TH4002 Multiple Failed Logins
TH4003 PowerShell
TH4003v1 PowerShell
TH4004 Metasploit Activity Observed
TH4005 Multiple Lockouts
TH4006 PSEXEC
TH4007 MS ATA
TH4008 Sysmon
TH4009 Anomaly User-Host Auth Failed NOT READY
TH4010 Local Malware Detected
TH4011 Integrity Check Failed
TH4012 Flowmon Portscan
TH4013 EPO Suspicious
TH4014 Inbound RDP/VNC
TH4015 Flowmon Security Violation
TH4016 Log Cleared
TH4017 IP Address Collision
TH4018 Webfilter infected
TH4019 Audit Error
TH4021 Kernel Driver Not Signed
TH4022 Cobalt Strike
TH4023 New Admin Abnormal Access
TH4025 New Common Event Spotted Short
TH4026 User Interactive
TH4027 Ops Repeating Error
TH4028 Corruption: Audit Disabled by Admin
TH4029 AV increase of blocked actions
TH4030 EPO Suspicious - Increase
TH4031 Barracuda AS Firmware Breach
TH4032 DBA Multiple User Login Failed
TH4033 MS ATA were deleted over a period of
TH4034 - Big amount of data uploaded
TH4035 EDR high risk event
TH4036 - SMB external detection
TH4037 DDOS long attack
TH4038 Surikata Anomaly
TH4039 DDOS High Packets Drop
TH4040 DDOS several long attacks
TH4041 - User Account Created and Deleted in a Short Period of Time
TH4042 - SELinux was disabled
TH4043 - SUDO: User NOT In Sudoers File
TH4044 Multiple Deletion In Short Time
TH4045 Linux Credential Dumping
TH4046 RSA Multiple Failed PIN Attempts
TH4047 RSA Multiple Authentication Failures
TH4048 Flowmon Big Amount of Data Uploaded
TH4049 Scheduled Task-Job Cron
TH4101 Execution : Execution through API
TH4102 T1003:OS Credential Dumping
TH4104 Query Registry P
TH4105 - System Network Configuration Discovery P
TH4106 Remote System Discovery P
TH4107 - SMB/Windows Admin Shares P
TH4107 T1021.002: SMB/Windows Admin Shares A IPC Clone
TH4108 System Owner/User Discovery P
TH4109 T1036.003:Rename System Utilities
TH4110 Windows Management Instrumentation P
TH4112 Scheduled Task/Job P
TH4113 Process Discovery P
TH4114 PowerShell P
TH4116 T1069:Permission Groups Discovery N
TH4117 T1070.006:Timestomp
TH4118 System Information Discovery P
TH4119 File and Directory Discovery P
TH4120 Account Discovery P
TH4121 T1090.001:Proxy
TH4122 T1098:Account Manipulation
TH4124 T1114.003:Email Forwarding Rule
TH4125 T1136.003:Cloud Account
TH4126 T1189:Drive-By Compromise
TH4127 T1218.010:Regsvr32
TH4128 T1218.011:Rundll32
TH4129 T1534:Internal Spearphishing
TH4130 Windows Service P
TH4131 T1547.001:Registry Run Keys/Startup Folder A
TH4132 T1550.002:Pass the Hash
TH4133 T1550.003:Pass the Ticket
TH4134 T1558.003:Kerberoasting
TH4136 T1566.002:Spearphishing Link
TH4137 T1566.002:Spearphishing Link:O365
TH4138 Service Execution P
TH42001 F5 DOS New Attack
TH4-OPS-1 MS SQL Failed
TH4-OPS-2 MS SQL Cluster Failed
TH5001 Brute Rate C4: Infrastructure linked To Domain
TH5002 Brute Rate C4: Infrastructure linked to X.509 Certs or Samples
TH5004 - Compromise: System Time Change
TH5007 - Corruption: Audit Disabled by Admin
TH5008 - Disruption: Files Deleted by Admin
TH5010 - Lateral: Admin Password Modified
TH5015 - Lateral: Multiple Account Passwords Modified by Admin
TH5017 - Lateral: Password Modified by Admin