0:[[["$","link","0",{"rel":"stylesheet","href":"/_next/static/css/1680bd3cfc3c934e.css","precedence":"next","crossOrigin":"$undefined"}]],["$","$L3",null,{"buildId":"hxL7a8Sg1jVa4rb7TThNV","assetPrefix":"","initialCanonicalUrl":"/","initialTree":["",{"children":["__PAGE__",{}]},"$undefined","$undefined",true],"initialSeedData":["",{"children":["__PAGE__",{},[["$L4",["$","main",null,{"className":"min-h-screen p-4 md:p-8 lg:p-12","children":["$","div",null,{"className":"w-full max-w-7xl mx-auto","children":["$","$L5",null,{"allEvents":[{"id":"4608","source":"Windows Security","name":"Windows is starting up.","description":"Windows is starting up.","category":"System"},{"id":"4609","source":"Windows Security","name":"Windows is shutting down.","description":"Windows is shutting down.","category":"System","mitreAttack":[{"id":"T1529","name":"System Shutdown/Reboot","tactic":"impact","url":"https://attack.mitre.org/techniques/T1529","description":"Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) (e.g. reload).(Citation: Microsoft Shutdown Oct 2017)(Citation: alert_TA18_106A)\n\nShutting down or rebooting systems may disrupt access to computer resources for legitimate users while also impeding incident response/recovery.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)"}]},{"id":"4610","source":"Windows Security","name":"An authentication package has been loaded by the Local Security Authority.","description":"An authentication package has been loaded by the Local Security Authority.","category":"System","mitreAttack":[{"id":"T1547.002","name":"Authentication Package","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/002","description":"Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system.(Citation: MSDN Authentication Packages)\n\nAdversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\ with the key value of \"Authentication Packages\"=<target binary>. The binary will then be executed by the system when the authentication packages are loaded."}]},{"id":"4611","source":"Windows Security","name":"A trusted logon process has been registered with the Local Security Authority.","description":"A trusted logon process has been registered with the Local Security Authority.","category":"System","mitreAttack":[{"id":"T1098","name":"Account Manipulation","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1098","description":"Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups.(Citation: FireEye SMOKEDHAM June 2021) These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. \n\nIn order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain. However, account manipulation may also lead to privilege escalation where modifications grant access to additional roles, permissions, or higher-privileged [Valid Accounts](https://attack.mitre.org/techniques/T1078)."},{"id":"T1556","name":"Modify Authentication Process","tactic":"credential-access, defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1556","description":"$6"}]},{"id":"4612","source":"Windows Security","name":"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","description":"Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.","category":"System","mitreAttack":[{"id":"T1498","name":"Network Denial of Service","tactic":"impact","url":"https://attack.mitre.org/techniques/T1498","description":"$7"},{"id":"T1499","name":"Endpoint Denial of Service","tactic":"impact","url":"https://attack.mitre.org/techniques/T1499","description":"$8"},{"id":"T1562","name":"Impair Defenses","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562","description":"Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown)"},{"id":"T1562.002","name":"Disable Windows Event Logging","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562/002","description":"$9"},{"id":"T1562.006","name":"Indicator Blocking","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562/006","description":"$a"}]},{"id":"4614","source":"Windows Security","name":"A notification package has been loaded by the Security Account Manager.","description":"A notification package has been loaded by the Security Account Manager.","category":"System","mitreAttack":["$b","$c"]},{"id":"4615","source":"Windows Security","name":"Invalid use of LPC port.","description":"Invalid use of LPC port.","category":"System"},{"id":"4616","source":"Windows Security","name":"The system time was changed.","description":"The system time was changed.","category":"System","mitreAttack":[{"id":"T1070.006","name":"Timestomp","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070/006","description":"$e"}]},{"id":"4618","source":"Windows Security","name":"A monitored security event pattern has occurred.","description":"A monitored security event pattern has occurred.","category":"System"},{"id":"4621","source":"Windows Security","name":"Administrator recovered system from CrashOnAuditFail.","description":"Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.","category":"System","mitreAttack":["$f","$10","$12"]},{"id":"4622","source":"Windows Security","name":"A security package has been loaded by the Local Security Authority.","description":"A security package has been loaded by the Local Security Authority.","category":"System","mitreAttack":[{"id":"T1547.005","name":"Security Support Provider","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/005","description":"Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)"}]},{"id":"4624","source":"Windows Security","name":"An account was successfully logged on.","description":"An account was successfully logged on.","category":"Authentication","mitreAttack":[{"id":"T1021","name":"Remote Services","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021","description":"$14"},{"id":"T1021.001","name":"Remote Desktop Protocol","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/001","description":"$15"},{"id":"T1021.002","name":"SMB/Windows Admin Shares","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/002","description":"$16"},{"id":"T1021.004","name":"SSH","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/004","description":"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.\n\nSSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user."},{"id":"T1021.005","name":"VNC","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/005","description":"$17"},{"id":"T1021.006","name":"Windows Remote Management","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/006","description":"Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.\n\nWinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)"},{"id":"T1078","name":"Valid Accounts","tactic":"defense-evasion, initial-access, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1078","description":"$18"},{"id":"T1133","name":"External Remote Services","tactic":"initial-access, persistence","url":"https://attack.mitre.org/techniques/T1133","description":"$19"}],"commonScenarios":["Logon Type 2 (Interactive) & 10 (RemoteInteractive) indicate user console/RDP logins.","Logon Type 3 (Network) often relates to accessing network shares or service auth.","Logon Type 5 (Service) indicates service startup.","Logon Type 7 (Unlock) indicates workstation unlock.","Monitor for unusual Logon Types, high frequency, off-hours activity, or logins from unexpected sources/accounts.","Correlate Logon GUID with 4634 (Logoff) and 4672 (Privilege Assignment)."]},{"id":"4625","source":"Windows Security","name":"An account failed to log on.","description":"An account failed to log on.","category":"Authentication","mitreAttack":["$1a",{"id":"T1110","name":"Brute Force","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1110","description":"$1c"},{"id":"T1110.001","name":"Password Guessing","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1110/001","description":"$1d"},{"id":"T1110.003","name":"Password Spraying","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1110/003","description":"$1e"},{"id":"T1110.004","name":"Credential Stuffing","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1110/004","description":"$1f"},{"id":"T1550.002","name":"Pass the Hash","tactic":"defense-evasion, lateral-movement","url":"https://attack.mitre.org/techniques/T1550/002","description":"$20"}],"commonScenarios":["High volume of failures from a single source IP may indicate brute force.","Failures across many accounts from one source may indicate password spraying.","Status/Sub Status codes are critical for diagnosis (e.g., 0xC000006A=BadPassword, 0xC000006D=Bad Username/Password, 0xC0000234=Account Locked, 0xC0000071=Password Expired, 0xC000006E=Account restriction).","Legitimate failures occur due to typos, expired passwords, or misconfigurations."]},{"id":"4626","source":"Windows Security","name":"User/Device claims information.","description":"User/Device claims information.","category":"Authentication","mitreAttack":["$1a"]},{"id":"4627","source":"Windows Security","name":"Group membership information.","description":"Group membership information provided when an account successfully logs on.","category":"Authentication","mitreAttack":[{"id":"T1069","name":"Permission Groups Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1069","description":"Adversaries may attempt to discover group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.\n\nAdversaries may attempt to discover group permission settings in many different ways. This data may provide the adversary with information about the compromised environment that can be used in follow-on activity and targeting.(Citation: CrowdStrike BloodHound April 2018)"},{"id":"T1069.001","name":"Local Groups","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1069/001","description":"Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n\nCommands such as net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility, dscl . -list /Groups on macOS, and groups on Linux can list local groups."},{"id":"T1069.002","name":"Domain Groups","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1069/002","description":"Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.\n\nCommands such as net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups."},"$1a"]},{"id":"4634","source":"Windows Security","name":"An account was logged off.","description":"An account was logged off.","category":"Authentication"},{"id":"4646","source":"Windows Security","name":"IKE DoS prevention mode started.","description":"Internet Key Exchange (IKE) protocol DoS prevention mode started.","category":"Authentication","mitreAttack":["$21"]},{"id":"4647","source":"Windows Security","name":"User initiated logoff.","description":"User initiated logoff.","category":"Authentication"},{"id":"4648","source":"Windows Security","name":"A logon was attempted using explicit credentials.","description":"A logon was attempted using explicit credentials (e.g., RunAs).","category":"Authentication","mitreAttack":["$1a",{"id":"T1134","name":"Access Token Manipulation","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1134","description":"$23"},{"id":"T1548","name":"Abuse Elevation Control Mechanism","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1548","description":"Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk.(Citation: TechNet How UAC Works)(Citation: sudo man page 2018) An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.(Citation: OSX Keydnap malware)(Citation: Fortinet Fareit)"},{"id":"T1550","name":"Use Alternate Authentication Material","tactic":"defense-evasion, lateral-movement","url":"https://attack.mitre.org/techniques/T1550","description":"$24"},"$25"]},{"id":"4649","source":"Windows Security","name":"A replay attack was detected.","description":"A replay attack was detected (Kerberos, NTLM, or Digest).","category":"Authentication","mitreAttack":[{"id":"T1212","name":"Exploitation for Credential Access","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1212","description":"$27"},{"id":"T1550.003","name":"Pass the Ticket","tactic":"defense-evasion, lateral-movement","url":"https://attack.mitre.org/techniques/T1550/003","description":"$28"},{"id":"T1558","name":"Steal or Forge Kerberos Tickets","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1558","description":"Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.\n\nOn Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)"}]},{"id":"4650","source":"Windows Security","name":"An IPsec Main Mode security association was established (No Certificate).","description":"An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.","category":"Authentication","mitreAttack":[{"id":"T1071","name":"Application Layer Protocol","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1071","description":"Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, DNS, or publishing/subscribing. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.(Citation: Mandiant APT29 Eye Spy Email Nov 22)"},{"id":"T1572","name":"Protocol Tunneling","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1572","description":"$29"}]},{"id":"4651","source":"Windows Security","name":"An IPsec Main Mode security association was established (Certificate).","description":"An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4652","source":"Windows Security","name":"An IPsec Main Mode negotiation failed.","description":"An IPsec Main Mode negotiation failed (often includes reason for failure).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4653","source":"Windows Security","name":"An IPsec Main Mode negotiation failed.","description":"An IPsec Main Mode negotiation failed (often includes reason for failure).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4654","source":"Windows Security","name":"An IPsec Quick Mode negotiation failed.","description":"An IPsec Quick Mode negotiation failed.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4655","source":"Windows Security","name":"An IPsec Main Mode security association ended.","description":"An IPsec Main Mode security association ended.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4656","source":"Windows Security","name":"A handle to an object was requested.","description":"A handle to an object was requested.","category":"Object Access","mitreAttack":[{"id":"T1003","name":"OS Credential Dumping","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1003","description":"Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.\n\nSeveral of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well."},{"id":"T1003.001","name":"LSASS Memory","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1003/001","description":"$2d"},{"id":"T1003.002","name":"Security Account Manager","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1003/002","description":"$2e"},{"id":"T1012","name":"Query Registry","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1012","description":"Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.\n\nThe Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions."},{"id":"T1057","name":"Process Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1057","description":"$2f"},{"id":"T1083","name":"File and Directory Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1083","description":"$30"},{"id":"T1552","name":"Unsecured Credentials","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1552","description":"Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).(Citation: Brining MimiKatz to Unix)"},{"id":"T1552.001","name":"Credentials In Files","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1552/001","description":"$31"},{"id":"T1552.002","name":"Credentials in Registry","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1552/002","description":"Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.\n\nExample commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)\n\n* Local Machine Hive: reg query HKLM /f password /t REG_SZ /s\n* Current User Hive: reg query HKCU /f password /t REG_SZ /s"}]},{"id":"4657","source":"Windows Security","name":"A registry value was modified.","description":"A registry value was modified.","category":"Object Access","mitreAttack":[{"id":"T1112","name":"Modify Registry","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1112","description":"$32"},{"id":"T1546.003","name":"Windows Management Instrumentation Event Subscription","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/003","description":"$33"},{"id":"T1546.009","name":"AppCert DLLs","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/009","description":"Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\ are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Elastic Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity."},{"id":"T1546.010","name":"AppInit DLLs","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/010","description":"$34"},{"id":"T1546.012","name":"Image File Execution Options Injection","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/012","description":"$35"},{"id":"T1546.015","name":"Component Object Model Hijacking","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/015","description":"$36"},{"id":"T1547.001","name":"Registry Run Keys / Startup Folder","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/001","description":"$37"},{"id":"T1547.004","name":"Winlogon Helper DLL","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/004","description":"$38"},"$39",{"id":"T1547.010","name":"Port Monitors","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/010","description":"Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.(Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded and run by the print spooler service, `spoolsv.exe`, under SYSTEM level permissions on boot.(Citation: Bloxham) \n\nAlternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to the `Driver` value of an existing or new arbitrarily named subkey of HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. The Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port"},{"id":"T1547.012","name":"Print Processors","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/012","description":"$3a"},{"id":"T1553.003","name":"SIP and Trust Provider Hijacking","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1553/003","description":"$3b"},{"id":"T1562.001","name":"Disable or Modify Tools","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562/001","description":"$3c"},"$10","$12",{"id":"T1574.011","name":"Services Registry Permissions Weakness","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/011","description":"$3d"},{"id":"T1574.012","name":"COR_PROFILER","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/012","description":"$3e"}]},{"id":"4658","source":"Windows Security","name":"The handle to an object was closed.","description":"The handle to an object was closed.","category":"Object Access"},{"id":"4659","source":"Windows Security","name":"A handle to an object was requested with intent to delete.","description":"A handle to an object was requested with intent to delete (Kernel object or SAM object).","category":"Object Access","mitreAttack":[{"id":"T1070.004","name":"File Deletion","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070/004","description":"Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105)) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well.(Citation: Microsoft SDelete July 2016) Examples of built-in [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) functions include del on Windows and rm or unlink on Linux and macOS."},{"id":"T1485","name":"Data Destruction","tactic":"impact","url":"https://attack.mitre.org/techniques/T1485","description":"$3f"}]},{"id":"4660","source":"Windows Security","name":"An object was deleted.","description":"An object was deleted (Kernel object or SAM object).","category":"Object Access","mitreAttack":["$40","$41"]},{"id":"4661","source":"Windows Security","name":"A handle to an object was requested.","description":"A handle to an object was requested (SAM Server object).","category":"Object Access","mitreAttack":["$43"]},{"id":"4662","source":"Windows Security","name":"An operation was performed on an object.","description":"An operation was performed on an object (e.g., AD object modified).","category":"DS Access","mitreAttack":[{"id":"T1003.006","name":"DCSync","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1003/006","description":"$45"},"$46",{"id":"T1087.002","name":"Domain Account","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1087/002","description":"Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.\n\nCommands such as net user /domain and net group /domain of the [Net](https://attack.mitre.org/software/S0039) utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)"},"$b",{"id":"T1098.007","name":"Additional Local or Domain Groups","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1098/007","description":"$47"},{"id":"T1134.005","name":"SID-History Injection","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1134/005","description":"$48"},{"id":"T1207","name":"Rogue Domain Controller","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1207","description":"$49"},{"id":"T1482","name":"Domain Trust Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1482","description":"$4a"},{"id":"T1484","name":"Domain or Tenant Policy Modification","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1484","description":"$4b"},{"id":"T1484.001","name":"Group Policy Modification","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1484/001","description":"$4c"},{"id":"T1484.002","name":"Trust Modification","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1484/002","description":"$4d"}]},{"id":"4663","source":"Windows Security","name":"An attempt was made to access an object.","description":"An attempt was made to access an object (e.g., File System, Registry).","category":"Object Access","mitreAttack":["$4e","$4f","$43",{"id":"T1005","name":"Data from Local System","tactic":"collection","url":"https://attack.mitre.org/techniques/T1005","description":"Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.\n\nAdversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system."},"$51",{"id":"T1039","name":"Data from Network Shared Drive","tactic":"collection","url":"https://attack.mitre.org/techniques/T1039","description":"Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information."},"$52","$54","$55","$57",{"id":"T1555","name":"Credentials from Password Stores","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1555","description":"Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information."}]},{"id":"4664","source":"Windows Security","name":"An attempt was made to create a hard link.","description":"An attempt was made to create a hard link.","category":"Object Access"},{"id":"4665","source":"Windows Security","name":"An attempt was made to create an application client context.","description":"An attempt was made to create an application client context.","category":"Object Access"},{"id":"4666","source":"Windows Security","name":"An application attempted an operation.","description":"An application attempted an operation.","category":"Object Access"},{"id":"4667","source":"Windows Security","name":"An application client context was deleted.","description":"An application client context was deleted.","category":"Object Access"},{"id":"4668","source":"Windows Security","name":"An application was initialized.","description":"An application was initialized.","category":"Object Access"},{"id":"4670","source":"Windows Security","name":"Permissions on an object were changed.","description":"Permissions on an object were changed.","category":"Policy Change","mitreAttack":[{"id":"T1222","name":"File and Directory Permissions Modification","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1222","description":"$58"},{"id":"T1222.001","name":"Windows File and Directory Permissions Modification","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1222/001","description":"$59"},{"id":"T1222.002","name":"Linux and Mac File and Directory Permissions Modification","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1222/002","description":"$5a"}]},{"id":"4671","source":"Windows Security","name":"An application attempted to access a blocked ordinal through the TBS.","description":"An application attempted to access a blocked ordinal through the Trusted Platform Module Base Services (TBS).","category":"Object Access"},{"id":"4672","source":"Windows Security","name":"Special privileges assigned to new logon.","description":"Special privileges (e.g., SeDebugPrivilege) were assigned to a new logon session.","category":"Privilege Use","mitreAttack":["$5b",{"id":"T1134.001","name":"Token Impersonation/Theft","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1134/001","description":"$5d"},{"id":"T1134.002","name":"Create Process with Token","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1134/002","description":"Adversaries may create a new process with an existing token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as CreateProcessWithTokenW and runas.(Citation: Microsoft RunAs)\n\nCreating processes with a token not associated with the current user may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used. For example, the token could be duplicated via [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or created via [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003) before being used to create a process.\n\nWhile this technique is distinct from [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001), the techniques can be used in conjunction where a token is duplicated and then used to create a new process."},"$5e"]},{"id":"4673","source":"Windows Security","name":"A privileged service was called.","description":"A privileged service was called (sensitive privileges used).","category":"Privilege Use","mitreAttack":[{"id":"T1068","name":"Exploitation for Privilege Escalation","tactic":"privilege-escalation","url":"https://attack.mitre.org/techniques/T1068","description":"$5f"},"$1a","$5b"]},{"id":"4674","source":"Windows Security","name":"An operation was attempted on a privileged object.","description":"An operation was attempted on a privileged object.","category":"Privilege Use","mitreAttack":["$1a","$5b"]},{"id":"4675","source":"Windows Security","name":"SIDs were filtered.","description":"SIDs were filtered (logon session).","category":"Authentication"},{"id":"4688","source":"Windows Security","name":"A new process has been created.","description":"A new process has been created.","category":"Process Execution","mitreAttack":["$60",{"id":"T1053.002","name":"At","tactic":"execution, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1053/002","description":"$62"},{"id":"T1053.005","name":"Scheduled Task","tactic":"execution, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1053/005","description":"$63"},{"id":"T1055","name":"Process Injection","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055","description":"Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nThere are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific. \n\nMore sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel."},{"id":"T1059","name":"Command and Scripting Interpreter","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059","description":"$64"},{"id":"T1059.001","name":"PowerShell","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/001","description":"$65"},{"id":"T1059.003","name":"Windows Command Shell","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/003","description":"$66"},{"id":"T1059.005","name":"Visual Basic","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/005","description":"$67"},{"id":"T1059.007","name":"JavaScript","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/007","description":"$68"},{"id":"T1072","name":"Software Deployment Tools","tactic":"execution, lateral-movement","url":"https://attack.mitre.org/techniques/T1072","description":"$69"},{"id":"T1105","name":"Ingress Tool Transfer","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1105","description":"$6a"},{"id":"T1106","name":"Native API","tactic":"execution","url":"https://attack.mitre.org/techniques/T1106","description":"$6b"},{"id":"T1197","name":"BITS Jobs","tactic":"defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1197","description":"$6c"},{"id":"T1203","name":"Exploitation for Client Execution","tactic":"execution","url":"https://attack.mitre.org/techniques/T1203","description":"$6d"},{"id":"T1204","name":"User Execution","tactic":"execution","url":"https://attack.mitre.org/techniques/T1204","description":"$6e"},{"id":"T1204.001","name":"Malicious Link","tactic":"execution","url":"https://attack.mitre.org/techniques/T1204/001","description":"An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002)."},{"id":"T1204.002","name":"Malicious File","tactic":"execution","url":"https://attack.mitre.org/techniques/T1204/002","description":"$6f"},{"id":"T1218","name":"System Binary Proxy Execution","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1218","description":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system.(Citation: LOLBAS Project) Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.\n\nSimilarly, on Linux systems adversaries may abuse trusted binaries such as split to proxy execution of malicious commands.(Citation: split man page)(Citation: GTFO split)"},{"id":"T1569","name":"System Services","tactic":"execution","url":"https://attack.mitre.org/techniques/T1569","description":"Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution."},{"id":"T1569.002","name":"Service Execution","tactic":"execution","url":"https://attack.mitre.org/techniques/T1569/002","description":"$70"}],"commonScenarios":["Key Fields: NewProcessName/Image, CommandLine, ParentProcessName.","Look for suspicious parent-child relationships (e.g., Office apps spawning cmd.exe/powershell.exe, services spawning unexpected processes like whoami.exe).","Analyze CommandLine for obfuscated/encoded scripts, suspicious flags, network destinations, or sensitive file paths.","Enable 'Include command line in process creation events' group policy.","Can be noisy; requires baseline understanding and potentially filtering."]},{"id":"4689","source":"Windows Security","name":"A process has exited.","description":"A process has exited.","category":"Detailed Tracking"},{"id":"4690","source":"Windows Security","name":"An attempt was made to duplicate a handle to an object.","description":"An attempt was made to duplicate a handle to an object.","category":"Object Access","mitreAttack":["$71"]},{"id":"4691","source":"Windows Security","name":"Indirect access to an object was requested.","description":"Indirect access to an object was requested.","category":"Object Access"},{"id":"4692","source":"Windows Security","name":"Backup of data protection master key was attempted.","description":"Backup of data protection master key was attempted.","category":"Detailed Tracking","mitreAttack":["$72",{"id":"T1555.004","name":"Windows Credential Manager","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1555/004","description":"$73"}]},{"id":"4693","source":"Windows Security","name":"Recovery of data protection master key was attempted.","description":"Recovery of data protection master key was attempted.","category":"Detailed Tracking","mitreAttack":["$72","$74"]},{"id":"4694","source":"Windows Security","name":"Protection of auditable protected data was attempted.","description":"Protection of auditable protected data was attempted.","category":"Detailed Tracking"},{"id":"4695","source":"Windows Security","name":"Unprotection of auditable protected data was attempted.","description":"Unprotection of auditable protected data was attempted.","category":"Detailed Tracking","mitreAttack":["$72"]},{"id":"4696","source":"Windows Security","name":"A primary token was assigned to process.","description":"A primary token was assigned to process.","category":"Detailed Tracking","mitreAttack":["$5b","$76","$78"]},{"id":"4697","source":"Windows Security","name":"A service was installed in the system.","description":"A service was installed in the system.","category":"System Change","mitreAttack":[{"id":"T1543.003","name":"Windows Service","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1543/003","description":"$79"},"$7a"]},{"id":"4698","source":"Windows Security","name":"A scheduled task was created.","description":"A scheduled task was created.","category":"Process Execution","mitreAttack":["$7c"]},{"id":"4699","source":"Windows Security","name":"A scheduled task was deleted.","description":"A scheduled task was deleted.","category":"System Change","mitreAttack":["$7c",{"id":"T1070.009","name":"Clear Persistence","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070/009","description":"Adversaries may clear artifacts associated with previously established persistence on a host system to remove evidence of their activity. This may involve various actions, such as removing services, deleting executables, [Modify Registry](https://attack.mitre.org/techniques/T1112), [Plist File Modification](https://attack.mitre.org/techniques/T1647), or other methods of cleanup to prevent defenders from collecting evidence of their persistent presence.(Citation: Cylance Dust Storm) Adversaries may also delete accounts previously created to maintain persistence (i.e. [Create Account](https://attack.mitre.org/techniques/T1136)).(Citation: Talos - Cisco Attack 2022)\n\nIn some instances, artifacts of persistence may also be removed once an adversary’s persistence is executed in order to prevent errors with the new instance of the malware.(Citation: NCC Group Team9 June 2020)"}]},{"id":"4700","source":"Windows Security","name":"A scheduled task was enabled.","description":"A scheduled task was enabled.","category":"Process Execution","mitreAttack":["$7c"]},{"id":"4701","source":"Windows Security","name":"A scheduled task was disabled.","description":"A scheduled task was disabled.","category":"System Change","mitreAttack":["$7c","$f"]},{"id":"4702","source":"Windows Security","name":"A scheduled task was updated.","description":"A scheduled task was updated.","category":"Process Execution","mitreAttack":["$7c"]},{"id":"4703","source":"Windows Security","name":"A user right was adjusted.","description":"A user right was adjusted (enabled or disabled).","category":"Policy Change","mitreAttack":["$b","$5e"]},{"id":"4704","source":"Windows Security","name":"A user right was assigned.","description":"A user right was assigned.","category":"Policy Change","mitreAttack":["$b","$5e"]},{"id":"4705","source":"Windows Security","name":"A user right was removed.","description":"A user right was removed.","category":"Policy Change","mitreAttack":["$b","$f"]},{"id":"4706","source":"Windows Security","name":"A new trust was created to a domain.","description":"A new trust was created to a domain.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4707","source":"Windows Security","name":"A trust to a domain was removed.","description":"A trust to a domain was removed.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4709","source":"Windows Security","name":"IPsec Services was started.","description":"IPsec Services was started.","category":"Policy Change"},{"id":"4710","source":"Windows Security","name":"IPsec Services was disabled.","description":"IPsec Services was disabled.","category":"Policy Change","mitreAttack":["$f",{"id":"T1562.007","name":"Disable or Modify Cloud Firewall","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562/007","description":"$82"}]},{"id":"4711","source":"Windows Security","name":"PAStore Engine applied IPsec policy.","description":"Describes application or failure of IPsec policy (local registry, AD cached, or live AD).","category":"Policy Change"},{"id":"4712","source":"Windows Security","name":"IPsec Services encountered a potentially serious failure.","description":"IPsec Services encountered a potentially serious failure.","category":"Policy Change"},{"id":"4713","source":"Windows Security","name":"Kerberos policy was changed.","description":"Kerberos policy was changed.","category":"Policy Change","mitreAttack":["$83"]},{"id":"4714","source":"Windows Security","name":"Encrypted data recovery policy was changed.","description":"Encrypted data recovery policy was changed.","category":"Policy Change"},{"id":"4715","source":"Windows Security","name":"The audit policy (SACL) on an object was changed.","description":"The audit policy (System Access Control List - SACL) on an object was changed.","category":"Policy Change","mitreAttack":["$85","$f","$12"]},{"id":"4716","source":"Windows Security","name":"Trusted domain information was modified.","description":"Trusted domain information was modified.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4717","source":"Windows Security","name":"System security access was granted to an account.","description":"System security access was granted to an account.","category":"Policy Change","mitreAttack":["$b","$5e"]},{"id":"4718","source":"Windows Security","name":"System security access was removed from an account.","description":"System security access was removed from an account.","category":"Policy Change","mitreAttack":["$b","$f"]},{"id":"4719","source":"Windows Security","name":"System audit policy was changed.","description":"System audit policy was changed.","category":"Policy Change","mitreAttack":["$f","$10","$12"]},{"id":"4720","source":"Windows Security","name":"A user account was created.","description":"A user account was created.","category":"Account Management","mitreAttack":[{"id":"T1136","name":"Create Account","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1136","description":"Adversaries may create an account to maintain access to victim systems.(Citation: Symantec WastedLocker June 2020) With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.\n\nAccounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection."},{"id":"T1136.001","name":"Local Account","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1136/001","description":"Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. \n\nFor example, with a sufficient level of access, the Windows net user /add command can be used to create a local account. On macOS systems the dscl -create command can be used to create a local account. Local accounts may also be added to network devices, often via common [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as username, or to Kubernetes clusters using the `kubectl` utility.(Citation: cisco_username_cmd)(Citation: Kubernetes Service Accounts Security)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system."},{"id":"T1136.002","name":"Domain Account","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1136/002","description":"Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the net user /add /domain command can be used to create a domain account.(Citation: Savill 1999)\n\nSuch accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system."}],"commonScenarios":["Monitor creations outside of standard procedures or by non-admin users.","Check SubjectUserName (who created it) and TargetUserName (what was created).","Often seen during legitimate admin activity, but also by attackers for persistence."]},{"id":"4722","source":"Windows Security","name":"A user account was enabled.","description":"A user account was enabled.","category":"Account Management","mitreAttack":["$b"]},{"id":"4723","source":"Windows Security","name":"An attempt was made to change an account's password.","description":"An attempt was made to change an account's password.","category":"Account Management","mitreAttack":["$b","$87"]},{"id":"4724","source":"Windows Security","name":"An attempt was made to reset an account's password.","description":"An attempt was made to reset an account's password.","category":"Account Management","mitreAttack":["$b"]},{"id":"4725","source":"Windows Security","name":"A user account was disabled.","description":"A user account was disabled.","category":"Account Management","mitreAttack":["$b",{"id":"T1531","name":"Account Access Removal","tactic":"impact","url":"https://attack.mitre.org/techniques/T1531","description":"$89"}]},{"id":"4726","source":"Windows Security","name":"A user account was deleted.","description":"A user account was deleted.","category":"Account Management","mitreAttack":["$8a","$b","$8b"]},{"id":"4727","source":"Windows Security","name":"A security-enabled global group was created.","description":"A security-enabled global group was created.","category":"Account Management","mitreAttack":["$8d","$8e"]},{"id":"4728","source":"Windows Security","name":"A member was added to a security-enabled global group.","description":"A member was added to a security-enabled global group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4729","source":"Windows Security","name":"A member was removed from a security-enabled global group.","description":"A member was removed from a security-enabled global group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4730","source":"Windows Security","name":"A security-enabled global group was deleted.","description":"A security-enabled global group was deleted.","category":"Account Management","mitreAttack":["$b","$8b"]},{"id":"4731","source":"Windows Security","name":"A security-enabled local group was created.","description":"A security-enabled local group was created.","category":"Account Management","mitreAttack":["$8d","$91"]},{"id":"4732","source":"Windows Security","name":"A member was added to a security-enabled local group.","description":"A member was added to a security-enabled local group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4733","source":"Windows Security","name":"A member was removed from a security-enabled local group.","description":"A member was removed from a security-enabled local group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4734","source":"Windows Security","name":"A security-enabled local group was deleted.","description":"A security-enabled local group was deleted.","category":"Account Management","mitreAttack":["$b","$8b"]},{"id":"4735","source":"Windows Security","name":"A security-enabled local group was changed.","description":"A security-enabled local group was changed.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4737","source":"Windows Security","name":"A security-enabled global group was changed.","description":"A security-enabled global group was changed.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4738","source":"Windows Security","name":"A user account was changed.","description":"A user account was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4739","source":"Windows Security","name":"Domain Policy was changed.","description":"Domain Policy was changed (LSA object).","category":"Policy Change","mitreAttack":["$83"]},{"id":"4740","source":"Windows Security","name":"A user account was locked out.","description":"A user account was locked out.","category":"Account Management","mitreAttack":["$87"]},{"id":"4741","source":"Windows Security","name":"A computer account was created.","description":"A computer account was created.","category":"Account Management","mitreAttack":["$8d","$8e"]},{"id":"4742","source":"Windows Security","name":"A computer account was changed.","description":"A computer account was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4743","source":"Windows Security","name":"A computer account was deleted.","description":"A computer account was deleted.","category":"Account Management","mitreAttack":["$b","$8b"]},{"id":"4744","source":"Windows Security","name":"A security-disabled local group was created.","description":"A security-disabled local group (distribution group) was created.","category":"Account Management","mitreAttack":["$8d","$91"]},{"id":"4745","source":"Windows Security","name":"A security-disabled local group was changed.","description":"A security-disabled local group (distribution group) was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4746","source":"Windows Security","name":"A member was added to a security-disabled local group.","description":"A member was added to a security-disabled local group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4747","source":"Windows Security","name":"A member was removed from a security-disabled local group.","description":"A member was removed from a security-disabled local group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4748","source":"Windows Security","name":"A security-disabled local group was deleted.","description":"A security-disabled local group (distribution group) was deleted.","category":"Account Management","mitreAttack":["$b"]},{"id":"4749","source":"Windows Security","name":"A security-disabled global group was created.","description":"A security-disabled global group (distribution group) was created.","category":"Account Management","mitreAttack":["$8d","$8e"]},{"id":"4750","source":"Windows Security","name":"A security-disabled global group was changed.","description":"A security-disabled global group (distribution group) was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4751","source":"Windows Security","name":"A member was added to a security-disabled global group.","description":"A member was added to a security-disabled global group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4752","source":"Windows Security","name":"A member was removed from a security-disabled global group.","description":"A member was removed from a security-disabled global group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4753","source":"Windows Security","name":"A security-disabled global group was deleted.","description":"A security-disabled global group (distribution group) was deleted.","category":"Account Management","mitreAttack":["$b"]},{"id":"4754","source":"Windows Security","name":"A security-enabled universal group was created.","description":"A security-enabled universal group was created.","category":"Account Management","mitreAttack":["$8d","$8e"]},{"id":"4755","source":"Windows Security","name":"A security-enabled universal group was changed.","description":"A security-enabled universal group was changed.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4756","source":"Windows Security","name":"A member was added to a security-enabled universal group.","description":"A member was added to a security-enabled universal group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4757","source":"Windows Security","name":"A member was removed from a security-enabled universal group.","description":"A member was removed from a security-enabled universal group.","category":"Account Management","mitreAttack":["$b","$8f"]},{"id":"4758","source":"Windows Security","name":"A security-enabled universal group was deleted.","description":"A security-enabled universal group was deleted.","category":"Account Management","mitreAttack":["$b","$8b"]},{"id":"4759","source":"Windows Security","name":"A security-disabled universal group was created.","description":"A security-disabled universal group (distribution group) was created.","category":"Account Management","mitreAttack":["$8d","$8e"]},{"id":"4760","source":"Windows Security","name":"A security-disabled universal group was changed.","description":"A security-disabled universal group (distribution group) was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4761","source":"Windows Security","name":"A member was added to a security-disabled universal group.","description":"A member was added to a security-disabled universal group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4762","source":"Windows Security","name":"A member was removed from a security-disabled universal group.","description":"A member was removed from a security-disabled universal group (distribution group).","category":"Account Management","mitreAttack":["$b"]},{"id":"4763","source":"Windows Security","name":"A security-disabled universal group was deleted.","description":"A security-disabled universal group (distribution group) was deleted.","category":"Account Management","mitreAttack":["$b"]},{"id":"4764","source":"Windows Security","name":"A group’s type was changed.","description":"A group’s type was changed.","category":"Account Management","mitreAttack":["$b"]},{"id":"4765","source":"Windows Security","name":"SID History was added to an account.","description":"SID History was added to an account.","category":"Account Management","mitreAttack":["$92"]},{"id":"4766","source":"Windows Security","name":"An attempt to add SID History to an account failed.","description":"An attempt to add SID History to an account failed.","category":"Account Management","mitreAttack":["$92"]},{"id":"4767","source":"Windows Security","name":"A user account was unlocked.","description":"A user account was unlocked.","category":"Account Management","mitreAttack":["$b"]},{"id":"4768","source":"Windows Security","name":"A Kerberos authentication ticket (TGT) was requested.","description":"A Kerberos authentication ticket (TGT) was requested.","category":"Authentication","mitreAttack":["$1a","$94",{"id":"T1558.001","name":"Golden Ticket","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1558/001","description":"$95"}]},{"id":"4769","source":"Windows Security","name":"A Kerberos service ticket was requested.","description":"A Kerberos service ticket was requested.","category":"Authentication","mitreAttack":["$60","$1a","$94",{"id":"T1558.003","name":"Kerberoasting","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1558/003","description":"$96"}]},{"id":"4770","source":"Windows Security","name":"A Kerberos service ticket was renewed.","description":"A Kerberos service ticket was renewed.","category":"Authentication","mitreAttack":["$1a","$94"]},{"id":"4771","source":"Windows Security","name":"Kerberos pre-authentication failed.","description":"Kerberos pre-authentication failed.","category":"Authentication","mitreAttack":["$87",{"id":"T1558.004","name":"AS-REP Roasting","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1558/004","description":"$97"}]},{"id":"4772","source":"Windows Security","name":"A Kerberos authentication ticket request failed.","description":"A Kerberos authentication ticket request failed.","category":"Authentication","mitreAttack":["$87","$94"]},{"id":"4773","source":"Windows Security","name":"A Kerberos service ticket request failed.","description":"A Kerberos service ticket request failed.","category":"Authentication","mitreAttack":["$87","$94"]},{"id":"4774","source":"Windows Security","name":"An account was mapped for logon.","description":"An account was mapped for logon (typically Kerberos).","category":"Authentication","mitreAttack":["$1a","$94"]},{"id":"4775","source":"Windows Security","name":"An account could not be mapped for logon.","description":"An account could not be mapped for logon (typically Kerberos).","category":"Authentication","mitreAttack":["$1a","$94"]},{"id":"4776","source":"Windows Security","name":"The domain controller attempted to validate the credentials for an account.","description":"The domain controller attempted to validate the credentials for an account (NTLM Authentication).","category":"Authentication","mitreAttack":["$1a","$25",{"id":"T1557.001","name":"LLMNR/NBT-NS Poisoning and SMB Relay","tactic":"collection, credential-access","url":"https://attack.mitre.org/techniques/T1557/001","description":"$98"}],"commonScenarios":["Occurs on Domain Controllers during NTLM authentication attempts.","High volume of failures (Status != 0x0) can indicate brute-force or spraying attacks targeting NTLM.","Success (Status == 0x0) is normal but should be monitored for anomalous patterns (source workstation, account, time)."]},{"id":"4777","source":"Windows Security","name":"The domain controller failed to validate the credentials for an account.","description":"The domain controller failed to validate the credentials for an account (NTLM Authentication).","category":"Authentication","mitreAttack":["$87","$99"]},{"id":"4778","source":"Windows Security","name":"A session was reconnected to a Window Station.","description":"A session was reconnected to a Window Station.","category":"Authentication","mitreAttack":["$60","$9b",{"id":"T1563","name":"Remote Service Session Hijacking","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1563","description":"Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.\n\nAdversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)"},{"id":"T1563.002","name":"RDP Hijacking","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1563/002","description":"$9d"}]},{"id":"4779","source":"Windows Security","name":"A session was disconnected from a Window Station.","description":"A session was disconnected from a Window Station.","category":"Authentication","mitreAttack":["$60","$9b"]},{"id":"4780","source":"Windows Security","name":"The ACL was set on accounts which are members of administrators groups.","description":"The Access Control List (ACL) was set on accounts which are members of administrators groups (AdminSDHolder).","category":"Account Management","mitreAttack":["$b","$83"]},{"id":"4781","source":"Windows Security","name":"The name of an account was changed.","description":"The name of an account was changed (SAM Account Name or UPN).","category":"Account Management","mitreAttack":["$b"]},{"id":"4782","source":"Windows Security","name":"The password hash an account was accessed.","description":"The password hash of an account was accessed.","category":"Account Management","mitreAttack":["$4e","$4f","$43","$9e"]},{"id":"4783","source":"Windows Security","name":"A basic application group was created.","description":"A basic application group was created.","category":"Account Management"},{"id":"4784","source":"Windows Security","name":"A basic application group was changed.","description":"A basic application group was changed.","category":"Account Management"},{"id":"4785","source":"Windows Security","name":"A member was added to a basic application group.","description":"A member was added to a basic application group.","category":"Account Management"},{"id":"4786","source":"Windows Security","name":"A member was removed from a basic application group.","description":"A member was removed from a basic application group.","category":"Account Management"},{"id":"4787","source":"Windows Security","name":"A non-member was added to a basic application group.","description":"A non-member was added to a basic application group.","category":"Account Management"},{"id":"4788","source":"Windows Security","name":"A non-member was removed from a basic application group.","description":"A non-member was removed from a basic application group.","category":"Account Management"},{"id":"4789","source":"Windows Security","name":"A basic application group was deleted.","description":"A basic application group was deleted.","category":"Account Management"},{"id":"4790","source":"Windows Security","name":"An LDAP query group was created.","description":"An LDAP query group was created.","category":"Account Management"},{"id":"4791","source":"Windows Security","name":"An LDAP query group was changed.","description":"An LDAP query group was changed.","category":"Account Management"},{"id":"4792","source":"Windows Security","name":"An LDAP query group was deleted.","description":"An LDAP query group was deleted.","category":"Account Management"},{"id":"4793","source":"Windows Security","name":"The Password Policy Checking API was called.","description":"The Password Policy Checking API was called.","category":"Account Management","mitreAttack":[{"id":"T1201","name":"Password Policy Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1201","description":"$a0"}]},{"id":"4794","source":"Windows Security","name":"An attempt was made to set the Directory Services Restore Mode administrator password.","description":"An attempt was made to set the Directory Services Restore Mode (DSRM) administrator password.","category":"Account Management","mitreAttack":["$b"]},{"id":"4797","source":"Windows Security","name":"An attempt was made to query the existence of a blank password for an account.","description":"An attempt was made to query the existence of a blank password for an account.","category":"Account Management","mitreAttack":[{"id":"T1087","name":"Account Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1087","description":"$a1"},{"id":"T1087.001","name":"Local Account","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1087/001","description":"Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.\n\nCommands such as net user and net localgroup of the [Net](https://attack.mitre.org/software/S0039) utility and id and groups on macOS and Linux can list local users and groups.(Citation: Mandiant APT1)(Citation: id man page)(Citation: groups man page) On Linux, local users can also be enumerated through the use of the /etc/passwd file. On macOS the dscl . list /Users command can be used to enumerate local accounts."},"$a2"]},{"id":"4798","source":"Windows Security","name":"A user's local group membership was enumerated.","description":"A user's local group membership was enumerated.","category":"Account Management","mitreAttack":["$a3","$a4","$a5","$a7"]},{"id":"4799","source":"Windows Security","name":"A security-enabled local group membership was enumerated.","description":"A security-enabled local group membership was enumerated.","category":"Account Management","mitreAttack":["$a3","$a4"]},{"id":"4800","source":"Windows Security","name":"The workstation was locked.","description":"The workstation was locked.","category":"Authentication"},{"id":"4801","source":"Windows Security","name":"The workstation was unlocked.","description":"The workstation was unlocked.","category":"Authentication"},{"id":"4802","source":"Windows Security","name":"The screen saver was invoked.","description":"The screen saver was invoked.","category":"Authentication","mitreAttack":[{"id":"T1546.002","name":"Screensaver","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/002","description":"$a8"}]},{"id":"4803","source":"Windows Security","name":"The screen saver was dismissed.","description":"The screen saver was dismissed.","category":"Authentication"},{"id":"4816","source":"Windows Security","name":"RPC detected an integrity violation while decrypting an incoming message.","description":"RPC detected an integrity violation while decrypting an incoming message.","category":"System","mitreAttack":[{"id":"T1557","name":"Adversary-in-the-Middle","tactic":"collection, credential-access","url":"https://attack.mitre.org/techniques/T1557","description":"$a9"}]},{"id":"4817","source":"Windows Security","name":"Auditing settings on an object were changed.","description":"Auditing settings on an object were changed (Kernel Object).","category":"Policy Change","mitreAttack":["$85","$f"]},{"id":"4818","source":"Windows Security","name":"Proposed Central Access Policy does not grant the same permissions.","description":"Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.","category":"Object Access"},{"id":"4819","source":"Windows Security","name":"Central Access Policies on the machine have been changed.","description":"Central Access Policies on the machine have been changed.","category":"Policy Change"},{"id":"4820","source":"Windows Security","name":"A Kerberos TGT was denied because the device does not meet access control restrictions.","description":"A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.","category":"Authentication","mitreAttack":["$94"]},{"id":"4821","source":"Windows Security","name":"A Kerberos service ticket was denied because access control restrictions were not met.","description":"A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.","category":"Authentication","mitreAttack":["$94"]},{"id":"4822","source":"Windows Security","name":"NTLM authentication failed because the account was a member of the Protected User group.","description":"NTLM authentication failed because the account was a member of the Protected User group.","category":"Authentication","mitreAttack":["$1a",{"id":"T1556.006","name":"Multi-Factor Authentication","tactic":"credential-access, defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1556/006","description":"$aa"}]},{"id":"4823","source":"Windows Security","name":"NTLM authentication failed because access control restrictions are required.","description":"NTLM authentication failed because access control restrictions are required.","category":"Authentication","mitreAttack":["$1a"]},{"id":"4824","source":"Windows Security","name":"Kerberos preauthentication using DES or RC4 failed (Protected User).","description":"Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.","category":"Authentication","mitreAttack":["$ab","$94"]},{"id":"4825","source":"Windows Security","name":"A user was denied access to Remote Desktop.","description":"A user was denied access to Remote Desktop. Network Level Authentication (NLA) failed.","category":"Authentication","mitreAttack":["$9b","$1a","$87"]},{"id":"4826","source":"Windows Security","name":"Boot Configuration Data loaded.","description":"Boot Configuration Data loaded.","category":"System","mitreAttack":[{"id":"T1542","name":"Pre-OS Boot","tactic":"defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1542","description":"Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)\n\nAdversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses."},{"id":"T1542.003","name":"Bootkit","tactic":"defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1542/003","description":"Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)\n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code."}]},{"id":"4864","source":"Windows Security","name":"A namespace collision was detected.","description":"A namespace collision was detected.","category":"Policy Change"},{"id":"4865","source":"Windows Security","name":"A trusted forest information entry was added.","description":"A trusted forest information entry was added.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4866","source":"Windows Security","name":"A trusted forest information entry was removed.","description":"A trusted forest information entry was removed.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4867","source":"Windows Security","name":"A trusted forest information entry was modified.","description":"A trusted forest information entry was modified.","category":"Policy Change","mitreAttack":["$7e","$80"]},{"id":"4868","source":"Windows Security","name":"The certificate manager denied a pending certificate request.","description":"The certificate manager denied a pending certificate request.","category":"Object Access","mitreAttack":[{"id":"T1553.004","name":"Install Root Certificate","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1553/004","description":"$ad"},{"id":"T1649","name":"Steal or Forge Authentication Certificates","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1649","description":"$ae"}]},{"id":"4869","source":"Windows Security","name":"Certificate Services received a resubmitted certificate request.","description":"Certificate Services received a resubmitted certificate request.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4870","source":"Windows Security","name":"Certificate Services revoked a certificate.","description":"Certificate Services revoked a certificate.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4871","source":"Windows Security","name":"Certificate Services received a request to publish the CRL.","description":"Certificate Services received a request to publish the certificate revocation list (CRL).","category":"Object Access"},{"id":"4872","source":"Windows Security","name":"Certificate Services published the CRL.","description":"Certificate Services published the certificate revocation list (CRL).","category":"Object Access"},{"id":"4873","source":"Windows Security","name":"A certificate request extension changed.","description":"A certificate request extension changed.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4874","source":"Windows Security","name":"One or more certificate request attributes changed.","description":"One or more certificate request attributes changed.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4875","source":"Windows Security","name":"Certificate Services received a request to shut down.","description":"Certificate Services received a request to shut down.","category":"Object Access","mitreAttack":[{"id":"T1489","name":"Service Stop","tactic":"impact","url":"https://attack.mitre.org/techniques/T1489","description":"$b3"}]},{"id":"4876","source":"Windows Security","name":"Certificate Services backup started.","description":"Certificate Services backup started.","category":"Object Access"},{"id":"4877","source":"Windows Security","name":"Certificate Services backup completed.","description":"Certificate Services backup completed.","category":"Object Access"},{"id":"4878","source":"Windows Security","name":"Certificate Services restore started.","description":"Certificate Services restore started.","category":"Object Access"},{"id":"4879","source":"Windows Security","name":"Certificate Services restore completed.","description":"Certificate Services restore completed.","category":"Object Access"},{"id":"4880","source":"Windows Security","name":"Certificate Services started.","description":"Certificate Services started.","category":"Object Access"},{"id":"4881","source":"Windows Security","name":"Certificate Services stopped.","description":"Certificate Services stopped.","category":"Object Access","mitreAttack":["$b4"]},{"id":"4882","source":"Windows Security","name":"The security permissions for Certificate Services changed.","description":"The security permissions for Certificate Services changed.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4883","source":"Windows Security","name":"Certificate Services retrieved an archived key.","description":"Certificate Services retrieved an archived key.","category":"Object Access","mitreAttack":[{"id":"T1552.004","name":"Private Keys","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1552/004","description":"$b6"},"$b1"]},{"id":"4884","source":"Windows Security","name":"Certificate Services imported a certificate into its database.","description":"Certificate Services imported a certificate into its database.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4885","source":"Windows Security","name":"The audit filter for Certificate Services changed.","description":"The audit filter for Certificate Services changed.","category":"Object Access","mitreAttack":["$f","$12"]},{"id":"4886","source":"Windows Security","name":"Certificate Services received a certificate request.","description":"Certificate Services received a certificate request.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4887","source":"Windows Security","name":"Certificate Services approved a certificate request and issued a certificate.","description":"Certificate Services approved a certificate request and issued a certificate.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4888","source":"Windows Security","name":"Certificate Services denied a certificate request.","description":"Certificate Services denied a certificate request.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4889","source":"Windows Security","name":"Certificate Services set the status of a certificate request to pending.","description":"Certificate Services set the status of a certificate request to pending.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4890","source":"Windows Security","name":"The certificate manager settings for Certificate Services changed.","description":"The certificate manager settings for Certificate Services changed.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4891","source":"Windows Security","name":"A configuration entry changed in Certificate Services.","description":"A configuration entry changed in Certificate Services.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4892","source":"Windows Security","name":"A property of Certificate Services changed.","description":"A property of Certificate Services changed.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4893","source":"Windows Security","name":"Certificate Services archived a key.","description":"Certificate Services archived a key.","category":"Object Access","mitreAttack":["$b7","$b1"]},{"id":"4894","source":"Windows Security","name":"Certificate Services imported and archived a key.","description":"Certificate Services imported and archived a key.","category":"Object Access","mitreAttack":["$b7","$b1"]},{"id":"4895","source":"Windows Security","name":"Certificate Services published the CA certificate to Active Directory.","description":"Certificate Services published the CA certificate to Active Directory Domain Services.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4896","source":"Windows Security","name":"One or more rows have been deleted from the certificate database.","description":"One or more rows have been deleted from the certificate database.","category":"Object Access","mitreAttack":[{"id":"T1070","name":"Indicator Removal","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070","description":"Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.\n\nRemoval of these indicators may interfere with event collection, reporting, or other processes used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred."},"$41"]},{"id":"4897","source":"Windows Security","name":"Role separation enabled.","description":"Role separation enabled: Certificate Services.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4898","source":"Windows Security","name":"Certificate Services loaded a template.","description":"Certificate Services loaded a template.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4899","source":"Windows Security","name":"A Certificate Services template was updated.","description":"A Certificate Services template was updated.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4900","source":"Windows Security","name":"Certificate Services template security was updated.","description":"Certificate Services template security was updated.","category":"Object Access","mitreAttack":["$af","$b1"]},{"id":"4902","source":"Windows Security","name":"The Per-user audit policy table was created.","description":"The Per-user audit policy table was created.","category":"Policy Change","mitreAttack":["$f"]},{"id":"4904","source":"Windows Security","name":"An attempt was made to register a security event source.","description":"An attempt was made to register a security event source.","category":"Policy Change","mitreAttack":["$f","$12"]},{"id":"4905","source":"Windows Security","name":"An attempt was made to unregister a security event source.","description":"An attempt was made to unregister a security event source.","category":"Policy Change","mitreAttack":["$f","$12"]},{"id":"4906","source":"Windows Security","name":"The CrashOnAuditFail value has changed.","description":"The CrashOnAuditFail value has changed.","category":"Policy Change","mitreAttack":["$f"]},{"id":"4907","source":"Windows Security","name":"Auditing settings on object were changed.","description":"Auditing settings on object were changed.","category":"Policy Change","mitreAttack":["$85","$f","$12"]},{"id":"4908","source":"Windows Security","name":"Special Groups Logon table modified.","description":"Special Groups Logon table modified.","category":"Policy Change","mitreAttack":["$b","$5e"]},{"id":"4909","source":"Windows Security","name":"The local policy settings for the TBS were changed.","description":"The local policy settings for the Trusted Platform Module Base Services (TBS) were changed.","category":"Policy Change"},{"id":"4910","source":"Windows Security","name":"The group policy settings for the TBS were changed.","description":"The group policy settings for the Trusted Platform Module Base Services (TBS) were changed.","category":"Policy Change"},{"id":"4911","source":"Windows Security","name":"Resource attributes of the object were changed.","description":"Resource attributes of the object were changed.","category":"Policy Change"},{"id":"4912","source":"Windows Security","name":"Per User Audit Policy was changed.","description":"Per User Audit Policy was changed.","category":"Policy Change","mitreAttack":["$f","$12"]},{"id":"4913","source":"Windows Security","name":"Central Access Policy on the object was changed.","description":"Central Access Policy on the object was changed.","category":"Policy Change"},{"id":"4928","source":"Windows Security","name":"An Active Directory replica source naming context was established.","description":"An Active Directory replica source naming context was established.","category":"DS Access","mitreAttack":["$b9"]},{"id":"4929","source":"Windows Security","name":"An Active Directory replica source naming context was removed.","description":"An Active Directory replica source naming context was removed.","category":"DS Access","mitreAttack":["$b9"]},{"id":"4930","source":"Windows Security","name":"An Active Directory replica source naming context was modified.","description":"An Active Directory replica source naming context was modified.","category":"DS Access","mitreAttack":["$b9"]},{"id":"4931","source":"Windows Security","name":"An Active Directory replica destination naming context was modified.","description":"An Active Directory replica destination naming context was modified.","category":"DS Access","mitreAttack":["$b9"]},{"id":"4932","source":"Windows Security","name":"Synchronization of a replica of an Active Directory naming context has begun.","description":"Synchronization of a replica of an Active Directory naming context has begun.","category":"DS Access","mitreAttack":["$9e"]},{"id":"4933","source":"Windows Security","name":"Synchronization of a replica of an Active Directory naming context has ended.","description":"Synchronization of a replica of an Active Directory naming context has ended.","category":"DS Access","mitreAttack":["$9e"]},{"id":"4934","source":"Windows Security","name":"Attributes of an Active Directory object were replicated.","description":"Attributes of an Active Directory object were replicated.","category":"DS Access","mitreAttack":["$9e"]},{"id":"4935","source":"Windows Security","name":"Replication failure begins.","description":"Replication failure begins.","category":"DS Access"},{"id":"4936","source":"Windows Security","name":"Replication failure ends.","description":"Replication failure ends.","category":"DS Access"},{"id":"4937","source":"Windows Security","name":"A lingering object was removed from a replica.","description":"A lingering object was removed from a replica.","category":"DS Access"},{"id":"4944","source":"Windows Security","name":"Windows Firewall policy was active when service started.","description":"The following policy was active when the Windows Firewall started.","category":"Policy Change","mitreAttack":[{"id":"T1562.004","name":"Disable or Modify System Firewall","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1562/004","description":"$bb"}]},{"id":"4945","source":"Windows Security","name":"A rule was listed when the Windows Firewall started.","description":"A rule was listed when the Windows Firewall started.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4946","source":"Windows Security","name":"A Windows Firewall exception list rule was added.","description":"A change has been made to Windows Firewall exception list. A rule was added.","category":"Policy Change","mitreAttack":["$2a","$bc",{"id":"T1571","name":"Non-Standard Port","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1571","description":"Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.\n\nAdversaries may also make changes to victim systems to abuse non-standard ports. For example, Registry keys and other configuration settings can be used to modify protocol and port pairings.(Citation: change_rdp_port_conti)"}]},{"id":"4947","source":"Windows Security","name":"A Windows Firewall exception list rule was modified.","description":"A change has been made to Windows Firewall exception list. A rule was modified.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4948","source":"Windows Security","name":"A Windows Firewall exception list rule was deleted.","description":"A change has been made to Windows Firewall exception list. A rule was deleted.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4949","source":"Windows Security","name":"Windows Firewall settings were restored to default values.","description":"Windows Firewall settings were restored to the default values.","category":"Policy Change","mitreAttack":["$be","$bc"]},{"id":"4950","source":"Windows Security","name":"A Windows Firewall setting has changed.","description":"A Windows Firewall setting has changed.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4951","source":"Windows Security","name":"A rule has been ignored (version mismatch).","description":"A rule has been ignored because its major version number was not recognized by Windows Firewall.","category":"Policy Change"},{"id":"4952","source":"Windows Security","name":"Parts of a rule have been ignored (version mismatch).","description":"Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.","category":"Policy Change"},{"id":"4953","source":"Windows Security","name":"A rule has been ignored (parse error).","description":"A rule has been ignored by Windows Firewall because it could not parse the rule.","category":"Policy Change"},{"id":"4954","source":"Windows Security","name":"Windows Firewall Group Policy settings have changed.","description":"Windows Firewall Group Policy settings have changed. The new settings have been applied.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4956","source":"Windows Security","name":"Windows Firewall has changed the active profile.","description":"Windows Firewall has changed the active profile.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"4957","source":"Windows Security","name":"Windows Firewall did not apply a rule.","description":"Windows Firewall did not apply the following rule.","category":"Policy Change"},{"id":"4958","source":"Windows Security","name":"Windows Firewall did not apply a rule (missing items).","description":"Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.","category":"Policy Change"},{"id":"4960","source":"Windows Security","name":"IPsec dropped an inbound packet that failed an integrity check.","description":"IPsec dropped an inbound packet that failed an integrity check.","category":"System"},{"id":"4961","source":"Windows Security","name":"IPsec dropped an inbound packet that failed a replay check.","description":"IPsec dropped an inbound packet that failed a replay check.","category":"System","mitreAttack":["$bf"]},{"id":"4962","source":"Windows Security","name":"IPsec dropped an inbound packet that failed a replay check (low sequence number).","description":"IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.","category":"System","mitreAttack":["$bf"]},{"id":"4963","source":"Windows Security","name":"IPsec dropped an inbound clear text packet that should have been secured.","description":"IPsec dropped an inbound clear text packet that should have been secured.","category":"System","mitreAttack":["$bf"]},{"id":"4964","source":"Windows Security","name":"Special groups have been assigned to a new logon.","description":"Special groups have been assigned to a new logon.","category":"Authentication","mitreAttack":["$5b","$5e"]},{"id":"4965","source":"Windows Security","name":"IPsec received a packet from a remote computer with an incorrect SPI.","description":"IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI).","category":"System"},{"id":"4976","source":"Windows Security","name":"IPsec received an invalid Main Mode negotiation packet.","description":"During Main Mode negotiation, IPsec received an invalid negotiation packet.","category":"Authentication"},{"id":"4977","source":"Windows Security","name":"IPsec received an invalid Quick Mode negotiation packet.","description":"During Quick Mode negotiation, IPsec received an invalid negotiation packet.","category":"Authentication"},{"id":"4978","source":"Windows Security","name":"IPsec received an invalid Extended Mode negotiation packet.","description":"During Extended Mode negotiation, IPsec received an invalid negotiation packet.","category":"Authentication"},{"id":"4979","source":"Windows Security","name":"IPsec Main Mode and Extended Mode SAs were established (User).","description":"IPsec Main Mode and Extended Mode security associations were established (User mode).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4980","source":"Windows Security","name":"IPsec Main Mode and Extended Mode SAs were established (Computer).","description":"IPsec Main Mode and Extended Mode security associations were established (Computer mode).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4981","source":"Windows Security","name":"IPsec Main Mode and Extended Mode SAs were established (Anonymous).","description":"IPsec Main Mode and Extended Mode security associations were established (Anonymous).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4982","source":"Windows Security","name":"IPsec Main Mode and Extended Mode SAs were established (No Impersonation).","description":"IPsec Main Mode and Extended Mode security associations were established (No Impersonation).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4983","source":"Windows Security","name":"An IPsec Extended Mode negotiation failed (User).","description":"An IPsec Extended Mode negotiation failed (User mode).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4984","source":"Windows Security","name":"An IPsec Extended Mode negotiation failed (Computer).","description":"An IPsec Extended Mode negotiation failed (Computer mode).","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"4985","source":"Windows Security","name":"The state of a transaction has changed.","description":"The state of a transaction has changed.","category":"Object Access"},{"id":"5024","source":"Windows Security","name":"The Windows Firewall Service has started successfully.","description":"The Windows Firewall Service has started successfully.","category":"System"},{"id":"5025","source":"Windows Security","name":"The Windows Firewall Service has been stopped.","description":"The Windows Firewall Service has been stopped.","category":"System","mitreAttack":["$b4","$bc"]},{"id":"5027","source":"Windows Security","name":"The Windows Firewall Service was unable to retrieve the security policy from local storage.","description":"The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.","category":"System","mitreAttack":["$bc"]},{"id":"5028","source":"Windows Security","name":"The Windows Firewall Service was unable to parse the new security policy.","description":"The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.","category":"System","mitreAttack":["$bc"]},{"id":"5029","source":"Windows Security","name":"The Windows Firewall Service failed to initialize the driver.","description":"The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.","category":"System","mitreAttack":["$bc"]},{"id":"5030","source":"Windows Security","name":"The Windows Firewall Service failed to start.","description":"The Windows Firewall Service failed to start.","category":"System","mitreAttack":["$bc"]},{"id":"5031","source":"Windows Security","name":"Windows Firewall blocked an application from accepting incoming connections.","description":"The Windows Firewall Service blocked an application from accepting incoming connections on the network.","category":"Network Activity","mitreAttack":["$2a",{"id":"T1090","name":"Proxy","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1090","description":"Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic."},"$c1","$2b"]},{"id":"5032","source":"Windows Security","name":"Windows Firewall was unable to notify the user that it blocked an application.","description":"Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.","category":"System"},{"id":"5033","source":"Windows Security","name":"The Windows Firewall Driver has started successfully.","description":"The Windows Firewall Driver has started successfully.","category":"System"},{"id":"5034","source":"Windows Security","name":"The Windows Firewall Driver has been stopped.","description":"The Windows Firewall Driver has been stopped.","category":"System","mitreAttack":["$bc"]},{"id":"5035","source":"Windows Security","name":"The Windows Firewall Driver failed to start.","description":"The Windows Firewall Driver failed to start.","category":"System","mitreAttack":["$bc"]},{"id":"5037","source":"Windows Security","name":"The Windows Firewall Driver detected critical runtime error.","description":"The Windows Firewall Driver detected critical runtime error. Terminating.","category":"System","mitreAttack":["$bc"]},{"id":"5038","source":"Windows Security","name":"Code integrity determined that the image hash of a file is not valid.","description":"Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.","category":"System","mitreAttack":[{"id":"T1036","name":"Masquerading","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1036","description":"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)"},{"id":"T1553","name":"Subvert Trust Controls","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1553","description":"$c2"}]},{"id":"5039","source":"Windows Security","name":"A registry key was virtualized.","description":"A registry key was virtualized.","category":"Object Access"},{"id":"5040","source":"Windows Security","name":"An IPsec Authentication Set was added.","description":"A change has been made to IPsec settings. An Authentication Set was added.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5041","source":"Windows Security","name":"An IPsec Authentication Set was modified.","description":"A change has been made to IPsec settings. An Authentication Set was modified.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5042","source":"Windows Security","name":"An IPsec Authentication Set was deleted.","description":"A change has been made to IPsec settings. An Authentication Set was deleted.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5043","source":"Windows Security","name":"An IPsec Connection Security Rule was added.","description":"A change has been made to IPsec settings. A Connection Security Rule was added.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5044","source":"Windows Security","name":"An IPsec Connection Security Rule was modified.","description":"A change has been made to IPsec settings. A Connection Security Rule was modified.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5045","source":"Windows Security","name":"An IPsec Connection Security Rule was deleted.","description":"A change has been made to IPsec settings. A Connection Security Rule was deleted.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5046","source":"Windows Security","name":"An IPsec Crypto Set was added.","description":"A change has been made to IPsec settings. A Crypto Set was added.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5047","source":"Windows Security","name":"An IPsec Crypto Set was modified.","description":"A change has been made to IPsec settings. A Crypto Set was modified.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5048","source":"Windows Security","name":"An IPsec Crypto Set was deleted.","description":"A change has been made to IPsec settings. A Crypto Set was deleted.","category":"Policy Change","mitreAttack":["$2a","$2b"]},{"id":"5049","source":"Windows Security","name":"An IPsec Security Association was deleted.","description":"An IPsec Security Association was deleted.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"5051","source":"Windows Security","name":"A file was virtualized.","description":"A file was virtualized.","category":"Object Access"},{"id":"5056","source":"Windows Security","name":"A cryptographic self-test was performed.","description":"A cryptographic self-test was performed.","category":"System"},{"id":"5057","source":"Windows Security","name":"A cryptographic primitive operation failed.","description":"A cryptographic primitive operation failed.","category":"System"},{"id":"5058","source":"Windows Security","name":"Key file operation.","description":"Key file operation.","category":"System","mitreAttack":["$4e","$b7","$b1"]},{"id":"5059","source":"Windows Security","name":"Key migration operation.","description":"Key migration operation.","category":"System","mitreAttack":["$b7","$b1"]},{"id":"5060","source":"Windows Security","name":"Verification operation failed.","description":"Verification operation failed.","category":"System"},{"id":"5061","source":"Windows Security","name":"Cryptographic operation.","description":"Cryptographic operation.","category":"System","mitreAttack":[{"id":"T1027","name":"Obfuscated Files or Information","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1027","description":"$c3"},{"id":"T1486","name":"Data Encrypted for Impact","tactic":"impact","url":"https://attack.mitre.org/techniques/T1486","description":"$c4"},{"id":"T1560","name":"Archive Collected Data","tactic":"collection","url":"https://attack.mitre.org/techniques/T1560","description":"An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network.(Citation: DOJ GRU Indictment Jul 2018) Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method."},{"id":"T1573","name":"Encrypted Channel","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1573","description":"Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files."}]},{"id":"5062","source":"Windows Security","name":"A kernel-mode cryptographic self-test was performed.","description":"A kernel-mode cryptographic self-test was performed.","category":"System"},{"id":"5063","source":"Windows Security","name":"A cryptographic provider operation was attempted.","description":"A cryptographic provider operation was attempted.","category":"Policy Change","mitreAttack":["$b7","$b1"]},{"id":"5064","source":"Windows Security","name":"A cryptographic context operation was attempted.","description":"A cryptographic context operation was attempted.","category":"Policy Change","mitreAttack":["$b7","$b1"]},{"id":"5065","source":"Windows Security","name":"A cryptographic context modification was attempted.","description":"A cryptographic context modification was attempted.","category":"Policy Change","mitreAttack":["$b7","$f","$b1"]},{"id":"5066","source":"Windows Security","name":"A cryptographic function operation was attempted.","description":"A cryptographic function operation was attempted.","category":"Policy Change","mitreAttack":["$c5","$b7","$c7","$c8","$b1"]},{"id":"5067","source":"Windows Security","name":"A cryptographic function modification was attempted.","description":"A cryptographic function modification was attempted.","category":"Policy Change","mitreAttack":["$b7","$f","$b1"]},{"id":"5068","source":"Windows Security","name":"A cryptographic function provider operation was attempted.","description":"A cryptographic function provider operation was attempted.","category":"Policy Change","mitreAttack":["$b7","$b1"]},{"id":"5069","source":"Windows Security","name":"A cryptographic function property operation was attempted.","description":"A cryptographic function property operation was attempted.","category":"Policy Change","mitreAttack":["$b7","$b1"]},{"id":"5070","source":"Windows Security","name":"A cryptographic function property modification was attempted.","description":"A cryptographic function property modification was attempted.","category":"Policy Change","mitreAttack":["$b7","$f","$b1"]},{"id":"5071","source":"Windows Security","name":"Key access denied by Microsoft key distribution service.","description":"Key access denied by Microsoft key distribution service.","category":"System","mitreAttack":["$b7","$b1"]},{"id":"5120","source":"Windows Security","name":"OCSP Responder Service Started.","description":"OCSP Responder Service Started.","category":"Object Access"},{"id":"5121","source":"Windows Security","name":"OCSP Responder Service Stopped.","description":"OCSP Responder Service Stopped.","category":"Object Access","mitreAttack":["$b4"]},{"id":"5122","source":"Windows Security","name":"A Configuration entry changed in the OCSP Responder Service.","description":"A Configuration entry changed in the OCSP Responder Service.","category":"Object Access"},{"id":"5123","source":"Windows Security","name":"A configuration entry changed in the OCSP Responder Service.","description":"A configuration entry changed in the OCSP Responder Service.","category":"Object Access"},{"id":"5124","source":"Windows Security","name":"A security setting was updated on OCSP Responder Service.","description":"A security setting was updated on OCSP Responder Service.","category":"Object Access"},{"id":"5125","source":"Windows Security","name":"A request was submitted to OCSP Responder Service.","description":"A request was submitted to OCSP Responder Service.","category":"Object Access"},{"id":"5126","source":"Windows Security","name":"Signing Certificate was automatically updated by the OCSP Responder Service.","description":"Signing Certificate was automatically updated by the OCSP Responder Service.","category":"Object Access"},{"id":"5127","source":"Windows Security","name":"The OCSP Revocation Provider successfully updated the revocation information.","description":"The OCSP Revocation Provider successfully updated the revocation information.","category":"Object Access"},{"id":"5136","source":"Windows Security","name":"A directory service object was modified.","description":"A directory service object was modified.","category":"DS Access","mitreAttack":["$b","$83","$c9"]},{"id":"5137","source":"Windows Security","name":"A directory service object was created.","description":"A directory service object was created.","category":"DS Access","mitreAttack":["$8d","$8e"]},{"id":"5138","source":"Windows Security","name":"A directory service object was undeleted.","description":"A directory service object was undeleted.","category":"DS Access"},{"id":"5139","source":"Windows Security","name":"A directory service object was moved.","description":"A directory service object was moved.","category":"DS Access","mitreAttack":["$b"]},{"id":"5140","source":"Windows Security","name":"A network share object was accessed.","description":"A network share object was accessed.","category":"Object Access","mitreAttack":["$cb",{"id":"T1074.002","name":"Remote Data Staging","tactic":"collection","url":"https://attack.mitre.org/techniques/T1074/002","description":"Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nBy staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection."},{"id":"T1080","name":"Taint Shared Content","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1080","description":"$cc"},{"id":"T1135","name":"Network Share Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1135","description":"Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\\\\\remotesystem command. It can also be used to query shared drives on the local system using net share. For macOS, the sharing -l command lists all shared points used for smb services."},{"id":"T1570","name":"Lateral Tool Transfer","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1570","description":"$cd"}]},{"id":"5141","source":"Windows Security","name":"A directory service object was deleted.","description":"A directory service object was deleted.","category":"DS Access","mitreAttack":["$b","$8b"]},{"id":"5142","source":"Windows Security","name":"A network share object was added.","description":"A network share object was added.","category":"Object Access","mitreAttack":["$ce","$cf","$d1"]},{"id":"5143","source":"Windows Security","name":"A network share object was modified.","description":"A network share object was modified.","category":"Object Access","mitreAttack":["$cf","$d1"]},{"id":"5144","source":"Windows Security","name":"A network share object was deleted.","description":"A network share object was deleted.","category":"Object Access","mitreAttack":[{"id":"T1070.005","name":"Network Share Connection Removal","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070/005","description":"Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the net use \\\\system\\share /delete command. (Citation: Technet Net Use)"}]},{"id":"5145","source":"Windows Security","name":"A network share object access check.","description":"A network share object was checked to see whether the client can be granted desired access.","category":"Object Access","mitreAttack":["$cb","$d3"]},{"id":"5150","source":"Windows Security","name":"The Windows Filtering Platform has blocked a packet.","description":"The Windows Filtering Platform has blocked a packet.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc","$c1"]},{"id":"5151","source":"Windows Security","name":"A more restrictive Windows Filtering Platform filter has blocked a packet.","description":"A more restrictive Windows Filtering Platform filter has blocked a packet.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc","$c1"]},{"id":"5152","source":"Windows Security","name":"The Windows Filtering Platform blocked a packet.","description":"The Windows Filtering Platform blocked a packet.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc","$c1"]},{"id":"5153","source":"Windows Security","name":"A more restrictive Windows Filtering Platform filter has blocked a packet.","description":"A more restrictive Windows Filtering Platform filter has blocked a packet.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc","$c1"]},{"id":"5154","source":"Windows Security","name":"The Windows Filtering Platform has permitted an application to listen on a port.","description":"The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.","category":"Network Activity","mitreAttack":["$2a","$d4","$d5","$2b"]},{"id":"5155","source":"Windows Security","name":"The Windows Filtering Platform has blocked an application from listening on a port.","description":"The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc"]},{"id":"5156","source":"Windows Security","name":"The Windows Filtering Platform has allowed a connection.","description":"The Windows Filtering Platform has allowed a connection.","category":"Network Activity","mitreAttack":["$60","$cb",{"id":"T1041","name":"Exfiltration Over C2 Channel","tactic":"exfiltration","url":"https://attack.mitre.org/techniques/T1041","description":"Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications."},{"id":"T1048","name":"Exfiltration Over Alternative Protocol","tactic":"exfiltration","url":"https://attack.mitre.org/techniques/T1048","description":"$d7"},"$2a","$d4","$d5","$d1","$c1","$2b"]},{"id":"5157","source":"Windows Security","name":"The Windows Filtering Platform has blocked a connection.","description":"The Windows Filtering Platform has blocked a connection.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc","$c1"]},{"id":"5158","source":"Windows Security","name":"The Windows Filtering Platform has permitted a bind to a local port.","description":"The Windows Filtering Platform has permitted a bind to a local port.","category":"Network Activity","mitreAttack":["$2a","$d4"]},{"id":"5159","source":"Windows Security","name":"The Windows Filtering Platform has blocked a bind to a local port.","description":"The Windows Filtering Platform has blocked a bind to a local port.","category":"Network Activity","mitreAttack":["$2a","$d4","$bc"]},{"id":"5168","source":"Windows Security","name":"SPN check for SMB/SMB2 failed.","description":"SPN check for SMB/SMB2 failed.","category":"Object Access"},{"id":"5169","source":"Windows Security","name":"A directory service object was modified (Win10+).","description":"A directory service object was modified (alternate ID for 5136 on newer systems).","category":"DS Access","mitreAttack":["$b","$83","$c9"]},{"id":"5376","source":"Windows Security","name":"Credential Manager credentials were backed up.","description":"Credential Manager credentials were backed up.","category":"Account Management","mitreAttack":[{"id":"T1074","name":"Data Staged","tactic":"collection","url":"https://attack.mitre.org/techniques/T1074","description":"Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)\n\nIn cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)\n\nAdversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection."},"$74"]},{"id":"5377","source":"Windows Security","name":"Credential Manager credentials were restored from a backup.","description":"Credential Manager credentials were restored from a backup.","category":"Account Management","mitreAttack":["$1a","$74"]},{"id":"5378","source":"Windows Security","name":"The requested credentials delegation was disallowed by policy.","description":"The requested credentials delegation was disallowed by policy.","category":"Authentication","mitreAttack":["$d8"]},{"id":"5440","source":"Windows Security","name":"A WFP callout was present at boot.","description":"The following callout was present when the Windows Filtering Platform Base Filtering Engine started.","category":"Policy Change","mitreAttack":["$f"]},{"id":"5441","source":"Windows Security","name":"A WFP filter was present at boot.","description":"The following filter was present when the Windows Filtering Platform Base Filtering Engine started.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"5442","source":"Windows Security","name":"A WFP provider was present at boot.","description":"The following provider was present when the Windows Filtering Platform Base Filtering Engine started.","category":"Policy Change"},{"id":"5443","source":"Windows Security","name":"A WFP provider context was present at boot.","description":"The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.","category":"Policy Change"},{"id":"5444","source":"Windows Security","name":"A WFP sub-layer was present at boot.","description":"The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.","category":"Policy Change"},{"id":"5446","source":"Windows Security","name":"A Windows Filtering Platform callout has been changed.","description":"A Windows Filtering Platform callout has been changed.","category":"Policy Change","mitreAttack":["$f"]},{"id":"5447","source":"Windows Security","name":"A Windows Filtering Platform filter has been changed.","description":"A Windows Filtering Platform filter has been changed.","category":"Policy Change","mitreAttack":["$bc"]},{"id":"5448","source":"Windows Security","name":"A Windows Filtering Platform provider has been changed.","description":"A Windows Filtering Platform provider has been changed.","category":"Policy Change"},{"id":"5449","source":"Windows Security","name":"A Windows Filtering Platform provider context has been changed.","description":"A Windows Filtering Platform provider context has been changed.","category":"Policy Change"},{"id":"5450","source":"Windows Security","name":"A Windows Filtering Platform sub-layer has been changed.","description":"A Windows Filtering Platform sub-layer has been changed.","category":"Policy Change"},{"id":"5451","source":"Windows Security","name":"An IPsec Quick Mode security association was established.","description":"An IPsec Quick Mode security association was established.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"5452","source":"Windows Security","name":"An IPsec Quick Mode security association ended.","description":"An IPsec Quick Mode security association ended.","category":"Authentication","mitreAttack":["$2a","$2b"]},{"id":"5453","source":"Windows Security","name":"An IPsec negotiation failed because IKEEXT service stopped.","description":"An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.","category":"Authentication"},{"id":"5456","source":"Windows Security","name":"PAStore Engine applied Active Directory storage IPsec policy.","description":"PAStore Engine applied Active Directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5457","source":"Windows Security","name":"PAStore Engine failed to apply Active Directory storage IPsec policy.","description":"PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5458","source":"Windows Security","name":"PAStore Engine applied locally cached copy of AD IPsec policy.","description":"PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5459","source":"Windows Security","name":"PAStore Engine failed to apply locally cached copy of AD IPsec policy.","description":"PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5460","source":"Windows Security","name":"PAStore Engine applied local registry storage IPsec policy.","description":"PAStore Engine applied local registry storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5461","source":"Windows Security","name":"PAStore Engine failed to apply local registry storage IPsec policy.","description":"PAStore Engine failed to apply local registry storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5462","source":"Windows Security","name":"PAStore Engine failed to apply some rules of the active IPsec policy.","description":"PAStore Engine failed to apply some rules of the active IPsec policy on the computer.","category":"Policy Change"},{"id":"5463","source":"Windows Security","name":"PAStore Engine polled for changes to the active IPsec policy and detected no changes.","description":"PAStore Engine polled for changes to the active IPsec policy and detected no changes.","category":"Policy Change"},{"id":"5464","source":"Windows Security","name":"PAStore Engine polled for changes and applied them.","description":"PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.","category":"Policy Change"},{"id":"5465","source":"Windows Security","name":"PAStore Engine received forced reload control.","description":"PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.","category":"Policy Change"},{"id":"5466","source":"Windows Security","name":"PAStore Engine polled, AD unreachable, used cache.","description":"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead.","category":"Policy Change"},{"id":"5467","source":"Windows Security","name":"PAStore Engine polled, AD reachable, no changes.","description":"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy.","category":"Policy Change"},{"id":"5468","source":"Windows Security","name":"PAStore Engine polled, AD reachable, applied changes.","description":"PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes.","category":"Policy Change"},{"id":"5471","source":"Windows Security","name":"PAStore Engine loaded local storage IPsec policy.","description":"PAStore Engine loaded local storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5472","source":"Windows Security","name":"PAStore Engine failed to load local storage IPsec policy.","description":"PAStore Engine failed to load local storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5473","source":"Windows Security","name":"PAStore Engine loaded directory storage IPsec policy.","description":"PAStore Engine loaded directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5474","source":"Windows Security","name":"PAStore Engine failed to load directory storage IPsec policy.","description":"PAStore Engine failed to load directory storage IPsec policy on the computer.","category":"Policy Change"},{"id":"5477","source":"Windows Security","name":"PAStore Engine failed to add quick mode filter.","description":"PAStore Engine failed to add quick mode filter.","category":"Policy Change"},{"id":"5478","source":"Windows Security","name":"IPsec Services has started successfully.","description":"IPsec Services has started successfully.","category":"System"},{"id":"5479","source":"Windows Security","name":"IPsec Services has been shut down successfully.","description":"IPsec Services has been shut down successfully.","category":"System","mitreAttack":["$b4"]},{"id":"5480","source":"Windows Security","name":"IPsec Services failed to get the complete list of network interfaces.","description":"IPsec Services failed to get the complete list of network interfaces on the computer.","category":"System"},{"id":"5483","source":"Windows Security","name":"IPsec Services failed to initialize RPC server.","description":"IPsec Services failed to initialize RPC server. IPsec Services could not be started.","category":"System"},{"id":"5484","source":"Windows Security","name":"IPsec Services has experienced a critical failure and has been shut down.","description":"IPsec Services has experienced a critical failure and has been shut down.","category":"System","mitreAttack":["$b4"]},{"id":"5485","source":"Windows Security","name":"IPsec Services failed to process some IPsec filters on a plug-and-play event.","description":"IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces.","category":"System"},{"id":"5632","source":"Windows Security","name":"A request was made to authenticate to a wireless network.","description":"A request was made to authenticate to a wireless network.","category":"Authentication","mitreAttack":[{"id":"T1016.002","name":"Wi-Fi Discovery","tactic":"discovery","url":"https://attack.mitre.org/techniques/T1016/002","description":"$da"}]},{"id":"5633","source":"Windows Security","name":"A request was made to authenticate to a wired network.","description":"A request was made to authenticate to a wired network.","category":"Authentication"},{"id":"5712","source":"Windows Security","name":"A Remote Procedure Call (RPC) was attempted.","description":"A Remote Procedure Call (RPC) was attempted.","category":"Detailed Tracking","mitreAttack":["$60","$db",{"id":"T1021.003","name":"Distributed Component Object Model","tactic":"lateral-movement","url":"https://attack.mitre.org/techniques/T1021/003","description":"$dd"},"$de",{"id":"T1047","name":"Windows Management Instrumentation","tactic":"execution","url":"https://attack.mitre.org/techniques/T1047","description":"$df"}]},{"id":"5888","source":"Windows Security","name":"An object in the COM+ Catalog was modified.","description":"An object in the COM+ Catalog was modified.","category":"Object Access","mitreAttack":["$e0"]},{"id":"5889","source":"Windows Security","name":"An object was deleted from the COM+ Catalog.","description":"An object was deleted from the COM+ Catalog.","category":"Object Access","mitreAttack":["$e0"]},{"id":"5890","source":"Windows Security","name":"An object was added to the COM+ Catalog.","description":"An object was added to the COM+ Catalog.","category":"Object Access","mitreAttack":["$e0"]},{"id":"6144","source":"Windows Security","name":"Security policy in the group policy objects has been applied successfully.","description":"Security policy in the group policy objects has been applied successfully.","category":"Policy Change","mitreAttack":["$c9"]},{"id":"6145","source":"Windows Security","name":"One or more errors occurred while processing security policy in the group policy objects.","description":"One or more errors occurred while processing security policy in the group policy objects.","category":"Policy Change","mitreAttack":["$c9"]},{"id":"6272","source":"Windows Security","name":"Network Policy Server granted access to a user.","description":"Network Policy Server granted access to a user.","category":"Network Policy Server","mitreAttack":["$1a","$e2"]},{"id":"6273","source":"Windows Security","name":"Network Policy Server denied access to a user.","description":"Network Policy Server denied access to a user.","category":"Network Policy Server","mitreAttack":["$1a","$87","$e2"]},{"id":"6274","source":"Windows Security","name":"Network Policy Server discarded the request for a user.","description":"Network Policy Server discarded the request for a user.","category":"Network Policy Server","mitreAttack":["$1a","$87","$e2"]},{"id":"6275","source":"Windows Security","name":"Network Policy Server discarded the accounting request for a user.","description":"Network Policy Server discarded the accounting request for a user.","category":"Network Policy Server"},{"id":"6276","source":"Windows Security","name":"Network Policy Server quarantined a user.","description":"Network Policy Server quarantined a user.","category":"Network Policy Server"},{"id":"6277","source":"Windows Security","name":"Network Policy Server granted probation access to a user.","description":"Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.","category":"Network Policy Server"},{"id":"6278","source":"Windows Security","name":"Network Policy Server granted full access to a user.","description":"Network Policy Server granted full access to a user because the host met the defined health policy.","category":"Network Policy Server"},{"id":"6279","source":"Windows Security","name":"Network Policy Server locked the user account.","description":"Network Policy Server locked the user account due to repeated failed authentication attempts.","category":"Network Policy Server","mitreAttack":["$87"]},{"id":"6280","source":"Windows Security","name":"Network Policy Server unlocked the user account.","description":"Network Policy Server unlocked the user account.","category":"Network Policy Server","mitreAttack":["$b"]},{"id":"6281","source":"Windows Security","name":"Code Integrity determined that the page hashes of an image file are not valid.","description":"Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification.","category":"System","mitreAttack":["$e4","$e5"]},{"id":"6400","source":"Windows Security","name":"BranchCache: Received an incorrectly formatted response discovering content availability.","description":"BranchCache: Received an incorrectly formatted response while discovering availability of content.","category":"System","mitreAttack":["$bf"]},{"id":"6401","source":"Windows Security","name":"BranchCache: Received invalid data from a peer.","description":"BranchCache: Received invalid data from a peer. Data discarded.","category":"System","mitreAttack":["$bf"]},{"id":"6402","source":"Windows Security","name":"BranchCache: The message to the hosted cache offering data is incorrectly formatted.","description":"BranchCache: The message to the hosted cache offering it data is incorrectly formatted.","category":"System","mitreAttack":["$bf"]},{"id":"6403","source":"Windows Security","name":"BranchCache: Hosted cache sent an incorrectly formatted response.","description":"BranchCache: The hosted cache sent an incorrectly formatted response to the client.","category":"System","mitreAttack":["$bf"]},{"id":"6404","source":"Windows Security","name":"BranchCache: Hosted cache could not be authenticated.","description":"BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.","category":"System","mitreAttack":["$bf"]},{"id":"6405","source":"Windows Security","name":"BranchCache: Multiple instances of an event occurred.","description":"BranchCache: Summarizes multiple occurrences of a specific BranchCache event ID.","category":"System"},{"id":"6406","source":"Windows Security","name":"A client registered with Windows Firewall.","description":"A client registered to Windows Firewall to control filtering.","category":"System","mitreAttack":["$e7","$bc"]},{"id":"6407","source":"Windows Security","name":"A client unregistered from Windows Firewall.","description":"A client unregistered from Windows Firewall.","category":"System","mitreAttack":["$e7","$bc"]},{"id":"6408","source":"Windows Security","name":"A registered product failed, Windows Firewall is now controlling filtering.","description":"Registered product failed and Windows Firewall is now controlling the filtering.","category":"System","mitreAttack":["$e7","$bc"]},{"id":"6409","source":"Windows Security","name":"BranchCache: A service connection point object could not be parsed.","description":"BranchCache: A service connection point object could not be parsed.","category":"System"},{"id":"6410","source":"Windows Security","name":"Code integrity determined that a file does not meet security requirements.","description":"Code integrity determined that a file does not meet the security requirements to load into a process.","category":"System","mitreAttack":["$e5",{"id":"T1553.002","name":"Code Signing","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1553/002","description":"Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)(Citation: EclecticLightChecksonEXECodeSigning)\n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system."}]},{"id":"6416","source":"Windows Security","name":"A new external device was recognized by the System.","description":"A new external device was recognized by the System.","category":"System","mitreAttack":[{"id":"T1200","name":"Hardware Additions","tactic":"initial-access","url":"https://attack.mitre.org/techniques/T1200","description":"$e9"}]},{"id":"6417","source":"Windows Security","name":"The FIPS mode crypto self-tests succeeded.","description":"The FIPS mode crypto self-tests succeeded.","category":"System"},{"id":"6418","source":"Windows Security","name":"The FIPS mode crypto self-tests failed.","description":"The FIPS mode crypto self-tests failed.","category":"System"},{"id":"6419","source":"Windows Security","name":"A request was made to disable a device.","description":"A request was made to disable a device.","category":"System","mitreAttack":["$b4","$f"]},{"id":"6420","source":"Windows Security","name":"A device was disabled.","description":"A device was disabled.","category":"System Change","mitreAttack":["$b4","$f"]},{"id":"6421","source":"Windows Security","name":"A request was made to enable a device.","description":"A request was made to enable a device.","category":"System Change"},{"id":"6422","source":"Windows Security","name":"A device was enabled.","description":"A device was enabled.","category":"System Change"},{"id":"6423","source":"Windows Security","name":"The installation of this device is forbidden by system policy.","description":"The installation of this device is forbidden by system policy.","mitreAttack":["$ea"]},{"id":"6424","source":"Windows Security","name":"The installation of this device was allowed by system policy.","description":"The installation of this device was allowed, after having previously been forbidden by policy.","mitreAttack":["$ea"]},{"id":"8001","source":"Windows Security","name":"NTLM authentication failed because the SuppressDomainCredentialForwarding registry key was set.","description":"NTLM authentication failed because the SuppressDomainCredentialForwarding registry key was set.","category":"Authentication","mitreAttack":["$25","$bf"]},{"id":"8002","source":"Windows Security","name":"NTLM server blocked NTLM pass-through authentication.","description":"NTLM server blocked NTLM pass-through authentication (due to RestrictSendingNTLMTraffic registry key).","category":"Authentication","mitreAttack":["$25","$bf"]},{"id":"8003","source":"Windows Security","name":"NTLM authentication failed because the NTLM policy audit-only.","description":"NTLM authentication failed because the NTLM policy is set to audit-only mode.","category":"Authentication","mitreAttack":["$25","$f"]},{"id":"8004","source":"Windows Security","name":"NTLM authentication failed because NTLM was blocked in the domain.","description":"NTLM authentication failed because NTLM was blocked in the domain.","category":"Authentication","mitreAttack":["$25","$bf"]},{"id":"8005","source":"Windows Security","name":"NTLM authentication used because the SuppressDomainCredentialForwarding registry key was not set.","description":"NTLM authentication used because the SuppressDomainCredentialForwarding registry key was not set.","category":"Authentication","mitreAttack":["$25","$bf"]},{"id":"8006","source":"Windows Security","name":"NTLM pass-through authentication was not blocked by the NTLM server.","description":"NTLM pass-through authentication was not blocked by the NTLM server.","category":"Authentication","mitreAttack":["$25","$bf"]},{"id":"8007","source":"Windows Security","name":"NTLM authentication used because the NTLM policy audit-only.","description":"NTLM authentication used because the NTLM policy is set to audit-only mode.","category":"Authentication","mitreAttack":["$25","$f"]},{"id":"8193","source":"Windows Security","name":"An error occurred while retrieving the retrieve the certificate revocation list (CRL)","description":"An error occurred while retrieving the retrieve the certificate revocation list (CRL) from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8194","source":"Windows Security","name":"The certificate revocation list (CRL) was successfully retrieved","description":"The certificate revocation list (CRL) was successfully retrieved from %1.","category":"System"},{"id":"8195","source":"Windows Security","name":"An error occurred while downloading the certificate revocation list (CRL)","description":"An error occurred while downloading the certificate revocation list (CRL) from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8196","source":"Windows Security","name":"An error occurred while retrieving the Online Certificate Status Protocol (OCSP) response","description":"An error occurred while retrieving the Online Certificate Status Protocol (OCSP) response from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8197","source":"Windows Security","name":"The Online Certificate Status Protocol (OCSP) response was successfully retrieved","description":"The Online Certificate Status Protocol (OCSP) response was successfully retrieved from %1.","category":"System"},{"id":"8198","source":"Windows Security","name":"An error occurred while downloading the Online Certificate Status Protocol (OCSP) response","description":"An error occurred while downloading the Online Certificate Status Protocol (OCSP) response from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8199","source":"Windows Security","name":"An error occurred while retrieving the Authority Information Access (AIA) certificate","description":"An error occurred while retrieving the Authority Information Access (AIA) certificate from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8200","source":"Windows Security","name":"The Authority Information Access (AIA) certificate was successfully retrieved","description":"The Authority Information Access (AIA) certificate was successfully retrieved from %1.","category":"System"},{"id":"8201","source":"Windows Security","name":"An error occurred while downloading the Authority Information Access (AIA) certificate","description":"An error occurred while downloading the Authority Information Access (AIA) certificate from %1.","category":"System","mitreAttack":["$2a","$bf","$c8"]},{"id":"8224","source":"Windows Security","name":"The content in the %1 CAB file was modified.","description":"The content in the %1 CAB file was modified.","category":"System Change","mitreAttack":["$e4",{"id":"T1195","name":"Supply Chain Compromise","tactic":"initial-access","url":"https://attack.mitre.org/techniques/T1195","description":"$ec"},{"id":"T1195.002","name":"Compromise Software Supply Chain","tactic":"initial-access","url":"https://attack.mitre.org/techniques/T1195/002","description":"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.\n\nTargeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018)(Citation: Command Five SK 2011)"},{"id":"T1554","name":"Compromise Host Software Binary","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1554","description":"$ed"}]},{"id":"1102","source":"Windows Security","name":"The audit log was cleared.","description":"The audit log was cleared (typically the security log).","category":"Policy Change","mitreAttack":[{"id":"T1070.001","name":"Clear Windows Event Logs","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1070/001","description":"$ee"}]},{"id":"5050","source":"Windows Security","name":"An attempt to programmatically disable the Windows Firewall was rejected.","description":"An attempt to programmatically disable the Windows Firewall using a call to InetFwProfile.FirewallEnabled(False) was rejected (API not supported on this OS version).","category":"Policy Change","mitreAttack":["$bc"]},{"id":"5827","source":"Windows Security","name":"Netlogon denied vulnerable secure channel connection (Machine Account).","description":"The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account.","category":"Authentication","mitreAttack":["$c"]},{"id":"5828","source":"Windows Security","name":"Netlogon denied vulnerable secure channel connection (Trust Account).","description":"The Netlogon service denied a vulnerable Netlogon secure channel connection using a trust account.","category":"Authentication","mitreAttack":["$c"]},{"id":"6008","source":"Windows System","name":"The previous system shutdown was unexpected.","description":"The previous system shutdown at time on date was unexpected.","category":"System"},{"id":"24577","source":"BitLocker Driver","name":"Encryption of volume started.","description":"Encryption of volume %1 started.","category":"System","mitreAttack":["$c5"]},{"id":"24578","source":"BitLocker Driver","name":"Encryption of volume stopped.","description":"Encryption of volume %1 stopped.","category":"System","mitreAttack":["$c5"]},{"id":"24579","source":"BitLocker Driver","name":"Encryption of volume completed.","description":"Encryption of volume %1 completed successfully.","category":"System","mitreAttack":["$c5"]},{"id":"24580","source":"BitLocker Driver","name":"Decryption of volume started.","description":"Decryption of volume %1 started.","category":"System","mitreAttack":[{"id":"T1490","name":"Inhibit System Recovery","tactic":"impact","url":"https://attack.mitre.org/techniques/T1490","description":"$ef"}]},{"id":"24581","source":"BitLocker Driver","name":"Decryption of volume stopped.","description":"Decryption of volume %1 stopped.","category":"System"},{"id":"24582","source":"BitLocker Driver","name":"Decryption of volume completed.","description":"Decryption of volume %1 completed successfully.","category":"System"},{"id":"24583","source":"BitLocker Driver","name":"Conversion worker thread for volume started.","description":"Conversion worker thread for volume %1 started.","category":"System"},{"id":"24584","source":"BitLocker Driver","name":"Conversion worker thread for volume temporarily stopped.","description":"Conversion worker thread for volume %1 temporarily stopped.","category":"System"},{"id":"24586","source":"BitLocker Driver","name":"An error was encountered converting volume.","description":"An error was encountered converting volume %1.","category":"System","mitreAttack":["$c5",{"id":"T1561","name":"Disk Wipe","tactic":"impact","url":"https://attack.mitre.org/techniques/T1561","description":"$f0"}]},{"id":"24588","source":"BitLocker Driver","name":"Volume contains bad clusters.","description":"Volume %1 contains bad clusters. These clusters will be skipped during conversion.","category":"System"},{"id":"24592","source":"BitLocker Driver","name":"An attempt to automatically restart conversion on volume failed.","description":"An attempt to automatically restart conversion on volume %1 failed.","category":"System"},{"id":"24593","source":"BitLocker Driver","name":"Metadata write error on volume.","description":"Metadata write: Volume %1 returning errors while trying to modify metadata. If failures continue, decrypt volume.","category":"System","mitreAttack":["$c5","$f1"]},{"id":"24594","source":"BitLocker Driver","name":"Metadata rebuild write copy failed.","description":"Metadata rebuild: An attempt to write a copy of metadata on volume %1 failed and may appear as disk corruption. If failures continue, decrypt volume.","category":"System","mitreAttack":["$c5","$f1"]},{"id":"24595","source":"BitLocker Driver","name":"Volume contains bad clusters.","description":"Volume %1 contains bad clusters. These clusters will be skipped during conversion.","category":"System"},{"id":"24621","source":"BitLocker Driver","name":"Initial state check: Rolling volume conversion transaction.","description":"Initial state check: Rolling volume conversion transaction on %1.","category":"System"},{"id":"1","source":"Sysmon","name":"Process Create","description":"Process creation provides extended information about a newly created process.","category":"Process Execution","mitreAttack":["$db","$de","$f3","$7c","$f5","$f7","$f9",{"id":"T1059.004","name":"Unix Shell","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/004","description":"$fb"},"$fc",{"id":"T1059.006","name":"Python","tactic":"execution","url":"https://attack.mitre.org/techniques/T1059/006","description":"Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.(Citation: Zscaler APT31 Covid-19 October 2020)\n\nPython comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors."},"$fe","$100","$102",{"id":"T1202","name":"Indirect Command Execution","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1202","description":"$104"},"$105","$107","$109","$10a","$10c","$10d",{"id":"T1559","name":"Inter-Process Communication","tactic":"execution","url":"https://attack.mitre.org/techniques/T1559","description":"$10f"},"$7a",{"id":"T1609","name":"Container Administration Command","tactic":"execution","url":"https://attack.mitre.org/techniques/T1609","description":"Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)\n\nIn Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as docker exec to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as kubectl exec.(Citation: Kubectl Exec Get Shell)"}],"commonScenarios":["Crucial Fields: Image, CommandLine, ParentImage, ParentCommandLine, User, Hashes, ProcessGuid, ParentProcessGuid.","Look for suspicious parent-child relationships (e.g., Word -> PowerShell, svchost -> cmd).","Analyze CommandLine for encoded scripts, suspicious flags, or network destinations.","Use Hashes for threat intel lookups (VirusTotal, etc.).","Requires careful Sysmon configuration (filtering) to manage volume.","Correlate ProcessGuid with other events (Network, Registry, File)."]},{"id":"2","source":"Sysmon","name":"File Create Time Changed","description":"A process changed a file creation time. This event helps track the real creation time of a file. Attackers may change file time attributes to hide their tracks.","category":"Object Access","mitreAttack":["$110"]},{"id":"3","source":"Sysmon","name":"Network Connection","description":"Logs TCP/UDP connections on the machine. It is disabled by default. Each connection is linked to a process through the ProcessId and ProcessGUID fields.","category":"Network Activity","mitreAttack":["$112","$113","$2a",{"id":"T1071.001","name":"Web Protocols","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1071/001","description":"Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic."},{"id":"T1071.002","name":"File Transfer Protocols","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1071/002","description":"Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB(Citation: US-CERT TA18-074A), FTP(Citation: ESET Machete July 2019), FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic."},{"id":"T1071.003","name":"Mail Protocols","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1071/003","description":"Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: FireEye APT28)"},{"id":"T1071.004","name":"DNS","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1071/004","description":"Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)"},"$d4",{"id":"T1090.001","name":"Internal Proxy","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1090/001","description":"Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems."},{"id":"T1090.002","name":"External Proxy","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1090/002","description":"$115"},{"id":"T1090.003","name":"Multi-hop Proxy","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1090/003","description":"$116"},{"id":"T1090.004","name":"Domain Fronting","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1090/004","description":"$117"},{"id":"T1095","name":"Non-Application Layer Protocol","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1095","description":"Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications."},{"id":"T1102","name":"Web Service","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1102","description":"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise.(Citation: Broadcom BirdyClient Microsoft Graph API 2024) Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed)."},{"id":"T1104","name":"Multi-Stage Channels","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1104","description":"$118"},"$d5",{"id":"T1219","name":"Remote Access Software","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1219","description":"$119"},{"id":"T1567","name":"Exfiltration Over Web Service","tactic":"exfiltration","url":"https://attack.mitre.org/techniques/T1567","description":"Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.\n\nWeb service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection."},{"id":"T1568","name":"Dynamic Resolution","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1568","description":"Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)"},"$d1","$c1","$2b",{"id":"T1665","name":"Hide Infrastructure","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1665","description":"$11a"}],"commonScenarios":["Crucial Fields: Image, User, Protocol, SourceIp, DestinationIp, DestinationPort, Initiated.","Monitor connections to known malicious IPs/domains (Threat Intel).","Look for unusual ports or protocols used by standard processes (e.g., svchost to port 80/443, non-browser to 80/443).","Identify beaconing patterns (regular connections to the same external IP).","Filter legitimate/noisy connections in Sysmon config (e.g., browser traffic, internal monitoring tools).","Initiated=false indicates an inbound connection."]},{"id":"4","source":"Sysmon","name":"Sysmon Service State Changed","description":"Reports the state of the Sysmon service (started or stopped).","category":"System Change","mitreAttack":["$e7"]},{"id":"5","source":"Sysmon","name":"Process Terminated","description":"Logs when a process terminates. It provides the UtcTime, ProcessGuid and ProcessId of the process.","category":"Process Execution","mitreAttack":["$b4"]},{"id":"6","source":"Sysmon","name":"Driver Loaded","description":"Logs loading of a driver on the system. The hashes are provided as well as signature information.","category":"System Change","mitreAttack":[{"id":"T1014","name":"Rootkit","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1014","description":"Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits) \n\nRootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)"},"$11b","$11d",{"id":"T1547.006","name":"Kernel Modules and Extensions","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/006","description":"$11f"}]},{"id":"7","source":"Sysmon","name":"Image Loaded","description":"Logs when a module is loaded in a specific process. This event is disabled by default and needs to be configured with the –l option. It indicates the process in which the module is loaded, hashes and signature information.","category":"System Change","mitreAttack":[{"id":"T1129","name":"Shared Modules","tactic":"execution","url":"https://attack.mitre.org/techniques/T1129","description":"$120"},{"id":"T1218.010","name":"Regsvr32","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1218/010","description":"$121"},{"id":"T1218.011","name":"Rundll32","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1218/011","description":"$122"},{"id":"T1505.002","name":"Transport Agent","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1505/002","description":"$123"},{"id":"T1505.004","name":"IIS Components","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1505/004","description":"$124"},{"id":"T1505.005","name":"Terminal Services DLL","tactic":"persistence","url":"https://attack.mitre.org/techniques/T1505/005","description":"$125"},"$126","$127",{"id":"T1546.011","name":"Application Shimming","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/011","description":"$129"},"$12a","$e0","$12c","$12e",{"id":"T1547.003","name":"Time Providers","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/003","description":"$12f"},"$130","$39",{"id":"T1547.008","name":"LSASS Driver","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/008","description":"Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.(Citation: Microsoft Security Subsystem)\n\nAdversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads."},"$132","$133",{"id":"T1556.002","name":"Password Filter DLL","tactic":"credential-access, defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1556/002","description":"$135"},{"id":"T1556.008","name":"Network Provider DLL","tactic":"credential-access, defense-evasion, persistence","url":"https://attack.mitre.org/techniques/T1556/008","description":"$136"},{"id":"T1574.001","name":"DLL Search Order Hijacking","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/001","description":"$137"},{"id":"T1574.002","name":"DLL Side-Loading","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/002","description":"$138"},{"id":"T1574.004","name":"Dylib Hijacking","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/004","description":"$139"},{"id":"T1574.006","name":"Dynamic Linker Hijacking","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/006","description":"$13a"},"$13b",{"id":"T1574.013","name":"KernelCallbackTable","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/013","description":"$13d"},{"id":"T1574.014","name":"AppDomainManager","tactic":"defense-evasion, persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1574/014","description":"$13e"}]},{"id":"8","source":"Sysmon","name":"Create Remote Thread","description":"Detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes.","category":"Process Execution","mitreAttack":["$71",{"id":"T1055.001","name":"Dynamic-link Library Injection","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/001","description":"$13f"},{"id":"T1055.002","name":"Portable Executable Injection","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/002","description":"$140"},{"id":"T1055.003","name":"Thread Execution Hijacking","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/003","description":"$141"},{"id":"T1055.004","name":"Asynchronous Procedure Call","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/004","description":"$142"},{"id":"T1055.012","name":"Process Hollowing","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/012","description":"$143"}]},{"id":"9","source":"Sysmon","name":"Raw Access Read","description":"Detects when a process conducts reading operations from the drive using \\\\.\\ notation. This technique is often used by malware for data exfiltration of files that are locked for reading, as well as to avoid file access auditing tools.","category":"Object Access","mitreAttack":["$4e",{"id":"T1006","name":"Direct Volume Access","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1006","description":"Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)\n\nUtilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)"}]},{"id":"10","source":"Sysmon","name":"Process Accessed","description":"Reports when a process opens another process memory. This is often required for reading and writing memory sections, and is used by tools like Mimikatz to access LSASS process memory.","category":"Process Access","mitreAttack":["$4e","$4f","$71","$55","$72",{"id":"T1555.003","name":"Credentials from Web Browsers","tactic":"credential-access","url":"https://attack.mitre.org/techniques/T1555/003","description":"$144"}]},{"id":"11","source":"Sysmon","name":"File Create","description":"Logs when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.","category":"Object Access","mitreAttack":[{"id":"T1037.005","name":"Startup Items","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1037/005","description":"$145"},"$146",{"id":"T1074.001","name":"Local Data Staging","tactic":"collection","url":"https://attack.mitre.org/techniques/T1074/001","description":"Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.\n\nAdversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)"},"$d5","$12c","$c7",{"id":"T1560.001","name":"Archive via Utility","tactic":"collection","url":"https://attack.mitre.org/techniques/T1560/001","description":"$147"},"$d1"]},{"id":"12","source":"Sysmon","name":"Registry Event (Object Create and Delete)","description":"Logs registry key and value create and delete operations. This event is useful for monitoring for changes to Registry persistence locations or specific malware registry modifications.","category":"Object Access","mitreAttack":["$148","$14a",{"id":"T1546","name":"Event Triggered Execution","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546","description":"$14c"},{"id":"T1546.001","name":"Change Default File Association","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/001","description":"$14d"},"$14e","$150",{"id":"T1546.007","name":"Netsh Helper DLL","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/007","description":"Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\Netsh.\n\nAdversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)"},{"id":"T1546.008","name":"Accessibility Features","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1546/008","description":"$152"},"$126","$127","$153","$12a","$e0",{"id":"T1547","name":"Boot or Logon Autostart Execution","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547","description":"Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges."},"$12c","$12e","$155","$130","$39","$132","$133",{"id":"T1547.014","name":"Active Setup","tactic":"persistence, privilege-escalation","url":"https://attack.mitre.org/techniques/T1547/014","description":"$157"},"$f","$e7","$10","$bc","$12","$158","$13b"]},{"id":"13","source":"Sysmon","name":"Registry Event (Value Set)","description":"Logs registry value modifications. This event records the value written for Registry values of type DWORD and QWORD.","category":"Object Access","mitreAttack":["$148","$14a","$15a","$15c","$14e","$150","$15e","$15f","$126","$127","$153","$12a","$e0","$161","$12c","$12e","$155","$130","$39","$132","$133","$162","$f","$e7","$10","$bc","$12","$158","$13b"]},{"id":"14","source":"Sysmon","name":"Registry Event (Key and Value Rename)","description":"Logs registry key and value rename operations. This event is useful for monitoring changes to Registry keys or values that may be used for persistence.","category":"Object Access","mitreAttack":["$e4","$148"]},{"id":"15","source":"Sysmon","name":"File Stream Created","description":"Logs when a named file stream is created. Malware might use file streams to harbor its data or configuration settings.","category":"Object Access","mitreAttack":["$164","$166",{"id":"T1564.004","name":"NTFS File Attributes","tactic":"defense-evasion","url":"https://attack.mitre.org/techniques/T1564/004","description":"$167"}]},{"id":"16","source":"Sysmon","name":"Sysmon Configuration Change","description":"Logs changes in the Sysmon configuration - for example, when the configuration is updated using the -c command line option.","category":"Policy Change","mitreAttack":["$e7"]},{"id":"17","source":"Sysmon","name":"Pipe Created","description":"Generates an event when a named pipe is created. Malware often uses named pipes for interprocess communication.","category":"IPC","mitreAttack":["$71","$168"]},{"id":"18","source":"Sysmon","name":"Pipe Connected","description":"Logs when a named pipe connection is made between a client and a server.","category":"IPC","mitreAttack":["$71","$168"]},{"id":"19","source":"Sysmon","name":"WMI Event Filter Activity Detected","description":"Logs the registration of WMI event filters, which is a method used by malware to execute.","category":"Policy Change","mitreAttack":["$150"]},{"id":"20","source":"Sysmon","name":"WMI Event Consumer Activity Detected","description":"Logs the registration of WMI event consumers.","category":"Policy Change","mitreAttack":["$150"]},{"id":"21","source":"Sysmon","name":"WMI Event Consumer To Filter Activity Detected","description":"Logs the registration of a consumer to a filter.","category":"Policy Change","mitreAttack":["$150"]},{"id":"22","source":"Sysmon","name":"DNS Query","description":"Logs when a process executes a DNS query, whether the result is successful or fails, cached or not.","category":"Network Activity","mitreAttack":["$16a",{"id":"T1568.001","name":"Fast Flux DNS","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1568/001","description":"$16b"},{"id":"T1568.002","name":"Domain Generation Algorithms","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1568/002","description":"$16c"},{"id":"T1568.003","name":"DNS Calculation","tactic":"command-and-control","url":"https://attack.mitre.org/techniques/T1568/003","description":"Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)\n\nOne implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)"}],"commonScenarios":["Crucial Fields: QueryName, QueryStatus, QueryResults, Image.","Look for queries to known malicious/suspicious domains (Threat Intel, DGAs).","Identify high frequency of NXDOMAIN (QueryStatus=0x9003) responses, potentially indicating DGA activity.","Monitor for DNS tunneling patterns (unusual subdomains, large query sizes - though size isn't logged by default).","Filter known good/internal domains in Sysmon config."]},{"id":"23","source":"Sysmon","name":"File Delete","description":"Logs when a file is deleted or archived for deletion. This includes deleting files from the recycle bin.","category":"Object Access","mitreAttack":["$40"]},{"id":"24","source":"Sysmon","name":"Clipboard Change","description":"Logs when the system clipboard contents change. Generates an event when the clipboard text changes.","category":"Object Access","mitreAttack":[{"id":"T1115","name":"Clipboard Data","tactic":"collection","url":"https://attack.mitre.org/techniques/T1115","description":"Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using clip.exe or Get-Clipboard.(Citation: MSDN Clipboard)(Citation: clip_win_server)(Citation: CISA_AA21_200B) Additionally, adversaries may monitor then replace users’ clipboard with their data (e.g., [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002)).(Citation: mining_ruby_reversinglabs)\n\nmacOS and Linux also have commands, such as pbpaste, to grab clipboard contents.(Citation: Operating with EmPyre)"}]},{"id":"25","source":"Sysmon","name":"Process Tampering","description":"Logs when process hiding techniques like process hollowing or process herpaderping occur.","category":"Process Execution","mitreAttack":["$16d",{"id":"T1055.013","name":"Process Doppelgänging","tactic":"defense-evasion, privilege-escalation","url":"https://attack.mitre.org/techniques/T1055/013","description":"$16f"}]},{"id":"26","source":"Sysmon","name":"File Delete Detected","description":"Logs when Sysmon detects that a file is deleted (logged on delete).","category":"Object Access","mitreAttack":["$40","$41"]},{"id":"27","source":"Sysmon","name":"File Block Executable","description":"Logs when Sysmon blocks the creation of executable files based on configuration.","category":"Policy Change"},{"id":"28","source":"Sysmon","name":"File Block Shredding","description":"Logs when Sysmon blocks file shredding based on configuration.","category":"Policy Change"},{"id":"255","source":"Sysmon","name":"Error","description":"Logs when an error occurred within Sysmon. Errors may happen if the system is under heavy load and certain tasked could not be performed or a bug exists in the Sysmon service.","category":"System"}]}]}]}]],null],null]},[["$","html",null,{"lang":"en","className":"dark","children":["$","body",null,{"className":"__className_d65c78 bg-gray-900 text-gray-100","children":["$","div",null,{"className":"flex flex-col min-h-screen","children":[["$","$L170",null,{}],["$","main",null,{"className":"flex-grow w-full","children":["$","$L171",null,{"parallelRouterKey":"children","segmentPath":["children"],"error":"$undefined","errorStyles":"$undefined","errorScripts":"$undefined","template":["$","$L172",null,{}],"templateStyles":"$undefined","templateScripts":"$undefined","notFound":[["$","title",null,{"children":"404: This page could not be found."}],["$","div",null,{"style":{"fontFamily":"system-ui,\"Segoe UI\",Roboto,Helvetica,Arial,sans-serif,\"Apple Color Emoji\",\"Segoe UI Emoji\"","height":"100vh","textAlign":"center","display":"flex","flexDirection":"column","alignItems":"center","justifyContent":"center"},"children":["$","div",null,{"children":[["$","style",null,{"dangerouslySetInnerHTML":{"__html":"body{color:#000;background:#fff;margin:0}.next-error-h1{border-right:1px solid rgba(0,0,0,.3)}@media (prefers-color-scheme:dark){body{color:#fff;background:#000}.next-error-h1{border-right:1px solid rgba(255,255,255,.3)}}"}}],["$","h1",null,{"className":"next-error-h1","style":{"display":"inline-block","margin":"0 20px 0 0","padding":"0 23px 0 0","fontSize":24,"fontWeight":500,"verticalAlign":"top","lineHeight":"49px"},"children":"404"}],["$","div",null,{"style":{"display":"inline-block"},"children":["$","h2",null,{"style":{"fontSize":14,"fontWeight":400,"lineHeight":"49px","margin":0},"children":"This page could not be found."}]}]]}]}]],"notFoundStyles":[],"styles":null}]}],["$","footer",null,{"className":"w-full py-4 px-4 sm:px-6 lg:px-8 mt-auto border-t border-slate-700/50 bg-slate-900","children":["$","div",null,{"className":"max-w-7xl mx-auto text-center text-xs text-slate-500 space-y-1","children":[" ",["$","div",null,{"children":[["$","span",null,{"children":["© ",2025," | "]}],["$","$L173",null,{"href":"https://github.com/packetwarden/WETNav","target":"_blank","rel":"noopener noreferrer","className":"hover:text-slate-300 hover:underline focus:outline-none focus:ring-1 focus:ring-blue-500 focus:ring-offset-1 focus:ring-offset-slate-900 rounded","children":"View Project on GitHub"}]]}],["$","div",null,{"children":["Uses ATT&CK® content. ATT&CK® is a registered trademark of The MITRE Corporation.",["$","br",null,{}]," ","\"© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.\""]}]]}]}]]}]}]}],null],null],"couldBeIntercepted":false,"initialHead":[null,"$L174"],"globalErrorComponent":"$175","missingSlots":"$W176"}]]

Events: