7Zip Compressing Dump Files · Active Directory Group Enumeration via Directory Service Access · AdminSDHolder Security Descriptor Modification · BITS Job Creation and File Download Completion · BloodHound Discovery Activity with Security Log Clearance · Certutil Abuse for Malware Download and Write Block Detection · Compiled HTML Help Execution with Rundll32 Staging · CrackMapExec Payload Execution via Obfuscated PowerShell · DCOM Lateral Movement with Script Execution and Privilege Escalation · DLL Hijacking via Unsigned System DLL Load and Process Injection · DNS Server Audit Configuration Disabled · Diskshadow Script Execution for Credential Dumping · Driver Signature Enforcement Bypass via Signed Vulnerable Driver Loading · Event Log Clearing via wevtutil.exe · FTP Execution via Command Shell and Python Script · File Share Permissions Modified and Network Share Access · Guest Account Activated · IIS Process Network Tunneling via Localhost RDP and SMB Ports · Interactive Shell Creation via AT Scheduled Task Execution · Kerberos Constrained Delegation Configuration on Computer Account
ADCS PKI OCSP Configuration and Audit Policy Modification · Active Directory Group Membership Discovery via Get-ADGroupMember · Administrative-Like User Account Creation · BITS Job Execution via desktopimgdownldr.exe with Remote File Download · Browser Credential Dump via Network Share Access · Certutil Download with Audit Log Clearing · Compiled HTML Help File Exploitation With Command Execution · CrackMapExec Payload Execution via PowerShell · DCOM Object Instantiation via PowerShell Script Block · DLL Hijacking via rundll32 and Malicious Module Load · DNS Server DLL Hijacking via serverlevelplugindll Configuration · DnsAdmins Group Member Addition · EDR Testing Script with Living-off-the-Land and Network Reconnaissance · Event Log Deletion via WMI · Failed Administrative Share Access Attempts · File Timestamp Modification (MACE Timestomp) · Guest Account RID Hijacking via Registry Modification · IIS Process RDP and SMB Tunneling Over Localhost · Internet Explorer Process Injection Into Command Shell · Kerberos Golden Ticket Authentication
Accessibility Feature Abuse for Privilege Escalation via AppCompat Shimming · Active Directory Module Loaded in PowerShell · Anonymous Logon with Domain Specification via NTLM · BITS Job Notification Command Line Execution for Persistence · Browser Process Execution via Command Line with Malware Download URL · Code Injection via Conhost Process Memory Access · Computer Account Created With Privileges · Credential Database Access and Log Clearing · DCOM Remote Launch Permission Denied · DLL Side-Loading and Service Persistence via Java jjs.exe · DNS Zone Transfer Failure from Remote Server · Domain Admin Group Enumeration via SAM Access · EDR Testing Tool Activity With Living-Off-The-Land Binaries · Event Viewer UAC Bypass via Registry COM Handler Hijacking · Failed DLL Load Injection Attempt in DNS Server Process · File Timestamp Modification (MACE) via Explorer Process · HackTool - NetExec Execution · IIS Worker Process Command Execution and Process Access · JScript9 Engine Invocation and Regsvr32 Script Execution · Kerberos Password Spray Attack with Log Clearing
Accessibility Features Abuse for Persistence via OSK Registry Modification · Active Directory Object Attribute Modification via localizationDisplayId · Anonymous Logon with Security Log Clearance · BITS Job Notification Command Line Execution via mobsync · Bulk Group Membership Addition to Multiple Groups · Code Injection via Print Spooler Process Access · Computer Account Creation with Dollar Sign Suffix · Credential Dumping Driver Service Installation · DCOM Remote Process Execution via ShellBrowserWindow · DLL Side-Loading via Java Executable with Service Persistence · DSRM Password Reset via NTDSutil · Domain Group Enumeration via Net Command · Emotet Malware PowerShell Command Execution with Obfuscation · EventVwr UAC Bypass via Registry Class Handler Hijacking · Failed Login with Account Restriction Denial · Firewall Configuration Enumeration via Get-NetFirewallProfile · HackTool - NetExec File Indicators · IIS Worker Process Command Execution and System Reconnaissance · JScript9 Engine Invocation via CLSID and Regsvcs Script Loading · Kerberos Pre-Authentication Failure Brute Force Attack
Accessibility Features Abuse for Persistence via On-Screen Keyboard · Active Directory Object Owner and Security Descriptor Modification · AppContainer Integrity Level Broker File Write Privilege Escalation · BITS Transfer Initiated via PowerShell Script · C# Compiler Execution with Obfuscated Output Generation · Code Injection via Spoolsv Process Memory Access · Computer Account Delegation Enabled for Service Impersonation · Credential Dumping via LSASS Process Injection and Memory Access · DCOM ShellBrowserWindow Lateral Movement Network Connection · DLL Sideloading via ProgramData Intel Directory · De Fake Computeraccount 4720 · Domain Object ACL Modification for DCSync Rights · Emotet Malware PowerShell Script Block Execution · Eventlog Service Named Pipe Creation and Connection · Failed RDP Connection Attempt with Valid Credentials · Firewall Configuration Enumeration via netsh · Hidden Local Account Creation via Registry Modification · IPC$ Share Access with Spoolss Service Enumeration · KeePass Password Extraction via DLL Injection (KeeFarce) · Kerberos Preauthentication Disabled on User Account
Account Marked as Sensitive and Cannot be Delegated · Active Directory Object Permission Modification on Organizational Unit · Atomic Red Team Test Suite Execution with Multi-Stage Persistence · BITS Transfer Job Execution via Command Line · CMSTP UAC Bypass via INI Profile Installation · Command Execution via SQL Server xp_cmdshell · Computer Account Delegation Privilege Enabled · Credential Dumping via RunAsCS and Log Clearing · DCshadow Attack with Directory Replication Failure · DLL Sideloading with Process Injection and Run Key Persistence · De Wineventlogsvc Crash System 7036 · Domain Policy Modified by Non-System Account · Encoded PowerShell Metasploit Payload via Service Installation and Process Execution · Exchange Server Privilege Escalation via DCSync Attack · Failed SQL Server Login with Disabled SA Account · Firewall Rule Creation via PowerShell · Hidden User Account Creation with Privilege Escalation and Cleanup · Image File Execution Options Injection via Registry and Sticky Keys Execution · Kekeo Credential Theft via TSSSP Named Pipe · Kerberos Relay Privilege Escalation via Network Logon
Account Password Reset via Privileged User · Active Directory Organizational Unit Permission Modification · Audit Policy Clear Attempt · BITS Transfer of Suspicious Executables and Staged Downloads · COM Object Hijacking via CLSID Registry Modification · Command Execution via Sticky Keys Registry Injection · Computer Account Renamed Without Trailing Dollar Sign (CVE-2021-42278) · Credential Extraction and Lateral Movement via DonPAPI · DLL Hijacking via CDPSvc Service Manipulation · DLL Sideloading with UAC Bypass and Remote Code Injection · DirectInput Registry Modification by Keylogger Process · Domain Trust Establishment and Forest Link Creation · Encrypted Payload Service Installation via SMB with PowerShell Execution · Exchange Server Transport Configuration File Modification · Failed Sticky Keys Executable Replacement Attempt · Firewall Rule Creation with Wildcard Addresses · High-Volume File Download via BITS Job · Image File Execution Options Injection via Sticky Keys Hijacking · Kekeo Named Pipe Creation and Connection for Credential Theft · Kerberos TGS Ticket Enumeration for Host Discovery
Account Self-Addition to Active Directory Group · Active Directory Security Descriptor Modification on Domain Root · Audit Policy Disable via auditpol.exe · BITS Transfer to System Binary with Suspicious Job Naming · COM Object Hijacking via Registry and DLL Injection · Command Execution via Visual Studio MSBuild Prebuild Event · Control Panel Applet Execution via Program Compatibility Assistant · Credential Harvesting via Fake Login Prompt Injection · DLL Hijacking via Fax Service with Bind Shell and Process Injection · DMSA Link Attributes Modified · Directory Replication Services Access for Credential Dumping · Drive-By Download Process Execution via Browser · EternalRomance MS17-010 Remote Code Execution via PsExec · Executable Write to Personalization Directory via Svchost Abuse · Failed Transport Agent Installation Attempt · Golden Ticket Kerberos Service Ticket Issuance · Honeypot Account Property Enumeration via Directory Service Access · Image File Execution Options and Silent Process Exit Registry Hijacking · Kerberoast Attack With Weak Encryption Type · Kerberos TGT and Service Ticket Request for Host Without Trailing Dollar Sign
Active Directory ACL Modification and Credential Manipulation · Addition of User Account to Sensitive Domain Groups · Audit Policy Enumeration and Event Log Clearing · Bidirectional SMB Authentication Connection via Print Spooler · CVE-2020-0796 SMBv3 Remote Code Execution with Privilege Escalation · Compatibility Fix Application Execution Tracking · Control Panel File Execution via Rundll32 Shell32.dll · Credential Manager Vault Access and Credential Enumeration · DLL Hijacking via Rundll32 with Suspicious Module Loading · DMSA Service Account Created in Specific OUs - PowerShell · Directory Service Object Access with Replication Rights · Driver Load - RwDrv (RwEverything) Hardware Access Tool · Event Log Cleared · Explorer Process Execution with Shell Command Handler Invocation · Failed xp_cmdshell Execution Attempt via MSSQL · Group Policy Object Modification via Directory Service Access · IIS AppPool Credential and Configuration Discovery via AppCmd · InstallUtil Signed Binary Proxy Execution · Kerberos AS-REP Roasting Attack · Kerberos User Enumeration via Pre-Authentication Requests
Active Directory Forest Discovery via DirectoryServices API · Admin Share Connection with Golden Ticket · Audit Policy Modification · BitLocker Volume Encryption Activation · CVE-2021-42287 noPac SAM Database Compromise and Computer Account Manipulation · Compiled HTML Help (HH.exe) Execution and Payload Delivery · Control Panel File Execution via rundll32 and control.exe · DC Shadow Attack with Log Clearing and Computer Account Manipulation · DLL Hijacking via Service Binary Planting - CDPSvc · DNS Hosts File Modified · Directory Services Restore Mode Password Change · Driver Signature Enforcement Bypass via Bring Your Own Vulnerable Driver · Event Log Clearing via PowerShell Clear-EventLog · Explorer Process Execution with Suspicious Root Parameter and Binary Load · File Hidden via Attrib Command Execution · Group Policy Object Security Descriptor Modification · IIS Application Pool Credential and Configuration Discovery via PowerShell and AppCmd · Interactive Logon Attempts via Browser Process with Failed Authentication · Kerberos Brute Force Attack Against Non-Existent and Valid Users · Kernel Debug and Test Signing Mode Enabled
Capabilities
Use authentic threat behavior for detection engineering without the risk of running live malware
Browse a comprehensive catalog of malicious activity logs from real threats. Find the exact behavior you need to test your detections. Filter by MITRE ATT&CK tactic, technique, log type, and source.
Use logs captured from sandboxes, incident response engagements, or threat intelligence to build detections against actual threat behavior rather than synthetic test data.
Insert the logs directly into Splunk or Elasticsearch without standing up a test environment or detonating the threat yourself.
Integrations
Directly integrate with the platforms your team already uses
More integrations coming soon