{ "access_ie_passwords": "The program $Image_path has tried to access passwords saved in Internet Explorer browser (MITRE: T1555.003 Credentials from Web Browsers).", "accessibility_features_anomaly_child_process": "The abnormal child process $Image_path has been launched via Windows Accessibility Features: $Parent_image_path (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_command_line": "The process $Image_path has tried to use Windows accessibility features via command line: $Command_line (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_powershell": "The process $Image_path has tried to use Windows accessibility features via PowerShell: $Command_line (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessibility_features_via_registry": "The process $Image_path has set the $Registry_key registry key to use Windows accessibility features (MITRE: T1546.008 Event Triggered Execution: Accessibility Features).", "accessing_admin_shares_by_standard_tools": "The process $Image_path executed a command line with Windows Admin Shares specified: $Command_line (MITRE: T1219 Remote Access Software).", "account_removing_from_group_via_net": "The process $Image_path has removed a user account from the group: $Command_line (MITRE: T1531 Account Access Removal).", "account_removing_from_group_via_powershell": "The process $Image_path has removed a user from the group using the PowerShell: $Command_line (MITRE: T1531 Account Access Removal).", "ad_ds_check": "The process $Image_path has checked for the presence of AD DS utilities on the computer (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "add_cert_via_registry": "The process $Image_path has installed a certificate in the Windows registry: $Registry_key (MITRE: T1553.004 Subvert Trust Controls: Install Root Certificate).", "add_trusted_cert": "The process $Image_path tries to add its 
certificate to the system trusted certificates (MITRE: T1553.004 Subvert Trust Controls: Install Root Certificate).", "addedToFirewallList": "The process $Image_path has added the file/rule to the Firewall exclusions via registry: $Registry_value (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "adding_account_to_domain_admin_group_via_net": "An account was added to the domain administrators group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_domain_admin_group_via_powershell": "The process $Image_path has added an account to the domain administrators group via PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_global_group": "The process $Image_path has added an account to the global group using WinAPI (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_net": "An account was added to the local administrators group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_admin_group_via_powershell": "The process $Image_path has added an account to the local administrators group via PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group": "The process $Image_path has added an account to the local group using WinAPI (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group_via_net": "An account was added to the local group via $Image_path: $Command_line (MITRE: T1098 Account Manipulation).", "adding_account_to_local_group_via_powershell": "The process $Image_path has added an account to the local group via PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "adodb_stream_com_object_usage_via_powershell": "The process $Image_path has managed a data stream via PowerShell, using the ADODB COM object: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "anomaly_in_the_windows_critical_process_tree": "The 
critical Windows system process $Image_path was run by an anomalous parent process $Parent_image_path with the command line $Command_line (MITRE: T1036 Masquerading).", "anomaly_parent_process_whoami_exe": "The process $Image_path was run by an anomalous parent process $Parent_image_path using the command line: $Command_line (MITRE: T1033 System Owner/User Discovery).", "apc_injection": "The process $Image_path has injected code into the process $Target_image_path via an APC (MITRE: T1055.004 Process Injection: Asynchronous Procedure Call).", "appcert_dlls": "The program $Image_path has replaced the value AppCertDlls in the registry key $Registry_key with $Reg_value. It can be used to inject into processes (MITRE: T1546.009 AppCert DLLs).", "appinit_dlls_via_registry": "The process $Image_path has set the registry key $Registry_key\\\\$Registry_value_name: $Registry_value to execute content triggered by AppInit DLLs (MITRE: T1546.010 Event Triggered Execution: AppInit DLLs).", "application_shimming_via_dropped_file_sdb": "The process $Image_path has created a shim database to redirect the application code execution: $File_path (MITRE: T1546.011 Event Triggered Execution: Application Shimming).", "archive_file_in_local_users_folders_via_makecab": "The process $Image_path has tried to archive a file in a local user folder via makecab.exe: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "archive_via_powershell": "The process $Image_path has tried to archive collected data using PowerShell: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "archiving_files_in_recycle_via_archive": "The archive utility process $Image_path has been started to archive files in the Recycle Bin with the command line: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "atm_filenames": "The process $Image_path has modified the file $Target_file_path specific to automated teller machine software (MITRE: 
T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "attempt_to_launch_ntdsutil": "The process $Image_path tried to launch ntdsutil.exe (MITRE: T1003.003 OS Credential Dumping: NTDS).", "autologger_provider_removal_via_registry": "The process $Image_path has disabled a Windows Logger by removing the registry key: $Registry_key (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "autorun": "The process $Image_path has set the file $Registry_value to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "autorun_open_dir": "The process $Image_path has set the file $Registry_value, which is located in a writable directory, to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "autorun_susp_extension": "The process $Image_path has set the file $Registry_value with a suspicious extension to run on system startup (registry key $Registry_key) (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "bitsadmin_job_via_powershell": "The process $Image_path has attempted to create a BITS job using the command $Command_line (MITRE: T1197 BITS Jobs).", "brute_password": "The process $Image_path has attempted to guess the user password to access the system (MITRE: T1110.001 Brute Force).", "bypass_ps_execution_policy": "A PowerShell script has been started with the argument $Command_line to bypass the PowerShell execution policy (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "bypass_uac": "The process $Image_path has obtained administrator rights, bypassing User Account Control (MITRE: T1548.002 Bypass User Account Control).", "bypassing_application_whitelisting_with_bginfo": "The application whitelisting was bypassed by the process $Image_path via the command line: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "certutil_decode": "The process $Image_path has been executed to encode/decode a 
file to evade defensive measures: $Command_line (MITRE: T1140 Deobfuscate/Decode Files or Information).", "certutil_malicious_action": "The process $Image_path has started the system application Certutil.exe with parameters $Command_line (MITRE: T1140 Deobfuscate/Decode Files or Information).", "change_account_password_via_powershell": "The process $Image_path has changed the user account password: $Command_line (MITRE: T1531 Account Access Removal).", "change_default_file_association_via_assoc": "The process $Image_path has changed the file type mapping for an extension via the command line: $Command_line (MITRE: T1546.001 Change Default File Association).", "change_dns": "The process $Image_path has changed the DNS server address (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "change_mbr": "The process $Image_path has changed the Master Boot Record (MBR). This action is typical of rootkit malware (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "change_mof_directory": "The process $Image_path has changed the self-install directory for MOF files $Registry_value (MITRE: T1546.003 Windows Management Instrumentation Event Subscription).", "change_path_environment_var": "The process $Image_path has changed the PATH environment variable via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.007 Hijack Execution Flow: Path Interception by PATH Environment Variable).", "change_proxy_settings": "The program $Image_path has changed the system proxy settings (MITRE: T1090 Connection Proxy).", "change_reg_via_powershell": "The process $Parent_image_path has changed a registry value via PowerShell: $Command_line (MITRE: T1112 Modify Registry).", "change_service_binary_location_in_registry": "The process $Image_path has modified a service image path: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "check_code_integrity_param": "The process 
$Image_path is trying to check the integrity of the operating system code (MITRE: T1082 System Information Discovery).", "check_cpu_number": "The process $Image_path has attempted to detect the sandbox virtual machine by checking the number of CPUs (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "clear_event_log_cmd": "The process $Parent_image_path has cleared the Windows Event Log: $Command_line (MITRE: T1070.001 Clear Windows Event Logs).", "clear_eventlog": "The program $Image_path has cleared the Windows Event Log (MITRE: T1070.001 Indicator Removal on Host).", "clear_pwsh_command_history": "PowerShell command history has been cleared: $Command_line (MITRE: T1070.003 Clear Command History).", "cmstp_susp_arguments": "The syntax of $Command_line executed by $Image_path is suspicious (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", "code_execution_through_change_registry_via_control_panel_or_cpls": "The code was executed by changing the registry via Control Panel/CPLs: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1218.002 Signed Binary Proxy Execution: Control Panel).", "collect_info": "The program $Image_path collects network and system information.", "collect_system_info": "The process $Image_path has obtained information about the operating system and hardware configuration of the computer (MITRE: T1082 System Information Discovery).", "collecting_credentials_from_registry_via_powershell": "The process $Image_path has accessed credentials in the registry via PowerShell: $Command_line (MITRE: T1552.002 Unsecured Credentials: Credentials in Registry).", "collecting_credentials_from_registry_via_reg": "The process $Image_path has accessed credentials in the registry: $Command_line (MITRE: T1552.002 Unsecured Credentials: Credentials in Registry).", "com_obj_via_verclsid": "Verclsid.exe with arguments $Command_line may be abused to proxy execution of malicious code (MITRE: T1218.012 Signed Binary Proxy Execution: Verclsid).", 
"com_object_registration_via_inpocserver_and_localserver": "The process $Image_path has registered COM component via $Registry_key: $Registry_value (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "com_objects_discovery_via_powershell": "Receiving information about COM objects via $Image_path: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_execution_via_cmd": "The process $Image_path has executed COM methods in command line: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_creating_registry_links": "The process $Image_path has created a symbolic link in the registry to potentially COM Hijacking: $Registry_value (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_delegateexecute": "COM Hijacking by changing the DelegateExecute registry parameter: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_mscfile": "COM Hijacking by changing open command for mscfile: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_powershell": "COM Hijacking via $Image_path: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_reg": "The process $Image_path has added or deleted shell command key to COM Hijacking: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_rundll": "COM Hijacking by changing $Image_path: $Command_line (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "com_objects_hijack_via_sdclt": "COM Hijacking by changing the isolatedCommand registry parameter: $Registry_key (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", 
"com_objects_hijack_via_threatas": "The process $Image_path has set the $Registry_key registry key to COM Hijacking (MITRE: T1546.015 Event Triggered Execution: Component Object Model Hijacking).", "communication_via_telegram": "The process $Image_path can communicate with C2 via Telegram (MITRE: T1102.002 Web Service: Bidirectional Communication).", "compress_data_for_exfiltration_via_archiver": "The archive utility process $Image_path has been started to compress data with command line $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "computer_name_evasion": "The process $Image_path has attempted to detect the computer name of the sandbox virtual machine according to the predetermined list of computer names. The list is stored in the code of the program running this process (MITRE: T1082 System Information Discovery).", "control_panel_item_from_public_directories": "The process $Image_path has executed a Control Panel item from public directories. The command line is $Command_line (MITRE: T1218.002 Signed Binary Proxy Execution: Control Panel).", "copying_from_admin_share_via_default_tools": "The process $Image_path has performed a copy from the administrator's share via default tools: $Command_line (MITRE: T1021.002 Remote Services: SMB/Windows Admin Shares).", "copying_saving_sam_registry_hives": "The process $Image_path has copied/saved the SAM registry hives: $Command_line (MITRE: T1003.002 OS Credential Dumping: Security Account Manager).", "cor_profiler_change": "The process $Image_path has changed the COR_PROFILER environment variable via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "cor_profiler_via_pwsh": "The COR_PROFILER environment variable has been changed via PowerShell: $Command_line (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "cpu_name_check": "The process $Image_path has checked if a CPU name matches $CPU_name (MITRE: 
T1497.001 Virtualization/Sandbox Evasion: System Checks).", "create_alternate_data_stream_via_powershell": "The process $Image_path has created an Alternate Data Stream via PowerShell: $Command_line (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "create_autoruninf": "The process $Image_path has created a file to run another executable: $File_path (MITRE: T1091 Replication Through Removable Media).", "create_file_startup": "The process $Image_path has created a file $File_path in the Startup folder (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "create_job": "The process $Image_path has created a job $File_path in Windows Scheduler (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "create_job_via_at": "The process $Image_path has created a job in Windows Scheduler via at.exe: $Command_line (MITRE: T1053.002 Scheduled Task/Job: At).", "create_job_via_schtasks": "The process $Image_path has created a job in Windows Scheduler via schtasks.exe: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "create_mof_file": "The process $Image_path has created a new MOF file $File_path (MITRE: T1546.003 Windows Management Instrumentation Event Subscription).", "create_process_parameters": "The process $Image_path was created using undocumented API functions. The DLL import directory was changed to $Target_file_path. 
This action is typical of DLL hijacking (MITRE: T1574.001 DLL Search Order Hijacking).", "create_service": "The process $Image_path has created the Windows service $Service_name based on this file: $Service_path (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "create_shadow_copy": "The process $Image_path has created a shadow copy via $Command_line (MITRE: T1003 OS Credential Dumping).", "created_compressed_file_without_archive_utility": "The process $Image_path has created the archive $File_path without any archive utility (MITRE: T1560.003 Archive Collected Data: Archive via Custom Method).", "created_windows_shell_from_critical_windows_process": "The Windows Shell ($Image_path) was run by a critical Windows process $Parent_image_path with the command line: $Command_line (MITRE: T1036 Masquerading).", "creation_of_execuatable_or_script_by_certutil": "Certutil $Image_path has copied an executable file $File_path (MITRE: T1027 Obfuscated Files or Information).", "credential_dump_pipe": "The process $Image_path has connected to the named pipe $Pipe, which is typical of credential dumping tools (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "credentials_dumping_tools_artefacts": "The process $Image_path has created a file $File_path related to password dump utilities (MITRE: T1003 OS Credential Dumping).", "credentials_in_file_unattend_xml": "The process $Image_path has accessed credentials in the file $File_path (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "database_port_scan": "The process $Image_path has scanned the ports typically used for databases (MITRE: T1046 Network Service Scanning).", "default_rdp_port_opening_via_netsh": "The process $Image_path has opened the default RDP port via Netsh: $Command_line (MITRE: T1021.001 Remote Desktop Protocol).", "delayed_delete": "The process $Image_path has performed a delayed delete operation on the file $Target_file_path (MITRE: T1070.004 File Deletion).", "delayed_move": 
"The process $Image_path has performed a delayed move operation with the file from $File_path to $Target_file_path (MITRE: T1119 Automated Collection).", "delayed_move_hosts": "The process $Image_path has performed a delayed move operation with the file \"hosts\" of the Windows OS from $File_path to $Target_file_path (MITRE: T1016 System Network Configuration Discovery).", "delete_hosts": "The process $Image_path has deleted the file \"hosts\" of the Windows OS. It may impact DNS name resolution (MITRE: T1070.004 File Deletion).", "delete_restore_point_via_pwsh": "The Windows Restore Point has been deleted via Powershell: $Command_line (MITRE: T1490 Inhibit System Recovery).", "delete_shadow_copy": "The process $Image_path has deleted shadow copies of user files (MITRE: T1490 Inhibit System Recovery). This action is typical for the malware of the Trojan-Ransom family.", "detect_av_by_device": "The process $Image_path has tried to open a virtual device $Device_name specific to anti-virus software (MITRE: T1518.001 Security Software Discovery).", "detect_debugger_by_device": "The process $Image_path has tried to access virtual device $File_path to check for a debugger in the system (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "detect_vm": "The process $Image_path has attempted to detect a virtual environment (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "detect_vm_alkhaser": "The process $Image_path tries to detect its execution in a virtual environment (MITRE: T1497 Virtualization/Sandbox Evasion).", "detect_vm_by_hostname": "The process $Image_path has compared the computer name with the list of known Sandbox server names in order to bypass Sandbox scanning (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "detected_powershell_execution_without_powershell_exe": "The process $Image_path has loaded the $Loaded_image_path and executed the PowerShell code without launching powershell.exe (MITRE: T1059.001 
Command and Scripting Interpreter: PowerShell).", "detected_screensaver_via_scr": "The Windows screensaver application $Image_path was launched by $Parent_image_path (MITRE: T1546.002 Event Triggered Execution: Screensaver).", "detected_winapi_functions_in_powershell": "The process $Image_path has called a WinAPI function (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "disabing_service_via_registry": "The process $Image_path has disabled Windows service: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disable_action_center": "The process $Image_path has disabled the Windows Action Center (MITRE: T1562.001 Disabling Security Tools).", "disable_auto_update": "The process $Image_path has disabled the Windows automatic update option (MITRE: T1562.001 Disabling Security Tools).", "disable_av_notify": "The program $Image_path is trying to block the balloon notifications from Security Center indicating that antivirus functionality has been disabled.", "disable_cmd": "The process $Image_path has disabled the Windows Command Prompt Interpreter (MITRE: T1562.001 Disabling Security Tools).", "disable_consent_prompt_behavior_admin": "The process $Image_path has disabled the credentials prompt for the User Account Control (MITRE: T1548.002 Bypass User Account Control).", "disable_dep": "The process $Image_path has disabled Data Execution Prevention (MITRE: T1562.001 Disabling Security Tools).", "disable_firewall": "The process $Image_path has disabled the Windows Firewall (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_or_modify_system_firewall_via_powershell": "Windows Firewall has been disabled via Powershell: $Command_line (MITRE: T1562.004 Impair Defenses: Disable or Modify System Firewall).", "disable_prompt_on_secure_desktop": "The process $Image_path has disabled the Windows secure desktop (MITRE: T1562.002 Impair Defenses: Disable Windows Event 
Logging).", "disable_registry_tools": "The process $Image_path has disabled the Windows Registry Editor (MITRE: T1562.001 Disabling Security Tools).", "disable_safe_boot": "The process $Image_path has disabled the Windows safe boot mode (MITRE: T1562.001 Disabling Security Tools).", "disable_security_center": "The process $Image_path has modified the parameter $Registry_key to disable the Windows Security Center notifications (MITRE: T1562.001 Disabling Security Tools).", "disable_show_super_hidden": "The process $Image_path has disabled the \"Show hidden\" file option (MITRE: T1564.001 Hide Artifacts: Hidden Files and Directories).", "disable_system_restore": "The process $Image_path has disabled Windows System Restore (MITRE: T1562.001 Disabling Security Tools).", "disable_task_manager": "The process $Image_path has disabled Windows Task Manager: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Disabling Security Tools).", "disable_uac": "The process $Image_path has disabled User Account Control (MITRE: T1548.002 Bypass User Account Control).", "disable_update_notify": "The program $Image_path is trying to block the balloon notifications from Security Center indicating that Windows updates have been disabled.", "disabling_admin_share_via_registry": "The process $Image_path has disabled administrative share auto-creation via registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1070.005 Network Share Connection Removal).", "disabling_amsi": "The process $Image_path has disabled the AMSI protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_amsi_via_powershell": "The process $Image_path has bypassed the AMSI protection by setting the amsiInitFailed field to true: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_etw_via_powershell": "Event Tracing for Windows (ETW) has been disabled via PowerShell: $Command_line (MITRE: 
T1562.006 Impair Defenses: Indicator Blocking).", "disabling_etw_via_registry": "The process $Image_path has disabled the Event Tracing for Windows (ETW): $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "disabling_event_logging_via_auditpol": "The Windows Event Logging was disabled via AuditPol: $Command_line (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_event_logging_via_wevtutil": "The process $Image_path has disabled the Windows Event Logging via Wevtutil: $Command_line (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_fw_via_netsh": "The process $Image_path has disabled Microsoft Windows Firewall via Netsh.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "disabling_lsa_protection": "The process $Image_path has disabled the LSA protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_restricted_admin": "The process $Image_path has disabled Restricted Admin Mode: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562 Impair Defenses).", "disabling_run_win_app": "The process $Image_path has disabled the Run command from the Windows Start Menu (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_safedllsearchmode_via_registry": "The process $Image_path has disabled the value $Registry_value_name in the registry: $Registry_key (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "disabling_smartscreen_protection": "The process $Image_path has disabled the SmartScreen protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_smartscreen_protection_2": "The process $Image_path has disabled the SmartScreen protection: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify 
Tools).", "disabling_task_via_powershell": "A scheduled task was disabled via PowerShell: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_win_defender_via_registry": "The process $Image_path has disabled some of the Windows Defender functions: $Registry_value_name (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_win_logger_via_registry": "The process $Image_path has disabled a Windows Logger: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "disabling_win_task_via_schtask": "A scheduled task was disabled: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "disabling_windefend_via_dism": "The process $Parent_image_path has disabled Windows Defender: $Command_line (MITRE: T1562.001 Disable or Modify Tools).", "disabling_windows_firewall_via_net": "The process $Image_path has disabled the Microsoft Windows Firewall via Net.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "discovery_gpp_passwords_via_command_line": "The process $Image_path has discovered GPP passwords via the command line: $Command_line (MITRE: T1552.006 Unsecured Credentials: Group Policy Preferences).", "discovery_private_keys_via_command_line": "The process $Image_path has discovered private keys via the command line: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "disk_size_check": "The process $Image_path has checked the hard drive size. 
It can be used to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "dll_import_table_modified_via_setdll": "The DLL import table of the PE has been modified by the process $Image_path: $Command_line (MITRE: T1574.001 Hijack Execution Flow: DLL Search Order Hijacking).", "dll_injection_via_custom_dotnet_garbage_collector": "A DLL has been injected into a process via a garbage collector: $Command_line (MITRE: T1055.001 Dynamic-link Library Injection).", "dll_injection_via_loadlibrary": "The process $Image_path has injected a DLL into the process $Target_image_path via LoadLibrary (MITRE: T1055.001 Dynamic-link Library Injection).", "dll_loading_in_lsass_via_undocumented_registry_key": "The process $Image_path has loaded $Registry_value into the address space of the lsass.exe process via registry: $Registry_key (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver).", "dll_sideloading": "The DLL $Loaded_image_path has been loaded into the address space of the process $Image_path using DLL Side-Loading (MITRE: T1574.002 Hijack Execution Flow: DLL Side-Loading).", "dns_scan": "The program $Image_path has sent multiple DNS requests (MITRE: T1016 System Network Configuration Discovery).", "domain_account_creation_via_net": "The process $Image_path has created a domain account: $Command_line (MITRE: T1136.002 Create Account: Domain Account).", "domain_account_creation_via_powershell": "The process $Image_path has created a domain account: $Command_line (MITRE: T1136.002 Create Account: Domain Account).", "domain_group_permition_discovery": "The process $Image_path has tried to discover domain group permissions: $Command_line (MITRE: T1069.002 Permission Groups Discovery: Domain Groups).", "domain_group_permition_discovery_powershell": "The process $Image_path has tried to discover domain group permissions via PowerShell: $Command_line (MITRE: T1069.002 Permission Groups Discovery: Domain Groups).", 
"domain_joined_check": "The process $Image_path has checked if computer is domain joined via Win API NetGetJoinInformation() (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "domain_trust_discovery_attempt_via_dsquery_or_adfind": "The process $Image_path has tried to discover a domain trust via Dsquery or Adfind (MITRE: T1482 Domain Trust Discovery).", "domain_trust_discovery_via_api": "The signs of the domain trust discovery via API were detected: $Image_path (MITRE: T1482 Domain Trust Discovery).", "domain_trust_discovery_via_nltest_exe": "The signs of the domain trust discovery via $Image_path were detected: $Command_line (MITRE: T1482 Domain Trust Discovery).", "download_executable_from_trusted_process": "The trusted process $Image_path has downloaded an executable file $Target_file_path from the following source: $URL (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "download_from_cloud": "The process $Image_path tried to connect to the cloud service $URL (MITRE: T1102 Web Service).", "download_from_trusted_process": "The trusted process $Image_path has connected to an unknown URL $URL (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "download_payload_via_installutil": "The process $Parent_image_path has downloaded a file via install.exe: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "download_via_excel_com_object": "The process $Image_path has used an Excel COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_ie_com_object": "The process $Image_path has used an InternetExplorer COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_serverxmlhttp_com_object": "The process $Image_path has used a Msxml2.ServerXmlHttp COM object via PowerShell to establish a network connection: $Command_line 
(MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_winhttp_com_object": "The process $Image_path has used a WinHttpRequest COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "download_via_word_com_object": "The process $Image_path has used a Word COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "downloading_via_curl": "The process $Parent_image_path has downloaded a file via cURL: $Command_line (MITRE: T1071.001 Application Layer Protocol: Web Protocols).", "drop_from_trusted_process": "The trusted process $Image_path has saved the executable file $Drop_path (MITRE: T1204.002 User Execution: Malicious File).", "drop_run_from_trusted_process": "The trusted application $Parent_image_path has run the process $Image_path (MITRE: T1204.002 User Execution: Malicious File).", "dropper": "The process $Image_path has run the file $File_path, which was created by the process $Dropper_image_path. 
The file was started as follows: $Command_line (MITRE: T1204.002 User Execution: Malicious File).", "dropping_executable_format_file_from_certutil": "The process $Image_path has dropped an executable file onto the computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "dumping_ntds_via_commandline": "The process $Image_path has tried to dump ntds.dit via the command line: $Command_line (MITRE: T1003.003 OS Credential Dumping: NTDS).", "dyndns_connect": "The process $Image_path has connected to an Internet resource with an automatically generated DNS name (MITRE: T1568 Dynamic Resolution).", "echo_in_file_via_cmd_for_further_execution": "A suspicious command containing \"echo\" was executed: $Command_line (MITRE: T1059.003 Command-Line Interface).", "enable_cor_profiler": "The process $Image_path has enabled the COR_PROFILER: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1574.012 Hijack Execution Flow: COR_PROFILER).", "enabled_dns_over_https_via_registry": "The process $Image_path has enabled the use of DNS over HTTPS (DoH) via the registry: $Registry_key (MITRE: T1572 Protocol Tunneling).", "enabling_wdigest": "The process $Image_path has forced WDigest to store credentials as plaintext in LSASS memory (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "enum_modules": "The process $Image_path has tried to enumerate modules to detect whether it is running in a virtual environment (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "enumerate_usb": "The process $Image_path has obtained access to the list of available USB devices (MITRE: T1120 Peripheral Device Discovery).", "exception_call_av": "An access violation on call instruction execution has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_dep_violation": "A violation of the Data Execution Prevention policy has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for 
Client Execution).", "exception_gs_violation": "An overrun of a protected stack buffer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_heap_corruption": "Heap corruption has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_illegal_instruction": "An attempt to execute an illegal instruction has caused an exception in the trusted process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "exception_privileged_instruction": "An attempt to execute a privileged instruction has caused an exception in the trusted process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "exception_read_av_on_ip": "The memory read access violation at the instruction pointer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "exception_write_av": "The memory write access violation at the instruction pointer has caused an exception in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "executing_ps1_from_public_directory": "The process $Image_path has launched a ps1 script from the public directory: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "execution_of_a_windows_script_with_unusual_file_extension": "The process $Image_path has executed a Windows script with an unusual file extension: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "execution_on_stack": "The trusted process $Image_path has executed the code in the memory space that corresponds to the process stack. 
It may lead to unauthorized access to the system (MITRE: T1203 Exploitation for Client Execution).", "execution_via_registerxll_com_method": "The process $Image_path has used the RegisterXLL COM method via PowerShell to achieve code execution: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "executions_of_javascripts_from_public_directories_via_wscript_or_cscript": "JavaScript was started from a public directory: $Command_line (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "executions_of_scripts_from_public_directories_via_wscript_or_cscript": "A Visual Basic Script was started from a public directory: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "export_certificates_via_powershell": "The process $Image_path has exported certificates via PowerShell: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "export_private_keys_via_certutil": "The process $Image_path has exported certificates via Certutil.exe: $Command_line (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "external_ip_detect": "The process $Image_path has used $URL to detect the external IP address of the computer (MITRE: T1016 System Network Configuration Discovery).", "extracting_credentials_from_files_via_powershell": "The process $Image_path has accessed credentials in files: $Command_line (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "fake_powershell_drop": "The process $Dropper_image_path has dropped the executable renamed from powershell.exe to: $File_path (MITRE: T1036.003 Masquerading: Rename System Utilities).", "fake_powershell_launch": "The process $Parent_image_path has executed the PowerShell interpreter as $Image_path instead of powershell.exe. 
Command line: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "fake_service": "The process $Image_path has given the service a description that appears legitimate: $Reg_value (MITRE: T1036.004 Masquerading: Masquerade Task or Service).", "file_and_directory_permissions_deny_or_remove_via_stu": "The process $Image_path has denied or removed Windows file and directory permissions: $Command_line (MITRE: T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification).", "file_and_directory_permissions_modification_via_stu": "The process $Image_path has modified Windows file and directory permissions: $Command_line (MITRE: T1222.001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification).", "file_association": "The process $Image_path has set the registry key $Registry_key to $Registry_value. This modifies the file type association for the extension (MITRE: T1546.001 Change Default File Association).", "file_download_via_bits_com": "The process $Image_path has downloaded a file using a BITS COM object (MITRE: T1197 BITS Jobs).", "file_download_via_bitsadmin": "The process $Image_path has attempted to download a file using the command $Command_line (MITRE: T1197 BITS Jobs).", "file_drop_from_trusted_process": "The trusted process $Image_path has dropped the executable file $File_path (MITRE: T1204.002 User Execution: Malicious File).", "file_execution_options": "The process $Image_path has modified the Debugger parameter of the registry key $Registry_key to run the executable file $Registry_value with the existing program (MITRE: T1546.012 Image File Execution Options Injection).", "file_replacement": "The process $Image_path has replaced its own executable file (MITRE: T1070.004 Indicator Removal on Host: File Deletion).", "filename_like_system_tool_in_wrong_place_dropped": "The executable file $Image_path, named like a system process, was 
modified in a non-standard directory $File_path (MITRE: T1036.005 Masquerading).", "filename_like_system_tool_in_wrong_place_run": "The process $Image_path executed the program, which is named like a system file but located not in original folder: $Dropper_image_path. Command line: $Command_line (MITRE: T1036.005 Masquerading).", "find_bank_client": "The process $Image_path has compared the process names of each user with the list of the known process names of the online banking clients (MITRE: T1518 Software Discovery). This activity is typical of Trojan-Banker malware.", "find_file": "The process $Image_path has performed a search of file/folder with the name, containing the $Substring substring, in the $Search_path folder (MITRE: T1083 File and Directory Discovery).", "ftp_scan": "The process $Image_path has scanned the FTP connections (MITRE: T1046 Network Service Scanning).", "fw_modification_via_netsh": "The process $Image_path has modified Microsoft Windows Firewall configuration via Netsh.exe: $Command_line (MITRE: T1562.004 Disable or Modify System Firewall).", "get_privilege": "The process $Image_path has obtained the privilege $Privilege_name (MITRE: T1134 Access Token Manipulation).", "granting_rights_to_user": "The process $Image_path has granted rights to the user using WinAPI (MITRE: T1098 Account Manipulation).", "group_policy_discovery_via_gpresult": "The process $Image_path has tried to discover group policies: $Command_line (MITRE: T1615 Group Policy Discovery).", "group_policy_discovery_via_powershell": "The process $Image_path has tried to discover group policies via PowerShell: $Command_line (MITRE: T1615 Group Policy Discovery).", "group_policy_discovery_via_sysvol_directory": "The process $Image_path has tried to discover group policies via the Sysvol directory (MITRE: T1615 Group Policy Discovery).", "group_policy_settings_modification_via_powershell": "The process $Image_path has modified Group Policy settings via PowerShell: $Command_line 
(MITRE: T1484.001 Domain Policy Modification: Group Policy Modification).", "group_policy_settings_modification_via_reg": "The process $Image_path has modified Group Policy settings via registry: $Command_line (MITRE: T1484.001 Domain Policy Modification: Group Policy Modification).", "heap_spray": "The binary code has been injected into dynamic memory of the trusted process $Image_path using the Heap-Spray method (MITRE: T1203 Exploitation for Client Execution).", "hidden_sfx": "A self-extracting archive $Image_path has started in hidden mode (MITRE: T1204.002 User Execution: Malicious File).", "hidden_via_pwsh": "The process $Parent_image_path has run PowerShell with the Hidden attribute: $Command_line (MITRE: T1564.003 Hidden Window).", "hide_user_account_via_registry": "The process $Image_path has hidden a user account via registry: $Registry_key (MITRE: T1564.002 Hide Artifacts: Hidden Users).", "hosts_file_modification": "The process $Image_path has modified the Windows hosts file. 
It may impact DNS name resolution (MITRE: T1565 Data Manipulation).", "icmp_scan": "The program $Image_path has made multiple ICMP requests (MITRE: T1046 Network Service Discovery)", "image_file_execution_options_injection_via_silentprocessexit": "The process $Image_path has set the registry key $Registry_key to run the $Registry_value executable file along with the existing program (MITRE: T1546.012 Event Triggered Execution: Image File Execution Options Injection).", "import_service_from_file": "The process $Image_path created or changed the service by reading a file on the disk and importing its content to the registry $Reg_Key (MITRE: T1543.003 New Service).", "ingress_tool_transfer_via_certoc": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_certreq": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_certutil": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_cmdl32": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_curl": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_desktopimgdownldr": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_esentutl": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_finger": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", 
"ingress_tool_transfer_via_hh": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1218.001 System Binary Proxy Execution: Compiled HTML File).", "ingress_tool_transfer_via_imewdbld": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_microsoft_office_tools": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_mpcmdrun": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_msoxmled": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_print": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_printbrm": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_replace": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "ingress_tool_transfer_via_xwizard": "The process $Image_path has transferred the Ingress tool to a computer: $Command_line (MITRE: T1105 Ingress Tool Transfer).", "inject_common": "The process $Image_path has injected the binary code into the process $Target_path (MITRE: T1055 Process Injection).", "inject_from_trusted_process": "The trusted process $Image_path has injected binary code into another process $Target_path (MITRE: T1055 Process Injection).", "inject_propagate": "The process $Image_path has injected the binary code into the explorer.exe (MITRE: T1055 Process Injection).", "inject_self_copy": "The process $Image_path has 
injected the binary code into its own copy of $Target_path (MITRE: T1055.002 Process Injection).", "install_chrome_extension": "The process $Image_path has tried to install a Google Chrome browser extension (MITRE: T1217 Browser Bookmark Discovery).", "install_chrome_extension_via_cmd": "The process $Image_path has tried to install a Google Chrome browser extension through a command line: $Command_line (MITRE: T1217 Browser Bookmark Discovery).", "install_chrome_extension_via_reg": "The process $Image_path has tried to install a Google Chrome browser extension through the registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1217 Browser Bookmark Discovery).", "install_edge_extension_via_cmd": "The process $Image_path has tried to install a Microsoft Edge browser extension through a command line: $Command_line (MITRE: T1217 Browser Bookmark Discovery).", "install_edge_extension_via_reg": "The process $Image_path has tried to install a Microsoft Edge browser extension through the registry: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1217 Browser Bookmark Discovery).", "install_screensaver": "The process $Image_path has installed a Windows screen saver $Target_file (MITRE: T1546.002 Screensaver).", "installed_components": "The process $Image_path has modified the parameter $Registry_key to install a new Active Setup component $Target_path (MITRE: T1547.014 Boot or Logon Autostart Execution: Active Setup).", "installing_root_cert_via_certutil": "A root certificate has been installed via certutil.exe: $Command_line (MITRE: T1553.004 Install Root Certificate).", "internet_connection_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the Internet connections via the standard Windows utilities: $Command_line (MITRE: T1016.001 System Network Configuration Discovery: Internet Connection Discovery).", "invalid_eh": "An invalid exception handler has been detected in the trusted process $Image_path 
(MITRE: T1203 Exploitation for Client Execution).", "invoke_obfuscation_via_use_clip": "The command line of the process $Image_path was obfuscated using clip.exe: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_obfuscation_via_use_mshta": "The command line of the process $Image_path was obfuscated using MSHTA.exe: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_obfuscation_via_use_var": "The command line of the process $Image_path was obfuscated using the environment variables: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "invoke_powershell_tcp_reverse_shell": "The process $Parent_image_path could invoke Reverse Shell via PowerShell: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "javascript_execution_via_msxsl_or_wmic": "JavaScript was started via $Image_path using load image $Loaded_image_path (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "ldap_scan": "The process $Image_path has scanned ports 88, 389, 636 associated with LDAP server (MITRE: T1046 Network Service Discovery).", "leaked_lsass_handle": "The process $Source_image_path has attempted to get the Lsass.exe process handle via CreateProcessWithLogon. 
That handle is contained in the created process: $Image_path (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "library_modify_in_sxs_folder": "The process $Image_path has modified DLL in WinSxS folder: $Target_path (MITRE: T1129 Shared Modules).", "linux_add_cronjob": "The process $Image_name has edited the cron job file $File_name (MITRE TA0003 Persistence, MITRE TA0002 Execution, MITRE T1053.003 Scheduled Task/Job: Cron).", "linux_add_pam_module": "The process $Image_name has added a PAM module $File_name (MITRE T1556.003 Modify Authentication Process: Pluggable Authentication Modules).", "linux_add_root_cert": "The process $Image_name has added a new root SSL certificate $File_name (MITRE TA0005 Defense Evasion, T1553.004 Subvert Trust Controls: Install Root Certificate).", "linux_add_systemd_service": "The process $Image_name has created a new systemd service $File_name (MITRE TA0003 Persistence, MITRE T1543.002 Create or Modify System Process: Systemd Service).", "linux_change_auth_logs": "The process $Image_name has edited the system authentication logs (MITRE T1070.002 Indicator Removal on Host: Clear Linux or Mac System Logs).", "linux_change_bash_profile": "The process $Image_name has edited .bashrc or .bash_profile (MITRE TA0003 Persistence, MITRE T1546.004 Unix Shell Configuration Modification).", "linux_change_fw_rules": "The process $Image_name has edited the firewall rules (MITRE TA0005 Defense Evasion, T1562.004 Impair Defenses: Disable or Modify System Firewall).", "linux_change_passwd": "The process $Image_name has edited /etc/passwd or /etc/shadow (MITRE TA0003 Persistence, MITRE T1098 Account Manipulation).", "linux_clear_command_history": "The process $Image_name has edited the shell command history (MITRE TA0005 Defense Evasion, MITRE T1070.003 Indicator Removal on Host: Clear Command History).", "linux_connect_to_uncommon_port": "The process $Image_name has tried to connect to the uncommon port $Port on the IP address 
$IP.", "linux_connect_without_dns": "The process $Image_name has tried to connect to the host $IP on the port $Port without a DNS query.", "linux_create_linker_hook": "The process $Image_name has edited the configuration file of the dynamic linker (MITRE T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking).", "linux_delete_file": "The process $Image_name has deleted the file $Target_path (MITRE TA0005 Defense Evasion, MITRE T1070.004 Indicator Removal on Host: File Deletion).", "linux_execute_downloader": "The process $Image_name has tried to execute the command-line HTTP client $Target_file with the arguments: $Argv (MITRE TA0011 Command and Control, MITRE T1105 Ingress Tool Transfer).", "linux_execute_dropped_file": "The process has created and executed the file $Target_file with the arguments: $Argv.", "linux_execute_file": "The process $Image_name has executed the file $Target_file with the arguments: $Argv.", "linux_execute_suspicious_command": "The process $Image_name has tried to execute a suspicious command with the arguments: $Argv.", "linux_execute_tcpshell": "The process $Image_name has executed a bind shell or a reverse shell on the host $IP:$Port (MITRE TA0002 Execution, MITRE T1059 Command and Scripting Interpreter).", "linux_hidden_file_access": "The process $Image_name has tried to open the hidden file $Target_file (MITRE TA0005 Defense Evasion, MITRE T1564.001 Hide Artifacts: Hidden Files and Directories).", "linux_inmemory_exec": "The process $Image_name has tried to execute a binary from the memory descriptor (MITRE TA0005 Defense Evasion, MITRE T1564 Hide Artifacts).", "linux_keyboard_read": "The process $Image_name has tried to capture the keyboard input from file $File_name (MITRE TA0009 Collection, MITRE T1056 Input Capture).", "linux_lateral_movement_ssh": "The process $Image_name has tried to bruteforce the SSH servers (MITRE TA0008 Lateral Movement, MITRE T1021.004 Remote Services: SSH).", "linux_load_kernel_module": "The process 
$Image_name has loaded the kernel module (MITRE TA0003 Persistence, MITRE T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions).", "linux_modify_many_files": "The process $Image_name has tried to modify more than 128 files.", "linux_open_raw_socket": "The process $Image_name has opened the raw socket.", "linux_permissions_modification": "The process $Image_name has tried to change the permissions of file $File_name (MITRE TA0005 Defense Evasion, T1222 File and Directory Permissions Modification).", "linux_port_scan": "The process $Image_name has tried to scan the ports on another host with IP address $IP (MITRE TA0007 Discovery, T1046 Network Service Scanning).", "linux_port_scan_many_hosts": "The process $Image_name has tried to scan the ports on other hosts (MITRE TA0007 Discovery, T1046 Network Service Scanning).", "linux_process_enumeration": "The process $Image_name has tried to enumerate all running processes via /proc (MITRE TA0007 Discovery, MITRE T1057 Process Discovery).", "linux_process_trace": "The process $Image_name has started to trace another process (MITRE TA0005 Defense Evasion, T1055.008 Process Injection: Ptrace System Calls).", "linux_read_cpu_info": "The process $Image_name has tried to read the CPU info from /proc/cpuinfo (MITRE TA0007 Discovery, MITRE T1082 System Information Discovery).", "linux_read_fw_rules": "The process $Image_name reads the firewall rules (MITRE TA0007 Discovery, MITRE T1518.001 Software Discovery: Security Software Discovery).", "linux_read_kallsyms": "The process $Image_name has tried to get the pointers of the kernel functions (MITRE T1068 Exploitation for Privilege Escalation).", "linux_rename_file": "The process $Image_name has renamed the file $Previous_name to $New_name.", "linux_self_copy": "The process $Image_name has copied its own executable to $Target_file.", "linux_self_delete": "The process $Image_name has deleted its own executable $Target_file (MITRE TA0005 Defense Evasion, MITRE 
T1070.004 Indicator Removal on Host: File Deletion).", "linux_self_rename": "The process $Image_name has renamed its own executable $Previous_file to $New_name (MITRE TA0005 Defense Evasion, MITRE T1036 Masquerading).", "linux_send_signal": "The process $Image_name has sent a signal to another process.", "linux_set_fake_file_time": "The process $Image_name has edited the last access or modification time of the file $File_name (MITRE T1070.006 Indicator Removal on Host: Timestomp).", "linux_set_process_name": "The process $Image_name has tried to change its own name (MITRE TA0005 Defense Evasion, MITRE T1036 Masquerading).", "linux_ssh_key_access": "The process $Image_name has tried to read the SSH keys (MITRE TA0006 Credential Access, MITRE T1552.004 Unsecured Credentials: Private Keys).", "linux_ssh_modify_authkeys": "The process $Image_name has tried to modify the SSH authorized keys (MITRE TA0003 Persistence, MITRE T1098.004 Account Manipulation: SSH Authorized Keys).", "linux_tcp_connect": "The process $Image_name has connected to the TCP port $Port on the IP address $IP.", "linux_tcp_listen": "The process $Image_name has opened the TCP port $Port on the IP address $IP.", "linux_tmpfs_access": "The process $Image_name has tried to open the file $File_name in the temporary filesystem.", "linux_userfaultd_usage": "The process $Image_name has tried to handle the page faults in the user space (MITRE T1068 Exploitation for Privilege Escalation).", "listing_domain_accounts": "The signs of the domain account discovery via $Image_path were detected: $Command_line (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_domain_accounts_powershell": "The process $Image_path has tried to discover domain accounts: $Command_line (MITRE: T1087.002 Account Discovery: Domain Account).", "listing_local_accounts": "The process $Image_path has tried to discover local accounts: $Command_line (MITRE: T1087.001 Account Discovery: Local Account).", 
"listing_local_accounts_reg": "The process has tried to discover local accounts via the registry: $Command_line (MITRE: T1087.001 Account Discovery: Local Account).", "listing_shares_via_net": "The process $Image_path has tried to list the network shares: $Command_line (MITRE: T1135 Network Share Discovery).", "lnk_creation_from_archive": "The process $Image_path has created the LNK file $File_path (MITRE: T1204.002 User Execution: Malicious File).", "lnk_modification": "The process $Image_path has modified the shortcut file $Target_file (MITRE: T1547.009 Boot or Logon Autostart Execution: Shortcut Modification).", "load_win_kernel": "The operating system kernel has been loaded into the address space of the process $Image_path (MITRE: T1068 Exploitation for Privilege Escalation).", "loading_dropped_dll": "The process $Image_path has loaded the DLL $Loaded_image_path dropped by the process $Dropper_image_path (MITRE: T1574.001 DLL Search Order Hijacking).", "local_account_creation": "The process $Image_path has created a local account using WinAPI: $Registry_key (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_net": "The process $Image_path has created a local account: $Command_line (MITRE: T1136.001 Create Account: Local Account).", "local_account_creation_via_powershell": "The process $Image_path has created a local account: $Command_line (MITRE: T1136.001 Create Account: Local Account).", "local_group_permition_discovery": "The process $Image_path has tried to discover local group permissions: $Command_line (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_group_permition_discovery_powershell": "The process $Image_path has tried to discover local group permissions via PowerShell: $Command_line (MITRE: T1069.001 Permission Groups Discovery: Local Groups).", "local_group_permition_discovery_wmic": "The process $Image_path has tried to discover local group permissions via wmic: $Command_line (MITRE: T1069.001 
Permission Groups Discovery: Local Groups).", "local_ip_connect": "The process $Image_path has connected to an IP address belonging to the local network (MITRE: T1018 Remote System Discovery).", "localhost_ip_connect": "The process $Image_path has connected to the localhost IP address $Destination_ip (MITRE: T1205 Traffic Signaling).", "logon_scripts": "The process $Image_path has modified the $Registry_value_name value of the registry key $Registry_key to $Registry_value (MITRE: T1037.001 Logon Scripts).", "logon_user": "The process $Image_path has used the LogonUser() function to create a logon session for the user named $Username (MITRE: T1134.003 Access Token Manipulation: Make and Impersonate Token).", "lsass_created_unlegal_child_process": "The LSASS process $Parent_image_path has created an illegal child process $Image_path with the command line: $Command_line (MITRE: T1036 Masquerading).", "mac_address_check": "The process $Image_path has checked the MAC address. It can be used to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "mail_communication": "The process $Image_path uses TCP/IP ports reserved for email protocols (MITRE: T1071.003 Commonly Used Port).", "malware_strings": "Strings specific to malware have been found in the memory dump of the process $Image_path (MITRE: T1486 Data Encrypted for Impact).", "masquerading_image_path": "The process $Parent_image_path has created a process by specifying the path to the executable file via the command line: $Command_line (MITRE: T1036 Masquerading).", "mavinject_process_injection": "DLL process injection via the mavInject.exe utility has been detected: $Command_line (MITRE: T1055.001 Process Injection: Dynamic-link Library Injection).", "memory_check": "The process $Image_path has checked the amount of memory in the system. 
It can be used to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "meterpreter_cobaltstrike_service_creation": "Meterpreter/Cobalt Strike service creation has been detected: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "minint_key_creation": "The process $Image_path has disabled the Windows Event Logging by creating the registry key: $Registry_key (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "missing_call_ret": "The trusted process $Image_path has executed the call instruction without executing a return from procedure (ret) instruction (MITRE: T1203 Exploitation for Client Execution).", "mmc20_lateral_movement": "The process $Parent_image_path has spawned MMC20 with the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "modification_authentication_packages_via_registry": "The process $Image_path has modified the Authentication Package registry key: $Registry_value (MITRE: T1547.002 Boot or Logon Autostart Execution: Authentication Package).", "modification_time_providers_via_registry": "The process $Image_path has changed a time provider settings via registry: $Registry_value (MITRE: T1547.003 Boot or Logon Autostart Execution: Time Providers).", "modify_file_similar_system": "The process $Image_path has modified the file $Target_path with a name similar to the system file name (MITRE: T1036.003 Masquerading: Rename System Utilities).", "modify_startup_folder_location": "The process $Image_path has modified the parameter $Registry_key\\\\$Registry_value_name to set $Registry_value as the Startup folder (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "modify_user_files": "The process $Image_path has modified user files $File_path. 
This action is typical for Trojan-Ransom malware (MITRE: T1486 Data Encrypted for Impact).", "mounting_windows_admin_shares": "The process $Image_path has mounted the Windows administrative share: $Command_line (MITRE: T1021.002 SMB/Windows Admin Shares).", "mouse_movement": "The process $Image_path tries to detect mouse movement (MITRE: T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks).", "mouse_movement_check": "The process $Image_path has set a hook to monitor mouse events. It can be used to detect a virtual machine (MITRE: T1497.002 Virtualization/Sandbox Evasion: User Activity Based Checks).", "mshta_ADS": "The process $Image_path has executed an .hta file from an Alternate Data Stream: $Cmd_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_external_hta": "The process $Image_path has executed a file from an external resource: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_network_connection": "The process $Image_path has established a network connection to $Destination_ip (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_public_directory_files": "The process $Image_path has executed an .hta file located in a public directory: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_susp_arguments": "The process $Image_path has run JavaScript/VBScript code supplied as a command line argument: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "mshta_unknown_files_execution": "The process $Image_path has executed a file with an extension differing from .hta: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "msiexec_download": "The process $Image_path uses msiexec.exe with the parameters $Command_line to launch malicious files via the command line (MITRE: T1218.007 Signed Binary Proxy Execution).", "msiexec_external_msi": "The process $Image_path has run an installer from an external resource: $Command_line (MITRE: T1218.007 Signed 
Binary Proxy Execution: Msiexec).", "msiexec_network_connection": "The process $Image_path has established a network connection with $URL (MITRE: T1218.007 Signed Binary Proxy Execution: Msiexec).", "msiexec_suspicious_arguments": "The process $Image_path has been executed with suspicious arguments: $Command_line (MITRE: T1218.007 Signed Binary Proxy Execution: Msiexec).", "msmsdt_follina_exploitation": "The process $Image_path has exploited the Follina (CVE-2022-30190) vulnerability in the Microsoft Support Diagnostic Tool (MSDT): $Command_line (MITRE: T1203 Exploitation for Client Execution).", "msxml_com_object_usage_via_powershell": "The process $Image_path has used an MSXML COM object via PowerShell to establish a network connection: $Command_line (MITRE: T1559.001 Inter-Process Communication: Component Object Model).", "name_like_system_file": "The process $Image_path has created a file $target_file with a name similar to the system file name: $system_name (MITRE: T1036.005 Masquerading).", "net_share_removal_via_net": "The process $Parent_image_path has removed a network share connection: $Command_line (MITRE: T1070.005 Network Share Connection Removal).", "net_share_removal_via_pwsh": "The process $Parent_image_path has removed a network share connection: $Command_line (MITRE: T1070.005 Network Share Connection Removal).", "netsh_helper_dll_via_command_line": "The process $Image_path has used netsh.exe helper DLLs to trigger execution of arbitrary code via the command line: $Command_line (MITRE: T1546.007 Event Triggered Execution: Netsh Helper DLL).", "netsh_helper_dll_via_registry": "The process $Image_path has set the $Registry_key registry key to use netsh.exe helper DLLs to trigger execution of arbitrary code (MITRE: T1546.007 Event Triggered Execution: Netsh Helper DLL).", "network_connection_from_cmstp": "The process $Image_path has established a network connection: $Command_line (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", 
"network_connection_from_regsvr32": "The process $Image_path has established a network connection: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "network_connection_from_sc": "A connection to a remote host via sc.exe was detected: $Command_line (MITRE: T1021 Remote Services).", "network_connection_from_werfault_or_wermgr": "A network connection to $Destination_ip from werfault or wermgr was established: $Image_path (MITRE: T1036 Masquerading).", "network_connection_from_wscript_or_cscript": "The process $Image_path has established a network connection: $Command_line (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "non_executable_extension": "The process has been started from the file $Image_path with a non-executable extension.", "non_standard_dll_in_spools": "The process $Image_path has loaded a non-standard DLL (MITRE: T1547.012 Boot or Logon Autostart Execution: Print Processors).", "non_standart_dll_loading_in_lsass": "A non-standard DLL has been loaded into the address space of the process $Image_path: $Command_line (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver).", "non_standart_dll_loading_in_lsass_mem": "The process $Image_path has loaded a non-standard DLL (MITRE: T1547.008 Boot or Logon Autostart Execution: LSASS Driver).", "not_http_on_80": "The process $Image_path has sent non-HTTP data to the port associated with HTTP (MITRE: T1571 Non-Standard Port).", "not_standard_directory_archive": "The archive utility process $Image_path has been started from a non-default folder: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "not_standard_parent_process_bitsadmin": "The process $Image_path was run by a non-standard parent process $Parent_image_path using the command line: $Command_line (MITRE: T1197 BITS Jobs).", "obfuscated_powershell": "Obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", 
"obfuscation_using_rundll32_in_cmd": "rundll32.exe was used to obfuscate the command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "obfuscation_using_rundll32_in_registry": "Obfuscation using rundll32.exe was detected in the registry: $Registry_value (MITRE: T1027 Obfuscated Files or Information).", "obfuscation_via_stdin": "Obfuscation via stdin/stdout was detected: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "password_filter_modification_via_registry": "The process $Image_path has modified the Notification Packages registry key: $Registry_value (MITRE: T1556.003 Modify Authentication Process: Pluggable Authentication Modules).", "password_policy_discovery_via_powershell": "The process $Image_path has tried to discover the password policy via PowerShell: $Command_line (MITRE: T1201 Password Policy Discovery).", "password_policy_discovery_via_standard_windows_utilities": "The process $Image_path has discovered the password policy via the standard Windows utilities: $Command_line (MITRE: T1201 Password Policy Discovery).", "peripheral_device_discovery_via_powershell": "The process $Image_path has tried to discover peripheral devices: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "peripheral_device_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover peripheral devices via the standard Windows utilities: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "ping_delete": "The process $Parent_image_path has used the Ping command to delay deleting its executable file: $Command_line. 
(MITRE: T1070.004 Indicator Removal on Host: File Deletion).", "ping_hex_encoded_ip_address": "A hex-encoded IP address was provided to the ping command: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "port_monitor_via_reg": "The process $Image_path has modified the port monitoring settings: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1547.010 Port Monitors).", "portable_executable_injection": "The process $Image_path has injected a portable executable into the process $Target_image_path (MITRE: T1055.002 Portable Executable Injection).", "possible_nodejs_revese_shell": "The process $Parent_image_path could invoke a reverse shell via node.exe: $Command_line (MITRE: T1059.007 Command and Scripting Interpreter: JavaScript).", "potential_commands_sharphoud": "The process $Image_path has probably used SharpHound/BloodHound commands: $Command_line (MITRE: T1087 Account Discovery).", "powershell_base64": "PowerShell has executed base64-encoded code: $Cmd_line (MITRE: T1140 Deobfuscate/Decode Files or Information).", "powershell_compression": "Compression methods were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "powershell_connecting": "The PowerShell process $Image_path executed with the following command line $Cmd_line has connected to the remote host $Destination_address (MITRE: T1059.001 PowerShell).", "powershell_download": "The PowerShell script has attempted to download a file by using the command $Command_line (MITRE: T1059.001 PowerShell).", "powershell_from_vbs": "The process $Parent_image_path has invoked PowerShell from the SyncAppvPublishingServer.vbs script: $Command_line (MITRE: T1216 System Script Proxy Execution).", "powershell_installation_as_service": "The process $Image_path has installed PowerShell as a Windows service: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1569.002 System Services: Service Execution).", 
"powershell_invoke_obfuscation": "Obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "powershell_listening": "The PowerShell process $Image_path executed with the following command line $Command_line has started listening on the network and waiting for incoming connections (MITRE: T1059.001 PowerShell).", "powershell_suspicious_arguments": "Suspicious arguments were detected in the PowerShell command line: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "ppid_spoofing": "The process $Original_parent_image has spoofed the parent PID of the child process $Image_path. Assigned parent process: $Spoofed_parent_image (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "ppid_spoofing2": "The process $Original_parent_image has spoofed the parent PID of the child process $Image_path via the UpdateProcThreadAttribute WinAPI. Assigned parent process: $Spoofed_parent_image (MITRE: T1134.004 Access Token Manipulation: Parent PID Spoofing).", "print_proc_via_reg": "The process $Image_path has added $Registry_value to the registry key: $Registry_key\\\\$Registry_value_name (MITRE: T1547.012 Boot or Logon Autostart Execution: Print Processors).", "privilege_escalation_via_dde_client_impersonation_abuse": "The process $Image_path has impersonated a DDE client via WinAPI (MITRE: T1068 Exploitation for Privilege Escalation).", "privilege_escalation_via_named_pipe_client_impersonation_abuse": "The process $Image_path has impersonated a named pipe client via WinAPI (MITRE: T1068 Exploitation for Privilege Escalation).", "process_crash": "The application $Image_path has crashed.", "process_creation_via_runas": "The process $Parent_image_path has created a process in the security context of another user: $Command_line (MITRE: T1134.002 Access Token Manipulation: Create Process with Token).", "process_discovery_via_powershell": "The process $Image_path has 
tried to discover processes via PowerShell: $Command_line (MITRE: T1057 Process Discovery).", "process_discovery_via_standart_windows_utilities": "The process $Image_path has tried to discover processes via the standard Windows utilities: $Command_line (MITRE: T1057 Process Discovery).", "process_doppelganging": "The process $Image_path has injected code into the process $Target_image_path using the Process Doppelgänging technique (MITRE: T1055.013 Process Injection: Process Doppelganging).", "process_dump_via_rundll32_comsvcs_dll": "The process $Image_path has dumped another process via the built-in Windows Comsvcs.dll: $Command_line (MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "process_hollowing": "The process $Image_path has injected code into the hollowed process $Target_image_path (MITRE: T1055.012 Process Injection: Process Hollowing).", "process_injection_via_alpc_port": "The process $Image_path has injected code into the process $Target_image_path via an ALPC port (MITRE: T1055 Process Injection).", "process_injection_via_clipbrdwndclass": "The process $Image_path has injected code into the process $Target_image_path via the Clipboard Window Class (MITRE: T1055 Process Injection).", "profile_ps1_modification": "The process $Image_path has modified the PowerShell profile ($File_path) - a script that runs when PowerShell starts. 
(MITRE: T1546.013 Event Triggered Execution: PowerShell Profile).", "provider_enableproperty_value_modification_via_registry": "The process $Image_path has modified the \"EnableProperty\" value: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.006 Impair Defenses: Indicator Blocking).", "ps1_created_in_susp_directory": "The process $Image_path has created a new .ps1 script in a suspicious directory: $File_path (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_execute_from_file": "PowerShell code was executed from a file: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_execute_from_internet": "PowerShell code was executed from the Internet: $Cmd_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "pwsh_execute_from_registry": "PowerShell code was executed from the Windows registry: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "query_registry_via_powershell": "The process $Image_path has tried to query the registry via PowerShell: $Command_line (MITRE: T1012 Query Registry).", "query_registry_via_standard_windows_utilities": "The process $Image_path has tried to query the registry: $Command_line (MITRE: T1012 Query Registry).", "ransom_wasted": "The process $Image_path renames user files with the $Extension extension, which is typical for the Trojan-Ransom family (MITRE: T1486 Data Encrypted for Impact).", "rdp_hijackinhg_via_tscon": "The process $Image_path has redirected an RDP session via tscon: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "rdp_network_connection_from_unusual_process": "An RDP/TCP network connection has been established from an unusual process: from $Image_path to the IP address $Destination_ip (MITRE: T1021.001 Remote Desktop Protocol).", "rdp_registry_modification": "The process $Image_path has modified the RDP service via the registry: $Registry_key\\\\$Registry_value_name: 
$Registry_value (MITRE: T1021.001 Remote Desktop Protocol).", "rdp_service_modification_via_reg": "The process $Image_path has modified the RDP service via Reg: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "rdp_shadowing_via_mstsc": "The process $Image_path has shadowed an RDP session via MSTSC: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "read_bios_version": "The process $Image_path has read the BIOS version and compared it with the predefined value $Target_file_path (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "read_browser_user_data": "The process $Image_path tries to get access to user credentials from a web browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_chrome_bookmarks": "The process $Image_path has tried to access bookmarks saved in Google Chrome browser (MITRE: T1217 Browser Bookmark Discovery).", "read_chrome_credentials": "The process $Image_path has tried to access credentials saved in Google Chrome browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_clipboard": "The process $Image_path has read data from the user clipboard (MITRE: T1115 Clipboard Data).", "read_credentials_in_files": "The process $Image_path has searched the file $File_path (MITRE: T1552.001 Unsecured Credentials: Credentials In Files).", "read_documents": "The process $Image_path has read multiple files from the folder \"Documents\" (MITRE: T1119 Automated Collection).", "read_edge_bookmarks": "The process $Image_path has tried to access bookmarks saved in Microsoft Edge browser (MITRE: T1217 Browser Bookmark Discovery).", "read_edge_credentials": "The process $Image_path has tried to access credentials saved in Microsoft Edge browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_firefox_bookmarks": "The process $Image_path has tried to access bookmarks saved in Mozilla Firefox browser (MITRE: T1217 Browser Bookmark Discovery).", "read_firefox_credentials": "The process $Image_path has tried to access 
credentials saved in Mozilla Firefox browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_ie_bookmarks": "The process $Image_path has tried to access bookmarks saved in Internet Explorer browser (MITRE: T1217 Browser Bookmark Discovery).", "read_ie_credentials": "The process $Image_path has tried to access credentials saved in Internet Explorer browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_opera_bookmarks": "The process $Image_path has tried to access bookmarks saved in Opera browser (MITRE: T1217 Browser Bookmark Discovery).", "read_opera_credentials": "The process $Image_path has tried to access credentials saved in Opera browser (MITRE: T1555.003 Credentials from Web Browsers).", "read_outlook_pst": "The process $Image_path has read the data file of Microsoft Outlook (MITRE: T1114.001 Email Collection).", "read_system_files": "The process $Image_path has read multiple system files (MITRE: T1083 File and Directory Discovery).", "reboot_safe_mode": "The process $Parent_image_path has rebooted the Windows system in safe mode: $Command_line (MITRE: T1562.009 Impair Defenses: Safe Mode Boot).", "recursive_dir": "The process $Image_path has handled the directory tree, including subfolders and files, using the recursive method (MITRE: T1119 Automated Collection).", "redefine_http_protocol_handler_registry": "The process $Image_path has set $Registry_value as the HTTP protocol handler.", "redirection_to_local_admin_share": "The process $Image_path has redirected the output to the local administrative share: $Command_line (MITRE: T1021.002 SMB/Windows Admin Shares).", "reg_delete": "The process $Parent_image_path has run the $Image_path program via the command line: $Command_line. 
This command uses standard tools to delete a registry value (MITRE: T1112 Modify Registry).", "register_hot_key": "The process $Image_path has registered a hot key.", "regsvr32_dll_from_public_directory": "The process $Image_path has loaded a DLL from the public directories: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "regsvr32_susp_arguments": "The process $Image_path has started with suspicious parameters: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "remote_execution_via_winrm": "The process $Parent_image_path has used WinRM for remote execution: $Command_line (MITRE: T1216 System Script Proxy Execution).", "remote_powershell": "A PowerShell cmdlet for remote command execution was detected: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "remote_services_using_mmc20_application_com_object": "The process $Image_path has created the COM object MMC20.Application to perform lateral movement: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "remote_services_via_com_objects_in_command_line": "The process $Image_path has created a COM object with an explicit IP address in the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "remote_system_discovery_via_powershell": "The process $Image_path has tried to discover remote systems via PowerShell: $Command_line (MITRE: T1018 Remote System Discovery).", "remote_system_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover remote systems: $Command_line (MITRE: T1018 Remote System Discovery).", "remote_wmi_wbemcomn_dll_hijack": "The process $Image_path has hijacked a DLL using remote WMI and the library $Loaded_image_path (MITRE: T1047 Windows Management Instrumentation).", "rename_system_files": "The process $Image_path has renamed the file $File_path to $Target_file_path (MITRE: T1036.003 Masquerading: 
Rename System Utilities).", "right_to_left_override": "The name of the file $Image_path contains a Right-to-Left Override (RLO) character. It can be used to disguise the real file extension (MITRE: T1036.002 Masquerading: Right-to-Left Override).", "run_cpl": "The process $Image_path has started a Control Panel item (MITRE: T1218.002 Control Panel Items).", "run_from_app_data": "The process $Image_path has run the executable file $Target_path from the hidden system folder Application Data.", "run_from_program_data": "The process $Image_path has run the executable file $Target_path from the hidden system folder ProgramData.", "run_from_recycler": "The process $Image_path has run the executable file $Target_image_path from the Recycle Bin.", "run_from_windir": "The process $Image_path has run the executable file $Target_path from the Windows system folder.", "rundll_comma_in_registry_run_runonce": "The process $Image_path has added rundll32 with a function call to the registry Run key: $Registry_value (MITRE: T1547.001 Registry Run Keys/Startup Folder).", "rundll_in_registry_service_imagepath": "The process $Image_path has created a service whose ImagePath contains a function call via rundll32.exe: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "rundll32_external_dll": "The process $Image_path has executed a .dll file from an external resource: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "rundll32_suspicious_arguments": "Suspicious arguments, which can be used to execute a malicious payload, were detected in the process Rundll32.exe: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "rundll32_without_parameters": "The process $Image_path has launched rundll32.exe without parameters: $Cmd_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "save_remote_admin": "The process $Image_path has saved the remote administration tool $File_path 
(MITRE: T1219 Remote Access Software).", "saving_lsa_registry_hives": "The process $Parent_image_path has tried to save the Local Security Authority (LSA) registry secrets using $Image_path with the command line $Command_line (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "scheduled_task_creation_via_loading_dll": "A scheduled task has been created: $Loaded_image is loaded into the address space of the process $Image_path (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "scheduled_task_creation_via_microsoft_office_application": "A scheduled task was created by the Microsoft Office application $Image_path (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "screenshot": "The process $Image_path has taken a screenshot of the Desktop (MITRE: T1113 Screen Capture).", "script_event_consumer_via_file_create_from_scrcons": "The process $Image_path has created a file $File_path. This means that a Script Event Consumer was created (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_event_consumer_via_load_image_in_scrcons": "The process $Image_path has loaded an image $Loaded_image_path. 
This means that a Script Event Consumer was created (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_event_consumer_via_suspicious_parent_child_scrcons": "A Script Event Consumer was created, indicated by a suspicious child process of $Parent_image_path: $Command_line (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "script_execution_via_msxsl_or_wmic": "A Visual Basic Script was started via $Image_path using the loaded image $Loaded_image_path (MITRE: T1059.005 Command and Scripting Interpreter: Visual Basic).", "sdiagnhost_suspicious_child_follina": "The process $Parent_image_path has started $Image_path via Sdiagnhost.exe: $Command_line (MITRE: T1203 Exploitation for Client Execution).", "security_software_discovery_via_powershell": "The process $Image_path has tried to discover security software via PowerShell: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_registry": "The process $Image_path has tried to discover security software via the registry: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover security software: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_software_discovery_via_wmic": "The process $Image_path has tried to discover security software via wmic: $Command_line (MITRE: T1518.001 Software Discovery: Security Software Discovery).", "security_token_changed_to_system": "The security token has been changed in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "self_copy": "The process $Image_path has copied the file $Src_path to $Dst_path.", "self_copy_autorun": "The process $Image_path has moved/copied its own executable file to $Target_image_path and 
added it to run on system start (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "self_copy_recycler": "The process $Image_path has copied/moved the file $File_path to the Recycle Bin ($Target_file_path) (MITRE: T1074.001 Local Data Staging).", "self_copy_startup": "The process $Image_path has copied/moved the file $File_path to the Startup folder: $Target_file_path (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "self_delete": "The executable file $Target_file_path has been deleted by the process $Image_path (MITRE: T1070.004 File Deletion).", "self_modify": "The process $Image_path has modified the executable file $File_path (MITRE: T1036 Masquerading).", "self_rename": "The executable file $File_path has been renamed by the process $Image_path to $Target_file_path (MITRE: T1036 Masquerading).", "service_creation_from_non_system_directory": "The process $Image_path has created the service $Service_name, which runs from a non-system directory: $Service_path (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_creation_from_non_system_directory2": "The process $Image_path has created a Windows service which runs from a non-system directory: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_powershell": "A Windows service image path has been modified via PowerShell.exe: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_registry": "The process $Image_path has modified the path to a Windows service image: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_image_path_modification_via_sc_exe": "A Windows service image path modification has been detected: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "service_stop_via_net": "The 
process $Image_path has stopped a service: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_powershell": "The process $Image_path has stopped a service via PowerShell: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_sc": "A service has been stopped via $Image_path: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_taskkill": "The process $Image_path has stopped a service using the taskkill command: $Command_line (MITRE: T1489 Service Stop).", "service_stop_via_wmic": "The process $Parent_image_path has stopped a service via WMIC: $Command_line (MITRE: T1489 Service Stop).", "set_desktop_wallpaper": "The process $Image_path has set a new wallpaper for the Windows desktop: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1491.001 Defacement: Internal Defacement).", "set_fake_file_time": "The process $Image_path has modified the time attributes of the file $File_path (MITRE: T1070.006 Indicator Removal on Host: Timestomp).", "set_hidden_attribute": "The process $Image_path has set the attribute \"Hidden\" on the file $File_path (MITRE: T1564.001 Hidden Files and Directories).", "set_hidden_attribute_via_attrib": "The process $Parent_image_path has set the Hidden attribute on a file via attrib.exe: $Command_line. 
(MITRE: T1564.001 Hidden Files and Directories).", "set_keylogger": "The process $Image_path has installed a keylogger (MITRE: T1056.001 Input Capture: Keylogging).", "setting_user_password_to_never_expired_via_powershell": "The process $Image_path has disabled the user password expiry via PowerShell: $Command_line (MITRE: T1098 Account Manipulation).", "setting_user_password_to_never_expired_via_wmic": "The process $Image_path has disabled the user password expiry: $Command_line (MITRE: T1098 Account Manipulation).", "setwindowshookex_use_to_inject_dll": "The process $Image_path has attempted to inject $File_path into any process by calling SetWindowsHookEx() (MITRE: T1055 Process Injection).", "shared_modules_to_crit_proc": "The module $Loaded_image_path has been loaded into the address space of the $Image_path process (MITRE: T1129 Shared Modules).", "shared_modules_to_legal_soft": "The module $Loaded_image_path has been loaded into the address space of the $Image_path process (MITRE: T1129 Shared Modules).", "shell_code_exec": "The trusted process $Image_path has executed shellcode to obtain unauthorized access to the system (MITRE: T1203 Exploitation for Client Execution).", "shell_command_in_lnk_file": "A shell command was found in the LNK file: $Command_line (MITRE: T1059.003 Command and Scripting Interpreter: Windows Command Shell).", "shell_from_verclsid": "The process verclsid.exe has launched the command shell: $Command_line (MITRE: T1218.012 Signed Binary Proxy Execution: Verclsid).", "shell_start_from_lnk_in_downloads": "The process $Image_path has been created from an LNK file: $Command_line (MITRE: T1204.002 User Execution: Malicious File).", "shellcode_sign": "Shellcode has been found in the memory of the process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "shimming": "The program $Image_path uses the shim database to redirect the application code (MITRE: T1546.011 Application Shimming).", "shutdown_system": "Windows has been shut 
down by the process $Image_path (MITRE: T1529 System Shutdown/Reboot).", "sleep_evasion": "The process $Image_path has set the delayed code execution (MITRE: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion).", "smb_scan": "The program $Image_path has sent multiple SMB requests (MITRE: T1018 Remote System Discovery).", "software_discovery_via_powershell": "The process $Image_path has tried to discover software via PowerShell: $Command_line (MITRE: T1518 Software Discovery).", "software_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover software via standard Windows utilities: $Command_line (MITRE: T1518 Software Discovery).", "ssh_scan": "The process $Image_path has scanned the SSH connections (MITRE: T1046 Network Service Scanning).", "ssp_configuration_modification": "The process $Image_path has registered a new Security Support Provider: $Registry_value (MITRE: T1547.005 Boot or Logon Autostart Execution: Security Support Provider).", "stack_pointer_out_teb": "The stack pointer has exceeded the Thread Environment Block structure limit in the trusted process $Image_path (MITRE: T1203 Exploitation for Client Execution).", "start_bcdedit": "Automatic Windows Recovery was disabled via BCDEdit utility: $Command_line (MITRE: T1490 Inhibit System Recovery).", "start_page": "The process $Image_path has changed the browser home page (MITRE: T1185 Man in the Browser).", "start_with_cmd": "The process $Image_path has changed a registry entry $Registry_key so that the file $Target_image_path runs on startup of Windows Command Line Interpreter (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "started_child_process_from_cmstp": "A process was created from $Parent_image_path in unusual way: $Command_line (MITRE: T1218.003 Signed Binary Proxy Execution: CMSTP).", "started_scheduled_task_from_public_directories": "A scheduled task to run a process from the public directories was created: $Command_line (MITRE: T1053.005 
Scheduled Task/Job: Scheduled Task).", "started_windows_shell_from_hh": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.001 Signed Binary Proxy Execution: Compiled HTML File).", "started_windows_shell_from_mmc": "The process $Parent_image_path has started the $Image_path command shell with the command line: $Command_line (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "started_windows_shell_from_mshta": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.005 Signed Binary Proxy Execution: Mshta).", "started_windows_shell_from_regsvr": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "started_windows_shell_from_rundll32": "The process $Image_path has run the Windows Shell: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "started_windows_shell_from_trusted_process": "The trusted application $Parent_image_path has run the Windows Shell process $Image_path with the command line $Command_line (MITRE: T1204.002 User Execution: Malicious File). ", "startup_system_file_name": "The process $Image_path has created a file $Target_image_path with a name similar to the system file name in the Startup folder (MITRE: T1547.001 Registry Run Keys / Start Folder, T1036.005 Masquerading).", "steal_browser_data_via_esentutl": "The process $Parent_image_path has tried to steal browser data via esentutl.exe: $Command_line (MITRE: T1005 Data from Local System).", "susp_access_to_lsass": "The process $Image_path has got a read/write access to the LSASS memory. 
(MITRE: T1003.001 OS Credential Dumping: LSASS Memory).", "susp_ext_in_startup_folder": "A file with a suspicious extension was created in the startup folder (MITRE: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).", "susp_syntax_command_odbcconf": "The process $Image_path with arguments $Command_line may be abused to proxy the execution of malicious code (MITRE: T1218.008 Signed Binary Proxy Execution: Odbcconf).", "suspend_eventlog_service": "The process $Image_path has disabled event logging to the Windows Event Log by suspending the EventLog service (MITRE: T1562.002 Impair Defenses: Disable Windows Event Logging).", "suspicious_adding_user_to_remote_desktop_users_group": "The process $Image_path has added users to the RDP users group: $Command_line (MITRE: T1021 Remote Desktop Protocol).", "suspicious_autorun": "The process $Image_path has set the file $Registry_value to run on system startup via the suspicious registry key $Registry_key (MITRE: T1547.001 Registry Run Keys / Startup Folder).", "suspicious_certificates_file_creation": "The process $Image_path has created a certificate file: $File_path (MITRE: T1552.004 Unsecured Credentials: Private Keys).", "suspicious_child_process_wmiprvse": "Suspicious child process of $Parent_image_path: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "suspicious_clipboard_output_via_wmic": "A suspicious clipboard output was detected in the process $Image_path: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "suspicious_command_wmic": "The utility wmic.exe was run with a suspicious syntax: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "suspicious_escape_characters_in_use_api": "The process $Image_path operates with an obfuscated string containing escape characters: $String (MITRE: T1027 Obfuscated Files or Information).", "suspicious_escape_characters_in_use_cmd": "Suspicious use of escape characters was detected in the command line: 
$Command_line (MITRE: T1027 Obfuscated Files or Information).", "suspicious_jobs_via_bitsadmin": "The process $Image_path has attempted to create a suspicious job using the command $Command_line (MITRE: T1197 BITS Jobs).", "suspicious_loading_dll_via_regsvcs_regasm": "The process $Image_path has loaded a DLL: $Command_line (MITRE: T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm).", "suspicious_parent_process_regsvr32": "The process $Parent_image_path has run regsvr32.exe: $Command_line (MITRE: T1218.010 Signed Binary Proxy Execution: Regsvr32).", "suspicious_powershell_host_process_dropped": "The process $Image_path has performed an operation with an executable renamed from powershell.exe to another file name: $Drop_path (MITRE: T1036.005 Masquerading).", "suspicious_powershell_host_process_run": "The process $Image_path executed PowerShell interpreter not with powershell.exe but with $Drop_path. Command line: $Cmd_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_query_to_the_lsa_in_registry": "The process $Image_path requests the registry key $Registry_key containing the Local Security Authority (LSA) secrets (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "suspicious_query_to_the_sam_in_registry": "The process $Image_path has queried the SAM registry hives: $Registry_key (MITRE: T1003.002 OS Credential Dumping: Security Account Manager).", "suspicious_query_to_the_security_in_registry": "The process $Image_path has requested a registry key $Registry_key containing security data (MITRE: T1003.004 OS Credential Dumping: LSA Secrets).", "suspicious_sockets_usage_via_powershell": "The process $Parent_image_path has suspiciously used system sockets via PowerShell: $Command_line (MITRE: T1059.001 Command and Scripting Interpreter: PowerShell).", "suspicious_syntax_in_command_execution_InstallUtill": "Unusual arguments were detected in the $Image_path command line: $Command_line (MITRE: T1218.004 Signed Binary Proxy 
Execution: InstallUtil).", "suspicious_syntax_in_command_execution_regasm": "The process $Image_path has started with suspicious arguments: $Command_line (MITRE: T1218.009 Signed Binary Proxy Execution: Regsvcs/Regasm).", "suspicious_syntax_in_command_execution_schtasks": "The process $Image_path was started with suspicious arguments: $Command_line (MITRE: T1053.005 Scheduled Task/Job: Scheduled Task).", "suspicious_wsman_provider_image_loads": "The process $Image_path has loaded the DLL $Loaded_image_path (MITRE: T1021.003 Remote Services: Distributed Component Object Model).", "svc_stop": "The $Image_path process attempts to manipulate security tools using the utility sc.exe (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "svchost_without_parameters": "The process svchost ($Image_path) was executed without parameters: $Command_line (MITRE: T1036 Masquerading).", "system_information_discovery_via_powershell": "The process $Image_path has tried to discover the system information via PowerShell: $Command_line (MITRE: T1082 System Information Discovery).", "system_information_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system information via the standard Windows utilities: $Command_line (MITRE: T1082 System Information Discovery).", "system_language_discovery_via_registry": "The process $Image_path has tried to discover the system language via the registry: $Command_line (MITRE: T1614.001 System Location Discovery: System Language Discovery).", "system_language_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system language via the standard Windows utilities: $Command_line (MITRE: T1614.001 System Location Discovery: System Language Discovery).", "system_network_configuration_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system network configuration via the standard Windows utilities: $Command_line (MITRE: T1016 
System Network Configuration Discovery).", "system_network_connections_discovery_via_powershell": "The process $Image_path has tried to discover system network connections via PowerShell: $Command_line (MITRE: T1049 System Network Connections Discovery).", "system_network_connections_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover system network connections via the standard Windows utilities: $Command_line (MITRE: T1049 System Network Connections Discovery).", "system_owner_or_user_discovery": "The process $Parent_path has launched the program $Image_path with the following command line: $Cmd_line. This command has signs of system owner or user account discovery (MITRE: T1033 System Owner/User Discovery).", "system_owner_or_user_discovery_via_powershell": "The process $Image_path has tried to discover the system owner/user via PowerShell: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_owner_or_user_discovery_via_suspicious_commandline_whoami": "The process $Image_path has tried to discover the system owner/user by executing a suspicious whoami command in the command line: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_ownr_or_user_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system owner/user via the standard Windows utilities: $Command_line (MITRE: T1033 System Owner/User Discovery).", "system_service_discovery_via_powershell": "The process $Image_path has tried to discover system services via PowerShell: $Command_line (MITRE: T1007 System Service Discovery).", "system_service_discovery_via_standard_registry": "The process $Image_path has tried to discover system services via the registry: $Command_line (MITRE: T1007 System Service Discovery).", "system_service_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover system services: $Command_line (MITRE: T1007 System Service Discovery).", 
"system_service_discovery_via_standard_wmic": "The process $Image_path has tried to discover system services via wmic: $Command_line (MITRE: T1007 System Service Discovery).", "system_time_discovery_via_api": "The process $Image_path has tried to discover the system time (MITRE: T1124 System Time Discovery).", "system_time_discovery_via_powershell": "The process $Image_path has tried to discover the system time via PowerShell: $Command_line (MITRE: T1124 System Time Discovery).", "system_time_discovery_via_standard_windows_utilities": "The process $Image_path has tried to discover the system time: $Command_line (MITRE: T1124 System Time Discovery).", "sysvol_check": "The process $Image_path has attempted to access the SYSVOL folder (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "task_cache": "The program $Image_path is trying to modify the task scheduler cache in order to launch applications covertly: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1053.005 Scheduled Task).", "thread_creation_into_critical_win_process": "The process $Image_path has attempted to create a remote thread in the process $Target_image_path (MITRE: T1055 Process Injection).", "thread_execution_hijacking": "The process $Image_path hijacked thread execution to inject code into the process $Target_image_path (MITRE: T1055.003 Process Injection: Thread Execution Hijacking).", "time_evasion_detected": "Sandbox analysis evasion was detected. 
We recommend sending the file for long-term processing (MITRE: T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion).", "token_manipulation": "The process $Image_path bypassed User Account Control (UAC): obtained the token of an auto-elevate process, modified it and reused it to execute as administrator (MITRE: T1548.002 Bypass User Account Control).", "token_manipulation_via_createprocessasuser": "The process $Image_path has duplicated an access token for the process $Target_image_path and created the process $Created_image_path using a new token (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "token_manipulation_via_createprocesswithtoken": "The process $Image_path has duplicated an access token from the process $Target_image_path and created the process $Created_image_path using the new token (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "token_manipulation_via_impersonateloggedonuser": "The process $Image_path has impersonated an access token of the process $Target_image_path via ImpersonateLoggedOnUser (MITRE: T1134.001 Access Token Manipulation: Token Impersonation/Theft).", "tor_connect": "The process $Image_path has connected to a Tor network resource \"$URL\" (MITRE: T1090.003 Multi-hop Proxy).", "uac_bypass_via_com_object_access_cmstp": "The UAC is bypassed via the COM object: $Command_line (MITRE: T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control).", "unknown_dll_launch_or_from_public_directories_rundll32": "The process $Image_path has run a DLL from a public directory: $Command_line (MITRE: T1218.011 Signed Binary Proxy Execution: Rundll32).", "unknown_file_execution_via_regsvr32": "The process $Parent_image_path has executed a file with an atypical extension via $Image_path: $Command_line (MITRE: T1218.010 System Binary Proxy Execution: Regsvr32).", "unknown_file_execution_via_rundll32": "The process $Parent_image_path has executed a file with an atypical extension via $Image_path: 
$Command_line (MITRE: T1218.011 System Binary Proxy Execution: Rundll32).", "use_alternate_data_stream_via_winapi": "The process $Image_path has created an Alternate Data Stream via WinAPI (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "use_of_presentationhost": "The process $Parent_image_path has used Presentationhost.exe to execute code from an XBAP file: $Command_line (MITRE: T1218 System Binary Proxy Execution).", "user_account_deletion_via_net": "The process $Image_path has deleted a user account: $Command_line (MITRE: T1531 Account Access Removal).", "user_account_deletion_via_powershell": "The process $Image_path has deleted a user account via the PowerShell: $Command_line (MITRE: T1531 Account Access Removal).", "user_rights_modification_via_secedit": "The process $Image_path has modified the user rights: $Command_line (MITRE: T1098 Account Manipulation).", "user_supervisor_cpl": "The process $Process_name, started with the standard user privilege level, has obtained the privileges of the SYSTEM user (MITRE: T1203 Exploitation for Client Execution).", "using_alternate_data_stream_in_shell": "The process $Image_path has used an Alternate Data Stream via shell: $Command_line (MITRE: T1564.004 Hide Artifacts: NTFS File Attributes).", "using_comspec_environment_var_not_in_cmd": "The process $Parent_image_path has launched the program $Image_path with the parameter %comspec%: $Command_line (MITRE: T1059.003 Windows Command Shell).", "using_mofcomp_to_compile_mof_file_from_suspicious_folder": "The process $Image_path has tried to compile a MOF file from a suspicious folder: $Command_line (MITRE: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription).", "using_standard_tools_for_interaction_with_remote_registry": "The process $Parent_image_path has launched the program $Image_path with the following command line: $Command_line. 
This command has signs of accessing the registry on a remote machine (MITRE: T1112 Modify Registry).", "using_utility_for_archive": "The archiving utility process $Image_path has been started: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "using_whoami_to_check_that_current_user_is_system": "The system utility whoami.exe was executed on behalf of the NT AUTHORITY\\\\SYSTEM account (MITRE: T1033 System Owner/User Discovery).", "vbs_network": "The process $Image_path is trying to access the network.", "virtual_device_check": "The process $Image_path has checked for the presence of virtual devices to detect a virtual machine (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_driver_service": "The process $Image_path tries to detect virtualization-related services (MITRE: T1497 Virtualization/Sandbox Evasion).", "vm_files_check": "The process $Image_path has checked for the presence of a file specific to a virtual environment: $File_path (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_keys_check": "The process $Image_path has checked for the presence of a registry key specific to a virtual environment: $Registry_key (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_modules_check": "The process $Image_path has checked if the module $Module_name is loaded (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_processes_check": "The process $Image_path has checked if the process $Process_name is running in the system (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "vm_values_check": "The process $Image_path has checked if the registry value of $Registry_key\\$Registry_value_name matches $Substring (MITRE: T1497.001 Virtualization/Sandbox Evasion: System Checks).", "wildcard_search": "The process $Image_path has run a wildcard search: $File_path (MITRE: T1005 Data from Local System).", "win_defender_exclusions_modification_via_registry": "The process $Image_path 
has modified the Windows Defender exclusions: $Registry_key\\\\$Registry_value_name: $Registry_value (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "win_defender_modification_via_powershell": "The Windows Defender configuration was modified via the PowerShell: $Command_line (MITRE: T1562.001 Impair Defenses: Disable or Modify Tools).", "windows_service_creation_via_net": "The process $Parent_image_path has created a service via Net.exe: $Command_line (MITRE: T1543.003 Create or Modify System Process: Windows Service).", "windows_shell_started_archive_utility": "The archive utility process $Image_path has been started from Windows Shell $Parent_image_path with command line: $Command_line (MITRE: T1560.001 Archive Collected Data: Archive via Utility).", "windows_shell_started_at_exe": "The process $Image_path was started from the Windows Shell: $Command_line (MITRE: T1053.002 Scheduled Task/Job: At (Windows)).", "windows_shell_started_schtasks": "The process $Image_path was started from the Windows Shell: $Command_line (MITRE: T1053.002 Scheduled Task/Job: Scheduled Task Windows).", "winlogon_helper_dll": "The process $Image_path may abuse the features of the Winlogon via the registry key $Registry_key to execute $Target_path when a user logs in (MITRE: Winlogon Helper DLL).", "winword_connection_to_external_resource": "The process $Image_path has connected to external network resource (MITRE: T1204.002 User Execution: Malicious File).", "wipe_mbr_via_deviceiocontrol": "The process $Image_path has wiped Master boot record (MBR) via DeviceIoControl function. 
This action is typical of rootkit malware (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "wmi_execution_via_microsoft_office_application": "An MS Office application has run a command via Windows Management Instrumentation (WMI): $Loaded_image_path is loaded into the address space of the process $Image_path (MITRE: T1047 Windows Management Instrumentation).", "wmi_get_info": "The process $Image_path tries to determine the parameters of the system using WMI, which is typical of attempts to identify the environment (MITRE: T1082 System Information Discovery).", "wmi_via_powershell": "The process $Image_path has accessed the Windows Management Instrumentation via the PowerShell: $Command_line (MITRE: T1047 Windows Management Instrumentation).", "write_physical_device": "The process $Image_path has written data to the device $Device_path sector by sector (MITRE: T1561.002 Disk Wipe: Disk Structure Wipe).", "x509enrollment_encoded": "The PowerShell has executed x509-encoded code: $Command_line (MITRE: T1027 Obfuscated Files or Information).", "xor-ed_powershell_command": "XOR obfuscation patterns were detected in the PowerShell command line: $Command_line (MITRE: T1027 Obfuscated Files or Information)." }