Rules (filter applied: Platform: Windows; 1247 matching rules)

All rules listed below apply to the Windows platform and were last updated on September 15, 2025. Columns: Rule Name | Severity | MITRE ATT&CK | Data Component ("-" where the listing shows none).

Rule Name | Severity | MITRE ATT&CK | Data Component
HackTool - Koh Default Named Pipe | Critical | TA0004, TA0006, T1134.001 | Named Pipe Metadata
New PowerShell Instance Created | Attention | TA0002, T1059.001 | Named Pipe Metadata
PUA - CSExec Default Named Pipe | Trouble | TA0008, TA0002, T1021.002 | Named Pipe Metadata
PUA - PAExec Default Named Pipe | Trouble | TA0002, T1569.002 | Named Pipe Metadata
PUA - RemCom Default Named Pipe | Trouble | TA0008, TA0002, T1021.002 | Named Pipe Metadata
Sysmon Blocked Executable | Trouble | TA0005 | -
Sysmon Blocked File Shredding | Trouble | TA0005 | -
PsExec Default Named Pipe | Attention | TA0002, T1569.002 | Named Pipe Metadata
Cryptocurrency mining software started | Critical | TA0040, T1496 | Process Creation
Cryptocurrency wallet software started | Critical | TA0009, T1005 | Process Creation
Mimikatz Detection | Critical | TA0006, T1003 | Process Creation
SharpShares Detection | Critical | TA0007, TA0008, TA0009, T1087 | Process Creation
BloodHound Detection | Critical | TA0043, TA0005, T1595 | Process Creation
VulnRecon Detection | Critical | TA0005, TA0004, TA0007, T1036 | Process Creation
PrintSpoofer Detection | Critical | TA0004, TA0005, TA0008, TA0002, T1548 | Process Creation
SprayKatz Detection | Critical | TA0006, T1003 | Process Creation
WinPeas Detection | Critical | TA0004, TA0006, T1068 | Process Creation
BadPotato Detection | Critical | TA0004, TA0008, T1068 | Process Creation
SharpView Detection | Critical | TA0007, T1087 | Process Creation
SafetyKatz Detection | Critical | TA0006, TA0004, TA0005, TA0008, T1003 | Process Creation
SharPersist Detection | Critical | TA0002, TA0003, TA0004, TA0005, T1053 | Process Creation
SharpZeroLogon Detection | Critical | TA0006, TA0009, TA0001, TA0003, TA0004, TA0005, T1606 | Process Creation
SharpDump Detection | Critical | TA0004, TA0005, TA0006, T1548 | Process Creation
SafetyDump Detection | Critical | TA0006, T1003 | Process Creation
SharpHound Detection | Critical | TA0004, TA0007, TA0008, T1068 | Process Creation
SharpUp Detection | Critical | TA0007, TA0005, T1069 | Process Creation
Spoolsv Spawning Rundll32 | Critical | TA0002, TA0003, TA0004, TA0005, T1204 | Process Creation
Excessive Attempt To Disable Services | Critical | TA0040, TA0005, T1485 | Process Creation
Excel Spawning Windows Script Host | Critical | TA0002, TA0001, T1059 | Process Creation
Excessive Usage Of Taskkill | Critical | TA0005, TA0040, TA0002, TA0003, TA0004, T1562 | Process Creation
Detect Regasm Spawning a Process | Critical | TA0005, T1218.009 | Process Creation
Office Product Spawning MSHTA | Critical | TA0005, T1218 | Process Creation
Office Product Spawning Windows Script Host | Critical | TA0002, T1059 | Process Creation
Windows Masquerading Explorer As Child Process | Critical | TA0005, T1036 | Process Creation
Wsmprovhost LOLBAS Execution Process Spawn | Critical | TA0005, TA0003, TA0004, T1036 | Process Creation
Ryuk Wake on LAN Command | Critical | TA0001, TA0003, TA0004, TA0006, T1189 | Process Creation
Powershell Disable Security Monitoring | Critical | TA0006, TA0002, T1003 | Process Creation
Add or Set Windows Defender Exclusion | Critical | TA0005, TA0003, TA0004, T1562 | Process Creation
Suspicious parent spawning autochk | Critical | TA0002, TA0004, TA0005, T1059 | Process Creation
Suspicious parent spawning fontdrvhost | Critical | TA0002, TA0004, TA0005, TA0003, TA0006, T1059 | Process Creation
Suspicious parent spawning dwm | Critical | TA0002, TA0004, TA0005, TA0003, TA0011, T1059 | Process Creation
Suspicious parent spawning Consent | Critical | TA0004, TA0005, TA0007, TA0006, T1134 | Process Creation
Suspicious parent spawning tiworker | Critical | TA0004, TA0005, T1134 | Process Creation
Suspicious parent spawning runtimebroker | Critical | TA0004, TA0005, T1134 | Process Creation
Suspicious parent spawning searchindexer | Critical | TA0004, TA0005, TA0007, T1134 | Process Creation
Suspicious parent spawning searchprotocolhost | Critical | TA0004, TA0005, TA0007, TA0006, T1134 | Process Creation
Suspicious parent spawning dllhost | Critical | TA0004, TA0005, TA0003, T1055 | Process Creation
Suspicious parent spawning smss | Critical | TA0004, TA0005, TA0003, T1055 | Process Creation
Suspicious parent spawning csrss | Critical | TA0002, TA0005, T1059 | Process Creation
Suspicious parent spawning wininit | Critical | TA0003, TA0004, T1543 | Process Creation
Suspicious parent spawning winlogon | Critical | TA0004, TA0005, T1134 | Process Creation
Suspicious parent spawning lsass | Critical | TA0004, TA0005, T1134 | Process Creation
Suspicious parent spawning lsaIso | Critical | TA0006, T1003 | Process Creation
Suspicious parent spawning LogonUI | Critical | TA0004, TA0005, TA0002, T1134 | Process Creation
Suspicious parent spawning services | Critical | TA0002, TA0004, TA0005, TA0003, T1059 | Process Creation
Suspicious parent spawning svchost | Critical | TA0004, TA0005, T1134 | Process Creation
Suspicious parent spawning spoolsv | Critical | TA0002, TA0005, T1059 | Process Creation
Suspicious parent spawning taskhost | Critical | TA0006, TA0005, TA0004, TA0002, T1003 | Process Creation
Suspicious parent spawning taskhostw | Critical | TA0005, T1055 | Process Creation
Suspicious parent spawning userinit | Critical | TA0005, T1055 | Process Creation
Suspicious parent spawning wmiprvse | Critical | TA0002, T1047 | Process Creation
Suspicious parent spawning wsmprovhost | Critical | TA0002, T1047 | Process Creation
Suspicious parent spawning winrshost | Critical | - | Process Creation
SearchProtocolHost Spawning Suspicious Child | Critical | TA0005, TA0002, T1218 | Process Creation
taskhost Spawning Suspicious Child | Critical | TA0003, TA0004, T1546 | Process Creation
csrss Spawning Suspicious Child | Critical | TA0003, TA0004, T1543 | Process Creation
autochk Spawning Suspicious Child | Critical | TA0003, TA0004, T1543 | Process Creation
smss Spawning Suspicious Child | Critical | TA0003, TA0004, T1546 | Process Creation
wermgr Spawning Suspicious Child | Critical | TA0005, T1218 | Process Creation
conhost Spawning Suspicious Child | Critical | TA0005, TA0002, T1218 | Process Creation
Credential theft using Procdump or comsvcs | Critical | TA0006, T1003 | Process Creation
Suspicious Encoded PowerShell Command Line | Trouble | TA0002, T1059.001 | Process Creation
Local privileged account group modification | Critical | TA0003, TA0004, T1098 | -
Suspicious execution of CertOC | Critical | TA0005, T1218 | Process Creation
Suspicious file creation with Colorcpl | Critical | TA0002, T1059 | Process Creation
Suspicious execution of ConfigSecurityPolicy | Critical | TA0002, T1204 | Process Creation
Metasploit detection | Critical | TA0002, TA0005, T1203 | Process Creation
Hashcat detection | Critical | TA0006, T1110 | Process Creation
Petitpotam detection | Critical | TA0006, T1557.001 | Process Creation
Rubeus detection | Critical | TA0006, T1558.003 | Process Creation
Crackmapexec detection | Critical | TA0007, TA0008, T1046 | Process Creation
SweetPotato detection | Critical | TA0004, T1068 | Process Creation
John The Ripper | Critical | TA0006, T1003.001 | Process Creation
Kerbrute detection | Critical | TA0006, T1110.003 | Process Creation
Hydra detection | Critical | TA0006, T1110.003 | Process Creation
Suspicious Certreq command to Download or Upload | Critical | TA0005, T1027 | Process Creation
Volume Shadow Copy deleted using VSSADMIN or wmic | Critical | TA0040, T1490 | Process Creation
Suspicious Certutil Command | Critical | TA0005, T1140 | Process Creation
Bypass UAC via CMSTP | Trouble | TA0004, TA0005, T1548.002 | Process Creation
Bypassing Security controls | Critical | TA0004, TA0005, T1548 | Process Creation
Regsvr32 exploitation | Critical | - | Process Creation
Potential Forfiles Misuse | Critical | TA0002, T1059.003 | Process Creation
Pcalua Script Execution | Critical | - | Process Creation
Steganography Malware Creation | Critical | TA0005, T1027.003 | Process Creation
Unauthorized Stream Exploit | Critical | TA0005, T1036 | Process Creation
Unauthorized Stream Data Transfer | Critical | TA0010, T1048 | Process Creation
RDP Session Hijacking Using tscon | Critical | TA0008, T1563.002 | Process Creation
Use of Bitsadmin for Download | Critical | - | Process Creation
Potential Defense Evasion via Hidden Files | Critical | TA0005, T1564.001 | Process Creation
Attempt To Tamper the Audit Policy | Critical | TA0005, T1562.002 | Process Creation
Remote Access Tool - AnyDesk Piped Password Via CLI | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate | Trouble | TA0002, TA0001 | Process Creation
Remote Access Tool - AnyDesk Silent Installation | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - Anydesk Execution From Suspicious Folder | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - GoToAssist Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - LogMeIn Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - MeshAgent Command Execution via MeshCentral | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - NetSupport Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - RURAT Execution From Unusual Location | Trouble | TA0005 | Process Creation
Remote Access Tool - ScreenConnect Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - ScreenConnect Remote Command Execution | Attention | TA0002, T1059.003 | Process Creation
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - ScreenConnect Server Web Shell Execution | Trouble | TA0001, T1190 | Process Creation
Remote Access Tool - Simple Help Execution | Trouble | TA0011, T1219.002 | Process Creation
Remote Access Tool - Team Viewer Session Started On Windows Host | Attention | TA0001, T1133 | Process Creation
Remote Access Tool - UltraViewer Execution | Trouble | TA0011, T1219.002 | Process Creation
Discovery of a System Time | Attention | TA0007, T1124 | Process Creation
Renamed AutoHotkey.EXE Execution | Trouble | TA0005 | Process Creation
Renamed AutoIt Execution | Trouble | TA0005, T1027 | Process Creation
Potential Defense Evasion Via Binary Rename | Trouble | TA0005, T1036.003 | Process Creation
Potential Defense Evasion Via Rename Of Highly Relevant Binaries | Trouble | TA0005, T1036.003 | Process Creation
Renamed BOINC Client Execution | Trouble | TA0005, T1553 | Process Creation
Renamed BrowserCore.EXE Execution | Trouble | TA0006, TA0005, T1528 | Process Creation
Renamed Cloudflared.EXE Execution | Trouble | TA0011, T1090.001 | Process Creation
Renamed CreateDump Utility Execution | Trouble | TA0005, TA0006, T1036 | Process Creation
Renamed CURL.EXE Execution | Trouble | TA0002, TA0005, T1059 | Process Creation
Renamed FTP.EXE Execution | Trouble | TA0002, TA0005, T1059 | Process Creation
Renamed Gpg.EXE Execution | Trouble | TA0040, T1486 | Process Creation
Renamed Jusched.EXE Execution | Trouble | TA0002, TA0005, T1036.003 | Process Creation
Renamed Mavinject.EXE Execution | Trouble | TA0005, TA0004, T1055.001 | Process Creation
Renamed MegaSync Execution | Trouble | TA0005, T1218 | Process Creation
Renamed Msdt.EXE Execution | Trouble | TA0005, T1036.003 | Process Creation
Renamed Microsoft Teams Execution | Trouble | TA0005 | Process Creation
Renamed NetSupport RAT Execution | Trouble | TA0005 | Process Creation
Renamed NirCmd.EXE Execution | Trouble | TA0002, TA0005, T1059 | Process Creation
Renamed Office Binary Execution | Trouble | TA0005 | Process Creation
Renamed PAExec Execution | Trouble | TA0005, T1202 | Process Creation
Renamed PingCastle Binary Execution | Trouble | TA0002, TA0005, T1059 | Process Creation
Renamed Plink Execution | Trouble | TA0005, T1036 | Process Creation
Visual Studio NodejsTools PressAnyKey Renamed Execution | Trouble | TA0002, TA0005, T1218 | Process Creation
Potential Renamed Rundll32 Execution | Trouble | TA0002 | Process Creation
Renamed Remote Utilities RAT (RURAT) Execution | Trouble | TA0005, TA0009, TA0011, TA0007 | Process Creation
Renamed SysInternals DebugView Execution | Trouble | TA0042, T1588.002 | Process Creation
Renamed ProcDump Execution | Trouble | TA0005, T1036.003 | Process Creation
Renamed PsExec Service Execution | Trouble | TA0002 | Process Creation
Renamed Sysinternals Sdelete Execution | Trouble | TA0040, T1485 | Process Creation
Renamed Vmnat.exe Execution | Trouble | TA0005, T1574.001 | Process Creation
Renamed Whoami Execution | Critical | TA0007, T1033 | Process Creation
Capture Credentials with Rpcping.exe | Trouble | TA0006, T1003 | Process Creation
Ruby Inline Command Execution | Trouble | TA0002, T1059 | Process Creation
Suspicious Advpack Call Via Rundll32.EXE | Trouble | TA0005 | Process Creation
Suspicious Rundll32 Invoking Inline VBScript | Trouble | TA0005, T1055 | Process Creation
Rundll32 InstallScreenSaver Execution | Trouble | TA0005, T1218.011 | Process Creation
Suspicious Key Manager Access | Trouble | TA0006, T1555.004 | Process Creation
Mshtml.DLL RunHTMLApplication Suspicious Usage | Trouble | TA0005, TA0002 | Process Creation
Rundll32 Execution Without CommandLine Parameters | Trouble | TA0005, T1202 | Process Creation
Suspicious NTLM Authentication on the Printer Spooler Service | Trouble | TA0004, TA0006, T1212 | Process Creation
Potential Obfuscated Ordinal Call Via Rundll32 | Trouble | TA0005, T1027.010 | Process Creation
Rundll32 Spawned Via Explorer.EXE | Trouble | TA0005 | Process Creation
Process Memory Dump Via Comsvcs.DLL | Trouble | TA0005, TA0006, T1036 | Process Creation
Rundll32 Registered COM Objects | Trouble | TA0004, TA0003, T1546.015 | Process Creation
Suspicious Process Start Locations | Trouble | TA0005, T1036 | Process Creation
Suspicious Rundll32 Setupapi.dll Activity | Trouble | TA0005, T1218.011 | Process Creation
Shell32 DLL Execution in Suspicious Directory | Trouble | TA0005, TA0002, T1218.011 | Process Creation
Potential ShellDispatch.DLL Functionality Abuse | Trouble | TA0002, TA0005 | Process Creation
RunDLL32 Spawning Explorer | Trouble | TA0005, T1218.011 | Process Creation
Suspicious Control Panel DLL Load | Trouble | TA0005, T1218.011 | Process Creation
Suspicious Rundll32 Execution With Image Extension | Trouble | TA0005, T1218.011 | Process Creation
Suspicious Usage Of ShellExec_RunDLL | Trouble | TA0005 | Process Creation
Suspicious ShellExec_RunDLL Call Via Ordinal | Trouble | TA0005, T1218.011 | Process Creation
ShimCache Flush | Trouble | TA0005, T1112 | Process Creation
Suspicious Rundll32 Activity Invoking Sys File | Trouble | TA0005, T1218.011 | Process Creation
Rundll32 UNC Path Execution | Trouble | TA0005, TA0002, TA0008, T1218.011 | Process Creation
Suspicious Workstation Locking via Rundll32 | Trouble | TA0005 | Process Creation
WebDav Client Execution Via Rundll32.EXE | Trouble | TA0010, T1048.003 | Process Creation
Run Once Task Execution as Configured in Registry | Attention | TA0005, T1112 | Process Creation
Suspicious Schtasks Execution AppData Folder | Trouble | TA0002, TA0003, T1053.005 | Process Creation
Suspicious Modification Of Scheduled Tasks | Trouble | TA0002, T1053.005 | Process Creation
Suspicious Scheduled Task Creation Involving Temp Folder | Trouble | TA0002, TA0003, T1053.005 | Process Creation
Delete Important Scheduled Task | Trouble | TA0040, T1489 | Process Creation
Delete All Scheduled Tasks | Trouble | TA0040, T1489 | Process Creation
Disable Important Scheduled Task | Trouble | TA0040, T1489 | Process Creation
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE | Trouble | TA0002, T1053.005 | Process Creation
Schtasks From Suspicious Folders | Trouble | TA0002, T1053.005 | Process Creation
Uncommon One Time Only Scheduled Task At 00:00 | Trouble | TA0002, TA0003, TA0004, T1053.005 | Process Creation
Potential Persistence Via Microsoft Compatibility Appraiser | Trouble | TA0003, T1053.005 | Process Creation
Scheduled Task Executing Payload from Registry | Trouble | TA0002, TA0003, T1053.005 | Process Creation
Scheduled Task Executing Encoded Payload from Registry | Trouble | TA0002, TA0003, T1053.005 | Process Creation
Suspicious Schtasks Schedule Types | Trouble | TA0002, T1053.005 | Process Creation
Suspicious Schtasks Schedule Type With High Privileges | Trouble | TA0002, T1053.005 | Process Creation
Suspicious Command Patterns In Scheduled Task Creation | Trouble | TA0002, T1053.005 | Process Creation
Schtasks Creation Or Modification With SYSTEM Privileges | Trouble | TA0002, TA0003, T1053.005 | Process Creation
Script Event Consumer Spawning Process | Trouble | TA0002, T1047 | Process Creation
New Service Creation Using Sc.EXE | Attention | TA0003, TA0004, T1543.003 | Process Creation
Service StartupType Change Via Sc.EXE | Trouble | TA0002, TA0005, T1562.001 | Process Creation
New Kernel Driver Via SC.EXE | Trouble | TA0003, TA0004, T1543.003 | Process Creation
Interesting Service Enumeration Via Sc.EXE | Attention | TA0006, T1003 | Process Creation
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | Trouble | TA0003, T1543.003 | Process Creation
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE | Trouble | TA0003, T1543.003 | Process Creation
Service DACL Abuse To Hide Services Via Sc.EXE | Trouble | TA0003, TA0005, TA0004, T1574.011 | Process Creation
Service Security Descriptor Tampering Via Sc.EXE | Trouble | TA0003, TA0005, TA0004, T1574.011 | Process Creation
Suspicious Service Path Modification | Trouble | TA0003, TA0004, T1543.003 | Process Creation
Potential Persistence Attempt Via Existing Service Tampering | Trouble | TA0003, T1543.003 | Process Creation
Stop Windows Service Via Sc.EXE | Attention | TA0040, T1489 | Process Creation
Potential Shim Database Persistence via Sdbinst.EXE | Trouble | TA0003, TA0004, T1546.011 | Process Creation
Uncommon Extension Shim Database Installation Via Sdbinst.EXE | | TA0003, TA0004, T1546.011 | Process Creation
Trouble
TA0003, TA0004, T1546.011
Windows
Last updated: September 15, 2025
View details

Sdclt Child Processes

TA0004 T1548.002 Windows Process Creation
Trouble
TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

Sdiagnhost Calling Suspicious Child Process

TA0005 T1036 Windows Process Creation
Trouble
TA0005, T1036
Windows
Last updated: September 15, 2025
View details

Potential Suspicious Activity Using SeCEdit

TA0007 TA0003 TA0005 TA0006 TA0004 T1082 Windows Process Creation
Trouble
TA0007, TA0003, TA0005, TA0006, TA0004, T1082
Windows
Last updated: September 15, 2025
View details

Suspicious Serv-U Process Pattern

TA0006 T1555 Windows Process Creation
Trouble
TA0006, T1555
Windows
Last updated: September 15, 2025
View details

Uncommon Child Process Of Setres.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential SPN Enumeration Via Setspn.EXE

TA0006 T1558.003 Windows Process Creation
Trouble
TA0006, T1558.003
Windows
Last updated: September 15, 2025
View details

Suspicious Execution of Shutdown

TA0040 T1529 Windows Process Creation
Trouble
TA0040, T1529
Windows
Last updated: September 15, 2025
View details

Suspicious Execution of Shutdown to Log Out

TA0040 T1529 Windows Process Creation
Trouble
TA0040, T1529
Windows
Last updated: September 15, 2025
View details

Uncommon Sigverif.EXE Child Process

TA0005 T1216 Windows Process Creation
Trouble
TA0005, T1216
Windows
Last updated: September 15, 2025
View details

Uncommon Child Processes Of SndVol.exe

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Audio Capture via SoundRecorder

TA0009 T1123 Windows Process Creation
Trouble
TA0009, T1123
Windows
Last updated: September 15, 2025
View details

Suspicious Splwow64 Without Params

TA0005 T1202 Windows Process Creation
Trouble
TA0005, T1202
Windows
Last updated: September 15, 2025
View details

Veeam Backup Database Suspicious Query

TA0009 T1005 Windows Process Creation
Trouble
TA0009, T1005
Windows
Last updated: September 15, 2025
View details

VeeamBackup Database Credentials Dump Via Sqlcmd.EXE

TA0009 T1005 Windows Process Creation
Trouble
TA0009, T1005
Windows
Last updated: September 15, 2025
View details

SQLite Chromium Profile Data DB Access

TA0006 TA0009 T1539 Windows Process Creation
Trouble
TA0006, TA0009, T1539
Windows
Last updated: September 15, 2025
View details

SQLite Firefox Profile Data DB Access

TA0006 TA0009 T1539 Windows Process Creation
Trouble
TA0006, TA0009, T1539
Windows
Last updated: September 15, 2025
View details

Arbitrary File Download Via Squirrel.EXE

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Process Proxy Execution Via Squirrel.EXE

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Port Forwarding Activity Via SSH.EXE

TA0011 TA0008 T1572 Windows Process Creation
Trouble
TA0011, TA0008, T1572
Windows
Last updated: September 15, 2025
View details

Potential RDP Tunneling Via SSH

TA0011 T1572 Windows Process Creation
Trouble
TA0011, T1572
Windows
Last updated: September 15, 2025
View details

Potential Amazon SSM Agent Hijacking

TA0011 TA0003 T1219.002 Windows Process Creation
Trouble
TA0011, TA0003, T1219.002
Windows
Last updated: September 15, 2025
View details

Execution via stordiag.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Start of NT Virtual DOS Machine

TA0005 Windows Process Creation
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

User Added to Local Administrators Group

TA0003 T1098 Windows Process Creation
Trouble
TA0003, T1098
Windows
Last updated: September 15, 2025
View details

User Added To Highly Privileged Group

TA0003 T1098 Windows Process Creation
Trouble
TA0003, T1098
Windows
Last updated: September 15, 2025
View details

User Added to Remote Desktop Users Group

TA0003 TA0008 T1133 Windows Process Creation
Trouble
TA0003, TA0008, T1133
Windows
Last updated: September 15, 2025
View details

Execute From Alternate Data Streams

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Arbitrary Shell Command Execution Via Settingcontent-Ms

TA0002 TA0001 T1204 Windows Process Creation
Trouble
TA0002, TA0001, T1204
Windows
Last updated: September 15, 2025
View details

Phishing Pattern ISO in Archive

TA0001 T1566 Windows Process Creation
Trouble
TA0001, T1566
Windows
Last updated: September 15, 2025
View details

Automated Collection Command Prompt

TA0009 TA0006 T1119 Windows Process Creation
Trouble
TA0009, TA0006, T1119
Windows
Last updated: September 15, 2025
View details

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

TA0005 T1218.011 Windows Process Creation
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Potential Suspicious Browser Launch From Document Reader Process

TA0002 T1204.002 Windows Process Creation
Trouble
TA0002, T1204.002
Windows
Last updated: September 15, 2025
View details

Potential Commandline Obfuscation Using Escape Characters

TA0005 T1140 Windows Process Creation
Trouble
TA0005, T1140
Windows
Last updated: September 15, 2025
View details

Potential Command Line Path Traversal Evasion Attempt

TA0005 T1036 Windows Process Creation
Trouble
TA0005, T1036
Windows
Last updated: September 15, 2025
View details

Potential Browser Data Stealing

TA0006 T1555.003 Windows Process Creation
Trouble
TA0006, T1555.003
Windows
Last updated: September 15, 2025
View details

Copy From Or To Admin Share Or Sysvol Folder

TA0008 TA0009 TA0010 T1021.002 Windows Process Creation
Trouble
TA0008, TA0009, TA0010, T1021.002
Windows
Last updated: September 15, 2025
View details

Suspicious Copy From or To System Directory

TA0005 T1036.003 Windows Process Creation
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

LOL-Binary Copied From System Directory

TA0005 T1036.003 Windows Process Creation
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

Potential Crypto Mining Activity

TA0040 T1496 Windows Process Creation
Trouble
TA0040, T1496
Windows
Last updated: September 15, 2025
View details

Potential Data Exfiltration Activity Via CommandLine Tools

TA0002 T1059.001 Windows Process Creation
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Raccine Uninstall

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Suspicious Double Extension File Execution

TA0001 T1566.001 Windows Process Creation
Trouble
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

Suspicious Parent Double Extension File Execution

TA0005 T1036.007 Windows Process Creation
Trouble
TA0005, T1036.007
Windows
Last updated: September 15, 2025
View details

DumpStack.log Defender Evasion

TA0005 Windows Process Creation
Critical
TA0005
Windows
Last updated: September 15, 2025
View details

Always Install Elevated MSI Spawned Cmd And Powershell

TA0004 T1548.002 Windows Process Creation
Trouble
TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

Suspicious Electron Application Child Processes

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Electron Application CommandLine

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

ETW Logging Tamper In .NET Processes Via CommandLine

TA0005 T1562 Windows Process Creation
Trouble
TA0005, T1562
Windows
Last updated: September 15, 2025
View details

ETW Trace Evasion Activity

TA0005 T1070 Windows Process Creation
Trouble
TA0005, T1070
Windows
Last updated: September 15, 2025
View details

Suspicious Eventlog Clearing or Configuration Change Activity

TA0005 T1070.001 Windows Process Creation
Trouble
TA0005, T1070.001
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious EventLog Recon Activity Using Log Query Utilities

TA0006 TA0007 T1552 Windows Process Creation
Trouble
TA0006, TA0007, T1552
Windows
Last updated: September 15, 2025
View details

Process Execution From A Potentially Suspicious Folder

TA0005 T1036 Windows Process Creation
Trouble
TA0005, T1036
Windows
Last updated: September 15, 2025
View details

Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS

TA0007 TA0002 T1615 Windows Process Creation
Trouble
TA0007, TA0002, T1615
Windows
Last updated: September 15, 2025
View details

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Writing Of Malicious Files To The Fonts Folder

TA0005 TA0003 TA0002 T1211 Windows Process Creation
Trouble
TA0005, TA0003, TA0002, T1211
Windows
Last updated: September 15, 2025
View details

Base64 MZ Header In CommandLine

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Potential WinAPI Calls Via CommandLine

TA0002 T1106 Windows Process Creation
Trouble
TA0002, T1106
Windows
Last updated: September 15, 2025
View details

Local Accounts Discovery

TA0007 T1033 Windows Process Creation
Attention
TA0007, T1033
Windows
Last updated: September 15, 2025
View details

LSASS Dump Keyword In CommandLine

TA0006 T1003.001 Windows Process Creation
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

Potential File Download Via MS-AppInstaller Protocol Handler

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious Network Command

TA0007 T1016 Windows Process Creation
Attention
TA0007, T1016
Windows
Last updated: September 15, 2025
View details

Suspicious Scan Loop Network

TA0002 TA0007 T1059 Windows Process Creation
Trouble
TA0002, TA0007, T1059
Windows
Last updated: September 15, 2025
View details

Potential Network Sniffing Activity Using Network Tools

TA0006 TA0007 T1040 Windows Process Creation
Trouble
TA0006, TA0007, T1040
Windows
Last updated: September 15, 2025
View details

Process Launched Without Image Name

TA0005 Windows Process Creation
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Call To Win32_NTEventlogFile Class

TA0005 Windows Process Creation
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Use Short Name Path in Command Line

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Use Short Name Path in Image

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Use NTFS Short Name in Command Line

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Use NTFS Short Name in Image

TA0005 T1564.004 Windows Process Creation
Trouble
TA0005, T1564.004
Windows
Last updated: September 15, 2025
View details

Suspicious Process Parents

TA0005 T1036 Windows Process Creation
Trouble
TA0005, T1036
Windows
Last updated: September 15, 2025
View details

Potential PowerShell Execution Via DLL

TA0005 T1218.011 Windows Process Creation
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Private Keys Reconnaissance Via CommandLine Tools

TA0006 T1552.004 Windows Process Creation
Trouble
TA0006, T1552.004
Windows
Last updated: September 15, 2025
View details

Privilege Escalation via Named Pipe Impersonation

TA0008 T1021 Windows Process Creation
Trouble
TA0008, T1021
Windows
Last updated: September 15, 2025
View details

Windows Processes Suspicious Parent Directory

TA0005 T1036.003 Windows Process Creation
Attention
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

Suspicious Program Names

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Suspicious Process Execution From Fake Recycle.Bin Folder

TA0003 TA0005 Windows Process Creation
Trouble
TA0003, TA0005
Windows
Last updated: September 15, 2025
View details

Potential Remote Desktop Tunneling

TA0008 T1021 Windows Process Creation
Trouble
TA0008, T1021
Windows
Last updated: September 15, 2025
View details

Script Interpreter Execution From Suspicious Folder

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Suspicious Script Execution From Temp Folder

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Suspicious New Service Creation

TA0003 TA0004 T1543.003 Windows Process Creation
Trouble
TA0003, TA0004, T1543.003
Windows
Last updated: September 15, 2025
View details

Suspicious Service Binary Directory

TA0005 T1202 Windows Process Creation
Trouble
TA0005, T1202
Windows
Last updated: September 15, 2025
View details

Shadow Copies Creation Using Operating Systems Utilities

TA0006 T1003 Windows Process Creation
Trouble
TA0006, T1003
Windows
Last updated: September 15, 2025
View details

Shadow Copies Deletion Using Operating Systems Utilities

TA0005 TA0040 T1070 Windows Process Creation
Trouble
TA0005, TA0040, T1070
Windows
Last updated: September 15, 2025
View details

Windows Shell/Scripting Processes Spawning Suspicious Programs

TA0002 TA0005 T1059.005 Windows Process Creation
Trouble
TA0002, TA0005, T1059.005
Windows
Last updated: September 15, 2025
View details

Process Creation Using Sysnative Folder

TA0005 TA0004 T1055 Windows Process Creation
Trouble
TA0005, TA0004, T1055
Windows
Last updated: September 15, 2025
View details

Tasks Folder Evasion

TA0005 TA0003 TA0002 T1574.001 Windows Process Creation
Trouble
TA0005, TA0003, TA0002, T1574.001
Windows
Last updated: September 15, 2025
View details

Suspicious Userinit Child Process

TA0005 T1055 Windows Process Creation
Trouble
TA0005, T1055
Windows
Last updated: September 15, 2025
View details

Malicious Windows Script Components File Execution by TAEF Detection

TA0005 T1218 Windows Process Creation
Attention
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Weak or Abused Passwords In CLI

TA0005 TA0002 Windows Process Creation
Trouble
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

Usage Of Web Request Commands And Cmdlets

TA0002 T1059.001 Windows Process Creation
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

WhoAmI as Parameter

TA0007 T1033 Windows Process Creation
Trouble
TA0007, T1033
Windows
Last updated: September 15, 2025
View details

Execution via WorkFolders.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Suspect Svchost Activity

TA0005 TA0004 T1055 Windows Process Creation
Trouble
TA0005, TA0004, T1055
Windows
Last updated: September 15, 2025
View details

Suspicious Process Masquerading As SvcHost.EXE

TA0005 T1036.005 Windows Process Creation
Trouble
TA0005, T1036.005
Windows
Last updated: September 15, 2025
View details

WLAN Credential Leak

TA0006 T1555 Windows Process Creation
Critical
TA0006, T1555
Windows
Last updated: September 15, 2025
View details

SAM SECURITY Hive Dump Possible Credential Theft

TA0006 T1003.002 Windows Process Creation
Critical
TA0006, T1003.002
Windows
Last updated: September 15, 2025
View details

Possible DLL Injection by Regasm activity

TA0005 T1055 Windows Process Creation
Critical
TA0005, T1055
Windows
Last updated: September 15, 2025
View details

Use of InstallUtil for Download

Windows Process Creation
Critical
Windows
Last updated: September 15, 2025
View details

Hidden Local Account Detection

TA0003 T1136.001 Windows
Critical
TA0003, T1136.001
Windows
Last updated: September 15, 2025
View details

Ransomware detections

Windows File Creation
Critical
Windows
Last updated: September 15, 2025
View details

Suspicious file access

TA0009 T1005 Windows File Access File Modification
Critical
TA0009, T1005
Windows
Last updated: September 15, 2025
View details

Excessive file removal

TA0040 T1485 Windows File Deletion
Critical
TA0040, T1485
Windows
Last updated: September 15, 2025
View details

Multiple file permission changes

TA0005 T1222 Windows File Metadata
Critical
TA0005, T1222
Windows
Last updated: September 15, 2025
View details

Repeated object audit policy changes

TA0005 T1562.002 Windows
Critical
TA0005, T1562.002
Windows
Last updated: September 15, 2025
View details

Failed file access attempts

TA0009 TA0005 T1005 Windows File Access
Critical
TA0009, TA0005, T1005
Windows
Last updated: September 15, 2025
View details

Repeated registry entry failures

TA0005 T1112 Windows Windows Registry Key Creation
Critical
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Multiple system audit policy changes

TA0005 T1562.002 Windows
Critical
TA0005, T1562.002
Windows
Last updated: September 15, 2025
View details

Possible worm activity

TA0008 T1021 Windows
Critical
TA0008, T1021
Windows
Last updated: September 15, 2025
View details

Excessive application crashes

TA0040 T1499 Windows
Critical
TA0040, T1499
Windows
Last updated: September 15, 2025
View details

Windows backup repeated failures

TA0040 T1490 Windows
Critical
TA0040, T1490
Windows
Last updated: September 15, 2025
View details

Eventlogs cleared

TA0005 T1070.001 Windows
Critical
TA0005, T1070.001
Windows
Last updated: September 15, 2025
View details

Notable account lockouts

TA0006 T1110.003 Windows
Critical
TA0006, T1110.003
Windows
Last updated: September 15, 2025
View details

Unexpected shutdowns

TA0040 T1529 Windows
Critical
TA0040, T1529
Windows
Last updated: September 15, 2025
View details

WinRAR Zero-Day vulnerability exploitation

TA0002 T1203 Windows
Critical
TA0002, T1203
Windows
Last updated: September 15, 2025
View details

Windows Search RCE Exploitation

TA0002 T1203 Windows
Critical
TA0002, T1203
Windows
Last updated: September 15, 2025
View details

QueueJumper Vulnerability Exploitation

TA0002 T1203 Windows
Critical
TA0002, T1203
Windows
Last updated: September 15, 2025
View details

Microsoft Outlook Vulnerability Exploitation

TA0002 T1203 Windows
Critical
TA0002, T1203
Windows
Last updated: September 15, 2025
View details

Built-in guest account privilege escalation

TA0004 T1078.001 Windows
Critical
TA0004, T1078.001
Windows
Last updated: September 15, 2025
View details

Suspicious Failed Password Change Activity in Windows

TA0005 TA0004 T1556.001 Windows
Critical
TA0005, TA0004, T1556.001
Windows
Last updated: September 15, 2025
View details

Excessive Software Installation Attempts on Windows

TA0003 TA0004 TA0002 T1547 Windows
Attention
TA0003, TA0004, TA0002, T1547
Windows
Last updated: September 15, 2025
View details

Excessive Software Update Attempts on Windows

TA0005 TA0002 TA0003 TA0004 T1078 Windows
Attention
TA0005, TA0002, TA0003, TA0004, T1078
Windows
Last updated: September 15, 2025
View details

Suspicious Windows Registry Access

TA0005 TA0004 TA0003 TA0002 T1112 Windows Windows Registry Key Access
Attention
TA0005, TA0004, TA0003, TA0002, T1112
Windows
Last updated: September 15, 2025
View details

Unauthorized Group Policy Object Deletion Detected

TA0004 TA0005 TA0006 TA0003 TA0001 T1098 Windows
Attention
TA0004, TA0005, TA0006, TA0003, TA0001, T1098
Windows
Last updated: September 15, 2025
View details

Unauthorized Group Deletion Detected

TA0003 TA0004 TA0005 TA0006 TA0001 T1098 Windows
Attention
TA0003, TA0004, TA0005, TA0006, TA0001, T1098
Windows
Last updated: September 15, 2025
View details

Excessive Windows File Modification

TA0040 T1485 Windows File Creation File Modification
Critical
TA0040, T1485
Windows
Last updated: September 15, 2025
View details

Suspicious Scheduled Tasks created during non-working hours on Windows.

TA0003 TA0002 T1053.005 Windows
Critical
TA0003, TA0002, T1053.005
Windows
Last updated: September 15, 2025
View details

Suspicious Bulk File Modifications or Deletions on Windows

TA0040 TA0002 TA0009 TA0006 T1485 Windows File Deletion
Critical
TA0040, TA0002, TA0009, TA0006, T1485
Windows
Last updated: September 15, 2025
View details

Suspicious successful password change activity in Windows.

TA0005 TA0004 T1556.001 Windows
Critical
TA0005, TA0004, T1556.001
Windows
Last updated: September 15, 2025
View details

Suspicious successful password change activity on a workstation.

TA0006 TA0005 TA0003 TA0004 TA0001 T1556.001 Windows
Attention
TA0006, TA0005, TA0003, TA0004, TA0001, T1556.001
Windows
Last updated: September 15, 2025
View details

Suspicious failed password change activity on a workstation.

TA0006 TA0005 TA0003 TA0004 TA0001 T1556.001 Windows
Attention
TA0006, TA0005, TA0003, TA0004, TA0001, T1556.001
Windows
Last updated: September 15, 2025
View details

Failed DNS Zone Transfer

TA0043 T1590.002 Active Directory
Trouble
TA0043, T1590.002
Active Directory
Last updated: September 15, 2025
View details

DNS Server Error Failed Loading the ServerLevelPluginDLL

TA0005 T1574.001 Active Directory
Trouble
TA0005, T1574.001
Active Directory
Last updated: September 15, 2025
View details

Ntdsutil Abuse

TA0006 T1003.003 Active Directory
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

Dump Ntds.dit To Suspicious Location

TA0002 Active Directory
Trouble
TA0002
Active Directory
Last updated: September 15, 2025
View details

Powerview Add-DomainObjectAcl DCSync AD Extend Right

TA0003 T1098 Active Directory Active Directory Object Modification
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

AD Privileged Users or Groups Reconnaissance

TA0007 T1087.002 Active Directory Active Directory Object Access
Trouble
TA0007, T1087.002
Active Directory
Last updated: September 15, 2025
View details

Add or Remove Computer from DC

TA0005 T1207 Active Directory
Attention
TA0005, T1207
Active Directory
Last updated: September 15, 2025
View details

Access To ADMIN$ Network Share

TA0008 T1021.002 Active Directory Network Share Access
Attention
TA0008, T1021.002
Active Directory
Last updated: September 15, 2025
View details

AD Object WriteDAC Access

TA0005 T1222.001 Active Directory Active Directory Object Access
Critical
TA0005, T1222.001
Active Directory
Last updated: September 15, 2025
View details

Active Directory Replication from Non Machine Account

TA0006 T1003.006 Active Directory Active Directory Object Access
Critical
TA0006, T1003.006
Active Directory
Last updated: September 15, 2025
View details

Enabled User Right in AD to Control User Objects

TA0003 T1098 Active Directory
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

Active Directory User Backdoors

TA0003 T1098 Active Directory Active Directory Object Modification User Account Modification
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

Mimikatz DC Sync

TA0006 T1003.006 Active Directory Active Directory Object Access
Trouble
TA0006, T1003.006
Active Directory
Last updated: September 15, 2025
View details

DPAPI Domain Backup Key Extraction

TA0006 T1003.004 Active Directory Active Directory Object Access
Trouble
TA0006, T1003.004
Active Directory
Last updated: September 15, 2025
View details

Hidden Local User Creation

TA0003 T1136.001 Active Directory Active Directory Object Modification User Account Creation
Trouble
TA0003, T1136.001
Active Directory
Last updated: September 15, 2025
View details

Kerberoasting Activity - Initial Query

TA0006 T1558.003 Active Directory Active Directory Credential Request
Trouble
TA0006, T1558.003
Active Directory
Last updated: September 15, 2025
View details

Credential Dumping Tools Service Execution - Security

TA0006 TA0002 T1003.001 Active Directory Service Creation
Trouble
TA0006, TA0002, T1003.001
Active Directory
Last updated: September 15, 2025
View details

A Member Was Added to a Security-Enabled Global Group

TA0003 T1098 Active Directory Group Modification
Attention
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

A Member Was Removed From a Security-Enabled Global Group

TA0003 T1098 Active Directory Group Modification
Attention
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

New or Renamed User Account with '$' Character

TA0005 T1036 Active Directory User Account Creation
Trouble
TA0005, T1036
Active Directory
Last updated: September 15, 2025
View details

Password Policy Enumerated

TA0007 T1201 Active Directory Active Directory Object Modification
Trouble
TA0007, T1201
Active Directory
Last updated: September 15, 2025
View details

Pass the Hash Activity 2

TA0008 T1550.002 Active Directory Logon Session Creation
Trouble
TA0008, T1550.002
Active Directory
Last updated: September 15, 2025
View details

Possible DC Shadow Attack

TA0006 TA0005 T1207 Active Directory Active Directory Object Modification
Trouble
TA0006, TA0005, T1207
Active Directory
Last updated: September 15, 2025
View details

A Security-Enabled Global Group Was Deleted

TA0003 T1098 Active Directory
Attention
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

A New Trust Was Created To A Domain

TA0003 T1098 Active Directory
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

Potential Compromise of DSRM Account

TA0003 T1098 Active Directory
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

Group Policy Abuse for Privilege Addition

TA0004 T1484.001 Active Directory Active Directory Object Modification
Trouble
TA0004, T1484.001
Active Directory
Last updated: September 15, 2025
View details

Potential Discovery Activity Via Dnscmd.EXE

TA0007 TA0002 Active Directory Process Creation
Trouble
TA0007, TA0002
Active Directory
Last updated: September 15, 2025
View details

ADSI-Cache File Creation By Uncommon Tool

TA0011 T1001.003 Active Directory File Creation File Modification
Trouble
TA0011, T1001.003
Active Directory
Last updated: September 15, 2025
View details

NTDS.DIT Created

TA0006 T1003.003 Active Directory File Creation File Modification
Attention
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

NTDS.DIT Creation By Uncommon Process

TA0006 T1003.002 Active Directory File Creation File Modification
Trouble
TA0006, T1003.002
Active Directory
Last updated: September 15, 2025
View details

NTDS Exfiltration Filename Patterns

TA0006 T1003.003 Active Directory File Creation File Modification
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

DPAPI Backup Keys And Certificate Export Activity IOC

TA0006 T1555 Active Directory File Creation File Modification
Trouble
TA0006, T1555
Active Directory
Last updated: September 15, 2025
View details

Potential Azure Browser SSO Abuse

TA0005 TA0004 T1574.001 Active Directory Module Load
Attention
TA0005, TA0004, T1574.001
Active Directory
Last updated: September 15, 2025
View details

Active Directory Parsing DLL Loaded Via Office Application

TA0002 T1204.002 Active Directory Module Load
Trouble
TA0002, T1204.002
Active Directory
Last updated: September 15, 2025
View details

Active Directory Kerberos DLL Loaded Via Office Application

TA0002 T1204.002 Active Directory Module Load
Trouble
TA0002, T1204.002
Active Directory
Last updated: September 15, 2025
View details

Uncommon Connection to Active Directory Web Services

Rule Name | Severity | MITRE ATT&CK | Platform | Data Component | Last Updated
(name cut off above) | Trouble | TA0007, T1087 | Active Directory | Network Connection Creation | September 15, 2025
AADInternals PowerShell Cmdlets Execution - PsScript | Trouble | TA0002, TA0043, TA0007, TA0006, TA0040 | Active Directory | Script Execution | September 15, 2025
Potential Active Directory Enumeration Using AD Module - PsScript | Trouble | TA0043, TA0007, TA0040 | Active Directory | Script Execution | September 15, 2025
PowerShell ADRecon Execution | Trouble | TA0007, TA0002, T1059.001 | Active Directory | Script Execution | September 15, 2025
Get-ADUser Enumeration Using UserAccountControl Flags | Trouble | TA0007, T1033 | Active Directory | Script Execution | September 15, 2025
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell | Trouble | TA0007, T1033 | Active Directory | Script Execution | September 15, 2025
Create Volume Shadow Copy with Powershell | Trouble | TA0006, T1003.003 | Active Directory | Script Execution | September 15, 2025
DirectorySearcher Powershell Exploitation | Trouble | TA0007, T1018 | Active Directory | Script Execution | September 15, 2025
Manipulation of User Computer or Group Security Principals Across AD | Trouble | TA0003, T1136.002 | Active Directory | Script Execution | September 15, 2025
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock | Trouble | TA0002, T1059.001 | Active Directory | Script Execution | September 15, 2025
Active Directory Computers Enumeration With Get-AdComputer | Attention | TA0007, T1018 | Active Directory | Script Execution | September 15, 2025
Active Directory Group Enumeration With Get-AdGroup | Attention | TA0007, T1069.002 | Active Directory | Script Execution | September 15, 2025
Suspicious Get-ADReplAccount | Trouble | TA0006, T1003.006 | Active Directory | Script Execution | September 15, 2025
HackTool - WinPwn Execution - ScriptBlock | Trouble | TA0006, TA0005, TA0007, TA0002, TA0004, T1552.001 | Active Directory | Script Execution | September 15, 2025
Modify Group Policy Settings - ScriptBlockLogging | Trouble | TA0005, TA0004, T1484.001 | Active Directory | Script Execution | September 15, 2025
Request A Single Ticket via PowerShell | Trouble | TA0006, T1558.003 | Active Directory | Script Execution | September 15, 2025
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | Attention | TA0007, T1069.001 | Active Directory | Script Execution | September 15, 2025
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy | Attention | TA0007, T1201 | Active Directory | Script Execution | September 15, 2025
Suspicious GPO Discovery With Get-GPO | Attention | TA0007, T1615 | Active Directory | Script Execution | September 15, 2025
Suspicious Connection to Remote Account | Attention | TA0006, T1110.001 | Active Directory | Script Execution | September 15, 2025
Remove Account From Domain Admin Group | Trouble | TA0040, T1531 | Active Directory | Script Execution | September 15, 2025
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell | Trouble | TA0007, T1033 | Active Directory | Script Execution | September 15, 2025
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE | Trouble | TA0005, T1574.001 | Active Directory | Process Creation | September 15, 2025
Potentially Over Permissive Permissions Granted Using Dsacls.EXE | Trouble | TA0005, T1218 | Active Directory | Process Creation | September 15, 2025
Potential Password Spraying Attempt Using Dsacls.EXE | Trouble | TA0005, T1218 | Active Directory | Process Creation | September 15, 2025
Domain Trust Discovery Via Dsquery | Trouble | TA0007, T1482 | Active Directory | Process Creation | September 15, 2025
Esentutl Gather Credentials | Trouble | TA0006, T1003 | Active Directory | Process Creation | September 15, 2025
HackTool - ADCSPwn Execution | Trouble | TA0006, T1557.001 | Active Directory | Process Creation | September 15, 2025

Terminal Service Process Spawn | Trouble | TA0001, TA0008, T1190 | Windows | Process Creation | September 15, 2025
Uncommon Svchost Parent Process | Trouble | TA0005, T1036.005 | Windows | Process Creation | September 15, 2025
Permission Check Via Accesschk.EXE | Trouble | TA0007, T1069.001 | Windows | Process Creation | September 15, 2025
Potential Execution of Sysinternals Tools | Attention | TA0042, T1588.002 | Windows | Process Creation | September 15, 2025
Potential Memory Dumping Activity Via LiveKD | Trouble | TA0005 | Windows | Process Creation | September 15, 2025
Kernel Memory Dump Via LiveKD | Trouble | TA0005 | Windows | Process Creation | September 15, 2025
Procdump Execution | Trouble | TA0005, TA0006, T1036 | Windows | Process Creation | September 15, 2025
Potential SysInternals ProcDump Evasion | Trouble | TA0005, TA0006, T1036 | Windows | Process Creation | September 15, 2025
Potential LSASS Process Dump Via Procdump | Trouble | TA0005, TA0006, T1036 | Windows | Process Creation | September 15, 2025
Psexec Execution | Trouble | TA0002, TA0008, T1569 | Windows | Process Creation | September 15, 2025
PsExec/PAExec Escalation to LOCAL SYSTEM | Trouble | TA0042, T1587.001 | Windows | Process Creation | September 15, 2025
Potential PsExec Remote Execution | Trouble | TA0042, T1587.001 | Windows | Process Creation | September 15, 2025
PsExec Service Execution | Trouble | TA0002 | Windows | Process Creation | September 15, 2025
Suspicious Use of PsLogList | Trouble | TA0007, T1087 | Windows | Process Creation | September 15, 2025
Sysinternals PsService Execution | Trouble | TA0007, TA0003, T1543.003 | Windows | Process Creation | September 15, 2025
Sysinternals PsSuspend Execution | Trouble | TA0007, TA0003, T1543.003 | Windows | Process Creation | September 15, 2025
Sysinternals PsSuspend Suspicious Execution | Trouble | TA0005, T1562.001 | Windows | Process Creation | September 15, 2025
Potential File Overwrite Via Sysinternals SDelete | Trouble | TA0040, T1485 | Windows | Process Creation | September 15, 2025
Potential Privilege Escalation To LOCAL SYSTEM | Trouble | TA0042, T1587.001 | Windows | Process Creation | September 15, 2025
Sysmon Configuration Update | Trouble | TA0005, T1562.001 | Windows | Process Creation | September 15, 2025
Uninstall Sysinternals Sysmon | Trouble | TA0005, T1562.001 | Windows | Process Creation | September 15, 2025
Sysprep on AppData Folder | Trouble | TA0002, T1059 | Windows | Process Creation | September 15, 2025
Suspicious Execution of Systeminfo | Attention | TA0007, T1082 | Windows | Process Creation | September 15, 2025
Potential Signing Bypass Via Windows Developer Features | Trouble | TA0005 | Windows | Process Creation | September 15, 2025
Suspicious Recursive Takeown | Trouble | TA0005, T1222.001 | Windows | Process Creation | September 15, 2025
Tap Installer Execution | Trouble | TA0010, T1048 | Windows | Process Creation | September 15, 2025
Compressed File Creation Via Tar.EXE | Attention | TA0009, TA0010, T1560 | Windows | Process Creation | September 15, 2025
Compressed File Extraction Via Tar.EXE | Attention | TA0009, TA0010, T1560 | Windows | Process Creation | September 15, 2025
Taskkill Symantec Endpoint Protection | Trouble | TA0005, T1562.001 | Windows | Process Creation | September 15, 2025
Loaded Module Enumeration Via Tasklist.EXE | Trouble | TA0006, T1003 | Windows | Process Creation | September 15, 2025
New Process Created Via Taskmgr.EXE | Attention | TA0005, T1036 | Windows | Process Creation | September 15, 2025
Potentially Suspicious Command Targeting Teams Sensitive Files | Trouble | TA0006, T1528 | Windows | Process Creation | September 15, 2025
New Virtual Smart Card Created Via TpmVscMgr.EXE | Trouble | TA0002 | Windows | Process Creation | September 15, 2025
Suspicious RDP Redirect Using TSCON | Trouble | TA0008, T1563.002 | Windows | Process Creation | September 15, 2025
Bypass UAC via Fodhelper.exe | Trouble | TA0004, T1548.002 | Windows | Process Creation | September 15, 2025
UAC Bypass via Windows Firewall Snap-In Hijack | Trouble | TA0004, T1548 | Windows | Process Creation | September 15, 2025
UAC Bypass via ICMLuaUtil | Trouble | TA0005, TA0004, T1548.002 | Windows | Process Creation | September 15, 2025
Bypass UAC via WSReset.exe | Trouble | TA0004, TA0005, T1548.002 | Windows | Process Creation | September 15, 2025
Use of UltraVNC Remote Access Software | Trouble | TA0011, T1219.002 | Windows | Process Creation | September 15, 2025
Suspicious UltraVNC Execution | Trouble | TA0008, T1021.005 | Windows | Process Creation | September 15, 2025
Uninstall Crowdstrike Falcon Sensor | Trouble | TA0005, T1562.001 | Windows | Process Creation | September 15, 2025
Uncommon Userinit Child Process | Trouble | TA0003, T1037.001 | Windows | Process Creation | September 15, 2025
Windows Credential Manager Access via VaultCmd | Trouble | TA0006, T1555.004 | Windows | Process Creation | September 15, 2025
Verclsid.exe Runs COM Object | Trouble | TA0005, T1218 | Windows | Process Creation | September 15, 2025
Detect Virtualbox Driver Installation OR Starting Of VMs | Attention | TA0005, T1564 | Windows | Process Creation | September 15, 2025
Suspicious VBoxDrvInst.exe Parameters | Trouble | TA0005, T1112 | Windows | Process Creation | September 15, 2025
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Trouble | TA0002, TA0003, T1059 | Windows | Process Creation | September 15, 2025
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script | Trouble | TA0002, TA0003, T1059 | Windows | Process Creation | September 15, 2025
VMToolsd Suspicious Child Process | Trouble | TA0002, TA0003, T1059 | Windows | Process Creation | September 15, 2025
Potentially Suspicious Child Process Of VsCode | Trouble | TA0002, TA0005, T1218 | Windows | Process Creation | September 15, 2025
Visual Studio Code Tunnel Execution | Trouble | TA0011, T1071.001 | Windows | Process Creation | September 15, 2025
Visual Studio Code Tunnel Shell Execution | Trouble | TA0011, T1071.001 | Windows | Process Creation | September 15, 2025
Renamed Visual Studio Code Tunnel Execution | Trouble | TA0011, T1071.001 | Windows | Process Creation | September 15, 2025
Visual Studio Code Tunnel Service Installation | Trouble | TA0011, T1071.001 | Windows | Process Creation | September 15, 2025
Potential Binary Proxy Execution Via VSDiagnostics.EXE | Trouble | TA0005, T1218 | Windows | Process Creation | September 15, 2025
Suspicious Vsls-Agent Command With AgentExtensionPath Load | Trouble | TA0005, T1218 | Windows | Process Creation | September 15, 2025
Use of W32tm as Timer | Trouble | TA0007, T1124 | Windows | Process Creation | September 15, 2025
Wab Execution From Non Default Location | Trouble | TA0005, TA0002 | Windows | Process Creation | September 15, 2025
Wab/Wabmig Unusual Parent Or Child Processes | Trouble | TA0005, TA0002 | Windows | Process Creation | September 15, 2025
All Backups Deleted Via Wbadmin.EXE | Trouble | TA0040, T1490 | Windows | Process Creation | September 15, 2025
Windows Backup Deleted Via Wbadmin.EXE | Trouble | TA0040, T1490 | Windows | Process Creation | September 15, 2025
Sensitive File Dump Via Wbadmin.EXE | Trouble | TA0006, T1003.003 | Windows | Process Creation | September 15, 2025
File Recovery From Backup Via Wbadmin.EXE | Trouble | TA0040, T1490 | Windows | Process Creation | September 15, 2025
Sensitive File Recovery From Backup Via Wbadmin.EXE | Trouble | TA0006, T1003.003 | Windows | Process Creation | September 15, 2025
Potentially Suspicious WebDAV LNK Execution | Trouble | TA0002, T1059.001 | Windows | Process Creation | September 15, 2025
Webshell Hacking Activity Patterns | Trouble | TA0003, TA0007, T1505.003 | Windows | Process Creation | September 15, 2025
Webshell Detection With Command Line Keywords | Trouble | TA0003, TA0007, T1505.003 | Windows | Process Creation | September 15, 2025
Suspicious Process By Web Server Process | Trouble | TA0003, TA0001, T1505.003 | Windows | Process Creation | September 15, 2025
Webshell Tool Reconnaissance Activity | Trouble | TA0003, T1505.003 | Windows | Process Creation | September 15, 2025
Potential ReflectDebugger Content Execution Via WerFault.EXE | Trouble | TA0002, TA0005, T1036 | Windows | Process Creation | September 15, 2025
Suspicious Child Process Of Wermgr.EXE | Trouble | TA0005, TA0004, T1055 | Windows | Process Creation | September 15, 2025
Suspicious Execution Location Of Wermgr.EXE | Trouble | TA0002 | Windows | Process Creation | September 15, 2025
Suspicious Where Execution | Attention | TA0007, T1217 | Windows | Process Creation | September 15, 2025
Suspicious WindowsTerminal Child Processes | Trouble | TA0002, TA0003 | Windows | Process Creation | September 15, 2025
Add New Download Source To Winget | Trouble | TA0005, TA0002, T1059 | Windows | Process Creation | September 15, 2025
Add Insecure Download Source To Winget | Trouble | TA0005, TA0002, T1059 | Windows | Process Creation | September 15, 2025
Install New Package Via Winget Local Manifest | Trouble | TA0005, TA0002, T1059 | Windows | Process Creation | September 15, 2025
Winrar Compressing Dump Files | Trouble | TA0009, T1560.001 | Windows | Process Creation | September 15, 2025
Potentially Suspicious Child Process Of WinRAR.EXE | Trouble | TA0002, T1203 | Windows | Process Creation | September 15, 2025
Winrar Execution in Non-Standard Folder | Trouble | TA0009, T1560.001 | Windows | Process Creation | September 15, 2025
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Trouble | TA0005, T1216 | Windows | Process Creation | September 15, 2025
Remote Code Execute via Winrm.vbs | Trouble | TA0005, T1216 | Windows | Process Creation | September 15, 2025
Remote PowerShell Session Host Process (WinRM) | Trouble | TA0002, TA0008, T1059.001 | Windows | Process Creation | September 15, 2025
Suspicious Processes Spawned by WinRM | Trouble | TA0001, TA0003, TA0004, T1190 | Windows | Process Creation | September 15, 2025
Wlrmdr.EXE Uncommon Argument Or Child Process | Trouble | TA0005, T1218 | Windows | Process Creation | September 15, 2025
New ActiveScriptEventConsumer Created Via Wmic.EXE | Trouble | TA0003, T1546.003 | Windows | Process Creation | September 15, 2025
Potential Windows Defender Tampering Via Wmic.EXE | Trouble | TA0005, TA0002, T1562 | Windows | Process Creation | September 15, 2025
New Process Created Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Computer System Reconnaissance Via Wmic.EXE | Trouble | TA0007, TA0002, T1047 | Windows | Process Creation | September 15, 2025
Hardware Model Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Local Groups Reconnaissance Via Wmic.EXE | Attention | TA0007, T1069.001 | Windows | Process Creation | September 15, 2025
Windows Hotfix Updates Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Process Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Potential Product Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Potential Product Class Reconnaissance Via Wmic.EXE | Trouble | TA0002, TA0007, T1047 | Windows | Process Creation | September 15, 2025
Service Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
Uncommon System Information Discovery Via Wmic.EXE | Trouble | TA0007, T1082 | Windows | Process Creation | September 15, 2025
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
System Disk And Volume Reconnaissance Via Wmic.EXE | Trouble | TA0002, TA0007, T1047 | Windows | Process Creation | September 15, 2025
WMIC Remote Command Execution | Trouble | TA0002, T1047 | Windows | Process Creation | September 15, 2025
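The Windows Process Creation rules above (Procdump against LSASS, Wbadmin backup deletion, WMIC remote execution and the rest) all reduce to selections over a handful of event fields. The block below is an added example and is not code or rule logic from this catalogue or from the rule authors: it evaluates three illustrative selections of my own, whose titles merely borrow from the listing, against constructed Sysmon-style process-creation events. The field names (Image, OriginalFileName, CommandLine, RecordId) follow Sysmon's Event ID 1 schema; the match conditions, the OriginalFileName values and the sample events are assumptions.

```python
"""
Illustrative evaluator for Windows process-creation telemetry (Sysmon Event ID 1 style fields).
Added example: the three selections below are my own assumptions that borrow their titles from
the listing; they are NOT the catalogue's rule definitions. Sample events are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    title: str
    image_endswith: tuple = ()     # suffixes compared against the Image path
    original_filename: tuple = ()  # PE OriginalFileName values; survives a renamed binary
    cmdline_all: tuple = ()        # every fragment must appear in CommandLine (case-insensitive)
    cmdline_any: tuple = ()        # at least one fragment must appear


def _low(value):
    return (value or "").lower()


def rule_matches(rule, event):
    """True when the event satisfies every populated clause of the rule."""
    image = _low(event.get("Image"))
    ofn = _low(event.get("OriginalFileName"))
    cmd = _low(event.get("CommandLine"))
    if rule.image_endswith or rule.original_filename:
        by_image = any(image.endswith(s) for s in rule.image_endswith)
        by_ofn = ofn in rule.original_filename
        if not (by_image or by_ofn):
            return False
    if rule.cmdline_all and not all(f in cmd for f in rule.cmdline_all):
        return False
    if rule.cmdline_any and not any(f in cmd for f in rule.cmdline_any):
        return False
    return True


# Assumed selections (illustrative only; fragments are lowercase to match _low()).
RULES = (
    Rule("Potential LSASS Process Dump Via Procdump",
         image_endswith=("\\procdump.exe", "\\procdump64.exe"),
         original_filename=("procdump",),
         cmdline_all=(" -ma ", "lsass")),
    Rule("All Backups Deleted Via Wbadmin.EXE",
         image_endswith=("\\wbadmin.exe",),
         cmdline_all=("delete",),
         cmdline_any=("catalog", "-keepversions:0")),
    Rule("WMIC Remote Command Execution",
         image_endswith=("\\wmic.exe",),
         cmdline_all=("/node:", "process", "call", "create")),
)


def evaluate(events, rules=RULES):
    """Map RecordId -> list of matching rule titles, for events that hit at least one rule."""
    hits = {}
    for ev in events:
        titles = [r.title for r in rules if rule_matches(r, ev)]
        if titles:
            hits[ev["RecordId"]] = titles
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    {"RecordId": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\pd.exe",  # renamed procdump
     "OriginalFileName": "procdump",
     "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"RecordId": 2, "Image": "C:\\Windows\\System32\\wbadmin.exe",
     "OriginalFileName": "WBADMIN.EXE",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"RecordId": 3, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe",
     "CommandLine": 'wmic /node:"SRV01" process call create "cmd /c whoami > C:\\out.txt"'},
    {"RecordId": 4, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",         # benign inventory
     "OriginalFileName": "wmic.exe",
     "CommandLine": "wmic os get caption"},
    {"RecordId": 5, "Image": "C:\\Tools\\procdump.exe",                        # dump of a non-LSASS process
     "OriginalFileName": "procdump",
     "CommandLine": "procdump.exe -ma notepad.exe C:\\Temp\\n.dmp"},
)


if __name__ == "__main__":
    for record_id, titles in evaluate(SAMPLE_EVENTS).items():
        print(record_id, titles)
```

The OriginalFileName clause is the part worth keeping: the renamed procdump (pd.exe in the constructed sample) still fires because the PE header's original name survives the rename, while a match on the image path alone would miss it. The two negative samples (a plain `wmic os get caption` and a procdump of a non-LSASS process) show why the command-line fragments are required and not just the binary.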

Lace Tempest PowerShell Evidence Eraser | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Lace Tempest PowerShell Launcher | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Access to Browser Login Data | Trouble | TA0006, T1555.003 | Windows | Script Execution | September 15, 2025
Powershell Add Name Resolution Policy Table Rule | Trouble | TA0040, T1565 | Windows | Script Execution | September 15, 2025
Add Windows Capability Via PowerShell Script | Trouble | TA0002 | Windows | Script Execution | September 15, 2025
AMSI Bypass Pattern Assembly GetType | Trouble | TA0005, TA0002, T1562.001 | Windows | Script Execution | September 15, 2025
Silence.EDA Detection | Critical | TA0002, TA0011, TA0040, T1059.001 | Windows | Script Execution | September 15, 2025
Potential Data Exfiltration Via Audio File | Trouble | TA0010 | Windows | Script Execution | September 15, 2025
Automated Collection Command PowerShell | Trouble | TA0009, T1119 | Windows | Script Execution | September 15, 2025
Windows Screen Capture with CopyFromScreen | Trouble | TA0009, T1113 | Windows | Script Execution | September 15, 2025
Clearing Windows Console History | Trouble | TA0005, T1070 | Windows | Script Execution | September 15, 2025
Clear PowerShell History - PowerShell | Trouble | TA0005, T1070.003 | Windows | Script Execution | September 15, 2025
Powershell Create Scheduled Task | Trouble | TA0003, T1053.005 | Windows | Script Execution | September 15, 2025
Registry-Free Process Scope COR_PROFILER | Trouble | TA0003, T1574.012 | Windows | Script Execution | September 15, 2025
Powershell Detect Virtualization Environment | Trouble | TA0005, T1497.001 | Windows | Script Execution | September 15, 2025
Disable Powershell Command History | Trouble | TA0005, T1070.003 | Windows | Script Execution | September 15, 2025
Disable-WindowsOptionalFeature Command PowerShell | Trouble | TA0005, T1562.001 | Windows | Script Execution | September 15, 2025
Potential In-Memory Execution Using Reflection.Assembly | Trouble | TA0005, T1620 | Windows | Script Execution | September 15, 2025
Potential COM Objects Download Cradles Usage - PS Script | Trouble | TA0011, T1105 | Windows | Script Execution | September 15, 2025
Dump Credentials from Windows Credential Manager With PowerShell | Trouble | TA0006, T1555 | Windows | Script Execution | September 15, 2025
Potential Suspicious Windows Feature Enabled | Trouble | TA0005 | Windows | Script Execution | September 15, 2025
Enumerate Credentials from Windows Credential Manager With PowerShell | Trouble | TA0006, T1555 | Windows | Script Execution | September 15, 2025
Disable of ETW Trace - Powershell | Trouble | TA0005, T1070 | Windows | Script Execution | September 15, 2025
Suspicious PowerShell Mailbox SMTP Forward Rule | Trouble | TA0010 | Windows | Script Execution | September 15, 2025
Certificate Exported Via PowerShell - ScriptBlock | Trouble | TA0006, T1552.004 | Windows | Script Execution | September 15, 2025
Suspicious FromBase64String Usage On Gzip Archive - Ps Script | Trouble | TA0011, T1132.001 | Windows | Script Execution | September 15, 2025
Service Registry Permissions Weakness Check | Trouble | TA0003, T1574.011 | Windows | Script Execution | September 15, 2025
Automated Collection Bookmarks Using Get-ChildItem PowerShell | Attention | TA0007, T1217 | Windows | Script Execution | September 15, 2025
HackTool - Rubeus Execution - ScriptBlock | Trouble | TA0006, TA0008, T1003 | Windows | Script Execution | September 15, 2025
PowerShell Hotfix Enumeration | Trouble | TA0007 | Windows | Script Execution | September 15, 2025
PowerShell ICMP Exfiltration | Trouble | TA0010, T1048.003 | Windows | Script Execution | September 15, 2025
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript | Trouble | TA0003, TA0005 | Windows | Script Execution | September 15, 2025
Execute Invoke-command on Remote Host | Trouble | TA0008, T1021.006 | Windows | Script Execution | September 15, 2025
Powershell DNSExfiltration | Trouble | TA0010, T1048 | Windows | Script Execution | September 15, 2025
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | Trouble | TA0005, TA0002, T1027 | Windows | Script Execution | September 15, 2025
Invoke-Obfuscation Via Use MSHTA - PowerShell | Trouble | TA0005, TA0002, T1027 | Windows | Script Execution | September 15, 2025
Invoke-Obfuscation Via Use Rundll32 - PowerShell | Trouble | TA0005, TA0002, T1027 | Windows | Script Execution | September 15, 2025
Powershell Keylogging | Trouble | TA0009, T1056.001 | Windows | Script Execution | September 15, 2025
Powershell LocalAccount Manipulation | Trouble | TA0003, T1098 | Windows | Script Execution | September 15, 2025
Suspicious PowerShell Mailbox Export to Share - PS | Critical | TA0010 | Windows | Script Execution | September 15, 2025
Malicious PowerShell Keywords | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Live Memory Dump Using Powershell | Trouble | TA0006, T1003 | Windows | Script Execution | September 15, 2025
Powershell MsXml COM Object | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Malicious Nishang PowerShell Commandlets | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
NTFS Alternate Data Stream | Trouble | TA0005, TA0002, T1564.004 | Windows | Script Execution | September 15, 2025
Code Executed Via Office Add-in XLL File | Trouble | TA0003, T1137.006 | Windows | Script Execution | September 15, 2025
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock | Trouble | TA0006, TA0007, T1040 | Windows | Script Execution | September 15, 2025
Potential Invoke-Mimikatz PowerShell Script | Trouble | TA0006, T1003 | Windows | Script Execution | September 15, 2025
PowerShell Web Access Installation - PsScript | Trouble | TA0003, TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
PowerShell Credential Prompt | Trouble | TA0006, TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
PSAsyncShell - Asynchronous TCP Reverse Shell | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock | Trouble | TA0005, T1218 | Windows | Script Execution | September 15, 2025
PowerShell Remote Session Creation | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
PowerShell Script With File Hostname Resolving Capabilities | Trouble | TA0010, T1020 | Windows | Script Execution | September 15, 2025
Root Certificate Installed - PowerShell | Trouble | TA0005, T1553.004 | Windows | Script Execution | September 15, 2025
Suspicious Invoke-Item From Mount-DiskImage | Trouble | TA0005, T1553.005 | Windows | Script Execution | September 15, 2025
PowerShell Script With File Upload Capabilities | Attention | TA0010, T1020 | Windows | Script Execution | September 15, 2025
Powershell Sensitive File Discovery | Trouble | TA0007, T1083 | Windows | Script Execution | September 15, 2025
PowerShell Script Change Permission Via Set-Acl - PsScript | Attention | TA0005, T1222 | Windows | Script Execution | September 15, 2025
PowerShell ShellCode | Trouble | TA0005, TA0004, TA0002, T1055 | Windows | Script Execution | September 15, 2025
Malicious ShellIntel PowerShell Commandlets | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Detected Windows Software Discovery - PowerShell | Trouble | TA0007, T1518 | Windows | Script Execution | September 15, 2025
Powershell Store File In Alternate Data Stream | Trouble | TA0005, T1564.004 | Windows | Script Execution | September 15, 2025
Potential Persistence Via Security Descriptors - ScriptBlock | Trouble | TA0003, TA0005, TA0004 | Windows | Script Execution | September 15, 2025
Potential PowerShell Obfuscation Using Character Join | Attention | TA0005, TA0002, T1027 | Windows | Script Execution | September 15, 2025
Suspicious Eventlog Clear | Trouble | TA0005, T1070.001 | Windows | Script Execution | September 15, 2025
Powershell Directory Enumeration | Trouble | TA0007, T1083 | Windows | Script Execution | September 15, 2025
Suspicious PowerShell Download - Powershell Script | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Powershell Execute Batch Script | Trouble | TA0002, T1059.003 | Windows | Script Execution | September 15, 2025
Extracting Information with PowerShell | Trouble | TA0006, T1552.001 | Windows | Script Execution | September 15, 2025
Troubleshooting Pack Cmdlet Execution | Trouble | TA0005, T1202 | Windows | Script Execution | September 15, 2025
PowerShell Get-Process LSASS in ScriptBlock | Trouble | TA0006, T1003.001 | Windows | Script Execution | September 15, 2025
Suspicious GetTypeFromCLSID ShellExecute | Trouble | TA0004, TA0003, T1546.015 | Windows | Script Execution | September 15, 2025
Suspicious PowerShell Get Current User | Attention | TA0007, T1033 | Windows | Script Execution | September 15, 2025
Suspicious Process Discovery With Get-Process | Attention | TA0007, T1057 | Windows | Script Execution | September 15, 2025
Suspicious Hyper-V Cmdlets | Trouble | TA0005, T1564.006 | Windows | Script Execution | September 15, 2025
Change User Agents with WebRequest | Trouble | TA0011, T1071.001 | Windows | Script Execution | September 15, 2025
Suspicious IO.FileStream | Trouble | TA0005, T1070.003 | Windows | Script Execution | September 15, 2025
Potential Keylogger Activity | Trouble | TA0009, TA0006, T1056.001 | Windows | Script Execution | September 15, 2025
Potential Suspicious PowerShell Keywords | Trouble | TA0002, T1059.001 | Windows | Script Execution | September 15, 2025
Suspicious Get Local Groups Information - PowerShell | Attention | TA0007, T1069.001 | Windows | Script Execution | September 15, 2025
Powershell Local Email Collection | Trouble | TA0009, T1114.001 | Windows | Script Execution | September 15, 2025
PowerShell Deleted Mounted Share | Trouble | TA0005, T1070.005 | Windows | Script Execution | September 15, 2025
Suspicious Mount-DiskImage | Attention | TA0005, T1553.005 | Windows | Script Execution | September 15, 2025
Suspicious New-PSDrive to Admin Share | Trouble | TA0008, T1021.002 | Windows | Script Execution | September 15, 2025
Suspicious TCP Tunnel Via PowerShell Script | Trouble | TA0011, T1090 | Windows | Script Execution | September 15, 2025
Recon Information for Export with PowerShell | Trouble | TA0009, T1119 | Windows | Script Execution | September 15, 2025

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

TA0003 TA0005 TA0004 T1574.011 Windows Script Execution
Trouble
TA0003, TA0005, TA0004, T1574.011
Windows
Last updated: September 15, 2025
View details

Potential PowerShell Obfuscation Using Alias Cmdlets

TA0005 TA0002 T1027 Windows Script Execution
Attention
TA0005, TA0002, T1027
Windows
Last updated: September 15, 2025
View details

Suspicious Get Information for SMB Share

TA0007 T1069.001 Windows Script Execution
Attention
TA0007, T1069.001
Windows
Last updated: September 15, 2025
View details

Suspicious SSL Connection

TA0011 T1573 Windows Script Execution
Attention
TA0011, T1573
Windows
Last updated: September 15, 2025
View details

Suspicious Start-Process PassThru

TA0005 T1036.003 Windows Script Execution
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

Suspicious Unblock-File

TA0005 T1553.005 Windows Script Execution
Trouble
TA0005, T1553.005
Windows
Last updated: September 15, 2025
View details

Replace Desktop Wallpaper by Powershell

TA0040 T1491.001 Windows Script Execution
Attention
TA0040, T1491.001
Windows
Last updated: September 15, 2025
View details

Powershell Suspicious Win32_PnPEntity

TA0007 T1120 Windows Script Execution
Attention
TA0007, T1120
Windows
Last updated: September 15, 2025
View details

Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script

TA0040 T1490 Windows Script Execution
Trouble
TA0040, T1490
Windows
Last updated: September 15, 2025
View details

Suspicious PowerShell WindowStyle Option

TA0005 T1564.003 Windows Script Execution
Trouble
TA0005, T1564.003
Windows
Last updated: September 15, 2025
View details

PowerShell Write-EventLog Usage

TA0005 Windows Script Execution
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging

TA0005 T1562.001 Windows Script Execution
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Tamper Windows Defender - ScriptBlockLogging

TA0005 T1562.001 Windows Script Execution
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

HackTool - Certify Execution

TA0007 TA0006 T1649 Active Directory Process Creation
Trouble
TA0007, TA0006, T1649
Active Directory
Last updated: September 15, 2025
View details

HackTool - Certipy Execution

TA0007 TA0006 T1649 Active Directory Process Creation
Trouble
TA0007, TA0006, T1649
Active Directory
Last updated: September 15, 2025
View details

HackTool - SharpLdapWhoami Execution

TA0007 T1033 Active Directory Process Creation
Trouble
TA0007, T1033
Active Directory
Last updated: September 15, 2025
View details

HackTool - SharpView Execution

TA0007 T1049 Active Directory Process Creation
Trouble
TA0007, T1049
Active Directory
Last updated: September 15, 2025
View details

HackTool - SharpLDAPmonitor Execution

TA0007 Active Directory Process Creation
Trouble
TA0007
Active Directory
Last updated: September 15, 2025
View details

HackTool - SOAPHound Execution

TA0007 T1087 Active Directory Process Creation
Trouble
TA0007, T1087
Active Directory
Last updated: September 15, 2025
View details

HackTool - TruffleSnout Execution

TA0007 T1482 Active Directory Process Creation
Trouble
TA0007, T1482
Active Directory
Last updated: September 15, 2025
View details

HackTool - WinPwn Execution

TA0006 TA0005 TA0007 TA0002 TA0004 T1552.001 Active Directory Process Creation
Trouble
TA0006, TA0005, TA0007, TA0002, TA0004, T1552.001
Active Directory
Last updated: September 15, 2025
View details

Active Directory Structure Export Via Ldifde.EXE

TA0010 Active Directory Process Creation
Trouble
TA0010
Active Directory
Last updated: September 15, 2025
View details

Import LDAP Data Interchange Format File Via Ldifde.EXE

TA0011 TA0005 T1105 Active Directory Process Creation
Trouble
TA0011, TA0005, T1105
Active Directory
Last updated: September 15, 2025
View details

Potential Credential Dumping Via LSASS Process Clone

TA0006 T1003 Active Directory Process Creation
Critical
TA0006, T1003
Active Directory
Last updated: September 15, 2025
View details

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

TA0007 T1087.001 Active Directory Process Creation
Trouble
TA0007, T1087.001
Active Directory
Last updated: September 15, 2025
View details

Nltest.EXE Execution

TA0007 T1016 Active Directory Process Creation
Attention
TA0007, T1016
Active Directory
Last updated: September 15, 2025
View details

Potential Recon Activity Via Nltest.EXE

TA0007 T1016 Active Directory Process Creation
Trouble
TA0007, T1016
Active Directory
Last updated: September 15, 2025
View details

Network Reconnaissance Activity

TA0007 T1087 Active Directory Process Creation
Trouble
TA0007, T1087
Active Directory
Last updated: September 15, 2025
View details

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

TA0006 T1003.003 Active Directory Process Creation
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

TA0006 T1003.003 Active Directory Process Creation
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

AADInternals PowerShell Cmdlets Execution - ProccessCreation

TA0002 TA0043 TA0007 TA0006 TA0040 Active Directory Process Creation
Trouble
TA0002, TA0043, TA0007, TA0006, TA0040
Active Directory
Last updated: September 15, 2025
View details

Potential Active Directory Enumeration Using AD Module - ProcCreation

TA0043 TA0007 TA0040 Active Directory Process Creation
Trouble
TA0043, TA0007, TA0040
Active Directory
Last updated: September 15, 2025
View details

Computer Discovery And Export Via Get-ADComputer Cmdlet

TA0007 T1033 Active Directory Process Creation
Trouble
TA0007, T1033
Active Directory
Last updated: September 15, 2025
View details

DSInternals Suspicious PowerShell Cmdlets

TA0002 T1059.001 Active Directory Process Creation
Trouble
TA0002, T1059.001
Active Directory
Last updated: September 15, 2025
View details

User Discovery And Export Via Get-ADUser Cmdlet

TA0007 T1033 Active Directory Process Creation
Trouble
TA0007, T1033
Active Directory
Last updated: September 15, 2025
View details

PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

TA0007 T1087.002 Active Directory Process Creation
Trouble
TA0007, T1087.002
Active Directory
Last updated: September 15, 2025
View details

PUA - AdFind Suspicious Execution

TA0007 T1018 Active Directory Process Creation
Trouble
TA0007, T1018
Active Directory
Last updated: September 15, 2025
View details

PUA - DIT Snapshot Viewer

TA0006 T1003.003 Active Directory Process Creation
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

PUA - PingCastle Execution From Potentially Suspicious Parent

TA0043 T1595 Active Directory Process Creation
Trouble
TA0043, T1595
Active Directory
Last updated: September 15, 2025
View details

PUA - Adidnsdump Execution

TA0007 T1018 Active Directory Process Creation
Attention
TA0007, T1018
Active Directory
Last updated: September 15, 2025
View details

Modify Group Policy Settings

TA0005 TA0004 T1484.001 Active Directory Process Creation
Trouble
TA0005, TA0004, T1484.001
Active Directory
Last updated: September 15, 2025
View details

Enable LM Hash Storage - ProcCreation

TA0005 T1112 Active Directory Process Creation
Trouble
TA0005, T1112
Active Directory
Last updated: September 15, 2025
View details

Renamed AdFind Execution

TA0007 T1018 Active Directory Process Creation
Trouble
TA0007, T1018
Active Directory
Last updated: September 15, 2025
View details

Suspicious Process Patterns NTDS.DIT Exfil

TA0006 T1003.003 Active Directory Process Creation
Trouble
TA0006, T1003.003
Active Directory
Last updated: September 15, 2025
View details

Suspicious SYSVOL Domain Group Policy Access

TA0006 T1552.006 Active Directory Process Creation
Trouble
TA0006, T1552.006
Active Directory
Last updated: September 15, 2025
View details

Active Directory Database Snapshot Via ADExplorer

TA0007 T1087.002 Active Directory Process Creation
Trouble
TA0007, T1087.002
Active Directory
Last updated: September 15, 2025
View details

Suspicious Active Directory Database Snapshot Via ADExplorer

TA0007 T1087.002 Active Directory Process Creation
Trouble
TA0007, T1087.002
Active Directory
Last updated: September 15, 2025
View details

Directory Service Restore Mode(DSRM) Registry Value Tampering

TA0003 T1556 Active Directory Windows Registry Key Modification
Trouble
TA0003, T1556
Active Directory
Last updated: September 15, 2025
View details

Enable LM Hash Storage

TA0005 T1112 Active Directory Windows Registry Key Modification
Trouble
TA0005, T1112
Active Directory
Last updated: September 15, 2025
View details

DNS Server Discovery Via LDAP Query

TA0007 T1482 Active Directory Network Traffic Content
Attention
TA0007, T1482
Active Directory
Last updated: September 15, 2025
View details

ADFS Database Named Pipe Connection By Uncommon Tool

TA0009 T1005 Active Directory Named Pipe Metadata
Trouble
TA0009, T1005
Active Directory
Last updated: September 15, 2025
View details

Standard User In High Privileged Group

TA0006 TA0004 Active Directory
Trouble
TA0006, TA0004
Active Directory
Last updated: September 15, 2025
View details

ADCS Certificate Template Configuration Vulnerability

TA0004 TA0006 Active Directory Certificate Registration
Attention
TA0004, TA0006
Active Directory
Last updated: September 15, 2025
View details

ADCS Certificate Template Configuration Vulnerability with Risky EKU

TA0004 TA0006 Active Directory Certificate Registration
Trouble
TA0004, TA0006
Active Directory
Last updated: September 15, 2025
View details

Persistence and Execution at Scale via GPO Scheduled Task

TA0003 TA0008 T1053.005 Active Directory Volume Creation Active Directory Object Modification
Trouble
TA0003, TA0008, T1053.005
Active Directory
Last updated: September 15, 2025
View details

Possible Impacket SecretDump Remote Activity

TA0006 T1003.002 Active Directory Volume Creation
Trouble
TA0006, T1003.002
Active Directory
Last updated: September 15, 2025
View details

Startup/Logon Script Added to Group Policy Object

TA0004 T1484.001 Active Directory Volume Creation Active Directory Object Modification
Trouble
TA0004, T1484.001
Active Directory
Last updated: September 15, 2025
View details

Computer Password Change Via Ksetup.EXE

TA0002 Active Directory Process Creation
Trouble
TA0002
Active Directory
Last updated: September 15, 2025
View details

Logged-On User Password Change Via Ksetup.EXE

TA0002 Active Directory Process Creation
Trouble
TA0002
Active Directory
Last updated: September 15, 2025
View details

Anomalous Windows GPO Modification Outside Usual Working Hours

TA0005 TA0004 T1484 Active Directory
Critical
TA0005, TA0004, T1484
Active Directory
Last updated: September 15, 2025
View details

Suspicious Password Change on Directory Service Restore Mode (DSRM) Account

TA0003 T1098 Active Directory
Trouble
TA0003, T1098
Active Directory
Last updated: September 15, 2025
View details

AWS EC2 Deprecated AMI Discovery

TA0007 T1580 AWS Instance Enumeration
Attention
TA0007, T1580
AWS
Last updated: September 15, 2025
View details

AWS EC2 Encryption Disabled

TA0040 T1565.001 AWS Volume Modification
Trouble
TA0040, T1565.001
AWS
Last updated: September 15, 2025
View details

AWS EC2 Full Network Packet Capture Detected

TA0010 TA0009 T1020 AWS Network Connection Creation
Trouble
TA0010, TA0009, T1020
AWS
Last updated: September 15, 2025
View details

AWS EC2 Instance Connect SSH Public Key Uploaded

TA0008 TA0004 T1021.004 AWS Web Credential Creation
Trouble
TA0008, TA0004, T1021.004
AWS
Last updated: September 15, 2025
View details

AWS EC2 Network Access Control List Created

TA0003 T1133 AWS Network Connection Creation
Attention
TA0003, T1133
AWS
Last updated: September 15, 2025
View details

AWS EC2 Network Access Control List Deleted

TA0005 T1562.001 AWS Cloud Service Disable
Trouble
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

AWS EC2 Route Table Modified or Deleted

AWS
Attention
AWS
Last updated: September 15, 2025
View details

AWS EC2 Security Group Configuration Changed

TA0005 T1562.007 AWS Firewall Rule Modification
Attention
TA0005, T1562.007
AWS
Last updated: September 15, 2025
View details

AWS EC2 Snapshot Activity

TA0010 T1537 AWS Snapshot Modification
Trouble
TA0010, T1537
AWS
Last updated: September 15, 2025
View details

AWS EC2 User Data Retrieval for EC2 Instance

TA0007 TA0006 T1580 AWS Instance Enumeration
Trouble
TA0007, TA0006, T1580
AWS
Last updated: September 15, 2025
View details

AWS EC2 VM Export Failure

TA0009 TA0010 T1005 AWS Cloud Storage Creation
Attention
TA0009, TA0010, T1005
AWS
Last updated: September 15, 2025
View details

AWS EFS File System or Mount Deleted

TA0040 T1485 AWS Cloud Storage Deletion
Trouble
TA0040, T1485
AWS
Last updated: September 15, 2025
View details

AWS EventBridge Rule Disabled or Deleted

TA0040 T1489 AWS Cloud Service Disable
Attention
TA0040, T1489
AWS
Last updated: September 15, 2025
View details

AWS GuardDuty Detector Deleted

TA0005 T1562.001 AWS Service Metadata
Critical
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

AWS IAM Roles Anywhere Profile Created

TA0003 T1098.003 AWS User Account Modification
Attention
TA0003, T1098.003
AWS
Last updated: September 15, 2025
View details

AWS IAM Roles Anywhere Trust Anchor Created with External CA

TA0003 T1098.003 AWS User Account Modification
Trouble
TA0003, T1098.003
AWS
Last updated: September 15, 2025
View details

AWS IAM User Addition to Group

TA0003 T1098 AWS User Account Modification
Attention
TA0003, T1098
AWS
Last updated: September 15, 2025
View details

AWS KMS Customer Managed Key Disabled or Scheduled for Deletion

TA0040 T1485 AWS Cloud Storage Deletion
Trouble
TA0040, T1485
AWS
Last updated: September 15, 2025
View details

AWS Lambda Function Created or Updated

TA0002 T1648 AWS Cloud Service Modification
Attention
TA0002, T1648
AWS
Last updated: September 15, 2025
View details

AWS Lambda Layer Added to Existing Function

TA0002 T1648 AWS Cloud Service Modification
Attention
TA0002, T1648
AWS
Last updated: September 15, 2025
View details

AWS RDS Cluster Creation

TA0003 T1133 AWS Cloud Service Modification
Attention
TA0003, T1133
AWS
Last updated: September 15, 2025
View details

AWS RDS DB Instance or Cluster Restored

TA0005 T1578.004 AWS Cloud Service Modification
Trouble
TA0005, T1578.004
AWS
Last updated: September 15, 2025
View details

AWS RDS DB Instance or Cluster Deletion Protection Disabled

TA0040 T1485 AWS Instance Modification
Trouble
TA0040, T1485
AWS
Last updated: September 15, 2025
View details

AWS RDS DB Instance or Cluster Password Modified

TA0003 T1098.001 AWS User Account Modification
Trouble
TA0003, T1098.001
AWS
Last updated: September 15, 2025
View details

AWS RDS DB Snapshot Created

TA0005 T1578.001 AWS Snapshot Creation
Attention
TA0005, T1578.001
AWS
Last updated: September 15, 2025
View details

AWS RDS DB Snapshot Shared with Another Account

TA0010 T1537 AWS Snapshot Modification
Trouble
TA0010, T1537
AWS
Last updated: September 15, 2025
View details

AWS RDS Instance Creation

AWS
Attention
AWS
Last updated: September 15, 2025
View details

AWS RDS Instance/Cluster Stoppage

TA0040 T1489 AWS Instance Stop
Trouble
TA0040, T1489
AWS
Last updated: September 15, 2025
View details

AWS RDS Security Group Creation

TA0003 T1136.003 AWS User Account Creation
Attention
TA0003, T1136.003
AWS
Last updated: September 15, 2025
View details

AWS RDS Security Group Deletion

TA0040 T1531 AWS User Account Deletion
Attention
TA0040, T1531
AWS
Last updated: September 15, 2025
View details

AWS RDS Snapshot Deleted

TA0040 T1485 AWS Snapshot Deletion
Trouble
TA0040, T1485
AWS
Last updated: September 15, 2025
View details

AWS Redshift Cluster Creation

AWS
Attention
AWS
Last updated: September 15, 2025
View details

AWS Route Table Created

AWS
Attention
AWS
Last updated: September 15, 2025
View details

AWS S3 Bucket Configuration Deletion

TA0005 T1070 AWS Cloud Storage Modification
Attention
TA0005, T1070
AWS
Last updated: September 15, 2025
View details

AWS S3 Bucket Expiration Lifecycle Configuration Added

TA0005 T1070 AWS Cloud Storage Modification
Attention
TA0005, T1070
AWS
Last updated: September 15, 2025
View details

AWS S3 Bucket Server Access Logging Disabled

TA0005 T1562.008 AWS Cloud Storage Access
Trouble
TA0005, T1562.008
AWS
Last updated: September 15, 2025
View details

AWS S3 Object Versioning Suspended

TA0040 T1490 AWS Cloud Storage Modification
Trouble
TA0040, T1490
AWS
Last updated: September 15, 2025
View details

AWS SQS Queue Purge

TA0005 T1562.008 AWS Cloud Service Modification
Trouble
TA0005, T1562.008
AWS
Last updated: September 15, 2025
View details

AWS STS Role Assumption by Service

TA0004 TA0008 T1548 AWS User Account Authentication
Attention
TA0004, TA0008, T1548
AWS
Last updated: September 15, 2025
View details

AWS Systems Manager SecureString Parameter Request with Decryption Flag

TA0006 T1555.006 AWS Cloud Service Enumeration
Trouble
TA0006, T1555.006
AWS
Last updated: September 15, 2025
View details

AWS VPC Flow Logs Deletion

TA0005 T1562.001 AWS Cloud Service Disable
Critical
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

AWS WAF Access Control List Deletion

TA0005 T1562.001 AWS Cloud Service Disable
Trouble
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

AWS WAF Rule or Rule Group Deletion

TA0005 T1562.001 AWS Cloud Service Modification
Trouble
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

AWS CloudTrail Critical Change

TA0005 T1562.008 AWS Cloud Service Disable
Trouble
TA0005, T1562.008
AWS
Last updated: September 15, 2025
View details

LoadBalancer Security Group Modification

TA0001 T1190 AWS Group Modification
Trouble
TA0001, T1190
AWS
Last updated: September 15, 2025
View details

AWS Config Disabling Channel/Recorder

TA0005 T1562.008 AWS Cloud Service Disable
Trouble
TA0005, T1562.008
AWS
Last updated: September 15, 2025
View details

SES Identity Has Been Deleted

TA0005 T1070 AWS Cloud Service Modification
Trouble
TA0005, T1070
AWS
Last updated: September 15, 2025
View details

AWS SAML Provider Deletion Activity

TA0004 TA0040 T1078.004 AWS Cloud Service Metadata
Trouble
TA0004, TA0040, T1078.004
AWS
Last updated: September 15, 2025
View details

AWS Key Pair Import Activity

TA0001 TA0003 TA0004 T1078 AWS Web Credential Creation
Trouble
TA0001, TA0003, TA0004, T1078
AWS
Last updated: September 15, 2025
View details

AWS GuardDuty Critical Change

TA0005 T1562.001 AWS Cloud Service Modification
Trouble
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

New AWS Lambda Function URL Configuration Created

TA0001 TA0004 AWS
Trouble
TA0001, TA0004
AWS
Last updated: September 15, 2025
View details

AWS Glue Development Endpoint Activity

TA0004 AWS
Attention
TA0004
AWS
Last updated: September 15, 2025
View details

AWS S3 Data Management Tampering

TA0010 T1537 AWS Cloud Storage Modification
Attention
TA0010, T1537
AWS
Last updated: September 15, 2025
View details

AWS Suspicious SAML Activity

TA0001 TA0008 TA0004 T1078 AWS User Account Metadata
Trouble
TA0001, TA0008, TA0004, T1078
AWS
Last updated: September 15, 2025
View details

AdministratorAccess Policy Attached to User

TA0004 TA0003 T1098.003 AWS User Account Modification
Trouble
TA0004, TA0003, T1098.003
AWS
Last updated: September 15, 2025
View details

AdministratorAccess Policy Attached to Group

TA0004 TA0003 T1098.003 AWS User Account Modification
Trouble
TA0004, TA0003, T1098.003
AWS
Last updated: September 15, 2025
View details

AdministratorAccess Policy Attached to Role

TA0004 TA0003 T1098.003 AWS User Account Modification
Trouble
TA0004, TA0003, T1098.003
AWS
Last updated: September 15, 2025
View details

CloudWatch Alarm Deletion

TA0005 T1562.001 AWS Cloud Service Disable
Trouble
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

CloudWatch LogGroup Deletion

TA0040 TA0005 T1485 AWS Cloud Storage Deletion
Trouble
TA0040, TA0005, T1485
AWS
Last updated: September 15, 2025
View details

CloudWatch Log Stream Deletion

TA0040 TA0005 T1485 AWS Cloud Storage Deletion
Trouble
TA0040, TA0005, T1485
AWS
Last updated: September 15, 2025
View details

RDS Instance or Cluster Delete

TA0040 T1485 AWS Instance Deletion
Trouble
TA0040, T1485
AWS
Last updated: September 15, 2025
View details

Publicly Exposed AWS RDS Database

TA0003 T1556.009 AWS Cloud Service Modification
Trouble
TA0003, T1556.009
AWS
Last updated: September 15, 2025
View details

AWS RDS Snapshot Activity

AWS
Attention
AWS
Last updated: September 15, 2025
View details

AWS Config Resources Deletion

TA0005 T1562.001 AWS Service Metadata
Attention
TA0005, T1562.001
AWS
Last updated: September 15, 2025
View details

IAM Group Created

TA0003 T1136.003 AWS User Account Creation
Attention
TA0003, T1136.003
AWS
Last updated: September 15, 2025
View details

IAM Group Deleted

TA0040 T1531 AWS User Account Deletion
Attention
TA0040, T1531
AWS
Last updated: September 15, 2025
View details

Login to Disabled Account

TA0001 T1078.004 Microsoft 365 User Account Authentication
Trouble
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

PowerShell Sign-In Detected

TA0001 T1078.004 Microsoft 365 Logon Session Creation
Attention
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

High Risk Sign-In Detected

TA0042 T1586.003 Microsoft 365 User Account Authentication
Trouble
TA0042, T1586.003
Microsoft 365
Last updated: September 15, 2025
View details

MFA Challenge Failed During Authentication

TA0001 TA0042 TA0006 T1078.004 Microsoft 365 Application Log Content
Trouble
TA0001, TA0042, TA0006, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

External User Invited

TA0003 T1136.003 Microsoft 365 User Account Creation
Attention
TA0003, T1136.003
Microsoft 365
Last updated: September 15, 2025
View details

User ImmutableId Attribute Updated

TA0003 T1098 Microsoft 365 User Account Modification
Critical
TA0003, T1098
Microsoft 365
Last updated: September 15, 2025
View details

Authentication Method Changed for an User

TA0003 T1098 Microsoft 365 User Account Modification
Trouble
TA0003, T1098
Microsoft 365
Last updated: September 15, 2025
View details

Password Reset on Sensitive Account

TA0040 T1531 Microsoft 365 User Account Modification
Trouble
TA0040, T1531
Microsoft 365
Last updated: September 15, 2025
View details

MFA Disabled for an Account

TA0006 T1556.006 Microsoft 365 User Account Modification
Trouble
TA0006, T1556.006
Microsoft 365
Last updated: September 15, 2025
View details

Temporary Access Pass Added To An Account

TA0001 T1078.004 Microsoft 365 User Account Modification
Critical
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

Entra ID privileged role assigned

TA0003 T1098.003 Microsoft 365 User Account Modification
Trouble
TA0003, T1098.003
Microsoft 365
Last updated: September 15, 2025
View details

Privileged Identity Management Alerts Disabled

TA0005 T1562 Microsoft 365 Cloud Service Disable
Trouble
TA0005, T1562
Microsoft 365
Last updated: September 15, 2025
View details

PIM Role Configuration Changed

TA0001 T1078.004 Microsoft 365 Cloud Service Modification
Attention
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

User Added To Group With CA Policy Modification Access

TA0005 TA0003 T1548 Microsoft 365 Group Modification
Trouble
TA0005, TA0003, T1548
Microsoft 365
Last updated: September 15, 2025
View details

Added Credentials to Existing Application

TA0003 T1098.001 Microsoft 365 User Account Modification
Trouble
TA0003, T1098.001
Microsoft 365
Last updated: September 15, 2025
View details

Application ID URI Modified

TA0001 T1078.004 Microsoft 365 User Account Modification
Critical
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

Consent Granted to Application

TA0006 T1528 Microsoft 365 User Account Modification
Attention
TA0006, T1528
Microsoft 365
Last updated: September 15, 2025
View details

Application Owner Added

TA0003 T1098 Microsoft 365 User Account Modification
Attention
TA0003, T1098
Microsoft 365
Last updated: September 15, 2025
View details

Conditional Access Policy Modified

TA0004 TA0006 T1548 Microsoft 365 Cloud Service Modification
Attention
TA0004, TA0006, T1548
Microsoft 365
Last updated: September 15, 2025
View details

Elevated Mailbox Permission Assigned

TA0003 T1098.002 Microsoft 365 User Account Modification
Trouble
TA0003, T1098.002
Microsoft 365
Last updated: September 15, 2025
View details

Anti-Phishing Policy Removed

TA0001 T1566 Microsoft 365 Application Log Content
Trouble
TA0001, T1566
Microsoft 365
Last updated: September 15, 2025
View details

Anti-Phishing Rule Disabled

TA0001 T1566 Microsoft 365 Application Log Content
Trouble
TA0001, T1566
Microsoft 365
Last updated: September 15, 2025
View details

Safe Attachments Rule Disabled

TA0005 T1562 Microsoft 365 Cloud Service Disable
Trouble
TA0005, T1562
Microsoft 365
Last updated: September 15, 2025
View details

Safe Links Rule Disabled

TA0001 T1566 Microsoft 365 Cloud Service Disable
Trouble
TA0001, T1566
Microsoft 365
Last updated: September 15, 2025
View details

Malware Filter Policy Deleted

TA0005 T1562 Microsoft 365 Cloud Service Disable
Trouble
TA0005, T1562
Microsoft 365
Last updated: September 15, 2025
View details

Malware Filter Rule Disabled

TA0005 T1562 Microsoft 365 Cloud Service Disable
Trouble
TA0005, T1562
Microsoft 365
Last updated: September 15, 2025
View details

Mailbox Mail Forwarding Enabled

TA0009 T1114.003 Microsoft 365 Cloud Service Metadata
Trouble
TA0009, T1114.003
Microsoft 365
Last updated: September 15, 2025
View details

Mail Flow Rule for Forwarding Created

TA0009 T1114.003 Microsoft 365 Cloud Service Metadata
Trouble
TA0009, T1114.003
Microsoft 365
Last updated: September 15, 2025
View details

Office Executable File Uploaded

TA0008 TA0011 T1570 Microsoft 365 File Creation
Trouble
TA0008, TA0011, T1570
Microsoft 365
Last updated: September 15, 2025
View details

Anonymous Sharing Link Created

TA0009 T1213.002 Microsoft 365 File Access
Attention
TA0009, T1213.002
Microsoft 365
Last updated: September 15, 2025
View details

Sign-in Brute Force against M365 Accounts

TA0006 T1110 Microsoft 365 User Account Authentication
Critical
TA0006, T1110
Microsoft 365
Last updated: September 15, 2025
View details

Multiple Denied MFA Requests

TA0006 T1621 Microsoft 365 Application Log Content
Critical
TA0006, T1621
Microsoft 365
Last updated: September 15, 2025
View details

M365 Short Lived Accounts

TA0001 T1078.004 Microsoft 365 User Account Creation
Critical
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

Entra ID User Enabled and Password Reset

TA0003 T1098 Microsoft 365 User Account Modification
Critical
TA0003, T1098
Microsoft 365
Last updated: September 15, 2025
View details

Multiple Admin Membership Removals

TA0040 T1531 Microsoft 365 User Account Deletion
Trouble
TA0040, T1531
Microsoft 365
Last updated: September 15, 2025
View details

Global Administrator Role Addition to PIM User

TA0003 T1098 Microsoft 365 User Account Modification
Trouble
TA0003, T1098
Microsoft 365
Last updated: September 15, 2025
View details

Multiple Service Principals Created by User

TA0003 T1136.003 Microsoft 365 User Account Modification
Trouble
TA0003, T1136.003
Microsoft 365
Last updated: September 15, 2025
View details

Risky Sign-in with Device Registration

TA0001 T1078.004 Microsoft 365 User Account Modification
Trouble
TA0001, T1078.004
Microsoft 365
Last updated: September 15, 2025
View details

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
New Federated Domain Added | Trouble | TA0005, TA0004, T1484.002 | Microsoft 365 | Application Log Content | September 15, 2025
M365 DLP Compliance Policy Removed | Trouble | TA0005, T1562 | Microsoft 365 | Cloud Service Disable | September 15, 2025
Multiple Teams Deleted by a Single User | Trouble | TA0040, T1485 | Microsoft 365 | Application Log Content | September 15, 2025
External user added in Teams | Attention | TA0003, T1136 | Microsoft 365 | User Account Creation | September 15, 2025
Office 365 SharePoint File transfer above threshold | Trouble | TA0010, T1567 | Microsoft 365 | File Access | September 15, 2025
Files uploaded to Teams | Attention | TA0001, T1199 | Microsoft 365 | File Creation | September 15, 2025
Anomalous M365 Account Extended Period Without Password Reset | Critical | TA0006, T1110 | Microsoft 365 | - | September 15, 2025
Unusual Bulk Emails Sent to a Single Recipient | Attention | TA0040, T1667 | Microsoft 365 | - | September 15, 2025
Unusually High Number of M365 Login Failures | Attention | TA0006, T1110 | Microsoft 365 | - | September 15, 2025
Malicious M365 Account Deletion by Unusual Users | Attention | TA0040, T1485 | Microsoft 365 | - | September 15, 2025
Malicious M365 CA Policy Changes After Business Hours | Attention | TA0005, TA0004, T1484 | Microsoft 365 | - | September 15, 2025
Excessive M365 File Deletion at an Unusual Time | Attention | TA0040, T1485 | Microsoft 365 | - | September 15, 2025
Abnormally Excessive M365 Account Lockouts | Attention | TA0040, T1531 | Microsoft 365 | - | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
MSSQL Suspicious Successful Password Change Activity | Attention | TA0001, TA0003, TA0004, TA0005, TA0006, T1078 | SQL Server | Application Log Content | September 15, 2025
MSSQL Suspicious Failed Password Change Activity | Attention | TA0001, TA0003, TA0004, TA0005, TA0006, T1078 | SQL Server | Application Log Content | September 15, 2025
Account Added to Sysadmin Role in MSSQL | Trouble | TA0003 | SQL Server | Application Log Content | September 15, 2025
MSSQL Destructive Query | Trouble | TA0010, TA0040, T1485 | SQL Server | Application Log Content | September 15, 2025
MSSQL Disable Audit Settings | Trouble | TA0005 | SQL Server | Application Log Content | September 15, 2025
MSSQL Failed Logon | Attention | TA0006, T1110 | SQL Server | Application Log Content | September 15, 2025
MSSQL sp_procoption Set | Trouble | TA0003 | SQL Server | Application Log Content | September 15, 2025
MSSQL xp_cmdshell Suspicious Execution | Trouble | TA0002 | SQL Server | Application Log Content | September 15, 2025
MSSQL xp_cmdshell Option Change | Trouble | TA0002 | SQL Server | Application Log Content | September 15, 2025
DLL Loaded for Extended Procedures | Trouble | TA0008 | SQL Server | Application Log Content | September 15, 2025
MSSQL Server Dedicated Admin Connection (DAC) mode activated | Trouble | TA0003, T1505 | SQL Server | Application Log Content | September 15, 2025
MSSQL Server - Connection attempt using a disabled account | Trouble | TA0005, TA0003, TA0004, TA0001, T1078 | SQL Server | Application Log Content | September 15, 2025
SQL Server Lateral Movement with CLR Activation | Trouble | TA0003, T1505 | SQL Server | Application Log Content | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Rule Type | Last Updated
External Threat | Critical | - | Advanced Threat Analytics | Threat Intelligence | September 15, 2025
All Breach Data | Critical | - | Advanced Threat Analytics | Darkweb Intelligence | September 15, 2025
Dark Web Breach Data | Critical | - | Advanced Threat Analytics | Darkweb Intelligence | September 15, 2025
Botnet Leak Data | Critical | - | Advanced Threat Analytics | Darkweb Intelligence | September 15, 2025
Supply Chain Breach | Critical | - | Advanced Threat Analytics | Darkweb Intelligence | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
H3C Successive different Location Logons | Critical | - | Network | - | September 15, 2025
Check Point Privileged Command Execution Anomaly | Critical | TA0002, T1059 | Network | - | September 15, 2025
NetScreen Policy deleted during non-working hours | Attention | TA0005, T1562 | Network | - | September 15, 2025
NetScreen Policy Added during non-working hours | Attention | TA0005, T1562 | Network | - | September 15, 2025
WatchGuard Policy Deleted during non-working hours | Attention | TA0005, T1562 | Network | - | September 15, 2025
WatchGuard Policy Added during non-working hours | Attention | TA0005, T1562 | Network | - | September 15, 2025
TCP SYN Flood Attack | Trouble | TA0040, T1499 | Network | Network Traffic Flow | September 15, 2025
TCP Flood | Trouble | TA0040, T1499.001 | Network | Network Traffic Flow | September 15, 2025
UDP Flood | Trouble | TA0040, T1499.004 | Network | Network Traffic Flow | September 15, 2025
ICMP Flood | Trouble | TA0040, T1499.003 | Network | Network Traffic Flow | September 15, 2025
Large ICMP | Trouble | TA0040, T1499.003 | Network | Network Traffic Flow | September 15, 2025
IP Spoof Attack | Trouble | TA0005, T1036 | Network | Network Traffic Flow | September 15, 2025
Ping of Death | Trouble | TA0040, T1499.001 | Network | Network Traffic Flow | September 15, 2025
Teardrop Attack | Trouble | TA0040, T1499.001 | Network | Network Traffic Flow | September 15, 2025
TCP Port Scan | Trouble | TA0043, TA0007, T1595.001 | Network | Network Traffic Flow | September 15, 2025
UDP Port Scan | Trouble | TA0043, TA0007, T1595.001 | Network | Network Traffic Flow | September 15, 2025
TCP Land Attack | Trouble | TA0040, T1499.001 | Network | Network Traffic Flow | September 15, 2025
TCP SYN/FIN Attack | Trouble | TA0040, T1499.001 | Network | Network Traffic Flow | September 15, 2025
TCP Null Flag Attack | Trouble | TA0043, T1595.002 | Network | Network Traffic Flow | September 15, 2025
DoS Attack Blocked | Trouble | TA0040, T1498.001 | Network | Network Traffic Flow | September 15, 2025
Cross Site Scripting Detection | Trouble | TA0002, T1059.007 | Network | Network Traffic Content | September 15, 2025
Brute Force Login Violation | Trouble | TA0006, T1110 | Network | Network Connection Creation | September 15, 2025
Botnet Detection | Trouble | TA0011, TA0010, T1095 | Network | Network Traffic Content | September 15, 2025
ICMPv6 flood | Trouble | TA0040, T1498.001 | Network | Network Traffic Flow | September 15, 2025
Port Scan Detected | Trouble | TA0043, TA0007, T1595.001 | Network | Network Traffic Flow | September 15, 2025
IP Fragment Attack | Trouble | TA0040, T1498.001 | Network | Network Traffic Flow | September 15, 2025
Virus detected | Trouble | TA0002, TA0003, TA0005, TA0011, TA0006, TA0007, T1204.002 | Network | Network Traffic Content | September 15, 2025
Malformed IP Packet | Trouble | TA0040, TA0005, T1498.001 | Network | Network Traffic Flow | September 15, 2025
Fragmented ICMP Traffic | Trouble | TA0040, T1498.001 | Network | Network Traffic Flow | September 15, 2025
Possible Directory Traversal Attempt | Trouble | TA0009, T1213 | Network | Network Traffic Content | September 15, 2025
SMTP on Port 26/TCP | Trouble | TA0010, TA0011, T1048 | Network | Network Connection Creation | September 15, 2025
Interface flapping | Trouble | TA0008, TA0001, T1021 | Network | Network Traffic Flow | September 15, 2025
Accepted Default Telnet Port Connection | Trouble | TA0008, TA0001, T1021 | Network | Network Connection Creation | September 15, 2025
Abnormal Network Device Reboots | Trouble | TA0040, T1529 | Network | Network Traffic Flow | September 15, 2025
Potential external host enumeration via system ports | Attention | TA0007, T1018 | Network | Network Connection Creation, Process Creation, File Access, Command Execution | September 15, 2025
Abnormal number of connections on SMB or NetBIOS ports | Trouble | TA0007, T1046 | Network | Cloud Service Enumeration, Network Traffic Flow, Command Execution | September 15, 2025
Potential external port scan via system ports | Attention | TA0007, T1046 | Network | Cloud Service Enumeration, Network Traffic Flow, Command Execution | September 15, 2025
Connections from a single IP to an abnormal number of external hosts on uncommon ports | Attention | TA0011, T1095 | Network | Network Traffic Content, Network Traffic Flow | September 15, 2025
Excessive Inbound or Outbound Connections from same Source | Trouble | TA0011, TA0008, TA0010, TA0007, T1105 | Network | Cloud Service Enumeration, File Access, Command Execution, Network Traffic Content, Process Creation, Network Connection Creation, Application Log Content, Network Traffic Flow, Cloud Storage Access | September 15, 2025
Abnormal number of Connections on Telnet ports | Trouble | TA0008, T1021 | Network | Command Execution, Process Creation, Network Share Access, Module Load, Network Connection Creation, Logon Session Creation, Network Traffic Flow, WMI Creation | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
TCP FIN Only Flags | Trouble | TA0043, TA0007, T1595 | Cisco | Network Traffic Flow | September 15, 2025
FTP Improper Address Specified | Trouble | TA0001, TA0040, T1190 | Cisco | Network Traffic Content | September 15, 2025
FTP Improper Port Specified | Trouble | TA0001, T1190 | Cisco | Network Traffic Content | September 15, 2025
UDP Bomb Attack | Trouble | TA0040, T1498 | Cisco | Network Traffic Flow | September 15, 2025
UDP Snork Attack | Trouble | TA0040, T1498 | Cisco | Network Traffic Flow | September 15, 2025
UDP Chargen DoS attack | Trouble | TA0040, T1498 | Cisco | Network Traffic Flow | September 15, 2025
Proxied RPC Request | Trouble | TA0011, TA0008, T1090 | Cisco | Network Traffic Content | September 15, 2025
Statd Buffer Overflow | Trouble | TA0001, TA0002, T1190 | Cisco | Network Traffic Content | September 15, 2025
Defense Evasion by Modifying Shun List | Trouble | TA0040, T1565 | Cisco | - | September 15, 2025
MAC Spoofing Attack | Trouble | TA0005, T1036 | Cisco | Network Traffic Flow | September 15, 2025
Adversary-in-the-Middle attack | Trouble | TA0006, TA0040, T1557 | Cisco | Network Traffic Content | September 15, 2025
Cisco FTD Intrusion Event Detected | Trouble | TA0001, TA0002, T1190 | Cisco | Network Traffic Content | September 15, 2025
Cisco FTD File Malware Event Detected | Trouble | TA0002, TA0005, T1204 | Cisco | Network Traffic Content | September 15, 2025
Cisco Sniffing | Trouble | TA0006, TA0007, T1040 | Cisco | Network Traffic Flow | September 15, 2025
Cisco Critical Configurations Modified | Trouble | TA0040, TA0005, T1565 | Cisco | Network Connection Creation | September 15, 2025
Cisco File Deletion | Trouble | TA0005, TA0040, T1070.004 | Cisco | Network Traffic Content | September 15, 2025
Cisco Show Commands Input | Trouble | TA0006, T1552.003 | Cisco | Network Traffic Content | September 15, 2025
Cisco Successive different Location Logons | Critical | TA0005, T1078.004 | Cisco | - | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
PaloAlto Other IP Flood | Trouble | TA0040, T1498 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto SCTP INIT Flood | Trouble | TA0040, T1498 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto Packet Buffer Protection Packet Drop | Trouble | TA0040, T1499 | PaloAlto | Network Traffic Flow | September 15, 2025
PBP Packet Discarded | Trouble | TA0040, T1499 | PaloAlto | Network Traffic Flow | September 15, 2025
PBP IP Blocked | Trouble | TA0005, T1562 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto Flood Detection | Trouble | TA0040, T1498 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto Host Sweep | Trouble | TA0043, TA0007, T1595.001 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto Scan Detection | Trouble | TA0043, TA0007, T1595 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto FileType Detection | Trouble | TA0009, TA0005, T1119 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto IPv6 Address Violation Detected | Trouble | TA0007, T1046 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto TCP split handshake | Trouble | TA0005, T1205 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto TCP SYN packet with payload | Trouble | TA0005, TA0011, TA0002, T1036.005 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto TCP SYN-ACK packet with payload | Trouble | TA0005, TA0011, TA0002, T1036.005 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto TCP Fast Open Abuse | Trouble | TA0005, TA0040, T1562 | PaloAlto | Network Traffic Content | September 15, 2025
ICMP packets with error message | Trouble | TA0043, TA0007, T1595.001 | PaloAlto | Network Traffic Content | September 15, 2025
First packets for a TCP session that are not SYN packets | Trouble | TA0005, TA0043, T1205 | PaloAlto | Network Traffic Flow | September 15, 2025
PaloAlto Spyware Phone Home detected | Trouble | TA0011, T1071.001 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto Spyware Download detection | Trouble | TA0011, TA0002, T1105 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto URL Filtering Detection | Trouble | TA0011, T1071.001 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto Vulnerability Exploit Detection | Trouble | TA0002, T1203 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto WildFire signature detected | Trouble | TA0005, TA0002, T1027 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto DNS Botnet Detection | Trouble | TA0011, TA0010, T1071.004 | PaloAlto | Network Traffic Content | September 15, 2025
PaloAlto Data Filtering Detection | Trouble | TA0009, TA0006, T1119 | PaloAlto | Network Traffic Content | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
Fortinet policy deleted during non-working hours | Attention | TA0005, T1562 | Fortinet | - | September 15, 2025
Fortinet policy added during non-working hours | Attention | TA0005, T1562 | Fortinet | - | September 15, 2025
Fortinet Privileged Command Execution Failure Anomaly | Critical | TA0002, T1059 | Fortinet | - | September 15, 2025
TCP/UDP Signature Detection | Trouble | TA0007, TA0011, TA0002, TA0040, T1046 | Fortinet | Network Traffic Content | September 15, 2025
ICMP Signature Detection | Trouble | TA0007, TA0040, TA0011, T1046 | Fortinet | Network Traffic Content | September 15, 2025
Other IPS Signature Detection | Trouble | TA0007, TA0040, TA0011, TA0001, T1046 | Fortinet | Network Traffic Content | September 15, 2025
Malicious URL Detection | Trouble | TA0011, TA0002, T1071.001 | Fortinet | Network Traffic Content | September 15, 2025
TCP Source Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
TCP Destination Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
UDP Source Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
UDP Destination Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
ICMP Sweep | Trouble | TA0043, TA0007, T1595.001 | Fortinet | Network Traffic Flow | September 15, 2025
ICMP Source Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
ICMP Destination Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
IP Source Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
IP Destination Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
SCTP Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
SCTP Scan | Trouble | TA0043, TA0007, T1595.001 | Fortinet | Network Traffic Flow | September 15, 2025
SCTP Source Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
SCTP Destination Session Flood | Trouble | TA0040, T1498 | Fortinet | Network Traffic Flow | September 15, 2025
Traffic Blocked as ICAP Server Found Infection | Trouble | TA0002, T1203 | Fortinet | Network Traffic Content | September 15, 2025
Suspicious Content Encoding | Trouble | TA0005, TA0009, T1140 | Fortinet | Network Traffic Content | September 15, 2025
Command Blocked | Trouble | TA0002, TA0005, T1059 | Fortinet | Network Traffic Content | September 15, 2025
HTTP Flood Detection | Trouble | TA0040, T1499 | Fortinet | Network Traffic Flow | September 15, 2025
Malicious IP Detection | Trouble | TA0011, T1071 | Fortinet | Network Traffic Flow | September 15, 2025
HTTP Access Limit Violation | Trouble | TA0009, TA0001, T1114 | Fortinet | Network Traffic Flow | September 15, 2025
Generic Attacks Detection | Trouble | TA0001, T1190 | Fortinet | Network Traffic Content | September 15, 2025
Trojan Detection | Trouble | TA0002, TA0011, TA0005, T1204 | Fortinet | Network Traffic Content | September 15, 2025
Known Exploits Detection | Trouble | TA0002, T1203 | Fortinet | Network Traffic Content | September 15, 2025
FTP Command Restriction | Trouble | TA0011, TA0010, T1071.002 | Fortinet | Network Traffic Content | September 15, 2025
SQL Injection Detection | Trouble | TA0001, TA0009, T1190 | Fortinet | Network Traffic Content | September 15, 2025
FTP File Security Violation | Trouble | TA0010, T1048 | Fortinet | Network Traffic Content | September 15, 2025
Credential Stuffing Defense Violation | Trouble | TA0006, T1110.004 | Fortinet | Network Traffic Content | September 15, 2025
New Connection From A Quarantined IP address | Trouble | TA0011, T1071 | Fortinet | Network Traffic Flow | September 15, 2025
Firewall Violation Detection | Trouble | TA0005, TA0002, T1027 | Fortinet | Network Traffic Content | September 15, 2025
Fortinet Successive different Location Logons | Critical | TA0005, T1078.004 | Fortinet | - | September 15, 2025
Fortinet Appliance Auth bypass | Critical | TA0001, TA0003, T1190 | Fortinet | Network Traffic Content, Logon Session Metadata, Network Connection Creation, Application Log Content, Network Traffic Flow | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
ICMP IP Sweep Scan | Trouble | TA0043, TA0007, T1595.001 | Juniper | Network Traffic Flow | September 15, 2025
TCP SYN-ACK-ACK Proxy | Trouble | TA0011, T1090.003 | Juniper | Network Traffic Flow | September 15, 2025
TCP SYN fragmentation attack | Trouble | TA0040, T1498 | Juniper | Network Traffic Flow | September 15, 2025
TCP Winnuke Attack | Trouble | TA0040, T1499 | Juniper | Network Traffic Flow | September 15, 2025
TCP FIN without ACK Detection | Trouble | TA0043, TA0007, T1595.002 | Juniper | Network Traffic Flow | September 15, 2025
Unknown IP Protocol Detection | Trouble | TA0005, TA0043, T1562 | Juniper | Network Traffic Flow | September 15, 2025
IP Stream Option Detection | Trouble | TA0005, TA0007, T1562 | Juniper | Network Traffic Flow | September 15, 2025
IP Record Route Option Detection | Trouble | TA0007, T1046 | Juniper | Network Traffic Flow | September 15, 2025
IP Timestamp Option Detection | Trouble | TA0007, T1046 | Juniper | Network Traffic Flow | September 15, 2025
IP Security Option Detection | Trouble | TA0005, T1562 | Juniper | Network Traffic Flow | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
Suspicious DHCP Assignment Detected | Trouble | TA0007, TA0006, T1046 | Barracuda | Network Traffic Flow | September 15, 2025
Detects DNS Sinkhole address accessed | Trouble | TA0011, T1071.004 | Barracuda | Network Traffic Content | September 15, 2025
Detects Virus-Infected File Blocked by Firewall | Trouble | TA0005, TA0002, T1027 | Barracuda | Network Traffic Content | September 15, 2025
Detects User added to ATP quarantine | Trouble | TA0005, T1562 | Barracuda | Network Traffic Content | September 15, 2025
Detects ATP and malicious activities | Trouble | TA0005, TA0011, T1027 | Barracuda | Network Traffic Content | September 15, 2025
Detects Primary ATP server unreachable | Trouble | TA0040, T1499 | Barracuda | Network Traffic Flow | September 15, 2025
Detects Both ATP servers unreachable | Trouble | TA0040, T1499 | Barracuda | Network Traffic Flow | September 15, 2025
Detects Oversized SYN Packet | Trouble | TA0005, TA0011, TA0002, T1036.005 | Barracuda | Network Traffic Flow | September 15, 2025
Detects Potential SYN Flood with Spoofed IPs | Trouble | TA0040, TA0043, T1498 | Barracuda | Network Traffic Flow | September 15, 2025
Duplicate IP Detected | Trouble | TA0006, TA0005, TA0007, T1557 | Barracuda | Network Traffic Flow | September 15, 2025
Barracuda IPS Log Detection | Trouble | TA0009, TA0007, T1119 | Barracuda | Network Traffic Content | September 15, 2025
Detects Log Data Deleted | Trouble | TA0005, TA0040, T1070.001 | Barracuda | Network Traffic Content | September 15, 2025
Suspicious ARP activity detected - ARP spoofing | Trouble | TA0006, TA0007, T1557.001 | Barracuda | Network Traffic Flow | September 15, 2025

Rule Name | Severity | MITRE ATT&CK | Platform | Data Components | Last Updated
SonicWall policy deleted during non-working hours | Attention | TA0005, T1562 | SonicWall | - | September 15, 2025
SonicWall policy added during non-working hours | Attention | TA0005, T1562 | SonicWall | - | September 15, 2025
Unauthorized Sophos Firewall Rule Deletion Detected | Critical | TA0004, TA0005, TA0008, T1134 | SonicWall | - | September 15, 2025
Wireless Flood Attack | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Invalid SYN Cookie Detected | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Probable TCP Fin Scan Detected | Trouble | TA0043, TA0007, T1595.001 | SonicWall | Network Traffic Flow | September 15, 2025
Probable TCP Xmas Scan Detected | Trouble | TA0043, TA0007, T1595.001 | SonicWall | Network Traffic Flow | September 15, 2025
Probable TCP Null Scan Detected | Trouble | TA0043, TA0007, T1595.001 | SonicWall | Network Traffic Flow | September 15, 2025
TCP Xmas Tree Attack | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Possible RST Flood | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Possible FIN Flood | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Possible UDPv6 Flood Attack Detected | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Large UDP Fragmented Datagram | Trouble | TA0040, T1498.001 | SonicWall | Network Traffic Flow | September 15, 2025
Possible ARP Attack Detected | Trouble | TA0006, T1557 | SonicWall | Network Traffic Flow | September 15, 2025
Invalid IPv6 Packet Length | Trouble | TA0043, TA0005, TA0040, T1595.002 | SonicWall | Network Traffic Flow | September 15, 2025
Spank Attack | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Smurf Attack | Trouble | TA0040, T1498 | SonicWall | Network Traffic Flow | September 15, 2025
Possible SHLO replay attack | Trouble | TA0006, TA0005, T1557 | SonicWall | Network Traffic Content | September 15, 2025
DHCP IP Spoof detected | Trouble | TA0006, T1557 | SonicWall | Network Traffic Flow | September 15, 2025
DNS Rebind Attack Detected | Trouble | TA0011, T1071.004 | SonicWall | Network Traffic Content | September 15, 2025
DNS Rebind Attack Blocked | Trouble | TA0011, T1071.004 | SonicWall | Network Traffic Content | September 15, 2025
Illegal Destination | Trouble | TA0011, TA0010, TA0008, T1071 | SonicWall | Network Traffic Flow | September 15, 2025
Incomplete IGMP Fragment | Trouble | TA0040, T1498.001 | SonicWall | Network Traffic Flow | September 15, 2025
Fragmented Packet | Trouble | TA0040, T1498.001 | SonicWall | Network Traffic Flow | September 15, 2025
User Login Lockout | Trouble | TA0006, TA0040, T1110 | SonicWall | Network Connection Creation | September 15, 2025
User Login Disable | Trouble | TA0006, TA0040, T1110 | SonicWall | Network Connection Creation | September 15, 2025
Forbidden Email Attachment Disabled | Trouble | TA0001, TA0002, T1566.001 | SonicWall | Network Traffic Content | September 15, 2025
Forbidden Email Attachment Deleted | Trouble | TA0001, TA0002, T1566.001 | SonicWall | Network Traffic Content | September 15, 2025
Email Fragment Dropped | Trouble | TA0005, TA0001, TA0011, T1027 | SonicWall | Network Traffic Content | September 15, 2025
FTP Passive Attack | Trouble | TA0011, TA0010, T1071.002 | SonicWall | Network Traffic Content | September 15, 2025
FTP Port Bounce Attack | Trouble | TA0011, TA0010, T1071.002 | SonicWall | Network Traffic Content | September 15, 2025
FTP Passive Bounce Attack | Trouble | TA0011, TA0010, T1071.002 | SonicWall | Network Traffic Content | September 15, 2025
FTP Data Port Attack | Trouble | TA0011, T1071.002 | SonicWall | Network Traffic Content | September 15, 2025
External IDS | Trouble | TA0043, T1595.001 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall IDP Detection Alert | Trouble | TA0002, TA0005, T1203 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall IDP Prevention Alert | Trouble | TA0002, TA0005, T1203 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall IPS Detection Alert | Trouble | TA0002, TA0005, T1203 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall IPS Prevention Alert | Trouble | TA0002, TA0005, T1203 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall Anti-Spyware Prevention Alert | Trouble | TA0009, TA0011, TA0005, T1056.001 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall Anti-Spyware Detection Alert | Trouble | TA0009, TA0011, TA0005, T1056.001 | SonicWall | Network Traffic Content | September 15, 2025
Gateway Anti-virus Alert | Trouble | TA0002, TA0003, TA0005, T1204.002 | SonicWall | Network Traffic Content | September 15, 2025
SonicWall Successive different Location Logons | Critical | TA0005, T1078.004 | SonicWall | - | September 15, 2025

Suspicious Sophos Rule Addition

TA0005 TA0008 TA0004 T1562.004 Sophos
Attention
TA0005, TA0008, TA0004, T1562.004
Sophos
Last updated: September 15, 2025
View details

Unusual Denied Traffic Activity on Sophos

TA0007 TA0005 TA0010 T1040 Sophos
Attention
TA0007, TA0005, TA0010, T1040
Sophos
Last updated: September 15, 2025
View details

Unexpected Removal of Sophos Firewall Rule

TA0005 TA0008 TA0004 T1562.004 Sophos
Attention
TA0005, TA0008, TA0004, T1562.004
Sophos
Last updated: September 15, 2025
View details

Unexpected Modification of Sophos Firewall Rule

TA0005 TA0008 TA0004 T1562.004 Sophos
Attention
TA0005, TA0008, TA0004, T1562.004
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Anomaly Detected

TA0005 TA0007 T1027 Sophos Network Traffic Flow
Trouble
TA0005, TA0007, T1027
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Anomaly Blocked

TA0005 TA0040 T1027 Sophos Network Traffic Flow
Trouble
TA0005, TA0040, T1027
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Signature Detected

TA0002 TA0011 T1059 Sophos Network Traffic Flow
Trouble
TA0002, TA0011, T1059
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Signature Blocked

TA0002 TA0011 T1059 Sophos Network Traffic Flow
Trouble
TA0002, TA0011, T1059
Sophos
Last updated: September 15, 2025
View details

Firewall Threat Detected

TA0011 TA0002 T1071 Sophos Network Traffic Flow
Trouble
TA0011, TA0002, T1071
Sophos
Last updated: September 15, 2025
View details

DNS Threat Detected

TA0011 T1071.004 Sophos Network Traffic Flow
Trouble
TA0011, T1071.004
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Threat Detected

TA0005 TA0002 T1027 Sophos Network Traffic Flow
Trouble
TA0005, TA0002, T1027
Sophos
Last updated: September 15, 2025
View details

Web Threat Detected

TA0011 TA0002 T1071.001 Sophos Network Traffic Flow
Trouble
TA0011, TA0002, T1071.001
Sophos
Last updated: September 15, 2025
View details

Firewall Threat Blocked

TA0011 TA0002 T1071 Sophos Network Traffic Flow
Trouble
TA0011, TA0002, T1071
Sophos
Last updated: September 15, 2025
View details

DNS Threat Blocked

TA0011 T1071.004 Sophos Network Traffic Flow
Trouble
TA0011, T1071.004
Sophos
Last updated: September 15, 2025
View details

Firewall IPS Threat Blocked

TA0005 TA0002 T1027 Sophos Network Traffic Flow
Trouble
TA0005, TA0002, T1027
Sophos
Last updated: September 15, 2025
View details

Web Threat Blocked

TA0011 TA0002 T1071.001 Sophos Network Traffic Flow
Trouble
TA0011, TA0002, T1071.001
Sophos
Last updated: September 15, 2025
View details

ICMP Error Message Allowed

TA0043 TA0007 TA0011 T1595.001 Sophos Network Traffic Flow
Trouble
TA0043, TA0007, TA0011, T1595.001
Sophos
Last updated: September 15, 2025
View details

ICMP Error Message Blocked

TA0005 TA0040 T1562.004 Sophos Network Traffic Flow
Trouble
TA0005, TA0040, T1562.004
Sophos
Last updated: September 15, 2025
View details

New systems added in network

ME Applications
Critical
ME Applications
Last updated: September 15, 2025
View details

High machine temperature alerts

TA0040 T1496 ME Applications
Critical
TA0040, T1496
ME Applications
Last updated: September 15, 2025
View details

High CPU usage for a long time

TA0040 T1499 ME Applications
Critical
TA0040, T1499
ME Applications
Last updated: September 15, 2025
View details

Insider threat detection

TA0002 TA0005 T1203 ME Applications
Critical
TA0002, TA0005, T1203
ME Applications
Last updated: September 15, 2025
View details

Role Flooding Attack

TA0006 T1110 ME Applications
Critical
TA0006, T1110
ME Applications
Last updated: September 15, 2025
View details

Insecure forwarding server

TA0010 T1048.003 ME Applications
Critical
TA0010, T1048.003
ME Applications
Last updated: September 15, 2025
View details

Security Evasion-MDM

ME Applications
Critical
ME Applications
Last updated: September 15, 2025
View details

Unusual Mailbox Access

TA0003 T1671 ME Applications
Critical
TA0003, T1671
ME Applications
Last updated: September 15, 2025
View details

Suspicious software installation

TA0003 TA0004 T1546.016 Miscellaneous
Critical
TA0003, TA0004, T1546.016
Miscellaneous
Last updated: September 15, 2025
View details

Suspicious SQL backup activity

TA0009 T1005 Miscellaneous
Critical
TA0009, T1005
Miscellaneous
Last updated: September 15, 2025
View details

Security Interruption-Inventory Management

TA0005 T1562 Miscellaneous
Critical
TA0005, T1562
Miscellaneous
Last updated: September 15, 2025
View details

Security Evasion-Inventory Management

TA0005 T1202 Miscellaneous
Critical
TA0005, T1202
Miscellaneous
Last updated: September 15, 2025
View details

Brute Force

TA0006 T1110 Miscellaneous
Critical
TA0006, T1110
Miscellaneous
Last updated: September 15, 2025
View details

Excessive logon failures

TA0005 T1078.004 Miscellaneous
Critical
TA0005, T1078.004
Miscellaneous
Last updated: September 15, 2025
View details

Excessive VPN Logon Failure

TA0006 T1110 Miscellaneous
Critical
TA0006, T1110
Miscellaneous
Last updated: September 15, 2025
View details

Excessive password change failure

TA0006 T1110.001 Miscellaneous
Critical
TA0006, T1110.001
Miscellaneous
Last updated: September 15, 2025
View details

PowerShell Script Run in AppData

TA0002 T1059.001 Windows Process Creation
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

PowerShell DownloadFile

TA0002 TA0011 T1059.001 Windows Process Creation
Trouble
TA0002, TA0011, T1059.001
Windows
Last updated: September 15, 2025
View details

Suspicious X509Enrollment - Process Creation

TA0005 T1553.004 Windows Process Creation
Trouble
TA0005, T1553.004
Windows
Last updated: September 15, 2025
View details

Arbitrary File Download Via PresentationHost.EXE

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

XBAP Execution From Uncommon Locations Via PresentationHost.EXE

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution

TA0002 TA0005 T1218 Windows Process Creation
Trouble
TA0002, TA0005, T1218
Windows
Last updated: September 15, 2025
View details

File Download Using ProtocolHandler.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential Provlaunch.EXE Binary Proxy Execution Abuse

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious Provlaunch.EXE Child Process

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Screen Capture Activity Via Psr.EXE

TA0009 T1113 Windows Process Creation
Trouble
TA0009, T1113
Windows
Last updated: September 15, 2025
View details

PUA - 3Proxy Execution

TA0011 T1572 Windows Process Creation
Trouble
TA0011, T1572
Windows
Last updated: September 15, 2025
View details

PUA - AdvancedRun Execution

TA0002 TA0005 TA0004 T1059.003 Windows Process Creation
Trouble
TA0002, TA0005, TA0004, T1059.003
Windows
Last updated: September 15, 2025
View details

PUA - AdvancedRun Suspicious Execution

TA0005 TA0004 T1134.002 Windows Process Creation
Trouble
TA0005, TA0004, T1134.002
Windows
Last updated: September 15, 2025
View details

PUA - Advanced IP Scanner Execution

TA0007 T1046 Windows Process Creation
Trouble
TA0007, T1046
Windows
Last updated: September 15, 2025
View details

PUA - Advanced Port Scanner Execution

TA0007 T1046 Windows Process Creation
Trouble
TA0007, T1046
Windows
Last updated: September 15, 2025
View details

PUA - Chisel Tunneling Tool Execution

TA0011 T1090.001 Windows Process Creation
Trouble
TA0011, T1090.001
Windows
Last updated: September 15, 2025
View details

PUA - CleanWipe Execution

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

PUA - Crassus Execution

TA0007 TA0043 T1590.001 Windows Process Creation
Trouble
TA0007, TA0043, T1590.001
Windows
Last updated: September 15, 2025
View details

PUA - CsExec Execution

TA0042 TA0002 T1587.001 Windows Process Creation
Trouble
TA0042, TA0002, T1587.001
Windows
Last updated: September 15, 2025
View details

PUA - DefenderCheck Execution

TA0005 T1027.005 Windows Process Creation
Trouble
TA0005, T1027.005
Windows
Last updated: September 15, 2025
View details

PUA - Fast Reverse Proxy (FRP) Execution

TA0011 T1090 Windows Process Creation
Trouble
TA0011, T1090
Windows
Last updated: September 15, 2025
View details

PUA- IOX Tunneling Tool Execution

TA0011 T1090 Windows Process Creation
Trouble
TA0011, T1090
Windows
Last updated: September 15, 2025
View details

PUA - Mouse Lock Execution

TA0006 TA0009 T1056.002 Windows Process Creation
Trouble
TA0006, TA0009, T1056.002
Windows
Last updated: September 15, 2025
View details

PUA - Netcat Suspicious Execution

TA0011 T1095 Windows Process Creation
Trouble
TA0011, T1095
Windows
Last updated: September 15, 2025
View details

PUA - SoftPerfect Netscan Execution

TA0007 T1046 Windows Process Creation
Trouble
TA0007, T1046
Windows
Last updated: September 15, 2025
View details

PUA - Ngrok Execution

TA0011 T1572 Windows Process Creation
Trouble
TA0011, T1572
Windows
Last updated: September 15, 2025
View details

PUA - Nimgrab Execution

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

PUA - NirCmd Execution

TA0002 T1569.002 Windows Process Creation
Trouble
TA0002, T1569.002
Windows
Last updated: September 15, 2025
View details

PUA - NirCmd Execution As LOCAL SYSTEM

TA0002 T1569.002 Windows Process Creation
Trouble
TA0002, T1569.002
Windows
Last updated: September 15, 2025
View details

PUA - Nmap/Zenmap Execution

TA0007 T1046 Windows Process Creation
Trouble
TA0007, T1046
Windows
Last updated: September 15, 2025
View details

PUA - NPS Tunneling Tool Execution

TA0011 T1090 Windows Process Creation
Trouble
TA0011, T1090
Windows
Last updated: September 15, 2025
View details

PUA - NSudo Execution

TA0002 T1569.002 Windows Process Creation
Trouble
TA0002, T1569.002
Windows
Last updated: September 15, 2025
View details

PUA - Process Hacker Execution

TA0005 TA0007 TA0003 TA0004 T1622 Windows Process Creation
Trouble
TA0005, TA0007, TA0003, TA0004, T1622
Windows
Last updated: September 15, 2025
View details

PUA - Radmin Viewer Utility Execution

TA0002 TA0008 T1072 Windows Process Creation
Trouble
TA0002, TA0008, T1072
Windows
Last updated: September 15, 2025
View details

PUA - Potential PE Metadata Tamper Using Rcedit

TA0005 T1036.003 Windows Process Creation
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

PUA - Rclone Execution

TA0010 T1567.002 Windows Process Creation
Trouble
TA0010, T1567.002
Windows
Last updated: September 15, 2025
View details

PUA - RunXCmd Execution

TA0002 T1569.002 Windows Process Creation
Trouble
TA0002, T1569.002
Windows
Last updated: September 15, 2025
View details

PUA - Seatbelt Execution

TA0007 T1526 Windows Process Creation
Trouble
TA0007, T1526
Windows
Last updated: September 15, 2025
View details

PUA - System Informer Execution

TA0003 TA0004 TA0007 TA0005 T1543 Windows Process Creation
Trouble
TA0003, TA0004, TA0007, TA0005, T1543
Windows
Last updated: September 15, 2025
View details

PUA - WebBrowserPassView Execution

TA0006 T1555.003 Windows Process Creation
Trouble
TA0006, T1555.003
Windows
Last updated: September 15, 2025
View details

PUA - Wsudo Suspicious Execution

TA0002 TA0004 T1059 Windows Process Creation
Trouble
TA0002, TA0004, T1059
Windows
Last updated: September 15, 2025
View details

Python Inline Command Execution

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Python Spawning Pretty TTY on Windows

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Usage Of Qemu

TA0011 T1090 Windows Process Creation
Trouble
TA0011, T1090
Windows
Last updated: September 15, 2025
View details

QuickAssist Execution

TA0011 T1219.002 Windows Process Creation
Attention
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

Rar Usage with Password and Compression Level

TA0009 T1560.001 Windows Process Creation
Trouble
TA0009, T1560.001
Windows
Last updated: September 15, 2025
View details

Files Added To An Archive Using Rar.EXE

TA0009 T1560.001 Windows Process Creation
Attention
TA0009, T1560.001
Windows
Last updated: September 15, 2025
View details

Suspicious RASdial Activity

TA0005 TA0002 T1059 Windows Process Creation
Trouble
TA0005, TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Process Memory Dump via RdrLeakDiag.EXE

TA0006 T1003.001 Windows Process Creation
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension

TA0005 T1218.009 Windows Process Creation
Trouble
TA0005, T1218.009
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

TA0005 T1218.009 Windows Process Creation
Trouble
TA0005, T1218.009
Windows
Last updated: September 15, 2025
View details

Exports Critical Registry Keys To a File

TA0010 TA0007 T1012 Windows Process Creation
Trouble
TA0010, TA0007, T1012
Windows
Last updated: September 15, 2025
View details

Exports Registry Key To a File

TA0010 TA0007 T1012 Windows Process Creation
Attention
TA0010, TA0007, T1012
Windows
Last updated: September 15, 2025
View details

Regedit as Trusted Installer

TA0004 T1548 Windows Process Creation
Trouble
TA0004, T1548
Windows
Last updated: September 15, 2025
View details

DLL Execution Via Register-cimprovider.exe

TA0005 T1574 Windows Process Creation
Trouble
TA0005, T1574
Windows
Last updated: September 15, 2025
View details

Enumeration for 3rd Party Creds From CLI

TA0006 T1552.002 Windows Process Creation
Trouble
TA0006, T1552.002
Windows
Last updated: September 15, 2025
View details

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

TA0002 TA0005 Windows Process Creation
Trouble
TA0002, TA0005
Windows
Last updated: September 15, 2025
View details

Suspicious Debugger Registration Cmdline

TA0003 TA0004 T1546.008 Windows Process Creation
Trouble
TA0003, TA0004, T1546.008
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Logon Scripts - CommandLine

TA0003 T1037.001 Windows Process Creation
Trouble
TA0003, T1037.001
Windows
Last updated: September 15, 2025
View details

Potential Credential Dumping Attempt Using New NetworkProvider - CLI

TA0006 T1003 Windows Process Creation
Trouble
TA0006, T1003
Windows
Last updated: September 15, 2025
View details

Python Function Execution Security Warning Disabled In Excel

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Potential Provisioning Registry Key Abuse For Binary Proxy Execution

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential PowerShell Execution Policy Tampering - ProcCreation

TA0005 Windows Process Creation
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Hiding User Account Via SpecialAccounts Registry Key - CommandLine

TA0005 T1564.002 Windows Process Creation
Trouble
TA0005, T1564.002
Windows
Last updated: September 15, 2025
View details

Persistence Via TypedPaths - CommandLine

TA0003 Windows Process Creation
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Regsvr32 Commandline Flag Anomaly

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Regsvr32 HTTP IP Pattern

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Suspicious Regsvr32 Execution From Remote Share

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Child Process Of Regsvr32

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Regsvr32 Execution From Potential Suspicious Location

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Regsvr32 DLL Execution With Suspicious File Extension

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Scripting/CommandLine Process Spawned Regsvr32

TA0005 T1218.010 Windows Process Creation
Trouble
TA0005, T1218.010
Windows
Last updated: September 15, 2025
View details

Regsvr32 DLL Execution With Uncommon Extension

TA0005 TA0002 T1574 Windows Process Creation
Trouble
TA0005, TA0002, T1574
Windows
Last updated: September 15, 2025
View details

Potential Persistence Attempt Via Run Keys Using Reg.EXE

TA0003 T1547.001 Windows Process Creation
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

Add SafeBoot Keys Via Reg Utility

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Suspicious Reg Add BitLocker

TA0040 T1486 Windows Process Creation
Trouble
TA0040, T1486
Windows
Last updated: September 15, 2025
View details

Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

SafeBoot Registry Key Deleted Via Reg.EXE

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Service Registry Key Deleted Via Reg.EXE

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Desktop Background Change Using Reg.EXE

TA0005 TA0040 T1112 Windows Process Creation
Trouble
TA0005, TA0040, T1112
Windows
Last updated: September 15, 2025
View details

Direct Autorun Keys Modification

TA0003 T1547.001 Windows Process Creation
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

Security Service Disabled Via Reg.EXE

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Windows Recall Feature Enabled Via Reg.EXE

TA0009 T1113 Windows Process Creation
Trouble
TA0009, T1113
Windows
Last updated: September 15, 2025
View details

Enumeration for Credentials in Registry

TA0006 T1552.002 Windows Process Creation
Trouble
TA0006, T1552.002
Windows
Last updated: September 15, 2025
View details

Potential Suspicious Registry File Imported Via Reg.EXE

TA0005 T1112 Windows Process Creation
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

RestrictedAdminMode Registry Value Tampering - ProcCreation

TA0005 T1112 Windows Process Creation
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

LSA PPL Protection Disabled Via Reg.EXE

TA0005 T1562.010 Windows Process Creation
Trouble
TA0005, T1562.010
Windows
Last updated: September 15, 2025
View details

Suspicious Query of MachineGUID

TA0007 T1082 Windows Process Creation
Attention
TA0007, T1082
Windows
Last updated: September 15, 2025
View details

Suspicious Reg Add Open Command

TA0006 T1003 Windows Process Creation
Trouble
TA0006, T1003
Windows
Last updated: September 15, 2025
View details

Potential Configuration And Service Reconnaissance Via Reg.EXE

TA0007 T1012 Windows Process Creation
Trouble
TA0007, T1012
Windows
Last updated: September 15, 2025
View details

Potential Tampering With RDP Related Registry Keys Via Reg.EXE

TA0005 TA0008 T1112 Windows Process Creation
Trouble
TA0005, TA0008, T1112
Windows
Last updated: September 15, 2025
View details

Suspicious ScreenSave Change by Reg.exe

TA0004 T1546.002 Windows Process Creation
Trouble
TA0004, T1546.002
Windows
Last updated: September 15, 2025
View details

Changing Existing Service ImagePath Value Via Reg.EXE

TA0003 T1574.011 Windows Process Creation
Trouble
TA0003, T1574.011
Windows
Last updated: September 15, 2025
View details

Detected Windows Software Discovery

TA0007 T1518 Windows Process Creation
Trouble
TA0007, T1518
Windows
Last updated: September 15, 2025
View details

Reg Add Suspicious Paths

TA0005 T1112 Windows Process Creation
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Disabled Volume Snapshots

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Suspicious Windows Defender Registry Key Tampering Via Reg.EXE

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Write Protect For Storage Disabled

TA0005 T1562 Windows Process Creation
Trouble
TA0005, T1562
Windows
Last updated: September 15, 2025
View details

Remote Access Tool - AnyDesk Execution

TA0011 T1219.002 Windows Process Creation
Trouble
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

Testing Usage of Uncommonly Used Port

TA0011 T1571 Windows Script Execution
Trouble
TA0011, T1571
Windows
Last updated: September 15, 2025
View details

Powershell Timestomp

TA0005 T1070.006 Windows Script Execution
Trouble
TA0005, T1070.006
Windows
Last updated: September 15, 2025
View details

Abuse of Service Permissions to Hide Services Via Set-Service - PS

TA0003 TA0005 TA0004 T1574.011 Windows Script Execution
Trouble
TA0003, TA0005, TA0004, T1574.011
Windows
Last updated: September 15, 2025
View details

Veeam Backup Servers Credential Dumping Script Execution

TA0006 Windows Script Execution
Trouble
TA0006
Windows
Last updated: September 15, 2025
View details

Usage Of Web Request Commands And Cmdlets - ScriptBlock

TA0002 T1059.001 Windows Script Execution
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript

TA0005 Windows Script Execution
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

PowerShell WMI Win32_Product Install MSI

TA0005 T1218.007 Windows Script Execution
Trouble
TA0005, T1218.007
Windows
Last updated: September 15, 2025
View details

Windows Firewall Profile Disabled

TA0005 T1562.004 Windows Script Execution
Trouble
TA0005, T1562.004
Windows
Last updated: September 15, 2025
View details

Winlogon Helper DLL

TA0003 T1547.004 Windows Script Execution
Trouble
TA0003, T1547.004
Windows
Last updated: September 15, 2025
View details

Potential WinAPI Calls Via PowerShell Scripts

TA0002 T1059.001 Windows Script Execution
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Windows Defender Exclusions Added - PowerShell

TA0005 TA0002 T1562 Windows Script Execution
Trouble
TA0005, TA0002, T1562
Windows
Last updated: September 15, 2025
View details

WMImplant Hack Tool

TA0002 T1047 Windows Script Execution
Trouble
TA0002, T1047
Windows
Last updated: September 15, 2025
View details

Powershell WMI Persistence

TA0004 T1546.003 Windows Script Execution
Trouble
TA0004, T1546.003
Windows
Last updated: September 15, 2025
View details

WMIC Unquoted Services Path Lookup - PowerShell

TA0002 T1047 Windows Script Execution
Trouble
TA0002, T1047
Windows
Last updated: September 15, 2025
View details

Suspicious X509Enrollment - Ps Script

TA0005 T1553.004 Windows Script Execution
Trouble
TA0005, T1553.004
Windows
Last updated: September 15, 2025
View details

Powershell XML Execute Command

TA0002 T1059.001 Windows Script Execution
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Compress-Archive Cmdlet Execution

TA0010 TA0009 T1560 Windows Script Execution
Attention
TA0010, TA0009, T1560
Windows
Last updated: September 15, 2025
View details

Windows Mail App Mailbox Access Via PowerShell Script

TA0005 T1070.008 Windows Script Execution
Trouble
TA0005, T1070.008
Windows
Last updated: September 15, 2025
View details

SMB over QUIC Via PowerShell Script

TA0008 T1570 Windows Script Execution
Trouble
TA0008, T1570
Windows
Last updated: September 15, 2025
View details

Use Of Remove-Item to Delete File - ScriptBlock

TA0005 T1070.004 Windows Script Execution
Attention
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

WinAPI Library Calls Via PowerShell Scripts

TA0002 T1059.001 Windows Script Execution
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

WinAPI Function Calls Via PowerShell Scripts

TA0002 T1059.001 Windows Script Execution
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Diamond Sleet APT Process Activity Indicators

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Mint Sandstorm - Log4J Wstomcat Process Execution

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Potential APT Mustang Panda Activity Against Australian Gov

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)

TA0002 TA0001 T1059 Windows Process Creation
Trouble
TA0002, TA0001, T1059
Windows
Last updated: September 15, 2025
View details

Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Potential Suspicious Child Process Of 3CXDesktopApp

TA0011 TA0002 TA0005 T1218 Windows Process Creation
Trouble
TA0011, TA0002, TA0005, T1218
Windows
Last updated: September 15, 2025
View details

COLDSTEEL RAT Cleanup Command Execution

TA0003 TA0005 Windows Process Creation
Critical
TA0003, TA0005
Windows
Last updated: September 15, 2025
View details

COLDSTEEL RAT Service Persistence Execution

TA0003 TA0005 Windows Process Creation
Critical
TA0003, TA0005
Windows
Last updated: September 15, 2025
View details

DarkGate - Autoit3.EXE Execution Parameters

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

DarkGate - User Created Via Net.EXE

TA0003 T1136.001 Windows Process Creation
Trouble
TA0003, T1136.001
Windows
Last updated: September 15, 2025
View details

Griffon Malware Attack Pattern

TA0002 Windows Process Creation
Critical
TA0002
Windows
Last updated: September 15, 2025
View details

Injected Browser Process Spawning Rundll32 - GuLoader Activity

TA0005 T1055 Windows Process Creation
Trouble
TA0005, T1055
Windows
Last updated: September 15, 2025
View details

IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32

TA0005 T1218.011 Windows Process Creation
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Potential Pikabot Hollowing Activity

TA0005 T1055.012 Windows Process Creation
Trouble
TA0005, T1055.012
Windows
Last updated: September 15, 2025
View details

Qakbot Regsvr32 Calc Pattern

TA0005 TA0002 Windows Process Creation
Trouble
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

Potential Qakbot Rundll32 Execution

TA0005 TA0002 Windows Process Creation
Trouble
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

Qakbot Rundll32 Exports Execution

TA0005 TA0002 Windows Process Creation
Critical
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

Qakbot Rundll32 Fake DLL Extension Execution

TA0005 TA0002 Windows Process Creation
Critical
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

Rhadamanthys Stealer Module Launch Via Rundll32.EXE

TA0005 T1218.011 Windows Process Creation
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Rorschach Ransomware Execution Activity

TA0002 TA0005 T1059.003 Windows Process Creation
Platform: Windows. Every entry below was last updated September 15, 2025.

Rule Name | Severity | MITRE ATT&CK | Data Component
(rule name not shown above) | Critical | TA0002, TA0005, T1059.003 | (not shown above)
Potential SNAKE Malware Installation Binary Indicator | Trouble | TA0002 | Windows Process Creation
PaperCut MF/NG Exploitation Related Indicators | Trouble | TA0002 | Windows Process Creation
PaperCut MF/NG Potential Exploitation | Trouble | TA0002 | Windows Process Creation
Potential APT FIN7 Exploitation Activity | Trouble | TA0002, T1059.001 | Windows Process Creation
Forest Blizzard APT - Process Creation Activity | Trouble | TA0005, TA0002 | Windows Process Creation
Potential Exploitation of CVE-2024-37085 - Suspicious Creation Of ESX Admins Group | Trouble | TA0002 | Windows Process Creation
CVE-2024-50623 Exploitation Attempt - Cleo | Trouble | TA0002, TA0001, T1190 | Windows Process Creation
Potential KamiKakaBot Activity - Lure Document Execution | Trouble | TA0002, T1059 | Windows Process Creation
Kapeka Backdoor Persistence Activity | Trouble | TA0003, T1053.005 | Windows Process Creation
Kapeka Backdoor Execution Via RunDLL32.EXE | Trouble | TA0005, T1218.011 | Windows Process Creation
Lummac Stealer Activity - Execution Of More.com And Vbc.exe | Trouble | TA0005, T1055 | Windows Process Creation
Potential Raspberry Robin CPL Execution Activity | Trouble | TA0005, TA0002, T1218.011 | Windows Process Creation
7Zip Compressing Dump Files | Trouble | TA0009, T1560.001 | Windows Process Creation
Compress Data and Lock With Password for Exfiltration With 7-ZIP | Trouble | TA0009, T1560.001 | Windows Process Creation
Potential DLL Injection Via AccCheckConsole | Trouble | TA0002 | Windows Process Creation
Suspicious AddinUtil.EXE CommandLine Execution | Trouble | TA0005, T1218 | Windows Process Creation
Uncommon Child Process Of AddinUtil.EXE | Trouble | TA0005, T1218 | Windows Process Creation
Uncommon AddinUtil.EXE CommandLine Execution | Trouble | TA0005, T1218 | Windows Process Creation
AddinUtil.EXE Execution From Uncommon Directory | Trouble | TA0005, T1218 | Windows Process Creation
Potential Adplus.EXE Abuse | Trouble | TA0005, TA0002, TA0006, T1003.001 | Windows Process Creation
AgentExecutor PowerShell Execution | Trouble | TA0005, T1218 | Windows Process Creation
Suspicious AgentExecutor PowerShell Execution | Trouble | TA0005, T1218 | Windows Process Creation
Uncommon Child Process Of Appvlp.EXE | Trouble | TA0005, TA0002, T1218 | Windows Process Creation
AspNetCompiler Execution | Trouble | TA0005, T1127 | Windows Process Creation
Suspicious Child Process of AspNetCompiler | Trouble | TA0005, T1127 | Windows Process Creation
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler | Trouble | TA0005, T1127 | Windows Process Creation
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE | Trouble | TA0005, T1218 | Windows Process Creation
Set Suspicious Files as System Files Using Attrib.EXE | Trouble | TA0005, T1564.001 | Windows Process Creation
Interactive AT Job | Trouble | TA0004, T1053.002 | Windows Process Creation
Indirect Inline Command Execution Via Bash.EXE | Trouble | TA0005, T1202 | Windows Process Creation
Indirect Command Execution From Script File Via Bash.EXE | Trouble | TA0005, T1202 | Windows Process Creation
Boot Configuration Tampering Via Bcdedit.EXE | Trouble | TA0040, T1490 | Windows Process Creation
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE | Trouble | TA0005, TA0003, T1070 | Windows Process Creation
Data Export From MSSQL Table Via BCP.EXE | Trouble | TA0002, TA0010, T1048 | Windows Process Creation
Suspicious Child Process Of BgInfo.EXE | Trouble | TA0002, TA0005, T1059.005 | Windows Process Creation
Uncommon Child Process Of BgInfo.EXE | Trouble | TA0002, TA0005, T1059.005 | Windows Process Creation
BitLockerTogo.EXE Execution | Attention | TA0005, T1218 | Windows Process Creation
File Download Via Bitsadmin | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
Suspicious Download From Direct IP Via Bitsadmin | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
Suspicious Download From File-Sharing Website Via Bitsadmin | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
File With Suspicious Extension Downloaded Via Bitsadmin | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
File Download Via Bitsadmin To A Suspicious Target Folder | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
File Download Via Bitsadmin To An Uncommon Target Folder | Trouble | TA0005, TA0003, T1197 | Windows Process Creation
Monitoring For Persistence Via BITS | Trouble | TA0005, T1197 | Windows Process Creation
Potential Data Stealing Via Chromium Headless Debugging | Trouble | TA0006, TA0009, TA0005, T1185 | Windows Process Creation
Browser Execution In Headless Mode | Trouble | TA0011, TA0005, T1105 | Windows Process Creation
File Download with Headless Browser | Trouble | TA0011, TA0005, T1105 | Windows Process Creation
Chromium Browser Instance Executed With Custom Extension | Trouble | TA0003, T1176.001 | Windows Process Creation
Chromium Browser Headless Execution To Mockbin Like Site | Trouble | TA0002 | Windows Process Creation
Suspicious Chromium Browser Instance Executed With Custom Extension | Trouble | TA0003, T1176.001 | Windows Process Creation
File Download From Browser Process Via Inline URL | Trouble | TA0011, T1105 | Windows Process Creation
Browser Started with Remote Debugging | Trouble | TA0006, TA0009, T1185 | Windows Process Creation
Tor Client/Browser Execution | Trouble | TA0011, T1090.003 | Windows Process Creation
Suspicious Calculator Usage | Trouble | TA0005, T1036 | Windows Process Creation
Potential Binary Proxy Execution Via Cdb.EXE | Trouble | TA0002, TA0005, T1106 | Windows Process Creation
New Root Certificate Installed Via CertMgr.EXE | Trouble | TA0005, T1553.004 | Windows Process Creation
File Download via CertOC.EXE | Trouble | TA0011, T1105 | Windows Process Creation
DLL Loaded via CertOC.EXE | Trouble | TA0005, T1218 | Windows Process Creation
Potential Arbitrary Command Execution Via FTP.EXE | Trouble | TA0002, TA0005, T1059 | Windows Process Creation
Arbitrary File Download Via GfxDownloadWrapper.EXE | Trouble | TA0011, T1105 | Windows Process Creation
Suspicious Git Clone | Trouble | TA0043, T1593.003 | Windows Process Creation
Potentially Suspicious GoogleUpdate Child Process | Trouble | TA0005 | Windows Process Creation
File Decryption Using Gpg4win | Trouble | TA0002 | Windows Process Creation
File Encryption Using Gpg4win | Trouble | TA0002 | Windows Process Creation
Portable Gpg.EXE Execution | Trouble | TA0040, T1486 | Windows Process Creation
File Encryption/Decryption Via Gpg4win From Suspicious Locations | Trouble | TA0002 | Windows Process Creation
Gpresult Display Group Policy Information | Trouble | TA0007, T1615 | Windows Process Creation
Arbitrary Binary Execution Using GUP Utility | Trouble | TA0002 | Windows Process Creation
File Download Using Notepad++ GUP Utility | Trouble | TA0011, T1105 | Windows Process Creation
Suspicious GUP Usage | Trouble | TA0005, T1574.001 | Windows Process Creation
HH.EXE Execution | Attention | TA0005, T1218.001 | Windows Process Creation
Remote CHM File Download/Execution Via HH.EXE | Trouble | TA0005, T1218.001 | Windows Process Creation
HTML Help HH.EXE Suspicious Child Process | Trouble | TA0005, TA0002, TA0001, T1218 | Windows Process Creation
Suspicious HH.EXE Execution | Trouble | TA0005, TA0002, TA0001, T1218 | Windows Process Creation
HackTool - F-Secure C3 Load by Rundll32 | Critical | TA0005, T1218.011 | Windows Process Creation
Operator Bloopers Cobalt Strike Modules | Trouble | TA0002, T1059.003 | Windows Process Creation
CobaltStrike Load by Rundll32 | Trouble | TA0005, T1218.011 | Windows Process Creation
HackTool - Covenant PowerShell Launcher | Trouble | TA0002, TA0005, T1059.001 | Windows Process Creation
HackTool - DInjector PowerShell Cradle Execution | Critical | TA0005, T1055 | Windows Process Creation
HackTool - EDRSilencer Execution | Trouble | TA0005, T1562 | Windows Process Creation
HackTool - Empire PowerShell Launch Parameters | Trouble | TA0002, T1059.001 | Windows Process Creation
HackTool - Empire PowerShell UAC Bypass | Critical | TA0005, TA0004, T1548.002 | Windows Process Creation
HackTool - WinRM Access Via Evil-WinRM | Trouble | TA0008, T1021.006 | Windows Process Creation
Hacktool Execution - PE Metadata | Trouble | TA0006, TA0042, T1003 | Windows Process Creation
HackTool - GMER Rootkit Detector and Remover Execution | Trouble | TA0005 | Windows Process Creation
HackTool - HandleKatz LSASS Dumper Execution | Trouble | TA0006, T1003.001 | Windows Process Creation
HackTool - Hashcat Password Cracker Execution | Trouble | TA0006, T1110.002 | Windows Process Creation
HackTool - Htran/NATBypass Execution | Trouble | TA0011, T1090 | Windows Process Creation
HackTool - Hydra Password Bruteforce Execution | Trouble | TA0006, T1110 | Windows Process Creation
HackTool - Impacket Tools Execution | Trouble | TA0002, TA0006, T1557.001 | Windows Process Creation
HackTool - Impersonate Execution | Trouble | TA0004, TA0005, T1134.001 | Windows Process Creation
HackTool - Inveigh Execution | Critical | TA0006, T1003.001 | Windows Process Creation
Invoke-Obfuscation COMPRESS OBFUSCATION | Trouble | TA0005, TA0002, T1027 | Windows Process Creation
HackTool - Jlaive In-Memory Assembly Execution | Trouble | TA0002, T1059.003 | Windows Process Creation
HackTool - Koadic Execution | Trouble | TA0002, T1059.003 | Windows Process Creation
HackTool - KrbRelay Execution | Trouble | TA0006, T1558.003 | Windows Process Creation
HackTool - KrbRelayUp Execution | Trouble | TA0006, TA0008, T1558.003 | Windows Process Creation
HackTool - LaZagne Execution | Trouble | TA0006 | Windows Process Creation
HackTool - LocalPotato Execution | Trouble | TA0005, TA0004 | Windows Process Creation
Potential Meterpreter/CobaltStrike Activity | Trouble | TA0004, T1134.001 | Windows Process Creation
HackTool - Mimikatz Execution | Trouble | TA0006, T1003.001 | Windows Process Creation
HackTool - PCHunter Execution | Trouble | TA0002, TA0007, T1082 | Windows Process Creation
HackTool - Default PowerSploit/Empire Scheduled Task Creation | Trouble | TA0002, TA0003, TA0004, T1053.005 | Windows Process Creation
HackTool - PowerTool Execution | Trouble | TA0005, T1562.001 | Windows Process Creation
HackTool - PurpleSharp Execution | Critical | TA0042, T1587 | Windows Process Creation
HackTool - Pypykatz Credentials Dumping Activity | Trouble | TA0006, T1003.002 | Windows Process Creation
HackTool - RedMimicry Winnti Playbook Execution | Trouble | TA0002, TA0005, T1106 | Windows Process Creation
Potential SMB Relay Attack Tool Execution | Critical | TA0002, TA0006, T1557.001 | Windows Process Creation
HackTool - SafetyKatz Execution | Critical | TA0006, T1003.001 | Windows Process Creation
HackTool - SecurityXploded Execution | Critical | TA0006, T1555 | Windows Process Creation
HackTool - SharPersist Execution | Trouble | TA0003, T1053 | Windows Process Creation
HackTool - SharpEvtMute Execution | Trouble | TA0005, T1562.002 | Windows Process Creation
HackTool - SharpMove Tool Execution | Trouble | TA0008, T1021.002 | Windows Process Creation
HackTool - SharpUp PrivEsc Tool Execution | Critical | TA0004, TA0007, TA0002, T1574.005 | Windows Process Creation
HackTool - SharpWSUS/WSUSpendu Execution | Trouble | TA0002, TA0008, T1210 | Windows Process Creation
HackTool - SharpChisel Execution | Trouble | TA0011, T1090.001 | Windows Process Creation
HackTool - SharpDPAPI Execution | Trouble | TA0004, TA0005, T1134.001 | Windows Process Creation
HackTool - SharpImpersonation Execution | Trouble | TA0004, TA0005, T1134.001 | Windows Process Creation
HackTool - SILENTTRINITY Stager Execution | Trouble | TA0011, T1071 | Windows Process Creation
HackTool - Sliver C2 Implant Activity Pattern | Critical | TA0002, T1059 | Windows Process Creation
HackTool - SysmonEOP Execution | Critical | TA0004, T1068 | Windows Process Creation
HackTool - UACMe Akagi Execution | Trouble | TA0005, TA0004, T1548.002 | Windows Process Creation
HackTool - Windows Credential Editor (WCE) Execution | Critical | TA0006, T1003.001 | Windows Process Creation
HackTool - winPEAS Execution | Trouble | TA0004, TA0007, T1082 | Windows Process Creation
HackTool - Wmiexec Default Powershell Command | Trouble | TA0005, TA0008 | Windows Process Creation
HackTool - XORDump Execution | Trouble | TA0005, TA0006, T1036 | Windows Process Creation
Suspicious ZipExec Execution | Trouble | TA0002, TA0005, T1218 | Windows Process Creation
Suspicious Execution of Hostname | Attention | TA0007, T1082 | Windows Process Creation
Suspicious HWP Sub Processes | Trouble | TA0001, TA0002, T1566.001 | Windows Process Creation
Potential Fake Instance Of Hxtsr.EXE Executed | Trouble | TA0005, T1036 | Windows Process Creation
Use Icacls to Hide File to Everyone | Trouble | TA0005, T1564.001 | Windows Process Creation
File Download And Execution Via IEExec.EXE | Trouble | TA0011, T1105 | Windows Process Creation
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location | Trouble | TA0005, T1218 | Windows Process Creation
Disable Windows IIS HTTP Logging | Trouble | TA0005, T1562.002 | Windows Process Creation
Microsoft IIS Service Account Password Dumped | Trouble | TA0006, T1003 | Windows Process Creation
IIS Native-Code Module Command Line Installation | Trouble | TA0003, T1505.003 | Windows Process Creation
Suspicious IIS URL GlobalRules Rewrite Via AppCmd | Trouble | TA0005 | Windows Process Creation
Microsoft IIS Connection Strings Decryption | Trouble | TA0006, T1003 | Windows Process Creation
Suspicious IIS Module Registration | Trouble | TA0003, T1505.004 | Windows Process Creation
C# IL Code Compilation Via Ilasm.EXE | Trouble | TA0005, T1127 | Windows Process Creation
ImagingDevices Unusual Parent/Child Processes | Trouble | TA0005, TA0002 | Windows Process Creation
Arbitrary File Download Via IMEWDBLD.EXE | Trouble | TA0005, TA0002, T1218 | Windows Process Creation
InfDefaultInstall.exe .inf Execution | Trouble | TA0005, T1218 | Windows Process Creation
File Download Via InstallUtil.EXE | Trouble | TA0005, T1218 | Windows Process Creation
Suspicious Execution of InstallUtil Without Log | Trouble | TA0005 | Windows Process Creation
Suspicious Shells Spawn by Java Utility Keytool | Trouble | TA0001, TA0003, TA0004 | Windows Process Creation
Suspicious Child Process Of Manage Engine ServiceDesk | Trouble | TA0011, T1102 | Windows Process Creation
Java Running with Remote Debugging | Trouble | TA0002, T1203 | Windows Process Creation
Suspicious Processes Spawned by Java.EXE | Trouble | TA0001, TA0003, TA0004 | Windows Process Creation
Shell Process Spawned by Java.EXE | Trouble | TA0001, TA0003, TA0004 | Windows Process Creation
Suspicious SysAidServer Child | Trouble | TA0008, T1210 | Windows Process Creation
JScript Compiler Execution | Attention | TA0005, T1127 | Windows Process Creation
Kavremover Dropped Binary LOLBIN Usage | Trouble | TA0005, T1127 | Windows Process Creation
Windows Kernel Debugger Execution | Trouble | TA0005, TA0004 | Windows Process Creation
Potentially Suspicious Child Process of KeyScrambler.exe | Trouble | TA0002, TA0005, TA0004, T1203 | Windows Process Creation
Uncommon Link.EXE Parent Process | Trouble | TA0005, T1218 | Windows Process Creation
Rebuild Performance Counter Values Via Lodctr.EXE | Trouble | TA0002 | Windows Process Creation
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE | Trouble | TA0005, T1562.001 | Windows Process Creation
Narrator's Feedback-Hub Persistence | Trouble | TA0003, T1547.001 | Windows Registry Key Access/Creation/Deletion/Modification
Office Application Startup - Office Test | Trouble | TA0003, T1137.002 | Windows Registry Key Access/Creation/Deletion/Modification
Windows Registry Trust Record Modification | Trouble | TA0001, T1566.001 | Windows Registry Key Access/Creation/Deletion/Modification
New PortProxy Registry Entry Added | Trouble | TA0008, TA0005, TA0011, T1090 | Windows Registry Key Access/Creation/Deletion/Modification
WINEKEY Registry Modification | Trouble | TA0003, T1547 | Windows Registry Key Access/Creation/Deletion/Modification
Shell Open Registry Keys Manipulation | Trouble | TA0005, TA0004, T1548.002 | Windows Registry Key Access/Creation/Deletion/Modification
Potential Credential Dumping Via LSASS SilentProcessExit Technique | Critical | TA0006, T1003.001 | Windows Registry Key Access/Creation/Deletion/Modification
Security Support Provider (SSP) Added to LSA Configuration | Trouble | TA0003, T1547.005 | Windows Registry Key Access/Creation/Deletion/Modification
Sticky Key Like Backdoor Usage - Registry | Critical | TA0004, TA0003, T1546.008 | Windows Registry Key Access/Creation/Deletion/Modification
DLL Load via LSASS | Trouble | TA0002, TA0003, T1547.008 | Windows Registry Key Access/Creation/Deletion/Modification
Enable Remote Connection Between Anonymous Computer - AllowAnonymousCallback | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Registry Persistence via Service in Safe Mode | Trouble | TA0005, T1564.001 | Windows Registry Key Modification
Add Debugger Entry To AeDebug For Persistence | Trouble | TA0003 | Windows Registry Key Modification
Allow RDP Remote Assistance Feature | Trouble | TA0005, T1112 | Windows Registry Key Modification
Potential AMSI COM Server Hijacking | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Classes Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
Internet Explorer Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
Session Manager Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
System Scripts Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
WinSock2 Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
Wow6432Node Classes Autorun Keys Modification | Trouble | TA0003, T1547.001 | Windows Registry Key Modification
New BgInfo.EXE Custom DB Path Registry Configuration | Trouble | TA0005, T1112 | Windows Registry Key Modification
New BgInfo.EXE Custom VBScript Registry Configuration | Trouble | TA0005, T1112 | Windows Registry Key Modification
New BgInfo.EXE Custom WMI Query Registry Configuration | Trouble | TA0005, T1112 | Windows Registry Key Modification
Bypass UAC Using DelegateExecute | Trouble | TA0004, TA0005, T1548.002 | Windows Registry Key Modification
Bypass UAC Using Event Viewer | Trouble | TA0003, T1547.010 | Windows Registry Key Modification
Bypass UAC Using SilentCleanup Task | Trouble | TA0004, TA0005, T1548.002 | Windows Registry Key Modification
Default RDP Port Changed to Non Standard Port | Trouble | TA0003, T1547.010 | Windows Registry Key Modification
Sysmon Driver Altitude Change | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Change Winevt Channel Access Permission Via Registry | Trouble | TA0005, T1562.002 | Windows Registry Key Modification
Potential CobaltStrike Service Installations - Registry | Trouble | TA0002, TA0004, TA0008, T1569.002 | Windows Registry Key Modification
COM Hijack via Sdclt | Trouble | TA0004, T1546 | Windows Registry Key Modification
CrashControl CrashDump Disabled | Trouble | TA0005, T1564 | Windows Registry Key Modification
Service Binary in Suspicious Folder | Trouble | TA0005, T1112 | Windows Registry Key Modification
Custom File Open Handler Executes PowerShell | Trouble | TA0005, T1202 | Windows Registry Key Modification
Potential Registry Persistence Attempt Via DbgManagedDebugger | Trouble | TA0003, T1574 | Windows Registry Key Modification
Windows Defender Exclusions Added - Registry | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Potentially Suspicious Desktop Background Change Via Registry | Trouble | TA0005, TA0040, T1112 | Windows Registry Key Modification
Antivirus Filter Driver Disallowed On Dev Drive - Registry | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Hypervisor Enforced Code Integrity Disabled | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Hypervisor Enforced Paging Translation Disabled | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
DHCP Callout DLL Installation | Trouble | TA0005, T1574.001 | Windows Registry Key Modification
Disabled Windows Defender Eventlog | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Disable PUA Protection on Windows Defender | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Disable Tamper Protection on Windows Defender | Trouble | TA0005, T1562.001 | Windows Registry Key Modification
Disable Administrative Share Creation at Startup | Trouble | TA0005, T1070.005 | Windows Registry Key Modification
Potential AutoLogger Sessions Tampering | Trouble | TA0005 | Windows Registry Key Modification
Disable Microsoft Defender Firewall via Registry | Trouble | TA0005, T1562.004 | Windows Registry Key Modification
Disable Internal Tools or Feature in Registry | Trouble | TA0005, T1112 | Windows Registry Key Modification

Disable Macro Runtime Scan Scope

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Disable Privacy Settings Experience in Registry

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Disable Windows Security Center Notifications

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Registry Disable System Restore

TA0040 T1490 Windows Windows Registry Key Modification
Trouble
TA0040, T1490
Windows
Last updated: September 15, 2025
View details

Windows Defender Service Disabled - Registry

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Disable Windows Firewall by Registry

TA0005 T1562.004 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.004
Windows
Last updated: September 15, 2025
View details

Add DisallowRun Execution to Registry

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Persistence Via Disk Cleanup Handler - Autorun

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

DNS-over-HTTPS Enabled by Registry

TA0005 T1140 Windows Windows Registry Key Modification
Trouble
TA0005, T1140
Windows
Last updated: September 15, 2025
View details

New DNS ServerLevelPluginDll Installed

TA0005 T1574.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1574.001
Windows
Last updated: September 15, 2025
View details

ETW Logging Disabled In .NET Processes - Sysmon Registry

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Periodic Backup For System Registry Hives Enabled

TA0009 T1113 Windows Windows Registry Key Modification
Trouble
TA0009, T1113
Windows
Last updated: September 15, 2025
View details

Windows Recall Feature Enabled - Registry

TA0009 T1113 Windows Windows Registry Key Modification
Trouble
TA0009, T1113
Windows
Last updated: September 15, 2025
View details

Enabling COR Profiler Environment Variables

TA0003 TA0004 TA0005 T1574.012 Windows Windows Registry Key Modification
Trouble
TA0003, TA0004, TA0005, T1574.012
Windows
Last updated: September 15, 2025
View details

Scripted Diagnostics Turn Off Check Enabled - Registry

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Potential EventLog File Location Tampering

TA0005 T1562.002 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.002
Windows
Last updated: September 15, 2025
View details

Suspicious Application Allowed Through Exploit Guard

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Change the Fax Dll

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

New File Association Using Exefile

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Add Debugger Entry To Hangs Key For Persistence

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Persistence Via Hhctrl.ocx

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Registry Modification to Hidden File Extension

TA0003 T1137 Windows Windows Registry Key Modification
Trouble
TA0003, T1137
Windows
Last updated: September 15, 2025
View details

Displaying Hidden Files Feature Disabled

TA0005 T1564.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1564.001
Windows
Last updated: September 15, 2025
View details

Registry Hide Function from User

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Hide Schedule Task Via Index Value Tamper

TA0005 T1562 Windows Windows Registry Key Modification
Trouble
TA0005, T1562
Windows
Last updated: September 15, 2025
View details

Driver Added To Disallowed Images In HVCI - Registry

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Uncommon Extension In Keyboard Layout IME File Registry Value

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Suspicious Path In Keyboard Layout IME File Registry Value

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

New Root or CA or AuthRoot Certificate to Store

TA0040 T1490 Windows Windows Registry Key Modification
Trouble
TA0040, T1490
Windows
Last updated: September 15, 2025
View details

Internet Explorer DisableFirstRunCustomize Enabled

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Potential Ransomware Activity Using LegalNotice Message

TA0040 T1491.001 Windows Windows Registry Key Modification
Trouble
TA0040, T1491.001
Windows
Last updated: September 15, 2025
View details

Lolbas OneDriveStandaloneUpdater.exe Proxy Download

TA0011 T1105 Windows Windows Registry Key Modification
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Lsass Full Dump Request Via DumpType Registry Settings

TA0006 T1003.001 Windows Windows Registry Key Modification
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

RestrictedAdminMode Registry Value Tampering

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Blue Mockingbird - Registry

TA0002 TA0003 T1047 Windows Windows Registry Key Modification
Trouble
TA0002, TA0003, T1047
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Netsh Helper DLL - Registry

TA0003 T1546.007 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.007
Windows
Last updated: September 15, 2025
View details

New Netsh Helper DLL Registered From A Suspicious Location

TA0003 T1546.007 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.007
Windows
Last updated: September 15, 2025
View details

NET NGenAssemblyUsageLog Registry Key Tamper

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

New Application in AppCompat

TA0002 T1204.002 Windows Windows Registry Key Modification
Attention
TA0002, T1204.002
Windows
Last updated: September 15, 2025
View details

Potential Credential Dumping Attempt Using New NetworkProvider - REG

TA0006 T1003 Windows Windows Registry Key Modification
Trouble
TA0006, T1003
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious ODBC Driver Registered

TA0006 TA0003 T1003 Windows Windows Registry Key Modification
Trouble
TA0006, TA0003, T1003
Windows
Last updated: September 15, 2025
View details

Trust Access Disable For VBApplications

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Microsoft Office Protected View Disabled

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Python Function Execution Security Warning Disabled In Excel - Registry

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Enable Microsoft Dynamic Data Exchange

TA0002 T1559.002 Windows Windows Registry Key Modification
Trouble
TA0002, T1559.002
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

TA0003 TA0011 T1137 Windows Windows Registry Key Modification
Trouble
TA0003, TA0011, T1137
Windows
Last updated: September 15, 2025
View details

Outlook Macro Execution Without Warning Setting Enabled

TA0003 TA0011 T1137 Windows Windows Registry Key Modification
Trouble
TA0003, TA0011, T1137
Windows
Last updated: September 15, 2025
View details

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Outlook Security Settings Updated - Registry

TA0003 T1137 Windows Windows Registry Key Modification
Trouble
TA0003, T1137
Windows
Last updated: September 15, 2025
View details

Uncommon Microsoft Office Trusted Location Added

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Anomalous user account change

TA0003 TA0004 T1098 Miscellaneous
Critical
TA0003, TA0004, T1098
Miscellaneous
Last updated: September 15, 2025
View details

Multiple tables dropped

TA0040 T1485 Miscellaneous
Critical
TA0040, T1485
Miscellaneous
Last updated: September 15, 2025
View details

Repeated SQL injection attempts in DB

TA0001 T1190 Miscellaneous
Critical
TA0001, T1190
Miscellaneous
Last updated: September 15, 2025
View details

Malicious URL requests

TA0011 T1071.001 Miscellaneous
Critical
TA0011, T1071.001
Miscellaneous
Last updated: September 15, 2025
View details

Repeated SQL injection attempts

TA0001 T1190 Miscellaneous
Critical
TA0001, T1190
Miscellaneous
Last updated: September 15, 2025
View details

Repeated failed SUDO commands

TA0004 T1548.003 Miscellaneous
Critical
TA0004, T1548.003
Miscellaneous
Last updated: September 15, 2025
View details

Syslog service restarts

TA0005 T1562.002 Miscellaneous
Critical
TA0005, T1562.002
Miscellaneous
Last updated: September 15, 2025
View details

Connected App Integration Activity during non-working hours in Salesforce

TA0003 T1671 Miscellaneous
Attention
TA0003, T1671
Miscellaneous
Last updated: September 15, 2025
View details

Suspicious Bulk Data Transfer Activity in Salesforce

TA0010 T1567 Miscellaneous
Attention
TA0010, T1567
Miscellaneous
Last updated: September 15, 2025
View details

Salesforce User Management Settings Modification

TA0003 TA0004 TA0005 T1136 Miscellaneous
Attention
TA0003, TA0004, TA0005, T1136
Miscellaneous
Last updated: September 15, 2025
View details

Unix Privileged Command Execution Anomaly

TA0002 T1059 Miscellaneous Linux
Attention
TA0002, T1059
Miscellaneous
Last updated: September 15, 2025
View details

Unix Privileged Command Execution Failure Anomaly

TA0002 T1059 Miscellaneous Linux
Attention
TA0002, T1059
Miscellaneous
Last updated: September 15, 2025
View details

Anomalous Unix Password Change Activity

TA0006 T1110 Miscellaneous Linux
Critical
TA0006, T1110
Miscellaneous
Last updated: September 15, 2025
View details

Meraki Successive different Location Logons

TA0005 T1078.004 Miscellaneous
Critical
TA0005, T1078.004
Miscellaneous
Last updated: September 15, 2025
View details

Huawei Successive different Location Logons

TA0005 T1078.004 Miscellaneous
Critical
TA0005, T1078.004
Miscellaneous
Last updated: September 15, 2025
View details

IIS FTP server Privileged Command Execution Anomaly

TA0011 TA0002 T1071.002 Miscellaneous Software Development
Attention
TA0011, TA0002, T1071.002
Miscellaneous
Last updated: September 15, 2025
View details

Suspicious Password Change Activity on IIS FTP Server

TA0006 TA0005 TA0003 TA0004 TA0001 T1556.001 Miscellaneous
Attention
TA0006, TA0005, TA0003, TA0004, TA0001, T1556.001
Miscellaneous
Last updated: September 15, 2025
View details

Office Macros Warning Disabled

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

MaxMpxCt Registry Value Changed

TA0005 T1070.005 Windows Windows Registry Key Modification
Attention
TA0005, T1070.005
Windows
Last updated: September 15, 2025
View details

Potential Persistence Using DebugPath

TA0003 T1546.015 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.015
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via AppCompat RegisterAppRestart Layer

TA0003 T1546.011 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.011
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via App Paths Default Property

TA0003 T1546.012 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.012
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via AutodialDLL

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via CHM Helper DLL

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential PSFactoryBuffer COM Hijacking

TA0003 T1546.015 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.015
Windows
Last updated: September 15, 2025
View details

COM Object Hijacking Via Modification Of Default System CLSID Default Value

TA0003 T1546.015 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.015
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Event Viewer Events.asp

TA0003 TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0003, TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via GlobalFlags

TA0004 TA0003 TA0005 T1546.012 Windows Windows Registry Key Modification
Trouble
TA0004, TA0003, TA0005, T1546.012
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via LSA Extensions

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Mpnotify

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via MyComputer Registry Keys

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via DLLPathOverride

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Visual Studio Tools for Office

TA0003 T1137.006 Windows Windows Registry Key Modification
Trouble
TA0003, T1137.006
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Outlook Home Page

TA0003 T1112 Windows Windows Registry Key Modification
Trouble
TA0003, T1112
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Outlook Today Page

TA0003 T1112 Windows Windows Registry Key Modification
Trouble
TA0003, T1112
Windows
Last updated: September 15, 2025
View details

Potential WerFault ReflectDebugger Registry Value Abuse

TA0005 T1036.003 Windows Windows Registry Key Modification
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Scrobj.dll COM Hijacking

TA0003 T1546.015 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.015
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Shim Database Modification

TA0003 T1546.011 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.011
Windows
Last updated: September 15, 2025
View details

Suspicious Shim Database Patching Activity

TA0003 T1546.011 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.011
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Shim Database In Uncommon Location

TA0003 T1546.011 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.011
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via TypedPaths

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Excel Add-in - Registry

TA0003 T1137.006 Windows Windows Registry Key Modification
Trouble
TA0003, T1137.006
Windows
Last updated: September 15, 2025
View details

Potential Attachment Manager Settings Associations Tamper

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

PowerShell as a Service in Registry

TA0002 T1569.002 Windows Windows Registry Key Modification
Trouble
TA0002, T1569.002
Windows
Last updated: September 15, 2025
View details

PowerShell Script Execution Policy Enabled

TA0002 Windows Windows Registry Key Modification
Attention
TA0002
Windows
Last updated: September 15, 2025
View details

Suspicious PowerShell In Registry Run Keys

TA0003 T1547.001 Windows Windows Registry Key Modification
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

PowerShell Logging Disabled Via Registry Key Tampering

TA0005 T1564.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1564.001
Windows
Last updated: September 15, 2025
View details

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG

TA0005 T1218 Windows Windows Registry Key Modification
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

ETW Logging Disabled For rpcrt4.dll

TA0005 T1112 Windows Windows Registry Key Modification
Attention
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Command Executed Via Run Dialog Box - Registry

TA0002 T1059.001 Windows Windows Registry Key Modification
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Potential SentinelOne Shell Context Menu Scan Command Tampering

TA0003 Windows Windows Registry Key Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

ServiceDll Hijack

TA0003 TA0004 T1543.003 Windows Windows Registry Key Modification
Trouble
TA0003, TA0004, T1543.003
Windows
Last updated: September 15, 2025
View details

ETW Logging Disabled For SCM

TA0005 T1112 Windows Windows Registry Key Modification
Attention
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Registry Explorer Policy Modification

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Persistence Via New SIP Provider

TA0003 TA0005 T1553.003 Windows Windows Registry Key Modification
Trouble
TA0003, TA0005, T1553.003
Windows
Last updated: September 15, 2025
View details

Tamper With Sophos AV Registry Keys

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Hiding User Account Via SpecialAccounts Registry Key

TA0005 T1564.002 Windows Windows Registry Key Modification
Trouble
TA0005, T1564.002
Windows
Last updated: September 15, 2025
View details

Activate Suppression of Windows Security Center Notifications

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Suspicious Environment Variable Has Been Registered

TA0005 TA0003 Windows Windows Registry Key Modification
Trouble
TA0005, TA0003
Windows
Last updated: September 15, 2025
View details

Suspicious Keyboard Layout Load

TA0042 T1588.002 Windows Windows Registry Key Modification
Trouble
TA0042, T1588.002
Windows
Last updated: September 15, 2025
View details

Potential PendingFileRenameOperations Tampering

TA0005 T1036.003 Windows Windows Registry Key Modification
Trouble
TA0005, T1036.003
Windows
Last updated: September 15, 2025
View details

Suspicious Printer Driver Empty Manufacturer

TA0004 T1574 Windows Windows Registry Key Modification
Trouble
TA0004, T1574
Windows
Last updated: September 15, 2025
View details

Registry Persistence via Explorer Run Key

TA0003 T1547.001 Windows Windows Registry Key Modification
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

New RUN Key Pointing to Suspicious Folder

TA0003 T1547.001 Windows Windows Registry Key Modification
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

Modify User Shell Folders Startup Value

TA0003 TA0004 T1547.001 Windows Windows Registry Key Modification
Trouble
TA0003, TA0004, T1547.001
Windows
Last updated: September 15, 2025
View details

Potential Registry Persistence Attempt Via Windows Telemetry

TA0003 T1053.005 Windows Windows Registry Key Modification
Trouble
TA0003, T1053.005
Windows
Last updated: September 15, 2025
View details

RDP Sensitive Settings Changed to Zero

TA0005 TA0003 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, TA0003, T1112
Windows
Last updated: September 15, 2025
View details

New TimeProviders Registered With Uncommon DLL Name

TA0003 TA0004 T1547.003 Windows Windows Registry Key Modification
Trouble
TA0003, TA0004, T1547.003
Windows
Last updated: September 15, 2025
View details

Old TLS1.0/TLS1.1 Protocol Version Enabled

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

COM Hijacking via TreatAs

TA0003 T1546.015 Windows Windows Registry Key Modification
Trouble
TA0003, T1546.015
Windows
Last updated: September 15, 2025
View details

Potential Signing Bypass Via Windows Developer Features - Registry

TA0005 Windows Windows Registry Key Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

UAC Bypass via Event Viewer

TA0005 TA0004 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0005, TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

UAC Bypass Abusing Winsat Path Parsing - Registry

TA0005 TA0004 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0005, TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

UAC Bypass Using Windows Media Player - Registry

TA0005 TA0004 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0005, TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

UAC Disabled

TA0004 TA0005 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0004, TA0005, T1548.002
Windows
Last updated: September 15, 2025
View details

UAC Notification Disabled

TA0004 TA0005 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0004, TA0005, T1548.002
Windows
Last updated: September 15, 2025
View details

UAC Secure Desktop Prompt Disabled

TA0004 TA0005 T1548.002 Windows Windows Registry Key Modification
Trouble
TA0004, TA0005, T1548.002
Windows
Last updated: September 15, 2025
View details

VBScript Payload Stored in Registry

TA0003 T1547.001 Windows Windows Registry Key Modification
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

Execution DLL of Choice Using WAB.EXE

TA0005 T1218 Windows Windows Registry Key Modification
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Wdigest Enable UseLogonCredential

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Disable Windows Defender Functionalities Via Registry Keys

TA0005 T1562.001 Windows Windows Registry Key Modification
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

Enable Local Manifest Installation With Winget

TA0005 TA0003 Windows Windows Registry Key Modification
Trouble
TA0005, TA0003
Windows
Last updated: September 15, 2025
View details

Winlogon AllowMultipleTSSessions Enable

TA0003 TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0003, TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Winlogon Notify Key Logon Persistence

TA0003 T1547.004 Windows Windows Registry Key Modification
Trouble
TA0003, T1547.004
Windows
Last updated: September 15, 2025
View details

Scheduled Task Created - Registry

TA0002 TA0003 TA0004 T1053.005 Windows Windows Registry Key Access Windows Registry Key Creation Windows Registry Key Deletion Windows Registry Key Modification
Attention
TA0002, TA0003, TA0004, T1053.005
Windows
Last updated: September 15, 2025
View details

Microsoft Office Trusted Location Updated

TA0005 T1112 Windows Windows Registry Key Modification
Trouble
TA0005, T1112
Windows
Last updated: September 15, 2025
View details

Command Executed Via Run Dialog Box - Registry

TA0002 Windows Windows Registry Key Modification
Attention
TA0002
Windows
Last updated: September 15, 2025
View details

Shell Context Menu Command Tampering

TA0003 Windows Windows Registry Key Modification
Attention
TA0003
Windows
Last updated: September 15, 2025
View details

Remote Thread Created In KeePass.EXE

TA0006 T1555.005 Windows Process Modification
Trouble
TA0006, T1555.005
Windows
Last updated: September 15, 2025
View details

Remote Thread Creation In Mstsc.Exe From Suspicious Location

TA0006 Windows Process Modification
Trouble
TA0006
Windows
Last updated: September 15, 2025
View details

Potential Credential Dumping Attempt Via PowerShell Remote Thread

TA0006 T1003.001 Windows Process Modification
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

Remote Thread Creation Via PowerShell In Uncommon Target

TA0005 TA0002 T1218.011 Windows Process Modification
Trouble
TA0005, TA0002, T1218.011
Windows
Last updated: September 15, 2025
View details

Rare Remote Thread Creation By Uncommon Source Image

TA0004 TA0005 T1055 Windows Process Modification
Trouble
TA0004, TA0005, T1055
Windows
Last updated: September 15, 2025
View details

Remote Thread Created In Shell Application

TA0005 T1055 Windows Process Modification
Trouble
TA0005, T1055
Windows
Last updated: September 15, 2025
View details

Remote Thread Creation In Uncommon Target Image

TA0005 TA0004 T1055.003 Windows Process Modification
Trouble
TA0005, TA0004, T1055.003
Windows
Last updated: September 15, 2025
View details

Remote Thread Creation Ttdinject.exe Proxy

TA0005 T1127 Windows Process Modification
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

DNS Query for Anonfiles.com Domain - Sysmon

TA0010 T1567.002 Windows Network Traffic Content
Trouble
TA0010, T1567.002
Windows
Last updated: September 15, 2025
View details

AppX Package Installation Attempts Via AppInstaller.EXE

TA0011 T1105 Windows Network Traffic Content
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Cloudflared Tunnels Related DNS Requests

TA0011 T1071.001 Windows Network Traffic Content
Trouble
TA0011, T1071.001
Windows
Last updated: September 15, 2025
View details

DNS Query To Devtunnels Domain

TA0011 T1071.001 Windows Network Traffic Content
Trouble
TA0011, T1071.001
Windows
Last updated: September 15, 2025
View details

DNS HybridConnectionManager Service Bus

TA0003 T1554 Windows Network Traffic Content
Trouble
TA0003, T1554
Windows
Last updated: September 15, 2025
View details

Suspicious Cobalt Strike DNS Beaconing - Sysmon

TA0011 T1071.004 Windows Network Traffic Content
Critical
TA0011, T1071.004
Windows
Last updated: September 15, 2025
View details

DNS Query To MEGA Hosting Website

TA0010 T1567.002 Windows Network Traffic Content
Trouble
TA0010, T1567.002
Windows
Last updated: September 15, 2025
View details

DNS Query Request To OneLaunch Update Service

TA0009 T1056 Windows Network Traffic Content
Attention
TA0009, T1056
Windows
Last updated: September 15, 2025
View details

DNS Query Request By QuickAssist.EXE

TA0011 TA0001 TA0008 T1071.001 Windows Network Traffic Content
Attention
TA0011, TA0001, TA0008, T1071.001
Windows
Last updated: September 15, 2025
View details

DNS Query Request By Regsvr32.EXE

TA0002 TA0005 T1559.001 Windows Network Traffic Content
Trouble
TA0002, TA0005, T1559.001
Windows
Last updated: September 15, 2025
View details

Suspicious DNS Query for IP Lookup Service APIs

TA0043 T1590 Windows Network Traffic Content
Trouble
TA0043, T1590
Windows
Last updated: September 15, 2025
View details

TeamViewer Domain Query By Non-TeamViewer Application

TA0011 T1219.002 Windows Network Traffic Content
Trouble
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

DNS Query Tor .Onion Address - Sysmon

TA0011 T1090.003 Windows Network Traffic Content
Trouble
TA0011, T1090.003
Windows
Last updated: September 15, 2025
View details

DNS Query To Ufile.io

TA0010 T1567.002 Windows Network Traffic Content
Attention
TA0010, T1567.002
Windows
Last updated: September 15, 2025
View details

DNS Query To Visual Studio Code Tunnels Domain

TA0011 T1071.001 Windows Network Traffic Content
Trouble
TA0011, T1071.001
Windows
Last updated: September 15, 2025
View details

Data component: Named Pipe Metadata (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK
CobaltStrike Named Pipe | Critical | TA0005, TA0004, T1055
CobaltStrike Named Pipe Patterns | Trouble | TA0005, TA0004, T1055
HackTool - CoercedPotato Named Pipe Creation | Trouble | TA0005, TA0004, T1055
HackTool - DiagTrackEoP Default Named Pipe | Critical | TA0004
HackTool - EfsPotato Named Pipe Creation | Trouble | TA0005, TA0004, T1055
HackTool - Credential Dumping Tools Named Pipe Created | Critical | TA0006, T1003.001

Data component: Process Creation (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK
Service Started/Stopped Via Wmic.EXE | Trouble | TA0002, T1047
Potential SquiblyTwo Technique Execution | Trouble | TA0005, TA0002, T1220
Suspicious WMIC Execution Via Office Process | Trouble | TA0002, TA0005, T1204.002
Suspicious Process Created Via Wmic.EXE | Trouble | TA0002, T1047
Application Terminated Via Wmic.EXE | Trouble | TA0002, T1047
Application Removed Via Wmic.EXE | Trouble | TA0002, T1047
Potential Tampering With Security Products Via WMIC | Trouble | TA0005, T1562.001
XSL Script Execution Via WMIC.EXE | Trouble | TA0005, T1220
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell | Trouble | TA0002, T1047
Suspicious WmiPrvSE Child Process | Trouble | TA0002, TA0005, T1047
WMI Backdoor Exchange Transport Agent | Critical | TA0003, T1546.003
UEFI Persistence Via Wpbbin - ProcessCreation | Trouble | TA0003, TA0005, T1542.001
Potential Dropper Script Execution Via WScript/CScript | Trouble | TA0002, T1059.005
Cscript/Wscript Potentially Suspicious Child Process | Trouble | TA0002
Cscript/Wscript Uncommon Script Extension Execution | Trouble | TA0002, T1059.005
WSL Child Process Anomaly | Trouble | TA0002, TA0005, T1218
Proxy Execution Via Wuauclt.EXE | Trouble | TA0005, TA0002, T1218
Suspicious Windows Update Agent Empty Cmdline | Trouble | TA0005, T1036
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths | Trouble | TA0002
Wusa.EXE Executed By Parent Process Located In Suspicious Location | Trouble | TA0002
Xwizard.EXE Execution From Non-Default Location | Trouble | TA0005, T1574.001
Password Protected Compressed File Extraction Via 7Zip | Attention | TA0009, T1560.001
Set Files as System Files Using Attrib.EXE | Attention | TA0005, T1564.001
Potential BOINC Software Execution (UC-Berkeley Signature) | Attention | TA0002, TA0005, T1553
CMD Shell Output Redirect | Attention | TA0007, T1082
Potential File Override/Append Via SET Command | Attention | TA0002, TA0005
Headless Process Launched Via Conhost.EXE | Trouble | TA0005, TA0002, T1059.001
Dynamic .NET Compilation Via Csc.EXE - Hunting | Trouble | TA0005, T1027.004
File Download Via Curl.EXE | Trouble | TA0011, T1105
Curl.EXE Execution | Attention | TA0011, T1105
Curl.EXE Execution With Custom UserAgent | Trouble | TA0011, T1071.001
Diskshadow Child Process Spawned | Trouble | TA0005, TA0002, T1218
Diskshadow Script Mode Execution | Trouble | TA0005, TA0002, T1218
Potential Proxy Execution Via Explorer.EXE From Shell Process | Attention | TA0005, T1218
Potential DLL Sideloading Activity Via ExtExport.EXE | Trouble | TA0005, T1218
Potential Password Reconnaissance Via Findstr.EXE | Trouble | TA0006, T1552.001
New Self Extracting Package Created Via IExpress.EXE | Trouble | TA0005, T1218
Microsoft Workflow Compiler Execution | Trouble | TA0005, TA0002, T1127
Net.EXE Execution | Attention | TA0007, TA0008, T1007
SMB over QUIC Via Net.EXE | Trouble | TA0008, T1570
Suspicious New Instance Of An Office COM Object | Trouble | TA0002, TA0005
Invocation Of Crypto-Classes From The Cryptography PowerShell Namespace | Trouble | TA0002, TA0005, T1059.001
Import New Module Via PowerShell CommandLine | Attention | TA0002
New Windows Firewall Rule Added Via New-NetFirewallRule Cmdlet | Attention | TA0005, T1562.004
Potentially Suspicious PowerShell Child Processes | Trouble | TA0002, T1059.001
Regsvr32.EXE Calling of DllRegisterServer Export Function Implicitly | Trouble | TA0005, T1218
Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions | Trouble | TA0011, T1219.002
Remote Access Tool - Cmd.EXE Execution via AnyViewer | Trouble | TA0002, TA0003
Remote Access Tool - ScreenConnect Remote Command Execution - Hunting | Trouble | TA0002
DLL Call by Ordinal Via Rundll32.EXE | Trouble | TA0005, T1218.011
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly | Trouble | TA0005, T1218
Scheduled Task Creation From Potential Suspicious Parent Location | Trouble | TA0002, T1053.005
SC.EXE Query Execution | Attention | TA0007, T1007
Potential CommandLine Obfuscation Using Unicode Characters | Trouble | TA0005, T1027
EventLog Query Requests By Builtin Utilities | Trouble | TA0006, T1552
Potential Suspicious Execution From GUID Like Folder Names | Attention | TA0005, T1027
Execution From Webserver Root Folder | Trouble | TA0003, T1505.003
Tunneling Tool Execution | Trouble | TA0010, TA0011, T1041
File or Folder Permissions Modifications | Trouble | TA0005, T1222.001
Process Terminated Via Taskkill | Attention | TA0040, T1489
Suspicious Tasklist Discovery Command | Attention | TA0007, T1057
System Information Discovery Via Wmic.EXE | Attention | TA0007, T1082
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript | Trouble | TA0002, T1059.005
Arbitrary Command Execution Using WSL | Trouble | TA0002, TA0005, T1218
Cab File Extraction Via Wusa.EXE | Trouble | TA0002

Data component: Process Access (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK
LSASS Memory Access by Tool With Dump Keyword In Name | Trouble | TA0006, T1003.001
Remote LSASS Process Access Through Windows Remote Management | Trouble | TA0006, TA0002, TA0008, T1003.001
Suspicious LSASS Access Via MalSecLogon | Trouble | TA0006, T1003.001
Credential Dumping Attempt Via WerFault | Trouble | TA0006, T1003.001
Uncommon Process Access Rights For Target Image | Attention | TA0005, TA0004, T1055.011
Potential Credential Dumping Attempt Via PowerShell | Trouble | TA0006, T1003.001
View details

Data component: Windows Registry Key events (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK | Registry data components
Diamond Sleet APT Scheduled Task Creation - Registry | Trouble | TA0005, T1562 | Access, Creation, Deletion, Modification
SNAKE Malware Covert Store Registry Key | Trouble | TA0003 | Access, Creation, Deletion, Modification
Outlook Task/Note Reminder Received | Attention | TA0003, T1137 | Modification
Potential COLDSTEEL RAT Windows User Creation | Trouble | TA0003 | Modification
Potential Encrypted Registry Blob Related To SNAKE Malware | Trouble | TA0003 | Modification
Forest Blizzard APT - Custom Protocol Handler Creation | Trouble | TA0003, T1547.001 | Modification
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set | Trouble | TA0003, T1547.001 | Modification
Potential KamiKakaBot Activity - Winlogon Shell Persistence | Trouble | TA0003, T1547.001 | Modification
Kapeka Backdoor Configuration Persistence | Trouble | TA0003, TA0005, T1553.003 | Modification
Potential NetWire RAT Activity - Registry | Trouble | TA0005, T1112 | Creation
Potential COM Object Hijacking Via TreatAs Subkey - Registry | Trouble | TA0003, T1546.015 | Creation
Potential Persistence Via Disk Cleanup Handler - Registry | Trouble | TA0003 | Creation
Potential Persistence Via Logon Scripts - Registry | Trouble | TA0003, TA0008, T1037.001 | Creation
PUA - Sysinternal Tool Execution - Registry | Attention | TA0042, T1588.002 | Creation
Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted | Trouble | TA0009, T1113 | Deletion
Folder Removed From Exploit Guard ProtectedFolders List - Registry | Trouble | TA0005, T1562.001 | Deletion
Terminal Server Client Connection History Cleared - Registry | Trouble | TA0005, T1070 | Deletion
Removal Of AMSI Provider Registry Keys | Trouble | TA0005, T1562.001 | Deletion
Removal Of Index Value to Hide Schedule Task - Registry | Trouble | TA0005, T1562 | Deletion
Removal Of SD Value to Hide Schedule Task - Registry | Trouble | TA0005, T1562 | Deletion
Pandemic Registry Key | Critical | TA0011, T1105 | Access, Creation, Deletion, Modification
UAC Bypass Via Wsreset | Trouble | TA0005, TA0004, T1548.002 | Access, Creation, Deletion, Modification
CMSTP Execution Registry Event | Trouble | TA0005, TA0002, T1218.003 | Access, Creation, Deletion, Modification
Wdigest CredGuard Registry Modification | Trouble | TA0005, T1112 | Access, Creation, Deletion, Modification
Windows Credential Editor Registry | Critical | TA0006, T1003.001 | Access, Creation, Deletion, Modification
HybridConnectionManager Service Installation - Registry | Trouble | TA0042, T1608 | Access, Creation, Deletion, Modification
Potential Qakbot Registry Activity | Trouble | TA0005, T1112 | Access, Creation, Deletion, Modification
Registry Entries For Azorult Malware | Critical | TA0003, TA0002, T1112 | Access, Creation, Deletion, Modification
Path To Screensaver Binary Modified | Trouble | TA0003, TA0004, T1546.002 | Access, Creation, Deletion, Modification

Data component: Module Load (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK
WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load | Trouble | TA0008, TA0004, TA0003, T1546.003
Potential 7za.DLL Sideloading | Attention | TA0005, TA0003, TA0004, T1574.001
Abusable DLL Potential Sideloading From Suspicious Location | Trouble | TA0002, T1059
Potential Antivirus Software DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential appverifUI.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Aruba Network Service Potential DLL Sideloading | Trouble | TA0004, TA0003, T1574.001
Potential AVKkid.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential CCleanerDU.DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential CCleanerReactivator.DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential Chrome Frame Helper DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Via ClassicExplorer32.dll | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Via comctl32.dll | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Using Coregen.exe | Trouble | TA0005, T1218
System Control Panel Item Loaded From Uncommon Location | Trouble | TA0005, T1036
Potential DLL Sideloading Of DBGCORE.DLL | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Of DBGHELP.DLL | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Of DbgModel.DLL | Trouble | TA0005, T1574.001
Potential EACore.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential Edputil.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential Goopdate.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential Iviewers.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential DLL Sideloading Via JsSchHlp | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE | Trouble | TA0005, TA0004, T1574.001
Potential Libvlc.DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential Mfdetours.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Unsigned Mfdetours.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential DLL Sideloading Of MpSvc.DLL | Trouble | TA0005, T1574.001
Potential DLL Sideloading Of MsCorSvc.DLL | Trouble | TA0005, T1574.001
Potential DLL Sideloading Of Non-Existent DLLs From System Folders | Trouble | TA0005, TA0003, TA0004, T1574.001
Microsoft Office DLL Sideload | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential Python DLL SideLoading | Trouble | TA0005, T1574.001
Potential Rcdll.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential RoboForm.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential ShellDispatch.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
DLL Sideloading Of ShellChromeAPI.DLL | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential SmadHook.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential SolidPDFCreator.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Third Party Software DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Fax Service DLL Search Order Hijack | Trouble | TA0003, TA0005, T1574.001
Potential Vivaldi_elf.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
VMGuestLib DLL Sideload | Trouble | TA0005, TA0003, TA0004, T1574.001
VMMap Unsigned Dbghelp.DLL Potential Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential DLL Sideloading Via VMware Xfer | Trouble | TA0005, T1574.001
Potential Waveedit.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Potential Wazuh Security Platform DLL Sideloading | Trouble | TA0005, TA0003, TA0004, T1574.001
Potential Mpclient.DLL Sideloading | Trouble | TA0005, T1574.001
Potential WWlib.DLL Sideloading | Trouble | TA0005, TA0004, T1574.001
Windows Spooler Service Suspicious Binary Load | Attention | TA0003, TA0005, TA0004, T1574
Unsigned Module Loaded by ClickOnce Application | Trouble | TA0003, T1574.001
DLL Load By System Process From Suspicious Locations | Trouble | TA0005, T1070
Python Image Load By Non-Python Process | Trouble | TA0005, T1027.002
DotNet CLR DLL Loaded By Scripting Applications | Trouble | TA0002, TA0004, T1055
Unsigned DLL Loaded by Windows Utility | Trouble | TA0005, T1218.011
Suspicious Unsigned Thor Scanner Execution | Trouble | TA0005, T1574.001
UAC Bypass With Fake DLL | Trouble | TA0003, TA0005, TA0004, T1574.001
WMIC Loading Scripting Libraries | Trouble | TA0005, T1220
Wmiprvse Wbemcomn DLL Hijack | Trouble | TA0002, TA0008, T1047
Suspicious WSMAN Provider Image Loads | Trouble | TA0002, TA0008, T1059.001
Amsi.DLL Load By Uncommon Process | Attention | TA0005, TA0040, T1490
Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process | Trouble | TA0006, T1003.001
System Drawing DLL Load | Attention | TA0009, T1113
Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location | Attention | TA0003, TA0002, T1053.005
Microsoft Excel Add-In Loaded | Attention | TA0002, T1204.002
Microsoft Word Add-In Loaded | Attention | TA0002, T1204.002
WMI Module Loaded By Uncommon Process | Attention | TA0002, T1047

Data component: Network Connection Creation (Platform: Windows; all rules last updated September 15, 2025)
Rule name | Severity | MITRE ATT&CK
Potential Compromised 3CXDesktopApp Beaconing Activity - Netcon | Trouble | TA0011
Network Connection Initiated By AddinUtil.EXE | Trouble | TA0005, T1218
Uncommon Network Connection Initiated By Certutil.EXE | Trouble | TA0011, T1105
Network Connection Initiated To BTunnels Domains | Trouble | TA0010, TA0011, T1567
Network Connection Initiated To Cloudflared Tunnels Domains | Trouble | TA0010, TA0011, T1567
Network Connection Initiated To DevTunnels Domain | Trouble | TA0010, TA0011, T1567.001
Suspicious Dropbox API Usage | Trouble | TA0011, TA0010, T1105
Suspicious Network Connection to IP Lookup Service APIs | Trouble | TA0007, T1016
Communication To LocaltoNet Tunneling Service Initiated | Trouble | TA0011, T1572
Network Connection Initiated To Mega.nz | Attention | TA0010, T1567.002
Process Initiated Network Connection To Ngrok Domain | Trouble | TA0010, T1567.001
Communication To Ngrok Tunneling Service Initiated | Trouble | TA0010, TA0011, T1567
Potentially Suspicious Network Connection To Notion API | Attention | TA0011, T1102
Network Communication Initiated To Portmap.IO Domain | Trouble | TA0011, TA0010, T1090.002
Suspicious Non-Browser Network Communication With Telegram API | Trouble | TA0011, TA0010, T1102
Network Connection Initiated To Visual Studio Code Tunnels Domain | Trouble | TA0010, TA0011, T1567
Network Connection Initiated By Eqnedt32.EXE | Trouble | TA0002, T1203
Network Connection Initiated By IMEWDBLD.EXE | Trouble | TA0011, T1105
Network Connection Initiated Via Notepad.EXE | Trouble | TA0011, TA0002, TA0005, T1055
Office Application Initiated Network Connection Over Uncommon Ports | Trouble | TA0005, TA0011
Python Initiated Connection | Trouble | TA0007, T1046

Outbound RDP Connections Over Non-Standard Tools

TA0008 T1021.001 Windows Network Connection Creation
Trouble
TA0008, T1021.001
Windows
Last updated: September 15, 2025
View details

Network Connection Initiated By Regsvr32.EXE

TA0002 TA0005 T1559.001 Windows Network Connection Creation
Trouble
TA0002, TA0005, T1559.001
Windows
Last updated: September 15, 2025
View details

Silenttrinity Stager Msbuild Activity

TA0002 TA0005 T1127.001 Windows Network Connection Creation
Trouble
TA0002, TA0005, T1127.001
Windows
Last updated: September 15, 2025
View details

Network Communication Initiated To File Sharing Domains From Process Located In Suspicious Folder

TA0011 T1105 Windows Network Connection Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Network Connection Initiated From Process Located In Potentially Suspicious Or Uncommon Location

TA0011 T1105 Windows Network Connection Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Uncommon Outbound Kerberos Connection

TA0006 TA0008 T1558 Windows Network Connection Creation
Trouble
TA0006, TA0008, T1558
Windows
Last updated: September 15, 2025
View details

Suspicious Outbound SMTP Connections

TA0010 T1048.003 Windows Network Connection Creation
Trouble
TA0010, T1048.003
Windows
Last updated: September 15, 2025
View details

Suspicious Wordpad Outbound Connections

TA0005 TA0011 Windows Network Connection Creation
Trouble
TA0005, TA0011
Windows
Last updated: September 15, 2025
View details

HH.EXE Initiated HTTP Network Connection

TA0005 T1218.001 Windows Network Connection Creation
Trouble
TA0005, T1218.001
Windows
Last updated: September 15, 2025
View details

Msiexec.EXE Initiated Network Connection Over HTTP

TA0005 T1218.007 Windows Network Connection Creation
Attention
TA0005, T1218.007
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Azure Front Door Connection

TA0011 T1102.002 Windows Network Connection Creation
Trouble
TA0011, T1102.002
Windows
Last updated: September 15, 2025
View details

Data Components: Script Execution

| Rule Name | Severity | MITRE ATT&CK | Platform | Last Updated |
|---|---|---|---|---|
| Potential APT FIN7 POWERHOLD Execution | Trouble | TA0002, T1059.001 | Windows | September 15, 2025 |
| Potential POWERTRASH Script Execution | Trouble | TA0002, T1059.001 | Windows | September 15, 2025 |

Data Components: File Creation, File Modification

| Rule Name | Severity | MITRE ATT&CK | Platform | Last Updated |
|---|---|---|---|---|
| PowerShell Module File Created | Attention | TA0003 | Windows | September 15, 2025 |
| PowerShell Module File Created By Non-PowerShell Process | Trouble | TA0003 | Windows | September 15, 2025 |
| Potential Startup Shortcut Persistence Via PowerShell.EXE | Trouble | TA0003, T1547.001 | Windows | September 15, 2025 |
| PSScriptPolicyTest Creation By Uncommon Process | Trouble | TA0005 | Windows | September 15, 2025 |
| Rclone Config File Creation | Trouble | TA0010, T1567.002 | Windows | September 15, 2025 |
| .RDP File Created By Uncommon Application | Trouble | TA0005 | Windows | September 15, 2025 |
| Potential Winnti Dropper Activity | Trouble | TA0005, T1027 | Windows | September 15, 2025 |
| PDF File Created By RegEdit.EXE | Trouble | TA0005 | Windows | September 15, 2025 |
| RemCom Service File Creation | Trouble | TA0002, T1569.002 | Windows | September 15, 2025 |
| ScreenConnect Temporary Installation Artefact | Trouble | TA0011, T1219.002 | Windows | September 15, 2025 |
| Remote Access Tool - ScreenConnect Temporary File | Attention | TA0002, T1059.003 | Windows | September 15, 2025 |
| Potential RipZip Attack on Startup Folder | Trouble | TA0003, T1547 | Windows | September 15, 2025 |
| Potential SAM Database Dump | Trouble | TA0006, T1003.002 | Windows | September 15, 2025 |
| Self Extraction Directive File Created In Potentially Suspicious Location | Trouble | TA0005, T1218 | Windows | September 15, 2025 |
| Windows Shell/Scripting Application File Write to Suspicious Folder | Trouble | TA0002, T1059 | Windows | September 15, 2025 |
| Startup Folder File Write | Trouble | TA0003, T1547.001 | Windows | September 15, 2025 |
| Created Files by Microsoft Sync Center | Trouble | TA0002, TA0005, T1055 | Windows | September 15, 2025 |
| Suspicious Files in Default GPO Folder | Trouble | TA0005, T1036.005 | Windows | September 15, 2025 |
| Suspicious Desktopimgdownldr Target File | Trouble | TA0011, T1105 | Windows | September 15, 2025 |
| Suspicious desktop.ini Action | Trouble | TA0003, T1547.009 | Windows | September 15, 2025 |
| Suspicious Creation TXT File in User Desktop | Trouble | TA0040, T1486 | Windows | September 15, 2025 |
| Creation of a Diagcab | Trouble | TA0042 | Windows | September 15, 2025 |
| Suspicious Double Extension Files | Trouble | TA0005, T1036.007 | Windows | September 15, 2025 |
| Suspicious MSExchangeMailboxReplication ASPX Write | Trouble | TA0001, TA0003, T1190 | Windows | September 15, 2025 |
| Suspicious Executable File Creation | Trouble | TA0005, T1564 | Windows | September 15, 2025 |
| Suspicious Get-Variable.exe Creation | Trouble | TA0003, TA0005, T1546 | Windows | September 15, 2025 |
| Legitimate Application Dropped Archive | Trouble | TA0005, T1218 | Windows | September 15, 2025 |
| Legitimate Application Dropped Executable | Trouble | TA0005, T1218 | Windows | September 15, 2025 |
| Legitimate Application Dropped Script | Trouble | TA0005, T1218 | Windows | September 15, 2025 |
| Suspicious PFX File Creation | Trouble | TA0006, T1552.004 | Windows | September 15, 2025 |
| PowerShell Profile Modification | Trouble | TA0003, TA0004, T1546.013 | Windows | September 15, 2025 |
| Suspicious PROCEXP152.sys File Created In TMP | Trouble | TA0005, T1562.001 | Windows | September 15, 2025 |
| Suspicious File Creation Activity From Fake Recycle.Bin Folder | Trouble | TA0003, TA0005 | Windows | September 15, 2025 |
| Potential File Extension Spoofing Using Right-to-Left Override | Trouble | TA0002, TA0005, T1036.002 | Windows | September 15, 2025 |
| Drop Binaries Into Spool Drivers Color Folder | Trouble | TA0005 | Windows | September 15, 2025 |
| Suspicious Startup Folder Persistence | Trouble | TA0003, T1547.001 | Windows | September 15, 2025 |
| Suspicious Interactive PowerShell as SYSTEM | Trouble | TA0002, T1059.001 | Windows | September 15, 2025 |
| Suspicious Scheduled Task Write to System32 Tasks | Trouble | TA0003, TA0002, T1053 | Windows | September 15, 2025 |
| TeamViewer Remote Session | Trouble | TA0011, T1219.002 | Windows | September 15, 2025 |
| VsCode Powershell Profile Modification | Trouble | TA0003, TA0004, T1546.013 | Windows | September 15, 2025 |
| Windows Terminal Profile Settings Modification By Uncommon Process | Trouble | TA0003, T1547.015 | Windows | September 15, 2025 |
| LiveKD Kernel Memory Dump File Created | Trouble | TA0005, TA0004 | Windows | September 15, 2025 |
| LiveKD Driver Creation | Trouble | TA0005, TA0004 | Windows | September 15, 2025 |
| Process Explorer Driver Creation By Non-Sysinternals Binary | Trouble | TA0003, TA0004, T1068 | Windows | September 15, 2025 |
| Process Monitor Driver Creation By Non-Sysinternals Binary | Trouble | TA0003, TA0004, T1068 | Windows | September 15, 2025 |
| PsExec Service File Creation | Attention | TA0002, T1569.002 | Windows | September 15, 2025 |
| PSEXEC Remote Execution File Artefact | Trouble | TA0008, TA0004, TA0002, TA0003, T1570 | Windows | September 15, 2025 |
| Potential Privilege Escalation Attempt Via .Exe.Local Technique | Trouble | TA0005, TA0003, TA0004 | Windows | September 15, 2025 |
| Hijack Legit RDP Session to Move Laterally | Trouble | TA0011, T1219.002 | Windows | September 15, 2025 |
| UAC Bypass Using Consent and Comctl32 - File | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Using .NET Code Profiler on MMC | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Using IDiagnostic Profile - File | Trouble | TA0002, TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Using MSConfig Token Modification - File | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Using NTFS Reparse Point - File | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Abusing Winsat Path Parsing - File | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| UAC Bypass Using Windows Media Player - File | Trouble | TA0005, TA0004, T1548.002 | Windows | September 15, 2025 |
| VHD Image Download Via Browser | Trouble | TA0042, T1587.001 | Windows | September 15, 2025 |
| Visual Studio Code Tunnel Remote File Creation | Trouble | TA0011 | Windows | September 15, 2025 |
| Renamed VsCode Code Tunnel Execution - File Indicator | Trouble | TA0011 | Windows | September 15, 2025 |
| Creation of WerFault.exe/Wer.dll in Unusual Folder | Trouble | TA0003, TA0005, T1574.001 | Windows | September 15, 2025 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File | Trouble | TA0005, T1216 | Windows | September 15, 2025 |
| UEFI Persistence Via Wpbbin - FileCreation | Trouble | TA0003, TA0005, T1542.001 | Windows | September 15, 2025 |
| Potentially Suspicious Self Extraction Directive File Created | Trouble | TA0005, T1218 | Windows | September 15, 2025 |
| Access To Chromium Browsers Sensitive Files By Uncommon Applications | Attention | TA0006, T1003 | Windows | September 15, 2025 |
| Access To Browser Credential Files By Uncommon Applications | Attention | TA0006, T1003 | Windows | September 15, 2025 |
| Access To Windows Outlook Mail Files By Uncommon Applications | Attention | TA0005, T1070.008 | Windows | September 15, 2025 |
| Access To .Reg/.Hive Files By Uncommon Applications | Attention | TA0005, T1112 | Windows | September 15, 2025 |
| Unattend.XML File Access Attempt | Attention | TA0006, T1552.001 | Windows | September 15, 2025 |
| DMP/HDMP File Creation | Attention | TA0005 | Windows | September 15, 2025 |
| Scheduled Task Created - FileCreation | Attention | TA0002, TA0003, TA0004, T1053.005 | Windows | September 15, 2025 |
| VsCode Code Tunnel Execution File Indicator | Trouble | TA0011 | Windows | September 15, 2025 |
| WebDAV Temporary Local File Creation | Trouble | TA0001, TA0042, T1566 | Windows | September 15, 2025 |

Data Components: Module Load

| Rule Name | Severity | MITRE ATT&CK | Platform | Last Updated |
|---|---|---|---|---|
| DLL Names Used By SVR For GraphicalProton Backdoor | Trouble | TA0005, T1574.001 | Windows | September 15, 2025 |
| Diamond Sleet APT DLL Sideloading Indicators | Trouble | TA0005, T1574.001 | Windows | September 15, 2025 |
| Lazarus APT DLL Sideloading Activity | Trouble | TA0005, TA0004, T1574.001 | Windows | September 15, 2025 |
| Potential COLDSTEEL Persistence Service DLL Load | Trouble | TA0003, TA0005 | Windows | September 15, 2025 |
| Potential Raspberry Robin Aclui Dll SideLoading | Trouble | TA0005, TA0004, T1574.001 | Windows | September 15, 2025 |
| DLL Loaded From Suspicious Location Via Cmspt.EXE | Trouble | TA0005, T1218.003 | Windows | September 15, 2025 |
| Amsi.DLL Loaded Via LOLBIN Process | Trouble | TA0005 | Windows | September 15, 2025 |
| CredUI.DLL Loaded By Uncommon Process | Trouble | TA0006, TA0009, T1056.002 | Windows | September 15, 2025 |
| Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded | Trouble | TA0006, T1003.001 | Windows | September 15, 2025 |
| PCRE.NET Package Image Load | Trouble | TA0002, T1059 | Windows | September 15, 2025 |
| Load Of RstrtMgr.DLL By A Suspicious Process | Trouble | TA0040, TA0005, T1486 | Windows | September 15, 2025 |
| Load Of RstrtMgr.DLL By An Uncommon Process | Attention | TA0040, TA0005, T1486 | Windows | September 15, 2025 |
| Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE | Trouble | TA0005, T1202 | Windows | September 15, 2025 |
| PowerShell Core DLL Loaded By Non PowerShell Process | Trouble | TA0002, T1059.001 | Windows | September 15, 2025 |
| Time Travel Debugging Utility Usage - Image | Trouble | TA0005, TA0006, T1218 | Windows | September 15, 2025 |
| Suspicious Volume Shadow Copy Vssapi.dll Load | Trouble | TA0005, TA0040, T1490 | Windows | September 15, 2025 |
| Suspicious Volume Shadow Copy Vsstrace.dll Load | Trouble | TA0040, T1490 | Windows | September 15, 2025 |
| Suspicious Volume Shadow Copy VSS_PS.dll Load | Trouble | TA0005, TA0040, T1490 | Windows | September 15, 2025 |
| HackTool - SILENTTRINITY Stager DLL Load | Trouble | TA0011, T1071 | Windows | September 15, 2025 |
| Potential DCOM InternetExplorer.Application DLL Hijack - Image Load | Critical | TA0008, T1021.002 | Windows | September 15, 2025 |
| Unsigned Image Loaded Into LSASS Process | Trouble | TA0006, T1003.001 | Windows | September 15, 2025 |
| DotNET Assembly DLL Loaded Via Office Application | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |
| CLR DLL Loaded Via Office Applications | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |
| GAC DLL Loaded Via Office Applications | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |
| Microsoft Excel Add-In Loaded From Uncommon Location | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |
| Microsoft VBA For Outlook Addin Loaded Via Outlook | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |
| PowerShell Core DLL Loaded Via Office Application | Trouble | TA0005 | Windows | September 15, 2025 |
| VBA DLL Loaded Via Office Application | Trouble | TA0002, T1204.002 | Windows | September 15, 2025 |

Suspicious CustomShellHost Execution

TA0005 T1216 Windows Process Creation
Trouble
TA0005, T1216
Windows
Last updated: September 15, 2025
View details

LOLBAS Data Exfiltration by DataSvcUtil.exe

TA0010 T1567 Windows Process Creation
Trouble
TA0010, T1567
Windows
Last updated: September 15, 2025
View details

DeviceCredentialDeployment Execution

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Devtoolslauncher.exe Executes Specified Binary

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious Diantz Download and Compress Into a CAB File

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Suspicious Extrac32 Execution

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Potential Reconnaissance Activity Via GatherNetworkInfo.VBS

TA0007 TA0002 T1615 Windows Process Creation
Trouble
TA0007, TA0002, T1615
Windows
Last updated: September 15, 2025
View details

Gpscript Execution

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Ie4uinit Lolbin Use From Invalid Path

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Launch-VsDevShell.PS1 Proxy Execution

TA0005 T1216.001 Windows Process Creation
Trouble
TA0005, T1216.001
Windows
Last updated: September 15, 2025
View details

Potential Manage-bde.wsf Abuse To Proxy Execution

TA0005 T1216 Windows Process Creation
Trouble
TA0005, T1216
Windows
Last updated: September 15, 2025
View details

Mavinject Inject DLL Into Running Process

TA0005 TA0004 T1055.001 Windows Process Creation
Trouble
TA0005, TA0004, T1055.001
Windows
Last updated: September 15, 2025
View details

Execute Files with Msdeploy.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Execute MSDT Via Answer File

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Use of OpenConsole

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

OpenWith.exe Executes Specified Binary

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Use of Pcalua For Execution

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Indirect Command Execution By Program Compatibility Wizard

TA0005 TA0002 T1218 Windows Process Creation
Attention
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Execute Pcwrun.EXE To Leverage Follina

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Code Execution via Pcwutl.dll

TA0005 T1218.011 Windows Process Creation
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Execute Code with Pester.bat

TA0002 TA0005 T1059.001 Windows Process Creation
Trouble
TA0002, TA0005, T1059.001
Windows
Last updated: September 15, 2025
View details

PrintBrm ZIP Creation of Extraction

TA0011 TA0005 T1105 Windows Process Creation
Trouble
TA0011, TA0005, T1105
Windows
Last updated: September 15, 2025
View details

Pubprn.vbs Proxy Execution

TA0005 T1216.001 Windows Process Creation
Trouble
TA0005, T1216.001
Windows
Last updated: September 15, 2025
View details

DLL Execution via Rasautou.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

REGISTER_APP.VBS Proxy Execution

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Use of Remote.exe

TA0005 T1127 Windows Process Creation
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

Replace.exe Usage

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Lolbin Runexehelper Use As Proxy

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious Runscripthelper.exe

TA0002 TA0005 T1059 Windows Process Creation
Trouble
TA0002, TA0005, T1059
Windows
Last updated: September 15, 2025
View details

Use of Scriptrunner.exe

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Using SettingSyncHost.exe as LOLBin

TA0002 TA0005 T1574.008 Windows Process Creation
Trouble
TA0002, TA0005, T1574.008
Windows
Last updated: September 15, 2025
View details

Use Of The SFTP.EXE Binary As A LOLBIN

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious Certreq Command to Download

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Suspicious Driver Install by pnputil.exe

TA0003 T1547 Windows Process Creation
Trouble
TA0003, T1547
Windows
Last updated: September 15, 2025
View details

Suspicious GrpConv Execution

TA0003 T1547 Windows Process Creation
Trouble
TA0003, T1547
Windows
Last updated: September 15, 2025
View details

Dumping Process via Sqldumper.exe

TA0006 T1003.001 Windows Process Creation
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

SyncAppvPublishingServer Execute Arbitrary PowerShell Code

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential DLL Injection Or Execution Using Tracker.exe

TA0005 T1055.001 Windows Process Creation
Trouble
TA0005, T1055.001
Windows
Last updated: September 15, 2025
View details

Use of TTDInject.exe

TA0005 T1127 Windows Process Creation
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

Time Travel Debugging Utility Usage

TA0005 TA0006 T1218 Windows Process Creation
Trouble
TA0005, TA0006, T1218
Windows
Last updated: September 15, 2025
View details

Lolbin Unregmp2.exe Use As Proxy

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

UtilityFunctions.ps1 Proxy Dll

TA0005 T1216 Windows Process Creation
Trouble
TA0005, T1216
Windows
Last updated: September 15, 2025
View details

Use of VisualUiaVerifyNative.exe

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Visual Basic Command Line Compiler Usage

TA0005 T1027.004 Windows Process Creation
Trouble
TA0005, T1027.004
Windows
Last updated: September 15, 2025
View details

Use of VSIISExeLauncher.exe

TA0005 T1127 Windows Process Creation
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

Use of Wfc.exe

TA0005 T1127 Windows Process Creation
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

Potential Register_App.Vbs LOLScript Abuse

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential Mftrace.EXE Abuse

TA0005 T1127 Windows Process Creation
Trouble
TA0005, T1127
Windows
Last updated: September 15, 2025
View details

MMC20 Lateral Movement

TA0002 TA0008 T1021.003 Windows Process Creation
Trouble
TA0002, TA0008, T1021.003
Windows
Last updated: September 15, 2025
View details

MMC Spawning Windows Shell

TA0008 T1021.003 Windows Process Creation
Trouble
TA0008, T1021.003
Windows
Last updated: September 15, 2025
View details

| Rule Name | Severity | MITRE ATT&CK | Data Components | Platform | Last Updated |
|---|---|---|---|---|---|
| CodePage Modification Via MODE.COM To Russian Language | Trouble | TA0005, T1036 | Process Creation | Windows | September 15, 2025 |
| Potential Suspicious Mofcomp Execution | Trouble | TA0005, T1218 | Process Creation | Windows | September 15, 2025 |
| Potential Mpclient.DLL Sideloading Via Defender Binaries | Trouble | TA0005, T1574.001 | Process Creation | Windows | September 15, 2025 |
| File Download Via Windows Defender MpCmdRun.EXE | Trouble | TA0005, TA0011, T1218 | Process Creation | Windows | September 15, 2025 |
| Windows Defender Definition Files Removed | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Msbuild Execution By Uncommon Parent Process | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Potential Arbitrary Command Execution Using Msdt.EXE | Trouble | TA0005, T1202 | Process Creation | Windows | September 15, 2025 |
| Suspicious Cabinet File Execution Via Msdt.EXE | Trouble | TA0005, T1202 | Process Creation | Windows | September 15, 2025 |
| Suspicious MSDT Parent Process | Trouble | TA0005, T1036 | Process Creation | Windows | September 15, 2025 |
| Arbitrary File Download Via MSEDGE_PROXY.EXE | Trouble | TA0005, TA0002, T1218 | Process Creation | Windows | September 15, 2025 |
| Remotely Hosted HTA File Executed Via Mshta.EXE | Trouble | TA0005, TA0002, T1218.005 | Process Creation | Windows | September 15, 2025 |
| Wscript Shell Run In CommandLine | Trouble | TA0002, T1059 | Process Creation | Windows | September 15, 2025 |
| Suspicious JavaScript Execution Via Mshta.EXE | Trouble | TA0005, T1218.005 | Process Creation | Windows | September 15, 2025 |
| Potential LethalHTA Technique Execution | Trouble | TA0005, T1218.005 | Process Creation | Windows | September 15, 2025 |
| Suspicious MSHTA Child Process | Trouble | TA0005, T1218.005 | Process Creation | Windows | September 15, 2025 |
| MSHTA Suspicious Execution 01 | Trouble | TA0002, TA0005, T1059.007 | Process Creation | Windows | September 15, 2025 |
| Suspicious Mshta.EXE Execution Patterns | Trouble | TA0002, T1106 | Process Creation | Windows | September 15, 2025 |
| DllUnregisterServer Function Call Via Msiexec.EXE | Trouble | TA0005, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Suspicious MsiExec Embedding Parent | Trouble | TA0005, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Suspicious Msiexec Execute Arbitrary DLL | Trouble | TA0005, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Msiexec Quiet Installation | Trouble | TA0005, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Suspicious Msiexec Quiet Install From Remote Location | Trouble | TA0005, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Potential MsiExec Masquerading | Trouble | TA0005, T1036.005 | Process Creation | Windows | September 15, 2025 |
| MsiExec Web Install | Trouble | TA0005, TA0011, T1218.007 | Process Creation | Windows | September 15, 2025 |
| Arbitrary File Download Via MSOHTMED.EXE | Trouble | TA0005, TA0002, T1218 | Process Creation | Windows | September 15, 2025 |
| Arbitrary File Download Via MSPUB.EXE | Trouble | TA0005, TA0002, T1218 | Process Creation | Windows | September 15, 2025 |
| Potential Process Injection Via Msra.EXE | Trouble | TA0005, T1055 | Process Creation | Windows | September 15, 2025 |
| Detection of PowerShell Execution via Sqlps.exe | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| SQL Client Tools PowerShell Session Detection | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Child Process Of SQL Server | Trouble | TA0001, TA0003, TA0004, T1190 | Process Creation | Windows | September 15, 2025 |
| Suspicious Child Process Of Veeam Database | Critical | TA0001, TA0003, TA0004 | Process Creation | Windows | September 15, 2025 |
| Potential MSTSC Shadowing Activity | Trouble | TA0008, T1563.002 | Process Creation | Windows | September 15, 2025 |
| New Remote Desktop Connection Initiated Via Mstsc.EXE | Trouble | TA0008, T1021.001 | Process Creation | Windows | September 15, 2025 |
| Mstsc.EXE Execution With Local RDP File | Attention | TA0011, T1219.002 | Process Creation | Windows | September 15, 2025 |
| Suspicious Mstsc.EXE Execution With Local RDP File | Trouble | TA0011, T1219.002 | Process Creation | Windows | September 15, 2025 |
| Mstsc.EXE Execution From Uncommon Parent | Trouble | TA0008 | Process Creation | Windows | September 15, 2025 |
| Msxsl.EXE Execution | Trouble | TA0005, T1220 | Process Creation | Windows | September 15, 2025 |
| Remote XSL Execution Via Msxsl.EXE | Trouble | TA0005, T1220 | Process Creation | Windows | September 15, 2025 |
| New Firewall Rule Added Via Netsh.EXE | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| RDP Connection Allowed Via Netsh.EXE | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| Firewall Rule Deleted Via Netsh.EXE | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| Firewall Disabled via Netsh.EXE | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| Netsh Allow Group Policy on Microsoft Defender Firewall | Trouble | TA0005, T1562.004 | Process Creation | Windows | September 15, 2025 |
| Firewall Configuration Discovery Via Netsh.EXE | Attention | TA0007, T1016 | Process Creation | Windows | September 15, 2025 |
| Firewall Rule Update Via Netsh.EXE | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Potential Persistence Via Netsh Helper DLL | Trouble | TA0004, TA0003, T1546.007 | Process Creation | Windows | September 15, 2025 |
| New Network Trace Capture Started Via Netsh.EXE | Trouble | TA0007, TA0006, T1040 | Process Creation | Windows | September 15, 2025 |
| New Port Forwarding Rule Added Via Netsh.EXE | Trouble | TA0008, TA0005, TA0011, T1090 | Process Creation | Windows | September 15, 2025 |
| RDP Port Forwarding Rule Added Via Netsh.EXE | Trouble | TA0008, TA0005, TA0011, T1090 | Process Creation | Windows | September 15, 2025 |
| Harvesting Of Wifi Credentials Via Netsh.EXE | Trouble | TA0007, TA0006, T1040 | Process Creation | Windows | September 15, 2025 |
| Start Windows Service Via Net.EXE | Attention | TA0002, T1569.002 | Process Creation | Windows | September 15, 2025 |
| Stop Windows Service Via Net.EXE | Attention | TA0040, T1489 | Process Creation | Windows | September 15, 2025 |
| Windows Internet Hosted WebDav Share Mount Via Net.EXE | Trouble | TA0008, T1021.002 | Process Creation | Windows | September 15, 2025 |
| Windows Share Mount Via Net.EXE | Attention | TA0008, T1021.002 | Process Creation | Windows | September 15, 2025 |
| System Network Connections Discovery Via Net.EXE | Attention | TA0007, T1049 | Process Creation | Windows | September 15, 2025 |
| Share And Session Enumeration Using Net.EXE | Attention | TA0007, T1018 | Process Creation | Windows | September 15, 2025 |
| Potential Arbitrary Code Execution Via Node.EXE | Trouble | TA0005, T1127 | Process Creation | Windows | September 15, 2025 |
| Node Process Executions | Trouble | TA0005, TA0002, T1127 | Process Creation | Windows | September 15, 2025 |
| Nslookup PowerShell Download Cradle - ProcessCreation | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Driver/DLL Installation Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Suspicious Driver/DLL Installation Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Odbcconf.EXE Suspicious DLL Location | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| New DLL Registered Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Potentially Suspicious DLL Registered Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Response File Execution Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Suspicious Response File Execution Via Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Uncommon Child Process Spawned By Odbcconf.EXE | Trouble | TA0005, T1218.008 | Process Creation | Windows | September 15, 2025 |
| Potential Arbitrary File Download Using Office Application | Trouble | TA0005, T1202 | Process Creation | Windows | September 15, 2025 |
| Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp | Trouble | TA0008, T1021.003 | Process Creation | Windows | September 15, 2025 |
| OneNote.EXE Execution of Malicious Embedded Scripts | Trouble | TA0005, T1218.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Microsoft OneNote Child Process | Trouble | TA0001, T1566 | Process Creation | Windows | September 15, 2025 |
| Suspicious Execution From Outlook Temporary Folder | Trouble | TA0001, T1566.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Outlook Child Process | Trouble | TA0002, T1204.002 | Process Creation | Windows | September 15, 2025 |
| Suspicious Microsoft Office Child Process | Trouble | TA0005, TA0002, T1218.010 | Process Creation | Windows | September 15, 2025 |
| Potential Arbitrary DLL Load Using Winword | Trouble | TA0005, T1202 | Process Creation | Windows | September 15, 2025 |
| Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution | Trouble | TA0005, T1218 | Process Creation | Windows | September 15, 2025 |
| PDQ Deploy Remote Administration Tool Execution | Trouble | TA0002, TA0008, T1072 | Process Creation | Windows | September 15, 2025 |
| Potentially Suspicious Execution Of PDQDeployRunner | Trouble | TA0002 | Process Creation | Windows | September 15, 2025 |
| Perl Inline Command Execution | Trouble | TA0002, T1059 | Process Creation | Windows | September 15, 2025 |
| Php Inline Command Execution | Trouble | TA0002, T1059 | Process Creation | Windows | September 15, 2025 |
| Ping Hex IP | Trouble | TA0005, T1140 | Process Creation | Windows | September 15, 2025 |
| PktMon.EXE Execution | Trouble | TA0006, T1040 | Process Creation | Windows | September 15, 2025 |
| Suspicious Plink Port Forwarding | Trouble | TA0011, TA0008, T1572 | Process Creation | Windows | September 15, 2025 |
| Potential RDP Tunneling Via Plink | Trouble | TA0011, T1572 | Process Creation | Windows | September 15, 2025 |
| Suspicious Powercfg Execution To Change Lock Screen Timeout | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Add Windows Capability Via PowerShell Cmdlet | Trouble | TA0002 | Process Creation | Windows | September 15, 2025 |
| Potential AMSI Bypass Via .NET Reflection | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Audio Capture via PowerShell | Trouble | TA0009, T1123 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell Encoded Command Patterns | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Obfuscated PowerShell Code | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| PowerShell Base64 Encoded FromBase64String Cmdlet | Trouble | TA0005, TA0002, T1140 | Process Creation | Windows | September 15, 2025 |
| Malicious Base64 Encoded PowerShell Keywords in Command Lines | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| PowerShell Base64 Encoded IEX Cmdlet | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| PowerShell Base64 Encoded Invoke Keyword | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Powershell Base64 Encoded MpPreference Cmdlet | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| PowerShell Base64 Encoded Reflective Assembly Load | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| PowerShell Base64 Encoded WMI Classes | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Potential Process Execution Proxy Via CL_Invocation.ps1 | Trouble | TA0005, T1216 | Process Creation | Windows | September 15, 2025 |
| Assembly Loading Via CL_LoadAssembly.ps1 | Trouble | TA0005, T1216 | Process Creation | Windows | September 15, 2025 |
| Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 | Trouble | TA0005, T1216 | Process Creation | Windows | September 15, 2025 |
| ConvertTo-SecureString Cmdlet Usage Via CommandLine | Trouble | TA0005, TA0002, T1027 | Process Creation | Windows | September 15, 2025 |
| Potential PowerShell Obfuscation Via Reversed Commands | Trouble | TA0005, TA0002, T1027 | Process Creation | Windows | September 15, 2025 |
| New Service Creation Using PowerShell | Attention | TA0003, TA0004, T1543.003 | Process Creation | Windows | September 15, 2025 |
| Gzip Archive Decode Via PowerShell | Trouble | TA0011, T1132.001 | Process Creation | Windows | September 15, 2025 |
| Powershell Defender Disable Scan Feature | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Powershell Defender Exclusion | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Disable Windows Defender AV Security Monitoring | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Windows Firewall Disabled via PowerShell | Trouble | TA0005, T1562 | Process Creation | Windows | September 15, 2025 |
| Disabled IE Security Features | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Potential PowerShell Downgrade Attack | Trouble | TA0005, TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Potential COM Objects Download Cradles Usage - Process Creation | Trouble | TA0011, T1105 | Process Creation | Windows | September 15, 2025 |
| Potential DLL File Download Via PowerShell Invoke-WebRequest | Trouble | TA0011, TA0002, T1105 | Process Creation | Windows | September 15, 2025 |
| PowerShell Download and Execution Cradles | Trouble | TA0002, T1059 | Process Creation | Windows | September 15, 2025 |
| PowerShell Download Pattern | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Email Exfiltration Via Powershell | Trouble | TA0010 | Process Creation | Windows | September 15, 2025 |
| Potential Suspicious Windows Feature Enabled - ProcCreation | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Suspicious Execution of Powershell with Base64 | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Powershell Inline Execution From A File | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Certificate Exported Via PowerShell | Trouble | TA0006, TA0002, T1552.004 | Process Creation | Windows | September 15, 2025 |
| Base64 Encoded PowerShell Command Detected | Trouble | TA0005, TA0002, T1027 | Process Creation | Windows | September 15, 2025 |
| Suspicious FromBase64String Usage On Gzip Archive - Process Creation | Trouble | TA0011, T1132.001 | Process Creation | Windows | September 15, 2025 |
| PowerShell Get-Clipboard Cmdlet Via CLI | Trouble | TA0009, T1115 | Process Creation | Windows | September 15, 2025 |
| Abuse of Service Permissions to Hide Services Via Set-Service | Trouble | TA0003, TA0005, TA0004, T1574.011 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell IEX Execution Patterns | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Root Certificate Installed From Susp Locations | Trouble | TA0005, T1553.004 | Process Creation | Windows | September 15, 2025 |
| Unsigned AppX Installation Attempt Using Add-AppxPackage | Trouble | TA0003, TA0005 | Process Creation | Windows | September 15, 2025 |
| Suspicious Invoke-WebRequest Execution With DirectIP | Trouble | TA0011, T1105 | Process Creation | Windows | September 15, 2025 |
| Suspicious Invoke-WebRequest Execution | Trouble | TA0011, T1105 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell Mailbox Export to Share | Critical | TA0010 | Process Creation | Windows | September 15, 2025 |
| MSExchange Transport Agent Installation | Trouble | TA0003, T1505.002 | Process Creation | Windows | September 15, 2025 |
| Non Interactive PowerShell Process Spawned | Attention | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Potential PowerShell Obfuscation Via WCHAR | Trouble | TA0002, TA0005, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Execution of Powershell Script in Public Folder | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses | Trouble | TA0005, T1218 | Process Creation | Windows | September 15, 2025 |
| Tamper Windows Defender Remove-MpPreference | Trouble | TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Potential Powershell ReverseShell Connection | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Run PowerShell Script from ADS | Trouble | TA0005, T1564.004 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell Invocation From Script Engines | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Service DACL Modification Via Set-Service Cmdlet | Trouble | TA0003, T1543.003 | Process Creation | Windows | September 15, 2025 |
| PowerShell Script Change Permission Via Set-Acl | Trouble | TA0005 | Process Creation | Windows | September 15, 2025 |
| Change PowerShell Policies to an Insecure Level | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Service StartupType Change Via PowerShell Set-Service | Trouble | TA0002, TA0005, T1562.001 | Process Creation | Windows | September 15, 2025 |
| Deletion of Volume Shadow Copies via WMI with PowerShell | Trouble | TA0040, T1490 | Process Creation | Windows | September 15, 2025 |
| Exchange PowerShell Snap-Ins Usage | Trouble | TA0002, TA0009, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Stop Windows Service Via PowerShell Stop-Service | Attention | TA0040, T1489 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell Download and Execute Pattern | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious PowerShell Parent Process | Trouble | TA0002, T1059.001 | Process Creation | Windows | September 15, 2025 |
| Suspicious Service Installed | Trouble | TA0005, T1562.001 | | Windows | September 15, 2025 |
| Coronavirus ransomware detections | Critical | TA0040, T1486 | File Creation, Process Creation, File Deletion | Windows | September 15, 2025 |
| Mailto ransomware detections | Critical | TA0040, T1486 | Process Creation, File Creation, File Deletion | Windows | September 15, 2025 |
| Ragnar Locker ransomware detections | Critical | TA0040, T1486 | Process Creation, File Creation | Windows | September 15, 2025 |
| Possible ransomware activities | Critical | TA0040, T1486 | Process Creation, File Modification | Windows | September 15, 2025 |
| USB Device Plugged | Attention | TA0001, T1200 | | Windows | September 15, 2025 |
| Uncommon New Firewall Rule Added In Windows Firewall Exception List | Trouble | TA0005, T1562.004 | | Windows | September 15, 2025 |
| New Firewall Rule Added In Windows Firewall Exception List For Potential Suspicious Application | Trouble | TA0005, T1562.004 | | Windows | September 15, 2025 |
| New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE | Trouble | TA0005, T1562.004 | | Windows | September 15, 2025 |
| A Rule Has Been Deleted From The Windows Firewall Exception List | Trouble | TA0005, T1562.004 | | Windows | September 15, 2025 |
| Windows Defender Firewall Has Been Reset To Its Default Configuration | Attention | TA0005, T1562.004 | | Windows | September 15, 2025 |
| Windows Firewall Settings Have Been Changed | Attention | TA0005, T1562.004 | | Windows | September 15, 2025 |
| Security Eventlog Cleared | Trouble | TA0005, T1070.001 | | Windows | September 15, 2025 |
| Processes Accessing the Microphone and Webcam | Trouble | TA0009, T1123 | Windows Registry Key Access, Windows Registry Key Creation, Windows Registry Key Deletion, Windows Registry Key Modification | Windows | September 15, 2025 |
| Outgoing Logon with New Credentials | Attention | TA0005, TA0008, T1550 | | Windows | September 15, 2025 |
| COLDSTEEL Persistence Service Creation | Trouble | TA0005, TA0003 | | Windows | September 15, 2025 |
| SNAKE Malware Service Persistence | Critical | TA0003 | | Windows | September 15, 2025 |
| NTLMv1 Logon Between Client and Server | Trouble | TA0005, TA0008, T1550.002 | | Windows | September 15, 2025 |
| Important Windows Eventlog Cleared | Trouble | TA0005, T1070.001 | | Windows | September 15, 2025 |
| Critical Hive In Suspicious Location Access Bits Cleared | Trouble | TA0006, T1003.002 | | Windows | September 15, 2025 |
| Diamond Sleet APT File Creation Indicators | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential APT FIN7 Related PowerShell Script Created | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Lace Tempest File Indicators | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Onyx Sleet APT File Creation Indicators | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader | Trouble | TA0003, T1505.001 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity | Trouble | TA0001, T1190 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential CVE-2023-36884 Exploitation Dropped File | Trouble | TA0003, TA0005 | File Creation, File Modification | Windows | September 15, 2025 |
| CVE-2023-40477 Potential Exploitation - .REV File Creation | Attention | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential COLDSTEEL RAT File Indicators | Trouble | TA0003, TA0005 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential COLDSTEEL Persistence Service DLL Creation | Trouble | TA0003, TA0005 | File Creation, File Modification | Windows | September 15, 2025 |
| DarkGate - Autoit3.EXE File Creation By Uncommon Process | Trouble | TA0011, TA0002, T1105 | File Creation, File Modification | Windows | September 15, 2025 |
| SNAKE Malware Kernel Driver File Indicator | Critical | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| SNAKE Malware Installer Name Indicators | Attention | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| Forest Blizzard APT - File Creation Activity | Trouble | TA0005, T1562.002 | File Creation, File Modification | Windows | September 15, 2025 |
| ScreenConnect - SlashAndGrab Exploitation Indicators | Trouble | TA0005 | File Creation, File Modification | Windows | September 15, 2025 |
| ScreenConnect User Database Modification | Trouble | TA0003 | File Creation, File Modification | Windows | September 15, 2025 |
| File Creation Related To RAT Clients | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| EventLog EVTX File Deleted | Trouble | TA0005, T1070 | File Deletion | Windows | September 15, 2025 |
| IIS WebServer Access Logs Deleted | Trouble | TA0005, T1070 | File Deletion | Windows | September 15, 2025 |
| PowerShell Console History Logs Deleted | Trouble | TA0005, T1070 | File Deletion | Windows | September 15, 2025 |
| TeamViewer Log File Deleted | Attention | TA0005, T1070.004 | File Deletion | Windows | September 15, 2025 |
| Tomcat WebServer Logs Deleted | Trouble | TA0005, T1070 | File Deletion | Windows | September 15, 2025 |
| File Deleted Via Sysinternals SDelete | Trouble | TA0005, T1070.004 | File Deletion | Windows | September 15, 2025 |
| Unusual File Deletion by Dns.exe | Trouble | TA0001, T1133 | File Deletion | Windows | September 15, 2025 |
| Advanced IP Scanner - File Event | Trouble | TA0007, T1046 | File Creation, File Modification | Windows | September 15, 2025 |
| Anydesk Temporary Artefact | Trouble | TA0011, T1219.002 | File Creation, File Modification | Windows | September 15, 2025 |
| Suspicious Binary Writes Via AnyDesk | Trouble | TA0011, T1219.002 | File Creation, File Modification | Windows | September 15, 2025 |
| Assembly DLL Creation Via AspNetCompiler | Trouble | TA0002 | File Creation, File Modification | Windows | September 15, 2025 |
| EVTX Created In Uncommon Location | Trouble | TA0005, T1562.002 | File Creation, File Modification | Windows | September 15, 2025 |
| Creation Of Non-Existent System DLL | Trouble | TA0005, TA0003, TA0004, T1574.001 | File Creation, File Modification | Windows | September 15, 2025 |
| New Custom Shim Database Created | Trouble | TA0003, T1547.009 | File Creation, File Modification | Windows | September 15, 2025 |
| Suspicious Screensaver Binary File Creation | Trouble | TA0003, T1546.002 | File Creation, File Modification | Windows | September 15, 2025 |
| Files With System DLL Name In Unsuspected Locations | Trouble | TA0005, T1036.005 | File Creation, File Modification | Windows | September 15, 2025 |
| Creation Exe for Service with Unquoted Path | Trouble | TA0003, T1547.009 | File Creation, File Modification | Windows | September 15, 2025 |
| WScript or CScript Dropper - File | Trouble | TA0002, T1059.005 | File Creation, File Modification | Windows | September 15, 2025 |
| CSExec Service File Creation | Trouble | TA0002, T1569.002 | File Creation, File Modification | Windows | September 15, 2025 |
| Dynamic CSharp Compile Artefact | Attention | TA0005, T1027.004 | File Creation, File Modification | Windows | September 15, 2025 |
| DLL Search Order Hijacking Via Additional Space in Path | Trouble | TA0003, TA0004, TA0005, T1574.001 | File Creation, File Modification | Windows | September 15, 2025 |
| Potentially Suspicious DMP/HDMP File Creation | Trouble | TA0005 | File Creation, File Modification | Windows | September 15, 2025 |
| Potential Persistence Attempt Via ErrorHandler.Cmd | Trouble | TA0003 | File Creation, File Modification | Windows | September 15, 2025 |
| GoToAssist Temporary Installation Artefact | Trouble | TA0011, T1219.002 | File Creation, File Modification | Windows | September 15, 2025 |
| HackTool - Dumpert Process Dumper Default File | Critical | TA0006, T1003.001 | File Creation, File Modification | Windows | September 15, 2025 |

HackTool - Typical HiveNightmare SAM File Export

TA0006 T1552.001 Windows File Creation File Modification
Trouble
TA0006, T1552.001
Windows
Last updated: September 15, 2025
View details

HackTool - Inveigh Execution Artefacts

TA0011 T1219.002 Windows File Creation File Modification
Critical
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators

TA0011 T1219.002 Windows File Creation File Modification
Trouble
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

HackTool - Mimikatz Kirbi File Creation

TA0006 T1558 Windows File Creation File Modification
Critical
TA0006, T1558
Windows
Last updated: September 15, 2025
View details

HackTool - NPPSpy Hacktool Usage

TA0006 Windows File Creation File Modification
Trouble
TA0006
Windows
Last updated: September 15, 2025
View details

HackTool - Powerup Write Hijack DLL

TA0003 TA0004 TA0005 T1574.001 Windows File Creation File Modification
Trouble
TA0003, TA0004, TA0005, T1574.001
Windows
Last updated: September 15, 2025
View details

HackTool - QuarksPwDump Dump File

TA0006 T1003.002 Windows File Creation File Modification
Critical
TA0006, T1003.002
Windows
Last updated: September 15, 2025
View details

HackTool - SafetyKatz Dump Indicator

TA0006 T1003.001 Windows File Creation File Modification
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

Potential Initial Access via DLL Search Order Hijacking

TA0001 TA0005 T1566 Windows File Creation File Modification
Trouble
TA0001, TA0005, T1566
Windows
Last updated: September 15, 2025
View details

Installation of TeamViewer Desktop

TA0011 T1219.002 Windows File Creation File Modification
Trouble
TA0011, T1219.002
Windows
Last updated: September 15, 2025
View details

Malicious DLL File Dropped in the Teams or OneDrive Folder

TA0003 TA0004 TA0005 T1574.001 Windows File Creation File Modification
Trouble
TA0003, TA0004, TA0005, T1574.001
Windows
Last updated: September 15, 2025
View details

ISO File Created Within Temp Folders

TA0001 T1566.001 Windows File Creation File Modification
Trouble
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

ISO or Image Mount Indicator in Recent Files

TA0001 T1566.001 Windows File Creation File Modification
Trouble
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

GatherNetworkInfo.VBS Reconnaissance Script Output

TA0007 Windows File Creation File Modification
Trouble
TA0007
Windows
Last updated: September 15, 2025
View details

LSASS Process Memory Dump Files

TA0006 T1003.001 Windows File Creation File Modification
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

LSASS Process Dump Artefact In CrashDumps Folder

TA0006 T1003.001 Windows File Creation File Modification
Trouble
TA0006, T1003.001
Windows
Last updated: September 15, 2025
View details

Adwind RAT / JRAT File Artifact

TA0002 T1059.005 Windows File Creation File Modification
Trouble
TA0002, T1059.005
Windows
Last updated: September 15, 2025
View details

Octopus Scanner Malware

TA0001 T1195 Windows File Creation File Modification
Trouble
TA0001, T1195
Windows
Last updated: September 15, 2025
View details

File Creation In Suspicious Directory By Msdt.EXE

TA0003 T1547.001 Windows File Creation File Modification
Trouble
TA0003, T1547.001
Windows
Last updated: September 15, 2025
View details

Uncommon File Creation By Mysql Daemon Process

TA0005 Windows File Creation File Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Suspicious DotNET CLR Usage Log Artifact

TA0005 T1218 Windows File Creation File Modification
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Suspicious File Creation In Uncommon AppData Folder

TA0005 TA0002 Windows File Creation File Modification
Trouble
TA0005, TA0002
Windows
Last updated: September 15, 2025
View details

SCR File Write Event

TA0005 T1218.011 Windows File Creation File Modification
Trouble
TA0005, T1218.011
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Notepad++ Plugins

TA0003 Windows File Creation File Modification
Trouble
TA0003
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Microsoft Office Add-In

TA0003 T1137.006 Windows File Creation File Modification
Trouble
TA0003, T1137.006
Windows
Last updated: September 15, 2025
View details

Office Macro File Creation

TA0001 T1566.001 Windows File Creation File Modification
Attention
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

Office Macro File Download

TA0001 T1566.001 Windows File Creation File Modification
Trouble
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

Office Macro File Creation From Suspicious Process

TA0001 T1566.001 Windows File Creation File Modification
Trouble
TA0001, T1566.001
Windows
Last updated: September 15, 2025
View details

OneNote Attachment File Dropped In Suspicious Location

TA0005 Windows File Creation File Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Suspicious File Created Via OneNote Application

TA0005 Windows File Creation File Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

New Outlook Macro Created

TA0003 TA0011 T1137 Windows File Creation File Modification
Trouble
TA0003, TA0011, T1137
Windows
Last updated: September 15, 2025
View details

Potential Persistence Via Outlook Form

TA0003 T1137.003 Windows File Creation File Modification
Trouble
TA0003, T1137.003
Windows
Last updated: September 15, 2025
View details

Suspicious Outlook Macro Created

TA0003 TA0011 T1137 Windows File Creation File Modification
Trouble
TA0003, TA0011, T1137
Windows
Last updated: September 15, 2025
View details

Publisher Attachment File Dropped In Suspicious Location

TA0005 Windows File Creation File Modification
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

PCRE.NET Package Temp Files

TA0002 T1059 Windows File Creation File Modification
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Suspicious File Created In PerfLogs

TA0002 T1059 Windows File Creation File Modification
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Suspicious DLL Loaded via CertOC.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

New Root Certificate Installed Via Certutil.EXE

TA0005 T1553.004 Windows Process Creation
Trouble
TA0005, T1553.004
Windows
Last updated: September 15, 2025
View details

File Decoded From Base64/Hex Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Suspicious Download Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Suspicious File Downloaded From Direct IP Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

File Encoded To Base64 Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Suspicious File Encoded To Base64 Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

File In Suspicious Location Encoded To Base64 Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Certificate Exported Via Certutil.EXE

TA0005 T1027 Windows Process Creation
Trouble
TA0005, T1027
Windows
Last updated: September 15, 2025
View details

Potential NTLM Coercion Via Certutil.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Deleted Data Overwritten Via Cipher.EXE

TA0040 T1485 Windows Process Creation
Trouble
TA0040, T1485
Windows
Last updated: September 15, 2025
View details

Process Access via TrolleyExpress Exclusion

TA0005 TA0006 T1218.011 Windows Process Creation
Trouble
TA0005, TA0006, T1218.011
Windows
Last updated: September 15, 2025
View details

Data Copied To Clipboard Via Clip.EXE

TA0009 T1115 Windows Process Creation
Attention
TA0009, T1115
Windows
Last updated: September 15, 2025
View details

Cloudflared Portable Execution

TA0011 T1090.001 Windows Process Creation
Trouble
TA0011, T1090.001
Windows
Last updated: September 15, 2025
View details

Cloudflared Quick Tunnel Execution

TA0011 T1090.001 Windows Process Creation
Trouble
TA0011, T1090.001
Windows
Last updated: September 15, 2025
View details

Cloudflared Tunnel Connections Cleanup

TA0011 T1102 Windows Process Creation
Trouble
TA0011, T1102
Windows
Last updated: September 15, 2025
View details

Cloudflared Tunnel Execution

TA0011 T1102 Windows Process Creation
Trouble
TA0011, T1102
Windows
Last updated: September 15, 2025
View details

New Generic Credentials Added Via Cmdkey.EXE

TA0006 T1003.005 Windows Process Creation
Trouble
TA0006, T1003.005
Windows
Last updated: September 15, 2025
View details

Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE

TA0006 T1003.005 Windows Process Creation
Trouble
TA0006, T1003.005
Windows
Last updated: September 15, 2025
View details

Potential Arbitrary File Download Via Cmdl32.EXE

TA0002 TA0005 T1218 Windows Process Creation
Trouble
TA0002, TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Change Default File Association Via Assoc

TA0003 T1546.001 Windows Process Creation
Attention
TA0003, T1546.001
Windows
Last updated: September 15, 2025
View details

Change Default File Association To Executable Via Assoc

TA0003 T1546.001 Windows Process Creation
Trouble
TA0003, T1546.001
Windows
Last updated: September 15, 2025
View details

Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE

TA0006 Windows Process Creation
Trouble
TA0006
Windows
Last updated: September 15, 2025
View details

Curl Download And Execute Combination

TA0005 TA0011 T1218 Windows Process Creation
Trouble
TA0005, TA0011, T1218
Windows
Last updated: September 15, 2025
View details

File Deletion Via Del

TA0005 T1070.004 Windows Process Creation
Attention
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

Greedy File Deletion Using Del

TA0005 T1070.004 Windows Process Creation
Trouble
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

File And SubFolder Enumeration Via Dir Command

TA0007 T1217 Windows Process Creation
Attention
TA0007, T1217
Windows
Last updated: September 15, 2025
View details

Command Line Execution with Suspicious URL and AppData Strings

TA0002 TA0011 T1059.003 Windows Process Creation
Trouble
TA0002, TA0011, T1059.003
Windows
Last updated: September 15, 2025
View details

Potential Privilege Escalation Using Symlink Between Osk and Cmd

TA0004 TA0003 T1546.008 Windows Process Creation
Trouble
TA0004, TA0003, T1546.008
Windows
Last updated: September 15, 2025
View details

VolumeShadowCopy Symlink Creation Via Mklink

TA0006 T1003.002 Windows Process Creation
Trouble
TA0006, T1003.002
Windows
Last updated: September 15, 2025
View details

Suspicious File Execution From Internet Hosted WebDav Share

TA0002 T1059.001 Windows Process Creation
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

Cmd.EXE Missing Space Characters Execution Anomaly

TA0002 T1059.001 Windows Process Creation
Trouble
TA0002, T1059.001
Windows
Last updated: September 15, 2025
View details

NtdllPipe Like Activity Execution

TA0005 Windows Process Creation
Trouble
TA0005
Windows
Last updated: September 15, 2025
View details

Potential CommandLine Path Traversal Via Cmd.EXE

TA0002 T1059.003 Windows Process Creation
Trouble
TA0002, T1059.003
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Ping/Copy Command Combination

TA0005 T1070.004 Windows Process Creation
Trouble
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

Suspicious Ping/Del Command Combination

TA0005 T1070.004 Windows Process Creation
Trouble
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

Directory Removal Via Rmdir

TA0005 T1070.004 Windows Process Creation
Attention
TA0005, T1070.004
Windows
Last updated: September 15, 2025
View details

Copy From VolumeShadowCopy Via Cmd.EXE

TA0040 T1490 Windows Process Creation
Trouble
TA0040, T1490
Windows
Last updated: September 15, 2025
View details

Persistence Via Sticky Key Backdoor

TA0004 T1546.008 Windows Process Creation
Critical
TA0004, T1546.008
Windows
Last updated: September 15, 2025
View details

Sticky Key Like Backdoor Execution

TA0004 TA0003 T1546.008 Windows Process Creation
Critical
TA0004, TA0003, T1546.008
Windows
Last updated: September 15, 2025
View details

Unusual Parent Process For Cmd.EXE

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

CMSTP Execution Process Creation

TA0005 TA0002 T1218.003 Windows Process Creation
Trouble
TA0005, TA0002, T1218.003
Windows
Last updated: September 15, 2025
View details

Arbitrary File Download Via ConfigSecurityPolicy.EXE

TA0010 T1567 Windows Process Creation
Trouble
TA0010, T1567
Windows
Last updated: September 15, 2025
View details

Powershell Executed From Headless ConHost Process

TA0005 TA0002 T1564.003 Windows Process Creation
Trouble
TA0005, TA0002, T1564.003
Windows
Last updated: September 15, 2025
View details

Conhost.exe CommandLine Path Traversal

TA0002 T1059.003 Windows Process Creation
Trouble
TA0002, T1059.003
Windows
Last updated: September 15, 2025
View details

Uncommon Child Process Of Conhost.EXE

TA0005 T1202 Windows Process Creation
Trouble
TA0005, T1202
Windows
Last updated: September 15, 2025
View details

Conhost Spawned By Uncommon Parent Process

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Control Panel Items

TA0002 TA0005 TA0003 T1218.002 Windows Process Creation
Trouble
TA0002, TA0005, TA0003, T1218.002
Windows
Last updated: September 15, 2025
View details

CreateDump Process Dump

TA0005 TA0006 T1036 Windows Process Creation
Trouble
TA0005, TA0006, T1036
Windows
Last updated: September 15, 2025
View details

Suspicious Csi.exe Usage

TA0002 TA0005 T1072 Windows Process Creation
Trouble
TA0002, TA0005, T1072
Windows
Last updated: September 15, 2025
View details

Suspicious Use of CSharp Interactive Console

TA0002 TA0005 T1127 Windows Process Creation
Trouble
TA0002, TA0005, T1127
Windows
Last updated: September 15, 2025
View details

Active Directory Structure Export Via Csvde.EXE

TA0010 TA0007 T1087.002 Windows Process Creation
Trouble
TA0010, TA0007, T1087.002
Windows
Last updated: September 15, 2025
View details

Insecure Proxy/DOH Transfer Via Curl.EXE

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Local File Read Using Curl.EXE

TA0002 Windows Process Creation
Trouble
TA0002
Windows
Last updated: September 15, 2025
View details

Suspicious Curl.EXE Download

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

TA0005 T1055.001 Windows Process Creation
Trouble
TA0005, T1055.001
Windows
Last updated: September 15, 2025
View details

Uncommon Child Process Of Defaultpack.EXE

TA0005 TA0002 T1218 Windows Process Creation
Trouble
TA0005, TA0002, T1218
Windows
Last updated: September 15, 2025
View details

Remote File Download Via Desktopimgdownldr Utility

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Suspicious Desktopimgdownldr Command

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Potential DLL Sideloading Via DeviceEnroller.EXE

TA0005 T1574.001 Windows Process Creation
Trouble
TA0005, T1574.001
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Child Process Of ClickOnce Application

TA0002 TA0005 Windows Process Creation
Trouble
TA0002, TA0005
Windows
Last updated: September 15, 2025
View details

DirLister Execution

TA0007 T1083 Windows Process Creation
Attention
TA0007, T1083
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Child Process Of DiskShadow.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Diskshadow Script Mode - Uncommon Script Extension Execution

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Diskshadow Script Mode - Execution From Potential Suspicious Location

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

PowerShell Web Access Feature Enabled Via DISM

TA0003 TA0004 TA0005 T1548.002 Windows Process Creation
Trouble
TA0003, TA0004, TA0005, T1548.002
Windows
Last updated: September 15, 2025
View details

Dism Remove Online Package

TA0005 T1562.001 Windows Process Creation
Trouble
TA0005, T1562.001
Windows
Last updated: September 15, 2025
View details

DLL Sideloading by VMware Xfer Utility

TA0005 T1574.001 Windows Process Creation
Trouble
TA0005, T1574.001
Windows
Last updated: September 15, 2025
View details

DNS Exfiltration and Tunneling Tools Execution

TA0010 TA0011 T1048.001 Windows Process Creation
Trouble
TA0010, TA0011, T1048.001
Windows
Last updated: September 15, 2025
View details

Unusual Child Process of dns.exe

TA0001 T1133 Windows Process Creation
Trouble
TA0001, T1133
Windows
Last updated: September 15, 2025
View details

Potential Application Whitelisting Bypass via Dnx.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Process Memory Dump Via Dotnet-Dump

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Binary Proxy Execution Via Dotnet-Trace.EXE

TA0002 TA0005 T1218 Windows Process Creation
Trouble
TA0002, TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Potential Recon Activity Using DriverQuery.EXE

TA0007 Windows Process Creation
Trouble
TA0007
Windows
Last updated: September 15, 2025
View details

DriverQuery.EXE Execution

TA0007 Windows Process Creation
Trouble
TA0007
Windows
Last updated: September 15, 2025
View details

Suspicious Kernel Dump Using Dtrace

TA0007 T1082 Windows Process Creation
Trouble
TA0007, T1082
Windows
Last updated: September 15, 2025
View details

DumpMinitool Execution

TA0005 TA0006 T1036 Windows Process Creation
Trouble
TA0005, TA0006, T1036
Windows
Last updated: September 15, 2025
View details

Suspicious DumpMinitool Execution

TA0005 TA0006 T1036 Windows Process Creation
Trouble
TA0005, TA0006, T1036
Windows
Last updated: September 15, 2025
View details

New Capture Session Launched Via DXCap.EXE

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Copying Sensitive Files with Credential Data

TA0006 T1003.002 Windows Process Creation
Trouble
TA0006, T1003.002
Windows
Last updated: September 15, 2025
View details

Esentutl Steals Browser Information

TA0009 T1005 Windows Process Creation
Trouble
TA0009, T1005
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Event Viewer Child Process

TA0005 TA0004 T1548.002 Windows Process Creation
Trouble
TA0005, TA0004, T1548.002
Windows
Last updated: September 15, 2025
View details

Potentially Suspicious Cabinet File Expansion

TA0005 T1218 Windows Process Creation
Trouble
TA0005, T1218
Windows
Last updated: September 15, 2025
View details

Explorer Process Tree Break

TA0005 T1036 Windows Process Creation
Trouble
TA0005, T1036
Windows
Last updated: September 15, 2025
View details

File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell

TA0007 T1135 Windows Process Creation
Trouble
TA0007, T1135
Windows
Last updated: September 15, 2025
View details

Remote File Download Via Findstr.EXE

TA0005 TA0006 TA0011 T1218 Windows Process Creation
Trouble
TA0005, TA0006, TA0011, T1218
Windows
Last updated: September 15, 2025
View details

LSASS Process Reconnaissance Via Findstr.EXE

TA0006 T1552.006 Windows Process Creation
Trouble
TA0006, T1552.006
Windows
Last updated: September 15, 2025
View details

Recon Command Output Piped To Findstr.EXE

TA0007 T1057 Windows Process Creation
Trouble
TA0007, T1057
Windows
Last updated: September 15, 2025
View details

Security Tools Keyword Lookup Via Findstr.EXE

TA0007 T1518.001 Windows Process Creation
Trouble
TA0007, T1518.001
Windows
Last updated: September 15, 2025
View details

Insensitive Subfolder Search Via Findstr.EXE

TA0005 TA0006 TA0011 T1218 Windows Process Creation
Attention
TA0005, TA0006, TA0011, T1218
Windows
Last updated: September 15, 2025
View details

Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE

TA0007 T1518.001 Windows Process Creation
Trouble
TA0007, T1518.001
Windows
Last updated: September 15, 2025
View details

Finger.EXE Execution

TA0011 T1105 Windows Process Creation
Trouble
TA0011, T1105
Windows
Last updated: September 15, 2025
View details

Filter Driver Unloaded Via Fltmc.EXE

TA0005 T1070 Windows Process Creation
Trouble
TA0005, T1070
Windows
Last updated: September 15, 2025
View details

Sysmon Driver Unloaded Via Fltmc.EXE

TA0005 T1070 Windows Process Creation
Trouble
TA0005, T1070
Windows
Last updated: September 15, 2025
View details

Forfiles Command Execution

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Use of FSharp Interpreters

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Fsutil Drive Enumeration

TA0007 T1120 Windows Process Creation
Attention
TA0007, T1120
Windows
Last updated: September 15, 2025
View details

Fsutil Behavior Set SymlinkEvaluation

TA0002 T1059 Windows Process Creation
Trouble
TA0002, T1059
Windows
Last updated: September 15, 2025
View details

Fsutil Suspicious Invocation

TA0005 TA0040 T1070 Windows Process Creation
Trouble
TA0005, TA0040, T1070
Windows
Last updated: September 15, 2025
View details