T1027 W32.CaretCommandObfuscation AMP Cloud IOC T1027 W32.BacktickCommandObfuscation AMP Cloud IOC T1027 W32.EnvVariableCharacterUse AMP Cloud IOC T1027 W32.SuspiciousPowershellCommand AMP Cloud IOC T1027 29580 Snort rule T1027 43672 Snort rule T1027 43673 Snort rule T1027 16339 Snort rule T1027 4916 Snort rule T1027 4917 Snort rule T1027 12770 Snort rule T1027 12771 Snort rule T1027 12772 Snort rule T1027 12773 Snort rule T1027 12774 Snort rule T1027 12775 Snort rule T1027 17571 Snort rule T1027 16574 Snort rule T1027 16573 Snort rule T1027 21108 Snort rule T1027 25391 Snort rule T1027 26349 Snort rule T1027 28609 Snort rule T1027 32804 Snort rule T1027 33983 Snort rule T1027 35109 Snort rule T1027 35110 Snort rule T1027 36824 Snort rule T1027 38876 Snort rule T1027 39130 Snort rule T1027 41084 Snort rule T1027 41092 Snort rule T1027 40755 Snort rule T1027 37130 Snort rule T1027 37132 Snort rule T1027 25562 Snort rule T1027 16390 Snort rule T1027 16354 Snort rule T1027 21582 Snort rule T1027 23611 Snort rule T1027 23612 Snort rule T1027 25475 Snort rule T1027 42292 Snort rule T1027 45915 Snort rule T1027 21519 Snort rule T1027 17400 Snort rule T1027 21040 Snort rule T1027 21039 Snort rule T1027 21038 Snort rule T1027 20276 Snort rule T1027 19889 Snort rule T1027 19888 Snort rule T1027 19887 Snort rule T1027 19884 Snort rule T1027 19867 Snort rule T1027 21037 Snort rule T1027 19437 Snort rule T1027 14008 Snort rule T1027 13989 Snort rule T1027 13988 Snort rule T1027 13987 Snort rule T1027 13791 Snort rule T1027 21580 Snort rule T1027 21579 Snort rule T1027 21578 Snort rule T1027 21577 Snort rule T1027 18132 Snort rule T1027 19868 Snort rule T1027 17111 Snort rule T1027 15363 Snort rule T1027 15697 Snort rule T1027 15362 Snort rule T1027 18493 Snort rule T1027 22071 Snort rule T1027 22072 Snort rule T1027 22073 Snort rule T1027 22074 Snort rule T1027 23018 Snort rule T1027 23085 Snort rule T1027 23086 Snort rule T1027 23087 Snort rule T1027 23088 Snort rule T1027 
23089 Snort rule T1027 23113 Snort rule T1027 23114 Snort rule T1027 23160 Snort rule T1027 23161 Snort rule T1027 23226 Snort rule T1027 23481 Snort rule T1027 23482 Snort rule T1027 23621 Snort rule T1027 23636 Snort rule T1027 17291 Snort rule T1027 21780 Snort rule T1027 21781 Snort rule T1027 21782 Snort rule T1027 21783 Snort rule T1027 21784 Snort rule T1027 21785 Snort rule T1027 21786 Snort rule T1027 21787 Snort rule T1027 24167 Snort rule T1027 24168 Snort rule T1027 25060 Snort rule T1027 25451 Snort rule T1027 25452 Snort rule T1027 25453 Snort rule T1027 25454 Snort rule T1027 25455 Snort rule T1027 25456 Snort rule T1027 25457 Snort rule T1027 25458 Snort rule T1027 25592 Snort rule T1027 25783 Snort rule T1027 23831 Snort rule T1027 23832 Snort rule T1027 25983 Snort rule T1027 26092 Snort rule T1027 26101 Snort rule T1027 26352 Snort rule T1027 3679 Snort rule T1027 18239 Snort rule T1027 19074 Snort rule T1027 19075 Snort rule T1027 20137 Snort rule T1027 26440 Snort rule T1027 26441 Snort rule T1027 26565 Snort rule T1027 26566 Snort rule T1027 26567 Snort rule T1027 26568 Snort rule T1027 26595 Snort rule T1027 26596 Snort rule T1027 26615 Snort rule T1027 26616 Snort rule T1027 26619 Snort rule T1027 26620 Snort rule T1027 26451 Snort rule T1027 27073 Snort rule T1027 27074 Snort rule T1027 27258 Snort rule T1027 27259 Snort rule T1027 27272 Snort rule T1027 27593 Snort rule T1027 27119 Snort rule T1027 27735 Snort rule T1027 27736 Snort rule T1027 27920 Snort rule T1027 28023 Snort rule T1027 28024 Snort rule T1027 28025 Snort rule T1027 28344 Snort rule T1027 27592 Snort rule T1027 28345 Snort rule T1027 28346 Snort rule T1027 28420 Snort rule T1027 28421 Snort rule T1027 28422 Snort rule T1027 28629 Snort rule T1027 28630 Snort rule T1027 28811 Snort rule T1027 28812 Snort rule T1027 19081 Snort rule T1027 28941 Snort rule T1027 29190 Snort rule T1027 29213 Snort rule T1027 29509 Snort rule T1027 29510 Snort rule T1027 29519 Snort rule T1027 
29745 Snort rule T1027 29807 Snort rule T1027 29813 Snort rule T1027 30327 Snort rule T1027 30328 Snort rule T1027 32355 Snort rule T1027 34118 Snort rule T1027 34226 Snort rule T1027 34227 Snort rule T1027 35737 Snort rule T1027 35738 Snort rule T1027 36036 Snort rule T1027 36070 Snort rule T1027 37728 Snort rule T1027 37729 Snort rule T1027 37891 Snort rule T1027 37892 Snort rule T1027 37903 Snort rule T1027 37904 Snort rule T1027 37905 Snort rule T1027 37906 Snort rule T1027 37907 Snort rule T1027 37908 Snort rule T1027 37909 Snort rule T1027 37948 Snort rule T1027 37949 Snort rule T1027 37950 Snort rule T1027 37971 Snort rule T1027 37972 Snort rule T1027 38104 Snort rule T1027 38105 Snort rule T1027 38250 Snort rule T1027 38251 Snort rule T1027 38332 Snort rule T1027 38337 Snort rule T1027 38340 Snort rule T1027 38341 Snort rule T1027 38368 Snort rule T1027 38369 Snort rule T1027 38394 Snort rule T1027 38541 Snort rule T1027 38595 Snort rule T1027 38596 Snort rule T1027 38597 Snort rule T1027 38598 Snort rule T1027 38599 Snort rule T1027 38600 Snort rule T1027 38601 Snort rule T1027 38602 Snort rule T1027 38614 Snort rule T1027 38615 Snort rule T1027 38616 Snort rule T1027 38617 Snort rule T1027 38618 Snort rule T1027 38637 Snort rule T1027 38641 Snort rule T1027 38642 Snort rule T1027 38666 Snort rule T1027 38667 Snort rule T1027 38677 Snort rule T1027 38678 Snort rule T1027 38679 Snort rule T1027 38734 Snort rule T1027 38922 Snort rule T1027 39320 Snort rule T1027 39321 Snort rule T1027 39323 Snort rule T1027 39488 Snort rule T1027 39489 Snort rule T1027 39490 Snort rule T1027 40250 Snort rule T1027 41714 Snort rule T1027 42017 Snort rule T1027 42111 Snort rule T1027 42946 Snort rule T1027 42947 Snort rule T1027 42948 Snort rule T1027 42949 Snort rule T1027 42950 Snort rule T1027 43216 Snort rule T1027 43256 Snort rule T1027 43707 Snort rule T1027 43708 Snort rule T1027 43836 Snort rule T1027 43837 Snort rule T1027 43989 Snort rule T1027 43990 Snort rule 
T1027 44172 Snort rule T1027 44235 Snort rule T1027 44615 Snort rule T1027 44692 Snort rule T1027 44693 Snort rule T1027 51632 Snort rule T1027 51633 Snort rule T1027 Antivirus Service Flagged Artifact As Encrypted ThreatGrid Behavioral Indicator T1027 Executable Artifact has Misleading File Extension ThreatGrid Behavioral Indicator T1027 Artifact With Obfuscated Extension Detected ThreatGrid Behavioral Indicator T1027 Static Analysis Flagged Artifact As Anomalous ThreatGrid Behavioral Indicator T1027 Static Analysis Flagged Artifact As Anti-Analysis ThreatGrid Behavioral Indicator T1027 HTML Containing PE File ThreatGrid Behavioral Indicator T1027 Static Analysis Flagged Artifact As Potentially Obfuscated ThreatGrid Behavioral Indicator T1027 Static Analysis Flagged Script Artifact Containing PE File ThreatGrid Behavioral Indicator T1027 AutoIT Script Contains Suspicious Code ThreatGrid Behavioral Indicator T1027 HTML Uses Image Alternate JavaScript Redirection ThreatGrid Behavioral Indicator T1027 Malicious Document Javascript OLE Object Detected ThreatGrid Behavioral Indicator T1027 A Shortcut That References Active Documents was Detected ThreatGrid Behavioral Indicator T1027 Artifact Packed with RAR ThreatGrid Behavioral Indicator T1027 PE Header Overlaps the DOS Header ThreatGrid Behavioral Indicator T1027 PE Artifact Found Without a Name ThreatGrid Behavioral Indicator T1027 Executable With Suspicious Overlay Data Detected ThreatGrid Behavioral Indicator T1027 Windows Expand Utility Was Run on a Cab File ThreatGrid Behavioral Indicator T1027 Certutil Decoded An Executable ThreatGrid Behavioral Indicator T1027 Command Substring Obfuscation Detected ThreatGrid Behavioral Indicator T1027 Command Line Obfuscation Detected ThreatGrid Behavioral Indicator T1027 CDF File Used as an Archive ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded Executable File ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded Flash File ThreatGrid 
Behavioral Indicator T1027 Document Contains an Embedded JAR File ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded JavaScript ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded Shortcut File ThreatGrid Behavioral Indicator T1027 Office Document Contains Encapsulated PostScript ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded Visual Basic Script ThreatGrid Behavioral Indicator T1027 Document Failed Parsing ThreatGrid Behavioral Indicator T1027 Office Document Requires Internal Password ThreatGrid Behavioral Indicator T1027 Office Document Requires Password ThreatGrid Behavioral Indicator T1027 Office Document Uses Content Obfuscation ThreatGrid Behavioral Indicator T1027 Javascript in HTML Contains Randomly Generated Variables ThreatGrid Behavioral Indicator T1027 HTML Contains JavaScript Using 'eval()' Function ThreatGrid Behavioral Indicator T1027 Internet Explorer Launched With Multiple Redirects ThreatGrid Behavioral Indicator T1027 JAR Contains Overly Large Number Of File Types ThreatGrid Behavioral Indicator T1027 JAR Contains File with Executable Extension ThreatGrid Behavioral Indicator T1027 JAR Contains a Windows Executable File ThreatGrid Behavioral Indicator T1027 Jar Containing Classes With Random Names Detected ThreatGrid Behavioral Indicator T1027 JAR Contains Classes with Very Short Names ThreatGrid Behavioral Indicator T1027 JAR Uses Crypto Package ThreatGrid Behavioral Indicator T1027 JAR Uses Reflection Package ThreatGrid Behavioral Indicator T1027 Javascript Contains Encoded Executable ThreatGrid Behavioral Indicator T1027 A Javascript file containing hexadecimal variables was seen ThreatGrid Behavioral Indicator T1027 Javascript Contains a Long Char-Code String ThreatGrid Behavioral Indicator T1027 Javascript Contains a Long Hex Escaped String ThreatGrid Behavioral Indicator T1027 Javascript Contains an Excessively Long String ThreatGrid Behavioral Indicator T1027 Javascript Contains 
Randomly Generated Variables ThreatGrid Behavioral Indicator T1027 JavaScript Contains Suspicious Unused Code ThreatGrid Behavioral Indicator T1027 Javascript References Executable ThreatGrid Behavioral Indicator T1027 Javascript References Encryption/Decryption ThreatGrid Behavioral Indicator T1027 JavaScript Obfuscation Using "eval()" Function ThreatGrid Behavioral Indicator T1027 JavaScript Obfuscation Using "fromCharCode()" Function ThreatGrid Behavioral Indicator T1027 An Embedded VBA Macro Contains Very Long Variable Names ThreatGrid Behavioral Indicator T1027 An Embedded VBA Macro Contains Randomly Generated Variables ThreatGrid Behavioral Indicator T1027 Installer Contains an Invalid Certificate Signature ThreatGrid Behavioral Indicator T1027 Downloaded PE Executable With Image Extension ThreatGrid Behavioral Indicator T1027 PE Executable Downloaded Via Propfind ThreatGrid Behavioral Indicator T1027 PDF Contains Embedded SWF Stream ThreatGrid Behavioral Indicator T1027 PDF Contains Embedded JavaScript Stream ThreatGrid Behavioral Indicator T1027 PDF Contains Named JavaScript ThreatGrid Behavioral Indicator T1027 PDF Contains Embedded Microsoft Office Document Stream ThreatGrid Behavioral Indicator T1027 PDF Contains URI Using Shortener Service ThreatGrid Behavioral Indicator T1027 PDF JavaScript Obfuscation Using "eval()" Function ThreatGrid Behavioral Indicator T1027 PDF JavaScript Obfuscation Using "fromCharCode()" Function ThreatGrid Behavioral Indicator T1027 PDF JavaScript Using "alert()" Function ThreatGrid Behavioral Indicator T1027 PDF Contains JavaScript Which Uses the ExportDataObject() Function ThreatGrid Behavioral Indicator T1027 PDF Contains JavaScript Which Uses the "substring" Function ThreatGrid Behavioral Indicator T1027 PDF Contains JavaScript Which Uses the Unescape() Function ThreatGrid Behavioral Indicator T1027 PDF JavaScript Obfuscation Using Hex Escaping ThreatGrid Behavioral Indicator T1027 PDF JavaScript Obfuscation Using 
"replace()" Function ThreatGrid Behavioral Indicator T1027 PDF Contains Suspicious Identifiers ThreatGrid Behavioral Indicator T1027 PDF JavaScript Obfuscation Using "toString" Function ThreatGrid Behavioral Indicator T1027 JavaScript Obfuscates Call to "unescape" ThreatGrid Behavioral Indicator T1027 PDF Contains JavaScript with Very Long Variable Names ThreatGrid Behavioral Indicator T1027 PDF Document Requires Password ThreatGrid Behavioral Indicator T1027 PE DOS Header Initial CS Value is Abnormal ThreatGrid Behavioral Indicator T1027 PE DOS Header Initial IP Value is Abnormal ThreatGrid Behavioral Indicator T1027 PE DOS Header Initial SP Value is Abnormal ThreatGrid Behavioral Indicator T1027 PE DOS Header Number of Pages Was Abnormal ThreatGrid Behavioral Indicator T1027 PE DOS Header Size of the Header in Paragraphs Abnormal ThreatGrid Behavioral Indicator T1027 PE DOS Header Number of Relocations Was Abnormal ThreatGrid Behavioral Indicator T1027 Executable with Encrypted Sections ThreatGrid Behavioral Indicator T1027 PE Optional Header Linker Major Version Abnormal ThreatGrid Behavioral Indicator T1027 PE Optional Header Linker Minor Version Abnormal ThreatGrid Behavioral Indicator T1027 PE COFF File Header Had Unexpected NumberOfSymbols ThreatGrid Behavioral Indicator T1027 PE COFF Header Size of Optional Header is Abnormal ThreatGrid Behavioral Indicator T1027 PE Optional Header Target Subsystem Does not Match Known Subsystems ThreatGrid Behavioral Indicator T1027 PE COFF Has Writable Headers ThreatGrid Behavioral Indicator T1027 PE Contains an Invalid Certificate Signature ThreatGrid Behavioral Indicator T1027 Executable Packed with ASProtect ThreatGrid Behavioral Indicator T1027 Executable Packed with MPRESS ThreatGrid Behavioral Indicator T1027 Executable Packed with UPX ThreatGrid Behavioral Indicator T1027 Executable Packed with VMProtect ThreatGrid Behavioral Indicator T1027 PE Contains Section with Blank or No Name ThreatGrid Behavioral Indicator 
T1027 PE Has Sections Marked Executable and Writable ThreatGrid Behavioral Indicator T1027 PE Contains Only Encrypted or Empty Sections ThreatGrid Behavioral Indicator T1027 PE Has Sections Marked Shareable ThreatGrid Behavioral Indicator T1027 PE Contains A Suspicious Certificate Signature ThreatGrid Behavioral Indicator T1027 PE Contains TLS Callback Entries ThreatGrid Behavioral Indicator T1027 Executable Uses Armadillo ThreatGrid Behavioral Indicator T1027 Executable Uses AutoIt ThreatGrid Behavioral Indicator T1027 Executable Packed with Enigma Protector Detected ThreatGrid Behavioral Indicator T1027 Process Uses Very Large Command-Line ThreatGrid Behavioral Indicator T1027 Creation Of Randomly Named Files Detected ThreatGrid Behavioral Indicator T1027 An Executable Found in Recycle Bin Folder ThreatGrid Behavioral Indicator T1027 Process Created an Executable in a Recycle Bin Folder ThreatGrid Behavioral Indicator T1027 Process Executed From a Recycle Bin Folder ThreatGrid Behavioral Indicator T1027 Process Created a File in a Recycle Bin Folder ThreatGrid Behavioral Indicator T1027 RTF File Contains a Large Amount of Appended Data ThreatGrid Behavioral Indicator T1027 RTF Containing PE File ThreatGrid Behavioral Indicator T1027 RTF File has Unusually High Entropy ThreatGrid Behavioral Indicator T1027 RTF Object Obfuscation Detected ThreatGrid Behavioral Indicator T1027 RTF File Has a Suspicious Version ThreatGrid Behavioral Indicator T1027 Executable Signed With Stolen Digital Certificate ThreatGrid Behavioral Indicator T1027 Right to Left Unicode in Filename ThreatGrid Behavioral Indicator T1027 Roman Numeral Unicode in Filename ThreatGrid Behavioral Indicator T1027 VBA Macro Impersonates Browser User-Agent ThreatGrid Behavioral Indicator T1027 VBA Macro References Base64 ThreatGrid Behavioral Indicator T1027 VBA Macro Uses CallByName ThreatGrid Behavioral Indicator T1027 VBA Macro Uses CodeModule ThreatGrid Behavioral Indicator T1027 VBA Macro Accesses 
Document Properties ThreatGrid Behavioral Indicator T1027 VBA Macro May Hide Windows ThreatGrid Behavioral Indicator T1027 VBA Macro Suspected Obfuscation ThreatGrid Behavioral Indicator T1027 VBA Macro Uses ScriptControl ThreatGrid Behavioral Indicator T1027 VBA Macro Uses StrReverse ThreatGrid Behavioral Indicator T1027 VBA Macro References VisualBasic Script ThreatGrid Behavioral Indicator T1027 VBA Macro Uses Xor ThreatGrid Behavioral Indicator T1027 An Embedded VBA Macro Uses Arrays Excessively ThreatGrid Behavioral Indicator T1027 VBScript With Anomalous Casing Of Standard Functions Detected ThreatGrid Behavioral Indicator T1027 VBScript Contains Randomly Generated Variables ThreatGrid Behavioral Indicator T1027 Compound Document Format Contains an Embedded Executable File ThreatGrid Behavioral Indicator T1027 Document Contains an Embedded and Obfuscated File ThreatGrid Behavioral Indicator T1027 Document Properties Store Base64 Encoded String ThreatGrid Behavioral Indicator T1027 Massive Javascript Contains a Long Hex Escaped String ThreatGrid Behavioral Indicator T1027 PDF Contains Suspicious Embedded Microsoft Office Document Stream ThreatGrid Behavioral Indicator T1027 PDF Contains JavaScript with Randomly Generated Variables ThreatGrid Behavioral Indicator T1027 RTF Object with Multiple Obfuscations Detected ThreatGrid Behavioral Indicator T1027 VBA Macro Contains Encoded Executable ThreatGrid Behavioral Indicator T1027 VBA Macro Imports Function for Shell Code ThreatGrid Behavioral Indicator T1027 Windows Executable Copied and Renamed ThreatGrid Behavioral Indicator T1110 19559 Snort rule T1110 19933 Snort rule T1110 44651 Snort rule T1110 2273 Snort rule T1110 2274 Snort rule T1110 15414 Snort rule T1110 42133 Snort rule T1110 2275 Snort rule T1110 21232 Snort rule T1110 20212 Snort rule T1110 26645 Snort rule T1110 27240 Snort rule T1110 32204 Snort rule T1110 32205 Snort rule T1110 32755 Snort rule T1110 32756 Snort rule T1110 32757 Snort rule T1110 
32758 Snort rule T1110 32759 Snort rule T1110 32760 Snort rule T1110 25907 Snort rule T1110 41920 Snort rule T1110 42451 Snort rule T1110 3152 Snort rule T1110 3273 Snort rule T1110 4984 Snort rule T1110 3542 Snort rule T1110 3543 Snort rule T1065 7808 Snort rule T1065 7807 Snort rule T1065 7806 Snort rule T1065 6143 Snort rule T1065 25106 Snort rule T1065 22053 Snort rule T1065 19037 Snort rule T1065 19036 Snort rule T1065 28399 Snort rule T1065 33547 Snort rule T1065 35471 Snort rule T1065 36666 Snort rule T1065 32001 Snort rule T1065 45469 Snort rule T1065 45470 Snort rule T1065 809 Snort rule T1065 Cryptominer Network Connection Detected ThreatGrid Behavioral Indicator T1065 Cryptominer Pool Contacted ThreatGrid Behavioral Indicator T1065 HTTP Traffic over Non Standard Port ThreatGrid Behavioral Indicator T1076 W32.RDCSAutostart AMP Cloud IOC T1076 W32.LateralMovementSessionHijacking AMP Cloud IOC T1076 W32.SecurityHolePossibleSessionHijacking AMP Cloud IOC T1076 4060 Snort rule T1076 15863 Snort rule T1076 15861 Snort rule T1076 20175 Snort rule T1076 16742 Snort rule T1076 22969 Snort rule T1076 22970 Snort rule T1076 16743 Snort rule T1076 21089 Snort rule T1076 21088 Snort rule T1076 19665 Snort rule T1076 15850 Snort rule T1076 25567 Snort rule T1076 45518 Snort rule T1076 13347 Snort rule T1076 13346 Snort rule T1076 21232 Snort rule T1023 Junction Creates Symbolic Link to Startup Folder ThreatGrid Behavioral Indicator T1023 VBA Macro Creates Shortcut ThreatGrid Behavioral Indicator T1023 App Path Registry Key Modified ThreatGrid Behavioral Indicator T1023 Document Uses Powershell and Macro for Create Shortcut ThreatGrid Behavioral Indicator T1021 W32.RemoteAtJob AMP Cloud IOC T1021 W32.Qakbot AMP Cloud IOC T1021 29382 Snort rule T1021 29383 Snort rule T1021 37298 Snort rule T1021 37299 Snort rule T1021 37300 Snort rule T1021 37301 Snort rule T1021 37302 Snort rule T1021 37303 Snort rule T1021 37304 Snort rule T1021 37305 Snort rule T1021 37306 Snort rule 
T1021 36198 Snort rule T1021 44646 Snort rule T1193 Antivirus Service Flagged Artifact As Containing A Macro ThreatGrid Behavioral Indicator T1193 Document Flagged for Known Social Engineering Content ThreatGrid Behavioral Indicator T1193 Windows Picture And Fax Viewer Used To Display Decoy Image ThreatGrid Behavioral Indicator T1193 Office Document Contains an Internal Macro ThreatGrid Behavioral Indicator T1193 Office Document Contains a VBA Macro ThreatGrid Behavioral Indicator T1193 PDF Uses Page Action to Reference Remote File ThreatGrid Behavioral Indicator T1193 Submitted PDF Contains Collaboration Review Material ThreatGrid Behavioral Indicator T1193 PDF Contains an Action on Close ThreatGrid Behavioral Indicator T1193 PDF Contains URIs with a Direct IP ThreatGrid Behavioral Indicator T1193 PDF Contains Embedded JavaScript Action ThreatGrid Behavioral Indicator T1193 PDF Contains a Trigger on Mouse Action ThreatGrid Behavioral Indicator T1193 PDF Contains an Open Action ThreatGrid Behavioral Indicator T1193 PDF Contains a Trigger on Page Action ThreatGrid Behavioral Indicator T1193 PDF Contains an Action on Print ThreatGrid Behavioral Indicator T1193 PDF Contains an Action on Save ThreatGrid Behavioral Indicator T1193 PDF Calls Known Vulnerable Function "getAnnots()" CVE-2009-1492 ThreatGrid Behavioral Indicator T1193 PDF Contains Hyperlink Inside An Image ThreatGrid Behavioral Indicator T1193 PDF Contains JavaScript Which Uses Known Vulnerable Function "Collab.collectEmailInfo" ThreatGrid Behavioral Indicator T1193 PDF Calls Known Vulnerable Function "media.newplayer" ThreatGrid Behavioral Indicator T1193 PDF Contains Known Heap Spray Return Address ThreatGrid Behavioral Indicator T1193 PDF Contains Javascript and Exploit ThreatGrid Behavioral Indicator T1193 PDF Contains "/Launch" Functionality ThreatGrid Behavioral Indicator T1193 PDF Uses Launch On OpenAction ThreatGrid Behavioral Indicator T1193 PDF Document Creates and Launches an External Script 
ThreatGrid Behavioral Indicator T1193 PDF Contains Few Pages And A Malicious Link ThreatGrid Behavioral Indicator T1193 PDF Calls Known Vulnerable Function "util.printf()" CVE-2008-2992 ThreatGrid Behavioral Indicator T1193 PDF Contains "URI" Action ThreatGrid Behavioral Indicator T1193 PDF Contains Known Phishing Domain ThreatGrid Behavioral Indicator T1193 RTF Using Embedded Equation (CVE 2017-11882) ThreatGrid Behavioral Indicator T1193 CVE-2007-5659 Adobe Vulnerability Detected ThreatGrid Behavioral Indicator T1193 PDF Contains Web Redirection URIs ThreatGrid Behavioral Indicator T1193 PDF With URI Action With A Single Page Detected ThreatGrid Behavioral Indicator T1033 WMIC Used to Enumerate User Account Information ThreatGrid Behavioral Indicator T1060 W32.PoweliksPersistence AMP Cloud IOC T1060 W32.UncommonStartupPaths AMP Cloud IOC T1060 W32.JavaRegistryAutorun AMP Cloud IOC T1060 W32.CmdModifiedAutoRun AMP Cloud IOC T1060 W32.SetupRegistryPersistenceWithMSHTA AMP Cloud IOC T1060 49289 Snort rule T1060 49290 Snort rule T1060 49291 Snort rule T1060 49292 Snort rule T1060 2176 Snort rule T1060 2177 Snort rule T1060 Process Added a Service to the ControlSet Registry Key ThreatGrid Behavioral Indicator T1060 Process Modified the Active Setup Registry Key ThreatGrid Behavioral Indicator T1060 Process Modified Command Processor Registry Key Value ThreatGrid Behavioral Indicator T1060 Process Modified Context Menu Handler Registry Key Value ThreatGrid Behavioral Indicator T1060 Registry Persistence Mechanism Refers to a Batch File ThreatGrid Behavioral Indicator T1060 Registry Persistence Mechanism Refers to an Executable in a User Data Directory ThreatGrid Behavioral Indicator T1060 Process Modified Shell Program Autorun Registry Key Value ThreatGrid Behavioral Indicator T1060 Process Modified Autorun Registry Key Value ThreatGrid Behavioral Indicator T1060 Registry Persistence Mechanism Refers to an Executable in a Recycler Folder ThreatGrid Behavioral Indicator 
T1060 Registry Persistence Mechanism Refers to an Executable in a Temporary Folder ThreatGrid Behavioral Indicator T1060 Process Registered a Password Filter DLL ThreatGrid Behavioral Indicator T1060 Process Added Registry Key (UserInitMprLogonScript) to Automatically Start Programs on User Logon ThreatGrid Behavioral Indicator T1060 Process Modified Script Registry Key Value ThreatGrid Behavioral Indicator T1060 Process Modified Shared Task Scheduler Registry Key Value ThreatGrid Behavioral Indicator T1060 Adds a Registry Key (DELAY) to Automatically Start Programs on System Startup ThreatGrid Behavioral Indicator T1060 Process Modified ShellExecuteHooks Registry Key Value ThreatGrid Behavioral Indicator T1060 Process Modified Shell Open Command Registry Key Value ThreatGrid Behavioral Indicator T1060 The BootExecute Registry Key Was Modified ThreatGrid Behavioral Indicator T1060 Process Specified An Image File Execution Debugger ThreatGrid Behavioral Indicator T1060 Process Modified RunOnceEx Depend Registry Key ThreatGrid Behavioral Indicator T1060 Process Modified Service Schedule And Created A Task ThreatGrid Behavioral Indicator T1060 Process Modified Startup Tasks Registry Key ThreatGrid Behavioral Indicator T1060 Shortcut Added in the Windows Startup Folder ThreatGrid Behavioral Indicator T1060 Process Created a File in the Windows Start Menu Folder ThreatGrid Behavioral Indicator T1060 VBScript Added in the Windows Startup Folder ThreatGrid Behavioral Indicator T1060 Junction Creates Symbolic Link to Startup Folder ThreatGrid Behavioral Indicator T1060 Process Modified the Windows System Startup File ThreatGrid Behavioral Indicator T1060 Registry Persistence Mechanism Refers to an Executable in a System Directory ThreatGrid Behavioral Indicator T1480 W32.MegaCortexRansomware AMP Cloud IOC T1078 23601 Snort rule T1078 233 Snort rule T1078 234 Snort rule T1078 235 Snort rule T1078 237 Snort rule T1078 19318 Snort rule T1078 19319 Snort rule T1078 19551 Snort 
rule T1078 27538 Snort rule T1078 41440 Snort rule T1078 20996 Snort rule T1078 20995 Snort rule T1078 18985 Snort rule T1078 20691 Snort rule T1078 20692 Snort rule T1078 31830 Snort rule T1078 31831 Snort rule T1078 31846 Snort rule T1078 32068 Snort rule T1078 32526 Snort rule T1078 32740 Snort rule T1078 32741 Snort rule T1078 34345 Snort rule T1078 35527 Snort rule T1078 35528 Snort rule T1078 36282 Snort rule T1078 42068 Snort rule T1078 35886 Snort rule T1078 44623 Snort rule T1078 44702 Snort rule T1078 47070 Snort rule T1078 2334 Snort rule T1078 24814 Snort rule T1078 2406 Snort rule T1078 21938 Snort rule T1078 10123 Snort rule T1078 6489 Snort rule T1078 24306 Snort rule T1078 40316 Snort rule T1078 40317 Snort rule T1078 40318 Snort rule T1078 40319 Snort rule T1078 40320 Snort rule T1078 1817 Snort rule T1078 3519 Snort rule T1078 4126 Snort rule T1078 27237 Snort rule T1078 27238 Snort rule T1078 27239 Snort rule T1078 35111 Snort rule T1078 36375 Snort rule T1078 40322 Snort rule T1078 40324 Snort rule T1078 40325 Snort rule T1078 45068 Snort rule T1078 49051 Snort rule T1078 49052 Snort rule T1078 49053 Snort rule T1078 49054 Snort rule T1078 49055 Snort rule T1078 49056 Snort rule T1078 49057 Snort rule T1078 49058 Snort rule T1078 49059 Snort rule T1078 49060 Snort rule T1078 49061 Snort rule T1078 49062 Snort rule T1078 49063 Snort rule T1078 49064 Snort rule T1078 2146 Snort rule T1078 2145 Snort rule T1078 24436 Snort rule T1078 24435 Snort rule T1078 18932 Snort rule T1078 2230 Snort rule T1078 1861 Snort rule T1078 1860 Snort rule T1078 1859 Snort rule T1078 20158 Snort rule T1078 27756 Snort rule T1078 36100 Snort rule T1078 37378 Snort rule T1078 37379 Snort rule T1078 37380 Snort rule T1078 37381 Snort rule T1078 37382 Snort rule T1078 37383 Snort rule T1078 37384 Snort rule T1078 37385 Snort rule T1078 37386 Snort rule T1078 37387 Snort rule T1078 37388 Snort rule T1078 37389 Snort rule T1078 37390 Snort rule T1078 37391 Snort rule T1078 
37392 Snort rule T1078 37393 Snort rule T1078 37394 Snort rule T1078 37395 Snort rule T1078 37396 Snort rule T1078 38249 Snort rule T1078 40331 Snort rule T1078 40904 Snort rule T1078 40905 Snort rule T1078 41446 Snort rule T1078 41917 Snort rule T1078 42300 Snort rule T1078 47137 Snort rule T1078 47138 Snort rule T1078 48740 Snort rule T1078 17044 Snort rule T1078 43073 Snort rule T1078 A Possible Phishing HTML Page Was Found ThreatGrid Behavioral Indicator T1053 W32.RemoteAtJob AMP Cloud IOC T1053 W32.SuspiciousScheduledTask AMP Cloud IOC T1053 Task Creation Detected ThreatGrid Behavioral Indicator T1053 Forced Creation Of Temporary Scheduled Task ThreatGrid Behavioral Indicator T1053 Process Cancelled Program Execution ThreatGrid Behavioral Indicator T1053 Process Used SchTasks Utility ThreatGrid Behavioral Indicator T1053 Schtasks Utility Used to Create Task ThreatGrid Behavioral Indicator T1053 Using AT.exe to Schedule Task and a Process to Disable Hidden File Feature ThreatGrid Behavioral Indicator T1053 SchTasks Utility Used to Schedule System Shutdown ThreatGrid Behavioral Indicator T1053 Scheduled Task References Application Data Directory ThreatGrid Behavioral Indicator T1053 Scheduled Task Was Created And Run Using System Account ThreatGrid Behavioral Indicator T1203 Hyperlink with Mouse-Over Action Detected ThreatGrid Behavioral Indicator T1045 RAR Self-Extracting Archive Found ThreatGrid Behavioral Indicator T1043 W32.SuspiciousDNSTXTLookup AMP Cloud IOC T1043 Outbound HTTP GET Request ThreatGrid Behavioral Indicator T1068 OSX.VSearch.RET AMP Cloud IOC T1068 Possible Privilege Escalation Detected ThreatGrid Behavioral Indicator T1204 W32.Qakbot AMP Cloud IOC T1204 Dummy AMP Cloud IOC T1204 OSX.CrescentCore AMP Cloud IOC T1204 Executable Uses a Folder Icon ThreatGrid Behavioral Indicator T1204 Process Modified Event Viewer Online Help URL ThreatGrid Behavioral Indicator T1204 Process Enabled Autorun through the Creation of autorun.inf ThreatGrid 
Behavioral Indicator T1040 OSX.Dok AMP Cloud IOC T1040 W32.TsharkPacketCapture AMP Cloud IOC T1040 613 Snort rule T1040 616 Snort rule T1040 619 Snort rule T1040 622 Snort rule T1040 630 Snort rule T1040 626 Snort rule T1040 627 Snort rule T1040 634 Snort rule T1040 635 Snort rule T1040 636 Snort rule T1040 637 Snort rule T1040 1638 Snort rule T1040 1917 Snort rule T1040 8081 Snort rule T1040 1133 Snort rule T1040 18179 Snort rule T1040 2041 Snort rule T1040 2043 Snort rule T1040 23601 Snort rule T1040 23602 Snort rule T1040 23603 Snort rule T1040 23604 Snort rule T1040 19559 Snort rule T1040 1101 Snort rule T1040 1100 Snort rule T1040 19779 Snort rule T1040 19933 Snort rule T1040 28002 Snort rule T1040 28003 Snort rule T1040 28301 Snort rule T1040 28552 Snort rule T1040 29462 Snort rule T1040 40094 Snort rule T1040 40095 Snort rule T1040 41793 Snort rule T1040 42289 Snort rule T1040 42785 Snort rule T1040 Process Queries System Hostname ThreatGrid Behavioral Indicator T1040 Process Queries Active Network Connections ThreatGrid Behavioral Indicator T1040 WinDivert Dropped on System ThreatGrid Behavioral Indicator T1040 WinPCAP Dropped on System ThreatGrid Behavioral Indicator T1040 Process Modified Winsock Parameters ThreatGrid Behavioral Indicator T1016 W32.SuspiciousIPLookupAttempt AMP Cloud IOC T1016 W32.SuspectedInjection AMP Cloud IOC T1016 W32.PowershellLaunchedNetConfig AMP Cloud IOC T1016 W32.PowershellLaunchedNetUse AMP Cloud IOC T1016 Google Used to Identify Public IP Address ThreatGrid Behavioral Indicator T1016 Check for GeoIP Location Detected ThreatGrid Behavioral Indicator T1016 Netsh.exe Used to Alter Windows Firewall ThreatGrid Behavioral Indicator T1016 Process Uses Private IP Range for Network Traffic ThreatGrid Behavioral Indicator T1016 Check for Public IP Address Detected ThreatGrid Behavioral Indicator T1016 Windows IPConfig Used ThreatGrid Behavioral Indicator T1016 Process Mapped SMB Share ThreatGrid Behavioral Indicator T1016 Process Added 
Routing Table Entry ThreatGrid Behavioral Indicator T1016 Process Enumerates TCP/IP Network Configuration ThreatGrid Behavioral Indicator T1016 Ping Utility Check Localhost ThreatGrid Behavioral Indicator T1071 Round.Key AMP Cloud IOC T1071 W32.PossibleCryptowallInfection AMP Cloud IOC T1071 W32.SuspiciousDNSTXTLookup AMP Cloud IOC T1071 W32.ODBCCONFNetworkConnection AMP Cloud IOC T1071 W32.MSBuildURL AMP Cloud IOC T1071 W32.CertutilURLCache AMP Cloud IOC T1071 SuspiciousTLDQuery AMP Cloud IOC T1071 W32.Coinminer.DTLMiner AMP Cloud IOC T1071 W32.Coinminer.PCASTLE AMP Cloud IOC T1071 JS.Trojan.Generic_48153 AMP Cloud IOC T1071 Osx.Downloader.Crossrider_46700 AMP Cloud IOC T1071 Osx.Trojan.Calisto_47415 AMP Cloud IOC T1071 Vbs.Worm.SysinfY2X_46894 AMP Cloud IOC T1071 W32.Trojan.MirageFox_48092 AMP Cloud IOC T1071 HTML Using Hidden Iframe Detected ThreatGrid Behavioral Indicator T1071 HTML Iframe Static IP Referenced ThreatGrid Behavioral Indicator T1071 Files Exchanged Using FTP ThreatGrid Behavioral Indicator T1071 Outbound FTP Communications ThreatGrid Behavioral Indicator T1071 Outbound HTTP GET Request From URL Submission ThreatGrid Behavioral Indicator T1071 Outbound IRC Communications ThreatGrid Behavioral Indicator T1071 Outbound SMB Communications ThreatGrid Behavioral Indicator T1071 Outbound SMTP Communications ThreatGrid Behavioral Indicator T1071 An FTP Connection Was Made Without Transferring A File ThreatGrid Behavioral Indicator T1071 HTTP Request with Blank or Missing User-Agent ThreatGrid Behavioral Indicator T1071 An HTTP Request Was Made to a Numeric IP Address ThreatGrid Behavioral Indicator T1071 Suspicious User Agent String In HTTP Request ThreatGrid Behavioral Indicator T1071 Communication With a URL Ending in gate.php Detected ThreatGrid Behavioral Indicator T1071 VBA Macro Modifies HTTP Header ThreatGrid Behavioral Indicator T1132 23780 Snort rule T1132 22034 Snort rule T1132 22033 Snort rule T1132 21318 Snort rule T1132 21442 Snort rule 
T1132 | 24243 | Snort rule
T1132 | 37245 | Snort rule
T1105 | W32.WgetExeDownload | AMP Cloud IOC
T1105 | W32.WgetUAImpersonation | AMP Cloud IOC
T1105 | W32.NetUseWebdav | AMP Cloud IOC
T1105 | W32.CertutilURLCache | AMP Cloud IOC
T1105 | Certutil Used To Download Content | ThreatGrid Behavioral Indicator
T1105 | A Document Requested an Executable via URL | ThreatGrid Behavioral Indicator
T1105 | Outbound HTTP GET Request | ThreatGrid Behavioral Indicator
T1105 | Downloaded PE Executable With Image Extension | ThreatGrid Behavioral Indicator
T1105 | Downloaded PE Executable | ThreatGrid Behavioral Indicator
T1105 | Downloaded File Executed | ThreatGrid Behavioral Indicator
T1105 | PE Executable Downloaded Via Propfind | ThreatGrid Behavioral Indicator
T1105 | PowerShell Used to Download and Execute a File | ThreatGrid Behavioral Indicator
T1105 | PowerShell Used to Download a File | ThreatGrid Behavioral Indicator
T1105 | PowerShell Script Uses Call to Download Data | ThreatGrid Behavioral Indicator
T1105 | NetCat Utility Used by Sample | ThreatGrid Behavioral Indicator
T1105 | Wget Utility Used by Sample | ThreatGrid Behavioral Indicator
T1105 | A Script Requested an Executable via URL | ThreatGrid Behavioral Indicator
T1105 | Download Forced Open/Save Prompt | ThreatGrid Behavioral Indicator
T1105 | Download Forced Save-Only Prompt | ThreatGrid Behavioral Indicator
T1105 | VBA Macro References URLDownloadToFile Function | ThreatGrid Behavioral Indicator
T1105 | Windows Utility Downloaded File | ThreatGrid Behavioral Indicator
T1105 | VBA Macro Download With No Execution | ThreatGrid Behavioral Indicator
T1105 | VBA Macro Imports URLDownloadToFile | ThreatGrid Behavioral Indicator
T1048 | W32.SuspiciousDNSTXTLookup | AMP Cloud IOC
T1048 | W32.SSHTunnelCreated | AMP Cloud IOC
T1048 | SuspiciousTLDQuery | AMP Cloud IOC
T1048 | 47401 | Snort rule
T1048 | 47402 | Snort rule
T1048 | 47639 | Snort rule
T1048 | 24087 | Snort rule
T1048 | 24088 | Snort rule
T1048 | HTML Sample Made HTTP POST Communications | ThreatGrid Behavioral Indicator
T1048 | Outbound HTTP POST Communications | ThreatGrid Behavioral Indicator
T1100 | W32.ChinaChopper | AMP Cloud IOC
T1100 | 23829 | Snort rule
T1100 | 23830 | Snort rule
T1100 | 21117 | Snort rule
T1100 | 21118 | Snort rule
T1100 | 21119 | Snort rule
T1100 | 21120 | Snort rule
T1100 | 21121 | Snort rule
T1100 | 21129 | Snort rule
T1100 | 21130 | Snort rule
T1100 | 21131 | Snort rule
T1100 | 21132 | Snort rule
T1100 | 21133 | Snort rule
T1100 | 21134 | Snort rule
T1100 | 21135 | Snort rule
T1100 | 21136 | Snort rule
T1100 | 21137 | Snort rule
T1100 | 21138 | Snort rule
T1100 | 21139 | Snort rule
T1100 | 21140 | Snort rule
T1100 | 27729 | Snort rule
T1100 | 27730 | Snort rule
T1100 | 27731 | Snort rule
T1100 | 27732 | Snort rule
T1100 | 50947 | Snort rule
T1100 | 50948 | Snort rule
T1100 | 50949 | Snort rule
T1100 | 50950 | Snort rule
T1100 | 50951 | Snort rule
T1100 | 50952 | Snort rule
T1100 | 50953 | Snort rule
T1100 | 50954 | Snort rule
T1100 | 50955 | Snort rule
T1100 | 51923 | Snort rule
T1100 | 46368 | Snort rule
T1100 | 46369 | Snort rule
T1100 | 27966 | Snort rule
T1100 | 27967 | Snort rule
T1100 | 27968 | Snort rule
T1100 | 28323 | Snort rule
T1100 | 37245 | Snort rule
T1100 | 42834 | Snort rule
T1100 | 42835 | Snort rule
T1100 | 42836 | Snort rule
T1100 | 42837 | Snort rule
T1100 | 1090 | Snort rule
T1003 | W32.MimikatzDumpCredentials | AMP Cloud IOC
T1003 | W32.ActiveDirectoryDatabaseExtractionAttempt | AMP Cloud IOC
T1003 | W32.RegSaveSystem | AMP Cloud IOC
T1003 | W32.RegistryCredentialDumping | AMP Cloud IOC
T1003 | 46675 | Snort rule
T1003 | 46676 | Snort rule
T1003 | 46677 | Snort rule
T1003 | 46678 | Snort rule
T1003 | 50467 | Snort rule
T1003 | 32602 | Snort rule
T1003 | 34944 | Snort rule
T1003 | 40321 | Snort rule
T1003 | 20618 | Snort rule
T1003 | 39642 | Snort rule
T1003 | 39930 | Snort rule
T1003 | 44388 | Snort rule
T1003 | Process Attempted to Enumerate Browser Information | ThreatGrid Behavioral Indicator
T1003 | Process Modified Firefox Certificate Database | ThreatGrid Behavioral Indicator
T1003 | Process Attempted to Access the FireFox Password Manager Local Database | ThreatGrid Behavioral Indicator
T1003 | Process Modified the FireFox Password Manager Local Database | ThreatGrid Behavioral Indicator
T1003 | Process Disabled AutoComplete Settings in Internet Explorer | ThreatGrid Behavioral Indicator
T1192 | 45370 | Snort rule
T1192 | 45371 | Snort rule
T1192 | 50097 | Snort rule
T1192 | 50098 | Snort rule
T1192 | 48861 | Snort rule
T1192 | 48862 | Snort rule
T1192 | 48863 | Snort rule
T1192 | 48864 | Snort rule
T1192 | 28255 | Snort rule
T1192 | 29869 | Snort rule
T1192 | 25578 | Snort rule
T1192 | 25579 | Snort rule
T1192 | 25580 | Snort rule
T1192 | 26261 | Snort rule
T1192 | 26660 | Snort rule
T1192 | 30567 | Snort rule
T1192 | 30568 | Snort rule
T1192 | 30569 | Snort rule
T1192 | 32008 | Snort rule
T1192 | 32771 | Snort rule
T1192 | 32772 | Snort rule
T1192 | 36338 | Snort rule
T1192 | 21637 | Snort rule
T1192 | 19122 | Snort rule
T1192 | 29396 | Snort rule
T1192 | 29397 | Snort rule
T1192 | 29398 | Snort rule
T1192 | 29399 | Snort rule
T1192 | 48894 | Snort rule
T1192 | 48895 | Snort rule
T1192 | 47115 | Snort rule
T1192 | 47116 | Snort rule
T1192 | An Encrypted Phishing HTML Page Was Found | ThreatGrid Behavioral Indicator
T1192 | Blackhole Exploit Kit V2 Detected | ThreatGrid Behavioral Indicator
T1192 | Blackhole Exploit Kit V2 Java Jar File Detected | ThreatGrid Behavioral Indicator
T1064 | W32.PowershellCompressedExpression | AMP Cloud IOC
T1064 | W32.AdditionVariableCommandObfuscation | AMP Cloud IOC
T1064 | W32.CaretCommandObfuscation | AMP Cloud IOC
T1064 | W32.WScriptLaunchedZippedJS | AMP Cloud IOC
T1064 | W32.MaliciousJavascriptEncodings | AMP Cloud IOC
T1064 | W32.PoweliksPersistence | AMP Cloud IOC
T1064 | W32.PowershellDownloadString | AMP Cloud IOC
T1064 | W32.WscriptLaunchTemp | AMP Cloud IOC
T1064 | W32.BacktickCommandObfuscation | AMP Cloud IOC
T1064 | W32.PowershellEncoded | AMP Cloud IOC
T1064 | W32.CscriptRemoteSystemScript | AMP Cloud IOC
T1064 | W32.Winrm_Execution | AMP Cloud IOC
T1064 | W32.InvokeMethodExploitationFrameworks | AMP Cloud IOC
T1064 | W32.WinwordLaunchedReplace | AMP Cloud IOC
T1064 | W32.FLTLDRCreatedExecutable | AMP Cloud IOC
T1064 | W32.WinwordLauchedCscript | AMP Cloud IOC
T1064 | W32.WMIPRVSELaunchedEncodedPowershell | AMP Cloud IOC
T1064 | Linux.CurlDownloadExecute | AMP Cloud IOC
T1064 | W32.VBScriptEncodedEngineExecution | AMP Cloud IOC
T1064 | W32.CmdObfuscatedBatchScriptExecution | AMP Cloud IOC
T1064 | AutoIT Script Contains Suspicious Code | ThreatGrid Behavioral Indicator
T1064 | Shortcut Runs Executable From Recycler or $Recycle.Bin Folder | ThreatGrid Behavioral Indicator
T1064 | Artifact With Script Embedded In The Filename | ThreatGrid Behavioral Indicator
T1064 | XML Stylesheet Contains Script | ThreatGrid Behavioral Indicator
T1064 | Process Modified AUTOEXEC.BAT | ThreatGrid Behavioral Indicator
T1064 | A Batch Script Launches PowerShell | ThreatGrid Behavioral Indicator
T1064 | Document Properties Reference a Script | ThreatGrid Behavioral Indicator
T1064 | Excessive Process Creation Detected | ThreatGrid Behavioral Indicator
T1064 | Sample Created A Batch File | ThreatGrid Behavioral Indicator
T1064 | Sample Created A Visual Basic Script | ThreatGrid Behavioral Indicator
T1064 | Script Launched by HTML Sample | ThreatGrid Behavioral Indicator
T1064 | Shortcut Without Creation Date Set | ThreatGrid Behavioral Indicator
T1064 | Mshta Used to Run Command-Line Script | ThreatGrid Behavioral Indicator
T1064 | Windows Script Host Service Established Direct IP Communications | ThreatGrid Behavioral Indicator
T1064 | Windows Script Host Launched | ThreatGrid Behavioral Indicator
T1064 | Registry Data Contains a Command Line that Could Launch a Script | ThreatGrid Behavioral Indicator
T1064 | A Script Established Direct IP Communications | ThreatGrid Behavioral Indicator
T1064 | Script Created a Document File | ThreatGrid Behavioral Indicator
T1064 | Script Created an Executable File | ThreatGrid Behavioral Indicator
T1064 | A Script Launched PowerShell | ThreatGrid Behavioral Indicator
T1064 | A Script Requested an Executable via URL | ThreatGrid Behavioral Indicator
T1064 | A Script File Established Network Communications | ThreatGrid Behavioral Indicator
T1064 | Suspicious Nullsoft Installer Detected | ThreatGrid Behavioral Indicator
T1064 | Script Launched by URL Sample | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Invokes Run Method On Created Object | ThreatGrid Behavioral Indicator
T1064 | VBA Macro References the Application Task Count | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Checks the Default Printer | ThreatGrid Behavioral Indicator
T1064 | VBA Macro References Recent Files List | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Has Action on Close | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Loads a COM Object | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Action on Image Refresh | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Has Action on Mouse Movement | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Has Action on Open | ThreatGrid Behavioral Indicator
T1064 | VBA Macro References the WordBasic AppCount | ThreatGrid Behavioral Indicator
T1064 | A VBScript Invoked Run Method On Created Object | ThreatGrid Behavioral Indicator
T1064 | Script Communicates With Domain in Cisco Umbrella Block List | ThreatGrid Behavioral Indicator
T1064 | VBA Macro Has Action on Open with a Suspicious Name | ThreatGrid Behavioral Indicator
T1046 | 50464 | Snort rule
T1046 | 50517 | Snort rule
T1046 | 613 | Snort rule
T1046 | 616 | Snort rule
T1046 | 619 | Snort rule
T1046 | 622 | Snort rule
T1046 | 630 | Snort rule
T1046 | 626 | Snort rule
T1046 | 627 | Snort rule
T1046 | 634 | Snort rule
T1046 | 635 | Snort rule
T1046 | 636 | Snort rule
T1046 | 637 | Snort rule
T1046 | 1638 | Snort rule
T1046 | 1917 | Snort rule
T1046 | 8081 | Snort rule
T1046 | 1133 | Snort rule
T1046 | 18179 | Snort rule
T1046 | 2041 | Snort rule
T1046 | 2043 | Snort rule
T1046 | 23601 | Snort rule
T1046 | 23602 | Snort rule
T1046 | 23603 | Snort rule
T1046 | 23604 | Snort rule
T1046 | 19559 | Snort rule
T1046 | 1101 | Snort rule
T1046 | 1100 | Snort rule
T1046 | 19779 | Snort rule
T1046 | 19933 | Snort rule
T1046 | 28002 | Snort rule
T1046 | 28003 | Snort rule
T1046 | 28301 | Snort rule
T1046 | 28552 | Snort rule
T1046 | 29462 | Snort rule
T1046 | 40094 | Snort rule
T1046 | 40095 | Snort rule
T1046 | 41793 | Snort rule
T1046 | 42289 | Snort rule
T1046 | 42785 | Snort rule
T1046 | Windows ARP Utility Used | ThreatGrid Behavioral Indicator
T1046 | Process Enumerates Network Resources | ThreatGrid Behavioral Indicator
T1046 | Process Queries Domain Using NsLookup | ThreatGrid Behavioral Indicator
T1046 | Process Enumerates Route Using PathPing | ThreatGrid Behavioral Indicator
T1046 | Process Enumerates System Configuration | ThreatGrid Behavioral Indicator
T1046 | Process Enumerates Route Using Tracert | ThreatGrid Behavioral Indicator
T1046 | SMB Scanning Activity Observed | ThreatGrid Behavioral Indicator
T1086 | W32.PowershellCompressedExpression | AMP Cloud IOC
T1086 | W32.PowershellDownloadString | AMP Cloud IOC
T1086 | W32.PowershellObfuscationAttempt | AMP Cloud IOC
T1086 | W32.AMSIBypass | AMP Cloud IOC
T1086 | W32.JavaPowershellLaunch | AMP Cloud IOC
T1086 | W32.PowershellEncoded | AMP Cloud IOC
T1086 | W32.PowershellGetForegroundWindow | AMP Cloud IOC
T1086 | W32.SuspiciousPowershellCommand | AMP Cloud IOC
T1086 | W32.WMIPRVSELaunchedEncodedPowershell | AMP Cloud IOC
T1086 | W32.LemonDuckCryptoMiner | AMP Cloud IOC
T1086 | 47461 | Snort rule
T1086 | 47462 | Snort rule
T1086 | 43179 | Snort rule
T1086 | 43180 | Snort rule
T1086 | 37243 | Snort rule
T1086 | 37244 | Snort rule
T1086 | 45136 | Snort rule
T1086 | 45137 | Snort rule
T1086 | 47400 | Snort rule
T1086 | 30392 | Snort rule
T1086 | 35769 | Snort rule
T1086 | 35770 | Snort rule
T1086 | 45904 | Snort rule
T1086 | 45905 | Snort rule
T1086 | 38259 | Snort rule
T1086 | 38260 | Snort rule
T1086 | 38261 | Snort rule
T1086 | 44559 | Snort rule
T1086 | 44560 | Snort rule
T1086 | 44561 | Snort rule
T1086 | 44562 | Snort rule
T1086 | 44563 | Snort rule
T1086 | 44564 | Snort rule
T1086 | 45352 | Snort rule
T1086 | 39755 | Snort rule
T1086 | 39756 | Snort rule
T1086 | 47846 | Snort rule
T1086 | 47847 | Snort rule
T1086 | 47866 | Snort rule
T1086 | 47867 | Snort rule
T1086 | 49569 | Snort rule
T1086 | 46879 | Snort rule
T1086 | A Shortcut That Calls PowerShell Detected | ThreatGrid Behavioral Indicator
T1086 | A Batch Script Launches PowerShell | ThreatGrid Behavioral Indicator
T1086 | Chocolatey Package Detected | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched by HTML Sample | ThreatGrid Behavioral Indicator
T1086 | Potential Sandbox Detection - PowerShell Used to Find VMWare | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used to Download and Execute a File | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used to Download a File | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used to Enable Windows Optional Feature | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used With Encoded Command | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used to Enumerate VPN Connections | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched with Execution Policy Bypass | ThreatGrid Behavioral Indicator
T1086 | PowerShell ExecutionPolicy Registry Key Modified | ThreatGrid Behavioral Indicator
T1086 | PowerShell Was Seen Using The Expand Archive Feature | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched with a Hidden Window | ThreatGrid Behavioral Indicator
T1086 | PowerShell Invokes Expression from Environment Variable | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched With the Invoke-Expression Cmdlet | ThreatGrid Behavioral Indicator
T1086 | PowerShell Was Seen Invoking A Web Request | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched PowerShell Script | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched Compiler | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used To Create Scheduled Task | ThreatGrid Behavioral Indicator
T1086 | PowerShell Used to Modify Firefox Profile | ThreatGrid Behavioral Indicator
T1086 | PowerShell with Command-Line Obfuscation Detected | ThreatGrid Behavioral Indicator
T1086 | Process Modified A Powershell Profile | ThreatGrid Behavioral Indicator
T1086 | PowerShell References ScriptBlockLogging | ThreatGrid Behavioral Indicator
T1086 | PowerShell Script Uses Call to Download Data | ThreatGrid Behavioral Indicator
T1086 | PowerShell Was Seen Running With A Sleep Argument | ThreatGrid Behavioral Indicator
T1086 | NetCat Utility Used by Sample | ThreatGrid Behavioral Indicator
T1086 | Powershell Loaded A Remote Access Service DLL | ThreatGrid Behavioral Indicator
T1086 | PowerShell Launched by URL Sample | ThreatGrid Behavioral Indicator
T1086 | A Shortcut That Uses Powershell and BITS Transfer Detected | ThreatGrid Behavioral Indicator
T1086 | PowerShell Command-Line References ScriptBlockLogging | ThreatGrid Behavioral Indicator
T1086 | Powershell Potential Remote Code Execution | ThreatGrid Behavioral Indicator
T1086 | Document Uses Powershell and Macro for Create Shortcut | ThreatGrid Behavioral Indicator
T1090 | OSX.Dok | AMP Cloud IOC
T1090 | OSX.Snake | AMP Cloud IOC
T1090 | Netsh.exe Used to Forward Port | ThreatGrid Behavioral Indicator
T1090 | Netsh.exe Used to Reset Winsock Catalog | ThreatGrid Behavioral Indicator
T1090 | TOR Process Execution Detected | ThreatGrid Behavioral Indicator
T1090 | Translation Service URL Detected | ThreatGrid Behavioral Indicator