| Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Direct Volume Access - T1006 (0c8ab3eb-df48-4b9c-ace7-beacaac81cc5) | Attack Pattern | 1 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 1 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |
| Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 1 |
| Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) | Attack Pattern | 1 |
| Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 1 |
| Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 1 |
| Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | 1 |
| Behavior Prevention on Endpoint - M1040 (90f39ee1-d5a3-4aaa-9f28-3b42815b0d46) | Course of Action | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 1 |
| Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Outlook Rules - T1137.005 (3d1b9d7e-3921-4d25-845a-7d9f15c0da44) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | KernelCallbackTable - T1574.013 (a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | VDSO Hijacking - T1055.014 (98be40f2-c86b-4ade-b6fc-4964932040e5) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Portable Executable Injection - T1055.002 (806a49c4-970d-43f9-9acc-ac0ee11e6662) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | ListPlanting - T1055.015 (eb2cb5cb-ae87-4de0-8c35-da2a17aafb99) | Attack Pattern | 2 |
| Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Proc Memory - T1055.009 (d201d4cc-214d-4a74-a1ba-b3fa09fd4591) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) | Attack Pattern | 2 |
| Add-ins - T1137.006 (34f1d81d-fe88-4f97-bd3b-a3164536255d) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Execution Hijacking - T1055.003 (41d9846c-f6af-4302-a654-24bba2729bc6) | Attack Pattern | 2 |
| Outlook Home Page - T1137.004 (bf147104-abf9-4221-95d1-e81585859441) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) | Attack Pattern | User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade File Type - T1036.008 (208884f1-7b83-4473-ac22-4e1cf6c41471) | Attack Pattern | 2 |
| Office Test - T1137.002 (ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) | Attack Pattern | 2 |
| Extra Window Memory Injection - T1055.011 (0042a9f5-f053-4769-b3ef-9ad018dfa298) | Attack Pattern | Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Thread Local Storage - T1055.005 (e49ee9d2-0d98-44ef-85e5-5d3100065744) | Attack Pattern | 2 |
| Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) | Attack Pattern | Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Ptrace System Calls - T1055.008 (ea016b56-ae0e-47fe-967a-cc0ad51af67f) | Attack Pattern | 2 |
| System Script Proxy Execution - T1216 (f6fe9070-7a65-49ea-ae72-76292f42cebe) | Attack Pattern | PubPrn - T1216.001 (09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58) | Attack Pattern | 2 |
| Outlook Forms - T1137.003 (a9e2cea0-c805-4bf8-9e31-f5f0513a3634) | Attack Pattern | Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) | Attack Pattern | 2 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) | Attack Pattern | 2 |
| Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) | Attack Pattern | Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) | Attack Pattern | 2 |
| Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) | Attack Pattern | Process Doppelgänging - T1055.013 (7007935a-a8a7-4c0b-bd98-4e85be8ed197) | Attack Pattern | 2 |