MITRE ATT&CK MAPPING DICTIONARY BY IZZMIER IZZUDDIN

| Use case / alert | MITRE tactic | Technique (ID) | Sub-technique (if any) |
|---|---|---|---|
| Multiple failed logins followed by success from unusual IP | Credential Access | Brute Force (T1110) | Password Guessing (T1110.001) |
| Suspicious PowerShell with encoded command | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| mimikatz.exe execution or LSASS memory dump | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| User created a new local admin account unexpectedly | Persistence | Create Account (T1136) | Local Account (T1136.001) |
| Unusual rundll32.exe execution with unknown DLL | Execution / Defense Evasion | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| File data.zip uploaded to Dropbox/Google Drive | Exfiltration | Exfiltration Over Web Services (T1567) | Exfiltration to Cloud Storage (T1567.002) |
| RDP login from external IP not allowed | Initial Access | Remote Services (T1021) | Remote Desktop Protocol (T1021.001) |
| Scheduled task created (schtasks.exe) | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Unusual wmic command for remote execution | Execution / Lateral Movement | Windows Management Instrumentation (T1047) | — |
| Registry Run key modification for startup | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys/Startup Folder (T1547.001) |
| Suspicious outbound traffic to rare IP via port 4444 | Command & Control | Application Layer Protocol (T1071) | Non-Standard Port (T1071.003) |
| Phishing email with malicious attachment opened | Initial Access | Phishing (T1566) | Spearphishing Attachment (T1566.001) |
| Abnormal net user / net group commands run | Discovery | Account Discovery (T1087) | Local Account (T1087.001) |
| vssadmin.exe delete shadows observed | Defense Evasion / Impact | Inhibit System Recovery (T1490) | — |
| Sensitive files staged in unusual directory (C:\Temp\Finance.zip) | Collection | Archive Collected Data (T1560) | Local Data Staging (T1074.001) |
| EDR detects unsigned driver installation | Privilege Escalation / Defense Evasion | Abuse Elevation Control Mechanism (T1548) | Exploitation for Privilege Escalation (T1068) |
| Execution of cmd.exe /c whoami or systeminfo | Discovery | System Information Discovery (T1082) | — |
| Outbound DNS tunnelling detected (long base64 queries) | Command & Control | Application Layer Protocol (T1071) | DNS (T1071.004) |
| Persistence via Windows service creation (sc create) | Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| User clicks malicious link leading to credential theft page | Initial Access / Credential Access | Phishing (T1566) | Spearphishing Link (T1566.002) + Input Capture (T1056.003) |
| Unusual SMB traffic between endpoints | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Suspicious mshta.exe execution loading remote script | Execution | Command & Scripting Interpreter (T1059) | MSHTA (T1059.005) |
| Office document spawning PowerShell or CMD | Execution / Initial Access | User Execution (T1204) | Malicious File (T1204.002) |
| Browser credential dump detected (e.g., Chrome Login Data access) | Credential Access | Credential from Password Stores (T1555) | Credentials from Web Browsers (T1555.003) |
| Unusual LDAP query for multiple user attributes | Discovery | Account Discovery (T1087) | Domain Account (T1087.002) |
| Cobalt Strike beacon traffic identified | Command & Control | Ingress Tool Transfer (T1105) / Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| System time change observed (time manipulation) | Defense Evasion | Impair Defenses (T1562) | System Time Modification (T1562.003) |
| User adding themselves to Domain Admins group | Privilege Escalation / Persistence | Create Account (T1136) | Domain Account (T1136.002) |
| Use of certutil.exe for file download | Defense Evasion / Command & Control | Ingress Tool Transfer (T1105) | — |
| Unexpected process injection detected | Defense Evasion | Process Injection (T1055) | Remote Thread Injection (T1055.001) |
| WMI subscription creation (Event Consumer) | Persistence | Event Triggered Execution (T1546) | WMI Event Subscription (T1546.003) |
| Data compressed with rar.exe before exfiltration | Collection / Exfiltration | Archive Collected Data (T1560) | Compression with Utility (T1560.001) |
| Suspicious modification of security tools (e.g., AV disabled) | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| SMB enumeration from non-admin workstation | Discovery | Network Service Scanning (T1046) | — |
| Unusual Kerberos ticket requests (AS-REP Roasting) | Credential Access | Kerberos Attacks (T1558) | AS-REP Roasting (T1558.004) |
| Golden Ticket creation detected | Credential Access / Persistence | Kerberos Attacks (T1558) | Golden Ticket (T1558.001) |
| Unusual replication request from non-DC system | Credential Access | OS Credential Dumping (T1003) | DCSync (T1003.006) |
| Lateral movement via PsExec detected | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Abnormal spike in failed VPN logins from multiple geographies | Credential Access / Initial Access | Brute Force (T1110) | Password Spraying (T1110.003) |
| VPN login from new country never seen before | Initial Access | Valid Accounts (T1078) | Remote Access (T1078.003) |
| Suspicious process hollowing attempt | Defense Evasion | Process Injection (T1055) | Process Hollowing (T1055.012) |
| Use of at.exe for job scheduling | Persistence | Scheduled Task/Job (T1053) | At (T1053.002) |
| Abnormal PowerShell download cradle detected | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Email forwarding rules created automatically | Collection / Exfiltration | Exfiltration Over Email (T1567) | Email Forwarding Rule (T1114.003) |
| Use of LOLBin certutil.exe to encode/decode files | Defense Evasion | Obfuscated Files or Information (T1027) | Encoding of Files (T1027.002) |
| Rclone detected transferring files externally | Exfiltration | Exfiltration Over Web Services (T1567) | Cloud Storage (T1567.002) |
| Abnormal clipboard access by suspicious process | Collection | Input Capture (T1056) | Clipboard Data (T1115) |
| Shadow credential abuse (certificate theft / ADCS abuse) | Credential Access / Persistence | Steal or Forge Authentication Certificates (T1649) | — |
| Pass-the-Hash authentication attempt | Credential Access / Lateral Movement | Use of Valid Accounts (T1078) | Pass-the-Hash (T1550.002) |
| Suspicious access to LSASS via comsvcs.dll | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Command & Control using Slack/Telegram API | Command & Control | Application Layer Protocol (T1071) | Web Services (T1071.001) |
| New executable dropped in Startup folder | Persistence | Boot or Logon Autostart Execution (T1547) | Startup Folder (T1547.001) |
| Abnormal ARP spoofing detected | Credential Access / Collection | Network Sniffing (T1040) | — |
| Registry change disabling Windows Defender | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Process accessing SAM/NTDS.dit file | Credential Access | OS Credential Dumping (T1003) | Security Account Manager (T1003.002) |
| Fileless malware observed via WMI and registry only | Execution / Persistence | Fileless Execution (T1059/T1546) | WMI Event Subscription (T1546.003) |
| Abnormal spike in outbound HTTPS to rare domain | Command & Control | Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| Legitimate admin tool (7zip, WinRAR) abused to compress data | Collection / Exfiltration | Archive Collected Data (T1560) | Compression with Utility (T1560.001) |
| Persistence through malicious browser extension | Persistence | Modify Existing Service (T1543) | Browser Extensions (T1176) |
| Abnormal Kerberos delegation use (unconstrained delegation abuse) | Privilege Escalation | Exploitation for Privilege Escalation (T1068) | Kerberos Delegation Abuse (T1558.003) |
| New GPO modified to push startup script | Persistence | Domain Policy Modification (T1484) | GPO Modification (T1484.001) |
| Abnormal outbound FTP transfer from server | Exfiltration | Exfiltration Over Unencrypted/Obsolete Protocol (T1048) | FTP (T1048.003) |
| Suspicious DLL injected into explorer.exe | Defense Evasion | Process Injection (T1055) | DLL Injection (T1055.001) |
| Detection of “Living off the Land” binaries (e.g., msiexec.exe downloading payload) | Execution / Defense Evasion | Signed Binary Proxy Execution (T1218) | msiexec.exe (T1218.007) |
| Malicious ISO/VHD mounted by user | Initial Access / Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Parent/child process anomaly (Office spawning PowerShell) | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Suspicious Wscript/Cscript usage | Execution | Command & Scripting Interpreter (T1059) | Windows Script Host (T1059.005) |
| Use of regsvr32.exe to execute scriptlet | Execution / Defense Evasion | Signed Binary Proxy Execution (T1218) | Regsvr32 (T1218.010) |
| Unexpected modification of LSASS registry keys | Credential Access | OS Credential Dumping (T1003) | LSASS Registry (T1003.002) |
| Suspicious process spawning “netsh portproxy” | Defense Evasion / Persistence | Port Knocking / Proxy | Port Proxy (T1090.001) |
| Abnormal usage of whoami/systeminfo across many hosts | Discovery | System Information Discovery (T1082) | — |
| Mass enumeration of shares via net view | Discovery | Network Share Discovery (T1135) | — |
| Abnormal replication traffic to Domain Controller | Credential Access | OS Credential Dumping (T1003) | DCSync (T1003.006) |
| WMI launching PowerShell remotely | Lateral Movement | Remote Services (T1021) | WMI (T1047) |
| Persistence through AppInit_DLLs registry key | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys (T1547.001) |
| Use of msbuild.exe executing inline C# code | Execution | Command & Scripting Interpreter (T1059) | msbuild.exe (T1127.001) |
| Abnormal rundll32 usage to run JavaScript | Execution | Command & Scripting Interpreter (T1059) | JavaScript (T1059.007) |
| New service configured with suspicious binary | Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| Abnormal outbound connection on TOR ports (9001, 9050, 9150) | Command & Control | Proxy (T1090) | Multi-hop Proxy (T1090.003) |
| DNS queries to algorithmically generated domains | Command & Control | Application Layer Protocol (T1071) | DNS (T1071.004) |
| Scheduled task with hidden flag (/RU SYSTEM /F) | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Abnormal .lnk file execution leading to payload | Initial Access / Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Unusual printing service abuse (PrintNightmare) | Privilege Escalation | Exploitation for Privilege Escalation (T1068) | Print Spooler Exploit |
| Malicious HTA file opened | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Persistence through Winlogon Helper DLL | Persistence | Boot or Logon Autostart Execution (T1547) | Winlogon Helper DLL (T1547.004) |
| Unusual PowerShell module import (Invoke-Mimikatz, PowerSploit) | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Credential dumping attempt using procdump.exe | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Encrypted RAR archive with sensitive file names created | Collection | Archive Collected Data (T1560) | Compression with Utility (T1560.001) |
| Suspicious AutoRun registry entry created | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys (T1547.001) |
| Unusual BITSAdmin job downloading payload | Command & Control | Ingress Tool Transfer (T1105) | BITS Jobs (T1197) |
| Suspicious OAuth consent grant by user | Persistence / Credential Access | Abuse of Cloud Identity and Access (T1098) | Consent Grant Abuse |
| Mass mail sent from compromised mailbox | Collection / Exfiltration | Exfiltration Over Email (T1567) | — |
| Detection of BloodHound/SharpHound enumeration | Discovery | Permission Groups Discovery (T1069) | Domain Groups (T1069.002) |
| Unusual Kerberos “silver ticket” usage | Credential Access / Persistence | Kerberos Attacks (T1558) | Silver Ticket (T1558.002) |
| Abnormal PowerShell using Invoke-Expression on encoded payload | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Suspicious file dropped in %AppData% or %Temp% | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys/Startup Folder (T1547.001) |
| Detection of MS Office spawning mshta.exe | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Abnormal access to NTDS.dit file | Credential Access | OS Credential Dumping (T1003) | NTDS (T1003.003) |
| Use of RDP for lateral movement inside network | Lateral Movement | Remote Services (T1021) | RDP (T1021.001) |
| Process spawning schtasks with suspicious arguments | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Suspicious registry modification for hidden startup entries | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys (T1547.001) |
| Unusual execution of msiexec.exe downloading remote payload | Execution | Signed Binary Proxy Execution (T1218) | msiexec.exe (T1218.007) |
| Unusual access to clipboard data by unknown process | Collection | Input Capture (T1056) | Clipboard Data (T1115) |
| Use of PowerShell for Kerberos ticket extraction (Invoke-Kerberoast) | Credential Access | Kerberoasting (T1558.003) | — |
| Abnormal outbound SMTP traffic from non-mail server | Exfiltration | Exfiltration Over Unencrypted/Obsolete Protocol (T1048) | SMTP (T1048.002) |
| Command-line use of certutil -decode | Defense Evasion | Obfuscated Files or Information (T1027) | — |
| User enabled Office macro unexpectedly | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Malicious ISO/VHD containing LNK shortcut | Initial Access | User Execution (T1204) | Malicious File (T1204.002) |
| Persistence via COM hijacking detected | Persistence | Hijack Execution Flow (T1574) | COM Hijacking (T1546.015) |
| Suspicious abuse of rundll32 with Control_RunDLL argument | Execution | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| Large file staged in C:\Recycle.Bin | Collection | Data Staged (T1074) | Local Data Staging (T1074.001) |
| New application whitelisting bypass attempt | Defense Evasion | Application Control Bypass (T1562.001) | — |
| Suspicious use of bcdedit to disable recovery options | Impact / Defense Evasion | Inhibit System Recovery (T1490) | — |
| Suspicious SMB session from workstation to workstation | Lateral Movement | Remote Services (T1021) | SMB (T1021.002) |
| User created forwarding rules to external email | Exfiltration | Exfiltration Over Email (T1567) | Auto-Forwarding Rule (T1114.003) |
| Execution of PSEXESVC.exe on remote hosts | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Suspected Beacon traffic with sleep/jitter patterns | Command & Control | Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| Suspicious registry persistence via Image File Execution Options | Persistence | Boot or Logon Autostart Execution (T1547) | IFEO Injection (T1547.010) |
| Detection of obfuscated JavaScript file (e.g., base64 + eval) | Execution | Command & Scripting Interpreter (T1059) | JavaScript (T1059.007) |
| Anomalous LDAP enumeration of group memberships | Discovery | Permission Groups Discovery (T1069) | Domain Groups (T1069.002) |
| Detection of AnyDesk/TeamViewer installed silently | Command & Control / Persistence | Remote Access Software (T1219) | — |
| Suspicious PowerShell remoting (Enter-PSSession) | Lateral Movement | Remote Services (T1021) | PowerShell Remoting (T1021.006) |
| Unusual DLL loaded by svchost.exe | Defense Evasion | Hijack Execution Flow (T1574) | DLL Search Order Hijacking (T1574.001) |
| Suspicious binary masquerading as legitimate Windows process (svhost.exe) | Defense Evasion | Masquerading (T1036) | Rename System Utilities (T1036.005) |
| New scheduled task with randomised name in system32 | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Unusual WinRM login from unexpected host | Lateral Movement | Remote Services (T1021) | Windows Remote Management (T1021.006) |
| Execution of mshta.exe loading content from remote domain | Execution | Command & Scripting Interpreter (T1059) | MSHTA (T1059.005) |
| Credential access attempt via browser saved passwords (Chrome/Edge) | Credential Access | Credentials from Password Stores (T1555) | Credentials from Web Browsers (T1555.003) |
| Abnormal outbound RDP traffic to Internet | Command & Control | Remote Services (T1021) | RDP (T1021.001) |
| WMI persistence with permanent event consumer | Persistence | Event Triggered Execution (T1546) | WMI Event Subscription (T1546.003) |
| Detection of Invoke-Obfuscation framework | Defense Evasion | Obfuscated Files or Information (T1027) | Obfuscated/Encoded Commands (T1027.010) |
| Suspicious registry modification of Winlogon Shell | Persistence | Boot or Logon Autostart Execution (T1547) | Winlogon Shell (T1547.004) |
| Detection of beacon-like traffic with domain fronting | Command & Control | Application Layer Protocol (T1071) | Web Services (T1071.001) |
| Abnormal ARP spoofing or poisoning alerts | Credential Access / Discovery | Network Sniffing (T1040) | — |
| Mass creation of accounts in AD within short time | Persistence | Create Account (T1136) | Domain Account (T1136.002) |
| Suspicious execution of rundll32.exe with Control_RunDLL parameter | Execution / Defense Evasion | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| Malicious ISO with hidden payload mounted | Initial Access | User Execution (T1204) | Malicious File (T1204.002) |
| Command execution via msiexec with /i http | Execution | Signed Binary Proxy Execution (T1218) | msiexec.exe (T1218.007) |
| Abnormal modification of Group Policy settings | Privilege Escalation / Persistence | Domain Policy Modification (T1484) | Group Policy Modification (T1484.001) |
| Detection of PsExec-style lateral movement with -s -d flags | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Suspicious installation of browser extension with elevated permissions | Persistence | Modify Existing Service (T1543) | Browser Extensions (T1176) |
| Unusual process attempting to access LSASS via MiniDumpWriteDump | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Abnormal outbound FTP transfer to unknown host | Exfiltration | Exfiltration Over Unencrypted/Obsolete Protocol (T1048) | FTP (T1048.003) |
| Suspicious scheduled task created via PowerShell New-ScheduledTask | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| User executes malicious .lnk file leading to payload | Initial Access / Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Suspicious installation of AnyDesk or TeamViewer | Command & Control / Persistence | Remote Access Software (T1219) | — |
| Detection of Cobalt Strike named pipe communication | Command & Control | Application Layer Protocol (T1071) | Named Pipes (T1090.001) |
| Abnormal registry modification to disable Windows Security Center | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Creation of suspicious MSI package for persistence | Persistence | Signed Binary Proxy Execution (T1218) | MSI Install (T1218.007) |
| Abnormal Windows service created pointing to attacker binary | Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| Suspicious RDP lateral movement inside VLAN | Lateral Movement | Remote Services (T1021) | RDP (T1021.001) |
| Exfiltration via HTTP POST with compressed archive | Exfiltration | Exfiltration Over Web Services (T1567) | HTTPS POST (T1567.001) |
| Abnormal LDAP query volume from single host | Discovery | Account Discovery (T1087) | Domain Account (T1087.002) |
| New persistence via Scheduled Task with hidden XML config | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| User downloaded executable from Pastebin/GitHub Gist | Initial Access / Execution | Ingress Tool Transfer (T1105) | — |
| Abnormal registry modification for LSA protection disabled | Credential Access / Defense Evasion | Impair Defenses (T1562) | Disable Security Features (T1562.001) |
| Suspicious use of MSBuild executing inline code (living-off-the-land) | Execution | Signed Binary Proxy Execution (T1218) | MSBuild (T1127.001) |
| Credential theft attempt using token impersonation | Credential Access | Use of Access Tokens (T1134) | Token Impersonation/Theft (T1134.001) |
| Abnormal Kerberos service ticket requests (Kerberoasting) | Credential Access | Kerberoasting (T1558.003) | — |
| Suspicious WMI persistence using ActiveScriptEventConsumer | Persistence | Event Triggered Execution (T1546) | WMI Event Subscription (T1546.003) |
| Execution of rundll32 calling javascript: or vbscript: | Execution | Command & Scripting Interpreter (T1059) | Script (T1059.007 / T1059.005) |
| Abnormal PowerShell command with Base64 + XOR encoded payload | Defense Evasion | Obfuscated Files or Information (T1027) | Obfuscated/Encoded Commands (T1027.010) |
| Suspicious use of sc.exe to configure new service | Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| RDP brute-force attempts from multiple geographies | Credential Access | Brute Force (T1110) | Password Spraying (T1110.003) |
| Detection of cobalt strike staging via certutil.exe | Execution / Defense Evasion | Ingress Tool Transfer (T1105) | — |
| Unauthorized mailbox export via EWS/Graph API | Collection / Exfiltration | Exfiltration Over Web Services (T1567) | Email Collection (T1114.002) |
| Abnormal OneDrive/SharePoint mass file downloads | Collection / Exfiltration | Cloud Storage (T1567.002) | — |
| Detection of registry modification to hide file extensions | Defense Evasion | Modify Registry (T1112) | — |
| Multiple abnormal Kerberos failures for nonexistent accounts | Discovery | Account Discovery (T1087) | Domain Account (T1087.002) |
| Unusual PowerShell remoting session creation | Lateral Movement | Remote Services (T1021) | PowerShell Remoting (T1021.006) |
| Malicious macro downloading payload with URLDownloadToFile | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Suspicious SMB exec traffic detected between servers | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Persistence via registry AppInit_DLLs | Persistence | Boot or Logon Autostart Execution (T1547) | AppInit_DLLs (T1547.009) |
| Suspicious scheduled task using wscript/cscript as action | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| User executes malicious shortcut (LNK) file from ZIP | Initial Access | User Execution (T1204) | Malicious File (T1204.002) |
| Abnormal modification of SYSTEM startup scripts | Persistence | Boot or Logon Initialization Scripts (T1037) | Startup Folder / Logon Script (T1037.001) |
| Use of WinRM to push commands across endpoints | Lateral Movement | Remote Services (T1021) | WinRM (T1021.006) |
| Command & Control via DNS TXT record queries | Command & Control | Application Layer Protocol (T1071) | DNS (T1071.004) |
| Abnormal outbound SSH from Windows endpoint | Command & Control | Remote Services (T1021) | SSH (T1021.004) |
| Suspicious privilege escalation via UAC bypass (fodhelper.exe) | Privilege Escalation | Abuse Elevation Control Mechanism (T1548) | Bypass User Account Control (T1548.002) |
| Mass login attempts using default credentials | Credential Access | Brute Force (T1110) | Password Guessing (T1110.001) |
| Data exfiltration using base64 encoded HTTP traffic | Exfiltration | Exfiltration Over Unencrypted Protocol (T1048) | HTTP (T1048.001) |
| Suspicious modification of hosts file redirecting domains | Defense Evasion | Modify Host File (T1565.001) | — |
| Unauthorized access to BitLocker recovery keys | Credential Access | OS Credential Dumping (T1003) | — |
| Suspicious execution of rundll32 invoking COM object | Execution | Hijack Execution Flow (T1574) | COM Hijacking (T1546.015) |
| Mass file renaming with unusual extensions (.locked, .encrypted) | Impact | Data Encrypted for Impact (T1486) | — |
| Unusual modification of registry Shell value | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Shell (T1547.007) |
| Abnormal outbound connection using ICMP tunneling | Command & Control | Exfiltration Over Unencrypted/Obsolete Protocol (T1048) | ICMP (T1048.003) |
| Suspicious modification of scheduled tasks’ XML files | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Use of msiexec.exe for DLL sideloading | Defense Evasion | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| Persistence via Startup folder LNK files | Persistence | Boot or Logon Autostart Execution (T1547) | Startup Folder (T1547.001) |
| Detection of abnormal DCOM activity (MMC20.Application launch) | Lateral Movement | Remote Services (T1021) | Distributed COM (T1021.003) |
| User enabling Office macros on previously blocked file | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Abnormal scheduled task pointing to PowerShell one-liner | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Use of esentutl.exe to copy SAM/SECURITY files | Credential Access | OS Credential Dumping (T1003) | SAM (T1003.002) |
| Registry modification for persistence via IFEO Debugger | Persistence | Boot or Logon Autostart Execution (T1547) | IFEO (T1547.010) |
| Suspicious execution of mshta with scriptlet.xml | Execution | Command & Scripting Interpreter (T1059) | MSHTA (T1059.005) |
| Exfiltration of data via cloud email draft folder (living off cloud) | Exfiltration | Exfiltration Over Web Services (T1567) | Cloud Storage (T1567.002) |
| PowerShell spawning rundll32 with reflective DLL injection | Execution / Defense Evasion | Process Injection (T1055) | Reflective DLL Injection (T1055.012) |
| Suspicious modification of Group Policy logon scripts | Persistence | Domain Policy Modification (T1484) | Logon Script (T1037.001) |
| Abnormal use of Windows Task Scheduler COM object | Persistence | Scheduled Task/Job (T1053) | COM API (T1053.005) |
| Detection of SharpHound data collection | Discovery | Permission Groups Discovery (T1069) | Domain Groups (T1069.002) |
| New local admin account created via net user /add | Persistence | Create Account (T1136) | Local Account (T1136.001) |
| Abnormal registry RunOnce entry created | Persistence | Boot or Logon Autostart Execution (T1547) | RunOnce (T1547.001) |
| PowerShell Empire agent beacon detected | Command & Control | Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| Suspicious SMB brute force followed by file copy | Lateral Movement | Remote Services (T1021) | SMB (T1021.002) |
| Use of vssadmin.exe to resize/delete shadow copies | Impact / Defense Evasion | Inhibit System Recovery (T1490) | — |
| Suspicious installation of custom root certificate | Defense Evasion | Modify Trusted Certificates (T1553.004) | — |
| Abnormal WMI process creation detected remotely | Lateral Movement | Remote Services (T1021) | WMI (T1047) |
| Suspicious browser cookie theft by malware | Credential Access | Credentials from Web Browsers (T1555.003) | — |
| Detection of Kerberos ticket modification (Golden Ticket) | Credential Access | Kerberos Attacks | Golden Ticket (T1558.001) |
| User executed ISO containing multiple shortcut payloads | Initial Access / Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Unusual execution of mshta with remote .hta script | Execution | Command & Scripting Interpreter (T1059) | MSHTA (T1059.005) |
| Mass registry modifications to disable security features | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Large outbound data transfer via SCP from Windows host | Exfiltration | Exfiltration Over Alternative Protocol (T1048) | SSH (T1048.004) |
| Persistence via RunOnceEx registry key | Persistence | Boot or Logon Autostart Execution (T1547) | RunOnceEx (T1547.001) |
| Suspicious encoded VBScript launched by cscript.exe | Execution | Command & Scripting Interpreter (T1059) | VBScript (T1059.005) |
| Abnormal registry modification for Terminal Services (RDP settings) | Persistence | Modify Registry (T1112) | — |
| Unauthorized modification of Active Directory ACLs | Privilege Escalation / Persistence | Permission Groups Modification (T1484.001) | — |
| Unusual SMB beacon traffic with long sleep intervals | Command & Control | Application Layer Protocol (T1071) | SMB (T1071.002) |
| Suspicious access to cloud OAuth refresh tokens | Credential Access | Steal Application Access Tokens (T1528) | — |
| Abnormal AutoRuns persistence entry created in HKCU | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys (T1547.001) |
| Detection of ransomware note file creation across systems | Impact | Data Encrypted for Impact (T1486) | — |
| Suspicious usage of PowerShell Add-Type with C# inline code | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Abnormal network connection attempts on ports 5985/5986 | Lateral Movement | Remote Services (T1021) | WinRM (T1021.006) |
| User downloads executable renamed as .jpg/.png | Defense Evasion | Masquerading (T1036) | Match Legitimate Name/Extension (T1036.005) |
| Large number of failed Kerberos pre-auth attempts | Credential Access | Brute Force (T1110) | Kerberos Password Cracking (T1110.001) |
| Abnormal mailbox permissions granted to external account | Persistence | Valid Accounts (T1078) | Cloud Accounts (T1078.004) |
| Detection of tools like AdFind or ldapsearch in AD environment | Discovery | Account Discovery (T1087) | Domain Account (T1087.002) |
| Suspicious modification of Winlogon Userinit key | Persistence | Boot or Logon Autostart Execution (T1547) | Userinit Key (T1547.004) |
| Suspicious child process of explorer.exe executing encoded script | Execution | Command & Scripting Interpreter (T1059) | Windows Script Host (T1059.005) |
| Unusual PowerShell using reflection to load assemblies | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Abnormal ICMP echo requests with payloads | Command & Control | Exfiltration Over Unencrypted/Obsolete Protocol (T1048) | ICMP (T1048.003) |
| Credential dumping attempt from lsass via comsvcs.dll | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Persistence through abnormal browser extension installs | Persistence | Modify Existing Service (T1543) | Browser Extensions (T1176) |
| Suspicious modification of scheduled task security descriptors | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Exfiltration via WebDAV protocol | Exfiltration | Exfiltration Over Web Services (T1567) | WebDAV (T1567.004) |
| Detection of SharpRDP usage for lateral movement | Lateral Movement | Remote Services (T1021) | RDP (T1021.001) |
| Abnormal DCSync replication attempt from non-DC host | Credential Access | OS Credential Dumping (T1003) | DCSync (T1003.006) |
| Suspicious PowerShell execution with Invoke-ReflectivePEInjection | Defense Evasion | Process Injection (T1055) | Reflective DLL Injection (T1055.012) |
| Unauthorized registry modification disabling AV updates | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Exfiltration of browser cookies to external domain | Exfiltration | Exfiltration Over Web Services (T1567) | Cookies (T1539) |
| Abnormal parent-child process chain (winword.exe → mshta.exe) | Execution | User Execution (T1204) | Malicious File (T1204.002) |
| Suspicious modification of SAM registry hive | Credential Access | OS Credential Dumping (T1003) | Security Account Manager (T1003.002) |
| Use of PowerShell Invoke-WebRequest to pull remote payload | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Large number of zipped archives in temp folder | Collection | Archive Collected Data (T1560) | Compression Utility (T1560.001) |
| Use of nltest.exe /domain_trusts | Discovery | Domain Trust Discovery (T1482) | — |
| New scheduled task created with SYSTEM privileges | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Suspicious execution of rundll32 calling exported function with unusual name | Execution | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| Mass file access in file shares (potential ransomware pre-encryption activity) | Impact | Data Encrypted for Impact (T1486) | — |
| Use of certutil.exe to download & decode payload | Execution / Defense Evasion | Ingress Tool Transfer (T1105) | — |
| PowerShell script attempting LSASS access via MiniDumpWriteDump | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Suspicious registry modification disabling Windows Defender services | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Unusual access to sensitive files by unexpected process (e.g., notepad.exe) | Collection | Data from Local System (T1005) | — |
| Suspicious PsExec usage with encoded payloads | Lateral Movement | Remote Services (T1021) | SMB/Windows Admin Shares (T1021.002) |
| Unauthorized mailbox access via PowerShell (New-MailboxExportRequest) | Collection | Email Collection (T1114) | Local Email Collection (T1114.001) |
| Detection of persistence via abnormal AppCert DLLs | Persistence | Boot or Logon Autostart Execution (T1547) | AppCert DLLs (T1547.009) |
| Abnormal outbound SMB traffic to Internet IPs | Command & Control | Application Layer Protocol (T1071) | SMB (T1071.002) |
| Suspicious scheduled task created using schtasks /create /tn “update” | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Detection of PowerShell-based Kerberoast attack | Credential Access | Kerberoasting (T1558.003) | — |
| Use of systeminfo.exe / nltest.exe / net commands in quick succession | Discovery | System and Network Discovery (T1016) | — |
| Unusual registry modification of “Shell Folders” keys | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Run Keys (T1547.001) |
| Suspicious powershell.exe -EncodedCommand execution | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Unauthorized registry modification of SafeBoot keys | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Mass creation of .lnk files in startup directories | Persistence | Boot or Logon Autostart Execution (T1547) | Startup Folder (T1547.001) |
| Detection of malicious access to DPAPI master keys | Credential Access | Credentials from Password Stores (T1555) | DPAPI (T1555.004) |
| Abnormal outbound traffic on uncommon high ports (e.g., 1337, 31337) | Command & Control | Application Layer Protocol (T1071) | Non-Standard Port (T1071.003) |
| New abnormal GPO pushed modifying scripts or registry | Persistence | Domain Policy Modification (T1484) | Group Policy Modification (T1484.001) |
| Suspicious browser spawning cmd.exe / powershell.exe | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Exfiltration via DNS requests with base32/base64 blobs | Command & Control | Application Layer Protocol (T1071) | DNS (T1071.004) |
| Detection of C2 framework traffic patterns (Cobalt Strike, Sliver, Empire) | Command & Control | Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| Detection of lsassy or nanodump | Credential | OS Credential Dumping | LSASS Memory |
dumping LSASS Access (T1003) (T1003.001)
Suspicious registry modification Persistence Boot or Logon Autostart Winlogon Helper DLL
of Winlogon Notify key Execution (T1547) (T1547.004)
Abnormal PowerShell Add- Defense Impair Defenses (T1562) Disable or Modify Tools
MpPreference disabling Defender Evasion (T1562.001)
features
Large-scale file encryption activity Impact Data Encrypted for Impact —
detected across shares (T1486)
Unusual execution of cmdkey.exe Credential Credentials from Windows Credentials
storing credentials Access Password Stores (T1555) (T1555.003)
Unauthorized modification of Credential Kerberos Attacks (T1558) —
Kerberos encryption types Access
Abnormal execution of mshta.exe Execution Command & Scripting MSHTA (T1059.005)
with obfuscated scriptlet Interpreter (T1059)
Suspicious process injection via Defense Process Injection (T1055) Remote Thread Injection
CreateRemoteThread API Evasion (T1055.001)
Abnormal modification of LSA Persistence / Modify Registry (T1112) —
configuration Privilege
(DisableRestrictedAdmin) Escalation
Detection of abnormal outbound Discovery / Application Layer Protocol LDAP (T1071.005)
LDAP traffic to Internet Exfiltration (T1071)
Suspicious access to Credential OS Credential Dumping SAM (T1003.002)
SAM/SECURITY/DEFAULT registry Access (T1003)
hives
User executed HTA attachment Initial Access / Phishing (T1566) Spearphishing
from phishing email Execution Attachment (T1566.001)
Exfiltration of sensitive files via Exfiltration Exfiltration Over Web Cloud Storage
MEGA/WeTransfer Services (T1567) (T1567.002)
Suspicious persistence via Print Persistence Create or Modify System Windows Service
Spooler service modification Process (T1543) (T1543.003)
Detection of PsExec /psexecsvc Lateral Remote Services (T1021) SMB/Windows Admin
service installed remotely Movement Shares (T1021.002)
PowerShell downloading script Execution Ingress Tool Transfer —
from Pastebin/GitHub (T1105)
Abnormal registry modification Defense Modify Registry (T1112) —
hiding file extensions Evasion
User granting mailbox delegation Persistence Account Manipulation Additional Cloud
rights unexpectedly (T1098) Permissions (T1098.003)
Suspicious scheduled task Persistence Scheduled Task/Job Scheduled Task
created with rundll32.exe as (T1053) (T1053.005)
action
Detection of netsh interface Defense Proxy (T1090) Port Proxy (T1090.001)
portproxy rules added Evasion /
Persistence
Suspicious creation of LNK files Initial Access User Execution (T1204) Malicious File
pointing to remote payload (T1204.002)
Use of powershell.exe with Credential OS Credential Dumping LSASS Memory
Invoke-Mimikatz keyword Access (T1003) (T1003.001)
Unauthorized GPO modification Persistence Domain Policy Group Policy
for persistence Modification (T1484) Modification
(T1484.001)
Abnormal registry IFEO debugger Persistence Boot or Logon Autostart IFEO Injection
key pointing to attacker binary Execution (T1547) (T1547.010)
Large number of failed VPN logins Credential Brute Force (T1110) Password Spraying
followed by success Access (T1110.003)
Abnormal PowerShell using Execution Command & Scripting PowerShell (T1059.001)
reflection to load PE files Interpreter (T1059)
Detection of DCOM remote Lateral Remote Services (T1021) DCOM (T1021.003)
execution (Excel.Application) Movement
Unusual modification of boot Defense Inhibit System Recovery —
configuration (bcdedit.exe) Evasion / (T1490)
Impact
Detection of non-standard Credential Credentials from Web —
browser extension stealing Access Browsers (T1555.003)
cookies
Unauthorized mailbox forwarding Exfiltration Exfiltration Over Email Auto-Forwarding Rule
rules created (T1567) (T1114.003)
Suspicious process creating raw Collection / Data Staged (T1074) —
disk image (diskshadow, dd.exe) Impact
Suspicious access to clipboard Collection Input Capture (T1056) Clipboard Data (T1115)
contents by malware process
User downloads malicious CHM Initial Access / User Execution (T1204) Malicious File
file and executes it Execution (T1204.002)
Abnormal registry modification of Persistence Boot or Logon Autostart GINA DLL (T1547.006)
Winlogon GINA DLL Execution (T1547)
Large amount of Base64-encoded Defense Obfuscated Files or Obfuscated/Encoded
PowerShell commands Evasion Information (T1027) Commands (T1027.010)
Suspicious OAuth application Persistence Account Manipulation Additional Cloud
consent granted (T1098) Permissions (T1098.003)
Unauthorized export of entire Collection / Email Collection (T1114) Remote Email Collection
mailbox via EWS Exfiltration (T1114.002)
Use of reg.exe to add startup Run Persistence Boot or Logon Autostart Registry Run Keys
keys Execution (T1547) (T1547.001)
Abnormal use of dsquery.exe for Discovery Account Discovery (T1087) Domain Account
AD object enumeration (T1087.002)
Suspicious modification of Persistence Modify Existing Service Windows Service
Windows Error Reporting service (T1543) (T1543.003)
Abnormal usage of PowerShell Credential Credential Dumping —
Get-Credential in scripts Access (T1003)
Ransomware deleting shadow Impact Inhibit System Recovery —
copies with WMIC (T1490)
Detection of PowerShell AMSI Defense Impair Defenses (T1562) Disable or Modify Tools
bypass attempts Evasion (T1562.001)
Mass creation of scheduled tasks Persistence Scheduled Task/Job Scheduled Task
across multiple hosts (T1053) (T1053.005)
Unusual use of dsregcmd.exe with Discovery Cloud Service Discovery —
/status (cloud pivoting) (T1526)
Abnormal modification of Persistence Boot or Logon Autostart RunOnce (T1547.001)
RunOnce registry entries Execution (T1547)
PowerShell downloading encoded Execution Command & Scripting PowerShell (T1059.001)
payload via Invoke-Expression Interpreter (T1059)
Abnormal ICMP packet size / Command & Exfiltration Over ICMP (T1048.003)
covert channel usage Control Unencrypted Protocol
(T1048)
Unauthorized addition of user to Privilege Account Manipulation Domain Account
Enterprise Admins group Escalation / (T1098) (T1098.002)
Persistence
Suspicious WMI ActiveScript Persistence Event Triggered Execution WMI Event Subscription
consumer with obfuscated (T1546) (T1546.003)
VBScript
Detection of SharpChrome Credential Credentials from Web Browsers
dumping browser credentials Access Password Stores (T1555) (T1555.003)
Exfiltration using HTTPS POST Exfiltration Exfiltration Over Web HTTPS (T1567.001)
requests with random padding Services (T1567)
Use of unusual TLD domains in Command & Application Layer Protocol DNS (T1071.004)
DNS queries Control (T1071)
Abnormal msiexec.exe installing Execution Signed Binary Proxy MSIExec (T1218.007)
unsigned MSI from temp path Execution (T1218)
Suspicious net user /domain Discovery Account Discovery (T1087) Domain Account
queries from workstation (T1087.002)
Unauthorized mailbox rules Exfiltration Exfiltration Over Email Auto-Forwarding Rule
forwarding to external domain (T1567) (T1114.003)
Suspicious modification of Persistence Create or Modify System Windows Service
services.exe registry path Process (T1543) (T1543.003)
Abnormal registry changes to Defense Impair Defenses (T1562) Disable Recovery
SafeBoot configuration Evasion (T1490)
Suspicious script execution using Execution Command & Scripting VBScript (T1059.005)
mshta + vbscript: Interpreter (T1059)
Detection of SMB traffic with Credential Network Sniffing / Insecure NTLMv1 Abuse
NTLMv1 authentication Access Protocols (T1557.001)
Large batch of abnormal zip/rar Exfiltration Archive Collected Data Compression Utility
archives transferred externally (T1560) (T1560.001)
Abnormal execution of rundll32 Execution Hijack Execution Flow DLL Side-Loading
calling (T1574) (T1574.002)
shell32.dll,Control_RunDLL
Suspicious registry modification Persistence Boot or Logon Initialization Logon Script
of UserInitMprLogonScript Scripts (T1037) (T1037.001)
Mass file deletion activity prior to Impact Data Destruction (T1485) —
ransomware note creation
Abnormal creation of hidden local Persistence Create Account (T1136) Local Account
admin accounts (T1136.001)
Use of Powershell Add-Type with Execution Command & Scripting PowerShell (T1059.001)
obfuscated C# payload Interpreter (T1059)
Suspicious registry change Defense Impair Defenses (T1562) Disable Security Tools
disabling firewall service Evasion (T1562.001)
Abnormal use of certutil to Defense Obfuscated Files or Encoding of Files
encode/decode PE files Evasion Information (T1027) (T1027.002)
Exfiltration via HTTPS using cloud Exfiltration Exfiltration Over Web Cloud Storage
APIs (Dropbox/Google Drive) Services (T1567) (T1567.002)
Suspicious Office macro creating Persistence Scheduled Task/Job Scheduled Task
scheduled task (T1053) (T1053.005)
Abnormal service creation with Persistence Create or Modify System Windows Service
binary in temp folder Process (T1543) (T1543.003)
Execution of powershell.exe with - Execution / Command & Scripting PowerShell (T1059.001)
nop -w hidden -enc flags Defense Interpreter (T1059)
Evasion
Unauthorized change of registry Persistence Boot or Logon Autostart Registry Shell
Shell value to malicious exe Execution (T1547) (T1547.007)
Suspicious outbound HTTP traffic Command & Application Layer Protocol HTTP (T1071.001)
with XOR-obfuscated payload Control (T1071)
Abnormal LDAP enumeration Discovery Permission Groups Domain Groups
targeting privileged groups Discovery (T1069) (T1069.002)
Unauthorized OAuth token reuse Credential Steal Application Access —
from external IP Access Tokens (T1528)
Detection of persistence via Persistence Boot or Logon Autostart Winlogon Shell
abnormal Winlogon Shell registry Execution (T1547) (T1547.004)
key
Suspicious modification of Impact / Inhibit System Recovery —
bcdedit to disable recovery Defense (T1490)
Evasion
Detection of SharpDump dumping Credential OS Credential Dumping LSASS Memory
LSASS memory Access (T1003) (T1003.001)
Abnormal SMB traffic with Initial Access / Exploit Public-Facing SMB Exploit
overlong commands (EternalBlue Lateral Application (T1190)
style) Movement
Suspicious wmic.exe process call Execution / Windows Management —
create with encoded payload Lateral Instrumentation (T1047)
Movement
Detection of modified hosts file Defense Modify Host File —
redirecting AV update domains Evasion (T1565.001)
Unusual persistence via debugger Persistence Boot or Logon Autostart IFEO Injection
registry keys (IFEO) Execution (T1547) (T1547.010)
Exfiltration of sensitive Exfiltration Exfiltration Over Web Web Services
documents via Telegram API Services (T1567) (T1071.001)
Detection of “living off the land” Execution Signed Binary Proxy Various (T1218.001–
tools like msbuild / regsvr32 Execution (T1218) 010)
Unusual Kerberos ticket request Credential Kerberos Attacks (T1558) Kerberoasting
from service account Access (T1558.003)
Abnormal child process of Execution Command & Scripting Windows Command
explorer.exe launching cmd.exe Interpreter (T1059) Shell (T1059.003)
Detection of abnormal WinRM Lateral Remote Services (T1021) WinRM (T1021.006)
remote shell usage Movement
Suspicious modification of Defense Impair Defenses (T1562) Disable or Modify Tools
security event logging registry Evasion (T1562.001)
keys
User executed malicious ISO Initial Access User Execution (T1204) Malicious File
attachment with embedded LNK (T1204.002)
Exfiltration of browser cookies via Exfiltration Exfiltration Over Web Cookies (T1539)
base64 encoded HTTP traffic Services (T1567)
MFA push fatigue bursts followed Credential Multi-Factor —
by successful login Access Authentication
Interception (T1621)
Adversary-in-the-middle phishing Credential Adversary-in-the-Middle Web Protocols
page stealing session cookies Access / (T1557) (T1557.003)
Collection
HTML smuggling delivers payload Defense Obfuscated/Compressed HTML Smuggling
from user’s browser Evasion / Initial Files & Info (T1027) (T1027.006)
Access
OneNote attachment spawns Execution User Execution (T1204) Malicious File
PowerShell (T1204.002)
Web shell dropped on IIS/Apache Persistence Server Software Web Shell (T1505.003)
after exploit Component (T1505)
Exchange/Confluence/RDP Initial Access Exploit Public-Facing —
exploit from Internet Application (T1190)
Impossible travel cloud sign-ins Initial Access Valid Accounts (T1078) Cloud Accounts
(new geo, short interval) (T1078.004)
OAuth device/consent phishing → Persistence Account Manipulation Additional Cloud
new high-priv app (T1098) Permissions (T1098.003)
Azure AD: MFA disabled for user Defense Modify Authentication Multi-Factor
Evasion Process (T1556) Authentication
(T1556.006)
Conditional Access policy Defense Impair Defenses (T1562) Disable or Modify Cloud
weakened/disabled Evasion Policies (T1562.008)
AWS: CloudTrail/GuardDuty Defense Impair Defenses (T1562) —
disabled Evasion
AWS: New access keys created for Persistence Valid Accounts (T1078) Cloud Accounts
dormant user (T1078.004)
GCP/Azure: Service account key Persistence Valid Accounts (T1078) Cloud Accounts
created unexpectedly (T1078.004)
S3/GCS bucket made public; Collection / Data from Cloud Storage —
mass reads follow Exfiltration (T1530)
Okta: new API token + admin role Persistence / Account Manipulation Additional Cloud
grant Priv. Esc. (T1098) Permissions (T1098.003)
NTLM relay/LLMNR poisoning seen Credential Adversary-in-the-Middle LLMNR/NBT-NS
on LAN Access (T1557) Poisoning (T1557.001)
Windows event logs cleared Defense Indicator Removal (T1070) Clear Windows Event
(wevtutil cl) Evasion Logs (T1070.001)
Bash history wiped (history -c; rm Defense Indicator Removal (T1070) Clear Command History
~/.bash_history) Evasion (T1070.003)
Linux: crontab persistence Persistence Scheduled Task/Job Cron (T1053.003)
(@reboot suspicious cmd) (T1053)
Linux: /etc/sudoers modified to add Privilege Abuse Elevation Control Sudo and Sudo Caching
NOPASSWD Escalation Mechanism (T1548) (T1548.003)
Linux: authorized_keys planted on Persistence Account Manipulation SSH Authorized Keys
target (T1098) (T1098.004)
macOS: Launch Agent/Daemon Persistence Create/Modify System Launch Agent
dropped in ~/Library/LaunchAgents Process (T1543) (T1543.001)
Socat/SSH used for local/remote Defense Proxy (T1090) Port Proxy/Tunneling
port forwarding Evasion / C2 (T1090.001)
WebSocket-based C2 over 443 Command & Application Layer Protocol Web Protocols
Control (T1071) (T1071.001)
Data staged to /tmp or %TEMP% Collection Data Staged (T1074) Local Data Staging
before exfil (T1074.001)
Ransomware wipes Impact Disk Wipe (T1561) Disk Structure Wipe
MBR/partitions (T1561.002)
EDR/AV tamper protection Defense Impair Defenses (T1562) Disable or Modify Tools
bypassed/driver killed Evasion (T1562.001)
QR-code phishing (“quishing”) Initial Access / Phishing (T1566) Spearphishing Link
leading to fake SSO Cred. Access (T1566.002)
Malicious .js inside ZIP executed Execution Command & Scripting JavaScript (T1059.007)
by user Interpreter (T1059)
IIS module backdoor registered in Persistence Server Software Web Shell/Module
config Component (T1505) (T1505.003)
Kubernetes: suspicious cluster- Priv. Esc. / Modify Cloud Compute Permissions Change
admin role binding Persistence Infrastructure (T1578) (T1578.003)
Mass exfil via rclone/megacmd Exfiltration Exfiltration Over Web Cloud Storage
from server Services (T1567) (T1567.002)
Suspicious Invoke-Obfuscation Defense Obfuscated Files or Obfuscated/Encoded
PowerShell patterns Evasion Information (T1027) Commands (T1027.010)
Detection of LOLBAS binary Execution Signed Binary Proxy msxsl.exe (T1218.009)
msxsl.exe executing XSL script Execution (T1218)
Abnormal execution of Execution Signed Binary Proxy InstallUtil (T1218.004)
installutil.exe with custom Execution (T1218)
assembly
Unusual scheduled task with Persistence Scheduled Task/Job Scheduled Task
hidden window style (T1053) (T1053.005)
Browser spawning regsvr32.exe /s Execution Signed Binary Proxy Regsvr32 (T1218.010)
/n /u /i:http:// Execution (T1218)
Suspicious certreq.exe used to Credential Steal or Forge —
request enrollment Access / Authentication Certificates
Persistence (T1649)
Unauthorized modification of AD Persistence Modify Authentication Federated
Federation Service (ADFS) claims Process (T1556) Authentication
(T1556.002)
Anomalous spike in DNS queries Command & Application Layer Protocol DNS (T1071.004)
to algorithmically generated Control (T1071)
domains
RDP clipboard/file transfer usage Exfiltration / Remote Services (T1021) RDP (T1021.001)
flagged on servers Lateral
Movement
Linux kernel module (insmod) Persistence / Modify Existing Service Kernel Modules
loaded unsigned Defense (T1543) (T1543.004)
Evasion
Abnormal execution of mshta Execution Command & Scripting VBScript (T1059.005)
vbscript:Close (LOLBin bypass) Interpreter (T1059)
Unauthorized disabling of Sysmon Defense Impair Defenses (T1562) Disable Security Tools
service Evasion (T1562.001)
Suspicious GPO modification Persistence Domain Policy Group Policy
deploying scripts Modification (T1484) Modification
(T1484.001)
Mass login attempts to OWA/EWS Initial Access / Brute Force (T1110) Password Spraying
with common usernames Credential (T1110.003)
Access
Linux: /etc/shadow read by non- Credential OS Credential Dumping Linux /etc/shadow
root process Access (T1003) (T1003.008)
Abnormal execution of Visual Execution User Execution (T1204) Malicious File
Basic macros with network calls (T1204.002)
Kubernetes: suspicious kubectl Lateral Remote Services (T1021) Kubernetes (T1021.007)
exec into pods Movement
Abnormal GCP service account Privilege Abuse Elevation Control Cloud IAM Abuse
impersonation Escalation Mechanism (T1548)
Unusual beacon traffic using HTTP Command & Application Layer Protocol HTTP/S (T1071.001)
3xx redirects Control (T1071)
AWS CLI mass s3 sync to external Exfiltration Data from Cloud Storage —
bucket (T1530)
Linux: at jobs created with Persistence Scheduled Task/Job At (T1053.002)
obfuscated commands (T1053)
macOS: malicious plist file in Persistence Boot or Logon Autostart Launch Daemon/Agent
LaunchAgents Execution (T1547) (T1547.013)
Suspicious process using Credential Credentials from Windows Credential
Windows Credential Manager APIs Access Password Stores (T1555) Manager (T1555.004)
Exfiltration using Gmail/Outlook Exfiltration Exfiltration Over Web Email (T1567.003)
API from compromised account Services (T1567)
Linux: /tmp/.X11-unix used as Collection Data Staged (T1074) Local Data Staging
staging directory (T1074.001)
Abnormal use of rundll32.exe Execution Command & Scripting JavaScript (T1059.007)
executing Javascript:Eval Interpreter (T1059)
Office document spawns Initial Access / Exploit Public-Facing Office Exploit
eqnedt32.exe exploit Execution Application (T1190)
Detection of C2 via MQTT protocol Command & Application Layer Protocol MQTT (T1071.005)
Control (T1071)
Abuse of legitimate cloud backup Exfiltration Exfiltration Over Web Cloud Storage
tools for exfiltration Services (T1567) (T1567.002)
Kubernetes: kubectl cp transferring Collection / Data from Cloud Storage —
sensitive data Exfiltration (T1530)
Abnormal Kerberos ticket lifetime Credential Kerberos Attacks (T1558) Ticket Granting Tickets
values observed Access / (Golden/Silver)
Persistence
Suspicious WMI process call Execution / Windows Management —
create spawning cmd.exe Lateral Instrumentation (T1047)
Movement
Linux: SSHD config modified to Persistence Modify Authentication SSH Configuration
allow root login Process (T1556) Abuse
macOS: Gatekeeper bypass using Defense Subvert Trust Controls Gatekeeper Bypass
unsigned apps Evasion (T1553) (T1553.001)
Windows Event Forwarding Defense Impair Defenses (T1562) Disable Logging
disabled unexpectedly Evasion (T1562.002)
Detection of Discovery Permission Groups Domain Groups
SharpHound/ADExplorer data Discovery (T1069) (T1069.002)
dumps
Abnormal certificate enrollment Credential Steal or Forge —
(ADCS abuse ESC1–ESC8) Access / Authentication Certificates
Persistence (T1649)
Ransomware terminates Impact Service Stop (T1489) —
processes/services before
encryption
Kubernetes: suspicious creation Privilege Exploit Container Service —
of privileged pod Escalation (T1611)
AWS: CloudTrail logs deleted or Defense Indicator Removal (T1070) Clear Cloud Logs
bucket emptied Evasion (T1070.004)
Abnormal scheduled task Persistence Scheduled Task/Job Scheduled Task
referencing DLL in %AppData% (T1053) (T1053.005)
Linux: suspicious cronjob in Persistence Scheduled Task/Job Cron (T1053.003)
/etc/cron.d/ (T1053)
Unauthorized Azure Conditional Defense Impair Defenses (T1562) Disable or Modify Cloud
Access policy removal Evasion Policies (T1562.008)
Detection of Kerberos service Credential Kerberoasting (T1558.003) —
ticket request anomalies Access
New federation trust added in Persistence Modify Authentication Federated
Azure AD Process (T1556) Authentication
(T1556.002)
Unusual child process of Defense Process Injection (T1055) —
lsass.exe Evasion /
Credential
Access
Suspicious SMB exec with Lateral Remote Services (T1021) SMB/Windows Admin
renamed psexesvc binary Movement Shares (T1021.002)
Malicious ISO file leveraging Initial Access User Execution (T1204) Malicious File
Windows AutoMount (T1204.002)
macOS: persistence via LoginHook Persistence Boot or Logon Autostart macOS Login Hook
Execution (T1547) (T1547.012)
Detection of anomalous Named Command & Application Layer Protocol Named Pipes
Pipe usage (Cobalt Strike) Control (T1071) (T1090.001)
Linux: /etc/ld.so.preload modified Persistence Modify Existing Service Linux Shared Libraries
with malicious lib (T1543) (T1543.006)
Windows registry edited to disable Privilege Abuse Elevation Control Bypass User Account
UAC Escalation / Mechanism (T1548) Control (T1548.002)
Defense
Evasion
Abnormal certificate usage for Persistence / Modify Authentication SAML Tokens
persistence (Golden SAML) Credential Process (T1556) (T1556.002)
Access
Suspicious powershell.exe Execution / Process Injection (T1055) Reflective DLL Injection
spawning rundll32 injection Defense (T1055.012)
Evasion
Linux: suspicious SSH tunnel Command & Exfiltration Over SSH (T1048.004)
established to external host Control Alternative Protocol
(T1048)
Unauthorized mailbox Persistence Account Manipulation Additional Cloud
permissions changed in O365 (T1098) Permissions (T1098.003)
Abnormal GPO settings disabling Defense Impair Defenses (T1562) —
screensaver/password lock Evasion
Kubernetes: suspicious Privilege Modify Cloud Compute Permissions Change
clusterrolebinding *.* to Escalation Infrastructure (T1578) (T1578.003)
serviceaccount
Abnormal spike in SMB Defense Protocol Abuse SMB Signing Disabled
connections with encryption Evasion
disabled
Detection of ransomware Impact Inhibit System Recovery —
encrypting backups first (T1490)
NTFS Alternate Data Streams used Defense Hide Artifacts (T1564) NTFS File Attributes
to hide payload Evasion (T1564.004)
WDigest re-enabled Credential OS Credential Dumping LSASS Memory
(UseLogonCredential=1) enabling Access (T1003) (T1003.001)
cleartext creds
Parent/child anomaly: Office → Execution Exploitation for Client —
msdt.exe (“Follina”-style) Execution (T1203)
Browser downloads executable Defense Masquerading (T1036) —
with double extension (pdf.exe) Evasion
AMSI patching detected in Defense Impair Defenses (T1562) Disable or Modify Tools
PowerShell runspace Evasion (T1562.001)
netsh advfirewall set allprofiles Defense Impair Defenses (T1562) Disable Security Tools
state off Evasion (T1562.001)
Windows Sticky Keys backdoor Persistence Event-Triggered Execution Accessibility Features
(sethc.exe swap) (T1546) (T1546.008)
Rundll32 launching URL handler Execution Signed Binary Proxy Rundll32 (T1218.011)
(url.dll, FileProtocolHandler) Execution (T1218)
PowerShell_ISE used to execute Execution Command & Scripting PowerShell (T1059.001)
encoded commands Interpreter (T1059)
Suspicious procdump -ma lsass.exe Credential OS Credential Dumping LSASS Memory
Access (T1003) (T1003.001)
Explorer spawns cmd → curl to Execution Command & Scripting Windows Command
fetch payload Interpreter (T1059) Shell (T1059.003)
Log files wiped (wevtutil cl, Clear- Defense Indicator Removal (T1070) Clear Windows Event
EventLog) Evasion Logs (T1070.001)
RDP NLA disabled via Defense Modify Registry (T1112) —
registry/policy Evasion
Exfiltration via SMTP/Graph API Exfiltration Exfiltration Over Web Email (T1567.003)
from workstation Services (T1567)
Cloud API key leaked in repo; Credential Unsecured Credentials Credentials In Files
sudden use from new IP Access (T1552) (T1552.001)
GitHub PAT used to Initial Access / Valid Accounts (T1078) Cloud Accounts
enumerate/code-push from Persistence (T1078.004)
foreign ASN
Azure Automation Runbook Persistence Scheduled Task/Job Scheduled Task
scheduled by attacker (T1053) (T1053.005)
Okta/IdP MFA reset for user Defense Modify Authentication Multi-Factor
without ticket Evasion Process (T1556) Authentication
(T1556.006)
Conditional Access policy Defense Impair Defenses (T1562) Disable/Modify Cloud
changed to allow legacy auth Evasion Policies (T1562.008)
Web data staged to IPFS/pinning Exfiltration Exfiltration Over Web Web Services
service Services (T1567) (T1071.001)
Virtualization/sandbox checks Defense Virtualization/Sandbox Virtualization/Sandbox
before payload runs Evasion Evasion (T1497) Evasion (T1497.001)
Windows Accessibility “Utilman” Persistence Event-Triggered Execution Accessibility Features
swap at logon screen (T1546) (T1546.008)
GCP: VPC Flow Logs disabled on Defense Impair Defenses (T1562) Disable or Modify Cloud
critical projects Evasion Logging
Mass file reads from on-prem NAS Collection / Exfiltration Over Web Cloud Storage
then rclone to cloud Exfiltration Services (T1567) (T1567.002)
Azure: Service principal granted Privilege Account Manipulation Additional Cloud
Directory.ReadWrite.All Escalation / (T1098) Permissions (T1098.003)
Persistence
Kubernetes: Suspect CronJob Persistence Scheduled Task/Job Cron (T1053.003)
creates periodic exfil task (T1053)
Windows Defender Tamper Defense Impair Defenses (T1562) Disable or Modify Tools
Protection turned off Evasion (T1562.001)
Data staged in %ProgramData%\ Collection Data Staged (T1074) Local Data Staging
with finance keywords (T1074.001)
DNS over HTTPS (DoH) beacon to Command & Application Layer Protocol Web Protocols
rare resolver Control (T1071) (T1071.001)
Linux: ~/.ssh/config modified for Command & Exfiltration Over SSH (T1048.004)
ProxyCommand tunnel Control Alternative Protocol
(T1048)
Detection of rogue DHCP server Defense Rogue Network Service Network Service
on internal network Evasion / (T1557) Manipulation
Discovery
Unusual SMB traffic with Credential Network Service Scanning —
anonymous logon (null session) Access / (T1046)
Discovery
Suspicious parent-child chain: Execution User Execution (T1204) Malicious File
winword.exe → mshta.exe → (T1204.002)
rundll32.exe
Abnormal scheduled task using Persistence Scheduled Task/Job Scheduled Task
wscript.exe with hidden flags (T1053) (T1053.005)
Linux: /etc/passwd modified to add Privilege Create Account (T1136) Local Account
UID 0 account Escalation / (T1136.001)
Persistence
Linux: LD_PRELOAD used for Persistence Hijack Execution Flow Dynamic Linker
persistence (T1574) Hijacking (T1574.006)
macOS: malicious kernel Persistence / Create or Modify System Kernel Extensions
extension (kextload) Privilege Process (T1543) (T1543.004)
Escalation
New service created with Persistence Create or Modify System Windows Service
suspicious binary path (spaces + Process (T1543) (T1543.003)
quotes trick)
Suspicious modification of Defense Indicator Removal (T1070) Clear Logs (T1070.001)
security log retention policy Evasion
Unusual certificate imported into Defense Subvert Trust Controls Install Root Certificate
Trusted Root CA store Evasion (T1553) (T1553.004)
Large number of ZIP archives with Collection Archive Collected Data Compression Utility
finance keywords staged in Temp (T1560) (T1560.001)
Detection of Initial Access / Exploit Public-Facing SMB Exploit
| Use case / Alert | Tactic | MITRE technique (ID) | Sub-technique (if any) |
|---|---|---|---|
| SMBGhost/EternalBlue exploit traffic | Lateral Movement | Exploit Public-Facing Application (T1190) | — |
| Outbound RDP connection from workstation to Internet | Command & Control | Remote Services (T1021) | RDP (T1021.001) |
| Detection of malicious VBS dropper spawning powershell.exe | Execution | Command & Scripting Interpreter (T1059) | VBScript (T1059.005) |
| Abnormal mass DNS TXT lookups with encoded payloads | Command & Control | Application Layer Protocol (T1071) | DNS (T1071.004) |
| Unauthorized AWS IAM role escalation (inline policy injection) | Privilege Escalation | Abuse Elevation Control Mechanism (T1548) | Cloud IAM Abuse |
| Linux: SSH brute force followed by new authorized_keys file | Initial Access / Persistence | Valid Accounts (T1078) | SSH Authorized Keys (T1098.004) |
| Exfiltration via SMB over port 445 to external IP | Exfiltration | Exfiltration Over Alternative Protocol (T1048) | SMB (T1048.003) |
| Windows registry persistence via “Debugger” IFEO trick | Persistence | Boot or Logon Autostart Execution (T1547) | IFEO (T1547.010) |
| Cloud: API key used from unusual ASN / geography | Credential Access | Valid Accounts (T1078) | Cloud Accounts (T1078.004) |
| macOS: malicious profile installed (MDM/Config profile abuse) | Persistence | Boot or Logon Autostart Execution (T1547) | Configuration Profiles (T1547.007) |
| Linux: kernel crash dumps disabled to hide activity | Defense Evasion | Impair Defenses (T1562) | Disable System Recovery |
| Suspicious PowerShell script disabling AMSI logging | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Detection of SQL injection exploit attempt in web logs | Initial Access | Exploit Public-Facing Application (T1190) | SQL Injection |
| Abnormal WMI subscription persistence using ActiveScriptConsumer | Persistence | Event-Triggered Execution (T1546) | WMI Event Subscription (T1546.003) |
| Linux: suspicious nohup backgrounded reverse shell | Command & Control | Remote Access Software (T1219) | Reverse Shell |
| Windows: anomalous process hollowing detected (suspicious memory sections) | Defense Evasion | Process Injection (T1055) | Process Hollowing (T1055.012) |
| Abnormal Azure AD risky sign-in with MFA bypass | Credential Access / Defense Evasion | Modify Authentication Process (T1556) | MFA (T1556.006) |
| Cloud: attacker enumerates storage buckets across regions | Discovery | Cloud Storage Enumeration (T1619) | — |
| Ransomware disables Volume Shadow Copies using PowerShell | Impact | Inhibit System Recovery (T1490) | — |
| Suspicious modification of LSASS protections via registry (RunAsPPL) | Defense Evasion | Impair Defenses (T1562) | Disable Security Features |
| Windows Credential Guard disabled unexpectedly | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Tools (T1562.001) |
| Unusual DCOM activation of Excel/Outlook COM objects | Lateral Movement | Remote Services (T1021) | DCOM (T1021.003) |
| Detection of SMB brute force against administrative shares | Credential Access | Brute Force (T1110) | Password Guessing (T1110.001) |
| Unauthorized AD group membership changes (Domain Admins) | Privilege Escalation / Persistence | Account Manipulation (T1098) | Domain Account (T1098.002) |
| PowerShell execution with DownloadString → IEX chain | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Detection of suspicious named pipe (`\\.\pipe\msagent_*`) | Command & Control | Application Layer Protocol (T1071) | Named Pipes (T1090.001) |
| Linux: /root/.ssh/authorized_keys appended unexpectedly | Persistence | Account Manipulation (T1098) | SSH Authorized Keys (T1098.004) |
| macOS: Persistence via malicious LaunchDaemon plist | Persistence | Boot or Logon Autostart Execution (T1547) | Launch Daemon (T1547.013) |
| Exfiltration using DNS tunneling tools (iodine, dnscat2) | Command & Control / Exfiltration | Application Layer Protocol (T1071) | DNS (T1071.004) |
| IIS HTTP module backdoor loaded into applicationHost.config | Persistence | Server Software Component (T1505) | Web Shell/Module (T1505.003) |
| New scheduled task with SYSTEM privileges pointing to malware | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Unauthorized OAuth token creation with admin privileges | Persistence | Account Manipulation (T1098) | Cloud Permissions (T1098.003) |
| Linux: Suspicious cronjob added under /var/spool/cron | Persistence | Scheduled Task/Job (T1053) | Cron (T1053.003) |
| macOS: Persistence using `~/Library/LaunchAgents/com.apple.*` | Persistence | Boot or Logon Autostart Execution (T1547) | Launch Agent (T1547.013) |
| Suspicious registry change enabling insecure SMBv1 | Defense Evasion | Modify Registry (T1112) | — |
| Unauthorized AWS IAM role assumption from foreign ASN | Persistence / Privilege Escalation | Valid Accounts (T1078) | Cloud Accounts (T1078.004) |
| Abnormal mailbox rule deleting all inbound emails | Defense Evasion / Impact | Indicator Removal (T1070) | Email Deletion |
| Suspicious parent-child chain: outlook.exe → powershell.exe | Execution | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Large outbound FTP transfers at unusual hours | Exfiltration | Exfiltration Over Unencrypted Protocol (T1048) | FTP (T1048.003) |
| Unauthorized disabling of endpoint EDR kernel driver | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Kubernetes: Suspicious exec into kube-system namespace pods | Lateral Movement | Remote Services (T1021) | Kubernetes (T1021.007) |
| Azure AD: Consent to malicious multi-tenant app | Initial Access / Persistence | Phishing (T1566) | OAuth Consent Grant |
| Linux: /etc/ssh/sshd_config modified to PermitEmptyPasswords | Persistence | Modify Authentication Process (T1556) | SSH Weakening |
| Windows: Execution of at.exe jobs for persistence | Persistence | Scheduled Task/Job (T1053) | At (T1053.002) |
| Malicious DLL loaded via AppInit_DLLs registry key | Persistence | Boot or Logon Autostart Execution (T1547) | AppInit_DLLs (T1547.009) |
| Browser spawned abnormal child process (chrome.exe → cmd.exe) | Execution | Command & Scripting Interpreter (T1059) | Windows Command Shell (T1059.003) |
| Suspicious PowerShell reflective PE injection (Invoke-ReflectivePEInjection) | Defense Evasion | Process Injection (T1055) | Reflective DLL Injection (T1055.012) |
| Mass AD replication requests (DCSync attack) | Credential Access | OS Credential Dumping (T1003) | DCSync (T1003.006) |
| Ransomware deletes backups in Veeam or cloud storage | Impact | Inhibit System Recovery (T1490) | — |
| Windows Event Forwarding (WEF) subscription deleted | Defense Evasion | Impair Defenses (T1562) | Disable Logging (T1562.002) |
| Suspicious child process: winword.exe → eqnedt32.exe exploit | Execution | Exploitation for Client Execution (T1203) | Office Exploit |
| Abnormal PowerShell AMSI bypass using Reflection.Assembly patching | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Linux: /etc/ld.so.preload modified to include malicious library | Persistence | Hijack Execution Flow (T1574) | Dynamic Linker Hijacking (T1574.006) |
| Azure: Privileged Identity Management (PIM) role abuse | Privilege Escalation | Account Manipulation (T1098) | Additional Cloud Permissions (T1098.003) |
| AWS: GuardDuty / SecurityHub findings suppressed | Defense Evasion | Impair Defenses (T1562) | Disable Cloud Defenses |
| macOS: Persistence via malicious login item | Persistence | Boot or Logon Autostart Execution (T1547) | Login Items (T1547.015) |
| Exfiltration over WebSocket from internal server | Command & Control | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| Detection of suspicious DLL sideloading by signed binary | Defense Evasion | Hijack Execution Flow (T1574) | DLL Side-Loading (T1574.002) |
| Linux: Crontab modified with reverse shell payload | Persistence | Scheduled Task/Job (T1053) | Cron (T1053.003) |
| RDP connections established with stolen credentials | Lateral Movement | Remote Services (T1021) | RDP (T1021.001) |
| Detection of rogue Wi-Fi access point on internal network | Initial Access | Rogue Infrastructure | Wireless Access Point |
| Windows: abnormal use of schtasks with /create /tn update /ru system | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Abnormal use of PowerShell Invoke-Mimikatz | Credential Access | OS Credential Dumping (T1003) | LSASS Memory (T1003.001) |
| Kubernetes: attacker creating ClusterRole with `*.*` permissions | Privilege Escalation | Modify Cloud Compute Infrastructure (T1578) | Permissions Change (T1578.003) |
| Exfiltration of files over HTTPS with chunked encoding | Exfiltration | Exfiltration Over Web Services (T1567) | HTTPS (T1567.001) |
| Suspicious registry modification disabling Windows Firewall | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Linux: /etc/ssh/ssh_config modified for ProxyCommand backdoor | Command & Control | Exfiltration Over Alternative Protocol (T1048) | SSH (T1048.004) |
| macOS: Gatekeeper disabled via spctl | Defense Evasion | Subvert Trust Controls (T1553) | Gatekeeper Bypass (T1553.001) |
| Windows: abnormal creation of shadow copies by attacker tool | Defense Evasion / Collection | Data Staged (T1074) | — |
| Detection of PowerShell Empire agent check-in | Command & Control | Application Layer Protocol (T1071) | HTTPS (T1071.001) |
| Cloud: sudden spike of data egress from S3/Blob storage | Exfiltration | Data from Cloud Storage (T1530) | — |
| Unauthorized Okta MFA bypass through factor reset | Credential Access | Modify Authentication Process (T1556) | MFA (T1556.006) |
| Detection of base64+gzip+xor obfuscation in script payloads | Defense Evasion | Obfuscated Files or Information (T1027) | Obfuscated/Encoded Commands (T1027.010) |
| Windows: registry Image File Execution Options (IFEO) hijack | Persistence | Boot or Logon Autostart Execution (T1547) | IFEO (T1547.010) |
| Linux: attacker deletes bash logs in /var/log | Defense Evasion | Indicator Removal (T1070) | Clear Linux Logs |
| Suspicious SMB connections with disabled signing | Defense Evasion | Impair Defenses (T1562) | Protocol Downgrade |
| User downloads .iso with embedded .lnk → payload | Initial Access | User Execution (T1204) | Malicious File (T1204.002) |
| Unauthorized mailbox forwarding to attacker domain | Exfiltration | Exfiltration Over Email (T1567) | Auto-Forwarding Rule (T1114.003) |
| Ransomware terminates backup/DB processes before encryption | Impact | Service Stop (T1489) | — |
| Abnormal registry modification of Winlogon Shell value | Persistence | Boot or Logon Autostart Execution (T1547) | Registry Shell (T1547.007) |
| Suspicious PowerShell with -nop -w hidden -enc flags | Execution / Defense Evasion | Command & Scripting Interpreter (T1059) | PowerShell (T1059.001) |
| Linux: attacker modifies /etc/hosts for phishing redirection | Defense Evasion | Modify Host File (T1565.001) | — |
| Windows: suspicious service created pointing to temp path binary | Persistence | Create or Modify System Process (T1543) | Windows Service (T1543.003) |
| Unauthorized mailbox export (New-MailboxExportRequest) | Collection | Email Collection (T1114) | Local Email Collection (T1114.001) |
| Abnormal DCSync attempt using non-DC host account | Credential Access | OS Credential Dumping (T1003) | DCSync (T1003.006) |
| Cloud: MFA disabled for high-privileged account | Defense Evasion | Modify Authentication Process (T1556) | MFA (T1556.006) |
| Suspicious scheduled task with random GUID-like name | Persistence | Scheduled Task/Job (T1053) | Scheduled Task (T1053.005) |
| Linux: /etc/rc.local modified for persistence | Persistence | Boot or Logon Initialization Scripts (T1037) | rc.local (T1037.004) |
| macOS: persistence via malicious LaunchAgents plist | Persistence | Boot or Logon Autostart Execution (T1547) | Launch Agent (T1547.013) |
| Detection of obfuscated JavaScript using eval(unescape()) | Execution | Command & Scripting Interpreter (T1059) | JavaScript (T1059.007) |
| AWS: CloudTrail logging disabled for region | Defense Evasion | Impair Defenses (T1562) | Disable or Modify Cloud Logging |
| Exfiltration via HTTPS with domain fronting | Command & Control | Application Layer Protocol (T1071) | Web Protocols (T1071.001) |
| Linux: suspicious nohup curl `<attacker_ip>` background job | Execution | Command & Scripting Interpreter (T1059) | Unix Shell (T1059.004) |
| Windows: anomalous reg.exe modifying RunOnce keys | Persistence | Boot or Logon Autostart Execution (T1547) | RunOnce (T1547.001) |
| Ransomware deletes shadow copies with wmic shadowcopy delete | Impact | Inhibit System Recovery (T1490) | — |
| Azure: suspicious consent granted to external OAuth app | Persistence | Account Manipulation (T1098) | Additional Cloud Permissions (T1098.003) |
| Kubernetes: attacker creating secret with base64 encoded creds | Persistence | Account Manipulation (T1098) | Cloud Service Account Abuse |
| Detection of LOLBin msbuild.exe executing inline code | Execution | Signed Binary Proxy Execution (T1218) | MSBuild (T1127.001) |
| Linux: /etc/profile modified to run attacker script | Persistence | Boot or Logon Initialization Scripts (T1037) | Shell Config Modification |
| macOS: Gatekeeper disabled via spctl --master-disable | Defense Evasion | Subvert Trust Controls (T1553) | Gatekeeper Bypass (T1553.001) |
| Exfiltration of sensitive files using Google Drive client | Exfiltration | Exfiltration Over Web Services (T1567) | Cloud Storage (T1567.002) |
| Windows: registry modification disabling Sysmon | Defense Evasion | Impair Defenses (T1562) | Disable Security Tools (T1562.001) |
| Cloud: new API token generated without MFA | Persistence | Valid Accounts (T1078) | Cloud Accounts (T1078.004) |
| Linux: suspicious SSH tunnel established using -R or -L flags | Command & Control | Exfiltration Over Alternative Protocol (T1048) | SSH (T1048.004) |
| Windows: rundll32.exe executing base64 blob from registry | Execution | Command & Scripting Interpreter (T1059) | PowerShell/Registry |
| Cloud: attacker mass-enumerates IAM users and roles | Discovery | Cloud Account Discovery (T1087.004) | — |
| Windows: unusual bitsadmin.exe /transfer command | Execution | Ingress Tool Transfer (T1105) | BITS Jobs (T1197) |
| Linux: attacker removes /var/log/auth.log | Defense Evasion | Indicator Removal (T1070) | Clear Linux Logs |
| Detection of beacon traffic using MQTT over TCP 1883 | Command & Control | Application Layer Protocol (T1071) | MQTT (T1071.005) |
