ "T1574.001"
 ],
 "title": "Unsigned Binary Loaded From Suspicious Location"
 },
@@ -4740,9 +4740,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1546.011"
+ "TA0003",
+ "TA0004",
+ "T1546.011"
 ],
 "title": "Potential Shim Database Persistence via Sdbinst.EXE"
 },
@@ -4762,8 +4762,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003"
+ "TA0006",
+ "T1003"
 ],
 "title": "Suspicious Reg Add Open Command"
 },
@@ -4783,19 +4783,19 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.defense-evasion",
- "attack.discovery",
- "attack.execution",
- "attack.privilege-escalation",
- "attack.t1046",
- "attack.t1082",
- "attack.t1106",
- "attack.t1518",
- "attack.t1548.002",
- "attack.t1552.001",
- "attack.t1555",
- "attack.t1555.003"
+ "TA0006",
+ "TA0005",
+ "TA0007",
+ "TA0002",
+ "TA0004",
+ "T1046",
+ "T1082",
+ "T1106",
+ "T1518",
+ "T1548.002",
+ "T1552.001",
+ "T1555",
+ "T1555.003"
 ],
 "title": "HackTool - WinPwn Execution"
 },
@@ -4815,12 +4815,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.discovery",
- "attack.execution",
- "attack.t1615",
- "attack.t1569.002",
- "attack.t1574.005"
+ "TA0004",
+ "TA0007",
+ "TA0002",
+ "T1615",
+ "T1569.002",
+ "T1574.005"
 ],
 "title": "HackTool - SharpUp PrivEsc Tool Execution"
 },
@@ -4840,8 +4840,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.004"
+ "TA0005",
+ "T1564.004"
 ],
 "title": "Potential Rundll32 Execution With DLL Stored In ADS"
 },
@@ -4861,8 +4861,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1489"
+ "TA0040",
+ "T1489"
 ],
 "title": "Disable Important Scheduled Task"
 },
@@ -4882,7 +4882,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration"
+ "TA0010"
 ],
 "title": "Active Directory Structure Export Via Ldifde.EXE"
 },
@@ -4902,10 +4902,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0002",
+ "T1059",
+ "TA0005",
+ "T1202"
 ],
 "title": "Suspicious Runscripthelper.exe"
 },
@@ -4925,8 +4925,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1136.001"
+ "TA0003",
+ "T1136.001"
 ],
 "title": "New User Created Via Net.EXE"
 },
@@ -4946,8 +4946,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Firewall Rule Deleted Via Netsh.EXE"
 },
@@ -4967,8 +4967,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "HackTool - CreateMiniDump Execution"
 },
@@ -4988,10 +4988,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.005",
- "attack.t1059.007"
+ "TA0002",
+ "T1059.003",
+ "T1059.005",
+ "T1059.007"
 ],
 "title": "HackTool - Koadic Execution"
 },
@@ -5011,7 +5011,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery"
+ "TA0007"
 ],
 "title": "Obfuscated IP Via CLI"
 },
@@ -5031,9 +5031,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.credential-access",
- "attack.t1649"
+ "TA0007",
+ "TA0006",
+ "T1649"
 ],
 "title": "HackTool - Certify Execution"
 },
@@ -5053,11 +5053,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218.002",
- "attack.persistence",
- "attack.t1546"
+ "TA0002",
+ "TA0005",
+ "T1218.002",
+ "TA0003",
+ "T1546"
 ],
 "title": "Control Panel Items"
 },
@@ -5077,13 +5077,13 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.initial-access",
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.lateral-movement",
- "attack.t1021.002",
- "attack.t1078"
+ "TA0005",
+ "TA0001",
+ "TA0003",
+ "TA0004",
+ "TA0008",
+ "T1021.002",
+ "T1078"
 ],
 "title": "Password Provided In Command Line Of Net.EXE"
 },
@@ -5103,8 +5103,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1090"
+ "TA0011",
+ "T1090"
 ],
 "title": "PUA - Fast Reverse Proxy (FRP) Execution"
 },
@@ -5124,10 +5124,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.lateral-movement",
- "attack.t1569",
- "attack.t1021"
+ "TA0002",
+ "TA0008",
+ "T1569",
+ "T1021"
 ],
 "title": "Psexec Execution"
 },
@@ -5147,8 +5147,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Potential COM Objects Download Cradles Usage - Process Creation"
 },
@@ -5168,8 +5168,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "PUA - CleanWipe Execution"
 },
@@ -5189,8 +5189,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0005",
+ "T1127"
 ],
 "title": "Use of Wfc.exe"
 },
@@ -5210,11 +5210,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.lateral-movement",
- "attack.t1572",
- "attack.t1021.001",
- "attack.t1021.004"
+ "TA0011",
+ "TA0008",
+ "T1572",
+ "T1021.001",
+ "T1021.004"
 ],
 "title": "Port Forwarding Activity Via SSH.EXE"
 },
@@ -5234,10 +5234,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1003.001",
- "attack.credential-access"
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006"
 ],
 "title": "HackTool - XORDump Execution"
 },
@@ -5257,9 +5257,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1202",
- "attack.defense-evasion",
- "attack.t1218"
+ "T1202",
+ "TA0005",
+ "T1218"
 ],
 "title": "Potentially Suspicious Child Processes Spawned by ConHost"
 },
@@ -5279,8 +5279,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potentially Suspicious CMD Shell Output Redirect"
 },
@@ -5300,9 +5300,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.t1007"
+ "TA0007",
+ "T1012",
+ "T1007"
 ],
 "title": "Potential Configuration And Service Reconnaissance Via Reg.EXE"
 },
@@ -5322,8 +5322,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1482"
+ "TA0007",
+ "T1482"
 ],
 "title": "HackTool - TruffleSnout Execution"
 },
@@ -5343,11 +5343,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.010",
- "attack.t1218.007",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027.010",
+ "T1218.007",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Obfuscated PowerShell MSI Install via WindowsInstaller COM"
 },
@@ -5367,8 +5367,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.002"
+ "TA0005",
+ "T1564.002"
 ],
 "title": "Hiding User Account Via SpecialAccounts Registry Key - CommandLine"
 },
@@ -5388,10 +5388,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1047",
- "attack.t1562"
+ "TA0005",
+ "TA0002",
+ "T1047",
+ "T1562"
 ],
 "title": "Potential Windows Defender Tampering Via Wmic.EXE"
 },
@@ -5411,8 +5411,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1005"
+ "TA0009",
+ "T1005"
 ],
 "title": "VeeamBackup Database Credentials Dump Via Sqlcmd.EXE"
 },
@@ -5432,9 +5432,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Potential File Download Via MS-AppInstaller Protocol Handler"
 },
@@ -5454,8 +5454,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1037.001",
- "attack.persistence"
+ "T1037.001",
+ "TA0003"
 ],
 "title": "Uncommon Userinit Child Process"
 },
@@ -5475,10 +5475,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.command-and-control",
- "attack.t1105"
+ "TA0005",
+ "T1218",
+ "TA0011",
+ "T1105"
 ],
 "title": "Curl Download And Execute Combination"
 },
@@ -5498,8 +5498,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "Suspicious Windows Update Agent Empty Cmdline"
 },
@@ -5519,8 +5519,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1053.005"
+ "TA0002",
+ "T1053.005"
 ],
 "title": "Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE"
 },
@@ -5540,9 +5540,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Arbitrary File Download Via IMEWDBLD.EXE"
 },
@@ -5562,8 +5562,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021.002"
+ "TA0008",
+ "T1021.002"
 ],
 "title": "Windows Internet Hosted WebDav Share Mount Via Net.EXE"
 },
@@ -5583,9 +5583,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Using Windows Media Player - Process"
 },
@@ -5605,7 +5605,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Computer Password Change Via Ksetup.EXE"
 },
@@ -5625,8 +5625,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "Potentially Suspicious Rundll32 Activity"
 },
@@ -5646,8 +5646,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.008"
+ "TA0005",
+ "T1218.008"
 ],
 "title": "New DLL Registered Via Odbcconf.EXE"
 },
@@ -5667,9 +5667,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1216"
+ "TA0005",
+ "T1218",
+ "T1216"
 ],
 "title": "SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code"
 },
@@ -5689,8 +5689,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "DLL Execution via Rasautou.exe"
 },
@@ -5710,10 +5710,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1003.001",
- "attack.credential-access"
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006"
 ],
 "title": "Procdump Execution"
 },
@@ -5733,8 +5733,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1548"
+ "TA0004",
+ "T1548"
 ],
 "title": "Regedit as Trusted Installer"
 },
@@ -5754,8 +5754,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1518"
+ "TA0007",
+ "T1518"
 ],
 "title": "Detected Windows Software Discovery"
 },
@@ -5775,8 +5775,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1569.002",
+ "TA0002",
+ "T1569.002",
 "attack.s0029"
 ],
 "title": "PUA - NSudo Execution"
@@ -5797,9 +5797,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass WSReset"
 },
@@ -5819,8 +5819,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Replace.exe Usage"
 },
@@ -5840,8 +5840,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "Suspicious Rundll32 Execution With Image Extension"
 },
@@ -5861,9 +5861,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.collection",
- "attack.t1185"
+ "TA0006",
+ "TA0009",
+ "T1185"
 ],
 "title": "Browser Started with Remote Debugging"
 },
@@ -5883,9 +5883,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.privilege-escalation",
- "attack.t1059"
+ "TA0002",
+ "TA0004",
+ "T1059"
 ],
 "title": "PUA - Wsudo Suspicious Execution"
 },
@@ -5905,10 +5905,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
+ "TA0002",
+ "TA0005",
+ "T1218",
+ "T1202"
 ],
 "title": "Potentially Suspicious Child Process Of VsCode"
 },
@@ -5928,8 +5928,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1529"
+ "TA0040",
+ "T1529"
 ],
 "title": "Suspicious Execution of Shutdown to Log Out"
 },
@@ -5949,9 +5949,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1134.002"
+ "TA0005",
+ "TA0004",
+ "T1134.002"
 ],
 "title": "PUA - AdvancedRun Suspicious Execution"
 },
@@ -5971,11 +5971,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1140",
- "attack.t1218.005",
- "attack.execution",
- "attack.t1059.007",
+ "TA0005",
+ "T1140",
+ "T1218.005",
+ "TA0002",
+ "T1059.007",
 "cve.2020-1599"
 ],
 "title": "MSHTA Execution with Suspicious File Extensions"
@@ -5996,10 +5996,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.002",
- "attack.t1003.004",
- "attack.t1003.005",
+ "TA0006",
+ "T1003.002",
+ "T1003.004",
+ "T1003.005",
 "car.2013-07-001"
 ],
 "title": "Dumping of Sensitive Hives Via Reg.EXE"
@@ -6020,8 +6020,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047"
+ "TA0002",
+ "T1047"
 ],
 "title": "WMIC Remote Command Execution"
 },
@@ -6041,8 +6041,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "AddinUtil.EXE Execution From Uncommon Directory"
 },
@@ -6062,8 +6062,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.008"
+ "TA0005",
+ "T1218.008"
 ],
 "title": "Suspicious Driver/DLL Installation Via Odbcconf.EXE"
 },
@@ -6083,8 +6083,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.010"
+ "TA0005",
+ "T1218.010"
 ],
 "title": "Potentially Suspicious Child Process Of Regsvr32"
 },
@@ -6104,8 +6104,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "COM Object Execution via Xwizard.EXE" }, @@ -6125,8 +6125,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.004", + "TA0005", + "T1562.004", "attack.s0108" ], "title": "Firewall Disabled via Netsh.EXE" @@ -6147,8 +6147,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Use of Pcalua For Execution" }, @@ -6168,8 +6168,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Process Memory Dump Via Dotnet-Dump" }, @@ -6189,9 +6189,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.credential-access", - "attack.t1212" + "TA0004", + "TA0006", + "T1212" ], "title": "Suspicious NTLM Authentication on the Printer Spooler Service" }, @@ -6211,10 +6211,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1119", - "attack.credential-access", - "attack.t1552.001" + "TA0009", + "T1119", + "TA0006", + "T1552.001" ], "title": "Automated Collection Command Prompt" }, @@ -6234,11 +6234,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "attack.s0190", - "attack.t1036.003" + "T1036.003" ], "title": "File Download Via Bitsadmin" }, @@ -6258,8 +6258,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1083" + "TA0007", + "T1083" ], "title": "DirLister Execution" }, @@ -6279,8 +6279,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Execution via WorkFolders.exe" }, 
@@ -6300,9 +6300,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1563.002", - "attack.t1021.001", + "TA0008", + "T1563.002", + "T1021.001", "car.2013-07-002" ], "title": "Suspicious RDP Redirect Using TSCON" @@ -6323,9 +6323,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059" + "TA0005", + "TA0002", + "T1059" ], "title": "Add Insecure Download Source To Winget" }, @@ -6345,8 +6345,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1222.001" + "TA0005", + "T1222.001" ], "title": "Suspicious Recursive Takeown" }, @@ -6366,8 +6366,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.005", + "TA0005", + "T1218.005", "car.2013-02-003", "car.2013-03-001", "car.2014-04-003" @@ -6390,8 +6390,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Windows Admin Share Mount Via Net.EXE" }, @@ -6411,7 +6411,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery" + "TA0007" ], "title": "HackTool - SharpLDAPmonitor Execution" }, @@ -6431,8 +6431,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "ETW Logging Tamper In .NET Processes Via CommandLine" }, @@ -6452,7 +6452,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Execution Of Non-Existing File" }, @@ -6472,11 +6472,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1539", - "attack.t1555.003", - "attack.collection", - "attack.t1005" + "TA0006", + "T1539", + "T1555.003", + "TA0009", + "T1005" ], "title": "SQLite Chromium Profile Data DB Access" }, 
@@ -6496,12 +6496,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.defense-evasion", - "attack.t1218", - "attack.command-and-control", - "attack.t1105" + "TA0003", + "T1053.005", + "TA0005", + "T1218", + "TA0011", + "T1105" ], "title": "Scheduled Task Creation with Curl and PowerShell Execution Combo" }, @@ -6521,10 +6521,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Stdin" }, @@ -6544,8 +6544,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Potential Dosfuscation Activity" }, @@ -6565,9 +6565,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002", - "attack.t1003.003" + "TA0006", + "T1003.002", + "T1003.003" ], "title": "VolumeShadowCopy Symlink Creation Via Mklink" }, @@ -6587,9 +6587,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", - "attack.t1218" + "TA0005", + "T1036", + "T1218" ], "title": "Sdiagnhost Calling Suspicious Child Process" }, @@ -6609,9 +6609,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "TA0002", + "TA0003", + "T1053.005" ], "title": "Suspicious Scheduled Task Creation Involving Temp Folder" }, @@ -6631,9 +6631,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.003", - "attack.t1036.005" + "TA0005", + "T1036.003", + "T1036.005" ], "title": "Windows Processes Suspicious Parent Directory" }, 
@@ -6653,8 +6653,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.004", + "TA0005", + "T1562.004", "attack.s0246" ], "title": "New Firewall Rule Added Via Netsh.EXE" @@ -6675,7 +6675,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "PsExec Service Child Process Execution as LOCAL SYSTEM" }, @@ -6695,8 +6695,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Potentially Suspicious Office Document Executed From Trusted Location" }, @@ -6716,8 +6716,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.009" + "TA0005", + "T1218.009" ], "title": "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension" }, @@ -6737,8 +6737,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Suspicious Splwow64 Without Params" }, @@ -6758,8 +6758,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.004" + "TA0002", + "T1204.004" ], "title": "FileFix - Suspicious Child Process from Browser File Upload Abuse" }, @@ -6779,8 +6779,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Use of TTDInject.exe" }, @@ -6800,7 +6800,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE" }, @@ -6820,8 +6820,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1046" + "TA0007", + "T1046" ], "title": "PUA - Nmap/Zenmap Execution" }, 
@@ -6841,10 +6841,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1134.001", - "attack.t1134.003" + "TA0004", + "TA0005", + "T1134.001", + "T1134.003" ], "title": "HackTool - SharpImpersonation Execution" }, @@ -6864,8 +6864,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.003", + "TA0002", + "T1059.003", "stp.1u" ], "title": "Operator Bloopers Cobalt Strike Commands" @@ -6886,8 +6886,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Import PowerShell Modules From Suspicious Directories - ProcCreation" }, @@ -6907,8 +6907,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "TA0009", + "T1560.001" ], "title": "Compress Data and Lock With Password for Exfiltration With WINZIP" }, @@ -6928,9 +6928,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1047" + "TA0007", + "TA0002", + "T1047" ], "title": "Computer System Reconnaissance Via Wmic.EXE" }, @@ -6950,8 +6950,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Suspicious File Encoded To Base64 Via Certutil.EXE" }, @@ -6971,9 +6971,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059" + "TA0005", + "TA0002", + "T1059" ], "title": "Suspicious RASdial Activity" }, @@ -6993,9 +6993,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002", - "attack.t1112", + "TA0005", + "T1562.002", + "T1112", "car.2022-03-001" ], "title": "Security Event Logging Disabled via MiniNt Registry Key - Process" 
@@ -7016,7 +7016,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "File Decryption Using Gpg4win" }, @@ -7036,12 +7036,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1047", - "attack.t1220", - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "TA0005", + "T1047", + "T1220", + "TA0002", + "T1059.005", + "T1059.007" ], "title": "Potential SquiblyTwo Technique Execution" }, @@ -7061,8 +7061,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Deletion of Volume Shadow Copies via WMI with PowerShell" }, @@ -7082,11 +7082,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1018", - "attack.t1087.002", - "attack.t1482", - "attack.t1069.002", + "TA0007", + "T1018", + "T1087.002", + "T1482", + "T1069.002", "stp.1u" ], "title": "PUA - AdFind Suspicious Execution" @@ -7107,8 +7107,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1217" + "TA0007", + "T1217" ], "title": "Suspicious Where Execution" }, @@ -7128,9 +7128,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1059.001" + "TA0002", + "T1047", + "T1059.001" ], "title": "Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell" }, @@ -7150,8 +7150,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "InfDefaultInstall.exe .inf Execution" }, @@ -7171,8 +7171,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1548.002" + "TA0004", + "T1548.002" ], "title": "Bypass UAC via Fodhelper.exe" }, 
@@ -7192,10 +7192,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation" }, @@ -7215,9 +7215,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001", - "attack.t1112" + "TA0005", + "T1574.001", + "T1112" ], "title": "New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE" }, @@ -7237,10 +7237,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "TA0002", + "TA0003", + "T1053.005", + "T1059.001" ], "title": "Scheduled Task Executing Encoded Payload from Registry" }, @@ -7260,8 +7260,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "All Backups Deleted Via Wbadmin.EXE" }, @@ -7281,8 +7281,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "HackTool - RemoteKrbRelay Execution" }, @@ -7302,8 +7302,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Potentially Suspicious ASP.NET Compilation Via AspNetCompiler" }, @@ -7323,10 +7323,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1059", - "attack.t1562.001" + "TA0002", + "TA0005", + "T1059", + "T1562.001" ], "title": "HackTool - Stracciatella Execution" }, @@ -7346,8 +7346,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Suspicious Curl.EXE Download" }, 
@@ -7367,8 +7367,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE" }, @@ -7388,8 +7388,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Diskshadow Script Mode - Uncommon Script Extension Execution" }, @@ -7409,8 +7409,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1132.001" + "TA0011", + "T1132.001" ], "title": "Gzip Archive Decode Via PowerShell" }, @@ -7430,7 +7430,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Obfuscated PowerShell Code" }, @@ -7450,8 +7450,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "PUA - Nimgrab Execution" }, @@ -7471,8 +7471,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Suspicious Mstsc.EXE Execution With Local RDP File" }, @@ -7492,8 +7492,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "HackTool - Pypykatz Credentials Dumping Activity" }, @@ -7513,8 +7513,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.t1566" + "TA0001", + "T1566" ], "title": "Phishing Pattern ISO in Archive" }, @@ -7534,8 +7534,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Ie4uinit Lolbin Use From Invalid Path" }, 
@@ -7555,8 +7555,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Python Function Execution Security Warning Disabled In Excel" }, @@ -7576,8 +7576,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "Uncommon System Information Discovery Via Wmic.EXE" }, @@ -7597,11 +7597,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1053.005", - "attack.defense-evasion", - "attack.t1036.004", - "attack.t1036.005" + "TA0003", + "T1053.005", + "TA0005", + "T1036.004", + "T1036.005" ], "title": "Scheduled Task Creation Masquerading as System Processes" }, @@ -7621,7 +7621,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious PowerShell Invocations - Specific - ProcessCreation" }, @@ -7641,8 +7641,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - AnyDesk Execution" }, @@ -7662,8 +7662,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.t1133" + "TA0001", + "T1133" ], "title": "Unusual Child Process of dns.exe" }, @@ -7683,8 +7683,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.resource-development", - "attack.t1587.001" + "TA0042", + "T1587.001" ], "title": "Potential Privilege Escalation To LOCAL SYSTEM" }, @@ -7704,8 +7704,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1505.003" + "TA0003", + "T1505.003" ], "title": "Webshell Tool Reconnaissance Activity" }, @@ -7725,8 +7725,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1033", + "TA0007", + "T1033", "car.2016-03-001" ], "title": "HackTool - SharpLdapWhoami Execution" 
@@ -7747,12 +7747,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1134", - "attack.t1003", - "attack.t1027" + "TA0006", + "TA0005", + "TA0004", + "T1134", + "T1003", + "T1027" ], "title": "Suspicious SYSTEM User Process Creation" }, @@ -7772,9 +7772,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.discovery", - "attack.t1033" + "TA0004", + "TA0007", + "T1033" ], "title": "Whoami.EXE Execution From Privileged Process" }, @@ -7794,8 +7794,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Uninstall Sysinternals Sysmon" }, @@ -7815,8 +7815,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.002" + "TA0002", + "T1204.002" ], "title": "Potential Suspicious Browser Launch From Document Reader Process" }, @@ -7836,8 +7836,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1553.004" + "TA0005", + "T1553.004" ], "title": "New Root Certificate Installed Via CertMgr.EXE" }, @@ -7857,8 +7857,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1552.002" + "TA0006", + "T1552.002" ], "title": "Enumeration for Credentials in Registry" }, @@ -7878,8 +7878,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1569.002", + "TA0002", + "T1569.002", "attack.s0029" ], "title": "PUA - NirCmd Execution As LOCAL SYSTEM" @@ -7900,10 +7900,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege-escalation", - "attack.t1053.005" + "TA0002", + "TA0003", + "TA0004", + "T1053.005" ], "title": "Uncommon One Time Only Scheduled Task At 00:00" }, 
@@ -7923,8 +7923,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1553.004" + "TA0005", + "T1553.004" ], "title": "Suspicious X509Enrollment - Process Creation" }, @@ -7944,10 +7944,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.credential-access", - "attack.t1003.001" + "TA0005", + "TA0002", + "TA0006", + "T1003.001" ], "title": "Potential Adplus.EXE Abuse" }, @@ -7967,8 +7967,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090.001" + "TA0011", + "T1090.001" ], "title": "PUA - Chisel Tunneling Tool Execution" }, @@ -7988,8 +7988,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion" + "TA0003", + "TA0005" ], "title": "Suspicious Process Execution From Fake Recycle.Bin Folder" }, @@ -8009,8 +8009,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.002", + "TA0002", + "T1204.002", "attack.g0046", "car.2013-05-002" ], @@ -8032,11 +8032,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "attack.s0190", - "attack.t1036.003" + "T1036.003" ], "title": "Suspicious Download From File-Sharing Website Via Bitsadmin" }, @@ -8056,7 +8056,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Add Windows Capability Via PowerShell Cmdlet" }, @@ -8076,8 +8076,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555.003" + "TA0006", + "T1555.003" ], "title": "Potential Browser Data Stealing" }, @@ -8097,8 +8097,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "Start Windows Service Via Net.EXE" }, 
@@ -8118,11 +8118,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1203", - "attack.t1574.001" + "TA0002", + "TA0005", + "TA0004", + "T1203", + "T1574.001" ], "title": "Potentially Suspicious Child Process of KeyScrambler.exe" }, @@ -8142,8 +8142,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Malicious Windows Script Components File Execution by TAEF Detection" }, @@ -8163,8 +8163,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1543.003" + "TA0003", + "T1543.003" ], "title": "Deny Service Access Using Security Descriptor Tampering Via Sc.EXE" }, @@ -8184,9 +8184,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1546.011" + "TA0003", + "TA0004", + "T1546.011" ], "title": "Uncommon Extension Shim Database Installation Via Sdbinst.EXE" }, @@ -8206,10 +8206,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.execution", - "attack.t1059" + "TA0004", + "TA0005", + "TA0002", + "T1059" ], "title": "Elevated System Shell Spawned From Uncommon Parent Location" }, @@ -8229,8 +8229,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disabled IE Security Features" }, @@ -8250,10 +8250,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.credential-access", - "attack.t1218", - "attack.t1003.001" + "TA0005", + "TA0006", + "T1218", + "T1003.001" ], "title": "Time Travel Debugging Utility Usage" }, 
@@ -8273,10 +8273,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "TA0002", + "TA0003", + "T1053.005", + "T1059.001" ], "title": "Suspicious Schtasks Execution AppData Folder" }, @@ -8296,7 +8296,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration" + "TA0010" ], "title": "Suspicious PowerShell Mailbox Export to Share" }, @@ -8316,9 +8316,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + "TA0002", + "TA0003", + "T1059" ], "title": "Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" }, @@ -8338,8 +8338,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090.001" + "TA0011", + "T1090.001" ], "title": "Renamed Cloudflared.EXE Execution" }, @@ -8359,8 +8359,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Potentially Suspicious Regsvr32 HTTP/FTP Pattern" }, @@ -8380,9 +8380,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1566", - "attack.t1566.001", - "attack.initial-access" + "T1566", + "T1566.001", + "TA0001" ], "title": "Suspicious Microsoft OneNote Child Process" }, @@ -8402,8 +8402,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1548.002" + "TA0004", + "T1548.002" ], "title": "Always Install Elevated MSI Spawned Cmd And Powershell" }, @@ -8423,7 +8423,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "PowerShell Execution With Potential Decryption Capabilities" }, 
@@ -8443,10 +8443,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059", - "attack.discovery", - "attack.t1018" + "TA0002", + "T1059", + "TA0007", + "T1018" ], "title": "Suspicious Scan Loop Network" }, @@ -8466,9 +8466,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "TA0007", + "T1046", + "T1135" ], "title": "PUA - Advanced Port Scanner Execution" }, @@ -8488,8 +8488,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1016" + "TA0007", + "T1016" ], "title": "Firewall Configuration Discovery Via Netsh.EXE" }, @@ -8509,9 +8509,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "Arbitrary File Download Via MSEDGE_PROXY.EXE" }, @@ -8531,8 +8531,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070" + "TA0005", + "T1070" ], "title": "IIS WebServer Log Deletion via CommandLine Utilities" }, @@ -8552,9 +8552,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.discovery", - "attack.t1087.002" + "TA0010", + "TA0007", + "T1087.002" ], "title": "Active Directory Structure Export Via Csvde.EXE" }, @@ -8574,8 +8574,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Suspicious TSCON Start as SYSTEM" }, @@ -8595,8 +8595,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "HackTool - SafetyKatz Execution" }, 
@@ -8616,9 +8616,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071.001", - "attack.t1219" + "TA0011", + "T1071.001", + "T1219" ], "title": "Renamed Visual Studio Code Tunnel Execution" }, @@ -8638,8 +8638,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1074.001" + "TA0009", + "T1074.001" ], "title": "Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet" }, @@ -8659,7 +8659,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Suspicious File Download From IP Via Wget.EXE" }, @@ -8679,8 +8679,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Raccine Uninstall" }, @@ -8700,8 +8700,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1113" + "TA0009", + "T1113" ], "title": "Windows Recall Feature Enabled Via Reg.EXE" }, @@ -8721,8 +8721,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Security Service Disabled Via Reg.EXE" }, @@ -8742,9 +8742,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", - "attack.t1564.003" + "TA0011", + "T1105", + "T1564.003" ], "title": "Browser Execution In Headless Mode" }, @@ -8764,8 +8764,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Download and Execute Pattern" }, @@ -8785,8 +8785,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Regsvr32 Execution From Highly Suspicious Location" }, 
@@ -8806,8 +8806,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001" + "TA0005", + "T1564.001" ], "title": "Hiding Files with Attrib.exe" }, @@ -8827,8 +8827,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Use NTFS Short Name in Image" }, @@ -8848,8 +8848,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1518.001" + "TA0007", + "T1518.001" ], "title": "Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE" }, @@ -8869,8 +8869,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Potential Unquoted Service Path Reconnaissance Via Wmic.EXE" }, @@ -8890,8 +8890,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Service Started/Stopped Via Wmic.EXE" }, @@ -8911,8 +8911,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.initial-access" + "TA0002", + "TA0001" ], "title": "Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate" }, @@ -8932,8 +8932,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl" }, @@ -8953,9 +8953,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "Arbitrary File Download Via PresentationHost.EXE" }, @@ -8975,8 +8975,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1033", + "TA0007", + "T1033", "car.2016-03-001" ], "title": "WhoAmI as Parameter" 
@@ -8997,8 +8997,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1548.002" + "TA0005", + "T1548.002" ], "title": "Explorer NOUACCHECK Flag" }, @@ -9018,10 +9018,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002" + "TA0007", + "T1087", + "T1087.001", + "T1087.002" ], "title": "Suspicious Use of PsLogList" }, @@ -9041,8 +9041,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1505.003" + "TA0003", + "T1505.003" ], "title": "IIS Native-Code Module Command Line Installation" }, @@ -9062,9 +9062,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071.001", - "attack.t1219" + "TA0011", + "T1071.001", + "T1219" ], "title": "Visual Studio Code Tunnel Execution" }, @@ -9084,7 +9084,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Base64 MZ Header In CommandLine" }, @@ -9104,13 +9104,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.credential-access", - "attack.command-and-control", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "TA0005", + "TA0006", + "TA0011", + "T1218", + "T1564.004", + "T1552.001", + "T1105" ], "title": "Remote File Download Via Findstr.EXE" }, @@ -9130,8 +9130,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI" }, @@ -9151,11 +9151,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.t1053", - "attack.t1059.003", - "attack.t1059.001", + "TA0002", + "T1047", + "T1053", + "T1059.003", + "T1059.001", "attack.s0106" ], "title": "HackTool - CrackMapExec Execution Patterns" 
@@ -9176,8 +9176,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "Potential DLL Sideloading Via DeviceEnroller.EXE" }, @@ -9197,8 +9197,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "TA0010", + "T1048.003" ], "title": "WebDav Client Execution Via Rundll32.EXE" }, @@ -9218,8 +9218,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1016" + "TA0007", + "T1016" ], "title": "Suspicious Network Command" }, @@ -9239,16 +9239,16 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069", - "attack.t1059.001" + "TA0002", + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069", + "T1059.001" ], "title": "Malicious PowerShell Commandlets - ProcessCreation" }, @@ -9268,8 +9268,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1033", + "TA0007", + "T1033", "car.2016-03-001" ], "title": "Whoami Utility Execution" @@ -9290,8 +9290,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "OpenWith.exe Executes Specified Binary" }, @@ -9311,13 +9311,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1082", - "attack.t1057", - "attack.t1012", - "attack.t1083", - "attack.t1007" + "TA0002", + "TA0007", + "T1082", + "T1057", + "T1012", + "T1083", + "T1007" ], "title": "HackTool - PCHunter Execution" }, 
@@ -9337,9 +9337,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
+ "TA0005",
+ "T1218",
+ "T1202"
 ],
 "title": "Uncommon Child Process Of Setres.EXE"
 },
@@ -9359,8 +9359,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068"
+ "TA0004",
+ "T1068"
 ],
 "title": "HKTL - SharpSuccessor Privilege Escalation Tool Execution"
 },
@@ -9380,8 +9380,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1588.002"
+ "TA0042",
+ "T1588.002"
 ],
 "title": "Potential Execution of Sysinternals Tools"
 },
@@ -9401,12 +9401,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1049",
- "attack.t1069.002",
- "attack.t1482",
- "attack.t1135",
- "attack.t1033"
+ "TA0007",
+ "T1049",
+ "T1069.002",
+ "T1482",
+ "T1135",
+ "T1033"
 ],
 "title": "HackTool - SharpView Execution"
 },
@@ -9426,8 +9426,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion"
+ "TA0002",
+ "TA0005"
 ],
 "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI"
 },
@@ -9447,8 +9447,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0011",
+ "T1219.002"
 ],
 "title": "QuickAssist Execution"
 },
@@ -9468,9 +9468,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Arbitrary File Download Via MSOHTMED.EXE"
 },
@@ -9490,8 +9490,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.010"
+ "TA0005",
+ "T1218.010"
 ],
 "title": "Regsvr32 Execution From Potential Suspicious Location"
 },
@@ -9511,8 +9511,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547"
+ "TA0003",
+ "T1547"
 ],
 "title": "Suspicious GrpConv Execution"
 },
@@ -9532,10 +9532,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047",
- "attack.discovery",
- "attack.t1082"
+ "TA0002",
+ "T1047",
+ "TA0007",
+ "T1082"
 ],
 "title": "Potential Product Class Reconnaissance Via Wmic.EXE"
 },
@@ -9555,8 +9555,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerShell Base64 Encoded IEX Cmdlet"
 },
@@ -9576,8 +9576,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003"
+ "TA0006",
+ "T1003"
 ],
 "title": "Capture Credentials with Rpcping.exe"
 },
@@ -9597,8 +9597,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003"
+ "TA0002",
+ "T1059.003"
 ],
 "title": "Operator Bloopers Cobalt Strike Modules"
 },
@@ -9618,8 +9618,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "HackTool - CrackMapExec Process Patterns"
 },
@@ -9639,8 +9639,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1574.011"
+ "TA0003",
+ "T1574.011"
 ],
 "title": "Changing Existing Service ImagePath Value Via Reg.EXE"
 },
@@ -9660,8 +9660,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.001"
+ "TA0005",
+ "T1218.001"
 ],
 "title": "HH.EXE Execution"
 },
@@ -9681,8 +9681,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.002"
+ "TA0006",
+ "T1003.002"
 ],
 "title": "PowerShell SAM Copy"
 },
@@ -9702,7 +9702,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Potentially Suspicious Execution Of PDQDeployRunner"
 },
@@ -9722,10 +9722,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.002",
- "attack.t1069.002",
- "attack.t1482"
+ "TA0007",
+ "T1087.002",
+ "T1069.002",
+ "T1482"
 ],
 "title": "Suspicious Active Directory Database Snapshot Via ADExplorer"
 },
@@ -9745,9 +9745,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1016",
- "attack.t1482"
+ "TA0007",
+ "T1016",
+ "T1482"
 ],
 "title": "Potential Recon Activity Via Nltest.EXE"
 },
@@ -9767,8 +9767,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Potential Data Exfiltration Activity Via CommandLine Tools"
 },
@@ -9788,10 +9788,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1127",
- "attack.t1059.007"
+ "TA0005",
+ "TA0002",
+ "T1127",
+ "T1059.007"
 ],
 "title": "Node Process Executions"
 },
@@ -9811,9 +9811,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration",
- "attack.discovery",
- "attack.t1012"
+ "TA0010",
+ "TA0007",
+ "T1012"
 ],
 "title": "Exports Critical Registry Keys To a File"
 },
@@ -9833,8 +9833,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious File Execution From Internet Hosted WebDav Share"
 },
@@ -9854,7 +9854,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "NtdllPipe Like Activity Execution"
 },
@@ -9874,7 +9874,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Insecure Transfer Via Curl.EXE"
 },
@@ -9894,8 +9894,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1133"
+ "TA0001",
+ "T1133"
 ],
 "title": "Remote Access Tool - Team Viewer Session Started On Windows Host"
 },
@@ -9915,8 +9915,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001",
+ "TA0006",
+ "T1003.001",
 "attack.s0005"
 ],
 "title": "HackTool - Windows Credential Editor (WCE) Execution"
@@ -9937,8 +9937,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0005",
+ "T1027"
 ],
 "title": "Suspicious Download Via Certutil.EXE"
 },
@@ -9958,9 +9958,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007"
+ "TA0002",
+ "T1059.005",
+ "T1059.007"
 ],
 "title": "Potential Dropper Script Execution Via WScript/CScript"
 },
@@ -9980,8 +9980,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Suspicious Diantz Download and Compress Into a CAB File"
 },
@@ -10001,7 +10001,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "File Download From IP URL Via Curl.EXE"
 },
@@ -10021,8 +10021,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1553.004"
+ "TA0005",
+ "T1553.004"
 ],
 "title": "New Root Certificate Installed Via Certutil.EXE"
 },
@@ -10042,8 +10042,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "RDP Connection Allowed Via Netsh.EXE"
 },
@@ -10063,8 +10063,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1053.005"
+ "TA0002",
+ "T1053.005"
 ],
 "title": "Suspicious Schtasks Schedule Types"
 },
@@ -10084,8 +10084,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003"
+ "TA0006",
+ "T1003"
 ],
 "title": "Potential Credential Dumping Attempt Using New NetworkProvider - CLI"
 },
@@ -10105,9 +10105,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.persistence",
- "attack.privilege-escalation"
+ "TA0001",
+ "TA0003",
+ "TA0004"
 ],
 "title": "Suspicious Child Process Of Veeam Dabatase"
 },
@@ -10127,8 +10127,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.007"
+ "TA0005",
+ "T1218.007"
 ],
 "title": "Suspicious Msiexec Quiet Install From Remote Location"
 },
@@ -10148,9 +10148,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Using NTFS Reparse Point - Process"
 },
@@ -10170,8 +10170,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0004",
+ "T1548.002"
 ],
 "title": "Always Install Elevated Windows Installer"
 },
@@ -10191,8 +10191,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1485"
+ "TA0040",
+ "T1485"
 ],
 "title": "Deleted Data Overwritten Via Cipher.EXE"
 },
@@ -10212,8 +10212,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0011",
+ "T1219.002"
 ],
 "title": "Remote Access Tool - AnyDesk Piped Password Via CLI"
 },
@@ -10233,9 +10233,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0002",
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Service StartupType Change Via PowerShell Set-Service"
 },
@@ -10255,8 +10255,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1036",
- "attack.defense-evasion"
+ "T1036",
+ "TA0005"
 ],
 "title": "Suspicious CodePage Switch Via CHCP"
 },
@@ -10276,9 +10276,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Using MSConfig Token Modification - Process"
 },
@@ -10298,11 +10298,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1027",
- "attack.t1620"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027",
+ "T1620"
 ],
 "title": "PowerShell Base64 Encoded Reflective Assembly Load"
 },
@@ -10322,20 +10322,20 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.initial-access",
- "attack.t1047",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.t1059.005",
- "attack.t1059.007",
- "attack.t1218",
- "attack.t1218.001",
- "attack.t1218.010",
- "attack.t1218.011",
- "attack.t1566",
- "attack.t1566.001"
+ "TA0005",
+ "TA0002",
+ "TA0001",
+ "T1047",
+ "T1059.001",
+ "T1059.003",
+ "T1059.005",
+ "T1059.007",
+ "T1218",
+ "T1218.001",
+ "T1218.010",
+ "T1218.011",
+ "T1566",
+ "T1566.001"
 ],
 "title": "Suspicious HH.EXE Execution"
 },
@@ -10355,8 +10355,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Potential CobaltStrike Process Patterns"
 },
@@ -10376,10 +10376,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation Via Use Clip"
 },
@@ -10399,9 +10399,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Using Consent and Comctl32 - Process"
 },
@@ -10421,8 +10421,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1489"
+ "TA0040",
+ "T1489"
 ],
 "title": "Stop Windows Service Via Net.EXE"
 },
@@ -10442,10 +10442,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.defense-evasion",
- "attack.t1548.002",
- "attack.t1218.003"
+ "TA0004",
+ "TA0005",
+ "T1548.002",
+ "T1218.003"
 ],
 "title": "Bypass UAC via CMSTP"
 },
@@ -10465,8 +10465,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "Suspicious Process Parents"
 },
@@ -10486,8 +10486,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1220"
+ "TA0005",
+ "T1220"
 ],
 "title": "XSL Script Execution Via WMIC.EXE"
 },
@@ -10507,8 +10507,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Lolbin Unregmp2.exe Use As Proxy"
 },
@@ -10528,8 +10528,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "File Download Using Notepad++ GUP Utility"
 },
@@ -10549,8 +10549,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047"
+ "TA0002",
+ "T1047"
 ],
 "title": "Potential Product Reconnaissance Via Wmic.EXE"
 },
@@ -10570,8 +10570,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "RestrictedAdminMode Registry Value Tampering - ProcCreation"
 },
@@ -10591,8 +10591,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.004"
+ "TA0006",
+ "T1552.004"
 ],
 "title": "PowerShell Get-Process LSASS"
 },
@@ -10612,9 +10612,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1059"
+ "TA0005",
+ "TA0002",
+ "T1059"
 ],
 "title": "Add Potential Suspicious New Download Source To Winget"
 },
@@ -10634,8 +10634,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.005"
+ "TA0005",
+ "T1070.005"
 ],
 "title": "Unmount Share Via Net.EXE"
 },
@@ -10655,11 +10655,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1204.002",
- "attack.t1047",
- "attack.t1218.010",
- "attack.execution",
- "attack.defense-evasion"
+ "T1204.002",
+ "T1047",
+ "T1218.010",
+ "TA0002",
+ "TA0005"
 ],
 "title": "Suspicious WMIC Execution Via Office Process"
 },
@@ -10679,17 +10679,17 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.credential-access",
- "attack.discovery",
- "attack.t1047",
- "attack.t1053",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.t1110",
- "attack.t1201"
+ "TA0002",
+ "TA0003",
+ "TA0004",
+ "TA0006",
+ "TA0007",
+ "T1047",
+ "T1053",
+ "T1059.003",
+ "T1059.001",
+ "T1110",
+ "T1201"
 ],
 "title": "HackTool - CrackMapExec Execution"
 },
@@ -10709,8 +10709,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1216"
+ "TA0005",
+ "T1216"
 ],
 "title": "UtilityFunctions.ps1 Proxy Dll"
 },
@@ -10730,8 +10730,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547"
+ "TA0003",
+ "T1547"
 ],
 "title": "Suspicious Driver Install by pnputil.exe"
 },
@@ -10751,8 +10751,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious Encoded PowerShell Command Line"
 },
@@ -10772,9 +10772,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "HackTool - UACMe Akagi Execution"
 },
@@ -10794,9 +10794,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.persistence",
- "attack.t1546.015"
+ "TA0004",
+ "TA0003",
+ "T1546.015"
 ],
 "title": "Rundll32 Registered COM Objects"
 },
@@ -10816,10 +10816,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence",
- "attack.execution",
- "attack.t1574.001"
+ "TA0005",
+ "TA0003",
+ "TA0002",
+ "T1574.001"
 ],
 "title": "Tasks Folder Evasion"
 },
@@ -10839,11 +10839,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration",
- "attack.t1048.001",
- "attack.command-and-control",
- "attack.t1071.004",
- "attack.t1132.001"
+ "TA0010",
+ "T1048.001",
+ "TA0011",
+ "T1071.004",
+ "T1132.001"
 ],
 "title": "DNS Exfiltration and Tunneling Tools Execution"
 },
@@ -10863,8 +10863,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001"
+ "TA0005",
+ "T1574.001"
 ],
 "title": "DLL Sideloading by VMware Xfer Utility"
 },
@@ -10884,9 +10884,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.t1542.001"
+ "TA0003",
+ "TA0005",
+ "T1542.001"
 ],
 "title": "UEFI Persistence Via Wpbbin - ProcessCreation"
 },
@@ -10906,8 +10906,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1555.004"
+ "TA0006",
+ "T1555.004"
 ],
 "title": "Suspicious Key Manager Access"
 },
@@ -10927,8 +10927,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.001"
+ "TA0005",
+ "T1564.001"
 ],
 "title": "Use Icacls to Hide File to Everyone"
 },
@@ -10948,9 +10948,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1059"
+ "TA0005",
+ "TA0002",
+ "T1059"
 ],
 "title": "Run PowerShell Script from Redirected Input Stream"
 },
@@ -10970,10 +10970,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.credential-access",
- "attack.t1036",
- "attack.t1003.001"
+ "TA0005",
+ "TA0006",
+ "T1036",
+ "T1003.001"
 ],
 "title": "Suspicious DumpMinitool Execution"
 },
@@ -10993,7 +10993,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Potential RDP Session Hijacking Activity"
 },
@@ -11013,8 +11013,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "Local Groups Reconnaissance Via Wmic.EXE"
 },
@@ -11034,9 +11034,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112",
- "attack.t1562.001"
+ "TA0005",
+ "T1112",
+ "T1562.001"
 ],
 "title": "Reg Add Suspicious Paths"
 },
@@ -11056,8 +11056,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Indirect Inline Command Execution Via Bash.EXE"
 },
@@ -11077,9 +11077,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0002",
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Service StartupType Change Via Sc.EXE"
 },
@@ -11099,8 +11099,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.007"
+ "TA0005",
+ "T1218.007"
 ],
 "title": "DllUnregisterServer Function Call Via Msiexec.EXE"
 },
@@ -11120,9 +11120,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Arbitrary File Download Via Squirrel.EXE"
 },
@@ -11142,8 +11142,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potentially Suspicious Cabinet File Expansion"
 },
@@ -11163,15 +11163,15 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.privilege-escalation",
+ "TA0002",
+ "TA0003",
+ "TA0004",
 "attack.s0111",
 "attack.g0022",
 "attack.g0060",
 "car.2013-08-001",
- "attack.t1053.005",
- "attack.t1059.001"
+ "T1053.005",
+ "T1059.001"
 ],
 "title": "HackTool - Default PowerSploit/Empire Scheduled Task Creation"
 },
@@ -11191,8 +11191,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Script Interpreter Execution From Suspicious Folder"
 },
@@ -11212,8 +11212,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Uncommon Link.EXE Parent Process"
 },
@@ -11233,8 +11233,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1110.002"
+ "TA0006",
+ "T1110.002"
 ],
 "title": "HackTool - Hashcat Password Cracker Execution"
 },
@@ -11254,8 +11254,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.004"
+ "TA0005",
+ "T1027.004"
 ],
 "title": "Dynamic .NET Compilation Via Csc.EXE"
 },
@@ -11275,8 +11275,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "File Download Using ProtocolHandler.exe"
 },
@@ -11296,12 +11296,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.discovery",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
+ "TA0003",
+ "TA0007",
+ "T1505.003",
+ "T1018",
+ "T1033",
+ "T1087"
 ],
 "title": "Webshell Detection With Command Line Keywords"
 },
@@ -11321,8 +11321,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
+ "TA0005",
+ "T1036",
 "car.2013-05-002"
 ],
 "title": "Suspicious Process Start Locations"
@@ -11343,10 +11343,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.collection",
- "attack.t1114"
+ "TA0002",
+ "T1059.001",
+ "TA0009",
+ "T1114"
 ],
 "title": "Exchange PowerShell Snap-Ins Usage"
 },
@@ -11366,11 +11366,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1047",
- "attack.t1204.002",
- "attack.t1218.010"
+ "TA0002",
+ "TA0005",
+ "T1047",
+ "T1204.002",
+ "T1218.010"
 ],
 "title": "Suspicious WmiPrvSE Child Process"
 },
@@ -11390,9 +11390,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.discovery",
- "attack.t1552"
+ "TA0006",
+ "TA0007",
+ "T1552"
 ],
 "title": "Potentially Suspicious EventLog Recon Activity Using Log Query Utilities"
 },
@@ -11412,8 +11412,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1132.001"
+ "TA0011",
+ "T1132.001"
 ],
 "title": "Suspicious FromBase64String Usage On Gzip Archive - Process Creation"
 },
@@ -11433,10 +11433,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1562.001"
+ "TA0005",
+ "TA0002",
+ "T1059.001",
+ "T1562.001"
 ],
 "title": "Obfuscated PowerShell OneLiner Execution"
 },
@@ -11456,8 +11456,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "HackTool - Sliver C2 Implant Activity Pattern"
 },
@@ -11477,8 +11477,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.001"
+ "TA0006",
+ "T1552.001"
 ],
 "title": "Potential PowerShell Console History Access Attempt via History File"
 },
@@ -11498,8 +11498,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1123"
+ "TA0009",
+ "T1123"
 ],
 "title": "Audio Capture via PowerShell"
 },
@@ -11519,8 +11519,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.002"
+ "TA0006",
+ "T1552.002"
 ],
 "title": "Registry Export of Third-Party Credentials"
 },
@@ -11540,8 +11540,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.003"
+ "TA0003",
+ "T1546.003"
 ],
 "title": "WMI Backdoor Exchange Transport Agent"
 },
@@ -11561,8 +11561,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Gpscript Execution"
 },
@@ -11582,10 +11582,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1016",
- "attack.t1018",
- "attack.t1482"
+ "TA0007",
+ "T1016",
+ "T1018",
+ "T1482"
 ],
 "title": "Nltest.EXE Execution"
 },
@@ -11605,8 +11605,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Suspicious Vsls-Agent Command With AgentExtensionPath Load"
 },
@@ -11626,8 +11626,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1555",
+ "TA0006",
+ "T1555",
 "cve.2021-35211"
 ],
 "title": "Suspicious Serv-U Process Pattern"
@@ -11648,8 +11648,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1133"
+ "TA0001",
+ "T1133"
 ],
 "title": "Remote Access Tool - ScreenConnect Installation Execution"
 },
@@ -11669,8 +11669,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Forfiles Command Execution"
 },
@@ -11690,8 +11690,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "File Download via CertOC.EXE"
 },
@@ -11711,8 +11711,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.008"
+ "TA0005",
+ "T1218.008"
 ],
 "title": "Response File Execution Via Odbcconf.EXE"
 },
@@ -11732,8 +11732,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1560.001"
+ "TA0009",
+ "T1560.001"
 ],
 "title": "Files Added To An Archive Using Rar.EXE"
 },
@@ -11753,8 +11753,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Tamper Windows Defender Remove-MpPreference"
 },
@@ -11774,10 +11774,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1526",
- "attack.t1087",
- "attack.t1083"
+ "TA0007",
+ "T1526",
+ "T1087",
+ "T1083"
 ],
 "title": "PUA - Seatbelt Execution"
 },
@@ -11797,8 +11797,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "File Download From Browser Process Via Inline URL"
 },
@@ -11818,10 +11818,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1059.001",
- "attack.t1564.003"
+ "TA0002",
+ "TA0005",
+ "T1059.001",
+ "T1564.003"
 ],
 "title": "HackTool - Covenant PowerShell Launcher"
 },
@@ -11841,9 +11841,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.execution"
+ "TA0005",
+ "T1218",
+ "TA0002"
 ],
 "title": "Execute Pcwrun.EXE To Leverage Follina"
 },
@@ -11863,8 +11863,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious PowerShell Encoded Command Patterns"
 },
@@ -11884,7 +11884,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "File Encryption/Decryption Via Gpg4win From Suspicious Locations"
 },
@@ -11904,12 +11904,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.discovery",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
+ "TA0003",
+ "TA0007",
+ "T1505.003",
+ "T1018",
+ "T1033",
+ "T1087"
 ],
 "title": "Chopper Webshell Process Pattern"
 },
@@ -11929,8 +11929,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Execute Files with Msdeploy.exe"
 },
@@ -11950,10 +11950,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "ConvertTo-SecureString Cmdlet Usage Via CommandLine"
 },
@@ -11973,8 +11973,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1566.001"
+ "TA0001",
+ "T1566.001"
 ],
 "title": "Suspicious Double Extension File Execution"
 },
@@ -11994,8 +11994,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Suspicious Invoke-WebRequest Execution With DirectIP"
 },
@@ -12015,7 +12015,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Suspicious Advpack Call Via Rundll32.EXE"
 },
@@ -12035,8 +12035,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
+ "TA0005",
+ "TA0004",
 "cve.2023-21746"
 ],
 "title": "HackTool - LocalPotato Execution"
@@ -12057,8 +12057,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Potential Arbitrary Command Execution Using Msdt.EXE"
 },
@@ -12078,7 +12078,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Remote Access Tool - NetSupport Execution From Unusual Location"
 },
@@ -12098,8 +12098,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Uncommon AddinUtil.EXE CommandLine Execution"
 },
@@ -12119,8 +12119,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1615"
+ "TA0007",
+ "T1615"
 ],
 "title": "Gpresult Display Group Policy Information"
 },
@@ -12140,8 +12140,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047"
+ "TA0002",
+ "T1047"
 ],
 "title": "Windows Hotfix Updates Reconnaissance Via Wmic.EXE"
 },
@@ -12161,8 +12161,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution"
+ "TA0005",
+ "TA0002"
 ],
 "title": "Wab/Wabmig Unusual Parent Or Child Processes"
 },
@@ -12182,8 +12182,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1486"
+ "TA0040",
+ "T1486"
 ],
 "title": "Suspicious Reg Add BitLocker"
 },
@@ -12203,7 +12203,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Suspicious Windows Feature Enabled - ProcCreation"
 },
@@ -12223,8 +12223,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Potential Arbitrary File Download Using Office Application"
 },
@@ -12244,8 +12244,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.004"
+ "TA0005",
+ "T1070.004"
 ],
 "title": "File Deletion Via Del"
 },
@@ -12265,8 +12265,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Suspicious Program Names"
 },
@@ -12286,9 +12286,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1546.008"
+ "TA0003",
+ "TA0004",
+ "T1546.008"
 ],
 "title": "Suspicious Debugger Registration Cmdline"
 },
@@ -12308,8 +12308,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1505.002"
+ "TA0003",
+ "T1505.002"
 ],
 "title": "MSExchange Transport Agent Installation"
 },
@@ -12329,7 +12329,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Wusa.EXE Executed By Parent Process Located In Suspicious Location"
 },
@@ -12349,8 +12349,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0011",
+ "T1219.002"
 ],
 "title": "Remote Access Tool - Simple Help Execution"
 },
@@ -12370,8 +12370,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1556.002"
+ "TA0006",
+ "T1556.002"
 ],
 "title": "Dropping Of Password Filter DLL"
 },
@@ -12391,8 +12391,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Uncommon Child Process Of AddinUtil.EXE"
 },
@@ -12412,9 +12412,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1543.003"
+ "TA0003",
+ "TA0004",
+ "T1543.003"
 ],
 "title": "Suspicious New Service Creation"
 },
@@ -12434,10 +12434,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.impact",
- "attack.t1489",
- "attack.t1562.001"
+ "TA0005",
+ "TA0040",
+ "T1489",
+ "T1562.001"
 ],
 "title": "Suspicious Windows Service Tampering"
 },
@@ -12457,8 +12457,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Suspicious Script Execution From Temp Folder"
 },
@@ -12478,8 +12478,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "Taskmgr as LOCAL_SYSTEM"
 },
@@ -12499,8 +12499,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potential Password Spraying Attempt Using Dsacls.EXE"
 },
@@ -12520,8 +12520,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Net WebClient Casing Anomalies"
 },
@@ -12541,8 +12541,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Suspicious Uninstall of Windows Defender Feature via PowerShell"
 },
@@ -12562,8 +12562,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1548.002"
+ "TA0003",
+ "T1548.002"
 ],
 "title": "PowerShell Web Access Feature Enabled Via DISM"
 },
@@ -12583,10 +12583,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1072",
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0002",
+ "T1072",
+ "TA0005",
+ "T1218"
 ],
 "title": "Suspicious Csi.exe Usage"
 },
@@ -12606,9 +12606,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.persistence",
- "attack.privilege-escalation"
+ "TA0001",
+ "TA0003",
+ "TA0004"
 ],
 "title": "Suspicious Processes Spawned by Java.EXE"
 },
@@ -12628,8 +12628,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1216.001"
+ "TA0005",
+ "T1216.001"
 ],
 "title": "Pubprn.vbs Proxy Execution"
 },
@@ -12649,8 +12649,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1123"
+ "TA0009",
+ "T1123"
 ],
 "title": "Audio Capture via SoundRecorder"
 },
@@ -12670,10 +12670,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1204",
- "attack.t1566.001",
- "attack.execution",
- "attack.initial-access"
+ "T1204",
+ "T1566.001",
+ "TA0002",
+ "TA0001"
 ],
 "title": "Arbitrary Shell Command Execution Via Settingcontent-Ms"
 },
@@ -12693,8 +12693,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002"
+ "TA0005",
+ "T1562.002"
 ],
 "title": "Disable Windows IIS HTTP Logging"
 },
@@ -12714,7 +12714,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Suspicious File Download From File Sharing Domain Via Wget.EXE"
 },
@@ -12734,8 +12734,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "Explorer Process Tree Break"
 },
@@ -12755,8 +12755,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.006"
+ "TA0006",
+ "T1552.006"
 ],
 "title": "Permission Misconfiguration Reconnaissance Via Findstr.EXE"
 },
@@ -12776,8 +12776,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1528"
+ "TA0006",
+ "T1528"
 ],
 "title": "Potentially Suspicious Command Targeting Teams Sensitive Files"
 },
@@ -12797,8 +12797,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.005"
+ "TA0005",
+ "T1218.005"
 ],
 "title": "Potential LethalHTA Technique Execution"
 },
@@ -12818,8 +12818,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Malicious Base64 Encoded PowerShell Keywords in Command Lines"
 },
@@ -12839,8 +12839,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.004"
+ "TA0005",
+ "T1070.004"
 ],
 "title": "Suspicious Ping/Del Command Combination"
 },
@@ -12860,8 +12860,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1098"
+ "TA0003",
+ "T1098"
 ],
 "title": "User Added to Local Administrators Group"
 },
@@ -12881,10 +12881,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Invoke-Obfuscation VAR+ Launcher"
 },
@@ -12904,11 +12904,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1018",
- "attack.t1087.002",
- "attack.t1482",
- "attack.t1069.002"
+ "TA0007",
+ "T1018",
+ "T1087.002",
+ "T1482",
+ "T1069.002"
 ],
 "title": "Renamed AdFind Execution"
 },
@@ -12928,8 +12928,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "DLL Loaded via CertOC.EXE"
 },
@@ -12949,10 +12949,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1190",
- "attack.initial-access",
- "attack.persistence",
- "attack.privilege-escalation"
+ "T1190",
+ "TA0001",
+ "TA0003",
+ "TA0004"
 ],
 "title": "Suspicious Processes Spawned by WinRM"
 },
@@ -12972,9 +12972,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218.005"
+ "TA0005",
+ "TA0002",
+ "T1218.005"
 ],
 "title": "Remotely Hosted HTA File Executed Via Mshta.EXE"
 },
@@ -12994,10 +12994,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.t1547.001",
- "attack.t1047"
+ "TA0002",
+ "TA0003",
+ "T1547.001",
+ "T1047"
 ],
 "title": "Suspicious Autorun Registry Modified via WMI"
 },
@@ -13017,8 +13017,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1120"
+ "TA0007",
+ "T1120"
 ],
 "title": "Fsutil Drive Enumeration"
 },
@@ -13038,8 +13038,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Python Inline Command Execution"
 },
@@ -13059,8 +13059,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.005"
+ "TA0005",
+ "T1027.005"
 ],
 "title": "PUA - DefenderCheck Execution"
 },
@@ -13080,9 +13080,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.execution",
- "attack.t1105"
+ "TA0011",
+ "TA0002",
+ "T1105"
 ],
 "title": "File Download From IP Based URL Via CertOC.EXE"
 },
@@ -13102,8 +13102,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.005"
+ "TA0005",
+ "T1036.005"
 ],
 "title": "Potential MsiExec Masquerading"
 },
@@ -13123,10 +13123,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1003.001",
- "attack.credential-access"
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006"
 ],
 "title": "Potential SysInternals ProcDump Evasion"
 },
@@ -13146,9 +13146,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.lateral-movement",
- "attack.t1021.003"
+ "TA0002",
+ "TA0008",
+ "T1021.003"
 ],
 "title": "MMC20 Lateral Movement"
 },
@@ -13168,11 +13168,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021.002",
- "attack.t1570",
- "attack.execution",
- "attack.t1569.002"
+ "TA0008",
+ "T1021.002",
+ "T1570",
+ "TA0002",
+ "T1569.002"
 ],
 "title": "Rundll32 Execution Without Parameters"
 },
@@ -13192,7 +13192,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Suspicious IIS URL GlobalRules Rewrite Via AppCmd"
 },
@@ -13212,10 +13212,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1587.001",
- "attack.execution",
- "attack.t1569.002"
+ "TA0042",
+ "T1587.001",
+ "TA0002",
+ "T1569.002"
 ],
 "title": "PUA - CsExec Execution"
 },
@@ -13235,8 +13235,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1553.004"
+ "TA0005",
+ "T1553.004"
 ],
 "title": "Root Certificate Installed From Susp Locations"
 },
@@ -13256,8 +13256,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1528"
+ "TA0006",
+ "T1528"
 ],
 "title": "Potentially Suspicious JWT Token Search Via CLI"
 },
@@ -13277,10 +13277,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1127"
 ],
 "title": "SQL Client Tools PowerShell Session Detection"
 },
@@ -13300,8 +13300,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1090.001"
+ "TA0011",
+ "T1090.001"
 ],
 "title": "Cloudflared Portable Execution"
 },
@@ -13321,8 +13321,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "Process Execution From A Potentially Suspicious Folder"
 },
@@ -13342,8 +13342,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion"
+ "TA0002",
+ "TA0005"
 ],
 "title": "Potentially Suspicious Child Process Of ClickOnce Application"
 },
@@ -13363,8 +13363,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1216"
+ "TA0005",
+ "T1216"
 ],
 "title": "Potential Process Execution Proxy Via CL_Invocation.ps1"
 },
@@ -13384,8 +13384,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Uncommon Child Process Of Conhost.EXE"
 },
@@ -13405,8 +13405,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Suspicious Invoke-WebRequest Execution"
 },
@@ -13426,8 +13426,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1529"
+ "TA0040",
+ "T1529"
 ],
 "title": "Suspicious Execution of Shutdown"
 },
@@ -13447,8 +13447,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potentially Over Permissive Permissions Granted Using Dsacls.EXE"
 },
@@ -13468,8 +13468,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1176.001"
+ "TA0003",
+ "T1176.001"
 ],
 "title": "Chromium Browser Instance Executed With Custom Extension"
 },
@@ -13489,8 +13489,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0005",
+ "T1027"
 ],
 "title": "Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image"
 },
@@ -13510,8 +13510,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Suspicious Greedy Compression Using Rar.EXE"
 },
@@ -13531,9 +13531,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.t1219"
+ "TA0003",
+ "TA0005",
+ "T1219"
 ],
 "title": "Suspicious Velociraptor Child Process"
 },
@@ -13553,8 +13553,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1053.005"
+ "TA0002",
+ "T1053.005"
 ],
 "title": "Suspicious Schtasks Schedule Type With High Privileges"
 },
@@ -13574,8 +13574,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0011",
+ "T1219.002"
 ],
 "title": "Mstsc.EXE Execution With Local RDP File"
 },
@@ -13595,8 +13595,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Disable Windows Defender AV Security Monitoring"
 },
@@ -13616,8 +13616,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1112",
- "attack.defense-evasion"
+ "T1112",
+ "TA0005"
 ],
 "title": "Registry Modification Via Regini.EXE"
 },
@@ -13637,8 +13637,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution"
+ "TA0005",
+ "TA0002"
 ],
 "title": "Weak or Abused Passwords In CLI"
 },
@@ -13658,7 +13658,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths"
 },
@@ -13678,8 +13678,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1218.011",
- "attack.defense-evasion"
+ "T1218.011",
+ "TA0005"
 ],
 "title": "Rundll32 InstallScreenSaver Execution"
 },
@@ -13699,7 +13699,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Rebuild Performance Counter Values Via Lodctr.EXE"
 },
@@ -13719,12 +13719,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.discovery",
- "attack.t1505.003",
- "attack.t1018",
- "attack.t1033",
- "attack.t1087"
+ "TA0003",
+ "TA0007",
+ "T1505.003",
+ "T1018",
+ "T1033",
+ "T1087"
 ],
 "title": "Webshell Hacking Activity Patterns"
 },
@@ -13744,9 +13744,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1055"
+ "TA0005",
+ "TA0004",
+ "T1055"
 ],
 "title": "HackTool - CoercedPotato Execution"
 },
@@ -13766,8 +13766,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "Direct Autorun Keys Modification"
 },
@@ -13787,8 +13787,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002"
+ "TA0005",
+ "T1562.002"
 ],
 "title": "HackTool - SharpEvtMute Execution"
 },
@@ -13808,10 +13808,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1102",
- "attack.t1090",
- "attack.t1572"
+ "TA0011",
+ "T1102",
+ "T1090",
+ "T1572"
 ],
 "title": "Cloudflared Tunnel Execution"
 },
@@ -13831,7 +13831,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potentially Suspicious GoogleUpdate Child Process"
 },
@@ -13851,8 +13851,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "Dumping Process via Sqldumper.exe"
 },
@@ -13872,8 +13872,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033",
+ "TA0007",
+ "T1033",
 "car.2016-03-001"
 ],
 "title": "Whoami.EXE Execution With Output Option"
@@ -13894,9 +13894,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002",
+ "TA0005",
+ "TA0004",
+ "T1548.002",
 "car.2019-04-001"
 ],
 "title": "Potentially Suspicious Event Viewer Child Process"
@@ -13917,8 +13917,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033",
+ "TA0007",
+ "T1033",
 "car.2016-03-001"
 ],
 "title": "Whoami.EXE Execution Anomaly"
@@ -13939,8 +13939,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "SafeBoot Registry Key Deleted Via Reg.EXE"
 },
@@ -13960,8 +13960,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "Suspicious Control Panel DLL Load"
 },
@@ -13981,8 +13981,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.007"
+ "TA0005",
+ "T1036.007"
 ],
 "title": "Suspicious Parent Double Extension File Execution"
 },
@@ -14002,8 +14002,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1112",
- "attack.defense-evasion"
+ "T1112",
+ "TA0005"
 ],
 "title": "Suspicious Registry Modification From ADS Via Regini.EXE"
 },
@@ -14023,8 +14023,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.002"
+ "TA0007",
+ "T1087.002"
 ],
 "title": "PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE"
 },
@@ -14044,8 +14044,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1489"
+ "TA0040",
+ "T1489"
 ],
 "title": "Stop Windows Service Via PowerShell Stop-Service"
 },
@@ -14065,8 +14065,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.reconnaissance",
- "attack.t1595"
+ "TA0043",
+ "T1595"
 ],
 "title": "PUA - PingCastle Execution From Potentially Suspicious Parent"
 },
@@ -14086,8 +14086,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1557.001"
+ "TA0006",
+ "T1557.001"
 ],
 "title": "HackTool - ADCSPwn Execution"
 },
@@ -14107,8 +14107,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution"
+ "TA0005",
+ "TA0002"
 ],
 "title": "Mshtml.DLL RunHTMLApplication Suspicious Usage"
 },
@@ -14128,7 +14128,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Memory Dumping Activity Via LiveKD"
 },
@@ -14148,8 +14148,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002"
+ "TA0005",
+ "T1562.002"
 ],
 "title": "Audit Policy Tampering Via Auditpol"
 },
@@ -14169,8 +14169,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.009"
+ "TA0005",
+ "T1027.009"
 ],
 "title": "Powershell Token Obfuscation - Process Creation"
 },
@@ -14190,10 +14190,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027"
 ],
 "title": "PowerShell Base64 Encoded WMI Classes"
 },
@@ -14213,10 +14213,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1003.001",
- "attack.credential-access"
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006"
 ],
 "title": "Renamed CreateDump Utility Execution"
 },
@@ -14236,11 +14236,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1557.001",
- "attack.t1187"
+ "TA0006",
+ "TA0003",
+ "TA0004",
+ "T1557.001",
+ "T1187"
 ],
 "title": "Attempts of Kerberos Coercion Via DNS SPN Spoofing"
 },
@@ -14260,8 +14260,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.004"
+ "TA0005",
+ "T1564.004"
 ],
 "title": "Suspicious Extrac32 Alternate Data Stream Execution"
 },
@@ -14281,8 +14281,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.reconnaissance",
- "attack.t1593.003"
+ "TA0043",
+ "T1593.003"
 ],
 "title": "Suspicious Git Clone"
 },
@@ -14302,8 +14302,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "Bad Opsec Defaults Sacrificial Processes With Improper Arguments"
 },
@@ -14323,8 +14323,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1548"
+ "TA0004",
+ "T1548"
 ],
 "title": "Abused Debug Privilege by Arbitrary Parent Processes"
 },
@@ -14344,8 +14344,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "Code Execution via Pcwutl.dll"
 },
@@ -14365,7 +14365,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Execution of Suspicious File Type Extension"
 },
@@ -14385,10 +14385,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.t1053.005",
- "attack.command-and-control"
+ "TA0003",
+ "TA0002",
+ "T1053.005",
+ "TA0011"
 ],
 "title": "Potential SSH Tunnel Persistence Install Using A Scheduled Task"
 },
@@ -14408,10 +14408,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027"
 ],
 "title": "PowerShell Base64 Encoded Invoke Keyword"
 },
@@ -14431,9 +14431,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1027.004"
+ "TA0005",
+ "T1218",
+ "T1027.004"
 ],
 "title": "Potential Application Whitelisting Bypass via Dnx.EXE"
 },
@@ -14453,8 +14453,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1069.001"
+ "TA0007",
+ "T1069.001"
 ],
 "title": "Permission Check Via Accesschk.EXE"
 },
@@ -14474,8 +14474,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021.003"
+ "TA0008",
+ "T1021.003"
 ],
 "title": "MMC Spawning Windows Shell"
 },
@@ -14495,9 +14495,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.persistence",
- "attack.t1219.002"
+ "TA0011",
+ "TA0003",
+ "T1219.002"
 ],
 "title": "Potential Amazon SSM Agent Hijacking"
 },
@@ -14517,8 +14517,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1115"
+ "TA0009",
+ "T1115"
 ],
 "title": "PowerShell Get-Clipboard Cmdlet Via CLI"
 },
@@ -14538,9 +14538,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.execution",
- "attack.t1204.002"
+ "TA0001",
+ "TA0002",
+ "T1204.002"
 ],
 "title": "Suspicious LNK Command-Line Padding with Whitespace Characters"
 },
@@ -14560,9 +14560,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1140",
- "attack.t1027"
+ "TA0005",
+ "T1140",
+ "T1027"
 ],
 "title": "Ping Hex IP"
 },
@@ -14582,9 +14582,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.discovery",
- "attack.t1040"
+ "TA0006",
+ "TA0007",
+ "T1040"
 ],
 "title": "Potential Network Sniffing Activity Using Network Tools"
 },
@@ -14604,8 +14604,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "LSASS Dump Keyword In CommandLine"
 },
@@ -14625,8 +14625,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562"
+ "TA0005",
+ "T1562"
 ],
 "title": "Windows Firewall Disabled via PowerShell"
 },
@@ -14646,8 +14646,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "SyncAppvPublishingServer Execute Arbitrary PowerShell Code"
 },
@@ -14667,7 +14667,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Potential Renamed Rundll32 Execution"
 },
@@ -14687,9 +14687,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.exfiltration",
- "attack.t1048"
+ "TA0002",
+ "TA0010",
+ "T1048"
 ],
 "title": "Data Export From MSSQL Table Via BCP.EXE"
 },
@@ -14709,8 +14709,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.003"
+ "TA0005",
+ "T1036.003"
 ],
 "title": "LOL-Binary Copied From System Directory"
 },
@@ -14730,11 +14730,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1211",
- "attack.t1059",
- "attack.defense-evasion",
- "attack.persistence",
- "attack.execution"
+ "T1211",
+ "T1059",
+ "TA0005",
+ "TA0003",
+ "TA0002"
 ],
 "title": "Writing Of Malicious Files To The Fonts Folder"
 },
@@ -14754,8 +14754,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Usage Of Web Request Commands And Cmdlets"
 },
@@ -14775,8 +14775,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.008"
+ "TA0005",
+ "T1218.008"
 ],
 "title": "Driver/DLL Installation Via Odbcconf.EXE"
 },
@@ -14796,7 +14796,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Uncommon Child Processes Of SndVol.exe"
 },
@@ -14816,8 +14816,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105"
+ "TA0011",
+ "T1105"
 ],
 "title": "Arbitrary File Download Via GfxDownloadWrapper.EXE"
 },
@@ -14837,8 +14837,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Diskshadow Script Mode - Execution From Potential Suspicious Location"
 },
@@ -14858,9 +14858,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0002",
+ "TA0005",
+ "T1218"
 ],
 "title": "MpiExec Lolbin"
 },
@@ -14880,8 +14880,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036"
+ "TA0005",
+ "T1036"
 ],
 "title": "New Process Created Via Taskmgr.EXE"
 },
@@ -14901,10 +14901,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.defense-evasion",
- "attack.t1134.001",
- "attack.t1134.003"
+ "TA0004",
+ "TA0005",
+ "T1134.001",
+ "T1134.003"
 ],
 "title": "HackTool - SharpDPAPI Execution"
 },
@@ -14924,8 +14924,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.003"
+ "TA0006",
+ "T1003.003"
 ],
 "title": "PUA - DIT Snapshot Viewer"
 },
@@ -14945,8 +14945,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Uncommon Assistive Technology Applications Execution Via AtBroker.EXE"
 },
@@ -14966,8 +14966,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047"
+ "TA0002",
+ "T1047"
 ],
 "title": "Service Reconnaissance Via Wmic.EXE"
 },
@@ -14987,8 +14987,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration",
- "attack.t1567"
+ "TA0010",
+ "T1567"
 ],
 "title": "Arbitrary File Download Via ConfigSecurityPolicy.EXE"
 },
@@ -15008,10 +15008,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1564",
- "attack.t1059"
+ "TA0005",
+ "TA0002",
+ "T1564",
+ "T1059"
 ],
 "title": "Potentially Suspicious Execution From Parent Process In Public Folder"
 },
@@ -15031,8 +15031,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1053.005"
+ "TA0002",
+ "T1053.005"
 ],
 "title": "Suspicious Command Patterns In Scheduled Task Creation"
 },
@@ -15052,10 +15052,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1059.001",
- "attack.t1027"
+ "TA0002",
+ "TA0005",
+ "T1059.001",
+ "T1027"
 ],
 "title": "Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call"
 },
@@ -15075,8 +15075,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1490"
+ "TA0040",
+ "T1490"
 ],
 "title": "Sensitive File Access Via Volume Shadow Copy Backup"
 },
@@ -15096,12 +15096,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.command-and-control",
- "attack.t1105"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1218",
+ "TA0011",
+ "T1105"
 ],
 "title": "PowerShell MSI Install via WindowsInstaller COM From Remote Location"
 },
@@ -15121,9 +15121,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1036.003"
+ "TA0005",
+ "T1036",
+ "T1036.003"
 ],
 "title": "Potential Homoglyph Attack Using Lookalike Characters"
 },
@@ -15143,8 +15143,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.010"
+ "TA0005",
+ "T1027.010"
 ],
 "title": "Potential Obfuscated Ordinal Call Via Rundll32"
 },
@@ -15164,11 +15164,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1027",
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1140",
- "attack.t1059.001"
+ "T1027",
+ "TA0005",
+ "TA0002",
+ "T1140",
+ "T1059.001"
 ],
 "title": "Base64 Encoded PowerShell Command Detected"
 },
@@ -15188,10 +15188,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.resource-development",
- "attack.t1105",
- "attack.t1608"
+ "TA0011",
+ "TA0042",
+ "T1105",
+ "T1608"
 ],
 "title": "Suspicious Download from Office Domain"
 },
@@ -15211,11 +15211,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1566.001",
- "attack.execution",
- "attack.t1203",
- "attack.t1059.003",
+ "TA0001",
+ "T1566.001",
+ "TA0002",
+ "T1203",
+ "T1059.003",
 "attack.g0032"
 ],
 "title": "Suspicious HWP Sub Processes"
@@ -15236,7 +15236,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.threat-hunting"
 ],
 "title": "Potential DLL Injection Via AccCheckConsole"
@@ -15257,8 +15257,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE"
 },
@@ -15278,8 +15278,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Run Once Task Execution as Configured in Registry"
 },
@@ -15299,8 +15299,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1095"
+ "TA0011",
+ "T1095"
 ],
 "title": "PUA - Netcat Suspicious Execution"
 },
@@ -15320,10 +15320,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
+ "TA0002",
+ "TA0005",
+ "T1218",
+ "T1202"
 ],
 "title": "Potential Arbitrary File Download Via Cmdl32.EXE"
 },
@@ -15343,7 +15343,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Curl Web Request With Potential Custom User-Agent"
 },
@@ -15363,8 +15363,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.005"
+ "TA0006",
+ "T1003.005"
 ],
 "title": "New Generic Credentials Added Via Cmdkey.EXE"
 },
@@ -15384,8 +15384,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potential Provlaunch.EXE Binary Proxy Execution Abuse"
 },
@@ -15405,11 +15405,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.command-and-control",
- "attack.t1104",
- "attack.t1105"
+ "TA0002",
+ "T1059.001",
+ "TA0011",
+ "T1104",
+ "T1105"
 ],
 "title": "PowerShell DownloadFile"
 },
@@ -15429,8 +15429,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "BitLockerTogo.EXE Execution"
 },
@@ -15450,8 +15450,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1560.001"
+ "TA0009",
+ "T1560.001"
 ],
 "title": "7Zip Compressing Dump Files"
 },
@@ -15471,8 +15471,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1569.002",
+ "TA0002",
+ "T1569.002",
 "attack.s0029"
 ],
 "title": "PUA - RunXCmd Execution"
@@ -15493,8 +15493,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027.004"
+ "TA0005",
+ "T1027.004"
 ],
 "title": "Visual Basic Command Line Compiler Usage"
 },
@@ -15514,8 +15514,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Definition Files Removed" }, @@ -15535,8 +15535,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Potential Regsvr32 Commandline Flag Anomaly" }, @@ -15556,9 +15556,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1546.003" + "TA0003", + "TA0004", + "T1546.003" ], "title": "WMI Persistence - Script Event Consumer" }, @@ -15578,9 +15578,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218" + "TA0002", + "TA0005", + "T1218" ], "title": "Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution" }, @@ -15600,8 +15600,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1548.002" + "TA0005", + "T1548.002" ], "title": "TrustedPath UAC Bypass Pattern" }, @@ -15621,10 +15621,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense-evasion", - "attack.t1216" + "TA0002", + "T1059.001", + "TA0005", + "T1216" ], "title": "Execute Code with Pester.bat as Parent" }, @@ -15644,11 +15644,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1059.005", - "attack.t1059.001", - "attack.t1218" + "TA0002", + "TA0005", + "T1059.005", + "T1059.001", + "T1218" ], "title": "Windows Shell/Scripting Processes Spawning Suspicious Programs" }, @@ -15668,7 +15668,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "Suspicious RunAs-Like Flag Combination" }, 
@@ -15688,8 +15688,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "System File Execution Location Anomaly" }, @@ -15709,10 +15709,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "TA0007", + "TA0002", + "T1615", + "T1059.005" ], "title": "Potential Reconnaissance Activity Via GatherNetworkInfo.VBS" }, @@ -15732,9 +15732,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218.003", + "TA0005", + "TA0002", + "T1218.003", "attack.g0069", "car.2019-04-001" ], @@ -15756,8 +15756,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090.001" + "TA0011", + "T1090.001" ], "title": "Cloudflared Quick Tunnel Execution" }, @@ -15777,10 +15777,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense-evasion", - "attack.t1027.005" + "TA0002", + "T1059.001", + "TA0005", + "T1027.005" ], "title": "HackTool - CrackMapExec PowerShell Obfuscation" }, @@ -15800,8 +15800,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.008" + "TA0005", + "T1218.008" ], "title": "Potentially Suspicious DLL Registered Via Odbcconf.EXE" }, @@ -15821,8 +15821,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.008" + "TA0005", + "T1218.008" ], "title": "Odbcconf.EXE Suspicious DLL Location" }, @@ -15842,10 +15842,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059", - "attack.defense-evasion", - "attack.t1202" + "TA0002", + "T1059", + "TA0005", + "T1202" ], "title": "Potential Arbitrary Command Execution Via FTP.EXE" }, 
@@ -15865,10 +15865,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation STDIN+ Launcher" }, @@ -15888,8 +15888,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055.001" + "TA0005", + "T1055.001" ], "title": "ManageEngine Endpoint Central Dctask64.EXE Potential Abuse" }, @@ -15909,8 +15909,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Suspicious Certreq Command to Download" }, @@ -15930,8 +15930,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Potentially Suspicious Regsvr32 HTTP IP Pattern" }, @@ -15951,8 +15951,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential Suspicious Mofcomp Execution" }, @@ -15972,8 +15972,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Run PowerShell Script from ADS" }, @@ -15993,9 +15993,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "New Service Creation Using Sc.EXE" }, @@ -16015,8 +16015,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Suspicious Child Process of AspNetCompiler" }, @@ -16036,8 +16036,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE" }, 
@@ -16057,8 +16057,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1135" + "TA0007", + "T1135" ], "title": "File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell" }, @@ -16078,10 +16078,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", - "attack.t1482" + "TA0007", + "T1087.002", + "T1069.002", + "T1482" ], "title": "Active Directory Database Snapshot Via ADExplorer" }, @@ -16101,8 +16101,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Read Contents From Stdin Via Cmd.EXE" }, @@ -16122,8 +16122,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.004" + "TA0005", + "T1562.004" ], "title": "Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE" }, @@ -16143,9 +16143,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.credential-access", - "attack.t1557.001" + "TA0002", + "TA0006", + "T1557.001" ], "title": "Potential SMB Relay Attack Tool Execution" }, @@ -16165,8 +16165,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Sysinternals PsSuspend Suspicious Execution" }, @@ -16186,7 +16186,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "New Virtual Smart Card Created Via TpmVscMgr.EXE" }, @@ -16206,8 +16206,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Finger.EXE Execution" }, 
@@ -16227,10 +16227,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1055.001", - "attack.t1218.013" + "TA0005", + "TA0004", + "T1055.001", + "T1218.013" ], "title": "Mavinject Inject DLL Into Running Process" }, @@ -16250,8 +16250,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Remote File Download Via Desktopimgdownldr Utility" }, @@ -16271,8 +16271,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1548.002" + "TA0004", + "T1548.002" ], "title": "Sdclt Child Processes" }, @@ -16292,8 +16292,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potentially Suspicious Child Process Of DiskShadow.EXE" }, @@ -16313,8 +16313,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047", + "TA0002", + "T1047", "car.2016-03-002" ], "title": "New Process Created Via Wmic.EXE" @@ -16335,8 +16335,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1102" + "TA0011", + "T1102" ], "title": "Suspicious Child Process Of Manage Engine ServiceDesk" }, @@ -16356,8 +16356,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "File Download Via InstallUtil.EXE" }, @@ -16377,8 +16377,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021" + "TA0008", + "T1021" ], "title": "Privilege Escalation via Named Pipe Impersonation" }, @@ -16398,8 +16398,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1482" + "TA0007", + "T1482" ], "title": "Domain Trust Discovery Via Dsquery" }, 
@@ -16419,8 +16419,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "File Encoded To Base64 Via Certutil.EXE" }, @@ -16440,8 +16440,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Suspicious Diantz Alternate Data Stream Execution" }, @@ -16461,8 +16461,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Execution of Powershell Script in Public Folder" }, @@ -16482,9 +16482,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "TA0002", + "T1059.005", + "T1059.007" ], "title": "Cscript/Wscript Uncommon Script Extension Execution" }, @@ -16504,11 +16504,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "attack.s0190", - "attack.t1036.003" + "T1036.003" ], "title": "File With Suspicious Extension Downloaded Via Bitsadmin" }, @@ -16528,7 +16528,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery" + "TA0007" ], "title": "DriverQuery.EXE Execution" }, @@ -16548,9 +16548,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003", - "attack.t1003.003", + "TA0006", + "T1003", + "T1003.003", "attack.s0404" ], "title": "Esentutl Gather Credentials" @@ -16571,8 +16571,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Execute From Alternate Data Streams" }, 
@@ -16592,9 +16592,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1484.001" + "TA0005", + "TA0004", + "T1484.001" ], "title": "Modify Group Policy Settings" }, @@ -16614,9 +16614,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.credential-access", - "attack.t1649" + "TA0007", + "TA0006", + "T1649" ], "title": "HackTool - Certipy Execution" }, @@ -16636,8 +16636,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1587", - "attack.resource-development" + "T1587", + "TA0042" ], "title": "HackTool - PurpleSharp Execution" }, @@ -16657,10 +16657,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", - "attack.credential-access", - "attack.t1003.001", + "TA0005", + "T1036", + "TA0006", + "T1003.001", "car.2013-05-009" ], "title": "Potential LSASS Process Dump Via Procdump" @@ -16681,10 +16681,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1134.001", - "attack.t1134.003" + "TA0004", + "TA0005", + "T1134.001", + "T1134.003" ], "title": "HackTool - Impersonate Execution" }, @@ -16704,8 +16704,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1518.001" + "TA0007", + "T1518.001" ], "title": "Security Tools Keyword Lookup Via Findstr.EXE" }, @@ -16725,9 +16725,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1204" + "TA0002", + "T1059.001", + "T1204" ], "title": "Potentially Suspicious WebDAV LNK Execution" }, @@ -16747,8 +16747,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "Rundll32 Execution With Uncommon DLL Extension" }, 
@@ -16768,10 +16768,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", - "attack.defense-evasion", - "attack.t1564.004" + "TA0011", + "T1105", + "TA0005", + "T1564.004" ], "title": "PrintBrm ZIP Creation of Extraction" }, @@ -16791,11 +16791,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.command-and-control", - "attack.t1059.003", - "attack.t1059.001", - "attack.t1105" + "TA0002", + "TA0011", + "T1059.003", + "T1059.001", + "T1105" ], "title": "Command Line Execution with Suspicious URL and AppData Strings" }, @@ -16815,8 +16815,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Potential Download/Upload Activity Using Type Command" }, @@ -16836,9 +16836,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.discovery", - "attack.t1012" + "TA0010", + "TA0007", + "T1012" ], "title": "Exports Registry Key To a File" }, @@ -16858,8 +16858,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Powershell Defender Disable Scan Feature" }, @@ -16879,7 +16879,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "LOLBIN Execution From Abnormal Drive" }, @@ -16899,8 +16899,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "TA0009", + "T1560.001" ], "title": "Winrar Compressing Dump Files" }, @@ -16920,7 +16920,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Query Usage To Exfil Data" }, @@ -16940,8 +16940,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Suspicious Process Created Via Wmic.EXE" }, 
@@ -16961,8 +16961,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001" + "TA0005", + "T1564.001" ], "title": "Set Suspicious Files as System Files Using Attrib.EXE" }, @@ -16982,8 +16982,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "Suspicious Kernel Dump Using Dtrace" }, @@ -17003,8 +17003,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "Xwizard.EXE Execution From Non-Default Location" }, @@ -17024,8 +17024,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Cmd.EXE Missing Space Characters Execution Anomaly" }, @@ -17045,8 +17045,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Use of OpenConsole" }, @@ -17066,8 +17066,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Highly Privileged Group" }, @@ -17087,8 +17087,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - Anydesk Execution From Suspicious Folder" }, @@ -17108,9 +17108,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1055" + "TA0005", + "TA0004", + "T1055" ], "title": "Process Creation Using Sysnative Folder" }, @@ -17130,7 +17130,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access" + "TA0006" ], "title": "Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE" }, 
@@ -17150,10 +17150,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use MSHTA" }, @@ -17173,8 +17173,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1112", - "attack.defense-evasion" + "T1112", + "TA0005" ], "title": "Imports Registry Key From an ADS" }, @@ -17194,10 +17194,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege-escalation", - "attack.t1053.005", + "TA0002", + "TA0003", + "TA0004", + "T1053.005", "attack.s0111", "car.2013-08-001", "stp.1u" @@ -17220,7 +17220,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Usage Of ShellExec_RunDLL" }, @@ -17240,8 +17240,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Application Terminated Via Wmic.EXE" }, @@ -17261,8 +17261,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disabled Volume Snapshots" }, @@ -17282,8 +17282,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Use of Remote.exe" }, @@ -17303,7 +17303,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Persistence Via TypedPaths - CommandLine" }, @@ -17323,8 +17323,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055" + "TA0005", + "T1055" ], "title": "HackTool - DInjector PowerShell Cradle Execution" }, 
@@ -17344,8 +17344,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "HackTool - Inveigh Execution" }, @@ -17365,11 +17365,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.command-and-control", - "attack.t1218.011", - "attack.t1071" + "TA0005", + "TA0002", + "TA0011", + "T1218.011", + "T1071" ], "title": "Potentially Suspicious Rundll32.EXE Execution of UDL File" }, @@ -17389,10 +17389,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.execution", - "attack.t1552.004", - "attack.t1059.001" + "TA0006", + "TA0002", + "T1552.004", + "T1059.001" ], "title": "Certificate Exported Via PowerShell" }, @@ -17412,8 +17412,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Suspicious Extrac32 Execution" }, @@ -17433,8 +17433,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Service Registry Key Deleted Via Reg.EXE" }, @@ -17454,10 +17454,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011", - "attack.credential-access", - "attack.t1003.001" + "TA0005", + "T1218.011", + "TA0006", + "T1003.001" ], "title": "Process Access via TrolleyExpress Exclusion" }, @@ -17477,8 +17477,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.008" + "TA0005", + "T1218.008" ], "title": "Suspicious Response File Execution Via Odbcconf.EXE" }, @@ -17498,9 +17498,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Using DismHost" }, 
@@ -17520,9 +17520,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.persistence", - "attack.t1546.007", + "TA0004", + "TA0003", + "T1546.007", "attack.s0108" ], "title": "Potential Persistence Via Netsh Helper DLL" @@ -17543,8 +17543,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "File Download And Execution Via IEExec.EXE" }, @@ -17564,8 +17564,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1489" + "TA0040", + "T1489" ], "title": "Delete Important Scheduled Task" }, @@ -17585,13 +17585,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.discovery", - "attack.defense-evasion", - "attack.t1082", - "attack.t1564", - "attack.t1543" + "TA0003", + "TA0004", + "TA0007", + "TA0005", + "T1082", + "T1564", + "T1543" ], "title": "PUA - System Informer Execution" }, @@ -17611,9 +17611,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059" + "TA0005", + "TA0002", + "T1059" ], "title": "Install New Package Via Winget Local Manifest" }, @@ -17633,9 +17633,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1543.003", - "attack.t1574.011" + "TA0003", + "T1543.003", + "T1574.011" ], "title": "Potential Persistence Attempt Via Existing Service Tampering" }, @@ -17655,9 +17655,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.persistence", - "attack.privilege-escalation" + "TA0001", + "TA0003", + "TA0004" ], "title": "Suspicious Shells Spawn by Java Utility Keytool" }, @@ -17677,8 +17677,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "Suspicious Execution of Hostname" }, 
@@ -17698,8 +17698,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'" }, @@ -17719,7 +17719,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Kernel Memory Dump Via LiveKD" }, @@ -17739,8 +17739,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003" + "TA0006", + "T1003" ], "title": "Microsoft IIS Service Account Password Dumped" }, @@ -17760,9 +17760,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1046", - "attack.t1135" + "TA0007", + "T1046", + "T1135" ], "title": "PUA - Advanced IP Scanner Execution" }, @@ -17782,8 +17782,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.004" + "TA0005", + "T1070.004" ], "title": "Potentially Suspicious Ping/Copy Command Combination" }, @@ -17803,8 +17803,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Use NTFS Short Name in Command Line" }, @@ -17824,8 +17824,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.004" + "TA0005", + "T1070.004" ], "title": "Greedy File Deletion Using Del" }, @@ -17845,8 +17845,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Hidden Powershell in Link File Pattern" }, @@ -17866,8 +17866,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1197" + "TA0005", + "T1197" ], "title": "Monitoring For Persistence Via BITS" }, 
@@ -17887,8 +17887,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Invocation From Script Engines" }, @@ -17908,10 +17908,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.exfiltration", - "attack.t1560", - "attack.t1560.001" + "TA0009", + "TA0010", + "T1560", + "T1560.001" ], "title": "Compressed File Extraction Via Tar.EXE" }, @@ -17931,7 +17931,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Suspicious File Download From File Sharing Domain Via Curl.EXE" }, @@ -17951,8 +17951,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "REGISTER_APP.VBS Proxy Execution" }, @@ -17972,8 +17972,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "TA0009", + "T1560.001" ], "title": "Rar Usage with Password and Compression Level" }, @@ -17993,11 +17993,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "attack.s0190", - "attack.t1036.003" + "T1036.003" ], "title": "File Download Via Bitsadmin To An Uncommon Target Folder" }, @@ -18017,8 +18017,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.003" + "TA0006", + "T1003.003" ], "title": "Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -18038,9 +18038,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.persistence", - "attack.privilege-escalation" + "TA0001", + "TA0003", + "TA0004" ], "title": "Shell Process Spawned by Java.EXE" }, 
@@ -18060,8 +18060,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Windows Share Mount Via Net.EXE" }, @@ -18081,8 +18081,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1546.008", - "attack.privilege-escalation" + "T1546.008", + "TA0004" ], "title": "Persistence Via Sticky Key Backdoor" }, @@ -18102,10 +18102,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.collection", - "attack.t1185", - "attack.t1564.003" + "TA0006", + "TA0009", + "T1185", + "T1564.003" ], "title": "Potential Data Stealing Via Chromium Headless Debugging" }, @@ -18125,9 +18125,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001", - "attack.t1070.001" + "TA0005", + "T1562.001", + "T1070.001" ], "title": "Suspicious Windows Trace ETW Session Tamper Via Logman.EXE" }, @@ -18147,8 +18147,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1106" + "TA0002", + "T1106" ], "title": "Potential WinAPI Calls Via CommandLine" }, @@ -18168,20 +18168,20 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.initial-access", - "attack.t1047", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1059.005", - "attack.t1059.007", - "attack.t1218", - "attack.t1218.001", - "attack.t1218.010", - "attack.t1218.011", - "attack.t1566", - "attack.t1566.001" + "TA0005", + "TA0002", + "TA0001", + "T1047", + "T1059.001", + "T1059.003", + "T1059.005", + "T1059.007", + "T1218", + "T1218.001", + "T1218.010", + "T1218.011", + "T1566", + "T1566.001" ], "title": "HTML Help HH.EXE Suspicious Child Process" }, @@ -18201,8 +18201,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell IEX Execution Patterns" }, 
@@ -18222,7 +18222,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery" + "TA0007" ], "title": "Obfuscated IP Download Activity" }, @@ -18242,9 +18242,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.001", - "attack.t1087.002" + "TA0007", + "T1087.001", + "T1087.002" ], "title": "Suspicious Group And Account Reconnaissance Activity Using Net.EXE" }, @@ -18264,7 +18264,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration" + "TA0010" ], "title": "Email Exifiltration Via Powershell" }, @@ -18284,9 +18284,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", + "TA0007", + "T1087", + "T1082", "car.2016-03-001" ], "title": "Network Reconnaissance Activity" @@ -18307,11 +18307,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.discovery", - "attack.t1082", - "attack.t1087", - "attack.t1046" + "TA0004", + "TA0007", + "T1082", + "T1087", + "T1046" ], "title": "HackTool - winPEAS Execution" }, @@ -18331,8 +18331,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "Suspicious Execution of Systeminfo" }, @@ -18352,7 +18352,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Execution of InstallUtil Without Log" }, @@ -18372,10 +18372,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.initial-access", - "attack.t1505.003", - "attack.t1190" + "TA0003", + "TA0001", + "T1505.003", + "T1190" ], "title": "Suspicious Process By Web Server Process" }, @@ -18395,7 +18395,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Cscript/Wscript Potentially Suspicious Child Process" }, 
@@ -18415,7 +18415,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery" + "TA0007" ], "title": "Potential Recon Activity Using DriverQuery.EXE" }, @@ -18435,7 +18435,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Powercfg Execution To Change Lock Screen Timeout" }, @@ -18455,9 +18455,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.credential-access", - "attack.t1040" + "TA0007", + "TA0006", + "T1040" ], "title": "Harvesting Of Wifi Credentials Via Netsh.EXE" }, @@ -18477,8 +18477,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Suspicious Process Suspension via WERFaultSecure through EDR-Freeze" }, @@ -18498,8 +18498,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "DSInternals Suspicious PowerShell Cmdlets" }, @@ -18519,8 +18519,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1543.003" + "TA0003", + "T1543.003" ], "title": "Allow Service Access Using Security Descriptor Tampering Via Sc.EXE" }, @@ -18540,9 +18540,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.lateral-movement", - "attack.t1210" + "TA0002", + "TA0008", + "T1210" ], "title": "HackTool - SharpWSUS/WSUSpendu Execution" }, @@ -18562,8 +18562,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.007" + "TA0002", + "T1059.007" ], "title": "NodeJS Execution of JavaScript File" }, @@ -18583,8 +18583,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Potential Arbitrary DLL Load Using Winword" }, 
@@ -18604,8 +18604,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1005" + "TA0009", + "T1005" ], "title": "Veeam Backup Database Suspicious Query" }, @@ -18625,10 +18625,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.impact", - "attack.t1070", - "attack.t1485" + "TA0005", + "TA0040", + "T1070", + "T1485" ], "title": "Fsutil Suspicious Invocation" }, @@ -18648,8 +18648,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Python Spawning Pretty TTY on Windows" }, @@ -18669,8 +18669,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "AgentExecutor PowerShell Execution" }, @@ -18690,8 +18690,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Powershell Inline Execution From A File" }, @@ -18711,8 +18711,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1049" + "TA0007", + "T1049" ], "title": "System Network Connections Discovery Via Net.EXE" }, @@ -18732,8 +18732,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Script Event Consumer Spawning Process" }, @@ -18753,8 +18753,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "CodePage Modification Via MODE.COM To Russian Language" }, @@ -18774,8 +18774,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1505.004" + "TA0003", + "T1505.004" ], "title": "Suspicious IIS Module Registration" }, 
@@ -18795,11 +18795,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059.001", - "attack.t1059.003", - "attack.t1564.003" + "TA0005", + "TA0002", + "T1059.001", + "T1059.003", + "T1564.003" ], "title": "Powershell Executed From Headless ConHost Process" }, @@ -18819,10 +18819,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.execution", - "attack.t1059.001", - "attack.t1105" + "TA0011", + "TA0002", + "T1059.001", + "T1105" ], "title": "Potential DLL File Download Via PowerShell Invoke-WebRequest" }, @@ -18842,8 +18842,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555" + "TA0006", + "T1555" ], "title": "HackTool - SecurityXploded Execution" }, @@ -18863,8 +18863,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion" + "TA0003", + "TA0005" ], "title": "Unsigned AppX Installation Attempt Using Add-AppxPackage" }, @@ -18884,10 +18884,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.lateral-movement", - "attack.t1021.001", - "attack.t1112" + "TA0005", + "TA0008", + "T1021.001", + "T1112" ], "title": "Potential Tampering With RDP Related Registry Keys Via Reg.EXE" }, @@ -18907,8 +18907,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.003" + "TA0003", + "T1546.003" ], "title": "New ActiveScriptEventConsumer Created Via Wmic.EXE" }, @@ -18928,8 +18928,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Boot Configuration Tampering Via Bcdedit.EXE" }, @@ -18949,8 +18949,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090.003" + "TA0011", + "T1090.003" ], "title": "Tor Client/Browser Execution" }, 
@@ -18970,9 +18970,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003", - "attack.t1003.001" + "TA0006", + "T1003", + "T1003.001" ], "title": "Potential Credential Dumping Via LSASS Process Clone" }, @@ -18992,9 +18992,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1218", - "attack.defense-evasion", - "attack.execution" + "T1218", + "TA0005", + "TA0002" ], "title": "Uncommon Child Process Of Defaultpack.EXE" }, @@ -19014,8 +19014,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1486" + "TA0040", + "T1486" ], "title": "Portable Gpg.EXE Execution" }, @@ -19035,8 +19035,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Remote Access Tool - ScreenConnect Remote Command Execution" }, @@ -19056,9 +19056,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "New Kernel Driver Via SC.EXE" }, @@ -19078,8 +19078,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Windows Backup Deleted Via Wbadmin.EXE" }, @@ -19099,8 +19099,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Suspicious DLL Loaded via CertOC.EXE" }, @@ -19120,10 +19120,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1047", - "attack.t1098" + "TA0002", + "TA0003", + "T1047", + "T1098" ], "title": "Password Set to Never Expire via WMI" }, @@ -19143,8 +19143,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Devtoolslauncher.exe Executes Specified Binary" }, 
@@ -19164,8 +19164,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1217" + "TA0007", + "T1217" ], "title": "File And SubFolder Enumeration Via Dir Command" }, @@ -19185,11 +19185,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218", - "attack.t1202", - "attack.t1036.005" + "TA0002", + "TA0005", + "T1218", + "T1202", + "T1036.005" ], "title": "Potential Binary Impersonating Sysinternals Tools" }, @@ -19209,11 +19209,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1218.011" + "TA0005", + "TA0002", + "TA0008", + "T1021.002", + "T1218.011" ], "title": "Rundll32 UNC Path Execution" }, @@ -19233,10 +19233,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070", - "attack.t1562", - "attack.t1562.002" + "TA0005", + "T1070", + "T1562", + "T1562.002" ], "title": "Filter Driver Unloaded Via Fltmc.EXE" }, @@ -19256,9 +19256,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "Use of Scriptrunner.exe" }, @@ -19278,9 +19278,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.persistence", - "attack.t1543.003" + "TA0007", + "TA0003", + "T1543.003" ], "title": "Sysinternals PsService Execution" }, @@ -19300,8 +19300,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Sysmon Configuration Update" }, @@ -19321,8 +19321,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1053" + "TA0003", + "T1053" ], "title": "HackTool - SharPersist Execution" }, 
@@ -19342,10 +19342,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.discovery", - "attack.t1047", - "attack.t1082" + "TA0002", + "TA0007", + "T1047", + "T1082" ], "title": "System Disk And Volume Reconnaissance Via Wmic.EXE" }, @@ -19365,8 +19365,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation" + "TA0005", + "TA0004" ], "title": "UAC Bypass Using Event Viewer RecentViews" }, @@ -19386,10 +19386,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.impact", - "attack.t1070", - "attack.t1490" + "TA0005", + "TA0040", + "T1070", + "T1490" ], "title": "Shadow Copies Deletion Using Operating Systems Utilities" }, @@ -19409,9 +19409,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Using PkgMgr and DISM" }, @@ -19431,7 +19431,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Suspicious File Download From IP Via Wget.EXE - Paths" }, @@ -19451,10 +19451,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003", - "attack.t1003.002", - "attack.t1003.003" + "TA0006", + "T1003", + "T1003.002", + "T1003.003" ], "title": "Shadow Copies Creation Using Operating Systems Utilities" }, @@ -19474,8 +19474,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.005" + "TA0006", + "T1003.005" ], "title": "Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE" }, @@ -19495,7 +19495,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement" + "TA0008" ], "title": "Mstsc.EXE Execution From Uncommon Parent" }, 
@@ -19515,9 +19515,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "XBAP Execution From Uncommon Locations Via PresentationHost.EXE" }, @@ -19537,8 +19537,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1489" + "TA0040", + "T1489" ], "title": "Stop Windows Service Via Sc.EXE" }, @@ -19558,8 +19558,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1106" + "TA0002", + "T1106" ], "title": "Suspicious Mshta.EXE Execution Patterns" }, @@ -19579,8 +19579,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Execution via stordiag.exe" }, @@ -19600,9 +19600,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.execution" + "TA0005", + "T1218", + "TA0002" ], "title": "Execute MSDT Via Answer File" }, @@ -19622,8 +19622,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.007" + "TA0005", + "T1218.007" ], "title": "Msiexec Quiet Installation" }, @@ -19643,12 +19643,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.discovery", - "attack.t1047", - "attack.t1112", - "attack.t1012" + "TA0002", + "TA0005", + "TA0007", + "T1047", + "T1112", + "T1012" ], "title": "Registry Manipulation via WMI Stdregprov" }, @@ -19668,8 +19668,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002" + "TA0007", + "T1087.002" ], "title": "PUA - AdFind.EXE Execution" }, @@ -19689,8 +19689,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1574.011" + "TA0004", + "T1574.011" ], "title": "Potential Privilege Escalation via Service Permissions Weakness" }, 
@@ -19710,8 +19710,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.001" + "TA0008", + "T1021.001" ], "title": "New Remote Desktop Connection Initiated Via Mstsc.EXE" }, @@ -19731,9 +19731,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Using IEInstal - Process" }, @@ -19753,8 +19753,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087" + "TA0007", + "T1087" ], "title": "HackTool - SOAPHound Execution" }, @@ -19774,9 +19774,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1548.002" + "TA0004", + "TA0005", + "T1548.002" ], "title": "Potential UAC Bypass Via Sdclt.EXE" }, @@ -19796,10 +19796,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.007", - "attack.command-and-control", - "attack.t1105" + "TA0005", + "T1218.007", + "TA0011", + "T1105" ], "title": "MsiExec Web Install" }, @@ -19819,7 +19819,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential PowerShell Execution Policy Tampering - ProcCreation" }, @@ -19839,8 +19839,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "HackTool - PowerTool Execution" }, @@ -19860,8 +19860,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Suspicious AddinUtil.EXE CommandLine Execution" }, @@ -19881,8 +19881,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Suspicious File Downloaded From Direct IP Via Certutil.EXE" }, 
@@ -19902,8 +19902,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Indirect Command Execution From Script File Via Bash.EXE" }, @@ -19923,8 +19923,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location" }, @@ -19944,8 +19944,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055.001" + "TA0005", + "T1055.001" ], "title": "Potential DLL Injection Or Execution Using Tracker.exe" }, @@ -19965,9 +19965,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.execution" + "TA0005", + "T1218", + "TA0002" ], "title": "Indirect Command Execution By Program Compatibility Wizard" }, @@ -19987,9 +19987,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.persistence", - "attack.t1546.008", + "TA0004", + "TA0003", + "T1546.008", "car.2014-11-003", "car.2014-11-008" ], @@ -20011,8 +20011,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "HackTool - Doppelanger LSASS Dumper Execution" }, @@ -20032,10 +20032,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation CLIP+ Launcher" }, @@ -20055,9 +20055,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.persistence", - "attack.t1546.008" + "TA0004", + "TA0003", + "T1546.008" ], "title": "Potential Privilege Escalation Using Symlink Between Osk and Cmd" }, 
@@ -20077,9 +20077,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", - "attack.t1218" + "TA0005", + "T1036", + "T1218" ], "title": "Suspicious MSDT Parent Process" }, @@ -20099,8 +20099,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055.012" + "TA0005", + "T1055.012" ], "title": "HackTool - HollowReaper Execution" }, @@ -20120,8 +20120,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1048" + "TA0010", + "T1048" ], "title": "Tap Installer Execution" }, @@ -20141,8 +20141,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Remote Code Execute via Winrm.vbs" }, @@ -20162,8 +20162,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Add SafeBoot Keys Via Reg Utility" }, @@ -20183,8 +20183,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disabling Windows Defender WMI Autologger Session via Reg.exe" }, @@ -20204,11 +20204,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.002", - "attack.defense-evasion", - "attack.t1218.014", - "attack.t1036.002" + "TA0002", + "T1204.002", + "TA0005", + "T1218.014", + "T1036.002" ], "title": "MMC Executing Files with Reversed Extensions Using RTLO Abuse" }, @@ -20228,8 +20228,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1048" + "TA0010", + "T1048" ], "title": "Suspicious Redirection to Local Admin Share" }, 
@@ -20249,9 +20249,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "Suspicious Service Path Modification" }, @@ -20271,7 +20271,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potentially Suspicious Call To Win32_NTEventlogFile Class" }, @@ -20291,8 +20291,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Lolbin Runexehelper Use As Proxy" }, @@ -20312,7 +20312,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "HackTool - GMER Rootkit Detector and Remover Execution" }, @@ -20332,10 +20332,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.defense-evasion", - "attack.t1219.002", - "attack.t1036.003" + "TA0011", + "TA0005", + "T1219.002", + "T1036.003" ], "title": "Remote Access Tool - Renamed MeshAgent Execution - Windows" }, @@ -20355,10 +20355,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.execution", - "attack.t1615", - "attack.t1059.005" + "TA0007", + "TA0002", + "T1615", + "T1059.005" ], "title": "Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS" }, @@ -20378,9 +20378,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1055" + "TA0005", + "TA0004", + "T1055" ], "title": "Suspect Svchost Activity" }, @@ -20400,11 +20400,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059.001", - "attack.t1140", - "attack.t1027" + "TA0005", + "TA0002", + "T1059.001", + "T1140", + "T1027" ], "title": "Suspicious XOR Encoded PowerShell Command" }, 
@@ -20424,10 +20424,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION" }, @@ -20447,9 +20447,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "New Service Creation Using PowerShell" }, @@ -20469,8 +20469,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.003" + "TA0006", + "T1003.003" ], "title": "Sensitive File Dump Via Wbadmin.EXE" }, @@ -20490,8 +20490,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Rundll32 Execution Without CommandLine Parameters" }, @@ -20511,10 +20511,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1102", - "attack.t1090", - "attack.t1572" + "TA0011", + "T1102", + "T1090", + "T1572" ], "title": "Cloudflared Tunnel Connections Cleanup" }, @@ -20534,8 +20534,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.reconnaissance", - "attack.t1595" + "TA0043", + "T1595" ], "title": "PUA - PingCastle Execution" }, @@ -20555,10 +20555,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1539", - "attack.collection", - "attack.t1005" + "TA0006", + "T1539", + "TA0009", + "T1005" ], "title": "SQLite Firefox Profile Data DB Access" }, @@ -20578,8 +20578,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090" + "TA0011", + "T1090" ], "title": "PUA- IOX Tunneling Tool Execution" }, 
@@ -20599,9 +20599,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219", - "attack.t1105" + "TA0011", + "T1219", + "T1105" ], "title": "Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server" }, @@ -20621,11 +20621,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.reconnaissance", - "attack.discovery", - "attack.credential-access", - "attack.impact" + "TA0002", + "TA0043", + "TA0007", + "TA0006", + "TA0040" ], "title": "AADInternals PowerShell Cmdlets Execution - ProccessCreation" }, @@ -20645,11 +20645,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1047", - "attack.t1204.002", - "attack.t1218.010" + "TA0005", + "TA0002", + "T1047", + "T1204.002", + "T1218.010" ], "title": "Suspicious Microsoft Office Child Process" }, @@ -20669,7 +20669,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access" + "TA0006" ], "title": "HackTool - LaZagne Execution" }, @@ -20689,8 +20689,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555.003" + "TA0006", + "T1555.003" ], "title": "PUA - WebBrowserPassView Execution" }, 
@@ -20710,25 +20710,25 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.persistence", - "attack.defense-evasion", - "attack.credential-access", - "attack.privilege-escalation", - "attack.t1562.002", - "attack.t1547.001", - "attack.t1505.005", - "attack.t1556.002", - "attack.t1562", - "attack.t1574.007", - "attack.t1564.002", - "attack.t1546.008", - "attack.t1546.007", - "attack.t1547.014", - "attack.t1547.010", - "attack.t1547.002", - "attack.t1557", - "attack.t1082" + "TA0007", + "TA0003", + "TA0005", + "TA0006", + "TA0004", + "T1562.002", + "T1547.001", + "T1505.005", + "T1556.002", + "T1562", + "T1574.007", + "T1564.002", + "T1546.008", + "T1546.007", + "T1547.014", + "T1547.010", + "T1547.002", + "T1557", + "T1082" ], "title": "Potential Suspicious Activity Using SeCEdit" }, @@ -20748,8 +20748,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Dism Remove Online Package" }, @@ -20769,8 +20769,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious Execution of Powershell with Base64" }, @@ -20790,10 +20790,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1140", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1140", + "TA0002", + "T1059.001" ], "title": "PowerShell Base64 Encoded FromBase64String Cmdlet" }, @@ -20813,10 +20813,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.exfiltration", - "attack.t1560", - "attack.t1560.001" + "TA0009", + "TA0010", + "T1560", + "T1560.001" ], "title": "Compressed File Creation Via Tar.EXE" }, 
@@ -20836,9 +20836,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090", - "attack.t1572" + "TA0011", + "T1090", + "T1572" ], "title": "Potentially Suspicious Usage Of Qemu" }, @@ -20858,8 +20858,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "ShimCache Flush" }, @@ -20879,8 +20879,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Potential Persistence Attempt Via Run Keys Using Reg.EXE" }, @@ -20900,10 +20900,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION" }, @@ -20923,8 +20923,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1003", - "attack.credential-access" + "T1003", + "TA0006" ], "title": "Interesting Service Enumeration Via Sc.EXE" }, @@ -20944,8 +20944,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1496" + "TA0040", + "T1496" ], "title": "Potential Crypto Mining Activity" }, @@ -20965,8 +20965,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1552.002" + "TA0006", + "T1552.002" ], "title": "Enumeration for 3rd Party Creds From CLI" }, @@ -20986,9 +20986,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1218", - "attack.defense-evasion", - "attack.execution" + "T1218", + "TA0005", + "TA0002" ], "title": "Uncommon Child Process Of Appvlp.EXE" }, @@ -21008,8 +21008,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055" + "TA0005", + "T1055" ], "title": "Dllhost.EXE Execution Anomaly" }, 
@@ -21029,10 +21029,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", - "attack.t1003.001", - "attack.credential-access" + "TA0005", + "T1036", + "T1003.001", + "TA0006" ], "title": "DumpMinitool Execution" }, @@ -21052,7 +21052,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Remote Access Tool - RURAT Execution From Unusual Location" }, @@ -21072,8 +21072,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Use of FSharp Interpreters" }, @@ -21093,8 +21093,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.006" + "TA0008", + "T1021.006" ], "title": "HackTool - WinRM Access Via Evil-WinRM" }, @@ -21114,8 +21114,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Suspicious Desktopimgdownldr Command" }, @@ -21135,10 +21135,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.defense-evasion", - "attack.command-and-control", - "attack.t1090" + "TA0008", + "TA0005", + "TA0011", + "T1090" ], "title": "New Port Forwarding Rule Added Via Netsh.EXE" }, @@ -21158,8 +21158,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1113" + "TA0009", + "T1113" ], "title": "Screen Capture Activity Via Psr.EXE" }, @@ -21179,8 +21179,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Wscript Shell Run In CommandLine" }, @@ -21200,8 +21200,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Program Executed Using Proxy/Local Command Via SSH.EXE" }, 
@@ -21221,8 +21221,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Potential Mftrace.EXE Abuse" }, @@ -21242,8 +21242,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Suspicious CustomShellHost Execution" }, @@ -21263,8 +21263,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Potential AMSI Bypass Via .NET Reflection" }, @@ -21284,8 +21284,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1176.001" + "TA0003", + "T1176.001" ], "title": "Suspicious Chromium Browser Instance Executed With Custom Extension" }, @@ -21305,7 +21305,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Insecure Proxy/DOH Transfer Via Curl.EXE" }, @@ -21325,9 +21325,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.reconnaissance", - "attack.t1590.001" + "TA0007", + "TA0043", + "T1590.001" ], "title": "PUA - Crassus Execution" }, @@ -21347,8 +21347,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Suspicious Cabinet File Execution Via Msdt.EXE" }, @@ -21368,7 +21368,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Arbitrary Binary Execution Using GUP Utility" }, @@ -21388,8 +21388,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.002" + "TA0002", + "T1204.002" ], "title": "Suspicious Outlook Child Process" }, @@ -21409,8 +21409,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Application Removed Via Wmic.EXE" }, 
@@ -21430,8 +21430,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1033", + "TA0007", + "T1033", "car.2016-03-001" ], "title": "Enumerate All Information With Whoami.EXE" @@ -21452,8 +21452,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555.004" + "TA0006", + "T1555.004" ], "title": "Windows Credential Manager Access via VaultCmd" }, @@ -21473,7 +21473,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Firewall Rule Update Via Netsh.EXE" }, @@ -21493,8 +21493,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.007" + "TA0002", + "T1059.007" ], "title": "Potentially Suspicious Inline JavaScript Execution via NodeJS Binary" }, @@ -21514,8 +21514,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.execution" + "TA0007", + "TA0002" ], "title": "Potential Discovery Activity Via Dnscmd.EXE" }, @@ -21535,10 +21535,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.lateral-movement", - "attack.t1059.001", - "attack.t1021.006" + "TA0002", + "TA0008", + "T1059.001", + "T1021.006" ], "title": "Remote PowerShell Session Host Process (WinRM)" }, @@ -21558,10 +21558,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1574.011" + "TA0003", + "TA0005", + "TA0004", + "T1574.011" ], "title": "Abuse of Service Permissions to Hide Services Via Set-Service" }, @@ -21581,8 +21581,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1552.004" + "TA0006", + "T1552.004" ], "title": "Private Keys Reconnaissance Via CommandLine Tools" }, 
@@ -21602,9 +21602,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002", + "TA0005", + "TA0004", + "T1548.002", "car.2019-04-001" ], "title": "HackTool - Empire PowerShell UAC Bypass" @@ -21625,8 +21625,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Renamed AutoIt Execution" }, @@ -21646,12 +21646,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.collection", - "attack.exfiltration", - "attack.t1039", - "attack.t1048", - "attack.t1021.002" + "TA0008", + "TA0009", + "TA0010", + "T1039", + "T1048", + "T1021.002" ], "title": "Copy From Or To Admin Share Or Sysvol Folder" }, @@ -21671,8 +21671,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Suspicious AgentExecutor PowerShell Execution" }, @@ -21692,10 +21692,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1027", - "attack.t1059.001" + "TA0002", + "TA0005", + "T1027", + "T1059.001" ], "title": "Potential PowerShell Command Line Obfuscation" }, @@ -21715,8 +21715,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "PowerShell Download and Execution Cradles" }, @@ -21736,10 +21736,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.defense-evasion", - "attack.command-and-control", - "attack.t1090" + "TA0008", + "TA0005", + "TA0011", + "T1090" ], "title": "RDP Port Forwarding Rule Added Via Netsh.EXE" }, @@ -21759,8 +21759,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1003", - "attack.credential-access" + "T1003", + "TA0006" ], "title": "Loaded Module Enumeration Via Tasklist.EXE" }, 
@@ -21780,8 +21780,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.005" + "TA0005", + "T1036.005" ], "title": "Uncommon Svchost Parent Process" }, @@ -21801,8 +21801,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Potential CommandLine Path Traversal Via Cmd.EXE" }, @@ -21822,12 +21822,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", - "attack.defense-evasion", - "attack.t1218.005", - "attack.t1027.004" + "TA0002", + "T1059.005", + "T1059.007", + "TA0005", + "T1218.005", + "T1027.004" ], "title": "Csc.EXE Execution Form Potentially Suspicious Parent" }, @@ -21847,8 +21847,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "Write Protect For Storage Disabled" }, @@ -21868,8 +21868,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1543.003" + "TA0003", + "T1543.003" ], "title": "Suspicious Service DACL Modification Via Set-Service Cmdlet" }, @@ -21889,9 +21889,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002", - "attack.t1003.003", + "TA0006", + "T1003.002", + "T1003.003", "car.2013-07-001", "attack.s0404" ], @@ -21913,8 +21913,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential Register_App.Vbs LOLScript Abuse" }, @@ -21934,8 +21934,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - MeshAgent Command Execution via MeshCentral" }, 
@@ -21955,11 +21955,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.defense-evasion", - "attack.t1218", - "attack.t1202" + "TA0002", + "T1059.005", + "TA0005", + "T1218", + "T1202" ], "title": "Uncommon Child Process Of BgInfo.EXE" }, @@ -21979,8 +21979,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Change PowerShell Policies to an Insecure Level" }, @@ -22000,7 +22000,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "PowerShell Set-Acl On Windows Folder" }, @@ -22020,8 +22020,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.001" + "TA0005", + "T1218.001" ], "title": "Remote CHM File Download/Execution Via HH.EXE" }, @@ -22041,8 +22041,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "PowerShell Script Run in AppData" }, @@ -22062,7 +22062,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Nslookup PowerShell Download Cradle - ProcessCreation" }, @@ -22082,8 +22082,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "Potential PowerShell Execution Via DLL" }, @@ -22103,8 +22103,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1572" + "TA0011", + "T1572" ], "title": "Potential RDP Tunneling Via SSH" }, @@ -22124,8 +22124,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.001" + "TA0005", + "T1218.001" ], "title": "OneNote.EXE Execution of Malicious Embedded Scripts" }, 
@@ -22145,8 +22145,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential NTLM Coercion Via Certutil.EXE" }, @@ -22166,8 +22166,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.001" + "TA0003", + "T1546.001" ], "title": "Change Default File Association To Executable Via Assoc" }, @@ -22187,8 +22187,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses" }, @@ -22208,8 +22208,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1055" + "TA0005", + "T1055" ], "title": "Suspicious Userinit Child Process" }, @@ -22229,8 +22229,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1489" + "TA0040", + "T1489" ], "title": "Delete All Scheduled Tasks" }, @@ -22250,8 +22250,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Uncommon Sigverif.EXE Child Process" }, @@ -22271,8 +22271,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1083" + "TA0007", + "T1083" ], "title": "Notepad Password Files Discovery" }, @@ -22292,8 +22292,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "System Information Discovery via Registry Queries" }, @@ -22313,8 +22313,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "Potential SPN Enumeration Via Setspn.EXE" }, 
@@ -22334,9 +22334,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059" + "TA0005", + "TA0002", + "T1059" ], "title": "Add New Download Source To Winget" }, @@ -22356,8 +22356,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Suspicious Provlaunch.EXE Child Process" }, @@ -22377,8 +22377,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.009" + "TA0005", + "T1218.009" ], "title": "Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location" }, @@ -22398,7 +22398,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Start of NT Virtual DOS Machine" }, @@ -22418,7 +22418,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Uncommon FileSystem Load Attempt By Format.com" }, @@ -22438,8 +22438,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "JScript Compiler Execution" }, @@ -22459,8 +22459,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Use Short Name Path in Command Line" }, @@ -22480,9 +22480,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.credential-access", - "attack.t1557.001" + "TA0002", + "TA0006", + "T1557.001" ], "title": "HackTool - Impacket Tools Execution" }, @@ -22502,8 +22502,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Unusual Parent Process For Cmd.EXE" }, 
@@ -22523,8 +22523,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "Potential Mpclient.DLL Sideloading Via Defender Binaries" }, @@ -22544,9 +22544,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1059" + "TA0002", + "TA0003", + "T1059" ], "title": "Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script" }, @@ -22566,8 +22566,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence" + "TA0002", + "TA0003" ], "title": "Suspicious WindowsTerminal Child Processes" }, @@ -22587,8 +22587,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.004" + "TA0005", + "T1070.004" ], "title": "Directory Removal Via Rmdir" }, @@ -22608,8 +22608,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203" + "TA0002", + "T1203" ], "title": "Potentially Suspicious Child Process Of WinRAR.EXE" }, @@ -22629,9 +22629,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Using ChangePK and SLUI" }, @@ -22651,8 +22651,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "File Recovery From Backup Via Wbadmin.EXE" }, @@ -22672,7 +22672,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Chromium Browser Headless Execution To Mockbin Like Site" }, 
@@ -22692,11 +22692,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1505.003", - "attack.t1190", - "attack.initial-access", - "attack.persistence", - "attack.privilege-escalation" + "T1505.003", + "T1190", + "TA0001", + "TA0003", + "TA0004" ], "title": "Suspicious Child Process Of SQL Server" }, @@ -22716,7 +22716,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3" }, @@ -22736,8 +22736,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1136.001" + "TA0003", + "T1136.001" ], "title": "New User Created Via Net.EXE With Never Expire Option" }, @@ -22757,8 +22757,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1053.002" + "TA0004", + "T1053.002" ], "title": "Interactive AT Job" }, @@ -22778,8 +22778,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1112", - "attack.defense-evasion" + "T1112", + "TA0005" ], "title": "Potential Suspicious Registry File Imported Via Reg.EXE" }, @@ -22799,8 +22799,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Powershell Base64 Encoded MpPreference Cmdlet" }, @@ -22820,8 +22820,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution" + "TA0005", + "TA0002" ], "title": "Wab Execution From Non Default Location" }, @@ -22841,8 +22841,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Uninstall Crowdstrike Falcon Sensor" }, @@ -22862,8 +22862,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Potential AMSI Bypass Using NULL Bits" }, 
@@ -22883,8 +22883,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "New Capture Session Launched Via DXCap.EXE" }, @@ -22904,8 +22904,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.003" + "TA0006", + "T1003.003" ], "title": "Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)" }, @@ -22925,10 +22925,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1574.011" + "TA0003", + "TA0005", + "TA0004", + "T1574.011" ], "title": "Service DACL Abuse To Hide Services Via Sc.EXE" }, @@ -22948,8 +22948,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.005" + "TA0005", + "T1036.005" ], "title": "Suspicious Process Masquerading As SvcHost.EXE" }, @@ -22969,8 +22969,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "Potential Command Line Path Traversal Evasion Attempt" }, @@ -22990,8 +22990,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Php Inline Command Execution" }, @@ -23011,8 +23011,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1218", - "attack.defense-evasion" + "T1218", + "TA0005" ], "title": "Malicious PE Execution by Microsoft Visual Studio Debugger" }, @@ -23032,8 +23032,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "Potential Fake Instance Of Hxtsr.EXE Executed" }, @@ -23053,9 +23053,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", + "TA0008", "attack.g0047", - "attack.t1021.005" + "T1021.005" ], "title": "Suspicious UltraVNC Execution" }, 
@@ -23075,9 +23075,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005" + "TA0002", + "TA0003", + "T1053.005" ], "title": "Schtasks Creation Or Modification With SYSTEM Privileges" }, @@ -23097,7 +23097,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4" }, @@ -23117,9 +23117,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1059.001" + "TA0005", + "TA0002", + "T1059.001" ], "title": "Potential PowerShell Downgrade Attack" }, @@ -23139,10 +23139,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.credential-access", - "attack.t1036", - "attack.t1003.001", + "TA0005", + "TA0006", + "T1036", + "T1003.001", "car.2013-05-009" ], "title": "Process Memory Dump Via Comsvcs.DLL" @@ -23163,8 +23163,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "Suspicious Calculator Usage" }, @@ -23184,8 +23184,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1021.003", - "attack.lateral-movement" + "T1021.003", + "TA0008" ], "title": "Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp" }, @@ -23205,8 +23205,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Use of VSIISExeLauncher.exe" }, @@ -23226,10 +23226,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003", - "attack.lateral-movement", - "attack.t1550.003" + "TA0006", + "T1558.003", + "TA0008", + "T1550.003" ], "title": "HackTool - KrbRelayUp Execution" }, 
@@ -23249,13 +23249,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.discovery", - "attack.persistence", - "attack.privilege-escalation", - "attack.t1622", - "attack.t1564", - "attack.t1543" + "TA0005", + "TA0007", + "TA0003", + "TA0004", + "T1622", + "T1564", + "T1543" ], "title": "PUA - Process Hacker Execution" }, @@ -23275,8 +23275,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1203", - "attack.execution" + "T1203", + "TA0002" ], "title": "Java Running with Remote Debugging" }, @@ -23296,8 +23296,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1220" + "TA0005", + "T1220" ], "title": "Remote XSL Execution Via Msxsl.EXE" }, @@ -23317,8 +23317,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "TA0002", + "T1053.005" ], "title": "Suspicious Scheduled Task Name As GUID" }, @@ -23338,8 +23338,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Certificate Exported Via Certutil.EXE" }, @@ -23359,8 +23359,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "DeviceCredentialDeployment Execution" }, @@ -23380,9 +23380,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218" + "TA0002", + "TA0005", + "T1218" ], "title": "Binary Proxy Execution Via Dotnet-Trace.EXE" }, @@ -23402,10 +23402,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1053.005", - "attack.t1059.001" + "TA0002", + "TA0003", + "T1053.005", + "T1059.001" ], "title": "Scheduled Task Executing Payload from Registry" }, 
@@ -23425,9 +23425,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1036" + "TA0002", + "TA0005", + "T1036" ], "title": "Potential ReflectDebugger Content Execution Via WerFault.EXE" }, @@ -23447,8 +23447,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation" + "TA0005", + "TA0004" ], "title": "Windows Kernel Debugger Execution" }, @@ -23468,8 +23468,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.003" + "TA0005", + "T1036.003" ], "title": "Renamed ProcDump Execution" }, @@ -23489,11 +23489,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.003", - "attack.t1036", - "attack.t1027.005", - "attack.t1027" + "TA0005", + "T1036.003", + "T1036", + "T1027.005", + "T1027" ], "title": "PUA - Potential PE Metadata Tamper Using Rcedit" }, @@ -23513,8 +23513,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216.001" + "TA0005", + "T1216.001" ], "title": "Launch-VsDevShell.PS1 Proxy Execution" }, @@ -23534,8 +23534,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Ruby Inline Command Execution" }, @@ -23555,8 +23555,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - Potential MeshAgent Execution - Windows" }, @@ -23576,8 +23576,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1057" + "TA0007", + "T1057" ], "title": "Recon Command Output Piped To Findstr.EXE" }, 
@@ -23597,11 +23597,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense-evasion", - "attack.t1218", - "attack.t1127" + "TA0002", + "T1106", + "TA0005", + "T1218", + "T1127" ], "title": "Potential Binary Proxy Execution Via Cdb.EXE" }, @@ -23621,8 +23621,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "HackTool - EDRSilencer Execution" }, @@ -23642,8 +23642,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Scripting/CommandLine Process Spawned Regsvr32" }, @@ -23663,9 +23663,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.reconnaissance", - "attack.discovery", - "attack.impact" + "TA0043", + "TA0007", + "TA0040" ], "title": "Potential Active Directory Enumeration Using AD Module - ProcCreation" }, @@ -23685,8 +23685,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Parent Process" }, @@ -23706,8 +23706,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002" + "TA0005", + "T1562.002" ], "title": "Audit Policy Tampering Via NT Resource Kit Auditpol" }, @@ -23727,8 +23727,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Sysprep on AppData Folder" }, @@ -23748,11 +23748,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.lateral-movement", - "attack.t1133", - "attack.t1136.001", - "attack.t1021.001" + "TA0003", + "TA0008", + "T1133", + "T1136.001", + "T1021.001" ], "title": "User Added to Remote Desktop Users Group" }, 
@@ -23772,11 +23772,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "attack.s0190", - "attack.t1036.003" + "T1036.003" ], "title": "Suspicious Download From Direct IP Via Bitsadmin" }, @@ -23796,8 +23796,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Suspicious High IntegrityLevel Conhost Legacy Option" }, @@ -23817,8 +23817,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1112", - "attack.defense-evasion" + "T1112", + "TA0005" ], "title": "Imports Registry Key From a File" }, @@ -23838,8 +23838,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1572" + "TA0011", + "T1572" ], "title": "PUA - Ngrok Execution" }, @@ -23859,8 +23859,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1220" + "TA0005", + "T1220" ], "title": "Msxsl.EXE Execution" }, @@ -23880,8 +23880,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "Suspicious ShellExec_RunDLL Call Via Ordinal" }, @@ -23901,8 +23901,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.resource-development", - "attack.t1587.001" + "TA0042", + "T1587.001" ], "title": "Potential PsExec Remote Execution" }, @@ -23922,8 +23922,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Windows Recovery Environment Disabled Via Reagentc" }, @@ -23943,10 +23943,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral-movement", - "attack.t1021.003" + "TA0002", + "T1047", + "TA0008", + "T1021.003" ], "title": "HackTool - Potential Impacket Lateral Movement Activity" }, 
@@ -23966,8 +23966,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1572" + "TA0011", + "T1572" ], "title": "PUA - 3Proxy Execution" }, @@ -23987,8 +23987,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Potential Manage-bde.wsf Abuse To Proxy Execution" }, @@ -24008,8 +24008,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Copy From VolumeShadowCopy Via Cmd.EXE" }, @@ -24029,8 +24029,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "WmiPrvSE Spawned A Process" }, @@ -24050,8 +24050,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution" }, @@ -24071,8 +24071,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090" + "TA0011", + "T1090" ], "title": "PUA - NPS Tunneling Tool Execution" }, @@ -24092,8 +24092,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Wlrmdr.EXE Uncommon Argument Or Child Process" }, @@ -24113,8 +24113,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "HackTool - KrbRelay Execution" }, @@ -24134,8 +24134,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "HackTool - SharpMove Tool Execution" }, 
@@ -24155,9 +24155,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.discovery", - "attack.t1033" + "TA0004", + "TA0007", + "T1033" ], "title": "Security Privileges Enumeration Via Whoami.EXE" }, @@ -24177,8 +24177,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.003" + "TA0006", + "T1003.003" ], "title": "Sensitive File Recovery From Backup Via Wbadmin.EXE" }, @@ -24198,9 +24198,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1110", - "attack.t1110.001" + "TA0006", + "T1110", + "T1110.001" ], "title": "HackTool - Hydra Password Bruteforce Execution" }, @@ -24220,9 +24220,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "Process Proxy Execution Via Squirrel.EXE" }, @@ -24242,8 +24242,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.002" + "TA0005", + "T1036.002" ], "title": "Potential Defense Evasion Via Right-to-Left Override" }, @@ -24263,8 +24263,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "TA0002", + "T1053.005" ], "title": "Suspicious Modification Of Scheduled Tasks" }, @@ -24284,7 +24284,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Process Launched Without Image Name" }, @@ -24304,8 +24304,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "TA0009", + "T1560.001" ], "title": "Compress Data and Lock With Password for Exfiltration With 7-ZIP" }, @@ -24325,7 +24325,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Potentially Suspicious Electron Application CommandLine" }, 
@@ -24345,8 +24345,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Non Interactive PowerShell Process Spawned" }, @@ -24366,13 +24366,13 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.credential-access", - "attack.command-and-control", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "TA0005", + "TA0006", + "TA0011", + "T1218", + "T1564.004", + "T1552.001", + "T1105" ], "title": "Insensitive Subfolder Search Via Findstr.EXE" }, @@ -24392,8 +24392,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1127" + "TA0005", + "T1127" ], "title": "Kavremover Dropped Binary LOLBIN Usage" }, @@ -24413,8 +24413,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "HackTool - Quarks PwDump Execution" }, @@ -24434,8 +24434,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082" + "TA0007", + "T1082" ], "title": "Suspicious Query of MachineGUID" }, @@ -24455,8 +24455,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "HackTool - Empire PowerShell Launch Parameters" }, @@ -24476,9 +24476,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070", - "attack.t1562.006", + "TA0005", + "T1070", + "T1562.006", "car.2016-04-002" ], "title": "ETW Trace Evasion Activity" @@ -24499,8 +24499,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "CobaltStrike Load by Rundll32" }, 
@@ -24520,8 +24520,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - AnyDesk Silent Installation" }, @@ -24541,8 +24541,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.010" + "TA0005", + "T1562.010" ], "title": "LSA PPL Protection Disabled Via Reg.EXE" }, @@ -24562,7 +24562,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "PsExec Service Execution" }, @@ -24582,10 +24582,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218", - "attack.t1202" + "TA0002", + "TA0005", + "T1218", + "T1202" ], "title": "WSL Child Process Anomaly" }, @@ -24605,8 +24605,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001" + "TA0009", + "T1560.001" ], "title": "Winrar Execution in Non-Standard Folder" }, @@ -24626,7 +24626,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potentially Suspicious Windows App Activity" }, @@ -24646,8 +24646,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Verclsid.exe Runs COM Object" }, @@ -24667,8 +24667,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010" + "TA0005", + "T1218.010" ], "title": "Regsvr32 DLL Execution With Suspicious File Extension" }, @@ -24688,8 +24688,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "Suspicious Rundll32 Activity Invoking Sys File" }, 
@@ -24709,7 +24709,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "Logged-On User Password Change Via Ksetup.EXE" }, @@ -24729,8 +24729,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1040" + "TA0006", + "T1040" ], "title": "PktMon.EXE Execution" }, @@ -24750,7 +24750,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "DumpStack.log Defender Evasion" }, @@ -24770,8 +24770,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1552.006" + "TA0006", + "T1552.006" ], "title": "Findstr GPP Passwords" }, @@ -24791,8 +24791,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "Suspicious GUP Usage" }, @@ -24812,8 +24812,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1046" + "TA0007", + "T1046" ], "title": "PUA - NimScan Execution" }, @@ -24833,8 +24833,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "Potential Credential Dumping Via WER" }, @@ -24854,8 +24854,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Abusing Print Executable" }, @@ -24875,8 +24875,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.008" + "TA0005", + "T1218.008" ], "title": "Uncommon Child Process Spawned By Odbcconf.EXE" }, @@ -24896,8 +24896,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1124" + "TA0007", + "T1124" ], "title": "Discovery of a System Time" }, 
@@ -24917,8 +24917,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1090.001" + "TA0011", + "T1090.001" ], "title": "HackTool - SharpChisel Execution" }, @@ -24938,10 +24938,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege-escalation", - "attack.t1068" + "TA0002", + "T1203", + "TA0004", + "T1068" ], "title": "Suspicious Spool Service Child Process" }, @@ -24961,10 +24961,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Potential PowerShell Obfuscation Via Reversed Commands" }, @@ -24984,8 +24984,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071.001" + "TA0011", + "T1071.001" ], "title": "Visual Studio Code Tunnel Service Installation" }, @@ -25005,8 +25005,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Non-privileged Usage of Reg or Powershell" }, @@ -25026,8 +25026,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1569.002", + "TA0002", + "T1569.002", "attack.s0029" ], "title": "PUA - NirCmd Execution" @@ -25048,9 +25048,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1548.002" + "TA0004", + "TA0005", + "T1548.002" ], "title": "Bypass UAC via WSReset.exe" }, @@ -25070,8 +25070,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Perl Inline Command Execution" }, 
@@ -25091,10 +25091,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1003.001",
- "attack.credential-access"
+ "TA0005",
+ "T1036",
+ "T1003.001",
+ "TA0006"
 ],
 "title": "CreateDump Process Dump"
 },
@@ -25114,7 +25114,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Suspicious Execution Location Of Wermgr.EXE"
 },
@@ -25134,9 +25134,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.execution"
+ "TA0005",
+ "T1218",
+ "TA0002"
 ],
 "title": "Proxy Execution Via Wuauclt.EXE"
 },
@@ -25156,7 +25156,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2"
 },
@@ -25176,8 +25176,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.004"
+ "TA0005",
+ "T1564.004"
 ],
 "title": "Use Short Name Path in Image"
 },
@@ -25197,9 +25197,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Tools Using ComputerDefaults"
 },
@@ -25219,10 +25219,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027",
- "attack.execution",
- "attack.t1059.001"
+ "TA0005",
+ "T1027",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Potential Encoded PowerShell Patterns In CommandLine"
 },
@@ -25242,10 +25242,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.impact",
- "attack.t1112",
- "attack.t1491.001"
+ "TA0005",
+ "TA0040",
+ "T1112",
+ "T1491.001"
 ],
 "title": "Potentially Suspicious Desktop Background Change Using Reg.EXE"
 },
@@ -25265,8 +25265,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration",
- "attack.t1567"
+ "TA0010",
+ "T1567"
 ],
 "title": "LOLBAS Data Exfiltration by DataSvcUtil.exe"
 },
@@ -25286,14 +25286,14 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.001",
- "attack.t1087.002",
- "attack.t1482",
- "attack.t1069.001",
- "attack.t1069.002",
- "attack.execution",
- "attack.t1059.001"
+ "TA0007",
+ "T1087.001",
+ "T1087.002",
+ "T1482",
+ "T1069.001",
+ "T1069.002",
+ "TA0002",
+ "T1059.001"
 ],
 "title": "HackTool - Bloodhound/Sharphound Execution"
 },
@@ -25313,8 +25313,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003"
+ "TA0002",
+ "T1059.003"
 ],
 "title": "HackTool - Jlaive In-Memory Assembly Execution"
 },
@@ -25334,10 +25334,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070",
- "attack.t1562",
- "attack.t1562.002"
+ "TA0005",
+ "T1070",
+ "T1562",
+ "T1562.002"
 ],
 "title": "Sysmon Driver Unloaded Via Fltmc.EXE"
 },
@@ -25357,8 +25357,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution"
+ "TA0005",
+ "TA0002"
 ],
 "title": "ImagingDevices Unusual Parent/Child Processes"
 },
@@ -25378,10 +25378,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036",
- "attack.t1202",
- "attack.t1027.003"
+ "TA0005",
+ "T1036",
+ "T1202",
+ "T1027.003"
 ],
 "title": "Findstr Launching .lnk File"
 },
@@ -25401,8 +25401,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "Potential Windows Defender AV Bypass Via Dump64.EXE Rename"
 },
@@ -25422,8 +25422,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1566.001"
+ "TA0001",
+ "T1566.001"
 ],
 "title": "Suspicious Execution From Outlook Temporary Folder"
 },
@@ -25443,8 +25443,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1021"
+ "TA0008",
+ "T1021"
 ],
 "title": "Potential Remote Desktop Tunneling"
 },
@@ -25464,8 +25464,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.005"
+ "TA0005",
+ "T1218.005"
 ],
 "title": "Suspicious JavaScript Execution Via Mshta.EXE"
 },
@@ -25485,8 +25485,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.003"
+ "TA0005",
+ "T1036.003"
 ],
 "title": "Suspicious Copy From or To System Directory"
 },
@@ -25506,8 +25506,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1018"
+ "TA0007",
+ "T1018"
 ],
 "title": "Share And Session Enumeration Using Net.EXE"
 },
@@ -25527,8 +25527,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047"
+ "TA0002",
+ "T1047"
 ],
 "title": "Process Reconnaissance Via Wmic.EXE"
 },
@@ -25548,8 +25548,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "HackTool - HandleKatz LSASS Dumper Execution"
 },
@@ -25569,8 +25569,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1018"
+ "TA0007",
+ "T1018"
 ],
 "title": "PUA - Adidnsdump Execution"
 },
@@ -25590,8 +25590,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Suspicious PowerShell Parameter Substring"
 },
@@ -25611,8 +25611,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1055"
+ "TA0005",
+ "T1055"
 ],
 "title": "Suspicious Rundll32 Invoking Inline VBScript"
 },
@@ -25632,7 +25632,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1"
 },
@@ -25652,8 +25652,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1053.005"
+ "TA0003",
+ "T1053.005"
 ],
 "title": "Potential Persistence Via Microsoft Compatibility Appraiser"
 },
@@ -25673,8 +25673,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1190"
+ "TA0001",
+ "T1190"
 ],
 "title": "Remote Access Tool - ScreenConnect Server Web Shell Execution"
 },
@@ -25694,8 +25694,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1046"
+ "TA0007",
+ "T1046"
 ],
 "title": "PUA - SoftPerfect Netscan Execution"
 },
@@ -25715,10 +25715,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1574.011"
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011"
 ],
 "title": "Service Security Descriptor Tampering Via Sc.EXE"
 },
@@ -25738,7 +25738,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Suspicious Msbuild Execution By Uncommon Parent Process"
 },
@@ -25758,10 +25758,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1055",
- "attack.t1036"
+ "TA0005",
+ "TA0004",
+ "T1055",
+ "T1036"
 ],
 "title": "Suspicious Child Process Of Wermgr.EXE"
 },
@@ -25781,10 +25781,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027"
 ],
 "title": "Potential PowerShell Obfuscation Via WCHAR/CHAR"
 },
@@ -25804,8 +25804,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1090",
+ "TA0011",
+ "T1090",
 "attack.s0040"
 ],
 "title": "HackTool - Htran/NATBypass Execution"
@@ -25826,9 +25826,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574",
- "attack.execution"
+ "TA0005",
+ "T1574",
+ "TA0002"
 ],
 "title": "Regsvr32 DLL Execution With Uncommon Extension"
 },
@@ -25848,8 +25848,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.006"
+ "TA0006",
+ "T1552.006"
 ],
 "title": "LSASS Process Reconnaissance Via Findstr.EXE"
 },
@@ -25869,8 +25869,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1572"
+ "TA0011",
+ "T1572"
 ],
 "title": "Potential RDP Tunneling Via Plink"
 },
@@ -25890,9 +25890,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.persistence",
- "attack.t1543.003"
+ "TA0007",
+ "TA0003",
+ "T1543.003"
 ],
 "title": "Sysinternals PsSuspend Execution"
 },
@@ -25912,8 +25912,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion"
+ "TA0002",
+ "TA0005"
 ],
 "title": "Potential ShellDispatch.DLL Functionality Abuse"
 },
@@ -25933,10 +25933,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1574.011"
+ "TA0003",
+ "TA0005",
+ "TA0004",
+ "T1574.011"
 ],
 "title": "Possible Privilege Escalation via Weak Service Permissions"
 },
@@ -25956,8 +25956,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1115"
+ "TA0009",
+ "T1115"
 ],
 "title": "Data Copied To Clipboard Via Clip.EXE"
 },
@@ -25977,9 +25977,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1105",
- "attack.t1564.003"
+ "TA0011",
+ "T1105",
+ "T1564.003"
 ],
 "title": "File Download with Headless Browser"
 },
@@ -25999,8 +25999,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.010"
+ "TA0005",
+ "T1218.010"
 ],
 "title": "Suspicious Regsvr32 Execution From Remote Share"
 },
@@ -26020,9 +26020,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1564.006",
- "attack.t1564"
+ "TA0005",
+ "T1564.006",
+ "T1564"
 ],
 "title": "Virtualbox Driver Installation or Starting of VMs"
 },
@@ -26042,7 +26042,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "PowerShell Script Change Permission Via Set-Acl"
 },
@@ -26062,10 +26062,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.command-and-control",
- "attack.t1105"
+ "TA0005",
+ "T1218",
+ "TA0011",
+ "T1105"
 ],
 "title": "File Download Via Windows Defender MpCmpRun.EXE"
 },
@@ -26085,8 +26085,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1216"
+ "TA0005",
+ "T1216"
 ],
 "title": "Assembly Loading Via CL_LoadAssembly.ps1"
 },
@@ -26106,8 +26106,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1587.001"
+ "TA0042",
+ "T1587.001"
 ],
 "title": "PsExec/PAExec Escalation to LOCAL SYSTEM"
 },
@@ -26127,8 +26127,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1119"
+ "TA0009",
+ "T1119"
 ],
 "title": "Recon Information for Export with Command Prompt"
 },
@@ -26148,9 +26148,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.001",
- "attack.t1562.002",
+ "TA0005",
+ "T1070.001",
+ "T1562.002",
 "car.2016-04-002"
 ],
 "title": "Suspicious Eventlog Clearing or Configuration Change Activity"
@@ -26171,9 +26171,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.credential-access",
- "attack.t1040"
+ "TA0007",
+ "TA0006",
+ "T1040"
 ],
 "title": "New Network Trace Capture Started Via Netsh.EXE"
 },
@@ -26193,8 +26193,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Conhost Spawned By Uncommon Parent Process"
 },
@@ -26214,8 +26214,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0005",
+ "T1027"
 ],
 "title": "File Decoded From Base64/Hex Via Certutil.EXE"
 },
@@ -26235,8 +26235,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1560.001"
+ "TA0009",
+ "T1560.001"
 ],
 "title": "Suspicious Manipulation Of Default Accounts Via Net.EXE"
 },
@@ -26256,8 +26256,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.009"
+ "TA0005",
+ "T1218.009"
 ],
 "title": "RegAsm.EXE Execution Without CommandLine Flags or Files"
 },
@@ -26277,11 +26277,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
+ "TA0002",
+ "T1059.005",
+ "TA0005",
+ "T1218",
+ "T1202"
 ],
 "title": "Suspicious Child Process Of BgInfo.EXE"
 },
@@ -26301,11 +26301,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1106",
- "attack.t1059.003",
- "attack.t1218.011"
+ "TA0002",
+ "TA0005",
+ "T1106",
+ "T1059.003",
+ "T1218.011"
 ],
 "title": "HackTool - RedMimicry Winnti Playbook Execution"
 },
@@ -26325,10 +26325,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1216"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1216"
 ],
 "title": "Execute Code with Pester.bat"
 },
@@ -26348,8 +26348,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1124"
+ "TA0007",
+ "T1124"
 ],
 "title": "Use of W32tm as Timer"
 },
@@ -26369,7 +26369,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Local File Read Using Curl.EXE"
 },
@@ -26389,8 +26389,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Suspicious Windows Defender Registry Key Tampering Via Reg.EXE"
 },
@@ -26410,9 +26410,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0002",
+ "TA0005",
+ "T1218"
 ],
 "title": "Arbitrary MSI Download Via Devinit.EXE"
 },
@@ -26432,7 +26432,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Suspicious File Download From IP Via Curl.EXE"
 },
@@ -26452,8 +26452,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1216"
+ "TA0005",
+ "T1216"
 ],
 "title": "Potential Script Proxy Execution Via CL_Mutexverifiers.ps1"
 },
@@ -26473,8 +26473,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "PowerShell Download Pattern"
 },
@@ -26494,8 +26494,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0005",
+ "T1127"
 ],
 "title": "AspNetCompiler Execution"
 },
@@ -26515,7 +26515,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Rundll32 Spawned Via Explorer.EXE"
 },
@@ -26535,7 +26535,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Suspicious Electron Application Child Processes"
 },
@@ -26555,7 +26555,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential Signing Bypass Via Windows Developer Features"
 },
@@ -26575,8 +26575,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Proxy Execution via Vshadow"
 },
@@ -26596,9 +26596,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033",
- "attack.t1087.001"
+ "TA0007",
+ "T1033",
+ "T1087.001"
 ],
 "title": "Local Accounts Discovery"
 },
@@ -26618,9 +26618,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.t1059"
+ "TA0002",
+ "TA0003",
+ "T1059"
 ],
 "title": "VMToolsd Suspicious Child Process"
 },
@@ -26640,8 +26640,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1053.005"
+ "TA0002",
+ "T1053.005"
 ],
 "title": "Schtasks From Suspicious Folders"
 },
@@ -26661,11 +26661,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003",
- "attack.t1558.003",
- "attack.lateral-movement",
- "attack.t1550.003"
+ "TA0006",
+ "T1003",
+ "T1558.003",
+ "TA0008",
+ "T1550.003"
 ],
 "title": "HackTool - Rubeus Execution"
 },
@@ -26685,8 +26685,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1087.001"
+ "TA0007",
+ "T1087.001"
 ],
 "title": "Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet"
 },
@@ -26706,8 +26706,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Use of VisualUiaVerifyNative.exe"
 },
@@ -26727,7 +26727,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Suspicious Workstation Locking via Rundll32"
 },
@@ -26747,10 +26747,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1202"
+ "TA0002",
+ "TA0005",
+ "T1218",
+ "T1202"
 ],
 "title": "Suspicious ZipExec Execution"
 },
@@ -26770,8 +26770,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1546.002"
+ "TA0004",
+ "T1546.002"
 ],
 "title": "Suspicious ScreenSave Change by Reg.exe"
 },
@@ -26791,10 +26791,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1059",
- "attack.t1202"
+ "TA0002",
+ "TA0005",
+ "T1059",
+ "T1202"
 ],
 "title": "Outlook EnableUnsafeClientMailRules Setting Enabled"
 },
@@ -26814,8 +26814,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011"
+ "TA0005",
+ "T1218.011"
 ],
 "title": "HackTool - F-Secure C3 Load by Rundll32"
 },
@@ -26835,8 +26835,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1047",
+ "TA0002",
+ "T1047",
 "car.2016-03-002"
 ],
 "title": "Hardware Model Reconnaissance Via Wmic.EXE"
@@ -26857,8 +26857,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001"
+ "TA0006",
+ "T1003.001"
 ],
 "title": "Process Memory Dump via RdrLeakDiag.EXE"
 },
@@ -26878,8 +26878,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.006"
+ "TA0006",
+ "T1552.006"
 ],
 "title": "Suspicious SYSVOL Domain Group Policy Access"
 },
@@ -26899,10 +26899,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1059",
- "attack.t1202"
+ "TA0002",
+ "TA0005",
+ "T1059",
+ "T1202"
 ],
 "title": "Suspicious Remote Child Process From Outlook"
 },
@@ -26922,9 +26922,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Use Of The SFTP.EXE Binary As A LOLBIN"
 },
@@ -26944,7 +26944,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "Potential Cookies Session Hijacking"
 },
@@ -26964,8 +26964,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1140"
+ "TA0005",
+ "T1140"
 ],
 "title": "Potential Commandline Obfuscation Using Escape Characters"
 },
@@ -26985,8 +26985,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Windows Defender Context Menu Removed"
 },
@@ -27006,8 +27006,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Potential Powershell ReverseShell Connection"
 },
@@ -27027,8 +27027,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potential Binary Proxy Execution Via VSDiagnostics.EXE"
 },
@@ -27048,8 +27048,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Netsh Allow Group Policy on Microsoft Defender Firewall"
 },
@@ -27069,10 +27069,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence",
- "attack.t1036.005",
- "attack.t1053.005"
+ "TA0005",
+ "TA0003",
+ "T1036.005",
+ "T1053.005"
 ],
 "title": "Suspicious Scheduled Task Creation via Masqueraded XML File"
 },
@@ -27092,8 +27092,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0005",
+ "T1127"
 ],
 "title": "Potential Arbitrary Code Execution Via Node.EXE"
 },
@@ -27113,8 +27113,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1134.004"
+ "TA0005",
+ "T1134.004"
 ],
 "title": "HackTool - PPID Spoofing SelectMyParent Tool Execution"
 },
@@ -27134,8 +27134,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.007"
+ "TA0005",
+ "T1218.007"
 ],
 "title": "Suspicious Msiexec Execute Arbitrary DLL"
 },
@@ -27155,8 +27155,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.exfiltration",
- "attack.t1567.002"
+ "TA0010",
+ "T1567.002"
 ],
 "title": "PUA - Rclone Execution"
 },
@@ -27176,8 +27176,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Potential Tampering With Security Products Via WMIC"
 },
@@ -27197,10 +27197,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1105"
+ "TA0011",
+ "TA0005",
+ "T1218",
+ "T1105"
 ],
 "title": "Import LDAP Data Interchange Format File Via Ldifde.EXE"
 },
@@ -27220,8 +27220,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1027"
+ "TA0005",
+ "T1027"
 ],
 "title": "File In Suspicious Location Encoded To Base64 Via Certutil.EXE"
 },
@@ -27241,8 +27241,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1005"
+ "TA0009",
+ "T1005"
 ],
 "title": "Esentutl Steals Browser Information"
 },
@@ -27262,8 +27262,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Suspicious VBoxDrvInst.exe Parameters"
 },
@@ -27283,10 +27283,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1127"
 ],
 "title": "Detection of PowerShell Execution via Sqlps.exe"
 },
@@ -27306,8 +27306,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Enable LM Hash Storage - ProcCreation"
 },
@@ -27327,12 +27327,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001",
- "attack.t1003.002",
- "attack.t1003.004",
- "attack.t1003.005",
- "attack.t1003.006"
+ "TA0006",
+ "T1003.001",
+ "T1003.002",
+ "T1003.004",
+ "T1003.005",
+ "T1003.006"
 ],
 "title": "HackTool - Mimikatz Execution"
 },
@@ -27352,8 +27352,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1037.001"
+ "TA0003",
+ "T1037.001"
 ],
 "title": "Potential Persistence Via Logon Scripts - CommandLine"
 },
@@ -27373,8 +27373,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003"
+ "TA0006",
+ "T1003"
 ],
 "title": "Microsoft IIS Connection Strings Decryption"
 },
@@ -27394,8 +27394,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059"
+ "TA0002",
+ "T1059"
 ],
 "title": "Fsutil Behavior Set SymlinkEvaluation"
 },
@@ -27415,9 +27415,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218.011"
+ "TA0005",
+ "TA0002",
+ "T1218.011"
 ],
 "title": "Shell32 DLL Execution in Suspicious Directory"
 },
@@ -27437,8 +27437,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033"
+ "TA0007",
+ "T1033"
 ],
 "title": "Computer Discovery And Export Via Get-ADComputer Cmdlet"
 },
@@ -27458,9 +27458,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1134.001",
- "attack.t1134.002"
+ "TA0004",
+ "T1134.001",
+ "T1134.002"
 ],
 "title": "Potential Meterpreter/CobaltStrike Activity"
 },
@@ -27480,10 +27480,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070",
- "attack.persistence",
- "attack.t1542.003"
+ "TA0005",
+ "T1070",
+ "TA0003",
+ "T1542.003"
 ],
 "title": "Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE"
 },
@@ -27503,11 +27503,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence",
- "attack.t1197",
+ "TA0005",
+ "TA0003",
+ "T1197",
 "attack.s0190",
- "attack.t1036.003"
+ "T1036.003"
 ],
 "title": "File Download Via Bitsadmin To A Suspicious Target Folder"
 },
@@ -27528,8 +27528,8 @@
 ],
 "tags": [
 "cve.2022-41120",
- "attack.t1068",
- "attack.privilege-escalation"
+ "T1068",
+ "TA0004"
 ],
 "title": "HackTool - SysmonEOP Execution"
 },
@@ -27549,8 +27549,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1202"
+ "TA0005",
+ "T1202"
 ],
 "title": "Suspicious Service Binary Directory"
 },
@@ -27570,8 +27570,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Taskkill Symantec Endpoint Protection"
 },
@@ -27591,8 +27591,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033"
+ "TA0007",
+ "T1033"
 ],
 "title": "User Discovery And Export Via Get-ADUser Cmdlet"
 },
@@ -27612,8 +27612,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1563.002"
+ "TA0008",
+ "T1563.002"
 ],
 "title": "Potential MSTSC Shadowing Activity"
 },
@@ -27633,8 +27633,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.003"
+ "TA0006",
+ "T1003.003"
 ],
 "title": "Suspicious Process Patterns NTDS.DIT Exfil"
 },
@@ -27654,8 +27654,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1071.001"
+ "TA0011",
+ "T1071.001"
 ],
 "title": "Visual Studio Code Tunnel Shell Execution"
 },
@@ -27675,8 +27675,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218"
+ "TA0005",
+ "T1218"
 ],
 "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution"
 },
@@ -27696,8 +27696,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.001"
+ "TA0003",
+ "T1546.001"
 ],
 "title": "Change Default File Association Via Assoc"
 },
@@ -27717,8 +27717,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574"
+ "TA0005",
+ "T1574"
 ],
 "title": "DLL Execution Via Register-cimprovider.exe"
 },
@@ -27738,7 +27738,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "File Encryption Using Gpg4win"
 },
@@ -27758,8 +27758,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1127"
+ "TA0005",
+ "T1127"
 ],
 "title": "C# IL Code Compilation Via Ilasm.EXE"
 },
@@ -27779,8 +27779,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Powershell Defender Exclusion"
 },
@@ -27800,8 +27800,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.lateral-movement"
+ "TA0005",
+ "TA0008"
 ],
 "title": "HackTool - Wmiexec Default Powershell Command"
 },
@@ -27821,8 +27821,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1033"
+ "TA0007",
+ "T1033"
 ],
 "title": "Group Membership Reconnaissance Via Whoami.EXE"
 },
@@ -27842,9 +27842,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218"
+ "TA0005",
+ "TA0002",
+ "T1218"
 ],
 "title": "Arbitrary File Download Via MSPUB.EXE"
 },
@@ -27862,8 +27862,8 @@
 "service": "smbclient-security",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.t1110.001"
+ "TA0006",
+ "T1110.001"
 ],
 "title": "Suspicious Rejected SMB Guest Logon From IP"
 },
@@ -27882,8 +27882,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Windows Defender Firewall Has Been Reset To Its Default Configuration"
 },
@@ -27902,8 +27902,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "All Rules Have Been Deleted From The Windows Firewall Configuration"
 },
@@ -27921,8 +27921,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "The Windows Defender Firewall Service Failed To Load Group Policy"
 },
@@ -27942,8 +27942,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE"
 },
@@ -27963,8 +27963,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application"
 },
@@ -27983,8 +27983,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "A Rule Has Been Deleted From The Windows Firewall Exception List"
 },
@@ -28004,8 +28004,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Uncommon New Firewall Rule Added In Windows Firewall Exception List"
 },
@@ -28027,8 +28027,8 @@
 "service": "firewall-as",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Windows Firewall Settings Have Been Changed"
 },
@@ -28057,8 +28057,8 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.t1486",
- "attack.impact"
+ "T1486",
+ "TA0040"
 ],
 "title": "Antivirus Ransomware Detection"
 },
@@ -28087,10 +28087,10 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0002",
+ "T1203",
+ "TA0011",
+ "T1219.002"
 ],
 "title": "Antivirus Exploitation Framework Detection"
 },
@@ -28119,8 +28119,8 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.resource-development",
- "attack.t1588"
+ "TA0042",
+ "T1588"
 ],
 "title": "Antivirus Relevant File Paths Alerts"
 },
@@ -28149,11 +28149,11 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.t1003",
- "attack.t1558",
- "attack.t1003.001",
- "attack.t1003.002"
+ "TA0006",
+ "T1003",
+ "T1558",
+ "T1003.001",
+ "T1003.002"
 ],
 "title": "Antivirus Password Dumper Detection"
 },
@@ -28182,8 +28182,8 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1505.003"
+ "TA0003",
+ "T1505.003"
 ],
 "title": "Antivirus Web Shell Detection"
 },
@@ -28212,8 +28212,8 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1204"
+ "TA0002",
+ "T1204"
 ],
 "title": "Antivirus Hacktool Detection"
 },
@@ -28232,7 +28232,7 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.execution"
+ "TA0002"
 ],
 "title": "MSI Installation From Suspicious Locations"
 },
@@ -28250,8 +28250,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.command-and-control",
- "attack.t1219.002"
+ "TA0011",
+ "T1219.002"
 ],
 "title": "Atera Agent Installation"
 },
@@ -28270,9 +28270,9 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.t1218.007"
+ "TA0005",
+ "T1218",
+ "T1218.007"
 ],
 "title": "MSI Installation From Web"
 },
@@ -28291,8 +28291,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1489"
+ "TA0040",
+ "T1489"
 ],
 "title": "Application Uninstalled"
 },
@@ -28310,8 +28310,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.004"
+ "TA0005",
+ "T1070.004"
 ],
 "title": "Backup Catalog Deleted"
 },
@@ -28333,8 +28333,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1072"
+ "TA0005",
+ "T1072"
 ],
 "title": "Restricted Software Access By SRP"
 },
@@ -28352,8 +28352,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1110" + "TA0006", + "T1110" ], "title": "MSSQL Server Failed Logon From External Network" }, @@ -28371,8 +28371,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1110" + "TA0006", + "T1110" ], "title": "MSSQL Server Failed Logon" }, @@ -28390,7 +28390,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "MSSQL XPCmdshell Option Change" }, @@ -28408,7 +28408,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "MSSQL SPProcoption Set" }, @@ -28426,9 +28426,9 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.impact", - "attack.t1485" + "TA0010", + "TA0040", + "T1485" ], "title": "MSSQL Destructive Query" }, @@ -28446,7 +28446,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "MSSQL Add Account To Sysadmin Role" }, @@ -28464,7 +28464,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "MSSQL XPCmdshell Suspicious Execution" }, @@ -28482,7 +28482,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "MSSQL Disable Audit Settings" }, @@ -28500,7 +28500,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "Dump Ntds.dit To Suspicious Location" }, @@ -28521,8 +28521,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.003" + "TA0006", + "T1003.003" ], "title": "Ntdsutil Abuse" }, 
@@ -28540,8 +28540,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Remote Access Tool - ScreenConnect File Transfer" }, @@ -28559,8 +28559,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Remote Access Tool - ScreenConnect Command Execution" }, @@ -28578,18 +28578,18 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1203", - "attack.privilege-escalation", - "attack.t1068", - "attack.defense-evasion", - "attack.t1211", - "attack.credential-access", - "attack.t1212", - "attack.lateral-movement", - "attack.t1210", - "attack.impact", - "attack.t1499.004" + "TA0002", + "T1203", + "TA0004", + "T1068", + "TA0005", + "T1211", + "TA0006", + "T1212", + "TA0008", + "T1210", + "TA0040", + "T1499.004" ], "title": "Audit CVE Event" }, @@ -28605,8 +28605,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.resource-development", - "attack.t1588" + "TA0042", + "T1588" ], "title": "Relevant Anti-Virus Signature Keywords In Application Log" }, @@ -28624,8 +28624,8 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "Potential Credential Dumping Via WER - Application" }, @@ -28643,9 +28643,9 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1211", - "attack.t1562.001" + "TA0005", + "T1211", + "T1562.001" ], "title": "Microsoft Malware Protection Engine Crash" }, @@ -28665,8 +28665,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.009" + "TA0005", + "T1218.009" ], "title": "RegAsm.EXE Initiating Network Connection To Public IP" }, 
@@ -28686,8 +28686,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.command-and-control" + "TA0005", + "TA0011" ], "title": "Office Application Initiated Network Connection Over Uncommon Ports" }, @@ -28707,10 +28707,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.command-and-control", - "attack.t1218.011" + "TA0005", + "TA0002", + "TA0011", + "T1218.011" ], "title": "Outbound Network Connection To Public IP Via Winlogon" }, @@ -28730,9 +28730,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1127.001" + "TA0002", + "TA0005", + "T1127.001" ], "title": "Silenttrinity Stager Msbuild Activity" }, @@ -28752,8 +28752,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder" }, @@ -28773,8 +28773,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.command-and-control" + "TA0005", + "TA0011" ], "title": "Suspicious Wordpad Outbound Connections" }, @@ -28794,8 +28794,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Network Connection Initiated By AddinUtil.EXE" }, @@ -28815,8 +28815,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.003" + "TA0005", + "T1218.003" ], "title": "Outbound Network Connection Initiated By Cmstp.EXE" }, @@ -28836,9 +28836,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011", - "attack.execution" + "TA0005", + "T1218.011", + "TA0002" ], "title": "Rundll32 Internet Connection" }, 
@@ -28858,8 +28858,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location" }, @@ -28879,9 +28879,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.command-and-control", - "attack.t1571" + "TA0003", + "TA0011", + "T1571" ], "title": "Potentially Suspicious Malware Callback Communication" }, @@ -28901,8 +28901,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087" + "TA0007", + "T1087" ], "title": "Uncommon Connection to Active Directory Web Services" }, @@ -28922,8 +28922,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1046" + "TA0007", + "T1046" ], "title": "Python Initiated Connection" }, @@ -28943,10 +28943,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1572", - "attack.lateral-movement", - "attack.t1021.001", + "TA0011", + "T1572", + "TA0008", + "T1021.001", "car.2013-07-002" ], "title": "RDP to HTTP or HTTPS Target Ports" @@ -28967,8 +28967,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203" + "TA0002", + "T1203" ], "title": "Office Application Initiated Network Connection To Non-Local IP" }, @@ -28988,10 +28988,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1572", - "attack.lateral-movement", - "attack.t1021.001", + "TA0011", + "T1572", + "TA0008", + "T1021.001", "car.2013-07-002" ], "title": "RDP Over Reverse SSH Tunnel" @@ -29012,8 +29012,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Uncommon Network Connection Initiated By Certutil.EXE" }, 
@@ -29033,8 +29033,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1048.003" + "TA0010", + "T1048.003" ], "title": "Suspicious Outbound SMTP Connections" }, @@ -29054,10 +29054,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1559.001", - "attack.defense-evasion", - "attack.t1218.010" + "TA0002", + "T1559.001", + "TA0005", + "T1218.010" ], "title": "Network Connection Initiated By Regsvr32.EXE" }, @@ -29077,8 +29077,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Local Network Connection Initiated By Script Interpreter" }, @@ -29098,8 +29098,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Outbound Network Connection Initiated By Script Interpreter" }, @@ -29119,9 +29119,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.command-and-control", - "attack.t1219.002" + "TA0003", + "TA0011", + "T1219.002" ], "title": "Remote Access Tool - AnyDesk Incoming Connection" }, @@ -29141,8 +29141,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.001", + "TA0008", + "T1021.001", "car.2013-07-002" ], "title": "Outbound RDP Connections Over Non-Standard Tools" @@ -29163,9 +29163,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.command-and-control", - "attack.t1071.001" + "TA0002", + "TA0011", + "T1071.001" ], "title": "Outbound Network Connection Initiated By Microsoft Dialer" }, @@ -29185,10 +29185,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558", - "attack.lateral-movement", - "attack.t1550.003" + "TA0006", + "T1558", + "TA0008", + "T1550.003" ], "title": "Uncommon Outbound Kerberos Connection" }, 
@@ -29208,9 +29208,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.command-and-control", - "attack.t1571" + "TA0003", + "TA0011", + "T1571" ], "title": "Communication To Uncommon Destination Ports" }, @@ -29230,8 +29230,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203" + "TA0002", + "T1203" ], "title": "Network Connection Initiated By Eqnedt32.EXE" }, @@ -29251,8 +29251,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Network Connection Initiated By IMEWDBLD.EXE" }, @@ -29272,10 +29272,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1055", - "attack.t1218", - "attack.execution", - "attack.defense-evasion" + "T1055", + "T1218", + "TA0002", + "TA0005" ], "title": "Microsoft Sync Center Suspicious Network Connections" }, @@ -29295,10 +29295,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.execution", - "attack.defense-evasion", - "attack.t1055" + "TA0011", + "TA0002", + "TA0005", + "T1055" ], "title": "Network Connection Initiated Via Notepad.EXE" }, @@ -29318,8 +29318,8 @@ "service": "driver-framework", "subcategory_guids": [], "tags": [ - "attack.initial-access", - "attack.t1200" + "TA0001", + "T1200" ], "title": "USB Device Plugged" }, @@ -29337,8 +29337,8 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1053.005" + "TA0003", + "T1053.005" ], "title": "Scheduled Task Executed Uncommon LOLBIN" }, @@ -29356,8 +29356,8 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1053.005" + "TA0003", + "T1053.005" ], "title": "Scheduled Task Executed From A Suspicious Location" }, 
@@ -29375,8 +29375,8 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1489" + "TA0040", + "T1489" ], "title": "Important Scheduled Task Deleted" }, @@ -29394,8 +29394,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", + "TA0002", + "T1059.001", "detection.threat-hunting" ], "title": "Uncommon PowerShell Hosts" @@ -29414,8 +29414,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", + "TA0002", + "T1059.001", "detection.threat-hunting" ], "title": "bXOR Operator Usage In PowerShell Command Line - PowerShell Classic" @@ -29435,8 +29435,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1048.003", + "TA0010", + "T1048.003", "detection.threat-hunting" ], "title": "Potential Data Exfiltration Over SMTP Via Send-MailMessage Cmdlet" @@ -29456,8 +29456,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1570", + "TA0008", + "T1570", "detection.threat-hunting" ], "title": "SMB over QUIC Via PowerShell Script" @@ -29477,9 +29477,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106", + "TA0002", + "T1059.001", + "T1106", "detection.threat-hunting" ], "title": "WinAPI Function Calls Via PowerShell Scripts" @@ -29499,9 +29499,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.t1106", + "TA0002", + "T1059.001", + "T1106", "detection.threat-hunting" ], "title": "WinAPI Library Calls Via PowerShell Scripts" @@ -29521,8 +29521,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.008", + "TA0005", + "T1070.008", "detection.threat-hunting" ], "title": "Windows Mail App Mailbox Access Via PowerShell Script" 
@@ -29542,9 +29542,9 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1012", - "attack.t1007", + "TA0007", + "T1012", + "T1007", "detection.threat-hunting" ], "title": "Potential Registry Reconnaissance Via PowerShell Script" @@ -29564,8 +29564,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1560", + "TA0010", + "T1560", "detection.threat-hunting" ], "title": "Compress-Archive Cmdlet Execution" @@ -29585,8 +29585,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.004", + "TA0005", + "T1070.004", "detection.threat-hunting" ], "title": "Use Of Remove-Item to Delete File - ScriptBlock" @@ -29606,8 +29606,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.004", + "TA0005", + "T1562.004", "detection.threat-hunting" ], "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet - ScriptBlock" @@ -29628,9 +29628,9 @@ "subcategory_guids": [], "tags": [ "detection.threat-hunting", - "attack.discovery", - "attack.t1518.001", - "attack.t1016" + "TA0007", + "T1518.001", + "T1016" ], "title": "Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet" }, @@ -29650,8 +29650,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", + "TA0002", + "T1059.001", "detection.threat-hunting" ], "title": "Unusually Long PowerShell CommandLine" @@ -29672,8 +29672,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1489", + "TA0040", + "T1489", "detection.threat-hunting" ], "title": "Process Terminated Via Taskkill" @@ -29694,10 +29694,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.execution", - "attack.t1059", + "TA0004", + "TA0005", + "TA0002", + "T1059", "detection.threat-hunting" ], "title": "Elevated System Shell Spawned" 
@@ -29718,8 +29718,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1222.001", + "TA0005", + "T1222.001", "detection.threat-hunting" ], "title": "File or Folder Permissions Modifications" @@ -29740,8 +29740,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", + "TA0011", + "T1105", "detection.threat-hunting" ], "title": "Curl.EXE Execution" @@ -29762,7 +29762,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.threat-hunting" ], "title": "Remote Access Tool - ScreenConnect Remote Command Execution - Hunting" @@ -29783,8 +29783,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011", + "TA0005", + "T1218.011", "detection.threat-hunting" ], "title": "DLL Call by Ordinal Via Rundll32.EXE" @@ -29805,9 +29805,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1059.001", - "attack.t1027.010", + "TA0005", + "T1059.001", + "T1027.010", "detection.threat-hunting" ], "title": "Invocation Of Crypto-Classes From The \"Cryptography\" PowerShell Namespace" @@ -29828,8 +29828,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", + "TA0005", + "T1218", "detection.threat-hunting" ], "title": "Potential Proxy Execution Via Explorer.EXE From Shell Process" @@ -29850,8 +29850,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1552", - "attack.credential-access", + "T1552", + "TA0006", "detection.threat-hunting" ], "title": "EventLog Query Requests By Builtin Utilities" @@ -29872,8 +29872,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", + "TA0005", + "T1027", "detection.threat-hunting" ], "title": "Potential Suspicious Execution From GUID Like Folder Names" 
@@ -29894,8 +29894,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", + "TA0005", + "T1027", "detection.threat-hunting" ], "title": "Potential CommandLine Obfuscation Using Unicode Characters" @@ -29916,8 +29916,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", + "TA0005", + "T1218", "detection.threat-hunting" ], "title": "Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly" @@ -29938,8 +29938,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082", + "TA0007", + "T1082", "detection.threat-hunting" ], "title": "CMD Shell Output Redirect" @@ -29960,8 +29960,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1053.005", + "TA0002", + "T1053.005", "detection.threat-hunting" ], "title": "Scheduled Task Creation From Potential Suspicious Parent Location" @@ -29982,7 +29982,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.threat-hunting" ], "title": "Import New Module Via PowerShell CommandLine" @@ -30003,8 +30003,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", + "TA0002", + "TA0003", "detection.threat-hunting" ], "title": "Remote Access Tool - Ammy Admin Agent Execution" @@ -30025,10 +30025,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1127", - "attack.t1218", + "TA0005", + "TA0002", + "T1127", + "T1218", "detection.threat-hunting" ], "title": "Microsoft Workflow Compiler Execution" @@ -30049,8 +30049,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", + "TA0005", + "T1036", "detection.threat-hunting" ], "title": "CodePage Modification Via MODE.COM" 
@@ -30071,8 +30071,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", + "TA0002", + "TA0005", "detection.threat-hunting" ], "title": "Potential File Override/Append Via SET Command" @@ -30093,8 +30093,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", + "TA0002", + "TA0005", "detection.threat-hunting" ], "title": "Suspicious New Instance Of An Office COM Object" @@ -30115,8 +30115,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1570", + "TA0008", + "T1570", "detection.threat-hunting" ], "title": "SMB over QUIC Via Net.EXE" @@ -30137,7 +30137,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.threat-hunting" ], "title": "Cab File Extraction Via Wusa.EXE" @@ -30158,11 +30158,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.command-and-control", - "attack.t1041", - "attack.t1572", - "attack.t1071.001", + "TA0010", + "TA0011", + "T1041", + "T1572", + "T1071.001", "detection.threat-hunting" ], "title": "Tunneling Tool Execution" @@ -30183,9 +30183,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1567", - "attack.t1105", + "TA0010", + "T1567", + "T1105", "detection.threat-hunting" ], "title": "Potential Data Exfiltration Via Curl.EXE" @@ -30206,8 +30206,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", + "TA0005", + "T1218", "detection.threat-hunting" ], "title": "New Self Extracting Package Created Via IExpress.EXE" @@ -30228,8 +30228,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1552.001", + "TA0006", + "T1552.001", "detection.threat-hunting" ], "title": "Potential Password Reconnaissance Via Findstr.EXE" 
@@ -30250,10 +30250,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218", - "attack.t1202", + "TA0002", + "TA0005", + "T1218", + "T1202", "detection.threat-hunting" ], "title": "Arbitrary Command Execution Using WSL" @@ -30274,8 +30274,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001", + "TA0005", + "T1564.001", "detection.threat-hunting" ], "title": "Set Files as System Files Using Attrib.EXE" @@ -30296,9 +30296,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.execution", + "TA0005", + "T1218", + "TA0002", "detection.threat-hunting" ], "title": "Diskshadow Child Process Spawned" @@ -30319,18 +30319,18 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1007", - "attack.t1049", - "attack.t1018", - "attack.t1135", - "attack.t1201", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1087.001", - "attack.t1087.002", - "attack.lateral-movement", - "attack.t1021.002", + "TA0007", + "T1007", + "T1049", + "T1018", + "T1135", + "T1201", + "T1069.001", + "T1069.002", + "T1087.001", + "T1087.002", + "TA0008", + "T1021.002", "attack.s0039", "detection.threat-hunting" ], @@ -30352,8 +30352,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", + "TA0011", + "T1105", "detection.threat-hunting" ], "title": "File Download Via Curl.EXE" @@ -30374,8 +30374,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1560.001", + "TA0009", + "T1560.001", "detection.threat-hunting" ], "title": "Password Protected Compressed File Extraction Via 7Zip" 
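Review bot: In the hunk at `@@ -30319` the tactic and technique tags are rewritten to bare identifiers (`TA0007`, `T1021.002`) while `attack.s0039` on the following context line keeps the old `attack.` namespace, so one `tags` array now mixes `TA…`/`T…`, `attack.s…`, `car.…` and `detection.…` conventions (the same pattern appears with `attack.s0111` and `attack.g0069` in later hunks). Any consumer that selected ATT&CK tags by the `attack.` prefix or the lowercase `t1…` form will, after this change, see only the software/group tags — whether such a consumer exists is inferred from the change rather than visible here. Because the file is bot-generated, the fix belongs in the generator: either map `attack.sNNNN`/`attack.gNNNN` to `SNNNN`/`GNNNN` for a uniform scheme, or keep the `attack.` prefix on all ATT&CK entries and document the accepted tag forms in the generator. A one-line schema note in the repository README such as `tags: ATT&CK tactic/technique IDs (TA0002, T1059.001), ATT&CK software/group (attack.sNNNN, attack.gNNNN), CAR analytics (car.YYYY-MM-NNN), detection.threat-hunting` would make the mixed namespace explicit to consumers.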
@@ -30396,9 +30396,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.execution", + "TA0005", + "T1218", + "TA0002", "detection.threat-hunting" ], "title": "Diskshadow Script Mode Execution" @@ -30419,8 +30419,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1505.003", + "TA0003", + "T1505.003", "detection.threat-hunting" ], "title": "Execution From Webserver Root Folder" @@ -30441,8 +30441,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1219.002", + "TA0011", + "T1219.002", "detection.threat-hunting" ], "title": "Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" @@ -30463,9 +30463,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007", + "TA0002", + "T1059.005", + "T1059.007", "detection.threat-hunting" ], "title": "WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript" @@ -30486,8 +30486,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027.004", + "TA0005", + "T1027.004", "detection.threat-hunting" ], "title": "Dynamic .NET Compilation Via Csc.EXE - Hunting" @@ -30508,9 +30508,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.lateral-movement", - "attack.t1105", + "TA0002", + "TA0008", + "T1105", "detection.threat-hunting" ], "title": "Process Execution From WebDAV Share" @@ -30531,8 +30531,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071.001", + "TA0011", + "T1071.001", "detection.threat-hunting" ], "title": "Curl.EXE Execution With Custom UserAgent" @@ -30553,8 +30553,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1007", + "TA0007", + "T1007", "detection.threat-hunting" ], "title": "SC.EXE Query Execution" 
@@ -30575,8 +30575,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1057", + "TA0007", + "T1057", "detection.threat-hunting" ], "title": "Suspicious Tasklist Discovery Command" @@ -30597,8 +30597,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", + "TA0002", + "T1059.001", "detection.threat-hunting" ], "title": "Potentially Suspicious PowerShell Child Processes" @@ -30619,8 +30619,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059", + "TA0002", + "T1059", "detection.threat-hunting" ], "title": "Manual Execution of Script Inside of a Compressed File" @@ -30641,7 +30641,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1562.004", + "T1562.004", "detection.threat-hunting" ], "title": "New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet" @@ -30662,8 +30662,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", + "TA0002", + "TA0005", "detection.threat-hunting" ], "title": "ClickOnce Deployment Execution - Dfsvc.EXE Child Process" @@ -30684,8 +30684,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", + "TA0005", + "T1218", "detection.threat-hunting" ], "title": "Potential DLL Sideloading Activity Via ExtExport.EXE" @@ -30706,8 +30706,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", + "TA0005", + "T1218", "detection.threat-hunting" ], "title": "Rundll32.EXE Calling DllRegisterServer Export Function Explicitly" @@ -30728,8 +30728,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1082", + "TA0007", + "T1082", "detection.threat-hunting" ], "title": "System Information Discovery Via Wmic.EXE" 
@@ -30749,8 +30749,8 @@ "service": "firewall-as", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.004", + "TA0005", + "T1562.004", "detection.threat-hunting" ], "title": "Firewall Rule Modified In The Windows Firewall Exception List" @@ -30771,8 +30771,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203", + "TA0002", + "T1203", "detection.threat-hunting" ], "title": "Dfsvc.EXE Network Connection To Non-Local IPs" @@ -30793,8 +30793,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", + "TA0002", + "T1059.001", "detection.threat-hunting" ], "title": "Network Connection Initiated By PowerShell Process" @@ -30815,8 +30815,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", + "TA0011", + "T1105", "detection.threat-hunting" ], "title": "Network Connection Initiated From Users\\Public Folder" @@ -30837,8 +30837,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.007", + "TA0005", + "T1218.007", "detection.threat-hunting" ], "title": "Msiexec.EXE Initiated Network Connection Over HTTP" @@ -30859,8 +30859,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1203", + "TA0002", + "T1203", "detection.threat-hunting" ], "title": "Dfsvc.EXE Initiated Network Connection Over Uncommon Port" @@ -30881,10 +30881,10 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.execution", - "attack.t1559.001", + "TA0005", + "T1218", + "TA0002", + "T1559.001", "detection.threat-hunting" ], "title": "Dllhost.EXE Initiated Network Connection To Non-Local IP Address" 
@@ -30905,8 +30905,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.001", + "TA0005", + "T1218.001", "detection.threat-hunting" ], "title": "HH.EXE Initiated HTTP Network Connection" @@ -30927,11 +30927,11 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.privilege-escalation", + "TA0002", + "TA0003", + "TA0004", "attack.s0111", - "attack.t1053.005", + "T1053.005", "car.2013-08-001", "detection.threat-hunting" ], @@ -30954,7 +30954,7 @@ ], "tags": [ "detection.threat-hunting", - "attack.execution" + "TA0002" ], "title": "Command Executed Via Run Dialog Box - Registry" }, @@ -30974,8 +30974,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", + "TA0005", + "T1112", "detection.threat-hunting" ], "title": "Service Binary in User Controlled Folder" @@ -30996,8 +30996,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", + "TA0005", + "T1112", "detection.threat-hunting" ], "title": "Microsoft Office Trusted Location Updated" @@ -31018,10 +31018,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1059.001", - "attack.t1027.010", - "attack.t1547.001", + "TA0005", + "T1059.001", + "T1027.010", + "T1547.001", "detection.threat-hunting" ], "title": "Registry Set With Crypto-Classes From The \"Cryptography\" PowerShell Namespace" @@ -31042,7 +31042,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", + "TA0003", "detection.threat-hunting" ], "title": "Shell Context Menu Command Tampering" @@ -31064,10 +31064,10 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", + "TA0002", + "TA0004", "car.2013-08-001", - "attack.t1053.005", + "T1053.005", "detection.threat-hunting" ], "title": "Scheduled Task Deletion" 
@@ -31091,8 +31091,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555.003", + "TA0006", + "T1555.003", "detection.threat-hunting" ], "title": "Access To Browser Credential Files By Uncommon Applications - Security" @@ -31113,11 +31113,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.privilege-escalation", + "TA0008", + "TA0004", "detection.threat-hunting", - "attack.persistence", - "attack.t1546.003" + "TA0003", + "T1546.003" ], "title": "Potential Remote WMI ActiveScriptEventConsumers Activity" }, @@ -31135,8 +31135,8 @@ "service": "openssh", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1021.004" + "TA0008", + "T1021.004" ], "title": "OpenSSH Server Listening On Socket" }, @@ -31154,8 +31154,8 @@ "service": "terminalservices-localsessionmanager", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1090" + "TA0011", + "T1090" ], "title": "Ngrok Usage with Remote Desktop Service" }, @@ -31175,9 +31175,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218.003", + "TA0005", + "TA0002", + "T1218.003", "attack.g0069", "car.2019-04-001" ], @@ -31199,8 +31199,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1137.002" + "TA0003", + "T1137.002" ], "title": "Office Application Startup - Office Test" }, @@ -31222,9 +31222,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1112" + "TA0003", + "TA0002", + "T1112" ], "title": "Registry Entries For Azorult Malware" }, @@ -31244,8 +31244,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "Esentutl Volume Shadow Copy Service Keys" }, 
@@ -31265,8 +31265,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Narrator's Feedback-Hub Persistence" }, @@ -31286,8 +31286,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.009" + "TA0003", + "T1546.009" ], "title": "New DLL Added to AppCertDlls Registry Key" }, @@ -31307,10 +31307,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.defense-evasion", - "attack.command-and-control", - "attack.t1090" + "TA0008", + "TA0005", + "TA0011", + "T1090" ], "title": "New PortProxy Registry Entry Added" }, @@ -31330,8 +31330,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.t1566.001" + "TA0001", + "T1566.001" ], "title": "Windows Registry Trust Record Modification" }, @@ -31351,8 +31351,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547" + "TA0003", + "T1547" ], "title": "WINEKEY Registry Modification" }, @@ -31372,8 +31372,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "Potential Credential Dumping Via LSASS SilentProcessExit Technique" }, @@ -31393,8 +31393,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Run Once Task Configuration in Registry" }, @@ -31414,8 +31414,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Suspicious Run Key from Download" }, @@ -31435,9 +31435,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1125", - "attack.t1123" + "TA0009", + "T1125", + "T1123" ], "title": "Suspicious Camera and Microphone Access" }, 
@@ -31457,8 +31457,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Pandemic Registry Key" }, @@ -31478,9 +31478,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Via Wsreset" }, @@ -31500,8 +31500,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.005" + "TA0003", + "T1547.005" ], "title": "Security Support Provider (SSP) Added to LSA Configuration" }, @@ -31521,10 +31521,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002", - "attack.t1546.001" + "TA0005", + "TA0004", + "T1548.002", + "T1546.001" ], "title": "Shell Open Registry Keys Manipulation" }, @@ -31544,8 +31544,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "RedMimicry Winnti Playbook Registry Manipulation" }, @@ -31565,8 +31565,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Potential Qakbot Registry Activity" }, @@ -31586,9 +31586,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001", - "attack.t1112" + "TA0005", + "T1562.001", + "T1112" ], "title": "NetNTLM Downgrade Attack - Registry" }, @@ -31608,9 +31608,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002", - "attack.t1112", + "TA0005", + "T1562.002", + "T1112", "car.2022-03-001" ], "title": "Disable Security Events Logging Adding Reg Key MiniNt" 
@@ -31631,8 +31631,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback" }, @@ -31652,8 +31652,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204", + "TA0002", + "T1204", "cve.2021-1675", "cve.2021-34527" ], @@ -31675,8 +31675,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1136.001" + "TA0003", + "T1136.001" ], "title": "Creation of a Local Hidden User Account by Registry" }, @@ -31696,9 +31696,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1546.002" + "TA0003", + "TA0004", + "T1546.002" ], "title": "Path To Screensaver Binary Modified" }, @@ -31718,8 +31718,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.resource-development", - "attack.t1608" + "TA0042", + "T1608" ], "title": "HybridConnectionManager Service Installation - Registry" }, @@ -31739,8 +31739,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547" + "TA0003", + "T1547" ], "title": "Registry Persistence Mechanisms in Recycle Bin" }, @@ -31760,9 +31760,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.persistence", - "attack.t1547.008" + "TA0002", + "TA0003", + "T1547.008" ], "title": "DLL Load via LSASS" }, @@ -31782,8 +31782,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.010" + "TA0003", + "T1546.010" ], "title": "New DLL Added to AppInit_DLLs Registry Key" }, @@ -31803,8 +31803,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Threat Severity Default Action Modified" }, 
@@ -31824,10 +31824,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.persistence", - "attack.t1547" + "TA0005", + "T1218", + "TA0003", + "T1547" ], "title": "Atbroker Registry Change" }, @@ -31847,8 +31847,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001", + "TA0006", + "T1003.001", "attack.s0005" ], "title": "Windows Credential Editor Registry" @@ -31869,8 +31869,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Wdigest CredGuard Registry Modification" }, @@ -31890,9 +31890,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.persistence", - "attack.t1546.008", + "TA0004", + "TA0003", + "T1546.008", "car.2014-11-003", "car.2014-11-008" ], @@ -31914,8 +31914,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Microsoft Office Protected View Disabled" }, @@ -31935,8 +31935,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable Privacy Settings Experience in Registry" }, @@ -31956,9 +31956,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1112" + "TA0005", + "TA0003", + "T1112" ], "title": "RDP Sensitive Settings Changed to Zero" }, @@ -31978,7 +31978,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "New ODBC Driver Registered" }, @@ -31998,7 +31998,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via MyComputer Registry Keys" }, 
@@ -32018,8 +32018,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1137" + "TA0003", + "T1137" ], "title": "Registry Modification to Hidden File Extension" }, @@ -32039,8 +32039,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Service Disabled - Registry" }, @@ -32060,8 +32060,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.004" + "TA0005", + "T1562.004" ], "title": "Disable Windows Firewall by Registry" }, @@ -32081,8 +32081,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Sysmon Driver Altitude Change" }, @@ -32102,7 +32102,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols" }, @@ -32122,9 +32122,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002", + "TA0005", + "TA0004", + "T1548.002", "car.2019-04-001" ], "title": "UAC Bypass via Event Viewer" @@ -32145,7 +32145,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via Mpnotify" }, @@ -32165,8 +32165,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "CurrentVersion NT Autorun Keys Modification" }, @@ -32186,8 +32186,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Hypervisor Enforced Code Integrity Disabled" }, 
@@ -32207,8 +32207,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.001" + "TA0002", + "T1204.001" ], "title": "Potential ClickFix Execution Pattern - Registry" }, @@ -32228,8 +32228,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Classes Autorun Keys Modification" }, @@ -32249,9 +32249,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1548.002" + "TA0004", + "TA0005", + "T1548.002" ], "title": "Bypass UAC Using SilentCleanup Task" }, @@ -32271,8 +32271,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1491.001" + "TA0040", + "T1491.001" ], "title": "Potential Ransomware Activity Using LegalNotice Message" }, @@ -32292,8 +32292,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.011" + "TA0003", + "T1546.011" ], "title": "Potential Persistence Via Shim Database In Uncommon Location" }, @@ -32313,7 +32313,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Disable Macro Runtime Scan Scope" }, @@ -32333,8 +32333,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "Potential PSFactoryBuffer COM Hijacking" }, @@ -32354,9 +32354,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1548.002" + "TA0004", + "TA0005", + "T1548.002" ], "title": "UAC Notification Disabled" }, @@ -32376,8 +32376,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.resource-development", - "attack.t1588.002" + "TA0042", + "T1588.002" ], "title": "Usage of Renamed Sysinternals Tools - RegistrySet" }, 
@@ -32397,7 +32397,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via TypedPaths" }, @@ -32417,8 +32417,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1137.006" + "TA0003", + "T1137.006" ], "title": "Potential Persistence Via Excel Add-in - Registry" }, @@ -32438,8 +32438,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Change User Account Associated with the FAX Service" }, @@ -32459,7 +32459,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution" + "TA0002" ], "title": "PowerShell Script Execution Policy Enabled" }, @@ -32479,9 +32479,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", - "attack.t1562" + "TA0005", + "T1112", + "T1562" ], "title": "ETW Logging Disabled In .NET Processes - Sysmon Registry" }, @@ -32501,8 +32501,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Uncommon Extension In Keyboard Layout IME File Registry Value" }, @@ -32522,7 +32522,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Attachment Manager Settings Attachments Tamper" }, @@ -32542,8 +32542,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1053.005" + "TA0003", + "T1053.005" ], "title": "Potential Registry Persistence Attempt Via Windows Telemetry" }, @@ -32563,8 +32563,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "COM Hijacking via TreatAs" }, 
@@ -32584,9 +32584,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", - "attack.t1562" + "TA0005", + "T1112", + "T1562" ], "title": "ETW Logging Disabled For SCM" }, @@ -32606,8 +32606,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "CurrentControlSet Autorun Keys Modification" }, @@ -32627,8 +32627,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Lolbas OneDriveStandaloneUpdater.exe Proxy Download" }, @@ -32648,8 +32648,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "CurrentVersion Autorun Keys Modification" }, @@ -32669,11 +32669,11 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.command-and-control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "TA0003", + "TA0011", + "T1137", + "T1008", + "T1546" ], "title": "Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting" }, @@ -32693,8 +32693,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1556" + "TA0003", + "T1556" ], "title": "Directory Service Restore Mode(DSRM) Registry Value Tampering" }, @@ -32714,8 +32714,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.004" + "TA0002", + "T1204.004" ], "title": "FileFix - Command Evidence in TypedPaths from Browser File Upload Abuse" }, @@ -32735,8 +32735,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1113" + "TA0009", + "T1113" ], "title": "Periodic Backup For System Registry Hives Enabled" }, 
@@ -32756,8 +32756,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Wow6432Node Classes Autorun Keys Modification" }, @@ -32777,8 +32777,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Registry Disable System Restore" }, @@ -32798,8 +32798,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Wow6432Node Windows NT CurrentVersion Autorun Keys Modification" }, @@ -32819,8 +32819,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1137.006", - "attack.persistence" + "T1137.006", + "TA0003" ], "title": "Potential Persistence Via Visual Studio Tools for Office" }, @@ -32840,8 +32840,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "New BgInfo.EXE Custom VBScript Registry Configuration" }, @@ -32861,8 +32861,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.011" + "TA0003", + "T1546.011" ], "title": "Potential Persistence Via AppCompat RegisterAppRestart Layer" }, @@ -32882,8 +32882,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence" + "TA0005", + "TA0003" ], "title": "Winget Admin Settings Modification" }, @@ -32903,8 +32903,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204.002" + "TA0002", + "T1204.002" ], "title": "New Application in AppCompat" }, @@ -32924,9 +32924,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.t1553.003" + "TA0003", + "TA0005", + "T1553.003" ], "title": "Persistence Via New SIP Provider" }, 
@@ -32946,8 +32946,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001" + "TA0005", + "T1564.001" ], "title": "Displaying Hidden Files Feature Disabled" }, @@ -32967,8 +32967,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002" + "TA0005", + "T1562.002" ], "title": "Change Winevt Channel Access Permission Via Registry" }, @@ -32988,9 +32988,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1112" + "TA0005", + "TA0003", + "T1112" ], "title": "RDP Sensitive Settings Changed" }, @@ -33010,8 +33010,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "Potential Persistence Using DebugPath" }, @@ -33031,8 +33031,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Allow RDP Remote Assistance Feature" }, @@ -33052,8 +33052,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1574" + "TA0003", + "T1574" ], "title": "Potential Registry Persistence Attempt Via DbgManagedDebugger" }, @@ -33073,8 +33073,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "NET NGenAssemblyUsageLog Registry Key Tamper" }, @@ -33094,8 +33094,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "COM Object Hijacking Via Modification Of Default System CLSID Default Value" }, @@ -33115,8 +33115,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Execution DLL of Choice Using WAB.EXE" }, 
@@ -33136,8 +33136,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable Windows Defender Functionalities Via Registry Keys" }, @@ -33157,7 +33157,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Driver Added To Disallowed Images In HVCI - Registry" }, @@ -33177,8 +33177,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "System Scripts Autorun Keys Modification" }, @@ -33198,8 +33198,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036.003" + "TA0005", + "T1036.003" ], "title": "Potential PendingFileRenameOperations Tampering" }, @@ -33219,8 +33219,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002" + "TA0005", + "T1562.002" ], "title": "Disable Windows Event Logging Via Registry" }, @@ -33240,8 +33240,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "New BgInfo.EXE Custom DB Path Registry Configuration" }, @@ -33261,8 +33261,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable PUA Protection on Windows Defender" }, @@ -33282,7 +33282,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via CHM Helper DLL" }, @@ -33302,8 +33302,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Suspicious Path In Keyboard Layout IME File Registry Value" }, 
@@ -33323,7 +33323,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Internet Explorer DisableFirstRunCustomize Enabled" }, @@ -33343,8 +33343,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.002" + "TA0005", + "T1564.002" ], "title": "Hiding User Account Via SpecialAccounts Registry Key" }, @@ -33364,8 +33364,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001" + "TA0005", + "T1564.001" ], "title": "Registry Persistence via Service in Safe Mode" }, @@ -33385,9 +33385,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", - "attack.t1562" + "TA0005", + "T1112", + "T1562" ], "title": "ETW Logging Disabled For rpcrt4.dll" }, @@ -33407,8 +33407,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "ScreenSaver Registry Key Set" }, @@ -33428,8 +33428,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Registry Persistence via Explorer Run Key" }, @@ -33449,8 +33449,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Suspicious PowerShell In Registry Run Keys" }, @@ -33470,7 +33470,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Add Debugger Entry To AeDebug For Persistence" }, @@ -33490,8 +33490,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Custom File Open Handler Executes PowerShell" }, 
@@ -33511,9 +33511,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.t1112" + "TA0003", + "TA0005", + "T1112" ], "title": "Potential Persistence Via Event Viewer Events.asp" }, @@ -33533,9 +33533,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1547.003" + "TA0003", + "TA0004", + "T1547.003" ], "title": "New TimeProviders Registered With Uncommon DLL Name" }, @@ -33555,10 +33555,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1574.012" + "TA0003", + "TA0004", + "TA0005", + "T1574.012" ], "title": "Enabling COR Profiler Environment Variables" }, @@ -33578,8 +33578,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.001" + "TA0005", + "T1564.001" ], "title": "PowerShell Logging Disabled Via Registry Key Tampering" }, @@ -33599,7 +33599,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Register New IFiltre For Persistence" }, @@ -33619,7 +33619,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via DLLPathOverride" }, @@ -33639,8 +33639,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable Tamper Protection on Windows Defender" }, @@ -33660,8 +33660,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "New BgInfo.EXE Custom WMI Query Registry Configuration" }, @@ -33681,7 +33681,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Attachment Manager Settings Associations Tamper" }, 
@@ -33701,9 +33701,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.t1112" + "TA0003", + "TA0005", + "T1112" ], "title": "Winlogon AllowMultipleTSSessions Enable" }, @@ -33723,8 +33723,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "RestrictedAdminMode Registry Value Tampering" }, @@ -33744,9 +33744,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002", + "TA0005", + "TA0004", + "T1548.002", "car.2019-04-001" ], "title": "UAC Bypass via Sdclt" @@ -33767,9 +33767,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1053", - "attack.t1053.005" + "TA0003", + "T1053", + "T1053.005" ], "title": "Scheduled TaskCache Change by Uncommon Program" }, @@ -33789,8 +33789,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Disable Windows Security Center Notifications" }, @@ -33810,8 +33810,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.010" + "TA0003", + "T1547.010" ], "title": "Add Port Monitor Persistence in Registry" }, @@ -33831,8 +33831,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.004" + "TA0003", + "T1547.004" ], "title": "Winlogon Notify Key Logon Persistence" }, @@ -33852,8 +33852,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "Lsass Full Dump Request Via DumpType Registry Settings" }, 
@@ -33873,10 +33873,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.impact", - "attack.t1112", - "attack.t1491.001" + "TA0005", + "TA0040", + "T1112", + "T1491.001" ], "title": "Potentially Suspicious Desktop Background Change Via Registry" }, @@ -33896,8 +33896,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Wow6432Node CurrentVersion Autorun Keys Modification" }, @@ -33917,8 +33917,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Wdigest Enable UseLogonCredential" }, @@ -33938,8 +33938,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG" }, @@ -33959,8 +33959,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Uncommon Microsoft Office Trusted Location Added" }, @@ -33980,8 +33980,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.007" + "TA0003", + "T1546.007" ], "title": "Potential Persistence Via Netsh Helper DLL - Registry" }, @@ -34001,8 +34001,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1559.002" + "TA0002", + "T1559.002" ], "title": "Enable Microsoft Dynamic Data Exchange" }, @@ -34022,11 +34022,11 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.command-and-control", - "attack.t1137", - "attack.t1008", - "attack.t1546" + "TA0003", + "TA0011", + "T1137", + "T1008", + "T1546" ], "title": "Outlook Macro Execution Without Warning Setting Enabled" }, 
@@ -34046,8 +34046,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Disable Internal Tools or Feature in Registry" }, @@ -34067,8 +34067,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.005" + "TA0005", + "T1070.005" ], "title": "MaxMpxCt Registry Value Changed" }, @@ -34088,9 +34088,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.defense-evasion", - "attack.t1548.002" + "TA0004", + "TA0005", + "T1548.002" ], "title": "UAC Secure Desktop Prompt Disabled" }, @@ -34110,7 +34110,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Potential Persistence Via LSA Extensions" }, @@ -34130,9 +34130,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564", - "attack.t1112" + "TA0005", + "T1564", + "T1112" ], "title": "CrashControl CrashDump Disabled" }, @@ -34152,8 +34152,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "Potential Persistence Via Scrobj.dll COM Hijacking" }, @@ -34173,9 +34173,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1548.002" + "TA0005", + "TA0004", + "T1548.002" ], "title": "UAC Bypass Abusing Winsat Path Parsing - Registry" }, @@ -34195,7 +34195,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Signing Bypass Via Windows Developer Features - Registry" }, @@ -34215,7 +34215,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Persistence Via Hhctrl.ocx" }, 
@@ -34235,8 +34235,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Activate Suppression of Windows Security Center Notifications" }, @@ -34256,8 +34256,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable Exploit Guard Network Protection on Windows Defender" }, @@ -34277,8 +34277,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Change the Fax Dll" }, @@ -34298,9 +34298,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1547.001", - "attack.t1112" + "TA0005", + "T1547.001", + "T1112" ], "title": "Windows Event Log Access Tampering Via Registry" }, @@ -34320,8 +34320,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Service Binary in Suspicious Folder" }, @@ -34341,9 +34341,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.persistence", - "attack.t1003" + "TA0006", + "TA0003", + "T1003" ], "title": "Potentially Suspicious ODBC Driver Registered" }, @@ -34363,7 +34363,7 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Persistence Via Disk Cleanup Handler - Autorun" }, @@ -34383,8 +34383,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "New Root or CA or AuthRoot Certificate to Store" }, @@ -34404,9 +34404,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1574.001", - "attack.t1112" + "TA0005", + "T1574.001", + "T1112" ], "title": "New DNS ServerLevelPluginDll Installed" }, 
@@ -34426,8 +34426,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Enable LM Hash Storage"
 },
@@ -34447,8 +34447,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.010"
+ "TA0003",
+ "T1547.010"
 ],
 "title": "Default RDP Port Changed to Non Standard Port"
 },
@@ -34468,7 +34468,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Old TLS1.0/TLS1.1 Protocol Version Enabled"
 },
@@ -34488,9 +34488,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002",
- "attack.t1112",
+ "TA0005",
+ "T1562.002",
+ "T1112",
 "car.2022-03-001"
 ],
 "title": "Security Event Logging Disabled via MiniNt Registry Key - Registry Set"
@@ -34511,8 +34511,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.007"
+ "TA0003",
+ "T1546.007"
 ],
 "title": "New Netsh Helper DLL Registered From A Suspicious Location"
 },
@@ -34532,8 +34532,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Registry Hide Function from User"
 },
@@ -34553,8 +34553,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1569.002"
+ "TA0002",
+ "T1569.002"
 ],
 "title": "PowerShell as a Service in Registry"
 },
@@ -34574,8 +34574,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "VBScript Payload Stored in Registry"
 },
@@ -34595,8 +34595,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "WinSock2 Autorun Keys Modification"
 },
@@ -34616,8 +34616,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Trust Access Disable For VBApplications"
 },
@@ -34637,8 +34637,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1562.001",
- "attack.defense-evasion"
+ "T1562.001",
+ "TA0005"
 ],
 "title": "Suspicious Service Installed"
 },
@@ -34658,8 +34658,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Tamper With Sophos AV Registry Keys"
 },
@@ -34679,9 +34679,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1547.001"
+ "TA0003",
+ "TA0004",
+ "T1547.001"
 ],
 "title": "Modify User Shell Folders Startup Value"
 },
@@ -34701,8 +34701,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Outlook EnableUnsafeClientMailRules Setting Enabled - Registry"
 },
@@ -34722,8 +34722,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Potential AMSI COM Server Hijacking"
 },
@@ -34743,8 +34743,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1112"
+ "TA0003",
+ "T1112"
 ],
 "title": "Potential Persistence Via Outlook Today Page"
 },
@@ -34764,9 +34764,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1546",
- "attack.t1548"
+ "TA0004",
+ "T1546",
+ "T1548"
 ],
 "title": "COM Hijack via Sdclt"
 },
@@ -34786,8 +34786,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "Internet Explorer Autorun Keys Modification"
 },
@@ -34807,7 +34807,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential AutoLogger Sessions Tampering"
 },
@@ -34827,8 +34827,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence"
+ "TA0005",
+ "TA0003"
 ],
 "title": "Enable Local Manifest Installation With Winget"
 },
@@ -34848,7 +34848,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Potential Persistence Via AutodialDLL"
 },
@@ -34868,8 +34868,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "New RUN Key Pointing to Suspicious Folder"
 },
@@ -34889,10 +34889,10 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.t1112",
- "attack.t1047"
+ "TA0002",
+ "TA0003",
+ "T1112",
+ "T1047"
 ],
 "title": "Blue Mockingbird - Registry"
 },
@@ -34912,8 +34912,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Windows Defender Exclusions Added - Registry"
 },
@@ -34933,8 +34933,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1112"
+ "TA0003",
+ "T1112"
 ],
 "title": "Potential Persistence Via Outlook Home Page"
 },
@@ -34954,8 +34954,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "Common Autorun Keys Modification"
 },
@@ -34975,8 +34975,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Add DisallowRun Execution to Registry"
 },
@@ -34996,8 +34996,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001"
+ "TA0002",
+ "T1059.001"
 ],
 "title": "Potentially Suspicious Command Executed Via Run Dialog Box - Registry"
 },
@@ -35017,8 +35017,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Registry Explorer Policy Modification"
 },
@@ -35038,8 +35038,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.003"
+ "TA0005",
+ "T1036.003"
 ],
 "title": "Potential WerFault ReflectDebugger Registry Value Abuse"
 },
@@ -35059,10 +35059,10 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.persistence",
- "attack.defense-evasion",
- "attack.t1546.012",
+ "TA0004",
+ "TA0003",
+ "TA0005",
+ "T1546.012",
 "car.2013-01-002"
 ],
 "title": "Potential Persistence Via GlobalFlags"
@@ -35083,8 +35083,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Python Function Execution Security Warning Disabled In Excel - Registry"
 },
@@ -35104,8 +35104,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1137"
+ "TA0003",
+ "T1137"
 ],
 "title": "Outlook Security Settings Updated - Registry"
 },
@@ -35125,8 +35125,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562"
+ "TA0005",
+ "T1562"
 ],
 "title": "Hide Schedule Task Via Index Value Tamper"
 },
@@ -35146,8 +35146,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.011"
+ "TA0003",
+ "T1546.011"
 ],
 "title": "Potential Persistence Via Shim Database Modification"
 },
@@ -35167,8 +35167,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003"
+ "TA0006",
+ "T1003"
 ],
 "title": "Potential Credential Dumping Attempt Using New NetworkProvider - REG"
 },
@@ -35188,12 +35188,12 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.privilege-escalation",
- "attack.lateral-movement",
- "attack.t1021.002",
- "attack.t1543.003",
- "attack.t1569.002"
+ "TA0002",
+ "TA0004",
+ "TA0008",
+ "T1021.002",
+ "T1543.003",
+ "T1569.002"
 ],
 "title": "Potential CobaltStrike Service Installations - Registry"
 },
@@ -35213,8 +35213,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence"
+ "TA0005",
+ "TA0003"
 ],
 "title": "Suspicious Environment Variable Has Been Registered"
 },
@@ -35234,7 +35234,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "Potential PowerShell Execution Policy Tampering"
 },
@@ -35254,9 +35254,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001",
- "attack.t1112"
+ "TA0005",
+ "T1574.001",
+ "T1112"
 ],
 "title": "DHCP Callout DLL Installation"
 },
@@ -35276,7 +35276,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Add Debugger Entry To Hangs Key For Persistence"
 },
@@ -35296,8 +35296,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "ClickOnce Trust Prompt Tampering"
 },
@@ -35317,8 +35317,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Suspicious Application Allowed Through Exploit Guard"
 },
@@ -35338,8 +35338,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Potential Persistence Via Custom Protocol Handler"
 },
@@ -35359,9 +35359,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.defense-evasion",
- "attack.t1548.002"
+ "TA0004",
+ "TA0005",
+ "T1548.002"
 ],
 "title": "Bypass UAC Using DelegateExecute"
 },
@@ -35381,8 +35381,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.004"
+ "TA0005",
+ "T1562.004"
 ],
 "title": "Disable Microsoft Defender Firewall via Registry"
 },
@@ -35402,8 +35402,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Hypervisor Enforced Paging Translation Disabled"
 },
@@ -35423,9 +35423,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.defense-evasion",
- "attack.t1548.002"
+ "TA0004",
+ "TA0005",
+ "T1548.002"
 ],
 "title": "UAC Disabled"
 },
@@ -35445,8 +35445,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Modification of IE Registry Settings"
 },
@@ -35466,8 +35466,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1588.002"
+ "TA0042",
+ "T1588.002"
 ],
 "title": "Suspicious Keyboard Layout Load"
 },
@@ -35487,8 +35487,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.011"
+ "TA0003",
+ "T1546.011"
 ],
 "title": "Suspicious Shim Database Patching Activity"
 },
@@ -35508,8 +35508,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Disabled Windows Defender Eventlog"
 },
@@ -35529,8 +35529,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002"
+ "TA0005",
+ "T1562.002"
 ],
 "title": "Potential EventLog File Location Tampering"
 },
@@ -35550,8 +35550,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Macro Enabled In A Potentially Suspicious Document"
 },
@@ -35571,8 +35571,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1133"
+ "TA0003",
+ "T1133"
 ],
 "title": "Running Chrome VPN Extensions via the Registry 2 VPN Extension"
 },
@@ -35592,9 +35592,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1140",
- "attack.t1112"
+ "TA0005",
+ "T1140",
+ "T1112"
 ],
 "title": "DNS-over-HTTPS Enabled by Registry"
 },
@@ -35614,8 +35614,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Scripted Diagnostics Turn Off Check Enabled - Registry"
 },
@@ -35635,8 +35635,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Blackbyte Ransomware Registry"
 },
@@ -35656,8 +35656,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.005"
+ "TA0005",
+ "T1070.005"
 ],
 "title": "Disable Administrative Share Creation at Startup"
 },
@@ -35677,8 +35677,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1113"
+ "TA0009",
+ "T1113"
 ],
 "title": "Windows Recall Feature Enabled - Registry"
 },
@@ -35698,8 +35698,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1137"
+ "TA0003",
+ "T1137"
 ],
 "title": "IE Change Domain Zone"
 },
@@ -35719,8 +35719,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Office Macros Warning Disabled"
 },
@@ -35740,8 +35740,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.010"
+ "TA0003",
+ "T1547.010"
 ],
 "title": "Bypass UAC Using Event Viewer"
 },
@@ -35761,9 +35761,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
- "attack.t1546.009"
+ "TA0003",
+ "T1547.001",
+ "T1546.009"
 ],
 "title": "Session Manager Autorun Keys Modification"
 },
@@ -35783,9 +35783,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1548.002"
+ "TA0005",
+ "TA0004",
+ "T1548.002"
 ],
 "title": "UAC Bypass Using Windows Media Player - Registry"
 },
@@ -35805,8 +35805,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.012"
+ "TA0003",
+ "T1546.012"
 ],
 "title": "Potential Persistence Via App Paths Default Property"
 },
@@ -35826,7 +35826,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Potential SentinelOne Shell Context Menu Scan Command Tampering"
 },
@@ -35846,9 +35846,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.privilege-escalation",
- "attack.t1543.003"
+ "TA0003",
+ "TA0004",
+ "T1543.003"
 ],
 "title": "ServiceDll Hijack"
 },
@@ -35868,8 +35868,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1574",
+ "TA0004",
+ "T1574",
 "cve.2021-1675"
 ],
 "title": "Suspicious Printer Driver Empty Manufacturer"
@@ -35890,8 +35890,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.001"
+ "TA0005",
+ "T1562.001"
 ],
 "title": "Antivirus Filter Driver Disallowed On Dev Drive - Registry"
 },
@@ -35911,8 +35911,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001"
+ "TA0003",
+ "T1547.001"
 ],
 "title": "Office Autorun Keys Modification"
 },
@@ -35932,7 +35932,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion"
+ "TA0005"
 ],
 "title": "New File Association Using Exefile"
 },
@@ -35952,8 +35952,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546.015"
+ "TA0003",
+ "T1546.015"
 ],
 "title": "Potential COM Object Hijacking Via TreatAs Subkey - Registry"
 },
@@ -35973,7 +35973,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Potential Persistence Via New AMSI Providers - Registry"
 },
@@ -35993,8 +35993,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112"
+ "TA0005",
+ "T1112"
 ],
 "title": "Potential NetWire RAT Activity - Registry"
 },
@@ -36014,8 +36014,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1588.002"
+ "TA0042",
+ "T1588.002"
 ],
 "title": "Suspicious Execution Of Renamed Sysinternals Tools - Registry"
 },
@@ -36035,8 +36035,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1588.002"
+ "TA0042",
+ "T1588.002"
 ],
 "title": "PUA - Sysinternals Tools Execution - Registry"
 },
@@ -36056,9 +36056,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1037.001",
- "attack.persistence",
- "attack.lateral-movement"
+ "T1037.001",
+ "TA0003",
+ "TA0008"
 ],
 "title": "Potential Persistence Via Logon Scripts - Registry"
 },
@@ -36078,8 +36078,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1588.002"
+ "TA0042",
+ "T1588.002"
 ],
 "title": "PUA - Sysinternal Tool Execution - Registry"
 },
@@ -36099,7 +36099,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Potential Persistence Via Disk Cleanup Handler - Registry"
 },
@@ -36119,8 +36119,8 @@
 "service": "microsoft-servicebus-client",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1554"
+ "TA0003",
+ "T1554"
 ],
 "title": "HybridConnectionManager Service Running"
 },
@@ -36138,8 +36138,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1499",
+ "TA0040",
+ "T1499",
 "cve.2024-49113",
 "detection.emerging-threats"
 ],
@@ -36164,8 +36164,8 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.persistence",
+ "TA0001",
+ "TA0003",
 "cve.2024-1708",
 "detection.emerging-threats"
 ],
@@ -36193,7 +36193,7 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "cve.2024-37085",
 "detection.emerging-threats"
 ],
@@ -36215,7 +36215,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "cve.2024-37085",
 "detection.emerging-threats"
 ],
@@ -36240,7 +36240,7 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
+ "TA0005",
 "cve.2024-1709",
 "detection.emerging-threats"
 ],
@@ -36262,8 +36262,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1055",
+ "TA0005",
+ "T1055",
 "detection.emerging-threats"
 ],
 "title": "Lummac Stealer Activity - Execution Of More.com And Vbc.exe"
@@ -36284,9 +36284,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218.011",
+ "TA0005",
+ "TA0002",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Potential Raspberry Robin CPL Execution Activity"
@@ -36307,8 +36307,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1112",
- "attack.defense-evasion",
+ "T1112",
+ "TA0005",
 "detection.emerging-threats"
 ],
 "title": "Potential Raspberry Robin Registry Set Internet Settings ZoneMap"
@@ -36329,8 +36329,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Kapeka Backdoor Autorun Persistence"
@@ -36351,8 +36351,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1053.005",
+ "TA0003",
+ "T1053.005",
 "detection.emerging-threats"
 ],
 "title": "Kapeka Backdoor Persistence Activity"
@@ -36374,10 +36374,10 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.privilege-escalation",
- "attack.persistence",
- "attack.t1053.005",
+ "TA0002",
+ "TA0004",
+ "TA0003",
+ "T1053.005",
 "detection.emerging-threats"
 ],
 "title": "Kapeka Backdoor Scheduled Task Creation"
@@ -36398,8 +36398,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Kapeka Backdoor Execution Via RunDLL32.EXE"
@@ -36420,9 +36420,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
- "attack.t1553.003",
+ "TA0003",
+ "TA0005",
+ "T1553.003",
 "detection.emerging-threats"
 ],
 "title": "Kapeka Backdoor Configuration Persistence"
@@ -36443,7 +36443,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Potential KamiKakaBot Activity - Shutdown Schedule Task Creation"
@@ -36464,8 +36464,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "detection.emerging-threats"
 ],
 "title": "Potential KamiKakaBot Activity - Lure Document Execution"
@@ -36486,8 +36486,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Potential KamiKakaBot Activity - Winlogon Shell Persistence"
@@ -36508,8 +36508,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Forest Blizzard APT - Custom Protocol Handler Creation"
@@ -36530,8 +36530,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Forest Blizzard APT - Custom Protocol Handler DLL Registry Set"
@@ -36552,8 +36552,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Forest Blizzard APT - Process Creation Activity"
@@ -36574,9 +36574,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
+ "TA0002",
+ "T1059.001",
+ "T1059.003",
 "detection.emerging-threats"
 ],
 "title": "Potential APT FIN7 Exploitation Activity"
@@ -36597,11 +36597,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial-access",
- "attack.t1566.001",
+ "TA0002",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
 "cve.2017-8759",
 "detection.emerging-threats"
 ],
@@ -36623,11 +36623,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial-access",
- "attack.t1566.001",
+ "TA0002",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
 "cve.2017-11882",
 "detection.emerging-threats"
 ],
@@ -36649,11 +36649,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1203",
- "attack.t1204.002",
- "attack.initial-access",
- "attack.t1566.001",
+ "TA0002",
+ "T1203",
+ "T1204.002",
+ "TA0001",
+ "T1566.001",
 "cve.2017-0261",
 "detection.emerging-threats"
 ],
@@ -36675,15 +36675,15 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.t1210",
- "attack.discovery",
- "attack.t1083",
- "attack.defense-evasion",
- "attack.t1222.001",
- "attack.impact",
- "attack.t1486",
- "attack.t1490",
+ "TA0008",
+ "T1210",
+ "TA0007",
+ "T1083",
+ "TA0005",
+ "T1222.001",
+ "TA0040",
+ "T1486",
+ "T1490",
 "detection.emerging-threats"
 ],
 "title": "WannaCry Ransomware Activity"
@@ -36704,11 +36704,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
- "attack.t1070.001",
- "attack.credential-access",
- "attack.t1003.001",
+ "TA0005",
+ "T1218.011",
+ "T1070.001",
+ "TA0006",
+ "T1003.001",
 "car.2016-04-002",
 "detection.emerging-threats"
 ],
@@ -36730,9 +36730,9 @@
 "0CCE9211-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1543.003",
- "attack.t1569.002",
+ "TA0003",
+ "T1543.003",
+ "T1569.002",
 "detection.emerging-threats"
 ],
 "title": "CosmicDuke Service Installation"
@@ -36753,9 +36753,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.005",
- "attack.t1059.007",
+ "TA0002",
+ "T1059.005",
+ "T1059.007",
 "detection.emerging-threats"
 ],
 "title": "Adwind RAT / JRAT"
@@ -36776,9 +36776,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0002",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Fireball Archer Install"
@@ -36797,9 +36797,9 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0064",
- "attack.t1543.003",
+ "T1543.003",
 "detection.emerging-threats"
 ],
 "title": "StoneDrill Service Install"
@@ -36821,8 +36821,8 @@
 ],
 "tags": [
 "attack.s0013",
- "attack.defense-evasion",
- "attack.t1574.001",
+ "TA0005",
+ "T1574.001",
 "detection.emerging-threats"
 ],
 "title": "Potential PlugX Activity"
@@ -36843,9 +36843,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
+ "TA0005",
 "attack.g0035",
- "attack.t1036.003",
+ "T1036.003",
 "car.2013-05-009",
 "detection.emerging-threats"
 ],
@@ -36865,9 +36865,9 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0010",
- "attack.t1543.003",
+ "T1543.003",
 "detection.emerging-threats"
 ],
 "title": "Turla PNG Dropper Service"
@@ -36886,9 +36886,9 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0010",
- "attack.t1543.003",
+ "T1543.003",
 "detection.emerging-threats"
 ],
 "title": "Turla Service Install"
@@ -36909,8 +36909,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.005",
+ "TA0005",
+ "T1036.005",
 "detection.emerging-threats"
 ],
 "title": "Lazarus System Binary Masquerading"
@@ -36931,9 +36931,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "attack.g0045",
- "attack.t1059.005",
+ "T1059.005",
 "detection.emerging-threats"
 ],
 "title": "Potential APT10 Cloud Hopper Activity"
@@ -36957,8 +36957,8 @@
 "attack.g0030",
 "attack.g0050",
 "attack.s0081",
- "attack.execution",
- "attack.t1059.003",
+ "TA0002",
+ "T1059.003",
 "detection.emerging-threats"
 ],
 "title": "Elise Backdoor Activity"
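Review bot: The `tags` arrays in the StoneDrill, PlugX, Turla, APT10 and Elise hunks now mix two naming schemes: tactic and technique entries become bare MITRE IDs (`TA0003`, `T1543.003`) while group and software entries keep the Sigma form (`attack.g0064`, `attack.s0013`), and `car.*`, `cve.*` and `detection.*` tags are untouched. Any consumer that selects ATT&CK tags by the `attack.` prefix will from now on match only the group/software tags and silently lose the tactic and technique mapping for every rule. The same split recurs in the four OilRig hunks on the next line, the `@@ -37450` Ke3chang hunk, the `@@ -37653` Greenbug and `@@ -37680` Lazarus hunks, and the two `attack.g0044` hunks after them. Either convert `attack.gNNNN`/`attack.sNNNN` to the same bare-ID form (`G0064`, `S0013`) in this pass, or record in the documentation for this file that `tags` now carries bare ATT&CK tactic/technique IDs alongside prefixed group/software IDs so consumers match both forms.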
@@ -36980,15 +36980,15 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0049",
- "attack.t1053.005",
+ "T1053.005",
 "attack.s0111",
- "attack.t1543.003",
- "attack.defense-evasion",
- "attack.t1112",
- "attack.command-and-control",
- "attack.t1071.004",
+ "T1543.003",
+ "TA0005",
+ "T1112",
+ "TA0011",
+ "T1071.004",
 "detection.emerging-threats"
 ],
 "title": "OilRig APT Schedule Task Persistence - Security"
@@ -37009,15 +37009,15 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0049",
- "attack.t1053.005",
+ "T1053.005",
 "attack.s0111",
- "attack.t1543.003",
- "attack.defense-evasion",
- "attack.t1112",
- "attack.command-and-control",
- "attack.t1071.004",
+ "T1543.003",
+ "TA0005",
+ "T1112",
+ "TA0011",
+ "T1071.004",
 "detection.emerging-threats"
 ],
 "title": "OilRig APT Registry Persistence"
@@ -37038,15 +37038,15 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0049",
- "attack.t1053.005",
+ "T1053.005",
 "attack.s0111",
- "attack.t1543.003",
- "attack.defense-evasion",
- "attack.t1112",
- "attack.command-and-control",
- "attack.t1071.004",
+ "T1543.003",
+ "TA0005",
+ "T1112",
+ "TA0011",
+ "T1071.004",
 "detection.emerging-threats"
 ],
 "title": "OilRig APT Activity"
@@ -37065,15 +37065,15 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "attack.g0049",
- "attack.t1053.005",
+ "T1053.005",
 "attack.s0111",
- "attack.t1543.003",
- "attack.defense-evasion",
- "attack.t1112",
- "attack.command-and-control",
- "attack.t1071.004",
+ "T1543.003",
+ "TA0005",
+ "T1112",
+ "TA0011",
+ "T1071.004",
 "detection.emerging-threats"
 ],
 "title": "OilRig APT Schedule Task Persistence - System"
@@ -37094,9 +37094,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
- "attack.t1218.011",
+ "TA0005",
+ "TA0002",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "APT29 2018 Phishing Campaign CommandLine Indicators"
@@ -37117,8 +37117,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1112",
+ "TA0005",
+ "T1112",
 "detection.emerging-threats"
 ],
 "title": "OceanLotus Registry Activity"
@@ -37140,8 +37140,8 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1053",
+ "TA0003",
+ "T1053",
 "attack.s0111",
 "detection.emerging-threats"
 ],
@@ -37163,8 +37163,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1053.005",
+ "TA0003",
+ "T1053.005",
 "attack.s0111",
 "detection.emerging-threats"
 ],
@@ -37186,11 +37186,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "attack.g0007",
- "attack.t1059.003",
- "attack.t1218.011",
+ "T1059.003",
+ "T1218.011",
 "car.2013-10-002",
 "detection.emerging-threats"
 ],
@@ -37212,8 +37212,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "attack.g0069",
 "detection.emerging-threats"
 ],
@@ -37235,8 +37235,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001",
+ "TA0005",
+ "T1574.001",
 "attack.g0027",
 "detection.emerging-threats"
 ],
@@ -37258,8 +37258,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "TropicTrooper Campaign November 2018"
@@ -37280,9 +37280,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.lateral-movement",
- "attack.t1210",
+ "TA0002",
+ "TA0008",
+ "T1210",
 "cve.2020-1472",
 "detection.emerging-threats"
 ],
@@ -37302,8 +37302,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
+ "TA0001",
+ "T1190",
 "cve.2020-0688",
 "detection.emerging-threats"
 ],
@@ -37325,10 +37325,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
- "attack.execution",
- "attack.t1569.002",
+ "TA0001",
+ "T1190",
+ "TA0002",
+ "T1569.002",
 "cve.2020-1350",
 "detection.emerging-threats"
 ],
@@ -37350,9 +37350,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.t1059.001",
+ "TA0003",
+ "TA0002",
+ "T1059.001",
 "cve.2020-1048",
 "detection.emerging-threats"
 ],
@@ -37374,10 +37374,10 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1112",
+ "TA0003",
+ "TA0002",
+ "TA0005",
+ "T1112",
 "cve.2020-1048",
 "detection.emerging-threats"
 ],
@@ -37399,11 +37399,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
+ "TA0001",
+ "T1190",
+ "TA0002",
+ "T1059.001",
+ "T1059.003",
 "attack.s0190",
 "cve.2020-10189",
 "detection.emerging-threats"
@@ -37426,9 +37426,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1112",
- "attack.t1047",
+ "TA0002",
+ "T1112",
+ "T1047",
 "detection.emerging-threats"
 ],
 "title": "Blue Mockingbird"
@@ -37450,8 +37450,8 @@
 ],
 "tags": [
 "attack.g0004",
- "attack.defense-evasion",
- "attack.t1562.001",
+ "TA0005",
+ "T1562.001",
 "detection.emerging-threats"
 ],
 "title": "Potential Ke3chang/TidePool Malware Activity"
@@ -37472,8 +37472,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1112",
+ "TA0003",
+ "T1112",
 "detection.emerging-threats"
 ],
 "title": "FlowCloud Registry Markers"
@@ -37494,8 +37494,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Potential Emotet Rundll32 Execution"
@@ -37516,11 +37516,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204.002",
- "attack.t1047",
- "attack.impact",
- "attack.t1490",
+ "TA0002",
+ "T1204.002",
+ "T1047",
+ "TA0040",
+ "T1490",
 "detection.emerging-threats"
 ],
 "title": "Potential Maze Ransomware Activity"
@@ -37541,9 +37541,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.t1047",
+ "TA0002",
+ "T1059.001",
+ "T1047",
 "detection.emerging-threats"
 ],
 "title": "UNC2452 PowerShell Pattern"
@@ -37564,8 +37564,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "UNC2452 Process Creation Patterns"
@@ -37586,8 +37586,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Suspicious VBScript UN2452 Pattern"
@@ -37608,8 +37608,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "EvilNum APT Golden Chickens Deployment Via OCX Files"
@@ -37630,8 +37630,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Leviathan Registry Key Activity"
@@ -37653,12 +37653,12 @@
 ],
 "tags": [
 "attack.g0049",
- "attack.execution",
- "attack.t1059.001",
- "attack.command-and-control",
- "attack.t1105",
- "attack.defense-evasion",
- "attack.t1036.005",
+ "TA0002",
+ "T1059.001",
+ "TA0011",
+ "T1105",
+ "TA0005",
+ "T1036.005",
 "detection.emerging-threats"
 ],
 "title": "Greenbug Espionage Group Indicators"
@@ -37680,8 +37680,8 @@
 ],
 "tags": [
 "attack.g0032",
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "detection.emerging-threats"
 ],
 "title": "Lazarus Group Activity"
@@ -37702,8 +37702,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001",
+ "TA0005",
+ "T1574.001",
 "attack.g0044",
 "detection.emerging-threats"
 ],
@@ -37725,8 +37725,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1574.001",
+ "TA0005",
+ "T1574.001",
 "attack.g0044",
 "detection.emerging-threats"
 ],
@@ -37748,8 +37748,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1055.001",
+ "TA0002",
+ "T1055.001",
 "detection.emerging-threats"
 ],
 "title": "TAIDOOR RAT DLL Load"
@@ -37768,9 +37768,9 @@
 "service": "dns-server-analytic",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.command-and-control",
- "attack.t1071",
+ "TA0006",
+ "TA0011",
+ "T1071",
 "detection.emerging-threats"
 ],
 "title": "GALLIUM Artefacts - Builtin"
@@ -37791,10 +37791,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.initial-access",
- "attack.t1059.006",
- "attack.t1190",
+ "TA0002",
+ "TA0001",
+ "T1059.006",
+ "T1190",
 "cve.2022-22954",
 "detection.emerging-threats"
 ],
@@ -37816,8 +37816,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1221",
+ "TA0005",
+ "T1221",
 "detection.emerging-threats"
 ],
 "title": "Suspicious Set Value of MSDT in Registry (CVE-2022-30190)"
@@ -37838,7 +37838,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "cve.2022-29072",
 "detection.emerging-threats"
 ],
@@ -37860,8 +37860,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.execution",
+ "TA0004",
+ "TA0002",
 "cve.2023-21554",
 "detection.emerging-threats"
 ],
@@ -37883,8 +37883,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068",
+ "TA0004",
+ "T1068",
 "cve.2022-41120",
 "detection.emerging-threats"
 ],
@@ -37906,8 +37906,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Raspberry Robin Subsequent Execution of Commands"
@@ -37928,8 +37928,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Raspberry Robin Initial Execution From External Drive"
@@ -37950,7 +37950,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential Raspberry Robin Dot Ending File"
@@ -37977,8 +37977,8 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1486",
+ "TA0040",
+ "T1486",
 "detection.emerging-threats"
 ],
 "title": "BlueSky Ransomware Artefacts"
@@ -37999,10 +37999,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.persistence",
- "attack.t1053.005",
- "attack.t1059.006",
+ "TA0002",
+ "TA0003",
+ "T1053.005",
+ "T1059.006",
 "detection.emerging-threats"
 ],
 "title": "Serpent Backdoor Payload Execution Via Scheduled Task"
@@ -38023,8 +38023,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.006",
+ "TA0002",
+ "T1059.006",
 "detection.emerging-threats"
 ],
 "title": "Emotet Loader Execution Via .LNK File"
@@ -38045,9 +38045,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.lateral-movement",
- "attack.t1021.001",
+ "TA0002",
+ "TA0008",
+ "T1021.001",
 "detection.emerging-threats"
 ],
 "title": "Hermetic Wiper TG Process Patterns"
@@ -38066,8 +38066,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1546",
+ "TA0003",
+ "T1546",
 "detection.emerging-threats"
 ],
 "title": "MSSQL Extended Stored Procedure Backdoor Maggie"
@@ -38088,9 +38088,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1053",
- "attack.t1053.005",
+ "TA0003",
+ "T1053",
+ "T1053.005",
 "detection.emerging-threats"
 ],
 "title": "Potential ACTINIUM Persistence Activity"
@@ -38111,8 +38111,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "attack.g0069",
 "detection.emerging-threats"
 ],
@@ -38135,10 +38135,10 @@
 ],
 "tags": [
 "attack.g0010",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1053.005",
- "attack.t1027",
+ "TA0002",
+ "T1059.001",
+ "T1053.005",
+ "T1027",
 "detection.emerging-threats"
 ],
 "title": "Turla Group Commands May 2020"
@@ -38160,13 +38160,13 @@
 ],
 "tags": [
 "attack.g0010",
- "attack.execution",
- "attack.t1059",
- "attack.lateral-movement",
- "attack.t1021.002",
- "attack.discovery",
- "attack.t1083",
- "attack.t1135",
+ "TA0002",
+ "T1059",
+ "TA0008",
+ "T1021.002",
+ "TA0007",
+ "T1083",
+ "T1135",
 "detection.emerging-threats"
 ],
 "title": "Turla Group Lateral Movement"
@@ -38187,10 +38187,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0002",
+ "T1059.003",
+ "TA0005",
+ "T1218.011",
 "attack.s0412",
 "attack.g0001",
 "detection.emerging-threats"
@@ -38213,8 +38213,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
+ "TA0002",
+ "TA0005",
 "cve.2021-40444",
 "detection.emerging-threats"
 ],
@@ -38236,8 +38236,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "cve.2021-40444",
 "detection.emerging-threats"
 ],
@@ -38259,10 +38259,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.execution",
- "attack.t1190",
- "attack.t1059",
+ "TA0001",
+ "TA0002",
+ "T1190",
+ "T1059",
 "cve.2021-26084",
 "detection.emerging-threats"
 ],
@@ -38284,9 +38284,9 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1566",
- "attack.t1203",
+ "TA0006",
+ "T1566",
+ "T1203",
 "cve.2021-33771",
 "cve.2021-31979",
 "detection.emerging-threats"
@@ -38309,8 +38309,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1203",
- "attack.execution",
+ "T1203",
+ "TA0002",
 "cve.2021-26857",
 "detection.emerging-threats"
 ],
@@ -38333,8 +38333,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.credential-access",
- "attack.t1558.003",
+ "TA0006",
+ "T1558.003",
 "cve.2021-42278",
 "detection.emerging-threats"
 ],
@@ -38355,8 +38355,8 @@
 "service": "msexchange-management",
 "subcategory_guids": [],
 "tags": [
- "attack.lateral-movement",
- "attack.t1210",
+ "TA0008",
+ "T1210",
 "detection.emerging-threats"
 ],
 "title": "Possible Exploitation of Exchange RCE CVE-2021-42321"
@@ -38377,8 +38377,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1553",
+ "TA0004",
+ "T1553",
 "detection.emerging-threats"
 ],
 "title": "Suspicious RazerInstaller Explorer Subprocess"
@@ -38399,8 +38399,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068",
+ "TA0004",
+ "T1068",
 "detection.emerging-threats"
 ],
 "title": "Potential SystemNightmare Exploitation Attempt"
@@ -38421,8 +38421,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1136.001",
+ "TA0003",
+ "T1136.001",
 "cve.2021-35211",
 "detection.emerging-threats"
 ],
@@ -38453,8 +38453,8 @@
 "service": "windefend",
 "subcategory_guids": [],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1055",
+ "TA0004",
+ "T1055",
 "detection.emerging-threats"
 ],
 "title": "Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection"
@@ -38475,8 +38475,8 @@
 "0CCE9244-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1569",
+ "TA0002",
+ "T1569",
 "cve.2021-1675",
 "cve.2021-34527",
 "detection.emerging-threats"
@@ -38497,8 +38497,8 @@
 "service": "printservice-admin",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1569",
+ "TA0002",
+ "T1569",
 "cve.2021-1675",
 "detection.emerging-threats"
 ],
@@ -38518,8 +38518,8 @@
 "service": "printservice-operational",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1569",
+ "TA0002",
+ "T1569",
 "cve.2021-1675",
 "detection.emerging-threats"
 ],
@@ -38541,10 +38541,10 @@
 "0CCE9235-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence",
- "attack.t1036",
- "attack.t1098",
+ "TA0005",
+ "TA0003",
+ "T1036",
+ "T1098",
 "cve.2021-42287",
 "detection.emerging-threats"
 ],
@@ -38566,8 +38566,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068",
+ "TA0004",
+ "T1068",
 "cve.2021-41379",
 "detection.emerging-threats"
 ],
@@ -38587,8 +38587,8 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
+ "TA0001",
+ "T1190",
 "detection.emerging-threats"
 ],
 "title": "LPE InstallerFileTakeOver PoC CVE-2021-41379"
@@ -38609,8 +38609,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
+ "TA0001",
+ "T1190",
 "cve.2021-44228",
 "detection.emerging-threats"
 ],
@@ -38632,9 +38632,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
+ "TA0040",
 "attack.s0575",
- "attack.t1486",
+ "T1486",
 "detection.emerging-threats"
 ],
 "title": "Potential Conti Ransomware Activity"
@@ -38655,8 +38655,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1560",
+ "TA0009",
+ "T1560",
 "detection.emerging-threats"
 ],
 "title": "Conti NTDS Exfiltration Command"
@@ -38677,8 +38677,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.collection",
- "attack.t1005",
+ "TA0009",
+ "T1005",
 "detection.emerging-threats"
 ],
 "title": "Potential Conti Ransomware Database Dumping Activity Via SQLCmd"
@@ -38699,8 +38699,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1587.001",
- "attack.resource-development",
+ "T1587.001",
+ "TA0042",
 "detection.emerging-threats"
 ],
 "title": "Conti Volume Shadow Listing"
@@ -38721,8 +38721,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
+ "TA0005",
+ "T1218",
 "detection.emerging-threats"
 ],
 "title": "Potential Devil Bait Malware Reconnaissance"
@@ -38743,13 +38743,13 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.impact",
- "attack.t1485",
- "attack.t1498",
- "attack.t1059.001",
- "attack.t1140",
+ "TA0002",
+ "TA0005",
+ "TA0040",
+ "T1485",
+ "T1498",
+ "T1059.001",
+ "T1140",
 "detection.emerging-threats"
 ],
 "title": "Potential BlackByte Ransomware Activity"
@@ -38770,8 +38770,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204",
+ "TA0002",
+ "T1204",
 "detection.emerging-threats"
 ],
 "title": "DarkSide Ransomware Pattern"
@@ -38792,8 +38792,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1574.001",
+ "TA0003",
+ "T1574.001",
 "detection.emerging-threats"
 ],
 "title": "Pingback Backdoor Activity"
@@ -38814,7 +38814,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential Goofy Guineapig Backdoor Activity"
@@ -38833,7 +38833,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Goofy Guineapig Backdoor Service Creation"
@@ -38854,7 +38854,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
+ "TA0005",
 "detection.emerging-threats"
 ],
 "title": "Potential Goofy Guineapig GoolgeUpdate Process Anomaly"
@@ -38875,7 +38875,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Small Sieve Malware Registry Persistence"
@@ -38896,8 +38896,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1574.001",
+ "TA0003",
+ "T1574.001",
 "detection.emerging-threats"
 ],
 "title": "Small Sieve Malware CommandLine Indicator"
@@ -38918,9 +38918,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1546",
- "attack.t1053",
+ "TA0003",
+ "T1546",
+ "T1053",
 "attack.g0125",
 "detection.emerging-threats"
 ],
@@ -38942,8 +38942,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "attack.g0115",
 "detection.emerging-threats"
 ],
@@ -38965,10 +38965,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1546",
- "attack.t1546.015",
- "attack.persistence",
- "attack.privilege-escalation",
+ "T1546",
+ "T1546.015",
+ "TA0003",
+ "TA0004",
 "detection.emerging-threats"
 ],
 "title": "SOURGUM Actor Behaviours"
@@ -38989,8 +38989,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1068",
+ "TA0004",
+ "T1068",
 "cve.2019-1388",
 "detection.emerging-threats"
 ],
@@ -39012,8 +39012,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.t1053.005",
+ "TA0004",
+ "T1053.005",
 "car.2013-08-001",
 "detection.emerging-threats"
 ],
@@ -39035,13 +39035,13 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.discovery",
- "attack.t1012",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.t1218.005",
+ "TA0002",
+ "TA0005",
+ "TA0007",
+ "T1012",
+ "T1059.003",
+ "T1059.001",
+ "T1218.005",
 "detection.emerging-threats"
 ],
 "title": "Potential Baby Shark Malware Activity"
@@ -39062,8 +39062,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.005",
+ "TA0002",
+ "T1059.005",
 "detection.emerging-threats"
 ],
 "title": "Potential QBot Activity"
@@ -39084,8 +39084,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.resource-development",
- "attack.t1587.001",
+ "TA0042",
+ "T1587.001",
 "detection.emerging-threats"
 ],
 "title": "Formbook Process Creation"
@@ -39106,8 +39106,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1486",
+ "TA0040",
+ "T1486",
 "detection.emerging-threats"
 ],
 "title": "LockerGoga Ransomware Activity"
@@ -39128,8 +39128,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1204",
+ "TA0002",
+ "T1204",
 "detection.emerging-threats"
 ],
 "title": "Potential Snatch Ransomware Activity"
@@ -39150,12 +39150,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.privilege-escalation",
- "attack.t1055",
- "attack.discovery",
- "attack.t1135",
- "attack.t1033",
+ "TA0005",
+ "TA0004",
+ "T1055",
+ "TA0007",
+ "T1135",
+ "T1033",
 "detection.emerging-threats"
 ],
 "title": "Potential Dridex Activity"
@@ -39176,8 +39176,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1112",
+ "TA0002",
+ "T1112",
 "detection.emerging-threats"
 ],
 "title": "Potential Ursnif Malware Activity - Registry"
@@ -39198,10 +39198,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
- "attack.defense-evasion",
- "attack.t1027",
+ "TA0002",
+ "T1059.001",
+ "TA0005",
+ "T1027",
 "detection.emerging-threats"
 ],
 "title": "Potential Emotet Activity"
@@ -39222,8 +39222,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.impact",
- "attack.t1490",
+ "TA0040",
+ "T1490",
 "detection.emerging-threats"
 ],
 "title": "Potential Dtrack RAT Activity"
@@ -39244,8 +39244,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1547.001",
+ "TA0003",
+ "T1547.001",
 "detection.emerging-threats"
 ],
 "title": "Potential Ryuk Ransomware Activity"
@@ -39266,8 +39266,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.010",
+ "TA0005",
+ "T1218.010",
 "detection.emerging-threats"
 ],
 "title": "Potential EmpireMonkey Activity"
@@ -39289,8 +39289,8 @@
 ],
 "tags": [
 "attack.g0020",
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Equation Group DLL_U Export Function Load"
@@ -39311,8 +39311,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.t1587.001",
- "attack.resource-development",
+ "T1587.001",
+ "TA0042",
 "detection.emerging-threats"
 ],
 "title": "Mustang Panda Dropper"
@@ -39333,9 +39333,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1552.001",
- "attack.t1003.003",
+ "TA0006",
+ "T1552.001",
+ "T1003.003",
 "detection.emerging-threats"
 ],
 "title": "Potential Russian APT Credential Theft Activity"
@@ -39356,11 +39356,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.lateral-movement",
- "attack.credential-access",
+ "TA0008",
+ "TA0006",
 "attack.g0128",
- "attack.t1003.001",
- "attack.t1560.001",
+ "T1003.001",
+ "T1560.001",
 "detection.emerging-threats"
 ],
 "title": "APT31 Judgement Panda Activity"
@@ -39381,14 +39381,14 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.defense-evasion",
- "attack.t1036.004",
- "attack.t1027",
- "attack.execution",
- "attack.t1053.005",
- "attack.t1059.001",
+ "TA0007",
+ "T1012",
+ "TA0005",
+ "T1036.004",
+ "T1027",
+ "TA0002",
+ "T1053.005",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Operation Wocao Activity"
@@ -39409,14 +39409,14 @@
 "0CCE9237-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1012",
- "attack.defense-evasion",
- "attack.t1036.004",
- "attack.t1027",
- "attack.execution",
- "attack.t1053.005",
- "attack.t1059.001",
+ "TA0007",
+ "T1012",
+ "TA0005",
+ "T1036.004",
+ "T1027",
+ "TA0002",
+ "T1053.005",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Operation Wocao Activity - Security"
@@ -39437,8 +39437,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.010",
+ "TA0005",
+ "T1218.010",
 "detection.emerging-threats"
 ],
 "title": "Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32"
@@ -39459,8 +39459,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.t1190",
+ "TA0001",
+ "T1190",
 "cve.2025-53770",
 "detection.emerging-threats"
 ],
@@ -39482,11 +39482,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.defense-evasion",
- "attack.t1218",
- "attack.lateral-movement",
- "attack.t1105",
+ "TA0002",
+ "TA0005",
+ "T1218",
+ "TA0008",
+ "T1105",
 "detection.emerging-threats",
 "cve.2025-33053"
 ],
@@ -39508,11 +39508,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.t1190",
+ "TA0001",
+ "TA0002",
+ "T1059.001",
+ "T1059.003",
+ "T1190",
 "cve.2025-31161",
 "detection.emerging-threats"
 ],
@@ -39534,12 +39534,12 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.initial-access",
- "attack.execution",
- "attack.t1059.001",
- "attack.t1059.003",
- "attack.t1068",
- "attack.t1190",
+ "TA0001",
+ "TA0002",
+ "T1059.001",
+ "T1059.003",
+ "T1068",
+ "T1190",
 "cve.2025-54309",
 "detection.emerging-threats"
 ],
@@ -39561,9 +39561,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.privilege-escalation",
- "attack.defense-evasion",
- "attack.t1574.008",
+ "TA0004",
+ "TA0005",
+ "T1574.008",
 "cve.2025-49144",
 "detection.emerging-threats"
 ],
@@ -39585,11 +39585,11 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.t1090",
- "attack.t1573",
- "attack.t1071.001",
- "attack.t1059.001",
+ "TA0011",
+ "T1090",
+ "T1573",
+ "T1071.001",
+ "T1059.001",
 "attack.s0183",
 "detection.emerging-threats"
 ],
@@ -39611,8 +39611,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1036.005",
+ "TA0005",
+ "T1036.005",
 "cve.2015-1641",
 "detection.emerging-threats"
 ],
@@ -39634,7 +39634,7 @@
 "0CCE9224-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
+ "TA0011",
 "cve.2023-36884",
 "detection.emerging-threats"
 ],
@@ -39654,7 +39654,7 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "MSMQ Corrupted Packet Encountered"
@@ -39675,8 +39675,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1137",
+ "TA0003",
+ "T1137",
 "cve.2023-23397",
 "detection.emerging-threats"
 ],
@@ -39698,7 +39698,7 @@
 "service": "smbclient-connectivity",
 "subcategory_guids": [],
 "tags": [
- "attack.exfiltration",
+ "TA0010",
 "cve.2023-23397",
 "detection.emerging-threats"
 ],
@@ -39724,8 +39724,8 @@
 "0CCE9245-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.initial-access",
+ "TA0006",
+ "TA0001",
 "cve.2023-23397",
 "detection.emerging-threats"
 ],
@@ -39747,10 +39747,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
- "attack.initial-access",
- "attack.t1190",
+ "TA0002",
+ "T1059",
+ "TA0001",
+ "T1190",
 "cve.2023-22518",
 "detection.emerging-threats"
 ],
@@ -39773,8 +39773,8 @@
 ],
 "tags": [
 "detection.emerging-threats",
- "attack.execution",
- "attack.t1203",
+ "TA0002",
+ "T1203",
 "cve.2023-38331"
 ],
 "title": "CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process"
@@ -39793,7 +39793,7 @@
 "service": "application",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
+ "TA0002",
 "cve.2023-40477",
 "detection.emerging-threats"
 ],
@@ -39815,10 +39815,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1059.001",
- "attack.defense-evasion",
+ "TA0002",
+ "T1059.003",
+ "T1059.001",
+ "TA0005",
 "detection.emerging-threats"
 ],
 "title": "Rorschach Ransomware Execution Activity"
@@ -39839,8 +39839,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1055.012",
+ "TA0005",
+ "T1055.012",
 "detection.emerging-threats"
 ],
 "title": "Potential Pikabot Hollowing Activity"
@@ -39861,8 +39861,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Pikabot Fake DLL Extension Execution Via Rundll32.EXE"
@@ -39883,10 +39883,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.discovery",
- "attack.t1016",
- "attack.t1049",
- "attack.t1087",
+ "TA0007",
+ "T1016",
+ "T1049",
+ "T1087",
 "detection.emerging-threats"
 ],
 "title": "Potential Pikabot Discovery Activity"
@@ -39907,10 +39907,10 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059.003",
- "attack.t1105",
- "attack.t1218",
+ "TA0002",
+ "T1059.003",
+ "T1105",
+ "T1218",
 "detection.emerging-threats"
 ],
 "title": "Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE"
@@ -39931,8 +39931,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1055",
+ "TA0005",
+ "T1055",
 "detection.emerging-threats"
 ],
 "title": "Injected Browser Process Spawning Rundll32 - GuLoader Activity"
@@ -39953,8 +39953,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32"
@@ -39975,7 +39975,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential SNAKE Malware Installation Binary Indicator"
@@ -39996,7 +39996,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "SNAKE Malware Covert Store Registry Key"
@@ -40015,7 +40015,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "SNAKE Malware Service Persistence"
@@ -40036,7 +40036,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential SNAKE Malware Persistence Service Execution"
@@ -40057,7 +40057,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Potential Encrypted Registry Blob Related To SNAKE Malware"
@@ -40078,7 +40078,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential SNAKE Malware Installation CLI Arguments Indicator"
@@ -40099,8 +40099,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Qakbot Rundll32 Exports Execution"
@@ -40121,8 +40121,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential Qakbot Rundll32 Execution"
@@ -40143,8 +40143,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Qakbot Regsvr32 Calc Pattern"
@@ -40165,7 +40165,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Qakbot Uninstaller Execution"
@@ -40186,8 +40186,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.execution",
+ "TA0005",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Qakbot Rundll32 Fake DLL Extension Execution"
@@ -40208,8 +40208,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "detection.emerging-threats"
 ],
 "title": "Ursnif Redirection Of Discovery Commands"
@@ -40230,7 +40230,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Griffon Malware Attack Pattern"
@@ -40251,8 +40251,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.t1136.001",
+ "TA0003",
+ "T1136.001",
 "detection.emerging-threats"
 ],
 "title": "DarkGate - User Created Via Net.EXE"
@@ -40273,8 +40273,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.t1059",
+ "TA0002",
+ "T1059",
 "detection.emerging-threats"
 ],
 "title": "DarkGate - Autoit3.EXE Execution Parameters"
@@ -40293,8 +40293,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.persistence",
+ "TA0005",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "COLDSTEEL Persistence Service Creation"
@@ -40315,8 +40315,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
+ "TA0003",
+ "TA0005",
 "detection.emerging-threats"
 ],
 "title": "COLDSTEEL RAT Anonymous User Process Execution"
@@ -40337,8 +40337,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
- "attack.defense-evasion",
+ "TA0003",
+ "TA0005",
 "detection.emerging-threats"
 ],
 "title": "COLDSTEEL RAT Service Persistence Execution"
@@ -40359,7 +40359,7 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Potential COLDSTEEL RAT Windows User Creation"
@@ -40380,8 +40380,8 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218.011",
+ "TA0005",
+ "T1218.011",
 "detection.emerging-threats"
 ],
 "title": "Rhadamanthys Stealer Module Launch Via Rundll32.EXE"
@@ -40405,7 +40405,7 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor"
@@ -40426,7 +40426,7 @@
 "service": "taskscheduler",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
+ "TA0003",
 "detection.emerging-threats"
 ],
 "title": "Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler"
@@ -40447,7 +40447,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "attack.g0129",
 "detection.emerging-threats"
 ],
@@ -40469,7 +40469,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Peach Sandstorm APT Process Activity Indicators"
@@ -40491,10 +40491,10 @@
 "0CCE9227-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
- "attack.privilege-escalation",
- "attack.persistence",
- "attack.t1053.005",
+ "TA0002",
+ "TA0004",
+ "TA0003",
+ "T1053.005",
 "detection.emerging-threats"
 ],
 "title": "Diamond Sleet APT Scheduled Task Creation"
@@ -40515,7 +40515,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Diamond Sleet APT Process Activity Indicators"
@@ -40536,8 +40536,8 @@
 "0CCE921E-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562",
+ "TA0005",
+ "T1562",
 "detection.emerging-threats"
 ],
 "title": "Diamond Sleet APT Scheduled Task Creation - Registry"
@@ -40558,7 +40558,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "PaperCut MF/NG Potential Exploitation"
@@ -40579,7 +40579,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "PaperCut MF/NG Exploitation Related Indicators"
@@ -40599,8 +40599,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "attack.g0046",
 "detection.emerging-threats"
 ],
@@ -40621,8 +40621,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "attack.g0046",
 "detection.emerging-threats"
 ],
@@ -40644,7 +40644,7 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.execution",
+ "TA0002",
 "attack.g0046",
 "detection.emerging-threats"
 ],
@@ -40666,9 +40666,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.execution",
+ "TA0005",
+ "T1218",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential Compromised 3CXDesktopApp Update Activity"
@@ -40689,9 +40689,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.command-and-control",
- "attack.execution",
- "attack.t1218",
+ "TA0011",
+ "TA0002",
+ "T1218",
 "detection.emerging-threats"
 ],
 "title": "Potential Suspicious Child Process Of 3CXDesktopApp"
@@ -40712,9 +40712,9 @@
 "0CCE922B-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.defense-evasion",
- "attack.t1218",
- "attack.execution",
+ "TA0005",
+ "T1218",
+ "TA0002",
 "detection.emerging-threats"
 ],
 "title": "Potential Compromised 3CXDesktopApp Execution"
@@ -40734,8 +40734,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Lace Tempest PowerShell Launcher"
@@ -40755,8 +40755,8 @@
 "service": "",
 "subcategory_guids": [],
 "tags": [
- "attack.execution",
- "attack.t1059.001",
+ "TA0002",
+ "T1059.001",
 "detection.emerging-threats"
 ],
 "title": "Lace Tempest PowerShell Evidence Eraser"
@@ -40777,7 +40777,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.emerging-threats" ], "title": "Lace Tempest Cobalt Strike Download" @@ -40798,7 +40798,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.emerging-threats" ], "title": "Lace Tempest Malware Loader Execution" @@ -40819,7 +40819,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.emerging-threats" ], "title": "Mint Sandstorm - Log4J Wstomcat Process Execution" @@ -40840,7 +40840,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.emerging-threats" ], "title": "Mint Sandstorm - ManageEngine Suspicious Process Execution" @@ -40861,7 +40861,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "detection.emerging-threats" ], "title": "Mint Sandstorm - AsperaFaspex Suspicious Process Execution" @@ -40880,9 +40880,9 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1211", - "attack.t1562.001" + "TA0005", + "T1211", + "T1562.001" ], "title": "Microsoft Malware Protection Engine Crash - WER" }, @@ -40900,7 +40900,7 @@ "service": "diagnosis-scripted", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "Loading Diagcab Package From Remote Path" }, @@ -40918,7 +40918,7 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Windows Defender Malware Detection History Deletion" }, @@ -40936,8 +40936,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "LSASS Access Detected via Attack Surface Reduction" }, 
@@ -40955,8 +40955,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Real-time Protection Disabled" }, @@ -40977,8 +40977,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Windows Defender Threat Detected" }, @@ -40996,8 +40996,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Grace Period Expired" }, @@ -41015,8 +41015,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Win Defender Restored Quarantine File" }, @@ -41035,8 +41035,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Real-Time Protection Failure/Restart" }, @@ -41054,8 +41054,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Windows Defender AMSI Trigger Detected" }, @@ -41073,10 +41073,10 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.lateral-movement", - "attack.t1047", - "attack.t1569.002" + "TA0002", + "TA0008", + "T1047", + "T1569.002" ], "title": "PSExec and WMI Process Creations Block" }, @@ -41094,8 +41094,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Exclusions Added" }, @@ -41113,8 +41113,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Configuration Changes" }, 
@@ -41132,8 +41132,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Exploit Guard Tamper" }, @@ -41151,8 +41151,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Malware And PUA Scanning Disabled" }, @@ -41170,8 +41170,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Submit Sample Feature Disabled" }, @@ -41189,8 +41189,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Microsoft Defender Tamper Protection Trigger" }, @@ -41208,8 +41208,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Virus Scanning Feature Disabled" }, @@ -41227,7 +41227,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Deployment AppX Package Was Blocked By AppLocker" }, @@ -41245,7 +41245,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious AppX Package Installation Attempt" }, @@ -41263,7 +41263,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Remote AppX Package Locations" }, @@ -41284,7 +41284,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Deployment Of The AppX Package Was Blocked By The Policy" }, 
@@ -41302,7 +41302,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Uncommon AppX Package Locations" }, @@ -41320,7 +41320,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious AppX Package Locations" }, @@ -41339,7 +41339,7 @@ "service": "appxdeployment-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Potential Malicious AppX Package Installation Attempts" }, @@ -41359,8 +41359,8 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1484.001" + "TA0004", + "T1484.001" ], "title": "Group Policy Abuse for Privilege Addition" }, @@ -41380,8 +41380,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Suspicious PsExec Execution" }, @@ -41405,14 +41405,14 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.execution", - "attack.collection", - "attack.lateral-movement", - "attack.t1087", - "attack.t1114", - "attack.t1059", - "attack.t1550.002" + "TA0007", + "TA0002", + "TA0009", + "TA0008", + "T1087", + "T1114", + "T1059", + "T1550.002" ], "title": "Hacktool Ruler" }, @@ -41436,8 +41436,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Exclusion Registry Key - Write Access Requested" }, @@ -41457,8 +41457,8 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "PowerShell Scripts Installed as Services - Security" }, 
@@ -41479,8 +41479,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002" + "TA0007", + "T1087.002" ], "title": "AD Privileged Users or Groups Reconnaissance" }, @@ -41500,9 +41500,9 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1134.001", - "attack.t1134.002" + "TA0004", + "T1134.001", + "T1134.002" ], "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - Security" }, @@ -41520,11 +41520,11 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.defense-evasion", - "attack.t1027", - "attack.t1105", - "attack.t1036" + "TA0011", + "TA0005", + "T1027", + "T1105", + "T1036" ], "title": "Password Protected ZIP File Opened (Suspicious Filenames)" }, @@ -41545,10 +41545,10 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.persistence", - "attack.t1053.005" + "TA0002", + "TA0004", + "TA0003", + "T1053.005" ], "title": "Suspicious Scheduled Task Creation" }, @@ -41568,8 +41568,8 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "Powerview Add-DomainObjectAcl DCSync AD Extend Right" }, @@ -41587,10 +41587,10 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.initial-access", - "attack.t1027", - "attack.t1566.001" + "TA0005", + "TA0001", + "T1027", + "T1566.001" ], "title": "Password Protected ZIP File Opened (Email Attachment)" }, @@ -41610,10 +41610,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation CLIP+ Launcher - Security" }, 
@@ -41636,8 +41636,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1528" + "TA0006", + "T1528" ], "title": "Suspicious Teams Application Related ObjectAcess Event" }, @@ -41657,8 +41657,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Exclusion List Modified" }, @@ -41678,8 +41678,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1078", - "attack.lateral-movement" + "T1078", + "TA0008" ], "title": "Suspicious Remote Logon with Explicit Credentials" }, @@ -41697,9 +41697,9 @@ "tags": [ "cve.2021-42278", "cve.2021-42287", - "attack.persistence", - "attack.privilege-escalation", - "attack.t1078" + "TA0003", + "TA0004", + "T1078" ], "title": "Win Susp Computer Name Containing Samtheadmin" }, @@ -41719,8 +41719,8 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "Password Change on Directory Service Restore Mode (DSRM) Account" }, @@ -41740,10 +41740,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation STDIN+ Launcher - Security" }, @@ -41763,8 +41763,8 @@ "0CCE9240-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "Kerberoasting Activity - Initial Query" }, @@ -41786,9 +41786,9 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1484.001", - "attack.t1547" + "TA0004", + "T1484.001", + "T1547" ], "title": "Startup/Logon Script Added to Group Policy Object" }, 
@@ -41811,10 +41811,10 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1557.003", - "attack.persistence", - "attack.privilege-escalation" + "TA0006", + "T1557.003", + "TA0003", + "TA0004" ], "title": "Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation" }, @@ -41838,8 +41838,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1012" + "TA0007", + "T1012" ], "title": "SysKey Registry Keys Access" }, @@ -41862,8 +41862,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.t1566.001" + "TA0001", + "T1566.001" ], "title": "ISO Image Mounted" }, @@ -41883,8 +41883,8 @@ "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1187" + "TA0006", + "T1187" ], "title": "PetitPotam Suspicious Kerberos TGT Request" }, @@ -41908,8 +41908,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1012" + "TA0007", + "T1012" ], "title": "Azure AD Health Service Agents Registry Keys Access" }, @@ -41929,9 +41929,9 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", + "TA0006", "attack.s0002", - "attack.t1003.006" + "T1003.006" ], "title": "Mimikatz DC Sync" }, @@ -41951,8 +41951,8 @@ "0CCE9224-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Access To ADMIN$ Network Share" }, @@ -41972,8 +41972,8 @@ "0CCE9248-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.t1200" + "TA0001", + "T1200" ], "title": "Device Installation Blocked" }, @@ -41993,8 +41993,8 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1048" + "TA0010", + "T1048" ], "title": "Tap Driver Installation - Security" }, 
@@ -42016,10 +42016,10 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.persistence", - "attack.t1053.005" + "TA0002", + "TA0004", + "TA0003", + "T1053.005" ], "title": "Important Scheduled Task Deleted/Disabled" }, @@ -42039,8 +42039,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1187" + "TA0006", + "T1187" ], "title": "Possible PetitPotam Coerce Authentication Attempt" }, @@ -42060,8 +42060,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "DCERPC SMB Spoolss Named Pipe" }, @@ -42081,8 +42081,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "First Time Seen Remote Named Pipe" }, @@ -42102,8 +42102,8 @@ "0CCE9229-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1548" + "TA0004", + "T1548" ], "title": "SCM Database Privileged Operation" }, @@ -42123,10 +42123,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Stdin - Security" }, @@ -42148,9 +42148,9 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.defense-evasion", - "attack.t1207" + "TA0006", + "TA0005", + "T1207" ], "title": "Possible DC Shadow Attack" }, @@ -42170,9 +42170,9 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1546.003" + "TA0003", + "TA0004", + "T1546.003" ], "title": "WMI Persistence - Security" }, 
@@ -42196,8 +42196,8 @@ "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1212" + "TA0006", + "T1212" ], "title": "Kerberos Manipulation" }, @@ -42217,10 +42217,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - Security" }, @@ -42240,8 +42240,8 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1554" + "TA0003", + "T1554" ], "title": "HybridConnectionManager Service Installation" }, @@ -42261,8 +42261,8 @@ "0CCE922F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002" + "TA0005", + "T1562.002" ], "title": "Important Windows Event Auditing Disabled" }, @@ -42282,8 +42282,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.004" + "TA0006", + "T1003.004" ], "title": "DPAPI Domain Backup Key Extraction" }, @@ -42303,10 +42303,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Rundll32 - Security" }, @@ -42326,9 +42326,9 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.persistence", - "attack.t1021.002" + "TA0008", + "TA0003", + "T1021.002" ], "title": "Remote Service Activity via SVCCTL Named Pipe" }, @@ -42348,10 +42348,10 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1078", - "attack.persistence", - "attack.t1098" + "TA0004", + "T1078", + "TA0003", + "T1098" ], "title": "User Added to Local Administrator Group" }, 
@@ -42371,10 +42371,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR+ Launcher - Security" }, @@ -42394,10 +42394,10 @@ "0CCE9248-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1091", - "attack.t1200", - "attack.lateral-movement", - "attack.initial-access" + "T1091", + "T1200", + "TA0008", + "TA0001" ], "title": "External Disk Drive Or USB Storage Device Was Recognized By The System" }, @@ -42417,8 +42417,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "Windows Filtering Platform Blocked Connection From EDR Agent Binary" }, @@ -42439,8 +42439,8 @@ "0CCE9221-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.credential-access" + "TA0004", + "TA0006" ], "title": "ADCS Certificate Template Configuration Vulnerability with Risky EKU" }, @@ -42460,8 +42460,8 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1543" + "TA0004", + "T1543" ], "title": "Service Installed By Unusual Client - Security" }, @@ -42482,8 +42482,8 @@ "0CCE922F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "VSSAudit Security Event Source Registration" }, @@ -42503,8 +42503,8 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1136.001" + "TA0003", + "T1136.001" ], "title": "Local User Creation" }, @@ -42524,9 +42524,9 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.credential-access", - "attack.t1558.003" + "TA0008", + "TA0006", + "T1558.003" ], "title": "Uncommon Outbound Kerberos Connection - Security" }, 
@@ -42546,8 +42546,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.006" + "TA0006", + "T1003.006" ], "title": "Active Directory Replication from Non Machine Account" }, @@ -42567,10 +42567,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1543.003", - "attack.t1569.002" + "TA0003", + "TA0002", + "T1543.003", + "T1569.002" ], "title": "Remote Access Tool Services Have Been Installed - Security" }, @@ -42590,8 +42590,8 @@ "0CCE922F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.002" + "TA0005", + "T1562.002" ], "title": "Windows Event Auditing Disabled" }, @@ -42615,8 +42615,8 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Metasploit SMB Authentication" }, @@ -42636,8 +42636,8 @@ "0CCE9230-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "A New Trust Was Created To A Domain" }, @@ -42657,9 +42657,9 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.credential-access", - "attack.t1040" + "TA0007", + "TA0006", + "T1040" ], "title": "Windows Pcap Drivers" }, @@ -42682,10 +42682,10 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.privilege-escalation", - "attack.t1574.011" + "TA0005", + "TA0003", + "TA0004", + "T1574.011" ], "title": "Service Registry Key Read Access Request" }, @@ -42705,8 +42705,8 @@ "0CCE9240-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "Suspicious Kerberos RC4 Ticket Encryption" }, 
@@ -42726,12 +42726,12 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "TA0002", + "TA0004", + "TA0008", + "T1021.002", + "T1543.003", + "T1569.002" ], "title": "CobaltStrike Service Installations - Security" }, @@ -42752,8 +42752,8 @@ "0CCE9236-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1207" + "TA0005", + "T1207" ], "title": "Add or Remove Computer from DC" }, @@ -42791,8 +42791,8 @@ "0CCE922D-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.004" + "TA0006", + "T1003.004" ], "title": "DPAPI Domain Master Key Backup Attempt" }, @@ -42812,8 +42812,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.009" + "TA0003", + "T1547.009" ], "title": "Windows Network Access Suspicious desktop.ini Action" }, @@ -42835,9 +42835,9 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.lateral-movement", - "attack.t1053.005" + "TA0003", + "TA0008", + "T1053.005" ], "title": "Persistence and Execution at Scale via GPO Scheduled Task" }, @@ -42855,8 +42855,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1021.001" + "TA0008", + "T1021.001" ], "title": "Denied Access To Remote Desktop" }, @@ -42876,8 +42876,8 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1136.001" + "TA0003", + "T1136.001" ], "title": "Hidden Local User Creation" }, @@ -42897,10 +42897,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Clip - Security" }, 
@@ -42920,8 +42920,8 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1001.003", - "attack.command-and-control" + "T1001.003", + "TA0011" ], "title": "Suspicious LDAP-Attributes Used" }, @@ -42945,9 +42945,9 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", + "TA0006", "car.2019-04-004", - "attack.t1003.001" + "T1003.001" ], "title": "Potentially Suspicious AccessMask Requested From LSASS" }, @@ -42967,8 +42967,8 @@ "0CCE921C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1558" + "TA0006", + "T1558" ], "title": "Replay Attack Detected" }, @@ -42989,8 +42989,8 @@ "0CCE9216-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1531" + "TA0040", + "T1531" ], "title": "User Logoff Event" }, @@ -43011,8 +43011,8 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036" + "TA0005", + "T1036" ], "title": "New or Renamed User Account with '$' Character" }, @@ -43032,8 +43032,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Impacket PsExec Execution" }, @@ -43056,8 +43056,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1010" + "TA0007", + "T1010" ], "title": "SCM Database Handle Failure" }, @@ -43078,9 +43078,9 @@ "0CCE9229-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.privilege-escalation", - "attack.t1558.003" + "TA0008", + "TA0004", + "T1558.003" ], "title": "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'" }, @@ -43100,8 +43100,8 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Weak Encryption Enabled and Kerberoast" }, 
@@ -43120,8 +43120,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.001", + "TA0005", + "T1070.001", "car.2016-04-002" ], "title": "Security Eventlog Cleared" @@ -43143,10 +43143,10 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.persistence", - "attack.t1053.005" + "TA0002", + "TA0004", + "TA0003", + "T1053.005" ], "title": "Suspicious Scheduled Task Update" }, @@ -43166,9 +43166,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112", - "attack.t1562" + "TA0005", + "T1112", + "T1562" ], "title": "ETW Logging Disabled In .NET Processes - Registry" }, @@ -43188,9 +43188,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001", - "attack.t1112" + "TA0005", + "T1562.001", + "T1112" ], "title": "NetNTLM Downgrade Attack" }, @@ -43210,11 +43210,11 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "TA0008", + "T1021.002", + "T1570", + "TA0002", + "T1569.002" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -43234,10 +43234,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use MSHTA - Security" }, @@ -43257,12 +43257,12 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.command-and-control", - "attack.lateral-movement", - "attack.t1090.001", - "attack.t1090.002", - "attack.t1021.001", + "TA0005", + "TA0011", + "TA0008", + "T1090.001", + "T1090.002", + "T1021.001", "car.2013-07-002" ], "title": "RDP over Reverse SSH Tunnel WFP" 
@@ -43285,8 +43285,8 @@ "0CCE9234-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "HackTool - EDRSilencer Execution - Filter Added" }, @@ -43309,8 +43309,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "Password Dumper Activity on LSASS" }, @@ -43330,14 +43330,14 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", + "TA0006", + "TA0002", + "T1003.001", + "T1003.002", + "T1003.004", + "T1003.005", + "T1003.006", + "T1569.002", "attack.s0005" ], "title": "Credential Dumping Tools Service Execution - Security" @@ -43363,8 +43363,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1123" + "TA0009", + "T1123" ], "title": "Processes Accessing the Microphone and Webcam" }, @@ -43384,8 +43384,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "Protected Storage Service Access" }, @@ -43405,10 +43405,10 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.003" + "TA0006", + "T1003.002", + "T1003.004", + "T1003.003" ], "title": "Possible Impacket SecretDump Remote Activity" }, @@ -43428,10 +43428,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.privilege-escalation", - "attack.credential-access", - "attack.t1558.003" + "TA0008", + "TA0004", + "TA0006", + "T1558.003" ], "title": "Register new Logon Process by Rubeus" }, 
@@ -43452,8 +43452,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "A Security-Enabled Global Group Was Deleted" }, @@ -43473,7 +43473,7 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "DiagTrackEoP Default Login Username" }, @@ -43494,11 +43494,11 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.persistence", - "attack.t1078", - "attack.t1190", - "attack.t1133" + "TA0001", + "TA0003", + "T1078", + "T1190", + "T1133" ], "title": "Failed Logon From Public IP" }, @@ -43519,8 +43519,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "A Member Was Removed From a Security-Enabled Global Group" }, @@ -43540,8 +43540,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Successful Account Login Via WMI" }, @@ -43561,9 +43561,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", + "TA0008", "car.2013-07-002", - "attack.t1021.001" + "T1021.001" ], "title": "RDP Login from Localhost" }, @@ -43584,8 +43584,8 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1210", + "TA0008", + "T1210", "car.2013-07-002" ], "title": "Scanner PoC for CVE-2019-0708 RDP RCE Vuln" @@ -43606,9 +43606,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.t1134.001", + "TA0005", + "TA0004", + "T1134.001", "stp.4u" ], "title": "Potential Access Token Abuse" @@ -43629,9 +43629,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", + "TA0008", "attack.s0002", - "attack.t1550.002" + "T1550.002" ], "title": "Successful Overpass the Hash Attempt" }, 
@@ -43651,11 +43651,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.credential-access", - "attack.t1133", - "attack.t1078", - "attack.t1110" + "TA0001", + "TA0006", + "T1133", + "T1078", + "T1110" ], "title": "External Remote SMB Logon from Public IP" }, @@ -43676,8 +43676,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "A Member Was Added to a Security-Enabled Global Group" }, @@ -43697,8 +43697,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1550.002" + "TA0008", + "T1550.002" ], "title": "Pass the Hash Activity 2" }, @@ -43718,9 +43718,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.credential-access", - "attack.t1548" + "TA0004", + "TA0006", + "T1548" ], "title": "Potential Privilege Escalation via Local Kerberos Relay over LDAP" }, @@ -43740,9 +43740,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.lateral-movement", - "attack.t1550" + "TA0005", + "TA0008", + "T1550" ], "title": "Outgoing Logon with New Credentials" }, @@ -43762,11 +43762,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.initial-access", - "attack.credential-access", - "attack.t1133", - "attack.t1078", - "attack.t1110" + "TA0001", + "TA0006", + "T1133", + "T1078", + "T1110" ], "title": "External Remote RDP Logon from Public IP" }, @@ -43786,11 +43786,11 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.initial-access", - "attack.t1078.001", - "attack.t1078.002", - "attack.t1078.003", + "TA0008", + "TA0001", + "T1078.001", + "T1078.002", + "T1078.003", "car.2016-04-005" ], "title": "Admin User Remote Logon" 
@@ -43811,9 +43811,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.credential-access", - "attack.t1557.001" + "TA0004", + "TA0006", + "T1557.001" ], "title": "RottenPotato Like Attack Pattern" }, @@ -43834,8 +43834,8 @@ "0CCE9212-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027.001" + "TA0005", + "T1027.001" ], "title": "Failed Code Integrity Checks" }, @@ -43855,8 +43855,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1222.001" + "TA0005", + "T1222.001" ], "title": "AD Object WriteDAC Access" }, @@ -43876,8 +43876,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.collection", - "attack.t1039" + "TA0009", + "T1039" ], "title": "Suspicious Access to Sensitive File Extensions" }, @@ -43899,9 +43899,9 @@ "0CCE9234-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1134", - "attack.t1134.001" + "TA0004", + "T1134", + "T1134.001" ], "title": "HackTool - NoFilter Execution" }, @@ -43921,8 +43921,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002" + "TA0008", + "T1021.002" ], "title": "SMB Create Remote File Admin Share" }, @@ -43942,8 +43942,8 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - Security" }, @@ -43964,8 +43964,8 @@ "0CCE9221-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.credential-access" + "TA0004", + "TA0006" ], "title": "ADCS Certificate Template Configuration Vulnerability" }, 
@@ -43988,11 +43988,11 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.defense-evasion", - "attack.privilege-escalation", - "attack.initial-access", - "attack.t1078" + "TA0003", + "TA0005", + "TA0004", + "TA0001", + "T1078" ], "title": "Account Tampering - Suspicious Failed Logon Reasons" }, @@ -44012,7 +44012,7 @@ "0CCE921C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact" + "TA0040" ], "title": "Locked Workstation" }, @@ -44032,10 +44032,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - Security" }, @@ -44056,8 +44056,8 @@ "69979849-797A-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.006" + "TA0005", + "T1070.006" ], "title": "Unauthorized System Time Modification" }, @@ -44077,9 +44077,9 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1021.003" + "TA0008", + "T1021.002", + "T1021.003" ], "title": "DCOM InternetExplorer.Application Iertutil DLL Hijack - Security" }, @@ -44099,8 +44099,8 @@ "0CCE9231-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "Enabled User Right in AD to Control User Objects" }, @@ -44120,9 +44120,9 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1136.001", - "attack.t1136.002" + "TA0003", + "T1136.001", + "T1136.002" ], "title": "Suspicious Windows ANONYMOUS LOGON Local Account Created" }, @@ -44143,8 +44143,8 @@ "0CCE9229-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Potential Privileged System Service Operation - SeLoadDriverPrivilege" }, 
@@ -44168,8 +44168,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Sysmon Channel Reference Deletion" }, @@ -44189,8 +44189,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002" + "TA0007", + "T1087.002" ], "title": "Potential AD User Enumeration From Non-Machine Account" }, @@ -44210,10 +44210,10 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002", - "attack.t1003.001", - "attack.t1003.003" + "TA0006", + "T1003.002", + "T1003.001", + "T1003.003" ], "title": "Transferring Files with Credential Data via Network Shares" }, @@ -44234,8 +44234,8 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1201" + "TA0007", + "T1201" ], "title": "Password Policy Enumerated" }, @@ -44255,11 +44255,11 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.persistence", + "TA0008", + "TA0003", "car.2013-05-004", "car.2015-04-001", - "attack.t1053.002" + "T1053.002" ], "title": "Remote Task Creation via ATSVC Named Pipe" }, @@ -44283,8 +44283,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1012" + "TA0007", + "T1012" ], "title": "Azure AD Health Monitoring Agent Registry Keys Access" }, @@ -44308,8 +44308,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.001" + "TA0006", + "T1003.001" ], "title": "LSASS Access From Non System Account" }, @@ -44335,12 +44335,12 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.defense-evasion", - "attack.t1070.004", - "attack.t1027.005", - "attack.t1485", - "attack.t1553.002", + "TA0040", + "TA0005", + "T1070.004", + "T1027.005", + "T1485", + "T1553.002", "attack.s0195" ], "title": "Potential Secure Deletion with SDelete" 
@@ -44361,8 +44361,8 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1556" + "TA0006", + "T1556" ], "title": "Possible Shadow Credentials Added" }, @@ -44383,9 +44383,9 @@ "0CCE923B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002", - "attack.t1069.002", + "TA0007", + "T1087.002", + "T1069.002", "attack.s0039" ], "title": "Reconnaissance Activity" @@ -44406,8 +44406,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Remote PowerShell Sessions Network Connections (WinRM)" }, @@ -44427,10 +44427,10 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047", - "attack.lateral-movement", - "attack.t1021.002" + "TA0002", + "T1047", + "TA0008", + "T1021.002" ], "title": "T1047 Wmiprvse Wbemcomn DLL Hijack" }, @@ -44454,8 +44454,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003", + "TA0006", + "T1003", "attack.s0005" ], "title": "WCE wceaux.dll Access" @@ -44474,8 +44474,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Password Protected ZIP File Opened" }, @@ -44497,9 +44497,9 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1134.005" + "TA0003", + "TA0004", + "T1134.005" ], "title": "Addition of SID History to Active Directory Object" }, @@ -44519,10 +44519,10 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security" }, 
@@ -44544,8 +44544,8 @@ "0CCE923C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1098", - "attack.persistence" + "T1098", + "TA0003" ], "title": "Active Directory User Backdoors" }, @@ -44568,10 +44568,10 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1012", - "attack.credential-access", - "attack.t1552.002" + "TA0007", + "T1012", + "TA0006", + "T1552.002" ], "title": "SAM Registry Hive Handle Request" }, @@ -44589,8 +44589,8 @@ "service": "ntlm", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Potential Remote Desktop Connection to Non-Domain Host" }, @@ -44608,8 +44608,8 @@ "service": "ntlm", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1550.002" + "TA0008", + "T1550.002" ], "title": "NTLM Logon" }, @@ -44627,8 +44627,8 @@ "service": "ntlm", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1110" + "TA0006", + "T1110" ], "title": "NTLM Brute Force" }, @@ -44646,8 +44646,8 @@ "service": "certificateservicesclient-lifecycle-system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1649" + "TA0006", + "T1649" ], "title": "Certificate Exported From Local Certificate Store" }, @@ -44665,8 +44665,8 @@ "service": "lsa-server", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.privilege-escalation" + "TA0006", + "TA0004" ], "title": "Standard User In High Privileged Group" }, @@ -44686,8 +44686,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204" + "TA0002", + "T1204" ], "title": "Ryuk Ransomware Command Line Activity" }, @@ -44707,9 +44707,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.discovery", - "attack.t1033" + "TA0004", + "TA0007", + "T1033" ], "title": "Run Whoami as SYSTEM" }, 
@@ -44729,8 +44729,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.012" + "TA0003", + "T1546.012" ], "title": "SilentProcessExit Monitor Registration" }, @@ -44750,8 +44750,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003" + "TA0006", + "T1003" ], "title": "Credential Acquisition via Registry Hive Dumping" }, @@ -44771,9 +44771,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "attack.g0016", - "attack.t1059.001" + "T1059.001" ], "title": "APT29" }, @@ -44793,8 +44793,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003" + "TA0006", + "T1003" ], "title": "Activity Related to NTDS.dit Domain Hash Retrieval" }, @@ -44814,11 +44814,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218", - "attack.t1564.004", - "attack.t1552.001", - "attack.t1105" + "TA0005", + "T1218", + "T1564.004", + "T1552.001", + "T1105" ], "title": "Abusing Findstr for Defense Evasion" }, @@ -44838,10 +44838,10 @@ "0CCE9229-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.execution", - "attack.t1021", - "attack.t1059" + "TA0008", + "TA0002", + "T1021", + "T1059" ], "title": "Lateral Movement Indicator ConDrv" }, @@ -44861,11 +44861,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense-evasion" + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005" ], "title": "Excel Proxy Executing Regsvr32 With Payload" }, @@ -44885,9 +44885,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "attack.s0029", - "attack.t1569.002" + "T1569.002" ], "title": "PsExec Service Start" }, 
@@ -44907,9 +44907,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1562.001" + "TA0002", + "TA0005", + "T1562.001" ], "title": "Suspicious Execution of Sc to Delete AV Services" }, @@ -44929,8 +44929,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Potential PowerShell Base64 Encoded Shellcode" }, @@ -44950,10 +44950,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Potential Xor Encoded PowerShell Command" }, @@ -44973,8 +44973,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1489" + "TA0040", + "T1489" ], "title": "Stop Windows Service" }, @@ -44996,8 +44996,8 @@ "0CCE921F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Exclusion Deleted" }, @@ -45016,10 +45016,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1048", - "attack.execution", - "attack.t1059.001" + "TA0010", + "T1048", + "TA0002", + "T1059.001" ], "title": "Dnscat Execution" }, @@ -45039,8 +45039,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "Potential Persistence Via COM Search Order Hijacking" }, @@ -45060,8 +45060,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1553.004" + "TA0005", + "T1553.004" ], "title": "Root Certificate Installed" }, @@ -45081,8 +45081,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "WMI Remote Command Execution" }, 
@@ -45102,8 +45102,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005" + "TA0002", + "T1059.005" ], "title": "Visual Basic Script Execution" }, @@ -45124,10 +45124,10 @@ ], "tags": [ "attack.g0035", - "attack.credential-access", - "attack.discovery", - "attack.t1110", - "attack.t1087" + "TA0006", + "TA0007", + "T1110", + "T1087" ], "title": "CrackMapExecWin" }, @@ -45146,8 +45146,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1548" + "TA0004", + "T1548" ], "title": "PrintNightmare Powershell Exploitation" }, @@ -45167,10 +45167,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1140", - "attack.command-and-control", - "attack.t1105", + "TA0005", + "T1140", + "TA0011", + "T1105", "attack.s0160", "attack.g0007", "attack.g0010", @@ -45197,10 +45197,10 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1112", - "attack.t1053" + "TA0005", + "TA0003", + "T1112", + "T1053" ], "title": "Abusing Windows Telemetry For Persistence - Registry" }, @@ -45220,8 +45220,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.003" + "TA0002", + "T1059.003" ], "title": "Read and Execute a File Via Cmd.exe" }, @@ -45241,11 +45241,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense-evasion" + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005" ], "title": "Excel Proxy Executing Regsvr32 With Payload Alternate" }, @@ -45265,10 +45265,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER" }, 
@@ -45287,8 +45287,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555.003" + "TA0006", + "T1555.003" ], "title": "Accessing Encrypted Credentials from Google Chrome Login Database" }, @@ -45308,10 +45308,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.execution", - "attack.t1059.001", - "attack.t1105" + "TA0011", + "TA0002", + "T1059.001", + "T1105" ], "title": "PowerShell Web Download" }, @@ -45331,7 +45331,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Rundll32 JS RunHTMLApplication Pattern" }, @@ -45351,10 +45351,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.defense-evasion", - "attack.t1105", - "attack.t1218" + "TA0011", + "TA0005", + "T1105", + "T1218" ], "title": "Windows Update Client LOLBIN" }, @@ -45374,8 +45374,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1053.005" + "TA0002", + "T1053.005" ], "title": "Suspicious Add Scheduled Task From User AppData Temp" }, @@ -45395,11 +45395,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense-evasion" + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005" ], "title": "Office Applications Spawning Wmi Cli Alternate" }, @@ -45418,8 +45418,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1083" + "TA0007", + "T1083" ], "title": "Powershell File and Directory Discovery" }, @@ -45439,8 +45439,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, 
@@ -45459,8 +45459,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1490" + "TA0040", + "T1490" ], "title": "Delete Volume Shadow Copies via WMI with PowerShell - PS Script" }, @@ -45480,10 +45480,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense-evasion", - "attack.t1027" + "TA0002", + "T1059.001", + "TA0005", + "T1027" ], "title": "Malicious Base64 Encoded Powershell Invoke Cmdlets" }, @@ -45502,14 +45502,14 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1087", - "attack.t1087.001", - "attack.t1087.002", - "attack.t1069.001", - "attack.t1069.002", - "attack.t1069" + "TA0007", + "T1482", + "T1087", + "T1087.001", + "T1087.002", + "T1069.001", + "T1069.002", + "T1069" ], "title": "AzureHound PowerShell Commands" }, @@ -45529,12 +45529,12 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.004", - "attack.t1218.009", - "attack.t1127.001", - "attack.t1218.005", - "attack.t1218" + "TA0005", + "T1218.004", + "T1218.009", + "T1127.001", + "T1218.005", + "T1218" ], "title": "Possible Applocker Bypass" }, @@ -45554,8 +45554,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "Suspicious Cmd Execution via WMI" }, @@ -45575,11 +45575,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense-evasion" + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005" ], "title": "New Lolbin Process by Office Applications" }, @@ -45599,8 +45599,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Execution via MSSQL Xp_cmdshell Stored Procedure" }, 
@@ -45620,8 +45620,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1204" + "TA0002", + "T1204" ], "title": "Process Start From Suspicious Folder" }, @@ -45641,8 +45641,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1485" + "TA0040", + "T1485" ], "title": "Run from a Zip File" }, @@ -45662,7 +45662,7 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Suspicious Characters in CommandLine" }, @@ -45682,8 +45682,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.011" + "TA0005", + "T1218.011" ], "title": "Suspicious Rundll32 Script in CommandLine" }, @@ -45703,8 +45703,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "Registry Dump of SAM Creds and Secrets" }, @@ -45724,8 +45724,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105" + "TA0011", + "T1105" ], "title": "Suspicious File Download Using Office Application" }, @@ -45745,8 +45745,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Office Security Settings Changed" }, @@ -45766,11 +45766,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1204.002", - "attack.t1047", - "attack.t1218.010", - "attack.execution", - "attack.defense-evasion" + "T1204.002", + "T1047", + "T1218.010", + "TA0002", + "TA0005" ], "title": "WMI Execution Via Office Process" }, @@ -45790,8 +45790,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1482" + "TA0007", + "T1482" ], "title": "Domain Trust Discovery" }, 
@@ -45811,8 +45811,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.010", + "TA0005", + "T1218.010", "car.2019-04-002", "car.2019-04-003" ], @@ -45834,8 +45834,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.002" + "TA0005", + "T1564.002" ], "title": "User Account Hidden By Registry" }, @@ -45855,8 +45855,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1546.015" + "TA0003", + "T1546.015" ], "title": "Potential Persistence Via COM Hijacking From Suspicious Locations" }, @@ -45876,8 +45876,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1564.004" + "TA0005", + "T1564.004" ], "title": "Cmd Stream Redirection" }, @@ -45895,7 +45895,7 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.t1070.001" + "T1070.001" ], "title": "Security Event Log Cleared" }, @@ -45913,8 +45913,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "SAM Dump to AppData" }, @@ -45934,8 +45934,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Wscript Execution from Non C Drive" }, @@ -45955,8 +45955,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1047" + "TA0002", + "T1047" ], "title": "WMI Reconnaissance List Remote Services" }, @@ -45976,10 +45976,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Rundll32" }, 
@@ -45996,8 +45996,8 @@ "service": "powershell", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Download" }, @@ -46017,9 +46017,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1036", - "attack.t1003.001" + "TA0005", + "T1036", + "T1003.001" ], "title": "Process Memory Dumped Via RdrLeakDiag.EXE" }, @@ -46039,8 +46039,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1112" + "TA0005", + "T1112" ], "title": "Service Binary in Uncommon Folder" }, @@ -46060,8 +46060,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1218.008" + "TA0005", + "T1218.008" ], "title": "Application Whitelisting Bypass via DLL Loaded by odbcconf.exe" }, @@ -46082,8 +46082,8 @@ ], "tags": [ "attack.g0032", - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Lazarus Loaders" }, @@ -46103,8 +46103,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1547.001" + "TA0003", + "T1547.001" ], "title": "Autorun Keys Modification" }, @@ -46122,8 +46122,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "New Service Uses Double Ampersand in Path" }, @@ -46143,7 +46143,7 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement" + "TA0008" ], "title": "Suspicious Epmap Connection" }, @@ -46163,9 +46163,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.defense-evasion", - "attack.t1218" + "TA0002", + "TA0005", + "T1218" ], "title": "Squirrel Lolbin" }, @@ -46185,8 +46185,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Disable Microsoft Office Security Features" }, 
@@ -46206,9 +46206,9 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.005", - "attack.t1059.007" + "TA0002", + "T1059.005", + "T1059.007" ], "title": "Adwind RAT / JRAT - Registry" }, @@ -46228,10 +46228,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", + "TA0005", + "TA0002", "attack.s0404", - "attack.t1218" + "T1218" ], "title": "Suspicious Esentutl Use" }, @@ -46250,8 +46250,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Execution via CL_Invocation.ps1 - Powershell" }, @@ -46271,9 +46271,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.execution", - "attack.t1218" + "TA0005", + "TA0002", + "T1218" ], "title": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL" }, @@ -46292,8 +46292,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Execution via CL_Mutexverifiers.ps1" }, @@ -46310,8 +46310,8 @@ "service": "powershell", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1218" + "TA0005", + "T1218" ], "title": "SyncAppvPublishingServer Execution to Bypass Powershell Restriction" }, @@ -46331,8 +46331,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Indirect Command Exectuion via Forfiles" }, @@ -46352,8 +46352,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1055.001", - "attack.t1218" + "T1055.001", + "T1218" ], "title": "MavInject Process Injection" }, @@ -46373,8 +46373,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1482" + "TA0007", + "T1482" ], "title": "Trickbot Malware Reconnaissance Activity" }, 
@@ -46395,8 +46395,8 @@ ], "tags": [ "attack.g0032", - "attack.execution", - "attack.t1106" + "TA0002", + "T1106" ], "title": "Lazarus Activity Apr21" }, @@ -46416,10 +46416,10 @@ "0CCE922C-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1482", - "attack.t1018", - "attack.t1016" + "TA0007", + "T1482", + "T1018", + "T1016" ], "title": "Correct Execution of Nltest.exe" }, @@ -46439,9 +46439,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.persistence", - "attack.t1197" + "TA0010", + "TA0003", + "T1197" ], "title": "Suspicious Bitstransfer via PowerShell" }, @@ -46462,8 +46462,8 @@ "service": "windefend", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Threat Detection Disabled" }, @@ -46483,8 +46483,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "TA0010", + "T1567.002" ], "title": "RClone Execution" }, @@ -46504,9 +46504,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "New Service Creation" }, @@ -46526,8 +46526,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071.004" + "TA0011", + "T1071.004" ], "title": "DNS Tunnel Technique from MuddyWater" }, @@ -46570,9 +46570,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "Suspicious Bitsadmin Job via PowerShell" }, @@ -46589,8 +46589,8 @@ "service": "powershell", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Invocations - Specific" }, 
@@ -46610,9 +46610,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1105", - "attack.t1071.004" + "TA0011", + "T1105", + "T1071.004" ], "title": "Nslookup PwSh Download Cradle" }, @@ -46632,8 +46632,8 @@ "0CCE921E-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1070.004" + "TA0005", + "T1070.004" ], "title": "Sysinternals SDelete Registry Keys" }, @@ -46653,9 +46653,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001", - "attack.execution" + "TA0005", + "T1562.001", + "TA0002" ], "title": "PowerShell AMSI Bypass Pattern" }, @@ -46675,9 +46675,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", + "TA0004", "attack.g0009", - "attack.t1068" + "T1068" ], "title": "Hurricane Panda Activity" }, @@ -46694,8 +46694,8 @@ "service": "powershell", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.001" + "TA0002", + "T1059.001" ], "title": "Suspicious PowerShell Invocations - Generic" }, @@ -46715,8 +46715,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Execute MSDT.EXE Using Diagcab File" }, @@ -46736,8 +46736,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Stop Or Remove Antivirus Service" }, @@ -46757,8 +46757,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1569.002", + "TA0002", + "T1569.002", "attack.s0029" ], "title": "PsExec Tool Execution" @@ -46779,10 +46779,10 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.t1059.001", - "attack.defense-evasion", - "attack.t1027" + "TA0002", + "T1059.001", + "TA0005", + "T1027" ], "title": "Base64 Encoded Listing of Shadowcopy" }, 
@@ -46802,9 +46802,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", + "TA0002", "attack.g0092", - "attack.t1106" + "T1106" ], "title": "TA505 Dropper Load Pattern" }, @@ -46824,8 +46824,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Winword.exe Loads Suspicious DLL" }, @@ -46845,8 +46845,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion", - "attack.t1202" + "TA0005", + "T1202" ], "title": "Indirect Command Execution" }, @@ -46865,8 +46865,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1095" + "TA0011", + "T1095" ], "title": "Netcat The Powershell Version - PowerShell Module" }, @@ -46885,8 +46885,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1546" + "TA0003", + "T1546" ], "title": "Suspicious Get-WmiObject" }, @@ -46904,8 +46904,8 @@ "service": "appxpackaging-om", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.execution" + "TA0005", + "TA0002" ], "title": "Suspicious Digital Signature Of AppX Package" }, @@ -46923,8 +46923,8 @@ "service": "dns-server", "subcategory_guids": [], "tags": [ - "attack.reconnaissance", - "attack.t1590.002" + "TA0043", + "T1590.002" ], "title": "Failed DNS Zone Transfer" }, @@ -46944,8 +46944,8 @@ "service": "dns-server", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "DNS Server Error Failed Loading the ServerLevelPluginDLL" }, @@ -46963,8 +46963,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1059.005" + "TA0002", + "T1059.005" ], "title": "Suspicious Scripting in a WMI Consumer" }, 
@@ -46982,10 +46982,10 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1047", - "attack.persistence", - "attack.t1546.003" + "TA0002", + "T1047", + "TA0003", + "T1546.003" ], "title": "Suspicious Encoded Scripts in a WMI Consumer" }, @@ -47003,8 +47003,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1071.004" + "TA0011", + "T1071.004" ], "title": "Suspicious Cobalt Strike DNS Beaconing - DNS Client" }, @@ -47022,8 +47022,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1090.003" + "TA0011", + "T1090.003" ], "title": "Query Tor Onion Address - DNS Client" }, @@ -47041,8 +47041,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "TA0010", + "T1567.002" ], "title": "DNS Query To Ufile.io - DNS Client" }, @@ -47060,8 +47060,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "TA0010", + "T1567.002" ], "title": "DNS Query To MEGA Hosting Website - DNS Client" }, @@ -47079,8 +47079,8 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1567.002" + "TA0010", + "T1567.002" ], "title": "DNS Query for Anonfiles.com Domain - DNS Client" }, @@ -47098,7 +47098,7 @@ "service": "dns-client", "subcategory_guids": [], "tags": [ - "attack.command-and-control" + "TA0011" ], "title": "DNS Query To Put.io - DNS Client" }, @@ -47114,8 +47114,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.t1587.001", - "attack.resource-development" + "T1587.001", + "TA0042" ], "title": "ProxyLogon MSExchange OabVirtualDirectory" }, 
@@ -47131,8 +47131,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1505.003" + "TA0003", + "T1505.003" ], "title": "Exchange Set OabVirtualDirectory ExternalUrl Property" }, @@ -47148,8 +47148,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070" + "TA0005", + "T1070" ], "title": "Remove Exported Mailbox from Exchange Webserver" }, @@ -47165,8 +47165,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1505.002" + "TA0003", + "T1505.002" ], "title": "MSExchange Transport Agent Installation - Builtin" }, @@ -47182,8 +47182,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1505.003" + "TA0003", + "T1505.003" ], "title": "Certificate Request Export to Exchange Webserver" }, @@ -47199,8 +47199,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1505.003" + "TA0003", + "T1505.003" ], "title": "Mailbox Export to Exchange Webserver" }, @@ -47218,8 +47218,8 @@ "service": "msexchange-management", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.t1505.002" + "TA0003", + "T1505.002" ], "title": "Failed MSExchange Transport Agent Installation" }, @@ -47237,8 +47237,8 @@ "service": "capi2", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1649" + "TA0006", + "T1649" ], "title": "Certificate Private Key Acquired" }, @@ -47257,8 +47257,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "Potential CVE-2021-42287 Exploitation Attempt" }, 
@@ -47276,8 +47276,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "Critical Hive In Suspicious Location Access Bits Cleared" }, @@ -47296,8 +47296,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.t1210", - "attack.lateral-movement" + "T1210", + "TA0008" ], "title": "Zerologon Exploitation Using Well-known Tools" }, @@ -47315,8 +47315,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1548" + "TA0004", + "T1548" ], "title": "Vulnerable Netlogon Secure Channel Connection Allowed" }, @@ -47334,8 +47334,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "CSExec Service Installation" }, @@ -47353,10 +47353,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Stdin - System" }, @@ -47374,10 +47374,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Uncommon Service Installation Image Path" }, @@ -47395,8 +47395,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "TacticalRMM Service Installation" }, @@ -47414,10 +47414,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.t1543.003", - "attack.t1569.002" + "TA0002", + "TA0004", + "T1543.003", + "T1569.002" ], "title": "Sliver C2 Default Service Installation" }, 
@@ -47435,8 +47435,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "RemCom Service Installation" }, @@ -47454,8 +47454,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.command-and-control", - "attack.t1219.002" + "TA0011", + "T1219.002" ], "title": "Mesh Agent Service Installation" }, @@ -47473,7 +47473,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Important Windows Service Terminated Unexpectedly" }, @@ -47491,10 +47491,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Rundll32 - System" }, @@ -47512,9 +47512,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1543.003" + "TA0003", + "TA0004", + "T1543.003" ], "title": "Moriya Rootkit - System" }, @@ -47532,10 +47532,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System" }, @@ -47553,8 +47553,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027" + "TA0005", + "T1027" ], "title": "Invoke-Obfuscation Obfuscated IEX Invocation - System" }, @@ -47572,10 +47572,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation RUNDLL LAUNCHER - System" }, 
@@ -47593,8 +47593,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "PowerShell Scripts Installed as Services" }, @@ -47612,10 +47612,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation COMPRESS OBFUSCATION - System" }, @@ -47633,8 +47633,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543" + "TA0004", + "T1543" ], "title": "KrbRelayUp Service Installation" }, @@ -47652,7 +47652,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "NetSupport Manager Service Install" }, @@ -47670,8 +47670,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002" + "TA0002", + "T1569.002" ], "title": "PAExec Service Installation" }, @@ -47690,10 +47690,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.execution", - "attack.t1543.003", - "attack.t1569.002" + "TA0003", + "TA0002", + "T1543.003", + "T1569.002" ], "title": "Remote Access Tool Services Have Been Installed - System" }, @@ -47711,7 +47711,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Windows Service Terminated With Error" }, @@ -47729,8 +47729,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543.003" + "TA0004", + "T1543.003" ], "title": "New PDQDeploy Service - Server Side" }, 
@@ -47748,10 +47748,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Service Installation with Suspicious Folder Pattern" }, @@ -47769,10 +47769,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use MSHTA - System" }, @@ -47790,10 +47790,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation Via Use Clip - System" }, @@ -47811,10 +47811,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Suspicious Service Installation" }, @@ -47832,8 +47832,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562.001" + "TA0005", + "T1562.001" ], "title": "Windows Defender Threat Detection Service Disabled" }, @@ -47851,10 +47851,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Service Installation in Suspicious Folder" }, @@ -47872,8 +47872,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.exfiltration", - "attack.t1048" + "TA0010", + "T1048" ], "title": "Tap Driver Installation" }, 
@@ -47891,14 +47891,14 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.execution", - "attack.t1003.001", - "attack.t1003.002", - "attack.t1003.004", - "attack.t1003.005", - "attack.t1003.006", - "attack.t1569.002", + "TA0006", + "TA0002", + "T1003.001", + "T1003.002", + "T1003.004", + "T1003.005", + "T1003.006", + "T1569.002", "attack.s0005" ], "title": "Credential Dumping Tools Service Execution - System" @@ -47917,8 +47917,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002", + "TA0002", + "T1569.002", "attack.s0029" ], "title": "PsExec Service Installation" @@ -47937,7 +47937,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Remote Utilities Host Service Install" }, @@ -47955,12 +47955,12 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1543.003", - "attack.t1569.002" + "TA0002", + "TA0004", + "TA0008", + "T1021.002", + "T1543.003", + "T1569.002" ], "title": "CobaltStrike Service Installations - System" }, @@ -47979,8 +47979,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.t1569.002", + "TA0002", + "T1569.002", "attack.s0029" ], "title": "HackTool Service Registration or Execution" @@ -47999,10 +47999,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation VAR+ Launcher - System" }, @@ -48020,7 +48020,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Anydesk Remote Access Software Service Installation" }, 
@@ -48038,10 +48038,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.t1543.003", - "attack.t1569.002" + "TA0002", + "TA0004", + "T1543.003", + "T1569.002" ], "title": "ProcessHacker Privilege Elevation" }, @@ -48059,8 +48059,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543.003" + "TA0004", + "T1543.003" ], "title": "New PDQDeploy Service - Client Side" }, @@ -48078,10 +48078,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation STDIN+ Launcher - System" }, @@ -48099,7 +48099,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence" + "TA0003" ], "title": "RTCore Suspicious Service Installation" }, @@ -48117,10 +48117,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.execution", - "attack.t1021.002", - "attack.t1569.002" + "TA0008", + "TA0002", + "T1021.002", + "T1569.002" ], "title": "smbexec.py Service Installation" }, @@ -48138,7 +48138,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Important Windows Service Terminated With Error" }, @@ -48156,10 +48156,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1027", - "attack.execution", - "attack.t1059.001" + "TA0005", + "T1027", + "TA0002", + "T1059.001" ], "title": "Invoke-Obfuscation CLIP+ Launcher - System" }, @@ -48177,10 +48177,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Suspicious Service Installation Script" }, 
@@ -48198,9 +48198,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1134.001", - "attack.t1134.002" + "TA0004", + "T1134.001", + "T1134.002" ], "title": "Meterpreter or Cobalt Strike Getsystem Service Installation - System" }, @@ -48218,8 +48218,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation", - "attack.t1543" + "TA0004", + "T1543" ], "title": "Service Installed By Unusual Client - System" }, @@ -48238,9 +48238,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.lateral-movement", - "attack.t1550.002" + "TA0005", + "TA0008", + "T1550.002" ], "title": "NTLMv1 Logon Between Client and Server" }, @@ -48259,8 +48259,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1210", + "TA0008", + "T1210", "car.2013-07-002" ], "title": "Potential RDP Exploit CVE-2019-0708" @@ -48279,8 +48279,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.t1499.001" + "TA0040", + "T1499.001" ], "title": "NTFS Vulnerability Exploitation" }, @@ -48298,7 +48298,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "KDC RC4-HMAC Downgrade CVE-2022-37966" }, @@ -48317,7 +48317,7 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "Certificate Use With No Strong Mapping" }, @@ -48336,8 +48336,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1558.003" + "TA0006", + "T1558.003" ], "title": "No Suitable Encryption Key Found For Generating Kerberos Ticket" }, @@ -48355,8 +48355,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.001", + "TA0005", + "T1070.001", "car.2016-04-002" ], "title": "Important Windows Eventlog Cleared" 
@@ -48375,8 +48375,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.001", + "TA0005", + "T1070.001", "car.2016-04-002" ], "title": "Eventlog Cleared" @@ -48395,10 +48395,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.collection", - "attack.t1003.002", - "attack.t1005" + "TA0006", + "TA0009", + "T1003.002", + "T1005" ], "title": "Crash Dump Created By Operating System" }, @@ -48416,9 +48416,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.execution", - "attack.credential-access", - "attack.t1557.001" + "TA0002", + "TA0006", + "T1557.001" ], "title": "Local Privilege Escalation Indicator TabTip" }, @@ -48436,9 +48436,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.defense-evasion", - "attack.t1553.004" + "TA0006", + "TA0005", + "T1553.004" ], "title": "Active Directory Certificate Services Denied Certificate Enrollment Request" }, @@ -48460,9 +48460,9 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.impact", - "attack.resource-development", - "attack.t1584" + "TA0040", + "TA0042", + "T1584" ], "title": "Windows Update Error" }, @@ -48480,8 +48480,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1562" + "TA0005", + "T1562" ], "title": "Sysmon Application Crashed" }, @@ -48499,8 +48499,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1003.002" + "TA0006", + "T1003.002" ], "title": "Volume Shadow Copy Mount" }, @@ -48520,8 +48520,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "DHCP Server Error Failed Loading the CallOut DLL" }, 
@@ -48539,8 +48539,8 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1574.001" + "TA0005", + "T1574.001" ], "title": "DHCP Server Loaded the CallOut DLL" }, @@ -48558,7 +48558,7 @@ "service": "application", "subcategory_guids": [], "tags": [ - "attack.execution" + "TA0002" ], "title": "Suspicious Usage of CVE_2021_34484 or CVE 2022_21919" }, @@ -48578,9 +48578,9 @@ "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Valid Users Failing to Authenticate From Single Source Using Kerberos" }, @@ -48600,11 +48600,11 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.command-and-control", - "attack.t1071", - "attack.t1071.004", - "attack.t1001.003", - "attack.t1041" + "TA0011", + "T1071", + "T1071.004", + "T1001.003", + "T1041" ], "title": "DNSCat2 Powershell Implementation Detection Via Process Creation" }, @@ -48626,9 +48626,9 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1078" + "TA0003", + "TA0004", + "T1078" ], "title": "Failed Logins with Different Accounts from Single Source System" }, @@ -48646,8 +48646,8 @@ "service": "smbclient-security", "subcategory_guids": [], "tags": [ - "attack.t1021.002", - "attack.lateral-movement" + "T1021.002", + "TA0008" ], "title": "Failed Mounting of Hidden Share" }, @@ -48668,9 +48668,9 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Multiple Users Remotely Failing To Authenticate From Single Source" }, 
@@ -48690,9 +48690,9 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Invalid Users Failing To Authenticate From Single Source Using NTLM" }, @@ -48712,9 +48712,9 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1078" + "TA0003", + "TA0004", + "T1078" ], "title": "Failed NTLM Logins with Different Accounts from Single Source System" }, @@ -48738,10 +48738,10 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.persistence", - "attack.execution", - "attack.t1053.005" + "TA0008", + "TA0003", + "TA0002", + "T1053.005" ], "title": "Remote Schtasks Creation" }, @@ -48761,9 +48761,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087", - "attack.t1082", + "TA0007", + "T1087", + "T1082", "car.2016-03-001" ], "title": "Reconnaissance Activity Using BuiltIn Commands" @@ -48787,8 +48787,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.credential-access", - "attack.t1555" + "TA0006", + "T1555" ], "title": "Stored Credentials in Fake Files" }, @@ -48808,9 +48808,9 @@ "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Invalid Users Failing To Authenticate From Source Using Kerberos" }, @@ -48830,8 +48830,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1068" + "TA0004", + "T1068" ], "title": "Windows Kernel and 3rd-Party Drivers Exploits Token Stealing" }, 
@@ -48852,11 +48852,11 @@ "0CCE9227-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.execution", - "attack.privilege-escalation", - "attack.persistence", + "TA0002", + "TA0004", + "TA0003", "car.2013-08-001", - "attack.t1053.005" + "T1053.005" ], "title": "Rare Schtasks Creations" }, @@ -48876,9 +48876,9 @@ "0CCE923F-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Valid Users Failing to Authenticate from Single Source Using NTLM" }, @@ -48896,10 +48896,10 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", + "TA0003", + "TA0004", "car.2013-09-005", - "attack.t1543.003" + "T1543.003" ], "title": "Rare Service Installations" }, @@ -48917,14 +48917,14 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.persistence", - "attack.privilege-escalation", - "attack.t1003", - "attack.t1035", - "attack.t1050", + "TA0003", + "TA0004", + "T1003", + "T1035", + "T1050", "car.2013-09-005", - "attack.t1543.003", - "attack.t1569.002" + "T1543.003", + "T1569.002" ], "title": "Malicious Service Installations" }, @@ -48947,8 +48947,8 @@ "0CCE9245-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.impact", - "attack.t1486" + "TA0040", + "T1486" ], "title": "Suspicious Multiple File Rename Or Delete Occurred" }, @@ -48967,8 +48967,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Execution via CL_Invocation.ps1 (2 Lines)" }, @@ -48987,8 +48987,8 @@ "service": "", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1216" + "TA0005", + "T1216" ], "title": "Execution via CL_Mutexverifiers.ps1 (2 Lines)" }, 
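Review bot: The Malicious Service Installations hunk carries `T1035` and `T1050` through the rewrite changed only in prefix; as far as I recall both are revoked ATT&CK technique ids (Service Execution was folded into T1569.002 and New Service into T1543.003), and those current replacements already appear in the same array, so the two legacy entries add nothing for a consumer that resolves ids against the current catalogue and will fail the lookup there. A format-only rewrite is a natural point for the generator to validate every `T`/`TA` id it emits against the catalogue it targets and at least log the ones it cannot resolve. If the legacy ids are kept on purpose for older mappings, a note saying so would save the next reader the same check.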
@@ -49009,9 +49009,9 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Multiple Users Failing to Authenticate from Single Process" }, @@ -49029,11 +49029,11 @@ "service": "system", "subcategory_guids": [], "tags": [ - "attack.lateral-movement", - "attack.t1021.002", - "attack.t1570", - "attack.execution", - "attack.t1569.002" + "TA0008", + "T1021.002", + "T1570", + "TA0002", + "T1569.002" ], "title": "Metasploit Or Impacket Service Installation Via SMB PsExec" }, @@ -49053,9 +49053,9 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Password Spraying via Explicit Credentials" }, @@ -49073,9 +49073,9 @@ "service": "taskscheduler", "subcategory_guids": [], "tags": [ - "attack.persistence", + "TA0003", "attack.s0111", - "attack.t1053.005" + "T1053.005" ], "title": "Rare Scheduled Task Creations" }, @@ -49096,8 +49096,8 @@ ], "tags": [ "car.2013-04-002", - "attack.execution", - "attack.t1059" + "TA0002", + "T1059" ], "title": "Quick Execution of a Series of Suspicious Commands" }, @@ -49117,8 +49117,8 @@ "0CCE9226-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.discovery", - "attack.t1087.002" + "TA0007", + "T1087.002" ], "title": "Enumeration via the Global Catalog" }, @@ -49138,9 +49138,9 @@ "0CCE9242-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.initial-access", - "attack.privilege-escalation" + "T1110.003", + "TA0001", + "TA0004" ], "title": "Disabled Users Failing To Authenticate From Source Using Kerberos" }, @@ -49160,8 +49160,8 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.t1548.002" + "TA0004", + "T1548.002" ], "title": "MSI Spawned Cmd and Powershell Spawned Processes" }, 
@@ -49179,9 +49179,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "BITS Transfer Job With Uncommon Or Suspicious Remote TLD" }, @@ -49199,9 +49199,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "BITS Transfer Job Downloading File Potential Suspicious Extension" }, @@ -49219,9 +49219,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "BITS Transfer Job Download From Direct IP" }, @@ -49239,9 +49239,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "BITS Transfer Job Download From File Sharing Domains" }, @@ -49259,9 +49259,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "New BITS Job Created Via PowerShell" }, @@ -49279,9 +49279,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "New BITS Job Created Via Bitsadmin" }, @@ -49299,9 +49299,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197" + "TA0005", + "TA0003", + "T1197" ], "title": "BITS Transfer Job Download To Potential Suspicious Folder" }, 
@@ -49338,9 +49338,9 @@ "service": "bits-client", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.persistence", - "attack.t1197", + "TA0005", + "TA0003", + "T1197", "lolbas" ], "title": "Bits Job Created" @@ -49396,8 +49396,8 @@ "subcategory_guids": [], "tags": [ "WMI", - "attack.persistence", - "attack.lateral-movement" + "TA0003", + "TA0008" ], "title": "WMI Filter To Consumer Binding_Command Execution" }, @@ -49645,8 +49645,8 @@ "0CCE9244-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1039", - "attack.collection" + "T1039", + "TA0009" ], "title": "NetShare File Access" }, @@ -49666,8 +49666,8 @@ "0CCE9224-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1039", - "attack.collection" + "T1039", + "TA0009" ], "title": "NetShare Access" }, @@ -49743,9 +49743,9 @@ "0CCE922B-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.lateral-movement", - "attack.t1563.002", - "attack.t1021.001" + "TA0008", + "T1563.002", + "T1021.001" ], "title": "Possible RDP Hijacking" }, @@ -49928,8 +49928,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.lateral-movement" + "TA0004", + "TA0008" ], "title": "Explicit Logon Attempt (Susp Proc) - Possible Mimikatz PrivEsc" }, @@ -49950,8 +49950,8 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.credential-access" + "T1110.003", + "TA0006" ], "title": "PW Guessing" }, @@ -50007,8 +50007,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.credential-access" + "T1110.003", + "TA0006" ], "title": "PW Spray" }, @@ -50229,8 +50229,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.lateral-movement" + "TA0004", + "TA0008" ], "title": "Explicit Logon Attempt (Noisy)" }, 
@@ -50269,8 +50269,8 @@ "0CCE9217-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.t1110.003", - "attack.credential-access" + "T1110.003", + "TA0006" ], "title": "User Guessing" }, @@ -50327,8 +50327,8 @@ "0CCE9215-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation", - "attack.lateral-movement" + "TA0004", + "TA0008" ], "title": "Explicit Logon Attempt" }, @@ -50349,7 +50349,7 @@ ], "tags": [ "RDP", - "attack.lateral-movement" + "TA0008" ], "title": "RDP Session Reconnect" }, @@ -50370,7 +50370,7 @@ ], "tags": [ "RDP", - "attack.lateral-movement" + "TA0008" ], "title": "RDP Session Disconnect" }, @@ -50442,8 +50442,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555.004" + "TA0006", + "T1555.004" ], "title": "Credential Manager Enumerated" }, @@ -50461,8 +50461,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.defense-evasion", - "attack.t1070.001" + "TA0005", + "T1070.001" ], "title": "Log Cleared" }, @@ -50480,8 +50480,8 @@ "service": "security", "subcategory_guids": [], "tags": [ - "attack.credential-access", - "attack.t1555.004" + "TA0006", + "T1555.004" ], "title": "Credential Manager Accessed" }, @@ -50517,7 +50517,7 @@ "0CCE9212-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Code Integrity Proble (Possible Modification)" }, @@ -50537,7 +50537,7 @@ "0CCE9212-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Code Integrity Error (Invalid Image Page Hash)" }, @@ -50557,7 +50557,7 @@ "0CCE9212-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.defense-evasion" + "TA0005" ], "title": "Code Integrity Error (Invalid Image Hash)" }, @@ -50613,7 +50613,7 @@ "0CCE9211-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence" + "TA0003" ], "title": "Svc Installed" }, 
@@ -50633,7 +50633,7 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "User Password Changed" }, @@ -50653,7 +50653,7 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", + "TA0003", "attack.1136.001" ], "title": "Local User Account Created" @@ -50674,7 +50674,7 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.privilege-escalation" + "TA0004" ], "title": "Password Reset By Admin" }, @@ -50694,7 +50694,7 @@ "0CCE9235-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", + "TA0003", "attack.11136.001" ], "title": "Hidden User Account Created" @@ -50733,8 +50733,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Local Domain Admins Grp" }, @@ -50754,8 +50754,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Local Admin Grp" }, @@ -50775,8 +50775,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Global Security Grp" }, @@ -50796,8 +50796,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Global Domain Admins Grp" }, @@ -50817,8 +50817,8 @@ "0CCE9237-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1098" + "TA0003", + "T1098" ], "title": "User Added To Non-Admin Global Grp" }, @@ -50838,8 +50838,8 @@ "0CCE9229-69AE-11D9-BED3-505054503030" ], "tags": [ - "attack.persistence", - "attack.t1543.003" + "TA0003", + "T1543.003" ], "title": "Possible Hidden Service Created" }, 
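Review bot: Two tags survive the rewrite unconverted in the Local User Account Created and Hidden User Account Created hunks: `"attack.1136.001"` and `"attack.11136.001"`. Both look like mistyped forms of `attack.t1136.001`, and because the conversion appears to recognise only well-formed tactic names and `attack.t…` ids, they were passed through silently, leaving these arrays with a third tag format and, in the second case, an id that cannot resolve to anything. The correction itself belongs upstream in the source rules (`T1136.001` in both), but the generator should also reject or at least log an `attack.`-prefixed tag that matches neither a tactic name nor a `t`/`g`/`s` id, so a typo of this kind cannot reach the released config unnoticed.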
@@ -50860,10 +50860,10 @@
 "0CCE9229-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1003.001",
- "attack.t1561",
- "attack.impact"
+ "TA0006",
+ "T1003.001",
+ "T1561",
+ "TA0040"
 ],
 "title": "Process Ran With High Privilege"
 },
@@ -50883,8 +50883,8 @@
 "0CCE9242-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1558.004"
+ "TA0006",
+ "T1558.004"
 ],
 "title": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)"
 },
@@ -50922,8 +50922,8 @@
 "0CCE9240-69AE-11D9-BED3-505054503030"
 ],
 "tags": [
- "attack.credential-access",
- "attack.t1558.003"
+ "TA0006",
+ "T1558.003"
 ],
 "title": "Possible Kerberoasting (RC4 Kerberos Ticket Req)"
 },
@@ -50978,8 +50978,8 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement",
- "attack.initial-access"
+ "TA0008",
+ "TA0001"
 ],
 "title": "RDP Logon"
 },
@@ -50998,7 +50998,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Conn (Noisy)"
 },
@@ -51067,8 +51067,8 @@
 "service": "powershell-classic",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.010",
+ "TA0005",
+ "T1562.010",
 "lolbas"
 ],
 "title": "PwSh 2.0 Downgrade Attack"
@@ -51088,7 +51088,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Conn Attempt"
 },
@@ -51107,7 +51107,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Attempt"
 },
@@ -51141,8 +51141,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1562.002"
+ "TA0005",
+ "T1562.002"
 ],
 "title": "Event Log Service Startup Type Changed To Disabled"
 },
@@ -51160,8 +51160,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1543.003"
+ "TA0003",
+ "T1543.003"
 ],
 "title": "Suspicious Service Name"
 },
@@ -51243,8 +51243,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1499"
+ "TA0040",
+ "T1499"
 ],
 "title": "Service Crashed"
 },
@@ -51262,8 +51262,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1543.003"
+ "TA0003",
+ "T1543.003"
 ],
 "title": "Suspicious Service Path"
 },
@@ -51281,13 +51281,13 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.lateral-movement",
+ "TA0008",
 "attack.s0029",
- "attack.t1136.002",
- "attack.t1543.003",
- "attack.t1570",
- "attack.t1021.002",
- "attack.t1569.002"
+ "T1136.002",
+ "T1543.003",
+ "T1570",
+ "T1021.002",
+ "T1569.002"
 ],
 "title": "PSExec Lateral Movement"
 },
@@ -51337,8 +51337,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.001"
+ "TA0005",
+ "T1070.001"
 ],
 "title": "Log File Cleared"
 },
@@ -51356,7 +51356,7 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence"
+ "TA0003"
 ],
 "title": "Svc Installed"
 },
@@ -51374,8 +51374,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1499"
+ "TA0040",
+ "T1499"
 ],
 "title": "Service Crashed"
 },
@@ -51393,8 +51393,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.impact",
- "attack.t1499"
+ "TA0040",
+ "T1499"
 ],
 "title": "Unexpected Shutdown"
 },
@@ -51428,8 +51428,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.defense-evasion",
- "attack.t1070.001"
+ "TA0005",
+ "T1070.001"
 ],
 "title": "Important Log File Cleared"
 },
@@ -51463,8 +51463,8 @@
 "service": "system",
 "subcategory_guids": [],
 "tags": [
- "attack.persistence",
- "attack.t1543.003"
+ "TA0003",
+ "T1543.003"
 ],
 "title": "Possible Metasploit Svc Installed"
 },
@@ -51588,7 +51588,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Logon"
 },
@@ -51607,7 +51607,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Logoff"
 },
@@ -51626,7 +51626,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Disconnect"
 },
@@ -51645,7 +51645,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Reconnect"
 },
@@ -51664,7 +51664,7 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement"
+ "TA0008"
 ],
 "title": "RDP Sess Start (Noisy)"
 },
@@ -51755,8 +51755,8 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement",
- "attack.initial-access"
+ "TA0008",
+ "TA0001"
 ],
 "title": "RDS GTW Logoff"
 },
@@ -51775,8 +51775,8 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement",
- "attack.initial-access"
+ "TA0008",
+ "TA0001"
 ],
 "title": "RDS GTW Logon"
 },
@@ -51795,8 +51795,8 @@
 "subcategory_guids": [],
 "tags": [
 "RDP",
- "attack.lateral-movement",
- "attack.initial-access"
+ "TA0008",
+ "TA0001"
 ],
 "title": "RDS GTW Logon Error"
 },