RP0005 |
Theft of user certificate and private key |
Response playbook for "Theft of user certificate and private key" attack |
RP2002 |
Privilege escalation via named pipe impersonation |
Response playbook for detected "Privilege escalation via named pipe impersonation" activity. |
RP2006 |
Lateral movement using SCM |
Response playbook for detected lateral movement by abusing service configuration manager by changing the service binpath. |
RP0008 |
Windows host compromise |
Live Analysis on a suspicious Windows system |
RP2005 |
Hijack default file extension |
Response playbook for detected persistence by hijacking default file extension. |
RP0001 |
External Phishing Email Message |
Response playbook for external Phishing Email Message case |
RP2003 |
Dumping MScash |
Response playbook for detected dumping MScash activity. |
RP0009 |
Compromised Active Directory account |
Compromised Active Directory account |
RP0007 |
Malware Outbreak |
Response playbook for malware outbreak response |
RP0002 |
Domain user enumeration attack using the Kerberos protocol without a domain account |
Response playbook for domain user enumeration attack using the Kerberos protocol without a domain account |
RP2008 |
Persistence using Windows Logon Helper |
Response playbook for detected persistence using Windows Logon Helper. |
RP2007 |
Lateral Movement using WinRM or PowerShell Remoting |
Response playbook for detected Lateral Movement using WinRM or PowerShell Remoting. |
RP0004 |
Pass the certificate |
Response playbook for pass the certificate attack |
RP0003 |
Adding shadow credential |
Response playbook for adding shadow credential attack |
RP2001 |
Malicious DLL load via COM abuse |
Response playbook for detected "DLL load via COM object" activity. |
RP2004 |
WDigest credential access |
Response playbook for detected WDigest credential access. |
RP0006 |
Successful OWA Password Spraying attack |
Response playbook for successful OWA Password Spraying attack