{ "access_credential_via_credenumerate": "The process $Image_path has accessed saved Windows credentials via CredEnumerate() API (MITRE: T1555.004 Credentials from Password Stores: Windows Credential Manager).", "access_creds_via_vaultcmd": "The process $Image_path has accessed Windows credentials via VaultCmd: $Command_line (MITRE: T1555.004 Credentials from Password Stores: Windows Credential Manager).", "access_ie_passwords": "The program $Image_path has tried to access passwords saved in Internet Explorer browser (MITRE: T1555.003 Credentials from Web Browsers).", "accessibility_features_anomaly_child_process": "The abnormal child process $Image_path has been launched via Windows Accessibility Features: $Parent_image_path (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_command_line": "The process $Image_path has tried to use Windows accessibility features via command line: $Command_line (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_powershell": "The process $Image_path has tried to use Windows accessibility features via PowerShell: $Command_line (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_powershell_amsi": "The PowerShell script has established persistence via accessibility features by modifying the IFEO Debugger value for the process $Target_image_path (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_powershell_ps1l": "The PowerShell script has established persistence by accessibility features modifying the registry value: $Cmdlet $Arguments (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_registry": "The process $Image_path has set the $Registry_key registry key to use Windows accessibility features (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessing_admin_shares_by_standard_tools": "The process $Image_path executed a command line with Windows Admin Shares specified: $Command_line (MITRE: T1219 Remote Access Software).", "account_removing_from_group_via_net": "The process $Image_path has removed a user account from the group: $Command_line (MITRE: T1531 Account Access Removal).", "account_removing_from_group_via_powershell": "The process $Image_path has removed a user from the group using the PowerShell: $Command_line (MITRE: T1531 Account Access Removal).", "ad_ds_check": "The process $Image_path has checked for the presence of AD DS utilities on the computer (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "add_cert_via_registry": "The process $Image_path has installed a certificate in the Windows registry: $Registry_key (MITRE: T1553.004 Subvert Trust Controls: Install Root Certificate).", "add_domain_to_trusted_sites_zone": "The process $Image_path has attempted to add a domain to a trust zone: $Command_line (MITRE: T1484.002 Domain Policy Modification: Domain Trust Modification).", "add_domain_to_trusted_sites_zone_via_registry": "The process $Image_path was created $Registry_key to set up a trust zone with the domain (MITRE: T1484.002 Domain Policy Modification: Domain Trust Modification).", "add_trusted_cert": "The process $Image_path tries to add its certificate to the system trusted certificates (MITRE: T1553.004 Subvert Trust Controls: Install Root Certificate).", "addedToFirewallList": "The process $Image_path has added the file/rule to the Firewall exclusions via registry: $Registry_value (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "adding_account_to_domain_admin_group_via_net": "An account was added to the domain administrators group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_domain_admin_group_via_powershell": "The process $Image_path has added an account to the domain administrators group via the PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_global_group": "The process $Image_path has added an account to the global group using WinAPI (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_net": "An account was added to the Local admin group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_powershell": "The process $Image_path has added an account to the Local administrators group via the PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_powershell_amsi": "The PowerShell script has added a user account to the Local administrators group using the cmdlet $Cmdlet (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_powershell_ps1l": "The PowerShell script has added a user account to the Local administrators group using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group": "The process $Image_path has added an account to the local group using WinAPI: (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group_via_net": "An account was added to the local group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group_via_powershell": "The process $Image_path has added an account to the local group via the PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adodb_stream_com_object_usage_via_powershell": "The process $Image_path has managed a data stream via PowerShell, using the ADODB COM object: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "adodb_stream_com_object_usage_via_powershell_amsi": "The PowerShell script has created a new ADODB.Stream object: $AMSI_buffer (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "adodb_stream_com_object_usage_via_powershell_ps1d": "The PowerShell script has created a new ADODB.Stream object (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "anomaly_in_the_windows_critical_process_tree": "The critical Windows system process $Image_path was run by an anomalous parent process $Parent_image_path with the command line $Command_line (MITRE: T1036 Masquerading)", "anomaly_parent_process_whoami_exe": "The process $Image_path was run by an anomalous parent process $Parent_image_path using the command line: $Command_line (MITRE: T1033 System Owner/User Discovery).", "apc_injection": "The process $Image_path has injected a code into the process $Target_image_path via an APC (MITRE: T1055.004 Process Injection: Asynchronous Procedure Call).", "appinit_dlls_via_registry": "The process $Image_path has set the registry key $Registry_key\\\\$Registry_value_name: $Registry_value to executing content triggered by AppInit DLLs (MITRE: T1546.010 Event Triggered Execution: AppInit DLLs).", "application_shimming_via_dropped_file_sdb": "The process $Image_path has created shim database to redirect the application code execution: $File_path (MITRE: T1546.011 Event Triggered Execution: Application Shimming).", "archive_file_in_local_users_folders_via_makecab": "The process $Image_path has tried to archive file in local user folder via makecab.exe: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "archive_via_powershell": "The process $Image_path has tried to archive collected data using PowerShell: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "archive_via_powershell_amsi": "The PowerShell script has archived data using cmdlet $Cmdlet (MITRE: T1560 Archive Collected Data).", "archive_via_powershell_ps1l": "The PowerShell script has archived data using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1560 Archive Collected Data).", "archiving_files_in_recycle_via_archive": "The archive utility process $Image_path has been started to archive files in the Recycle Bin with command line: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "atm_filenames": "The process $Image_path has modified the file $File_path specific to automated teller machine software (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "attempt_to_execute_a_powerShell_script_with_a_js_or_vbs_as_ps_host": "The process $Parent_image_path has tried to run $Image_path as a result of executing a script with the command line: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "attempt_to_launch_ntdsutil": "The process $Image_path tried to launch ntdsutil.exe (MITRE: T1003.003 OS Credential Dumping: NTDS).", "autologger_provider_removal_via_registry": "The process $Image_path has disabled Windows Logger by removing the registry key: $Registry_key (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "autorun": "The process $Image_path has set the file $Registry_value to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "autorun_cryptography_keys_modification_via_registry": "The process $Image_path has written $Registry_value in the registry key $Registry_key for persistence (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).", "autorun_open_dir": "The process $Image_path has set the file $Registry_value, which is located in an open for recording directory, to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "autorun_susp_extension": "The process $Image_path has set the file $Registry_value with suspicious extension to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "bitsadmin_job_via_powershell": "The process $Image_path has attempted to create a BITS job using the command $Command_line (MITRE: T1197 BITS Jobs).", "browser_launched_in_application_mode_by_office_app": "The parent process $Parent_image_path started the process $Image_path in Application mode: $Command_line (MITRE: T1566.001 Spearphishing Attachment).", "browser_stealer": "The process $Image_path has searched for files that contain credentials from web browsers (MITRE: T1555.003 Credentials from Password Stores: Credentials from Web Browsers).", "brute_password": "The process $Image_path has attempted to guess the user password to access the system (MITRE: T1110.001 Brute Force).", "bypass_ps_execution_policy": "PowerShell script has been started with an argument $Command_line to bypass PowerShell execution policy (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "bypass_ps_execution_policy_ps1l": "The PowerShell script has used the commandlet: $Cmdlet and the argument: $Arguments to bypass PowerShell execution policy (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "bypass_uac": "The process $Image_path has obtained administrator rights, bypassing User Account Control (MITRE: T1548.002 Bypass User Account Control).", "bypassing_application_whitelisting_with_bginfo": "The application whitelisting was bypassed by the process $Image_path via the command line: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "bypassing_smartscreen_prompt_for_sites_in_msedge_via_registry": "The process $Image_path has disabled SmartScreen warnings for sites in Microsoft Edge via registry: $Registry_value_name (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "certutil_decode": "The process $Image_path has been executed to encode/decode a file to evade defensive measures: $Command_line (Mitre T1140 Deobfuscate/Decode Files or Information).", "certutil_malicious_action": "Process $Image_path has started the system application Certutil.exe with parameters $Command_line (MITRE: T1140 Deobfuscate/Decode Files or Information).", "change_account_password_via_powershell": "The process $Image_path has changed the user account password: $Command_line (MITRE: T1531 Account Access Removal).", "change_account_password_via_powershell_amsi": "The PowerShell script has changed the password of user account using the command $Command_line (MITRE: T1531 Account Access Removal).", "change_account_password_via_powershell_ps1l": "The PowerShell script has changed the password of user account using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1531 Account Access Removal).", "change_default_file_association_via_assoc": "The process $Image_path has changed the file type mapping parameters with the extension via command line: $Command_line (MITRE: T1546.001 Change Default File Association).", "change_dns": "The process $Image_path has changed the DNS server address (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "change_mbr": "The process $Image_path has changed Master boot record (MBR). This action is typical of Rootkit malware (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "change_mof_directory": "The process $Image_path has changed the self-install directory for MOF files $Registry_value (MITRE: T1546.003 Windows Management Instrumentation Event Subscription).", "change_path_environment_var": "The process $Image_path has changed the PATH environment variable via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable).", "change_proxy_settings": "The program $Image_path has changed the system proxy settings (MITRE: T1090 Connection Proxy)", "change_reg_via_powershell": "The process $Parent_image_path has changed a registry value via the PowerShell: $Command_line (MITRE: T1112 Modify Registry).", "change_reg_via_powershell_ps1l": "The PowerShell script has modified Windows Registry using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1112 Modify Registry).", "change_service_binary_location_in_registry": "The process $Image_path has modified a service image path: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "change_termsrv_dll_binary_permissions_for_further_replacement": "The process $Image_path has changed permissions for termsrv.dll file: $Command_line (MITRE: T1505.005 Server Software Component: Terminal Services DLL).", "changing_session_manager_values_via_registry": "The program $Image_path has replaced the Session Manager value in registry $Registry_key with $Reg_value (MITRE: T1546.009 AppCert DLLs).", "check_code_integrity_param": "The process $Image_path is trying to check integrity of the Operating System code (MITRE: T1082 System Information Discovery).", "check_cpu_number": "The process $Image_path has attempted to detect the sandbox virtual machine by checking the CPU number (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "checkremotedebuggerpresent": "The process $Image_path has called CheckRemoteDebuggerPresent() API function (MITRE: T1622 Debugger Evasion).", "clear_event_log_cmd": "The process $Parent_image_path has cleared the Windows Event Log: $Command_line (MITRE: T1070.001 Clear Windows Event Logs).", "clear_eventlog": "The program $Image_path has cleaned the Windows Event Log (MITRE: T1070.001 Indicator Removal on Host)", "clear_pwsh_command_history": "PowerShell command history has been cleared: $Command_line (MITRE: T1070.003 Clear Command History).", "clear_pwsh_command_history_amsi": "PowerShell command history has been cleared: $Command_line (MITRE: T1070.003 Clear Command History).", "clear_pwsh_command_history_ps1l": "The PowerShell script has cleared PowerShell command history: $Cmdlet $Arguments (MITRE: T1070.003 Clear Command History).", "clearing_image_file_execution_options_via_powershell": "A process has started command shell $Image_path with command line $Command_line and deleted a registry value using Remove-Item cmdlet (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_image_file_execution_options_via_powershell/amsi": "A process has started command shell PowerShell with command line $Cmdlet and deleted a registry value using Remove-Item commandlet (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_image_file_execution_options_via_powershell/ps1l": "A process has started command shell PowerShell with command line $Cmdlet and deleted a registry value using Remove-Item cmdlet (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_image_file_execution_options_via_reg": "A process has started command shell $Image_path with command line $Command_line and deleted a registry value using reg.exe (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_image_file_execution_options_via_registry": "The process $Image_path has deleted the key Image File Execution Options via registry: $Registry_key\\\\$Registry_value_name (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_rdp_history_via_regisrty": "The process $Image_path has deleted RDP history via registry: $Registry_key (MITRE: T1070.007 Indicator Removal: Clear Network Connection History and Configurations).", "clearing_registry_keys_related_to_proxy_via_powershell": "The process $Parent_image_path has deleted registry keys related to proxy settings via the PowerShell: $Command_line (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_registry_keys_related_to_proxy_via_powershell/amsi": "PowerShell has deleted registry keys related to proxy settings: $Cmdlet (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_registry_keys_related_to_proxy_via_powershell/ps1l": "The process PowerShell has deleted registry keys related to proxy settings: $Cmdlet $Arguments (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_registry_keys_related_to_proxy_via_reg": "A process has started command shell $Image_path with command line $Command_line and deleted a registry value using reg.exe (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clearing_registry_keys_related_to_proxy_via_registry": "The process $Image_path has deleted registry keys related to proxy via registry: $Registry_key\\\\$Registry_value_name (MITRE: T1070.009 Indicator Removal: Clear Persistence).", "clip_utility_execution": "The process $Image_path has attempted to collect clipboard data via Clip.exe: $Command_line (MITRE: T1115 Clipboard Data).", "closehandle_with_bad_descriptor": "The process $Image_path has called CloseHandle() with bad descriptor. It may be an attempt to track debugger (MITRE: T1622 Debugger Evasion).", "cmstp_susp_arguments": "The syntax of $Command_line executed by $Image_path is suspicious (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", "code_execution_through_change_registry_via_control_panel_or_cpls": "The code was executed by changing the registry via Control Panel/CPLs: $Registry_key\\\\$Registry_value_name: $Registry_value (Mitre T1218.002 Signed Binary Proxy Execution: Control Panel).", "collect_info": "The program $Image_path collects network and system information", "collect_system_info": "The process $Image_path has obtained information about the operating system and hardware configuration of the computer (MITRE: T1082 System Information Discovery).", "collecting_credentials_from_registry_via_powershell": "The process $Image_path has accessed credentials in the registry via PowerShell: $Command_line (MITRE: T1552.002 Unsecured Credentials: Credentials in Registry).", "collecting_credentials_from_registry_via_reg": "The process $Image_path has accessed credentials in the registry: $Command_line (MITRE: T1552.002 Unsecured Credentials: Credentials in Registry).", "com_obj_via_verclsid": "Verclsid.exe with arguments $Command_line may be abused to proxy execution of malicious code (MITRE: T1218.012 Signed Binary Proxy Execution: Verclsid)", "com_object_registration_via_inpocserver_and_localserver": "The process $Image_path has registered COM component via $Registry_key: $Registry_value (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "com_objects_discovery_via_powershell": "Receiving information about COM objects via $Image_path: $Command_line (MITRE: T1518 Software Discovery).", "com_objects_discovery_via_powershell/amsi": "Receiving information about COM objects via PowerShell: $Cmdlet (MITRE: T1518 Software Discovery).", "com_objects_discovery_via_powershell/ps1l": "Receiving information about COM objects via PowerShell: $Cmdlet $Arguments (MITRE: T1518 Software Discovery).", "com_objects_execution_via_cmd": "The process $Image_path has executed COM methods in command line: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_creating_registry_links": "The process $Image_path has created a symbolic link in the registry to potentially COM Hijacking: $Registry_value (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_delegateexecute": "COM Hijacking by changing the DelegateExecute registry parameter: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_manage": "The process $Image_path has set a new Manage handler: $Registry_key\\$Registry_value_name = $Registry_value (MITRE: T1546.015 Component Object Model Hijacking).", "com_objects_hijack_via_mscfile": "COM Hijacking by changing open command for mscfile: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_OfficeAntiVirus_clsid": "COM Hijacking by changing in registry the OfficeAntivirus: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_powershell": "COM Hijacking via $Image_path: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_powershell_amsi": "The PowerShell script has used a COM object for the shell execution: $AMSI_buffer (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_powershell_ps1d": "The PowerShell script has used a COM object for the shell execution: $Script_block (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_reg": "The process $Image_path has added or deleted shell command key to COM Hijacking: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_rundll": "COM Hijacking by changing $Image_path: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_sdclt": "COM Hijacking by changing the isolatedCommand registry parameter: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_threatas": "The process $Image_path has set the $Registry_key registry key to COM Hijacking (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "communication_via_telegram": "The process $Image_path can communicate with C2 via Telegram (MITRE: T1102.002 Web Service: Bidirectional Communication).", "compress_data_for_exfiltration_via_archiver": "The archive utility process $Image_path has been started to compress data with command line $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "computer_name_evasion": "The process $Image_path has attempted to detect the computer name of the sandbox virtual machine according to the predetermined list of computer names. The list is stored in the code of the program running this process (MITRE: T1082 System Information Discovery).", "connection_to_ngrok": "The process $Image_path has connected to the Ngrok Cloud: $URL (MITRE: T1090 Proxy).", "control_panel_item_from_public_directories": "The process $Image_path has executed a Control Panel item from public directories. The command line is $Command_line (MITRE: T1218.002 Signed Binary Proxy Execution: Control Panel).", "cookie_stealer": "The process $Image_path has performed a search of a file containing web session cookies: $File_path (MITRE: T1539 Steal Web Session Cookie).", "copy_file_named_like_system_tool_in_wrong_place": "The process $Image_path has copied system file into another folder: $Command_line (MITRE: T1036.005 Masquerading: Match Legitimate Name or Location).", "copy_lateral_tool_transfer": "The process $Parent_image_path has used standard utility to transfer files laterally: $Command_line (MITRE: T1570 Lateral Tool Transfer).", "copying_from_admin_share_via_default_tools": "The process $Image_path has performed a copy from the administrator's share via default tools: $Command_line (MITRE: T1021.002 Remote Services: SMB/Windows Admin Shares).", "copying_saving_sam_registry_hives": "The process $Image_path has copied/saved the SAM registry hives: $Command_line (MITRE: T1003.002 OS Credential Dumping: Security Account Manager).", "cor_profiler_change": "The process $Image_path has changed the COR_PROFILER environment variable via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "cor_profiler_via_pwsh": "The COR_PROFILER environment variable has been changed via PowerShell: $Command_line (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "cpu_name_check": "The process $Image_path has checked if a CPU name matches $CPU_name (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "create_alternate_data_stream_via_powershell": "The process $Image_path has created Alternate Data Stream via PowerShell: $Command_line (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "create_alternate_data_stream_via_powershell_ps1l": "The PowerShell script has created an alternate data stream using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "create_autoruninf": "The process $Image_path has created a file to run another executable: $File_path (MITRE: T1091 Replication Through Removable Media).", "create_file_startup": "The process $Image_path has created a file $File_path in the Startup folder (MITRE: T1547.001 Registry Run Keys / Start Folder).", "create_job": "The process $Image_path has created a job file in the task scheduler folder: $File_path (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "create_job_via_at": "The process $Image_path has created a job in Windows Scheduler via at.exe : $Command_line (MITRE: T1053.002 Scheduled Task/Job: At).", "create_job_via_schtasks": "The process $Image_path has created a job in Windows Scheduler via schtasks.exe : $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "create_mof_file": "The process $Image_path has created a new MOF file $File_path (MITRE: T1546.003 Windows Management Instrumentation Event Subscription).", "create_or_copy_file_to_startup_using_standard_tools": "The process $Image_path has created or copied a file to the Startup directory: $Command_line (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).", "create_process_parameters": "The process $Image_path was created with the use of undocumented API functions. The DLL import directory was changed to $Target_file_path. This action is typical of DLL hijacking (MITRE: T1574.001 DLL Search Order Hijacking).", "create_service": "The process $Image_path has created the Windows service $Service_name based on this file: $Service_path (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "create_shadow_copy": "The process $Image_path has created a shadow copy via $Command_line (MITRE: T1003 OS Credential Dumping).", "create_task_on_remote_host_using_standard_tool": "The process $Parent_image_path has created a task on remote host via standard utility $Image_path: $Command_line (MITRE: T1053 Scheduled Task/Job).", "created_compressed_file_without_archive_utility": "The process $Image_path has created archive $File_path without any archive utility (MITRE: T1560.003 Archive Collected Data: Archive via Custom Method).", "created_windows_shell_from_critical_windows_process": "The Windows Shell ($Image_path) was run by a critical Windows process $Parent_image_path with the command line: $Command_line (MITRE: T1036 Masquerading)", "creation_of_execuatable_or_script_by_certutil": "Certutil $Image_path has copied an executable file $File_path (MITRE: T1027 Obfuscated Files or Information).", "credential_access_via_keymgr": "The process $Image_path has obtained Windows credentials: $Command_line (MITRE: T1555.004 Credentials from Password Stores: Windows Credential Manager).", "credential_dump_pipe": "The process $Image_path has connected to the named pipe $Pipe, which is typical for credential dumping tools (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "credentials_dumping_tools_artefacts": "The process $Image_path created a file $File_path related to password dump utilities (MITRE: T1003 OS Credential Dumping).", "credentials_in_file_unattend_xml": "The process $Image_path has accessed to credentials in the file $File_path (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "crypto_stealer": "The process $Image_path has checked for the presence of crypto wallets on the system (MITRE: T1005 Data from Local System).", "database_port_scan": "The process $Image_path has scanned the ports typically used for databases (MITRE: T1046 Network Service Scanning).", "dbg_windows_check": "The process $Image_path has checked for known windows classes of debuggers in the system (MITRE: T1622 Debugger Evasion).", "dcsync_in_cmd": "DCSync command was detected: $Command_line (MITRE: T1003.006 OS Credential Dumping: DCSync).", "dcsync_in_dmp": "The process $Image_path has feature to perform DCSync attack (MITRE: T1003.006 OS Credential Dumping: DCSync).", "default_rdp_port_opening_via_netsh": "The process $Image_path has opened default RDP port via Netsh: $Command_line (MITRE: T1021.001 Remote Desktop Protocol).", "delayed_delete": "The process $Image_path has performed a delayed delete operation on the file $Target_file_path (MITRE: T1070.004 File Deletion).", "delayed_move": "The process $Image_path has performed a delayed move operation with the file from $File_path to $Target_file_path (MITRE: T1119 Automated Collection).", "delayed_move_hosts": "The process $Image_path has performed a delayed move operation with the file \"hosts\" of the Windows OS from $File_path to $Target_file_path (MITRE: T1016 System Network Configuration Discovery).", "delete_hosts": "The process $Image_path has deleted the file \"hosts\" of the Windows OS. It may impact DNS name resolution (MITRE: T1070.004 File Deletion).", "delete_restore_point_via_pwsh": "The Windows Restore Point has been deleted via Powershell: $Command_line (MITRE: T1490 Inhibit System Recovery).", "delete_restore_point_via_pwsh_amsi": "The PowerShell script has deleted the system restore point using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1490 Inhibit System Recovery).", "delete_restore_point_via_pwsh_ps1l": "The PowerShell script has deleted the system restore point using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1490 Inhibit System Recovery).", "delete_runmru": "The $Image_path process has cleared the MRU (Most Recently Used) list by deleting the registry key $Registry_key (MITRE: T1070 Indicator Removal).", "delete_shadow_copy": "The process $Parent_image_path has deleted shadow copies: $Command_line. This action is typical for the malware of the Trojan-Ransom family. (MITRE: T1490 Inhibit System Recovery)", "delete_shadow_copy_via_ioctl": "The process $Image_path has deleted a shadow copy of $Device by sending the control code IOCTL_VOLSNAP_SET_MAX_DIFF_AREA_SIZE/IOCTL_VOLSNAP_DELETE_SNAPSHOT via DeviceIoControl() (MITRE: T1490 Inhibit System Recovery).", "deleting_default_rdp_connection_file": "The process $Image_path has deleted file $Target_file_path (MITRE: T1070.007 Indicator Removal: Clear Network Connection History and Configurations).", "deleting_rdp_connection_cache": "The process $Image_path has deleted the RDP cache file $Target_file_path (MITRE: T1070.007 Indicator Removal: Clear Network Connection History and Configurations).", "detect_av_by_device": "The process $Image_path has tried to open a virtual device $Device_name specific to anti-virus software (MITRE: T1518.001 Security Software Discovery).", "detect_debugger_by_device": "The process $Image_path has tried to access virtual device $File_path to check for a debugger in the system (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "detect_vm": "The process $Image_path has attempted to detect a virtual environment (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "detect_vm_alkhaser": "The process $Image_path tries to detect its execution in a virtual environment (MITRE: T1497 Virtualization/Sandbox Evasion).", "detect_vm_by_hostname": "The process $Image_path has compared the computer name with the list of known Sandbox server names in order to bypass Sandbox scanning (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "detected_powershell_execution_without_powershell_exe": "The process $Image_path has loaded the $Loaded_image_path and executed the PowerShell code without launching powershell.exe (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "detected_screensaver_via_scr": "The Windows screensaver application $Image_path was launched by $Parent_image_path (MITRE: T1546.002 Event Triggered Execution: Screensaver).", "detected_winapi_functions_in_powershell": "The process $Image_path has called a WinAPI function (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "device_driver_discovery_via_reg": "The process $Image_path has attempted to access the $Registry_key to enumerate drivers on the local device (MITRE: T1652 Device Driver Discovery).", "Device_driver_enumeration_via_API": "The process $Image_path has attempted to enumerate local device drivers via API (MITRE: T1652 Device Driver Discovery).", "disabing_service_via_registry": "The process $Image_path has disabled Windows service: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disable_action_center": "The process $Image_path has disabled the Windows Action Center (MITRE: T1562.001 Disabling Security Tools).", "disable_auto_update": "The process $Image_path has disabled the Windows automatic update option (MITRE: T1562.001 Disabling Security Tools).", "disable_autologger_via_start_parameter": "The process $Image_path has disabled auto-logging by setting the Start parameter to 0. $Registry_key\\$registry_value_name: $Registry_value (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disable_av_notify": "The program $Image_path is trying to block the balloon notifications from Security Center indicating that antivirus functionality has been disabled.", "disable_av_via_kernel_driver": "The $Image_path process can terminate $AV_list processes by sending a control code to a created $Driver_name kernel driver (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disable_cmd": "The process $Image_path has disabled the Windows Command Prompt Interpreter (MITRE: T1562.001 Disabling Security Tools).", "disable_consent_prompt_behavior_admin": "The process $Image_path has disabled the credentials prompt for the User Account Control (MITRE: T1548.002 Bypass User Account Control).", "disable_dep": "The process $Image_path has disabled Data Execution Prevention (MITRE: T1562.001 Disabling Security Tools).", "disable_driver_signature_enforcement": "The process $Image_path has disabled the Driver Signature Enforcement: $Command_line (MITRE: T1553.006 Subvert Trust Controls: Code Signing Policy Modification).", "disable_firewall": "The process $Image_path has disabled the Windows Firewall (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_or_modify_system_firewall_via_powershell": "Windows Firewall has been disabled via Powershell: $Command_line (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_or_modify_system_firewall_via_powershell_amsi": "The PowerShell script has disabled Windows Firewall using the cmdlet $Cmdlet (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_or_modify_system_firewall_via_powershell_ps1l": "The PowerShell script has disabled Windows Firewall using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_prompt_on_secure_desktop": "The process $Image_path has disabled the Windows secure desktop (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disable_registry_tools": "The process $Image_path has disabled Windows Registry Editor (MITRE: T1562.001 Disabling Security Tools).", "disable_safe_boot": "The process $Image_path has disabled the Windows safe boot mode (MITRE: T1562.001 Disabling Security Tools).", "disable_script_block_logging_via_registry": "The process $Image_path has disabled script block logging by setting the ScriptBlockLogging parameter to 0: $Registry_key\\$registry_value_name: $Registry_value (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disable_security_center": "The process $Image_path has modified the parameter $Registry_key to disable the Windows Security Center notifications (MITRE: T1562.001 Disabling Security Tools).", "disable_show_super_hidden": "The process $Image_path has disabled the file option \"Show hidden\" (MITRE: T1564.001 Hide Artifacts: Hidden Files and Directories).", "disable_system_restore": "The process $Image_path has disabled Windows System Restore (MITRE: T1562.001 Disabling Security Tools).", "disable_task_manager": "The process $Image_path has disabled Windows Task Manager: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Disabling Security Tools).", "disable_uac": "The process $Image_path has disabled User Account Control (MITRE: T1548.002 Bypass User Account Control).", "disable_uac_remote_restrictions": "The process $Image_path has disabled UAC access token filtering via the registry key: $Registry_key (MITRE: T1548.002 Bypass User Account Control).", "disable_update_notify": "The program $Image_path is trying to block the balloon notifications from Security Center indicating that Windows updates have been disabled.", "disabling_admin_share_via_registry": "The process $Image_path has disabled Administrative share autocreation via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1070.005 Network Share Connection Removal).", "disabling_amsi": "The process $Image_path has disabled the AMSI protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_amsi_via_powershell": "The process $Image_path has bypassed the AMSI protection by setting true for the amsiInitFailed field: $Command_line (MITRE: Impair Defenses: Disable or Modify Tools T1562.001).", "disabling_amsi_via_powershell_ps1d": "The PowerShell script has disabled Antimalware Scan Interface from Microsoft (AMSI): $Script_block (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_data_execution_prevention_via_registry": "The process $Image_path has disabled data execution prevention (DEP) via registry: $Registry_value_name (MITRE: T1556 Modify Authentication Process).", "disabling_etw_via_powershell": "The Event Tracing for Windows (ETW) has been disabled via PowerShell: $Command_line (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "disabling_etw_via_registry": "The process $Image_path has disabled the Event Tracing for Windows (ETW): $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "disabling_event_logging_via_auditpol": "The Windows Event Logging was disabled via AuditPol: $Command_line (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_event_logging_via_wevtutil": "The process $Image_path has disabled the Windows Event Logging via Wevtutil: $Command_line (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_fw_via_netsh": "The process $Image_path has disabled Microsoft Windows Firewall via Netsh.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "disabling_lsa_protection": "The process $Image_path has disabled the LSA protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_network_adapter_via_registry": "The process $Image_path was modified $Registry_key to disable the network adapter (MITRE: T1489 Service Stop).", "disabling_outlooks_security_policies_via_reg": "The process $Parent_image_path has tried to disable Outlook security policies via reg.exe: $Command_line (MITRE: T1137.001 Office Application Startup: Office Template Macros).", "disabling_outlooks_security_policies_via_registry": "The process $Image_path has set the registry key $Registry_key to disable Outlook security policies (MITRE: T1137.001 Office Application Startup: Office Template Macros).", "disabling_restricted_admin": "The process $Image_path has disabled Restricted Admin Mode: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_run_win_app": "The process $Image_path has disabled the Run command from the Windows Start Menu (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_safedllsearchmode_via_registry": "The process $Image_path has disabled the value $Registry_value_name in the registry: $Registry_key (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "disabling_smartscreen_filter_for_msedge_via_registry": "The process $Image_path has disabled SmartScreen for Microsoft Edge via registry: $Registry_value_name (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_smartscreen_for_msstore_apps_via_registry": "The process $Image_path has disabled SmartScreen for Microsoft Store apps via registry: $Registry_value_name (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_smartscreen_protection": "The process $Image_path has disabled the SmartScreen protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_smartscreen_protection_2": "The process $Image_path has disabled the SmartScreen protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_task_via_powershell": "The scheduled task was disabled via the PowerShell: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_win_defender_via_registry": "The process $Image_path has disabled some of the Windows Defender functions: $Registry_value_name (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_win_logger_via_registry": "The process $Image_path has disabled a Windows Logger: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_win_task_via_schtask": "The scheduled task was disabled: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_windefend_via_dism": "The process $Parent_image_path has disabled Windows Defender: $Command_line (MITRE: T1562.001 Disable or Modify Tools).", "disabling_windows_firewall_via_net": "The process $Image_path has disabled Microsoft Windows Firewall via Net.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "discovery_gpp_passwords_via_command_line": "The process $Image_path has discovered GPP passwords via command line: $Command_line (MITRE: T1552.006 Unsecured Credentials: Group Policy Preferences).", "discovery_private_keys_via_command_line": "The $Image_path has discovered private keys via command line: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "discovery_remote_connection_logs_via_powershell": "The process $Image_path has collected the RemoteConnectionManager log data via the PowerShell: $Command_line (MITRE: T1654 Log Enumeration).", "disk_size_check": "The process $Image_path has checked the hard drive size. It can be used to detect virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "dll_import_table_modified_via_setdll": "The DLL import table of the PE has been modified by the process $Image_path: $Command_line(MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "dll_injected_via_loadlibrary": "The process $Image_path has injected $DLL_path into the process $Target_image_path via the Loadlibrary (MITRE: T1055.001 Dynamic-link Library Injection).", "dll_injection_via_custom_dotnet_garbage_collector": "A DLL has been injected into a process via a garbage collector: $Command_line (MITRE: T1055.001 Dynamic-link Library Injection).", "dll_injection_via_loadlibrary": "The process $Image_path has injected DLL into the process $Target_image_path via the Loadlibrary (MITRE: T1055.001 Dynamic-link Library Injection).", "dll_loading_from_recycle_bin": "The file $Loaded_image_path:$Image_path has been loaded from the Recycle Bin (MITRE: T1574.002 Hijack Execution Flow: DLL Side-Loading).", "dll_loading_in_lsass_via_undocumented_registry_key": "The process $Image_path has loaded $Registry_value into the address space of the lsass.exe process via registry: $Registry_key (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver).", "dll_sideloading": "The DLL $Loaded_image_path has been loaded into the address space of the process $Image_path using DLL Side-Loading (MITRE: T1574.002 Hijack Execution Flow: DLL Side-Loading).", "dns_query_rats_domain_from_suspicious_processes": "The process $Image_path has sent DNS request to Remote Access Tool domain: $URL (MITRE: T1219 Remote Access Software).", "dns_scan": "The program $Image_path has sent multiple DNS requests (MITRE: T1016 System Network Configuration Discovery).", "domain_account_creation_via_net": "The process $Image_path has created a domain account: $Command_line (MITRE: T1136.002 Create Account: Domain Account).", "domain_account_creation_via_powershell": "The process $Image_path has created a domain account: $Command_line (MITRE: T1136.002 Create Account: Domain Account).", "domain_group_permition_discovery": "The process $Image_path has tried to discover domain groups permissions: $Command_line (MITRE: T1069.002 Permission Groups Discovery: Domain Groups).", "domain_group_permition_discovery_powershell": "The process $Image_path has tried to discover the domain groups permissions via PowerShell: $Command_line (MITRE: T1069.002 Permission Groups Discovery: Domain Groups).", "domain_group_permition_discovery_powershell_ps1l": "The PowerShell script has tried to discover the domain groups permissions: $Cmdlet $Arguments (MITRE: T1069.002 Permission Groups Discovery: Domain Groups).", "domain_joined_check": "The process $Image_path has checked if computer is domain joined via Win API NetGetJoinInformation() (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "domain_trust_discovery_attempt_via_dsquery_or_adfind": "The process $Image_path has tried to discover a domain trust via Dsquery or Adfind (MITRE: T1482 Domain Trust Discovery).", "domain_trust_discovery_via_api": "The signs of the domain trust discovery via API were detected: $Image_path (MITRE: T1482 Domain Trust Discovery).", "domain_trust_discovery_via_nltest_exe": "The signs of the domain trust discovery via $Image_path were detected: $Command_line (MITRE: T1482 Domain Trust Discovery).", "dotnet_copy_self_to_removable_drive": "The $Image_path has copied the file $File_path to removable device: $Target_file_path (MITRE: T1091 Replication Through Removable Media).", "dotnet_set_hidden_attribute": "The process $Image_path has set the attribute \"Hidden\" for the file $File_path (MITRE: T1564.001 Hidden Files and Directories).", "dotnet_socket_connect": "The process $Image_path has connected to a remote host: $URL_host (MITRE: T1095 Non-Application Layer Protocol).", "double_file_extansion_file_created": "The process $Image_path has created a double extension file $File_path (MITRE: T1036.007 Masquerading: Double File Extension).", "double_file_extansion_file_started": "A file with double extension was started: $Image_path (MITRE: T1036.007 Masquerading: Double File Extension).", "download_executable_from_trusted_process": "The trusted process $Image_path has downloaded an executable file $Target_file_path from the following source: $URL (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "download_from_cloud": "The process $Image_path tried to connect to the cloud service $URL (MITRE: T1102 Web Service).", "download_from_trusted_process": "The trusted process $Image_path has connected to an unknown URL $URL (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "download_payload_via_installutil": "The process $Parent_image_path has downloaded a file via install.exe: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "download_via_excel_com_object": "The process $Image_path has used an Excel COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_ie_com_object": "The process $Image_path has used an InternetExplorer COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_serverxmlhttp_com_object": "The process $Image_path has used a Msxml2.ServerXmlHttp COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_winhttp_com_object": "The process $Image_path has used a WinHttpRequest COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_word_com_object": "The process $Image_path has used a Word COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "downloading_via_curl": "The process $Parent_image_path has downloaded a file via cURL: $Command_line (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "driver_enumeration_via_pnputil": "The $Image_path process has attempted to enumerate installed drivers: $Command_line (MITRE: T1652 Device Driver Discovery).", "driver_load": "The process $Image_path has loaded a new kernel driver named $Driver_name. The driver path: $Driver_path (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "drop_from_trusted_process": "The trusted process $Image_path has saved the executable file $Drop_path (MITRE: T1204.002 User Execution: Malicious File).", "drop_run_from_trusted_process": "The trusted application $Parent_image_path has run the process $Image_path (MITRE: T1204.002 User Execution: Malicious File).", "dropper": "The process $Image_path has run the file $File_path, which was created by the process $Dropper_image_path. The file was started as follows: $Command_line (MITRE: T1204.002 User Execution: Malicious File).", "dropping_executable_format_file_from_certutil": "The process $Image_path has dropped on a computer an executable file: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "dumping_ntds_via_commandline": "The process $Image_path tried to dump ntds.dit via the command line: $Command_line (MITRE: T1003.003 OS Credential Dumping: NTDS).", "dumping_security_registry_hive": "The process $Parent_image_path has saved the SECURITY registry hive dump: $Command_line (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "dyndns_connect": "The process $Image_path has connected to the Internet resource with an automatically generated DNS name (MITRE: T1568 Dynamic Resolution).", "echo_in_file_via_cmd_for_further_execution": "Suspicious command containing \"echo\" was executed: $Command_line (MITRE: T1059.003 Command-Line Interface).", "email_rule_enumeration_via_powershell": "The process $Image_path has enumerated rules for incoming email messages via PowerShell: $Command_line (MITRE: T1114.003 Email Collection: Email Forwarding Rule).", "email_rule_enumeration_via_powershell/amsi": "The process PowerShell has modified rules for incoming email messages: $Cmdlet (MITRE: T1114.003 Email Collection: Email Forwarding Rule).", "email_rule_enumeration_via_powershell/ps1l": "The process PowerShell has modified rules for incoming emails: $Cmdlet $Arguments (MITRE: T1114.003 Email Collection: Email Forwarding Rule).", "email_rule_modification_via_powershell": "The process $Image_path has modified rules for incoming email messages via PowerShell: $Command_line (MITRE: T1114.003 Email Collection: Email Forwarding Rule).", "enable_cor_profiler": "The process $Image_path has enabled the COR_PROFILER: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "enable_home_page_tab_in_outlook_ui_registry_artifact": "The $Image_path process has set the registry key $Registry_value (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "enable_home_page_tab_in_outlook_ui_via_reg": "The process $Parent_image_path has tried to enable display Outlook home page via reg.exe: $Command_line (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "enable_home_page_tab_in_outlook_ui_via_registry": "The process $Image_path has set the registry key $Registry_value to enable display an Outlook home page (MITRE: T1137.002 Office Application Startup: Office Test).", "enable_ipv6": "IPv6 protocol has been enbaled: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "enable_outlooks_macro_provider_via_reg": "The process $Parent_image_path has tried to enable Outlook provider to run macros via reg.exe: $Command_line (MITRE: T1137.001 Office Application Startup: Office Template Macros).", "enable_outlooks_macro_provider_via_registry": "The process $Image_path has set the registry key $Registry_key to enable an Outlook provider to run macros (MITRE: T1137.001 Office Application Startup: Office Template Macros).", "enable_promiscuous_mode_via_netsh": "The process $Image_path has attempted to enable promiscuous mode: $Command_line (MITRE: T1040 Network Sniffing).", "enable_wdigest_via_powershell": "The process $Parent_image_path has forced the WDigest to store credentials as a plaintext in the LSASS memory via powershell (MITRE: T1556 Modify Authentication Process).", "enable_wdigest_via_powershell/amsi": "The process Powershell has forced the WDigest to store credentials as a plaintext in the LSASS memory via powershell (MITRE: T1556 Modify Authentication Process).", "enable_wdigest_via_powershell/ps1l": "The process PowerShell has forced the WDigest service to store credentials as a plain text in the LSASS memory via PowerShell (MITRE: T1556 Modify Authentication Process).", "enabled_dns_over_https_via_registry": "The process $Image_path has enabled the use of DNS over HTTPS (DoH) via registry: $Registry_key (MITRE: T1572 Protocol Tunneling).", "enabling_anonymous_access_to_named_pipes_and_shares_via_registry": "The process $Image_path has allowed anonymous access to named pipes and network shares via registry: $Registry_value_name (MITRE: T1562 Impair Defenses).", "enabling_anonymous_enumeration_of_shares_via_registry": "The process $Image_path has allowed anonymous enumeration of network shares via registry: $Registry_value_name (MITRE: T1556 Modify Authentication Process).", "enabling_anonymous_SAM_enumeration_via_registry": "The process $Image_path has enabled anonymous enumeration of SAM accounts via registry: $Registry_value_name (MITRE: T1556 Modify Authentication Process).", "enabling_execution_of_rules_from_the_outlook_inbox_via_reg": "The process $Parent_image_path has tried to enable an Outlook rule that runs scripts from emails in the Inbox via reg.exe: $Command_line (MITRE: T1137.005 Office Application Startup: Outlook Rules).", "enabling_execution_of_rules_from_the_outlook_inbox_via_registry": "The $Image_path process has set the registry key $Registry_value to enable an Outlook rule that runs scripts from emails in the Inbox (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "enabling_powershell_2_0_downgrade_via_dism": "The process $Parent_image_path has enabled PowerShell 2.0 via dism: $Command_line (MITRE: T1562.010 Impair Defenses: Downgrade Attack).", "enabling_storaging_LAN_Manager_password_hashes_via_registry": "The process $Image_path has enabled storing of the LAN Manager hash of passwords via registry: $Registry_value_name (MITRE: T1556 Modify Authentication Process).", "enabling_unsafe_smbv1_protocol_via_dism": "The process $Parent_image_path has enabled unsafe SMBv1 protocol via dism: $Command_line (MITRE: T1562.010 Impair Defenses: Downgrade Attack).", "enabling_wdigest": "The process $Image_path has forced the WDigest to store credentials as a plaintext in the LSASS memory (MITRE: T1556 Modify Authentication Process).", "enabling_winrm_basic_auth_via_registry": "The process $Image_path has enabled basic authentication for WinRM via registry: $Registry_value_name (MITRE: T1556 Modify Authentication Process).", "encoded_decoded_powershell_ps1d": "The PowerShell script has used encoding or decoding operation: $Script_block (MITRE: T1027 Obfuscated Files or Information).", "encoded_decoded_powershell_ps1l": "The PowerShell script has used encoding or decoding operation: $Cmdlet $Arguments (MITRE: T1027 Obfuscated Files or Information).", "enum_modules": "The process $Image_path tries to enumerate modules to detect whether it is running in a virtual environment (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks)", "enumerate_files": "The process $Image_path has run the wildcard search $Search_pattern in the directory $Search_path (MITRE: T1005 Data from Local System).", "enumerate_usb": "The process $Image_path has obtained access to the list of available USB devices (MITRE: T1120 Peripheral Device Discovery).", "exception_call_av": "The access violation on call instruction execution has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_dep_violation": "The violation of the Data Execution Prevention policy has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_gs_violation": "An overrun of a protected stack buffer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_heap_corruption": "Heap corruption has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_illegal_instruction": "An attempt to execute an illegal instruction has caused an exception in the trusted process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "exception_privileged_instruction": "An attempt to execute a privileged instruction has caused an exception in the trusted process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "exception_read_av_on_ip": "The memory read access violation at the instruction pointer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_write_av": "The memory write access violation at the instruction pointer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "executing_ps1_from_public_directory": "The process $Image_path has launched a ps1 script from the public directory: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "execution_driver_from_suspicious_location_via_sc": "The process $Image_path has loaded the driver from the suspicious directory $Command_line (MITRE: T1569.002 System Services: Service Execution).", "execution_file_from_recycle_bin": "The process $Image_path has been executed from the Recycle Bin: $Command_line (MITRE: T1564.001 Hide Artifacts: Hidden Files and Directories).", "execution_of_a_windows_script_with_unusual_file_extension": "The process $Image_path has executed a Windows script with an unusual file extension: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "execution_on_stack": "The trusted process $Image_path has executed the code in the memory space that corresponds to the process stack. It may lead to unauthorized access to the system (MITRE: T1203 Exploitation for Client Execution).", "execution_via_registerxll_com_method": "The process $Image_path has used a RegisterXLL COM method via PowerShell to provide a code execution: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "execution_via_spreview_file": "The process $Image_path has written the value $Registry_value in the registry key $Registry_key for execution or persistence (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder).", "executions_of_javascripts_from_public_directories_via_wscript_or_cscript": "JavaScript was started from the public directories: $Command_line (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "executions_of_scripts_from_public_directories_via_wscript_or_cscript": "A Visual Basic Script was started from the public directories: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "exfiltration_or_downloading_via_pscp": "The process $Image_path has tried to exfiltrate or download data using the command: $Command_line (MITRE: T1041 Exfiltration Over C2 Channel).", "exfiltration_over_webhook": "The process $Image_path has sent a POST request to $URL (MITRE: T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook).", "exfiltration_over_webhook_via_powershell": "The process $Image_path has sent data to an external resource over Webhook: $Command_line (MITRE: T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook).", "exfiltration_over_webhook_via_powershell_ps1l": "The PowerShell script has tried to send data over Webhook: $Cmdlet $Arguments (MITRE: T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook).", "exfiltration_to_cloud_via_powershell": "The process $Image_path has sent data to a Cloud Service: $Command_line (MITRE: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage).", "exfiltration_to_cloud_via_powershell_ps1l": "The PowerShell script has tried to send data to a Cloud Service: $Cmdlet $Arguments (MITRE: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage).", "exfiltration_to_web_services": "The process $Image_path has sent a POST request to a known web service: $URL (MITRE: T1567 Exfiltration Over Web Service).", "exfiltration_via_certreq": "The process $Image_path has tried to exfiltrate data using the command: $Command_line (MITRE: T1041 Exfiltration Over C2 Channel).", "exfiltration_via_powershell": "The process $Image_path has attempted to perform exfiltration via PowerShell: $Command_line (MITRE: T1567.002 Exfiltration to Cloud Storage).", "exfiltration_via_rclone": "The process $Parent_image_path has used the Rclone tool: $Command_line (MITRE: T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage).", "exploitation_for_privilege_escalation_via_printnotify_com": "The process $Image_path has used PrintNotify Potato to escalate privileges (MITRE: T1068 Exploitation for Privilege Escalation).", "export_certificates_via_powershell": "The process $Image_path has exported certificates via PowerShell: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "export_certificates_via_powershell_amsi": "The PowerShell script has exported certificates using the cmdlet $Cmdlet (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "export_certificates_via_powershell_ps1l": "The PowerShell script has exported certificates using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "export_private_keys_via_certutil": "The process $Image_path has exported cerificates via Certutil.exe: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "external_ip_detect": "The process $Image_path has used $URL to detect the external IP address of the computer (MITRE: T1016 System Network Configuration Discovery).", "extract_files_using_wusa": "The process $Parent_image_path has started the process $Image_path to extract files: $Command_line (MITRE: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control).", "extracting_credentials_from_files_via_powershell": "The process $Image_path has accessed to credentials in files: $Command_line (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "extracting_credentials_from_files_via_powershell_amsi": "An attempt to find credentials in files using the PowerShell cmdlet \"$Command_line\" has been detected (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "extracting_credentials_from_files_via_powershell_ps1l": "The PowerShell script has tried to find credentials in files using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "fake_powershell_drop": "The process $Dropper_image_path dropped the executable renamed from powershell.exe to: $File_path (MITRE: T1036.003 Masquerading: Rename System Utilities).", "fake_powershell_launch": "The process $Parent_image_path executed PowerShell interpreter not with powershell.exe but with $Image_path. Command line: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "fake_service": "The process $Image_path has given the service a description that appears legitimate: $Reg_value (MITRE: T1036.004 Masquerading: Masquerade Task or Service).", "file_and_directory_permissions_deny_or_remove_via_stu": "The process $Image_path has denied or removed the Windows file and directory permissions: $Command_line (MITRE: T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification).", "file_and_directory_permissions_modification_via_stu": "The process $Image_path has modified the Windows file and directory permissions: $Command_line (MITRE: T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification).", "file_association": "The process $Image_path has set the registry key $Registry_key to $Registry_value. It modifies the file type association with its extension. (MITRE: T1546.001 Change Default File Association)", "file_download_via_bits_com": "The process $Image_path has download a file using a BITS COM object (MITRE: T1197 BITS Jobs).", "file_download_via_bitsadmin": "The process $Image_path has attempted to download a file using the command $Command_line (MITRE: T1197 BITS Jobs).", "file_drop_from_trusted_process": "The trusted process $Image_path has dropped the executable file $File_path (MITRE: T1204.002 User Execution: Malicious File).", "file_execution_options": "The process $Image_path has modified the Debugger parameter of the registry key $Registry_key to run the executable file $Registry_value with the existing program (MITRE: T1546.012 Image File Execution Options Injection).", "file_in_startup_modified_by_archiver": "The process $Image_path has modified a file in startup folder: $File_path (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).", "file_replacement": "The process $Image_path has replaced its own executable file (MITRE: T1070.004 Indicator Removal on Host: File Deletion).", "file_transfering_or_file_downloading_via_powershell_cmdlet": "The process $Image_path has transferred or downloaded the file via PowerShell cmdlet: $Command_line (MITRE: T1048 Exfiltration Over Alternative Protocol).", "filename_like_system_tool_in_wrong_place_dropped": "The executable file $Image_path with the name of the system process was modified in a non-standard directory $File_path (MITRE: T1036.005 Masquerading).", "filename_like_system_tool_in_wrong_place_run": "The process $Image_path executed the program, which is named like a system file but located not in original folder: $Dropper_image_path. Command line: $Command_line (MITRE: T1036.005 Masquerading).", "find_bank_client": "The process $Image_path has compared the process names of each user with the list of the known process names of the online banking clients (MITRE: T1518 Software Discovery). This activity is typical of Trojan-Banker malware.", "find_file": "The process $Image_path has performed a search of file/folder with the name, containing the $Substring substring, in the $Search_path folder (MITRE: T1083 File and Directory Discovery).", "ftp_scan": "The process $Image_path has scanned the FTP connections (MITRE: T1046 Network Service Scanning).", "fw_modification_via_netsh": "The process $Parent_image_path has modified Microsoft Windows Firewall configuration via Netsh.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "get_clipboard_via_powershell": "The process $Image_path has attempted to collect clipboard data: $Command_line (MITRE: T1115 Clipboard Data).", "get_clipboard_via_powershell/amsi": "The process PowerShell has attempted to collect clipboard data: $Cmdlet (MITRE: T1115 Clipboard Data).", "get_clipboard_via_powershell/ps1l": "The process PowerShell has attempted to collect clipboard data: $Cmdlet $Arguments (MITRE: T1115 Clipboard Data).", "get_computer_name_via_api": "The process $Image_path has requested the computer name via WinAPI (MITRE: T1082 System Information Discovery).", "get_privilege": "The process $Image_path has obtained the privilege $Privilege_name (MITRE: T1134 Access Token Manipulation).", "get_username_via_api": "The process $Image_path has requested the current username via WinAPI (MITRE: T1033 System Owner/User Discovery).", "getcursorpos": "The process $Image_path has tracked cursor activity (MITRE: T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks).", "gettickcount": "The process $Image_path has measured a delay between parts of code using GetTickCount() API function (MITRE: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion).", "granting_rights_to_user": "The process $Image_path has granted rights to the user using WinAPI (MITRE: T1098 Account Manipulation).", "group_policy_discovery_via_gpresult": "The process $Image_path has tried to discover group policies: $Command_line (MITRE: T1615 Group Policy Discovery).", "group_policy_discovery_via_powershell": "The process $Image_path has tried to discover group policies via PowerShell: $Command_line (MITRE: T1615 Group Policy Discovery).", "group_policy_discovery_via_powershell_ps1l": "PowerShell script has tried to discover information about group policies: $Cmdlet $Arguments (MITRE: T1615 Group Policy Discovery).", "group_policy_discovery_via_sysvol_directory": "The process $Image_path has tried to discover group policies via the Sysvol directory (MITRE: T1615 Group Policy Discovery).", "group_policy_settings_modification_via_powershell": "The process $Image_path has modified Group Policy settings via PowerShell: $Command_line (MITRE: T1484.001 Domain Policy Modification: Group Policy Modification).", "group_policy_settings_modification_via_powershell_ps1l": "The PowerShell script has modified group policy using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1484.001 Domain or Tenant Policy Modification: Group Policy Modification).", "group_policy_settings_modification_via_reg": "The process $Image_path has modified Group Policy settings via registry: $Command_line (MITRE: T1484.001 Domain Policy Modification: Group Policy Modification).", "hal_dll_deletion": "The process $Image_path has deleted the file $Target_file_path (MITRE: T1485 Data Destruction).", "heap_spray": "The binary code has been injected into dynamic memory of the trusted process $Image_path using the Heap-Spray method (MITRE: T1203 Exploitation for Client Execution).", "hidden_sfx": "A self-extracting archive $Image_path has started in hidden mode (MITRE: T1204.002 User Execution: Malicious File).", "hidden_via_pwsh": "The process $Parent_image_path has run PowerShell with the Hidden attribute: $Command_line (MITRE: T1564.003 Hidden Window).", "hide_data_in_ads": "The process $Parent_image_path has hidden data in Alternate Data Stream (ADS): $Command_line (MITRE: T1564.004 NTFS File Attributes).", "hide_user_account_via_registry": "The process $Image_path has hidden a user account via registry: $Registry_key (MITRE: T1564.002 Hide Artifacts: Hidden Users).", "hide_user_via_cmd": "User account has been hidden via Net.exe: $Command_line (MITRE: T1564.002 Hide Artifacts: Hidden Users).", "hiding_drive_via_registry": "The process $Image_path has hidden a drive via Windows registry: $Registry_key\\$Registry_value_name: $Registry_value (MITRE: T1564 Hide Artifacts).", "hosts_file_modification": "The process $Image_path has modified the Windows hosts file. It may impact DNS name resolution (MITRE: T1565 Data Manipulation).", "icmp_scan": "The program $Image_path has made multiple ICMP requests (MITRE: T1046 Network Service Discovery)", "image_file_execution_options_injection_via_silentprocessexit": "The process $Image_path has set the registry key $Registry_key to run the $Registry_value executable file along with the existing program (MITRE: T1546.012 Event Triggered Execution: Image File Execution Options Injection).", "impair_powershell_logging": "The $Parent_image_path process has impaired PowerShell command history logging by executing the following command: $Command_line (MITRE: T1562.003 Impair Defenses: Impair Command History Logging).", "impair_powershell_logging_ps1l": "The PowerShell script has impaired PowerShell command history logging by using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1562.003 Impair Defenses: Impair Command History Logging).", "import_google_api_in_powershell": "The process $Image_path has imported the Google API: $Command_line (MITRE: T1537 Transfer Data to Cloud Account).", "import_service_from_file": "The process $Image_path created or changed the service by reading a file on the disk and importing its content to the registry $Reg_Key (MITRE: T1543.003 New Service).", "ingress_tool_transfer_via_certoc": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_certreq": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_certutil": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_cmdl32": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_curl": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_desktopimgdownldr": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_esentutl": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_finger": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_hh": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1218.001 System Binary Proxy Execution: Compiled HTML File).", "ingress_tool_transfer_via_imewdbld": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_microsoft_office_tools": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_mpcmdrun": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_msoxmled": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_print": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_printbrm": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_replace": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_xwizard": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "inject_common": "The process $Image_path has injected the binary code into the process $Target_path (MITRE: T1055 Process Injection).", "inject_from_trusted_process": "The trusted process $Image_path has injected binary code into another process $Target_path (MITRE: T1055 Process Injection).", "inject_propagate": "The process $Image_path has injected the binary code into the explorer.exe (MITRE: T1055 Process Injection).", "inject_self_copy": "The process $Image_path has injected the binary code into its own copy of $Target_path (MITRE: T1055.002 Process Injection).", "install_chrome_extension": "The process $Image_path has tried to install a Google Chrome browser extension (MITRE: T1217 Browser Bookmark Discovery).", "install_chrome_extension_via_cmd": "The process $Image_path has tried to install a Google Chrome browser extension through a command line: $Command_line (MITRE: T1217 Browser Bookmark Discovery).", "install_chrome_extension_via_reg": "The process $Image_path has tried to install a Google Chrome browser extension through the registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1217 Browser Bookmark Discovery).", "install_edge_extension_via_cmd": "The process $Image_path has tried to install a Microsoft Edge browser extension through a command line: $Command_line (MITRE: T1217 Browser Bookmark Discovery).", "install_edge_extension_via_reg": "The process $Image_path has tried to install a Microsoft Edge browser extension through the registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1217 Browser Bookmark Discovery).", "install_screensaver": "The process $Image_path has installed a Windows screen saver $Target_file (MITRE: T1546.002 Screensaver).", "installdate_check": "The process $Image_path has checked system installation date by querying the key value $Registry_key\\$Registry_value_name (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "installed_components": "The process $Image_path has modified the parameter $Registry_key to install a new Active Setup component $Registry_value (MITRE: T1547.014 Boot or Logon Autostart Execution: Active Setup).", "installing_root_cert_via_certutil": "A root certificate has been installed via certutil.exe: $Command_line (MITRE: T1553.004 Install Root Certificate).", "internet_connection_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the Internet connections via the standard Windows utilities: $Command_line (MITRE: T1016.001 System Network Configuration Discovery: Internet Connection Discovery).", "interpreter_installation_as_a_windows_service": "The process $Image_path has installed the interpreter $Registry_value as a Windows service: $Registry_key (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "invalid_eh": "An invalid exception handler has been detected in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "invoke_obfuscation_via_use_clip": "The command line of the process $Image_path was obfuscated using clip.exe: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_obfuscation_via_use_mshta": "The command line of the process $Image_path was obfuscated using MSHTA.exe: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_obfuscation_via_use_var": "The command line of the process $Image_path was obfuscated using the environment variables: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_powershell_tcp_reverse_shell": "The process $Parent_image_path could invoke Reverse Shell via PowerShell: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "invoke_wcmdump": "The process $Image_path has launched PowerShell script Invoke-WCMDump to dump Windows credentials (MITRE: T1555.004 Credentials from Password Stores: Windows Credential Manager).", "isdebuggerpresent": "The process $Image_path has called IsDebuggerPresent() API function (MITRE: T1622 Debugger Evasion).", "javascript_execution_via_msxsl_or_wmic": "JavaScript was started via $Image_path using load image $Loaded_image_path (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "keethief": "The process $Image_path has searched KDBX files (MITRE: T1555.005 Credentials from Password Stores: Password Managers).", "ldap_scan": "The process $Image_path has scanned ports 88, 389, 636 associated with LDAP server (MITRE: T1046 Network Service Discovery).", "leaked_lsass_handle": "The process $Source_image_path has attempted to get the Lsass.exe process handle via CreateProcessWithLogon. That handle is contained in the created process: $Image_path (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "library_modify_in_sxs_folder": "The process $Image_path has modified DLL in WinSxS folder: $Target_path (MITRE: T1129 Shared Modules).", "linux_add_cronjob": "The process $Image_path has edited the cron job file $File_path (MITRE T1053.003 Scheduled Task/Job: Cron).", "linux_add_pam_module": "The process $Image_path has added a PAM module $File_path (MITRE T1556.003 Modify Authentication Process: Pluggable Authentication Modules).", "linux_add_root_cert": "The process $Image_path has added a new root SSL certificate $File_path (T1553.004 Subvert Trust Controls: Install Root Certificate).", "linux_add_systemd_service": "The process $Image_path has created a new systemd service $File_path (MITRE T1543.002 Create or Modify System Process: Systemd Service).", "linux_change_auth_logs": "The process $Image_path has edited the system authentication logs (MITRE T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs).", "linux_change_bash_profile": "The process $Image_path has edited .bashrc or .bash_profile (MITRE T1546.004 Unix Shell Configuration Modification).", "linux_change_fw_rules": "The process $Image_path has edited the firewall rules (T1562.004 Impair Defenses: Disable or Modify System Firewall).", "linux_change_passwd": "The process $Image_path has edited /etc/passwd or /etc/shadow (MITRE T1098 Account Manipulation).", "linux_clear_command_history": "The process $Image_path has edited the shell command history (MITRE T1070.003 Indicator Removal on Host: Clear Command History).", "linux_connect_to_uncommon_port": "The process $Image_path has tried to connect to the uncommon port $Destination_port on the IP address $Destination_ip.", "linux_connect_without_dns": "The process $Image_path has tried to connect to the host $Destination_ip on the port $Destination_port without a DNS query.", "linux_create_linker_hook": "The process $Image_path has edited the configuration file of the dynamic linker $File_path (MITRE T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking).", "linux_crypto_mining_indicators": "The process $Image_path has executed potential miner: $Command_line (MITRE T1496 Resource Hijacking).", "linux_decoded_base64_command_execution": "The process $Image_path has executed decoded Base64 command: $Command_line (MITRE T1027.013 Obfuscated Files or Information: Encrypted/Encoded File).", "linux_delete_file": "The process $Image_path has deleted the file $Target_file_path (MITRE T1070.004 Indicator Removal on Host: File Deletion).", "linux_edit_sudoers_by_visudo": "The process $Image_path has tried to modify the sudoers file: $File_path (MITRE T1098 Account Manipulation).", "linux_execute_downloader": "The process $Image_path has tried to execute the command-line HTTP client $Target_file_path with the arguments: $Command_line (MITRE T1105 Ingress Tool Transfer).", "linux_execute_dropped_file": "The process $Image_path has created and executed the file $Target_file_path with the arguments: $Command_line.", "linux_execute_file": "The process $Image_path has executed the file $Target_file_path with the arguments: $Command_line.", "linux_execute_suspicious_command": "The process $Image_path has tried to execute a suspicious command with the arguments: $Command_line.", "linux_execute_tcpshell": "The process $Image_path has executed a bind shell or a reverse shell on the host $Destination_ip:$Destination_port (MITRE T1059 Command and Scripting Interpreter).", "linux_hidden_file_access": "The process $Image_path has tried to open the hidden file $Target_file_path (MITRE T1564.001 Hide Artifacts: Hidden Files and Directories).", "linux_inmemory_exec": "The process $Image_path has tried to execute a binary from the memory descriptor (MITRE T1564 Hide Artifacts).", "linux_iptables_chains_deletion": "The process $Image_path has tried to clear all Iptables rules: $Command_line (MITRE T1562.004 Impair Defenses: Disable or Modify System Firewall).", "linux_keyboard_read": "The process $Image_path has tried to capture the keyboard input from file $File_path (MITRE T1056 Input Capture).", "linux_lateral_movement_ssh": "The process $Image_path has tried to bruteforce the SSH servers (MITRE T1021.004 Remote Services: SSH).", "linux_load_kernel_module": "The process $Image_path has loaded the kernel module (MITRE T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions).", "linux_modify_many_files": "The process $Image_path has tried to modify more than 128 files.", "linux_open_raw_socket": "The process $Image_path has opened the raw socket.", "linux_permissions_modification": "The process $Image_path has tried to change the permissions of file $File_path (T1222 File and Directory Permissions Modification).", "linux_port_scan": "The process $Image_path has tried to scan the ports on another host with IP address $Destination_ip (T1046 Network Service Scanning).", "linux_port_scan_many_hosts": "The process $Image_path has tried to scan the ports on other hosts (T1046 Network Service Scanning).", "linux_process_enumeration": "The process $Image_path has tried to enumerate all running processes via /proc (MITRE TA0007 Discovery, MITRE T1057 Process Discovery).", "linux_process_trace": "The process $Image_path has started to trace another process (T1055.008 Process Injection: Ptrace System Calls).", "linux_quiet_wget_usage": "The process $Image_path has executed the wget command with a quiet flag: $Command_line (MITRE T1105 Ingress Tool Transfer).", "linux_read_cpu_info": "The process $Image_path has tried to read the CPU info from /proc/cpuinfo (MITRE T1082 System Information Discovery).", "linux_read_fw_rules": "The process $Image_path reads the firewall rules (MITRE T1518.001 Software Discovery: Security Software Discovery).", "linux_read_kallsyms": "The process $Image_path has tried to get the pointers of the kernel functions (MITRE T1068 Exploitation for Privilege Escalation).", "linux_rename_file": "The process $Image_path has renamed the file $File_path to $Target_file_path.", "linux_reverse_shell": "The process $Image_path has initiated reverse shell: $Command_line (MITRE T1059.004 Command and Scripting Interpreter: Unix Shell).", "linux_self_copy": "The process $Image_path has copied its own executable to $Target_file_path.", "linux_self_delete": "The process $Image_path has deleted its own executable $Target_file_path (MITRE T1070.004 Indicator Removal on Host: File Deletion).", "linux_self_rename": "The process $Image_path has renamed its own executable $File_path to $Target_file_path (MITRE T1036 Masquerading).", "linux_send_signal": "The process $Image_path has sent a signal ($signal) to another process.", "linux_set_fake_file_time": "The process $Image_path has edited the last access or modification time of the file $File_path (MITRE T1070.006 Indicator Removal on Host: Timestomp).", "linux_set_process_name": "The process $Image_path has tried to change its own name (MITRE T1036 Masquerading).", "linux_ssh_key_access": "The process $Image_path has tried to read the SSH keys (MITRE T1552.004 Unsecured Credentials: Private Keys).", "linux_ssh_modify_authkeys": "The process $Image_path has tried to modify the SSH authorized keys: $File_path (MITRE T1098.004 Account Manipulation: SSH Authorized Keys).", "linux_suspicious_sudoers_file_access": "The process $Image_path has tried to access the file $File_path (MITRE T1098 Account Manipulation).", "linux_systemd_service_creation": "The process $Image_path has created systemd service: $File_path (MITRE T1543.002 Create or Modify System Process: Systemd Service).", "linux_systemd_service_start_or_reload": "The process $Image_path started or reloaded the Systemd service: $Command_line (MITRE T1543.002 Create or Modify System Process: Systemd Service).", "linux_tcp_connect": "The process $Image_path has connected to the TCP port $Destination_port on the IP address $Destination_ip.", "linux_tcp_listen": "The process $Image_path has opened the TCP port $Source_port on the IP address $Source_ip.", "linux_tmpfs_access": "The process $Image_path has tried to open the file $File_path in the temporary filesystem.", "linux_user_account_creation": "The process $Image_path has created a new user account: $Command_line (MITRE T1136.001 Create Account: Local Account).", "linux_userfaultd_usage": "The process $Image_path has tried to handle the page faults in the user space (MITRE T1068 Exploitation for Privilege Escalation).", "linux_using_standard_tools_to_add_account_to_a_privileged_group": "The process $Image_path has tried to add an account to a privileged group via standard tools: $Command_line (MITRE T1098 Account Manipulation).", "listing_domain_accounts": "The signs of the domain account discovery via $Image_path were detected: $Command_line (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_domain_accounts_powershell": "The process $Image_path has tried to discover domain accounts: $Command_line (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_domain_accounts_powershell_amsi": "The PowerShell script has tried to discover domain accounts using cmdlet $Cmdlet (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_domain_accounts_powershell_ps1l": "The PowerShell script has tried to discover domain accounts: $Cmdlet $Arguments (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_local_accounts": "The process $Image_path has tried to discover local accounts: $Command_line (MITRE: T1087.001 Account Discovery: Local Account).", "listing_local_accounts_reg": "The process has tried to discover the local accounts via the registry: $Command_line (MITRE: T1087.001 Account Discovery: Local Account).", "listing_shares_via_net": "The process $Image_path has tried to get network shares list: $Command_line (MITRE: T1135 Network Share Discovery).", "listplanting_process_injection": "The process $Image_path has injected a code into the process $Target_image_path (MITRE: T1055.015 Process Injection: ListPlanting).", "lnk_creation_from_archive": "The process $Image_path has created LNK file $File_path(MITRE: T1204.002 User Execution: Malicious File).", "lnk_modification": "The process $Image_path has modified shortcut file $File_path (MITRE: T1547.009 Boot or Logon Autostart Execution: Shortcut Modification).", "load_win_kernel": "The operating system kernel has been loaded into the address space of the process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "loading_dropped_dll": "The process $Image_path has loaded DLL $Loaded_image_path dropped by the process $Dropper_image_path (MITRE: T1574.001 DLL Search Order Hijacking).", "local_account_creation": "The process $Image_path has created a local account using WinAPI: $Registry_key (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_net": "The process $Image_path has created a local account: $Command_line (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_powershell": "The process $Image_path has created a local account: $Command_line (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_powershell_amsi": "The PowerShell script has created a new local user account using the Cmdlet $Cmdlet (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_powershell_ps1l": "The PowerShell script has created a new local user account using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1136.001 Create Account: Local Account).", "local_group_permition_discovery": "The process $Image_path has tried to discover local groups permissions: $Command_line (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_group_permition_discovery_powershell": "The process $Image_path has tried to discover the local groups permissions via PowerShell: $Command_line (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_group_permition_discovery_powershell_ps1l": "PowerShell script has tried to discover local groups permissions: $Cmdlet $Arguments (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_group_permition_discovery_wmic": "The process $Image_path has tried to discover the local groups permissions via wmic: $Command_line (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_ip_connect": "The process $Image_path has connected to an IP address belonging to the local network (MITRE: T1018 Remote System Discovery).", "localhost_ip_connect": "The process $Image_path has connected to the localhost IP address $Destination_ip (MITRE: T1205 Traffic Signaling).", "log_enumeration_via_powershell_commandlet": "The process $Image_path has attempted to enumerate Windows event log via PowerShell cmdlet: $Command_line (MITRE: T1654 Log Enumeration).", "log_enumeration_via_powershell_commandlet/amsi": "The process PowerShell has attempted to enumerate Windows event log $Cmdlet (MITRE: T1654 Log Enumeration).", "log_enumeration_via_powershell_commandlet/ps1l": "The process PowerShell has attempted to enumerate Windows event log via PowerShell commandlet: $Cmdlet $Arguments (MITRE: T1654 Log Enumeration).", "log_enumeration_via_wevtutil": "The process $Image_path has attempted to enumerate Windows event log via wevtutil: $Command_line (MITRE: T1654 Log Enumeration).", "logon_scripts": "The process $Image_path has modified the $Registry_value_name value of the registry key $Registry_key to the $Registry_value (MITRE: T1037.001 Logon Scripts)", "logon_user": "The process $Image_path has used the LogonUser() function to create a logon session for the user named $Username (MITRE: T1134.003 Access Token Manipulation: Make and Impersonate Token).", "lsass_created_unlegal_child_process": "The LSAAS process $Parent_image_path created an illegal child process $Image_path with the command line: $Command_line (MITRE: T1036 Masquerading).", "lsass_dump_via_lolbin": "The process $Parent_image_path has saved the Lsass.exe dump via LOLBin $Image_path: $Command_line (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "mac_address_check": "The process $Image_path has checked MAC address. It can be used to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "mail_communication": "The process $Image_path uses TCP/IP ports reserved for email protocols (MITRE: T1071.003 Commonly Used Port).", "malware_strings": "Strings specific to malware have been found in the memory dump of the process $Image_path (MITRE: T1486 Data Encrypted for Impact).", "masquerading_image_path": "The process $Parent_image_path has created a process specifying path to executable file via command line: $Command_line (MITRE: T1036 Masquerading).", "mavinject_process_injection": "The DLL process injection via the mavInject.exe utility was detected: $Command_line (MITRE: T1055.001 Process Injection: Dynamic-link Library Injection).", "memory_check": "The process $Image_path has checked amount of memory in a system. It can be used to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "meterpreter_cobaltstrike_service_creation": "Meterpreter/Cobalt Strike service creation has been detected: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "minint_key_creation": "The process $Image_path has disabled the Windows Event Logging by creating the registry key: $Registry_key (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "missing_call_ret": "The trusted process $Image_path has executed the call instruction without executing a return from procedure (ret) instruction (MITRE: T1203 Exploitation for Client Execution).", "mmc20_lateral_movement": "The process $Parent_image_path has spawned MMC20 with the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "modification_authentication_packages_via_registry": "The process $Image_path has modified the Authentication Package registry key: $Registry_value (MITRE: T1547.002 Boot or Logon Autostart Execution: Authentication Package).", "modification_office_test_registry_hive": "The process $Image_path has set the registry key $Registry_value for the Office test registry hive (MITRE: T1137.002 Office Application Startup: Office Test).", "modification_time_providers_via_registry": "The process $Image_path has changed a time provider settings via registry: $Registry_value (MITRE: T1547.003 Boot or Logon Autostart Execution: Time Providers).", "modify_file_similar_system": "The process $Image_path has modified the file $Target_path with a name similar to the system file name (MITRE: T1036.003 Masquerading: Rename System Utilities).", "modify_startup_folder_location": "The process $Image_path has modified the parameter $Registry_key\\\\$Registry_value_name to set $Registry_value as the Startup folder (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "modify_user_files": "The process $Image_path has modified user files $File_path. This action is typical for Trojan-Ransom malware (MITRE: T1486 Data Encrypted for Impact).", "mount_iso_image_via_powershell": "The process $Image_path has attempted to mount ISO image: $Command_line (MITRE: T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass).", "mount_iso_image_via_powershell/amsi": "The process PowerShell has attempted to mount ISO image: $Cmdlet (MITRE: T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass).", "mount_iso_image_via_powershell/ps1l": "The process Powershell has attempted to mount ISO image: $Cmdlet $Arguments (MITRE: T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass).", "mounting_windows_admin_shares": "The process $Image_path has mounted the Windows administrative share: $Command_line (MITRE: T1021.002 SMB/Windows Admin Shares).", "mouse_movement": "The process $Image_path tries to detect mouse movement (MITRE: T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks)", "mouse_movement_check": "The process $Image_path has set a hook to monitor mouse events. It can be used to detect a virtual machine (MITRE: T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks).", "ms_dfsnm_dfscoerce": "The process $Image_path has tried to force an authentication via the MS-DFSNM protocol (MITRE: 1187 Forced Authentication).", "ms_efsr_abuse_petitpotam": "The process $Image_path has tried to force an authentication via the MS-EFSR protocol (MITRE: 1187 Forced Authentication).", "ms_fsrvp_abuse_shadowcoerce": "The process $Image_path has tried to force an authentication via the MS-FSRVP protocol (MITRE: 1187 Forced Authentication).", "mshta_ADS": "Process $Image_path has executed .hta file from Alternative Data Stream: $Cmd_line (Mitre T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_executing_from_registry": "The process $Parent_image_path has started mshta.exe executing code from the registry: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta). ", "mshta_external_hta": "The process $Image_path has executed a file from an external resource: $Command_line (Mitre T1218.005 Signed Binary Proxy Execution: Mshta)", "mshta_lateral_tool_transfer": "The process $Parent_image_path has used mshta.exe to execute a remote file: $Command_line (MITRE: T1570 Lateral Tool Transfer).", "mshta_network_connection": "The process $Image_path has established a network connection to $Destination_ip (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_public_directory_files": "Process $Image_path has executed .hta file located in the public directory: $Command_line (Mitre T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_susp_arguments": "The process $Image_path has run java scripts/vbscripts supplied as a command line argument: $Command_line (MIRTE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_unknown_files_execution": "Process $Image_path has executed a file with an extension differing from .hta: $Command_line (Mitre T1218.005 Signed Binary Proxy Execution: Mshta).", "msiexec_download": "The process $Image_path uses msiexec.exe with parameters $Command_line to launch malicious files using command line (MITRE: T1218.007 Signed Binary Proxy Execution).", "msiexec_external_msi": "The process $Image_path has run an installer from an external resource: $Command_line (MITRE: T1218.007 Signed Binary Proxy Execution: Msiexec).", "msiexec_network_connection": "The process $Image_path has established a network connection with $URL (MITRE: T1218.007 Signed Binary Proxy Execution: Msiexec).", "msiexec_repairing_operation": "The process $Image_path has been started with repair operation: $Command_line (MITRE: T1546.016 Event Triggered Execution: Installer Packages).", "msiexec_suspicious_arguments": "The process $Image_path has been executed with suspicious arguments: $Command_line (MITRE: T1218.007 Signed Binary Proxy Execution: Msiexec).", "msmsdt_follina_exploitation": "The process $Image_path has used the Follina (CVE-2022-30190) vulnerability of Microsoft Support Diagnostic Tool (MSDT) program: $Command_line (MITRE: T1203 Exploitation for Client Execution).", "msxml_com_object_usage_via_powershell": "The process $Image_path has used a MSXML COM object via PowerShell to a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "msxml_com_object_usage_via_powershell_amsi": "The PowerShell script has created a new Msxml2.XMLHTTP COM-object: $AMSI_buffer (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "msxml_com_object_usage_via_powershell_ps1d": "The PowerShell script has created a new Msxml2.XMLHTTP COM-object (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "name_like_system_file": "The process $Image_path has created a file $target_file with a name similar to the system file name: $system_name (MITRE: T1036.005 Masquerading).", "net_listen": "The process $Image_path has opened port $Port for listening (MITRE: T1095 Non-Application Layer Protocol).", "net_share_removal_via_net": "The process $Parent_image_path has removed network share connection: $Command_line (MITRE: T1070.005 Network Share Connection Removal).", "net_share_removal_via_pwsh": "The process $Parent_image_path has removed network share connection: $Command_line (MITRE: T1070.005 Network Share Connection Removal).", "net_share_removal_via_pwsh_amsi": "The PowerShell script has removed network share connection using the Cmdlet $Cmdlet (MITRE: T1070.005 Network Share Connection Removal).", "net_share_removal_via_pwsh_ps1l": "The PowerShell script has removed network share connection: $Cmdlet $Arguments (MITRE: T1070.005 Network Share Connection Removal).", "netsh_helper_dll_via_command_line": "The process $Image_path has used netsh.exe helper DLLs to trigger execution of arbitrary code via command line: $Command_line (MITRE: T1546.007 Event Triggered Execution: Netsh Helper DLL).", "netsh_helper_dll_via_registry": "The process $Image_path has set the $Registry_key registry key to use netsh.exe helper DLLs to trigger execution of arbitrary code (MITRE: T1546.007 Event Triggered Execution: Netsh Helper DLL).", "network_configuration_discovery_via_wmic": "The utility wmic.exe has been used to discover network configuration: $Command_line (MITRE: T1016 System Network Configuration Discovery).", "network_connection_from_cmstp": "The process $Image_path has established a network connection: $Command_line (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", "network_connection_from_regsvr32": "The process $Image_path has established a network connection: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "network_connection_from_sc": "A Windows Service was created on a remote host via sc.exe: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "network_connection_from_trusted_process": "The process $Image_path has connected to $Destination_ip (MITRE: T1204.002 User Execution: Malicious File).", "network_connection_from_werfault_or_wermgr": "A network connection $Destination_ip from werfault or wermgr was established: $Image_path (MITRE: T1036 Masquerading).", "network_connection_from_wscript_or_cscript": "The process $Image_path has established a network connection: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "network_rdp_connection_to_a_suspicious_port": "The process $Image_path has initiated RDP connection to uncommon port: $Destination_ip (MITRE: T1572 Protocol Tunneling).", "networkprovider_dll_installation": "The process $Image_path has registered new network provider in the Windows registry: $Registry_value (MITRE: T1556.008 Modify Authentication Process: Network Provider DLL).", "nishang": "The PowerShell script contains functions from Nishang framework (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "non_executable_extension": "The process has been started by the file with the non-executable extension $Image_path (MITRE: T1036.008 Masquerading: Masquerade File Type).", "non_standard_dll_in_spools": "The process $Image_path has loaded non standard DLL (MITRE: T1547.012 Boot or Logon Autostart Execution: Print Processors).", "non_standart_dll_loading_in_lsass": "Non standard DLL has been loaded into the process $Image_path address space: $Command_line (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver)", "non_standart_dll_loading_in_lsass_mem": "The process $Image_path has loaded non standard DLL (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver).", "not_http_on_80": "The process $Image_path has sent non-HTTP data to the port associated with HTTP (MITRE: T1571 Non-Standard Port).", "not_standard_directory_archive": "The archive utility process $Image_path has been started from a non-default folder: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "not_standard_parent_process_bitsadmin": "The process $Image_path was run by a non-standart parent process $Parent_image_path using the command line: $Command_line (MITRE: T1197 BITS Jobs).", "obfuscated_powershell": "The obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "obfuscation_using_rundll32_in_cmd": "The rundll32.exe was used to obfuscate the command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "obfuscation_using_rundll32_in_registry": "Obfuscation using the rundll32.exe was detected in the Registry: $Registry_value (MITRE: T1027 Obfuscated Files or Information).", "obfuscation_via_stdin": "Obfuscation via stdin/stdout was detected: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "object_hiding_via_powershell": "The process $Parent_image_path has hid an object via PowerShell: $Command_line (MITRE: T1564.001 Hide Artifacts: Hidden Files and Directories).", "obtaining_cookies_from_google_chrome": "The process $Image_path has tried to obtain cookies saved in Google Chrome (MITRE: T1539 Steal Web Session Cookie).", "obtaining_cookies_from_microsoft_edge": "The process $Image_path has tried to obtain cookies saved in Microsoft Edge (MITRE: T1539 Steal Web Session Cookie).", "obtaining_cookies_from_mozilla_firefox": "The process $Image_path has tried to obtain cookies saved in Mozilla Firefox (MITRE: T1539 Steal Web Session Cookie).", "obtaining_cookies_from_opera": "The process $Image_path has tried to obtain cookies saved in Opera (MITRE: T1539 Steal Web Session Cookie).", "outlook_form_creation": "Potential form creation $File_path from the Outlook.exe process has been detected: $Command_line Outlook Form creation (MITRE: T1137.003 Office Application Startup: Outlook Forms).", "outlook_form_creation_registry_artifacts": "The $Image_path process has set the registry key $Registry_value (MITRE: T1137.003 Office Application Startup: Outlook Forms).", "outlook_macros_file_modification_or_replacement": "The process $Image_path has tried to modify Outlook macros file (MITRE: T1137.001 Office Application Startup: Office Template Macros).", "outlook_today_page_configuration_via_cmdline": "The process $Image_path has tried to configure Outlook Today page via command line: $Command_line (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "outlook_today_page_configuration_via_registry": "The $Image_path process has set the registry key $Registry_value (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "password_filter_modification_via_registry": "The process $Image_path has modified the Notification Packages registry key: $Registry_value (MITRE: T1556.003 Modify Authentication Process: Pluggable Authentication Modules).", "password_policy_discovery_via_powershell": "The process $Image_path has tried to discover the password policy via PowerShell: $Command_line (MITRE: T1201 Password Policy Discovery).", "password_policy_discovery_via_powershell_ps1l": "The Powershell script has tried to discover the password policy: $Cmdlet $Arguments (MITRE: T1201 Password Policy Discovery).", "password_policy_discovery_via_standard_windows_utilities": "The process $Image_path has discovered the password policy via the standard Windows utilities: $Command_line (MITRE: T1201 Password Policy Discovery).", "patching_amsi": "The process $Image_path could bypass AMSI (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "patching_etw": "The process $Image_path has patched ETW functions (Event Tracing for Windows) in the process memory for bypass logging (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "peripheral_device_discovery_via_powershell": "The process $Image_path has tried to discover the peripheral devices: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "peripheral_device_discovery_via_powershell_ps1d": "Powershell script has tried to discover the peripheral devices: $Script_block (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "peripheral_device_discovery_via_powershell_ps1l": "PowerShell script has tried to discover peripheral devices: $Cmdlet $Arguments (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "peripheral_device_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover peripheral devices via the standard Windows utilities: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "persistence_via_codepage_registry_key": "The process $Image_path has written the value $Registry_value in the registry key $Registry_key for persistence (MITRE: T1546 Event Triggered Execution).", "persistence_via_iofficeantivirus_interface": "The process $Image_path has created an Implemented Categories key: $Registry_key\\$registry_value_name: $Registry_value (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "ping_delete": "The process $Parent_image_path has used the Ping command to delay deleting its executable file: $Command_line. (MITRE: T1070.004 Indicator Removal on Host: File Deletion).", "ping_hex_encoded_ip_address": "A hex encoded IP address was provided to the ping command: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "popular_remote_administration_tools_execution": "The process $Parent_image_path has tried to execute remote access tool $Image_path: $Command_line (MITRE: T1219 Remote Access Software).", "port_monitor_via_reg": "The process $Image_path has modified settings of the port monitoring: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1547.010 Port Monitors).", "portable_executable_injection": "The process $Image_path has injected a portable executable into the process $Target_image_path (MITRE: T1055.002 Portable Executable Injection).", "portproxy_via_netsh": "The process $Image_path has enabled proxy via netsh.exe: $Command_line (MITRE: T1090 Proxy).", "portproxy_via_registry": "The process $Image_path has enabled proxy via registry: $Registry_key\\$Registry_value_name: $Registry_value (MITRE: T1090 Proxy).", "possible_audio_capture": "The process $Image_path has attempted to capture audio: $Command_line (MITRE: T1123 Audio Capture).", "possible_audio_capture_via_api": "The process $Image_path has attempted to capture audio via API (MITRE: T1123 Audio Capture).", "possible_data_exfiltration_or_downloading_via_ConfigSecurityPolicy": "The process $Image_path has tried to exfiltrate or download data using the command: $Command_line (MITRE: T1567 Exfiltration Over Web Service).", "possible_data_exfiltration_or_downloading_via_DataSvcUtil": "The process $Image_path has tried to exfiltrate or download data using the command: $Command_line (MITRE: T1048 Exfiltration Over Alternative Protocol).", "possible_data_exfiltration_via_mail": "The process $Image_path has tried to exfiltrate data using mail: $Command_line (MITRE: 1071.003 Application Layer Protocol: Mail Protocols).", "possible_data_exfiltration_via_powershell_ftp": "The process $Image_path has tried to exfiltrate data via FTP using PowerShell: $Command_line (MITRE: T1048 Exfiltration Over Alternative Protocol).", "possible_impacket_ntlmrelayx_default_service_name_reg": "The process $Image_path created a registry key following the standard Impacket ntlmrelayx service name: $Registry_key\\$Registry_value_name (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "possible_miner_execution": "The process $Image_path has operated with command line containing miner parameters: $Command_line (MITRE: T1496 Resource Hijacking).", "possible_miner_execution_via_api": "The process $Image_path has operated with miner parameters string via API: $String (MITRE: T1496 Resource Hijacking).", "possible_nodejs_revese_shell": "The process $Parent_image_path could invoke Reverse Shell via node.exe: $Command_line (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "possible_ntlm_downgrade_attack": "The process $Image_path has set $Registry_value_name to $Registry_value for NTLM downgrade attack (MITRE: T1562.010 Impair Defenses: Downgrade Attack).", "possible_rdp_tunneling_using_loopback_address": "The process $Image_path has initiated a RDP connection to a loopback address: $Destination_ip (MITRE: T1572 Protocol Tunneling).", "possible_sip_or_trust_provider_hijacking": "The process $Image_path has set $Registry_key to $Registry_value possible hijack SIP or Trust Provider: (MITRE: T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking).", "possible_timestamp_modification_via_powershell": "The process $Parent_image_path has tried to modify timestamp via PowerShell: $Command_line (MITRE: T1070.006 Indicator Removal: Timestomp).", "possible_timestamp_modification_via_powershell_ps1d": "The PowerShell script attempted to modify the timestamp: $Script_block (MITRE: T1070.006 Indicator Removal: Timestomp).", "possibly_mailbox_data_deletion": "The process $Image_path has cleared the mail data in the directory: $Target_file_path (MITRE: T1070.008 Indicator Removal: Clear Mailbox Data).", "post_exploitation_powershell_frameworks_ps1d": "The PowerShell script has used the $Function function from the $Framework post-exploitation framework (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "potential_commands_sharphoud": "The process $Image_path has probably used the commands Sharphoud/Bloodhound: $Command_line (MITRE: T1087 Account Discovery).", "potential_dns_tunneling_via_nslookup": "The process $Image_path was used to potentially exfiltrate information: $Command_line (MITRE: T1071.004 Application Layer Protocol: DNS).", "potential_network_connection_from_email": "The process $Parent_image_path has initiated network connection: $Command_line (MITRE: T1204.001 User Execution: Malicious Link).", "potential_persistence_via_office_addins_extensions": "The process $Image_path has created an extension file in Microsoft Office startup paths: $File_path (MITRE: T1137.006 Office Application Startup: Add-ins).", "potential_potato_exploit_via_calling_unmarshalling_function": "The process $Image_path has called the CoGetInstanceFromIStorage function. This is typical for Potato exploits (MITRE: T1068 Exploitation for Privilege Escalation).", "potential_protocol_tunneling_dns_over_https": "The process $Image_path has initiated tunneling of DNS-over-HTTPS protocol: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_chisel": "The process $Parent_image_path has started a tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_cloudflared": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_dtlspipe": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_gost": "The process $Parent_image_path has started tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_iodine": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_ligolo": "The process $Parent_image_path has started tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_ptunnel_ng": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_qemu": "The process $Parent_image_path has run tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_revsocks": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_protocol_tunneling_via_wstunnel": "The process $Parent_image_path has run the tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "potential_remote_payload_execution_using_outlook_rules": "Suspicious start of process $Image_path from Outlook.exe was detected: $Command_line (MITRE: T1137.005 Office Application Startup: Outlook Rules)", "potential_tunneling_or_port_forwarding": "The process $Parent_image_path has started tunneling or port forwarding utility: $Command_line (MITRE: T1098 Account Manipulation).", "powershell_base64": "The PowerShell has executed a base-64 encoded code: $Cmd_line (Mitre: T1140 Deobfuscate/Decode Files or Information).", "powershell_bits_upload": "The process $Image_path has tried to exfiltrate data using the command: $Command_line (MITRE: T1041 Exfiltration Over C2 Channel).", "powershell_compression": "Compression methods were detected in the PowerShell: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "powershell_compression_ps1d": "The PowerShell script has executed the code contained compressed parts: $Script_block (MITRE: T1027 Obfuscated Files or Information).", "powershell_compression_ps1l": "The PowerShell script executed the $Cmdlet commandlet with the following arguments: $Arguments (MITRE: T1027 Obfuscated Files or Information).", "powershell_connecting": "The PowerShell process has initiated a network connection to the remote host $Destination_ip (MITRE: T1105 Ingress Tool Transfer)", "powershell_download": "The PowerShell script has attempted to download a file by using the command $Command_line (MITRE: T1059.001 PowerShell).", "powershell_from_vbs": "The process $Parent_image_path has invoked Powershell from the SyncAppvPublishingServer.vbs script: $Command_line (MITRE: T1216 System Script Proxy Execution).", "powershell_ingress_tool_transfer_via_nslookup": "The process $Image_path has used nslookup.exe to start a download: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "powershell_installation_as_service": "The process $Image_path has installed PowerShell as a Windows service: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1569.002 System Services: Service Execution).", "powershell_invoke_obfuscation": "The obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "powershell_invoke_obfuscation_ps1d": "The PowerShell script has used obfuscation: $Script_block (MITRE: T1027 Obfuscated Files or Information).", "powershell_listening": "The PowerShell process $Image_path executed with the following command line $Command_line has started listening to the network traffic and waiting for incoming connections (MITRE: T1059.001 PowerShell).", "powershell_profile_modification": "The process $Image_path has modified PowerShell profile file $File_path (MITRE: T1546.013 Event Triggered Execution: PowerShell Profile).", "powershell_suspicious_arguments": "Suspicous arguments were detected in the PowerShell command line: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "powershell_suspicious_arguments_ps1l": "A suspicious PowerShell command has been detected: $Cmdlet $Arguments (Mitre T1059.001 Command and Scripting Interpreter: PowerShell).", "ppid_spoofing": "The process $Original_parent_image has spoofed the parent PID of the child process $Image_path. Assigned parent process: $Spoofed_parent_image (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "ppid_spoofing2": "The process $Original_parent_image has spoofed the parent PID of the child process $Image_path via UpdateProcThreadAttribute WinAPI. Assigned parent process: $Spoofed_parent_image (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "print_proc_via_reg": "The process $Image_path has added $Registry_value to the registry key: $Registry_key\\\\$Registry_value_name (MITRE: T1547.012 Boot or Logon Autostart Execution: Print Processors).", "privilege_escalation_via_dde_client_impersonation_abuse": "The process $Image_path has impersonated DDE client via WinAPI (MITRE: T1068 Exploitation for Privilege Escalation).", "privilege_escalation_via_named_pipe_client_impersonation_abuse": "The process $Image_path has impersonated Named Pipe client via WinAPI (MITRE: T1068 Exploitation for Privilege Escalation).", "process_crash": "The application $Image_path has been crashed.", "process_creation_via_runas": "The process $Parent_image_path has created a process in security context of another user: $Command_line (MITRE: T1134.002 Access Token Manipulation: Create Process with Token).", "process_discovery_via_powershell": "The process $Image_path has tried to discover the processes via PowerShell: $Command_line (MITRE: T1057 Process Discovery).", "process_discovery_via_powershell_ps1l": "PowerShell script has tried to discover processes: $Cmdlet $Arguments (MITRE: T1057 Process Discovery).", "process_discovery_via_standart_windows_utilities": "The process $Image_path has tried to discover processes via the standard Windows utilities: $Command_line (MITRE: T1057 Process Discovery).", "process_discovery_via_wmic": "The process $Parent_image_path has tried to discover processes via Wmic.exe: $Command_line (MITRE: T1057 Process Discovery).", "process_doppelganging": "The process $Image_path has injected a code into the process $Target_image_path using the Process Doppelgänging technique (MITRE: T1055.013 Process Injection: Process Doppelganging).", "process_dump_via_rundll32_comsvcs_dll": "The process $Image_path has dumped another process via the built-in Windows Comsvcs.dll: $Command_line (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "process_hollowing": "The process $Image_path has injected a code into the hollowed process $Target_image_path (MITRE: T1055.012 Process Injection: Process Hollowing).", "process_injection": "The process $Image_path has injected code into the process $Target_image_path (MITRE: T1055 Process Injection).", "process_injection_via_alpc_port": "The process $Image_path has injected a code into the process $Target_image_path via the ALPC Port (MITRE: T1055 Process Injection).", "process_injection_via_clipbrdwndclass": "The process $Image_path has injected a code into the process $Target_image_path via the Clipboard Window Class (MITRE: T1055 Process Injection).", "process_injection_via_memory_section": "The process $Image_path has injected code into the process $Target_image_process using the NtMapViewOfSection function.", "process_injection_via_thread_pools": "The process $Image_path has injected into the target process via Thread Pools (MITRE: T1055 Process Injection).", "profile_ps1_modification": "The process $Image_path has modified the PowerShell profile ($File_path) - a script that runs when the PowerShell starts. (MITRE: T1546.013 Event Triggered Execution: PowerShell Profile).", "provider_enableproperty_value_modification_via_registry": "The process $Image_path has modified the \"EnableProperty\" value: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "proxy_execution_via_pcalua": "The process $Parent_image_path has tried to execute a file using LOLBin $Image_path: $Command_line (MITRE: T1202 Indirect Command Execution).", "ps1_created_in_susp_directory": "The process $Image_path has created a new ps1 script in a suspicious directory: $File_path (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pubprn_signed_script_bypass": "The process $Image_path has used pubprn.vbs scipt for proxy execution: $Command_line (MITRE: T1216.001 System Script Proxy Execution: PubPrn).", "pwsh_execute_from_file": "A Powershell code was executed from a file: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_execute_from_internet": "A PowerShell code was executed from the Internet: $Cmd_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_execute_from_registry": "A PowerShell code was executed from the Windows registry: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_lateral_tool_transfer": "The process $Parent_image_path has run a PowerShell command to transfer a remote file: $Command_line (MITRE: T1570 Lateral Tool Transfer).", "query_registry_via_powershell": "The process $Image_path has tried to resolve the register query via PowerShell: $Command_line (MITRE: T1012 Query Registry).", "query_registry_via_powershell_amsi": "The PowerShell script has queried registry value via the Cmdlet: $Cmdlet (MITRE: T1012 Query Registry).", "query_registry_via_powershell_ps1l": "The PowerShell script has queried registry value using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1012 Query Registry).", "query_registry_via_standard_windows_utilities": "The process $Image_path has tried to resolve the register query: $Command_line (MITRE: T1012 Query Registry).", "queryperformancecounter": "The process $Image_path has measured delay between parts of code using QueryPerformanceCounter() API function (MITRE: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion).", "ransom_wasted": "The process $Image_path renames user files with the $Extension extension, which is typical for the Trojan-Ransom family (MITRE: T1486 Data Encrypted for Impact)", "rdp_hijackinhg_via_tscon": "The process $Image_path has redirected RDP session via tscon: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "rdp_network_connection_from_unusual_process": "An RDP/TCP network connection has been established from an unusual process: from $Image_path to IP address $Destination_ip (MITRE: T1021.001 Remote Desktop Protocol).", "rdp_registry_modification": "The process $Image_path has modified RDP service via the registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1021.001 Remote Desktop Protocol).", "rdp_scan": "The process $Image_path has checked port 3389 associated with RDP (MITRE: T1046 Network Service Discovery).", "rdp_service_modification_via_reg": "The process $Image_path has modified RDP service via Reg: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "rdp_shadowing_via_mstsc": "The process $Image_path has shadowed RDP session via MSTSC: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "read_bios_version": "The process $Image_path has read the BIOS version and compared it with the predefined value $Target_file_path (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "read_browser_user_data": "The process $Image_path tries to get access to user credentials from web browser (MITRE: T1555.003 Credentials from Web Browsers)", "read_chrome_bookmarks": "The process $Image_path has tried to access bookmarks saved in Google Chrome browser (MITRE: T1217 Browser Bookmark Discovery).", "read_chrome_credentials": "The process $Image_path has tried to access credentials saved in Google Chrome browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_clipboard": "The process $Image_path has read data from the user clipboard (MITRE: T1115 Clipboard Data).", "read_credentials_in_files": "The process $Image_path has searched the file $File_path (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "read_documents": "The process $Image_path has read multiple files from the folder \"Documents\" (MITRE: T1119 Automated Collection).", "read_edge_bookmarks": "The process $Image_path has tried to access bookmarks saved in Microsoft Edge browser (MITRE: T1217 Browser Bookmark Discovery).", "read_edge_credentials": "The process $Image_path has tried to access credentials saved in Microsoft Edge browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_firefox_bookmarks": "The process $Image_path has tried to access bookmarks saved in Mozilla Firefox browser (MITRE: T1217 Browser Bookmark Discovery).", "read_firefox_credentials": "The process $Image_path has tried to access credentials saved in Mozilla Firefox browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_ie_bookmarks": "The process $Image_path has tried to access bookmarks saved in Internet Explorer browser (MITRE: T1217 Browser Bookmark Discovery).", "read_ie_credentials": "The process $Image_path has tried to access credentials saved in Internet Explorer browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_opera_bookmarks": "The process $Image_path has tried to access bookmarks saved in Opera browser (MITRE: T1217 Browser Bookmark Discovery).", "read_opera_credentials": "The process $Image_path has tried to access credentials saved in Opera browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_outlook_pst": "The process $Image_path has read the data file of Microsoft Outlook $File_path (MITRE: T1114.001 Email Collection).", "read_system_files": "The process $Image_path has read multiple system files (MITRE: T1083 File and Directory Discovery).", "reading_bookmarks": "The process $Image_path has performed a search of a file containg browsers bookmarks: $File_path (MITRE: T1217 Browser Information Discovery).", "reboot_safe_mode": "The process $Parent_image_path has rebooted the Windows system in safe mode: $Command_line (MITRE: T1562.009 Impair Defenses: Safe Mode Boot).", "recursive_dir": "The process $Image_path has handled the directory tree, including subfolders and files, using the recursive method (MITRE: T1119 Automated Collection).", "redefine_http_protocol_handler_registry": "The process $Image_path has set $Registry_value as the HTTP protocol handler.", "redirection_to_local_admin_share": "The process $Image_path has redirected the output to the local administrative share: $Command_line (MITRE: T1021.002 SMB/Windows Admin Shares).", "reflective_code": "The process $Image_path has reflectively loaded a payload into the process $Target_image_path and executed it(MITRE: T1620 Reflective Code Loading).", "reflective_load_dot_net": "The process $Image_path has reflectively loaded code and invoked method $Method (MITRE: T1620 Reflective Code Loading).", "reg_delete": "The process $Parent_image_path has run the $Image_path program via the command line: $Command_line. This command uses standart tools to delete a registry value (MITRE: T1112 Modify Registry).", "register_hot_key": "The process $Image_path has registered a hot key.", "registry_artifacts_of_popular_rats": "The process $Image_path has modified registry hive of popular Remote Access Software: $Registry_value_name (MITRE: T1219 Remote Access Software).", "regsvr32_dll_from_public_directory": "The process $Image_path has loaded a DLL from the public directories: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "regsvr32_susp_arguments": "The process $Image_path has started with suspicious parameters: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "remote_execution_via_winrm": "The process $Parent_image_path has executed the command remotely using Windows Remote Management tool (WinRM): $Command_line (MITRE: T1021.006 Remote Services: Windows Remote Management).", "remote_powershell": "The Powershell comdlet for remote command execution was detected: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "remote_powershell_ps1l": "The Powershell commandlet for remote command execution has been detected: $Cmdlet $Arguments (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "remote_services_using_mmc20_application_com_object": "The process $Image_path has created a COM object MMC20.Application to perform lateral movement: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "remote_services_via_com_objects_in_command_line": "The process $Image_path has created a COM object with an explicit IP address in the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "remote_system_discovery_via_powershell": "The process $Image_path has tried to discover remote systems via PowerShell: $Command_line (MITRE: T1018 Remote System Discovery).", "remote_system_discovery_via_powershell_ps1l": "PowerShell script has tried to discover remote systems: $Cmdlet $Arguments (MITRE: T1018 Remote System Discovery).", "remote_system_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover remote systems: $Command_line (MITRE: T1018 Remote System Discovery).", "remote_wmi_execution_via_powershell": "The process $Parent_image_path has tried to execute remote Windows Management Instrumentation (WMI) via PowerShell: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "remote_wmi_execution_via_powershell/amsi": "The process PowerShell has tried to execute remote Windows Management Instrumentation (WMI) via PowerShell: $Cmdlet (MITRE: T1047 Windows Management Instrumentation).", "remote_wmi_execution_via_powershell/ps1l": "The process PowerShell has tried to execute remote Windows Management Instrumentation (WMI): $Cmdlet $Arguments (MITRE: T1047 Windows Management Instrumentation).", "remote_wmi_execution_via_wmic": "The process $Parent_image_path has tried to execute remote Windows Management Instrumentation (WMI) via wmic.exe: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "remote_wmi_wbemcomn_dll_hijack": "The process $Image_path has hijacked a DLL using remote WMI and the library $Loaded_image_path (MITRE: T1047 Windows Management Instrumentation).", "remove_amsi_provider_registry_key": "The process $Image_path has removed AMSI provider registry key: $Registry_key (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "remove_the_zone_identifier_alternate_data_stream": "The process $Image_path has removed hidden NTFS ADS related to MOTW: $Command_line (MITRE: T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass).", "rename_system_files": "The process $Image_path has renamed the file $File_path to $Target_file_path (MITRE: T1036.003 Masquerading: Rename System Utilities).", "reversed_strings_in_powershell": "Reversed strings obfuscation was detected in PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "right_to_left_override": "The name of the file $Image_path contains Right to Left Override (RLO) vulnerability. It can be used to disguise the real file extension (MITRE: T1036.002 Masquerading: Right-to-Left Override).", "run_cpl": "The process $Image_path has started a Control Panel item (MITRE: T1218.002 Control Panel Items).", "run_from_app_data": "The process $Image_path has run the executable file $Target_path from the hidden system folder Application Data.", "run_from_program_data": "The process $Image_path has run the executable file $Target_path from the system hidden system folder ProgramData.", "run_from_recycler": "The process $Image_path has run the executable file $Target_image_path from the Recycle Bin.", "run_from_windir": "The process $Image_path has run the executable file $Target_path from the Windows system folder.", "rundll_comma_in_registry_run_runonce": "The process $Image_path has added the rundll32 with a function call to the registry Run key: $Registry_value (MITRE: T1547.001 Registry Run Keys/Startup Folder).", "rundll_in_registry_service_imagepath": "The process $Image_path has created a service, which contains the function call in the ImagePath, via rundll32.exe: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "rundll32_ads": "The process $Image_path has launched DLL via Alternate Data Stream (ADS): $Command_line (MITRE: T1218.011 System Binary Proxy Execution: Rundll32).", "rundll32_external_dll": "The process $Image_path has executed a .dll file from an external resource: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "rundll32_lateral_tool_transfer": "The process $Parent_image_path has used rundll32.exe to execute a remote file: $Command_line (MITRE: T1570 Lateral Tool Transfer).", "rundll32_suspicious_arguments": "Suspicious arguments, which can be used to execute malicious payload, were detected in the process Rundll32.exe: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "rundll32_without_parameters": "The process $Image_path has launched rundll32.exe without parameters: $Cmd_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "save_remote_admin": "The process $Image_path has saved the remote administration tool $File_path (MITRE: T1219 Remote Access Software).", "saving_lsa_registry_hives": "The process $Parent_image_path has saved the SYSTEM registry hive dump: $Command_line (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "scheduled_task_creation_to_launch_shell": "The process $Parent_image_path has created a scheduled task with a shell launch: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "scheduled_task_creation_via_loading_dll": "A scheduled task has been created: $Loaded_image is loaded into the address space of the process $Image_path (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "scheduled_task_creation_via_microsoft_office_application": "The scheduled task was created by the Microsoft Office Application $Image_path (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "scheduledtask_discovery_via_powershell_cmdlet": "The process $Image_path has searched for a scheduled task using the command: $Command_line (MITRE: T1082 System Information Discovery).", "screenshot": "The process $Image_path has taken a screenshot of the Desktop (MITRE: T1113 Screen Capture).", "script_event_consumer_via_file_create_from_scrcons": "The process $Image_path has created a file $File_path. It means that Script Event Consumer was created (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_event_consumer_via_load_image_in_scrcons": "The process $Image_path has loaded an image $Loaded_image_path. It means that Script Event Consumer was created (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_event_consumer_via_suspicious_parent_child_scrcons": "Script Event Consumer was created, indicated by a suspicious child process from $Parent_image_path: $Command_line (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_execution_via_msxsl_or_wmic": "A Visual Basic Script was started via $Image_path using load image $Loaded_image_path (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "sdiagnhost_suspicious_child_follina": "The process $Parent_image_path has started $Image_path via Sdiagnhost.exe: $Command_line (MITRE: T1203 Exploitation for Client Execution).", "security_software_discovery_via_powershell": "The process $Image_path has tried to discover security software via PowerShell: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_powershell_ps1l": "The PowerShell script has tried to discover security software: $Cmdlet $Arguments (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_registry": "The process $Image_path has tried to discover security software via the registry: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover security software: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_wmic": "The process $Image_path has tried to discover security software via wmic: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_token_changed_to_system": "The security token has been changed in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "self_copy": "The process $Image_path has copied the file $Src_path to $Dst_path.", "self_copy_autorun": "The process $Image_path has moved/copied its own executable file to $Target_image_path and added it to run on system start (MITRE: T1547.001 Registry Run Keys / Start Folder).", "self_copy_recycler": "The process $Image_path has copied/moved the file $File_path to the Recycle Bin ($Target_file_path) (MITRE: T1074.001 Local Data Staging).", "self_copy_startup": "The process $Image_path has copied/moved the file $File_path to the Startup folder: $Target_file_path (MITRE: T1547.001 Registry Run Keys / Start Folder).", "self_delete": "The executable file $Target_file_path has been deleted by the process $Image_path (MITRE: T1070.004 File Deletion).", "self_modify": "The process $Image_path has modified the executable file $File_path (MITRE: T1036 Masquerading).", "self_rename": "The executable file $File_path has been renamed by the process $Image_path to $Target_file_path (MITRE: T1036 Masquerading).", "sending_data_via_curl_over_webhook": "The process $Parent_image_path has sent data to an external resource over Webhook: $Command_line (MITRE: T1567.004 Exfiltration Over Web Service: Exfiltration Over Webhook).", "service_authprovider_modification_in_registry": "The process $Image_path has set registry value $Registry_value_name to $Registry_value to obtain persistence (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_creation_from_non_system_directory": "The process $Image_path has created the service $Service_name, which runs from a non-system directory: $Service_path (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_creation_from_non_system_directory2": "The process $Image_path has created the Windows service, which runs from a non-system directory: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_creation_via_installutil": "The process $Parent_image_path has created a new Windows service via InstallUtil: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_powershell": "A Windows service image path has been modified via PowerShell.exe: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_registry": "The process $Image_path has modified path to Windows service image: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_sc_exe": "Windows service image path modification has been detected: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service)", "service_stop_via_net": "The process $Image_path has stopped a service: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_powershell": "The process $Image_path has stopped a service via the PowerShell: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_sc": "A service has been stopped via the $Image_path: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_taskkill": "The process $Image_path has stopped a service using the taskkill command: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_wmic": "The process $Parent_image_path has stopped a service via WMIC: $Command_line (MITRE: T1489 Service Stop).", "set_desktop_wallpaper": "The process $Image_path has set a new wallpaper for the Windows desktop: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1491.001 Defacement: Internal Defacement).", "set_fake_file_time": "The process $Image_path has modified the time attributes of the file $File_path (MITRE: T1070.006 Indicator Removal on Host: Timestomp)", "set_hidden_attribute": "The process $Image_path has set the attribute \"Hidden\" to the file $File_path (MITRE: T1564.001 Hidden Files and Directories).", "set_hidden_attribute_via_attrib": "The process $Parent_image_path has set Hidden attribute to a file via attrib.exe: $Command_line. (MITRE: T1564.001 Hidden Files and Directories).", "set_keylogger": "The process $Image_path has installed a keylogger (MITRE: T1056.001 Input Capture: Keylogging).", "set_outlook_home_page_via_reg": "The process $Parent_image_path has tried to set Outlook home page via reg.exe: $Command_line (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "set_outlook_home_page_via_registry": "The $Image_path process has set the registry key $Registry_value (MITRE: T1137.004 Office Application Startup: Outlook Home Page).", "setting_user_password_to_never_expired_via_powershell": "The process $Image_path has disabled the user password expiry via the PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "setting_user_password_to_never_expired_via_powershell_amsi": "The PowerShell script has disabled expiration of user account password using the following arguments: $Arguments (MITRE: T1098 Account Manipulation).", "setting_user_password_to_never_expired_via_powershell_ps1l": "The PowerShell script has disabled expiration of user account password using the Cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1098 Account Manipulation).", "setting_user_password_to_never_expired_via_wmic": "The process $Image_path has disabled the user password expiry: $Command_line (MITRE: T1098 Account Manipulation).", "setwindowshookex_use_to_inject_dll": "The process $Image_path has performed an attempt to inject $File_path into any process by calling SetWindowsHookEx() (MITRE: T1055 Process Injection).", "shared_modules_to_crit_proc": "The module $Loaded_image_path has been loaded into the address space of the $Image_path process (MITRE: T1129 Shared Modules).", "shared_modules_to_legal_soft": "The module $Loaded_image_path has been loaded into the address space of the $Image_path process (MITRE: T1129 Shared Modules).", "sharpersist_assembly": "The process $Image_path has been started: $Command_line (MITRE: T1588.002 Obtain Capabilities: Tool).", "shell_code_exec": "The trusted process $Image_path has executed the shellcode to obtain unauthorized access to the system (MITRE: T1203 Exploitation for Client Execution).", "shell_command_in_lnk_file": "Shell found in LNK file: $Command_line (MITRE: T1059.003 Command and Scripting Interpreter: Windows Command Shell).", "shell_from_verclsid": "The process verclsid.exe has launched the command shell: $Command_line (MITRE: T1218.012 Signed Binary Proxy Execution: Verclsid).", "shell_start_from_lnk_in_downloads": "The process $Image_path has been created from LNK file: $Command_line (MITRE: T1204.002 User Execution: Malicious File).", "shellcode_sign": "Shellcode has been found in the memory of the process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "shimming": "The program $Image_path uses the shim database to redirect the application code (MITRE: T1546.011 Application Shimming)", "shutdown_system": "Windows has been shut down by the process $Image_path (MITRE: T1529 System Shutdown/Reboot).", "sleep_evasion": "The process $Image_path has set the delayed code execution (MITRE: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion).", "smb_scan": "The program $Image_path has sent multiple SMB requests (MITRE: T1018 Remote System Discovery).", "software_discovery_via_powershell": "The process $Image_path has tried to discover software via PowerShell: $Command_line (MITRE: T1518 Software Discovery).", "software_discovery_via_powershell_amsi": "The PowerShell script has tried to discover software using the command: $Command_line (MITRE: T1518 Software Discovery).", "software_discovery_via_powershell_ps1l": "The PowerShell script has tried to discover software using the cmdlet $Cmdlet with the following arguments: $Arguments (MITRE: T1518 Software Discovery).", "software_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover software via standard Windows utilities: $Command_line (MITRE: T1518 Software Discovery).", "ssh_scan": "The process $Image_path has scanned the SSH connections (MITRE: T1046 Network Service Scanning).", "ssp_configuration_modification": "The process $Image_path has registered a new Security Support Provider: $Registry_value (MITRE: T1547.005 Boot or Logon Autostart Execution: Security Support Provider).", "stack_pointer_out_teb": "The stack pointer has exceeded the Thread Environment Block structure limit in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "start_bcdedit": "Automatic Windows Recovery was disabled via BCDEdit utility: $Command_line (MITRE: T1490 Inhibit System Recovery).", "start_page": "The process $Image_path has changed the browser home page (MITRE: T1185 Man in the Browser).", "start_shell_rce_papercut": "The process $Parent_image_path has started the process $Image_path: $Command_line (MITRE: T1059 Command and Scripting Interpreter).", "start_with_cmd": "The process $Image_path has changed a registry entry $Registry_key so that the file $Target_image_path runs on startup of Windows Command Line Interpreter (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "started_child_process_from_cmstp": "A process was created from $Parent_image_path in unusual way: $Command_line (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", "started_scheduled_task_from_public_directories": "A scheduled task to run a process from the public directories was created: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "started_windows_shell_from_browser": "The process $Parent_image_path has started the process $Image_path: $Command_line (MITRE: T1059 Command and Scripting Interpreter).", "started_windows_shell_from_hh": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.001 Signed Binary Proxy Execution: Compiled HTML File).", "started_windows_shell_from_mmc": "The process $Parent_image_path has started the $Image_path command shell with the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "started_windows_shell_from_mshta": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "started_windows_shell_from_regsvr": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "started_windows_shell_from_rundll32": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "started_windows_shell_from_trusted_process": "The trusted application $Parent_image_path has run the Windows Shell process $Image_path with the command line $Command_line (MITRE: T1204.002 User Execution: Malicious File). ", "startup_system_file_name": "The process $Image_path has created a file $Target_image_path with a name similar to the system file name in the Startup folder (MITRE: T1547.001 Registry Run Keys / Start Folder, T1036.005 Masquerading).", "steal_browser_data_via_esentutl": "The process $Parent_image_path has tried to steal browser data via esentutl.exe: $Command_line (MITRE: T1005 Data from Local System).", "steal_web_session_cookie_via_command_line": "The process $Image_path has attempted to steal the session cookies via cmd.exe: $Command_line (MITRE: T1539 Steal Web Session Cookie).", "storsvc_service_dll_hijacking": "The process $Image_path has loaded non typical DLL: $Loaded_image_path (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "susp_access_to_lsass": "The process $Image_path has got a read/write access to the LSASS memory. (MITRE:T1003.001 OS Credential Dumping: LSASS Memory).", "susp_ext_in_startup_folder": "A file with a suspicious extension was created in the startup folder (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).", "susp_msiexec_embedding": "The process $Image_path has attempted to execute malicious payload: $Command_line (MITRE: T1218.007 System Binary Proxy Execution: Msiexec).", "susp_syntax_command_odbcconf": "The process $Image_path with arguments $Command_line may be abused to proxy the execution of malicious code (MITRE: T1218.008 Signed Binary Proxy Execution: Odbcconf).", "suspend_eventlog_service": "The process $Image_path has disabled event logging to the Windows Event Log by suspending EventLog service (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "suspicious_access_to_vss_options_via_wmi_in_vbs": "The process $Image_path has accessed VSS via WMI in VBS (MITRE: T1006 Direct Volume Access).", "suspicious_adding_user_to_remote_desktop_users_group": "The process $Image_path has added users to RDP user group: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "suspicious_autorun": "The process $Image_path has set the file $Registry_value to run on system startup via the suspicious registry key $Registry_key (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "suspicious_certificates_file_creation": "The process $Image_path has created a cerificate file: $File_path (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "suspicious_child_process_wmiprvse": "Suspicious Child Process $Parent_image_path: $Command_line (MITRE: T1047 Windows Management Instrumentation)", "suspicious_clipboard_output_via_wmic": "A suspicious clipboard output was detected in the process $Image_path: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "suspicious_command_wmic": "The utility wmic.exe was run with a suspicious syntax: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "suspicious_compattelrunner_set_persistance_via_registry": "The process $Image_path has modified the registry key value for persistence: $Registry_value_name\\\\$Registry_value (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "suspicious_escape_characters_in_use_api": "The process $Image_path operates with the obfuscated string containing escape-characters: $String (MITRE: T1027 Obfuscated Files or Information).", "suspicious_escape_characters_in_use_cmd": "Suspicious use of escape characters was detected in the command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "suspicious_gs_netcat_utility_usage": "The process $Parent_image_path has started utility $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "suspicious_jobs_via_bitsadmin": "The process $Image_path has attempted to create a suspicious job using the command $Command_line (MITRE: T1197 BITS Jobs).", "suspicious_loading_dll_via_regsvcs_regasm": "The process $Image_path has loaded a DLL: $Command_line (MITRE: T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm).", "suspicious_lsass_memory_access_via_unknown_method": "The process $Image_path has accessed to the process memory $Target_image_path an suspicious method (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "suspicious_named_pipe_creation_cobalt_strike": "The process $Image_path has created the named pipe $Pipe related to the Cobalt Strike (MITRE: T1055 Process Injection).", "suspicious_named_pipe_interaction_from_shell": "The process $Image_path has interacted with the named pipe: $Pipe (MITRE: T1055 Process Injection).", "suspicious_nslookup_usage_for_discovery_purposes": "The process $Image_path was used to discover the domain controller: $Command_line (MITRE: T1018 Remote System Discovery).", "suspicious_parent_process_regsvr32": "The process $Parent_image_path has run regsvr32.exe: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "suspicious_powershell_host_process_dropped": "The process $Image_path has performed an operation with an executable renamed from powershell.exe to another file name: $Drop_path (MITRE: T1036.005 Masquerading).", "suspicious_powershell_host_process_run": "The process $Image_path executed PowerShell interpreter not with powershell.exe but with $Drop_path. Command line: $Cmd_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_query_to_the_lsa_in_registry": "The process $Image_path requests the registry key $Registry_key containing the Local Security Authority (LSA) secrets (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "suspicious_query_to_the_sam_in_registry": "The process $Image_path has queried the SAM registry hives: $Registry_key (MITRE: T1003.002 OS Credential Dumping: Security Account Manager).", "suspicious_query_to_the_security_in_registry": "The process $Image_path has requested a registry key $Registry_key containing security data (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "suspicious_scheduled_task_created": "The process $Image_path has created suspicious Windows scheduled task: $Registry_key (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "suspicious_service_created": "The process $Image_path has created suspicious Windows service $Registry_key (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "suspicious_sockets_usage_via_powershell": "The process $Parent_image_path has suspiciously used system sockets via PowerShell: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_sockets_usage_via_powershell_amsi": "The PowerShell script uses network sockets: $Object (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_sockets_usage_via_powershell_ps1l": "The PowerShell script has created a new socket using the cmdlet $Cmdlet with the following argumnets: $Arguments (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_syntax_in_command_execution_InstallUtill": "Unusual arguments were detected in the $Image_path command line: $Command_line (MITRE: T1218.004 Signed Binary Proxy Execution: InstallUtil).", "suspicious_syntax_in_command_execution_regasm": "The process $Image_path has started with suspicious arguments: $Command_line (MITRE: T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm).", "suspicious_syntax_in_command_execution_schtasks": "The process $Image_path was started with suspicious arguments: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "suspicious_userinit_activity": "The process $Image_path has perfomed suspicious activity with the $File_path (MITRE: T1547.004 Boot or Logon Autostart Execution: Winlogon Helper DLL).", "suspicious_wsman_provider_image_loads": "The process $Image_path has loaded DLL $Loaded_image_path (MITRE: T1021.003 Remote Services: Distributed Component Object Model)", "svc_stop": "The $Image_path process attempts to manipulate security tools using the utility sc.exe (MITRE T1562.001 Impair Defenses: Disable or Modify Tools).", "svchost_without_parameters": "The process svchost ($Image_path) was executed without parameters: $Command_line (MITRE: T1036 Masquerading).", "system_information_discovery_via_powershell": "The process $Image_path has tried to discover the system information via PowerShell: $Command_line (MITRE: T1082 System Information Discovery).", "system_information_discovery_via_powershell_ps1d": "PowerShell script has tried to discover system information: $Script_block (MITRE: T1082 System Information Discovery).", "system_information_discovery_via_powershell_ps1l": "Powershell script has tried to discover a system information: $Cmdlet $Arguments (MITRE: T1082 System Information Discovery).", "system_information_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system information via the standard Windows utilities: $Command_line (MITRE: T1082 System Information Discovery).", "system_language_discovery_via_registry": "The process $Image_path has tried to discover the system language via the registry: $Command_line (MITRE: T1614.001 System Location Discovery: System Language Discovery).", "system_language_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system language via the standard Windows utilities: $Command_line (MITRE: T1614.001 System Location Discovery: System Language Discovery).", "system_network_configuration_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system network configuration via the standard Windows utilities: $Command_line (MITRE: T1016 System Network Configuration Discovery).", "system_network_connections_discovery_via_powershell": "The process $Image_path has tried to discover system network connections via PowerShell: $Command_line (MITRE: T1049 System Network Configuration Discovery).", "system_network_connections_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover system network connections via the standard Windows utilities: $Command_line (MITRE: T1049 System Network Configuration Discovery).", "system_owner_or_user_discovery": "The process $Parent_path has launched the program $Image_path with following command line: $Cmd_line. This command has signs of system owner or user account discovery (MITRE: T1033 System Owner/User Discovery).", "system_owner_or_user_discovery_via_powershell": "The process $Image_path has tried to discover the system owner/user via PowerShell: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_owner_or_user_discovery_via_suspicious_commandline_whoami": "The process $Image_path has tried to discover the system owner/user executing a suspicious whoami command in the command line: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_ownr_or_user_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system owner/user via the standard Windows utilities: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_service_discovery_via_powershell": "The process $Image_path has tried to discover system services via PowerShell: $Command_line (MITRE: T1007 System Service Discovery).", "system_service_discovery_via_standard_registry": "The process $Image_path has tried to discover system services via the registry: $Command_line (MITRE: T1007 System Service Discovery).", "system_service_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover system services: $Command_line (MITRE: T1007 System Service Discovery).", "system_service_discovery_via_standard_wmic": "The proces $Image_path has tried to discover system services via wmic: $Command_line (MITRE: T1007 System Service Discovery).", "system_time_discovery_via_api": "The process $Image_path has tried to discover the system time (MITRE: T1124 System Time Discovery).", "system_time_discovery_via_powershell": "The process $Image_path has tried to discover the system time via PowerShell: $Command_line (MITRE: T1124 System Time Discovery).", "system_time_discovery_via_powershell_ps1l": "PowerShell script has tried to discover a system time: $Cmdlet $Arguments (MITRE: T1124 System Time Discovery).", "system_time_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system time: $Command_line (MITRE: T1124 System Time Discovery).", "sysvol_check": "The process $Image_path has attempted to access the SYSVOL folder (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "task_cache": "The process $Image_path has modified the task scheduler cache in order to launch applications hiddenly: $Registry_key\\$Registry_value_name: $Registry_value (MITRE: T1053.005 Scheduled Task).", "task_creation_via_api": "The process $Image_path has created scheduled task using API (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "thread_creation_into_critical_win_process": "The process $Image_path has performed an attempt to create a remote thread in the $Target_image_path (MITRE: T1055 Process Injection).", "thread_execution_hijacking": "The process $Image_path hijacked the thread execution to inject a code into the process $Target_image_path (MITRE: T1055.003 Process Injection: Thread Execution Hijacking).", "time_evasion_detected": "We recommend to send the file for long-time processing", "token_manipulation": "The process $Image_path bypassed User Account Control (UAC): obtained token of the auto-elevate process, modified and reused it to execute as administrator (MITRE: T1548.002 Bypass User Account Control).", "token_manipulation_via_createprocessasuser": "The process $Image_path has duplicated an access token for the process $Target_image_path and created the process $Created_image_path using a new token (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "token_manipulation_via_createprocesswithtoken": "The process $Image_path has duplicated an access token from the process $Target_image_path and created the process $Created_image_path using new token (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "token_manipulation_via_impersonateloggedonuser": "The process $Image_path has impersonated an access token of the process $Target_image_path via ImpersonateLoggedOnUser (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "tor_connect": "The process $Image_path has connected to a Tor network resource \"$URL\" (MITRE: T1090.003 Multi-hop Proxy).", "uac_bypass_eventvwr_via_mscfile_commandline": "The process $Image_path has tried bypass UAC via command line: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "uac_bypass_via_com_object_access_cmstp": "The UAC is bypassed via the COM object: $Command_line (MITRE: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control).", "unknown_dll_launch_or_from_public_directories_rundll32": "The process $Image_path has run a dll from a public directory: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "unknown_file_execution_via_regsvr32": "The process $Parent_image_path has executed file with atypical extension via $Image_path: $Command_line (MITRE: T1218.010 System Binary Proxy Execution: Regsvr32).", "unknown_file_execution_via_rundll32": "The process $Parent_image_path has executed file with atypical extension via $Image_path: $Command_line (MITRE: T1218.011 System Binary Proxy Execution: Rundll32).", "unusual_processes_relation_with_colorcpl": "Process anomaly detected, the process $Parent_image_path has tried to execute $Image_path: $Command_line (MITRE: T1564 Hide Artifacts).", "use_alternate_data_stream_via_winapi": "$Image_path has created Alternate Data Stream via WinAPI (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes)", "use_of_internetopenurl": "The process $Image_path has opened URL $URL (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "use_of_presentationhost": "The process $Parent_image_path has used Presentationhost.exe to execute code from XBAP file: $Command_line (MITRE: T1218 System Binary Proxy Execution).", "use_of_winhttpconnect": "The process $Image_path has connected to $URL_host:$Destination_port via HTTP protocol (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "use_of_winhttpopenrequest": "The process $Image_path has sent HTTP request $URL using $Method method (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "user_account_deletion_via_net": "The process $Image_path has deleted a user account: $Command_line (MITRE: T1531 Account Access Removal).", "user_account_deletion_via_powershell": "The process $Image_path has deleted a user account via the PowerShell: $Command_line (MITRE: T1531 Account Access Removal).", "user_account_discovery_via_wmic": "The wmic.exe utility has been used to discover user accounts: $Command_line (MITRE: T1087 Account Discovery).", "user_rights_modification_via_secedit": "The process $Image_path has modified the user rights: $Command_line (MITRE: T1098 Account Manipulation).", "user_supervisor_cpl": "The process $Process_name started with the standard user privilege level has obtained the privilege of user SYSTEM (MITRE: T1203 Exploitation for Client Execution).", "using_alternate_data_stream_in_shell": "The process $Image_path has used Alternate Data Stream via shell: $Command_line (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "using_comspec_environment_var_not_in_cmd": "The process $Parent_image_path has launched the program $Image_path with parameter %comspec%: $Command_line (MITRE: T1059.003 Windows Command Shell).", "using_mofcomp_to_compile_mof_file_from_suspicious_folder": "The process $Image_path has tried to compile a mof-file from a suspicious folder: $Command_line (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "using_netsh_for_sniffing": "The process $Image_path has attempted to sniff traffic: $Command_line (MITRE: T1040 Network Sniffing).", "using_plink_or_putty_for_port_forwarding": "The process $Parent_image_path has started utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "using_plink_or_putty_for_rdp_tunneling": "The process $Parent_image_path has started tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "using_schtasks_to_create_minute_task": "The process $Image_path has created a task that runs every N minutes: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "using_ssh_for_port_forwarding": "The process $Parent_image_path has run the utility $Image_path to set up port forwarding: $Command_line (MITRE: T1572 Protocol Tunneling).", "using_ssh_for_rdp_tunneling": "The process $Parent_image_path has started tunneling utility $Image_path: $Command_line (MITRE: T1572 Protocol Tunneling).", "using_standard_tools_for_interaction_with_remote_registry": "The process $Parent_image_path has launched the program $Image_path with the following command line: $Command_line. This command has signs of accessing the registry on the remote machine (MITRE: T1112 Modify Registry).", "using_utility_for_archive": "The archiving utility process $Image_path has been started: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "using_whoami_to_check_that_current_user_is_system": "The system utility whoami.exe was executed on behalf of NT AUTHORITY\\\\SYSTEM account (MITRE: T1033 System Owner/User Discovery).", "vbawarnings_check": "The process $Image_path has checked the VBAWarnings registry value. If the value of VBAWarnings is 1 (Enable all macros) it may indicate a sandbox execution.", "vbs_network": "The process $Image_path is trying to access the network.", "virtual_device_check": "The process $Image_path has checked a presence of virtual devices to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "virtualalloc_with_getwritewatch": "The process $Image_path has attempted to track debugger using VirtualAlloc()/GetWithWatch() (MITRE: T1622 Debugger Evasion).", "vm_driver_service": "The process $Image_path tries to detect virtualization related services (MITRE: T1497 Virtualization/Sandbox Evasion)", "vm_files_check": "The process $Image_path has checked presence of specific for a virtual environment file: $File_path (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_keys_check": "The process $Image_path has checked the presence of specific for virtual environment registry key: $Registry_key (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_modules_check": "The process $Image_path has checked if the module $Module_name is loaded (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_processes_check": "The process $Image_path has checked if the process $Process_name is running in a system (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_values_check": "The process $Image_path has checked if the registry value of $Registry_key\\$Registry_value_name matches $Substring (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vmwsu_credssp_hijack": "The process $Image_path has downloaded a suspicious DLL as SSP: $File_path (MITRE: T1547.005 Boot or Logon Autostart Execution: Security Support Provider).", "vnc_connection": "The $Image_path process has used a typical Virtual Network Computing (VNC) port during network connection to the IP address $Destination_ip (MITRE: T1021.005 Remote Services: VNC).", "wab_dllpath": "The process $Image_path has modified WAB DLLPath to $Registry_value. When launched, wab.exe will load the new DLL (MITRE: T1546 Event Triggered Execution).", "webclient_downloaddata": "The process $Image_path has downloaded a file from the external resource: $URL (MITRE: T1105 Ingress Tool Transfer).", "webclient_uploaddata": "The process $Image_path has uploaded data to the URL host $URL_host via WebClient.UploadData method (MITRE: T1567 Exfiltration Over Web Service).", "wifi_network_profile_enumeration": "The process $Image_path has attempted to enumerate Wi-Fi profiles: $Command_line (MITRE: T1016.002 System Network Configuration Discovery: Wi-Fi Discovery).", "wildcard_search": "The process $Image_path has run the wildcard search: $File_path (MITRE: T1005 Data from Local System).", "win_defender_exclusions_modification_via_registry": "The process $Image_path has modified the Windows Defender exclusions: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "win_defender_modification_via_powershell": "The Windows Defender configuration was modified via the PowerShell: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "win_defender_modification_via_powershell/amsi": "The Windows Defender configuration has been modified via the PowerShell: $Cmdlet (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "win_defender_modification_via_powershell/ps1l": "The Windows Defender configuration was modified via the PowerShell: $Cmdlet $Arguments (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "windows_enum_via_api": "The process $Image_path has attempted to enumerate open application windows via API (MITRE: T1010 Application Window Discovery).", "windows_service_creation_via_net": "The process $Parent_image_path has started a service via Net.exe: $Command_line (MITRE: T1569.002 System Services: Service Execution).", "windows_shell_in_registry_run_key": "The process $Image_path has added the value $Registry_value to the registry startup key (MITRE: T1547.001 Registry Run Keys / Start Folder).", "windows_shell_started_archive_utility": "The archive utility process $Image_path has been started from Windows Shell $Parent_image_path with command line: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "windows_shell_started_at_exe": "The process $Image_path was started from the Windows Shell: $Command_line (MITRE: T1053.002 Scheduled Task/Job: At (Windows)).", "windows_shell_started_schtasks": "The process $Image_path was started from the Windows Shell: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "windows_title_enum_via_api": "The process $Image_path has attempted to enumerate titles of open application windows via API (MITRE: T1010 Application Window Discovery).", "windows_wlan_profile_enum_via_api": "The process $Image_path has attempted to enumerate Wi-Fi profiles via API (MITRE: T1016.002 System Network Configuration Discovery: Wi-Fi Discovery).", "winlogon_helper_dll": "The process $Image_path may abuse the features of the Winlogon via the registry key $Registry_key to execute $Registry_value when a user logs in (MITRE: Winlogon Helper DLL).", "winsxs_dll_search_order_hijacking": "The process $Image_path has been used to load the file $Loaded_image_path (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "winword_connection_to_external_resource": "The process $Image_path has connected to external network resource (MITRE: T1204.002 User Execution: Malicious File).", "wipe_mbr_via_deviceiocontrol": "The process $Image_path has wiped Master boot record (MBR) via DeviceIoControl function. This action is typical of Rootkit malware (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "wmi_execution_via_microsoft_office_application": "MS Office application has run a command via Windows Management Instrumentation (WMI): $Loaded_image_path is loaded into the address space of the process $Image_path (MITRE: T1047 Windows Management Instrumentation).", "wmi_get_info": "The process $Image_path tries to determine the parameters of the system using WMI , which is typical for attempts to determine the given environment (MITRE: T1082 System Information Discovery)", "wmi_squiblytwo_attack": "The process $Parent_image_path has started Windows Management Instrumentation (WMI) with parameters that may indicate a SquablyTwo attack: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "wmi_via_powershell": "The process $Image_path has accessed the Windows Management Instrumentation via the PowerShell: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "wmi_via_powershell/amsi": "The process has accessed the Windows Management Instrumentation (WMI) using the PowerShell: $Cmdlet (MITRE: T1047 Windows Management Instrumentation).", "wmi_via_powershell/ps1l": "The process has accessed the Windows Management Instrumentation via the PowerShell: $Cmdlet $Arguments (MITRE: T1047 Windows Management Instrumentation).", "write_physical_device": "The process $Image_path has recorded data to the device $Device_path sector-by-sector (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "x509enrollment_encoded": "The PowerShell has executed a x509-encoded code: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "x509enrollment_encoded_ps1d": "The PowerShell script has used x509 encoding: $Script_block (MITRE: T1027 Obfuscated Files or Information).", "x509enrollment_encoded_ps1l": "The PowerShell script has used the x509 encoding: $Cmdlet $Arguments (MITRE: T1027 Obfuscated Files or Information).", "xor-ed_powershell_command": "The XOR obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "xor-ed_powershell_command_ps1l": "The PowerShell script has used the XOR operator: $Cmdlet $Arguments (MITRE: T1027 Obfuscated Files or Information)." }