Potential Masquerading as System32 DLL

Identifies suspicious instances of default system32 DLLs that are either unsigned or signed with non-Microsoft certificates. This could indicate an attempt to masquerade as a system DLL, to perform DLL search order hijacking, or to backdoor and re-sign legitimate DLLs.
Rule type: eql
Rule indices:
- logs-endpoint.events.library-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References: None
Tags:
- Domain: Endpoint
- Data Source: Elastic Defend
- OS: Windows
- Use Case: Threat Detection
- Tactic: Defense Evasion
- Tactic: Persistence
- Rule Type: BBR
Version: 105
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
library where event.action == "load" and dll.Ext.relative_file_creation_time <= 3600 and
not (
  dll.path : (
    "?:\\Windows\\System32\\*", "?:\\Windows\\SysWOW64\\*", "?:\\Windows\\SystemTemp\\*",
    "?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*", "?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\*",
    "?:\\$WINDOWS.~BT\\Sources\\*", "?:\\$WINDOWS.~BT\\Work\\*", "?:\\Windows\\WinSxS\\*",
    "?:\\Windows\\SoftwareDistribution\\Download\\*", "?:\\Windows\\assembly\\NativeImages_v*"
  )
) and
not (
  dll.code_signature.subject_name in (
    "Microsoft Windows", "Microsoft Corporation", "Microsoft Windows Hardware Abstraction Layer Publisher",
    "Microsoft Windows Publisher", "Microsoft Windows 3rd party Component", "Microsoft 3rd Party Application Component"
  ) and dll.code_signature.trusted == true
) and
not dll.code_signature.status : ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and
dll.name : (
"aadauthhelper.dll", "aadcloudap.dll", "aadjcsp.dll", "aadtb.dll", "aadwamextension.dll", "aarsvc.dll", "abovelockapphost.dll", "accessibilitycpl.dll", "accountaccessor.dll", "accountsrt.dll", "acgenral.dll", "aclayers.dll", "acledit.dll", "aclui.dll", "acmigration.dll", "acppage.dll", "acproxy.dll", "acspecfc.dll", "actioncenter.dll", "actioncentercpl.dll", "actionqueue.dll", "activationclient.dll", "activeds.dll", "activesynccsp.dll", "actxprxy.dll", "acwinrt.dll", "acxtrnal.dll", "adaptivecards.dll", "addressparser.dll", "adhapi.dll", "adhsvc.dll", "admtmpl.dll", "adprovider.dll", "adrclient.dll", "adsldp.dll", "adsldpc.dll", "adsmsext.dll", "adsnt.dll", "adtschema.dll", "advancedemojids.dll", "advapi32.dll", "advapi32res.dll", "advpack.dll", "aeevts.dll", "aeinv.dll", "aepic.dll", "ajrouter.dll", "altspace.dll", "amsi.dll", "amsiproxy.dll", "amstream.dll", "apds.dll", "aphostclient.dll", "aphostres.dll", "aphostservice.dll", "apisampling.dll", "apisetschema.dll", "apmon.dll", "apmonui.dll", "appcontracts.dll", "appextension.dll", "apphelp.dll", "apphlpdm.dll", "appidapi.dll", 
"appidsvc.dll", "appinfo.dll", "appinfoext.dll", "applicationframe.dll", "applockercsp.dll", "appmgmts.dll", "appmgr.dll", "appmon.dll", "appointmentapis.dll", "appraiser.dll", "appreadiness.dll", "apprepapi.dll", "appresolver.dll", "appsruprov.dll", "appvcatalog.dll", "appvclientps.dll", "appvetwclientres.dll", "appvintegration.dll", "appvmanifest.dll", "appvpolicy.dll", "appvpublishing.dll", "appvreporting.dll", "appvscripting.dll", "appvsentinel.dll", "appvstreamingux.dll", "appvstreammap.dll", "appvterminator.dll", "appxalluserstore.dll", "appxpackaging.dll", "appxsip.dll", "appxsysprep.dll", "archiveint.dll", "asferror.dll", "aspnet_counters.dll", "asycfilt.dll", "atl.dll", "atlthunk.dll", "atmlib.dll", "audioeng.dll", "audiohandlers.dll", "audiokse.dll", "audioses.dll", "audiosrv.dll", "auditcse.dll", "auditpolcore.dll", "auditpolmsg.dll", "authbroker.dll", "authbrokerui.dll", "authentication.dll", "authext.dll", "authfwcfg.dll", "authfwgp.dll", "authfwsnapin.dll", "authfwwizfwk.dll", "authhostproxy.dll", "authui.dll", "authz.dll", "autopilot.dll", "autopilotdiag.dll", "autoplay.dll", "autotimesvc.dll", "avicap32.dll", "avifil32.dll", "avrt.dll", "axinstsv.dll", "azroles.dll", "azroleui.dll", "azsqlext.dll", "basecsp.dll", "basesrv.dll", "batmeter.dll", "bcastdvrbroker.dll", "bcastdvrclient.dll", "bcastdvrcommon.dll", "bcd.dll", "bcdprov.dll", "bcdsrv.dll", "bcp47langs.dll", "bcp47mrm.dll", "bcrypt.dll", "bcryptprimitives.dll", "bdehdcfglib.dll", "bderepair.dll", "bdesvc.dll", "bdesysprep.dll", "bdeui.dll", "bfe.dll", "bi.dll", "bidispl.dll", "bindfltapi.dll", "bingasds.dll", "bingfilterds.dll", "bingmaps.dll", "biocredprov.dll", "bisrv.dll", "bitlockercsp.dll", "bitsigd.dll", "bitsperf.dll", "bitsproxy.dll", "biwinrt.dll", "blbevents.dll", "blbres.dll", "blb_ps.dll", "bluetoothapis.dll", "bnmanager.dll", "bootmenuux.dll", "bootstr.dll", "bootux.dll", "bootvid.dll", "bridgeres.dll", "brokerlib.dll", "browcli.dll", "browserbroker.dll", "browseui.dll", 
"btagservice.dll", "bthavctpsvc.dll", "bthavrcp.dll", "bthavrcpappsvc.dll", "bthci.dll", "bthpanapi.dll", "bthradiomedia.dll", "bthserv.dll", "bthtelemetry.dll", "btpanui.dll", "bwcontexthandler.dll", "cabapi.dll", "cabinet.dll", "cabview.dll", "callbuttons.dll", "cameracaptureui.dll", "capauthz.dll", "capiprovider.dll", "capisp.dll", "captureservice.dll", "castingshellext.dll", "castlaunch.dll", "catsrv.dll", "catsrvps.dll", "catsrvut.dll", "cbdhsvc.dll", "cca.dll", "cdd.dll", "cdosys.dll", "cdp.dll", "cdprt.dll", "cdpsvc.dll", "cdpusersvc.dll", "cemapi.dll", "certca.dll", "certcli.dll", "certcredprovider.dll", "certenc.dll", "certenroll.dll", "certenrollui.dll", "certmgr.dll", "certpkicmdlet.dll", "certpoleng.dll", "certprop.dll", "cewmdm.dll", "cfgbkend.dll", "cfgmgr32.dll", "cfgspcellular.dll", "cfgsppolicy.dll", "cflapi.dll", "cfmifs.dll", "cfmifsproxy.dll", "chakra.dll", "chakradiag.dll", "chakrathunk.dll", "chartv.dll", "chatapis.dll", "chkwudrv.dll", "chsstrokeds.dll", "chtbopomofods.dll", "chtcangjieds.dll", "chthkstrokeds.dll", "chtquickds.dll", "chxapds.dll", "chxdecoder.dll", "chxhapds.dll", "chxinputrouter.dll", "chxranker.dll", "ci.dll", "cic.dll", "cimfs.dll", "circoinst.dll", "ciwmi.dll", "clb.dll", "clbcatq.dll", "cldapi.dll", "cleanpccsp.dll", "clfsw32.dll", "cliconfg.dll", "clipboardserver.dll", "clipc.dll", "clipsvc.dll", "clipwinrt.dll", "cloudap.dll", "cloudidsvc.dll", "clrhost.dll", "clusapi.dll", "cmcfg32.dll", "cmdext.dll", "cmdial32.dll", "cmgrcspps.dll", "cmifw.dll", "cmintegrator.dll", "cmlua.dll", "cmpbk32.dll", "cmstplua.dll", "cmutil.dll", "cngcredui.dll", "cngprovider.dll", "cnvfat.dll", "cofiredm.dll", "colbact.dll", "colorcnv.dll", "colorui.dll", "combase.dll", "comcat.dll", "comctl32.dll", "comdlg32.dll", "coml2.dll", "comppkgsup.dll", "compstui.dll", "computecore.dll", "computenetwork.dll", "computestorage.dll", "comrepl.dll", "comres.dll", "comsnap.dll", "comsvcs.dll", "comuid.dll", "configmanager2.dll", "conhostv1.dll", 
"connect.dll", "consentux.dll", "consentuxclient.dll", "console.dll", "consolelogon.dll", "contactapis.dll", "container.dll", "coredpus.dll", "coreglobconfig.dll", "coremas.dll", "coremessaging.dll", "coremmres.dll", "coreshell.dll", "coreshellapi.dll", "coreuicomponents.dll", "correngine.dll", "courtesyengine.dll", "cpfilters.dll", "creddialogbroker.dll", "credprovhelper.dll", "credprovhost.dll", "credprovs.dll", "credprovslegacy.dll", "credssp.dll", "credui.dll", "crypt32.dll", "cryptbase.dll", "cryptcatsvc.dll", "cryptdlg.dll", "cryptdll.dll", "cryptext.dll", "cryptnet.dll", "cryptngc.dll", "cryptowinrt.dll", "cryptsp.dll", "cryptsvc.dll", "crypttpmeksvc.dll", "cryptui.dll", "cryptuiwizard.dll", "cryptxml.dll", "cscapi.dll", "cscdll.dll", "cscmig.dll", "cscobj.dll", "cscsvc.dll", "cscui.dll", "csplte.dll", "cspproxy.dll", "csrsrv.dll", "cxcredprov.dll", "c_g18030.dll", "c_gsm7.dll", "c_is2022.dll", "c_iscii.dll", "d2d1.dll", "d3d10.dll", "d3d10core.dll", "d3d10level9.dll", "d3d10warp.dll", "d3d10_1.dll", "d3d10_1core.dll", "d3d11.dll", "d3d11on12.dll", "d3d12.dll", "d3d12core.dll", "d3d8thk.dll", "d3d9.dll", "d3d9on12.dll", "d3dscache.dll", "dab.dll", "dabapi.dll", "daconn.dll", "dafbth.dll", "dafdnssd.dll", "dafescl.dll", "dafgip.dll", "dafiot.dll", "dafipp.dll", "dafmcp.dll", "dafpos.dll", "dafprintprovider.dll", "dafupnp.dll", "dafwcn.dll", "dafwfdprovider.dll", "dafwiprov.dll", "dafwsd.dll", "damediamanager.dll", "damm.dll", "das.dll", "dataclen.dll", "datusage.dll", "davclnt.dll", "davhlpr.dll", "davsyncprovider.dll", "daxexec.dll", "dbgcore.dll", "dbgeng.dll", "dbghelp.dll", "dbgmodel.dll", "dbnetlib.dll", "dbnmpntw.dll", "dciman32.dll", "dcntel.dll", "dcomp.dll", "ddaclsys.dll", "ddcclaimsapi.dll", "ddds.dll", "ddisplay.dll", "ddoiproxy.dll", "ddores.dll", "ddpchunk.dll", "ddptrace.dll", "ddputils.dll", "ddp_ps.dll", "ddraw.dll", "ddrawex.dll", "defragproxy.dll", "defragres.dll", "defragsvc.dll", "deploymentcsps.dll", "deskadp.dll", "deskmon.dll", 
"desktopshellext.dll", "devenum.dll", "deviceaccess.dll", "devicecenter.dll", "devicecredential.dll", "devicepairing.dll", "deviceuxres.dll", "devinv.dll", "devmgr.dll", "devobj.dll", "devpropmgr.dll", "devquerybroker.dll", "devrtl.dll", "dfdts.dll", "dfscli.dll", "dfshim.dll", "dfsshlex.dll", "dggpext.dll", "dhcpcmonitor.dll", "dhcpcore.dll", "dhcpcore6.dll", "dhcpcsvc.dll", "dhcpcsvc6.dll", "dhcpsapi.dll", "diagcpl.dll", "diagnosticlogcsp.dll", "diagperf.dll", "diagsvc.dll", "diagtrack.dll", "dialclient.dll", "dialserver.dll", "dictationmanager.dll", "difxapi.dll", "dimsjob.dll", "dimsroam.dll", "dinput.dll", "dinput8.dll", "direct2ddesktop.dll", "directml.dll", "discan.dll", "dismapi.dll", "dispbroker.dll", "dispex.dll", "display.dll", "displaymanager.dll", "dlnashext.dll", "dmappsres.dll", "dmcfgutils.dll", "dmcmnutils.dll", "dmcsps.dll", "dmdlgs.dll", "dmdskmgr.dll", "dmdskres.dll", "dmdskres2.dll", "dmenrollengine.dll", "dmintf.dll", "dmiso8601utils.dll", "dmloader.dll", "dmocx.dll", "dmoleaututils.dll", "dmpushproxy.dll", "dmpushroutercore.dll", "dmrcdecoder.dll", "dmrserver.dll", "dmsynth.dll", "dmusic.dll", "dmutil.dll", "dmvdsitf.dll", "dmwappushsvc.dll", "dmwmicsp.dll", "dmxmlhelputils.dll", "dnsapi.dll", "dnscmmc.dll", "dnsext.dll", "dnshc.dll", "dnsrslvr.dll", "docprop.dll", "dolbydecmft.dll", "domgmt.dll", "dosettings.dll", "dosvc.dll", "dot3api.dll", "dot3cfg.dll", "dot3conn.dll", "dot3dlg.dll", "dot3gpclnt.dll", "dot3gpui.dll", "dot3hc.dll", "dot3mm.dll", "dot3msm.dll", "dot3svc.dll", "dot3ui.dll", "dpapi.dll", "dpapiprovider.dll", "dpapisrv.dll", "dpnaddr.dll", "dpnathlp.dll", "dpnet.dll", "dpnhpast.dll", "dpnhupnp.dll", "dpnlobby.dll", "dps.dll", "dpx.dll", "drprov.dll", "drt.dll", "drtprov.dll", "drttransport.dll", "drvsetup.dll", "drvstore.dll", "dsauth.dll", "dsccore.dll", "dsccoreconfprov.dll", "dsclient.dll", "dscproxy.dll", "dsctimer.dll", "dsdmo.dll", "dskquota.dll", "dskquoui.dll", "dsound.dll", "dsparse.dll", "dsprop.dll", "dsquery.dll", 
"dsreg.dll", "dsregtask.dll", "dsrole.dll", "dssec.dll", "dssenh.dll", "dssvc.dll", "dsui.dll", "dsuiext.dll", "dswave.dll", "dtsh.dll", "ducsps.dll", "dui70.dll", "duser.dll", "dusmapi.dll", "dusmsvc.dll", "dwmapi.dll", "dwmcore.dll", "dwmghost.dll", "dwminit.dll", "dwmredir.dll", "dwmscene.dll", "dwrite.dll", "dxcore.dll", "dxdiagn.dll", "dxgi.dll", "dxgwdi.dll", "dxilconv.dll", "dxmasf.dll", "dxp.dll", "dxpps.dll", "dxptasksync.dll", "dxtmsft.dll", "dxtrans.dll", "dxva2.dll", "dynamoapi.dll", "eapp3hst.dll", "eappcfg.dll", "eappcfgui.dll", "eappgnui.dll", "eapphost.dll", "eappprxy.dll", "eapprovp.dll", "eapputil.dll", "eapsimextdesktop.dll", "eapsvc.dll", "eapteapauth.dll", "eapteapconfig.dll", "eapteapext.dll", "easconsent.dll", "easwrt.dll", "edgeangle.dll", "edgecontent.dll", "edgehtml.dll", "edgeiso.dll", "edgemanager.dll", "edpauditapi.dll", "edpcsp.dll", "edptask.dll", "edputil.dll", "eeprov.dll", "eeutil.dll", "efsadu.dll", "efscore.dll", "efsext.dll", "efslsaext.dll", "efssvc.dll", "efsutil.dll", "efswrt.dll", "ehstorapi.dll", "ehstorpwdmgr.dll", "ehstorshell.dll", "els.dll", "elscore.dll", "elshyph.dll", "elslad.dll", "elstrans.dll", "emailapis.dll", "embeddedmodesvc.dll", "emojids.dll", "encapi.dll", "energy.dll", "energyprov.dll", "energytask.dll", "enrollmentapi.dll", "enterpriseapncsp.dll", "enterprisecsps.dll", "enterpriseetw.dll", "eqossnap.dll", "errordetails.dll", "errordetailscore.dll", "es.dll", "esclprotocol.dll", "esclscan.dll", "esclwiadriver.dll", "esdsip.dll", "esent.dll", "esentprf.dll", "esevss.dll", "eshims.dll", "etwrundown.dll", "euiccscsp.dll", "eventaggregation.dll", "eventcls.dll", "evr.dll", "execmodelclient.dll", "execmodelproxy.dll", "explorerframe.dll", "exsmime.dll", "extrasxmlparser.dll", "f3ahvoas.dll", "facilitator.dll", "familysafetyext.dll", "faultrep.dll", "fcon.dll", "fdbth.dll", "fdbthproxy.dll", "fddevquery.dll", "fde.dll", "fdeploy.dll", "fdphost.dll", "fdpnp.dll", "fdprint.dll", "fdproxy.dll", "fdrespub.dll", 
"fdssdp.dll", "fdwcn.dll", "fdwnet.dll", "fdwsd.dll", "feclient.dll", "ffbroker.dll", "fhcat.dll", "fhcfg.dll", "fhcleanup.dll", "fhcpl.dll", "fhengine.dll", "fhevents.dll", "fhshl.dll", "fhsrchapi.dll", "fhsrchph.dll", "fhsvc.dll", "fhsvcctl.dll", "fhtask.dll", "fhuxadapter.dll", "fhuxapi.dll", "fhuxcommon.dll", "fhuxgraphics.dll", "fhuxpresentation.dll", "fidocredprov.dll", "filemgmt.dll", "filterds.dll", "findnetprinters.dll", "firewallapi.dll", "flightsettings.dll", "fltlib.dll", "fluencyds.dll", "fmapi.dll", "fmifs.dll", "fms.dll", "fntcache.dll", "fontext.dll", "fontprovider.dll", "fontsub.dll", "fphc.dll", "framedyn.dll", "framedynos.dll", "frameserver.dll", "frprov.dll", "fsutilext.dll", "fthsvc.dll", "fundisc.dll", "fveapi.dll", "fveapibase.dll", "fvecerts.dll", "fvecpl.dll", "fveskybackup.dll", "fveui.dll", "fvewiz.dll", "fwbase.dll", "fwcfg.dll", "fwmdmcsp.dll", "fwpolicyiomgr.dll", "fwpuclnt.dll", "fwremotesvr.dll", "gameinput.dll", "gamemode.dll", "gamestreamingext.dll", "gameux.dll", "gamingtcui.dll", "gcdef.dll", "gdi32.dll", "gdi32full.dll", "gdiplus.dll", "generaltel.dll", "geocommon.dll", "geolocation.dll", "getuname.dll", "glmf32.dll", "globinputhost.dll", "glu32.dll", "gmsaclient.dll", "gpapi.dll", "gpcsewrappercsp.dll", "gpedit.dll", "gpprefcl.dll", "gpprnext.dll", "gpscript.dll", "gpsvc.dll", "gptext.dll", "graphicscapture.dll", "graphicsperfsvc.dll", "groupinghc.dll", "hal.dll", "halextpl080.dll", "hascsp.dll", "hashtagds.dll", "hbaapi.dll", "hcproviders.dll", "hdcphandler.dll", "heatcore.dll", "helppaneproxy.dll", "hgcpl.dll", "hhsetup.dll", "hid.dll", "hidcfu.dll", "hidserv.dll", "hlink.dll", "hmkd.dll", "hnetcfg.dll", "hnetcfgclient.dll", "hnetmon.dll", "hologramworld.dll", "holoshellruntime.dll", "holoshextensions.dll", "hotplug.dll", "hrtfapo.dll", "httpapi.dll", "httpprxc.dll", "httpprxm.dll", "httpprxp.dll", "httpsdatasource.dll", "htui.dll", "hvhostsvc.dll", "hvloader.dll", "hvsigpext.dll", "hvsocket.dll", "hydrogen.dll", 
"ia2comproxy.dll", "ias.dll", "iasacct.dll", "iasads.dll", "iasdatastore.dll", "iashlpr.dll", "iasmigplugin.dll", "iasnap.dll", "iaspolcy.dll", "iasrad.dll", "iasrecst.dll", "iassam.dll", "iassdo.dll", "iassvcs.dll", "icfupgd.dll", "icm32.dll", "icmp.dll", "icmui.dll", "iconcodecservice.dll", "icsigd.dll", "icsvc.dll", "icsvcext.dll", "icu.dll", "icuin.dll", "icuuc.dll", "idctrls.dll", "idlisten.dll", "idndl.dll", "idstore.dll", "ieadvpack.dll", "ieapfltr.dll", "iedkcs32.dll", "ieframe.dll", "iemigplugin.dll", "iepeers.dll", "ieproxy.dll", "iernonce.dll", "iertutil.dll", "iesetup.dll", "iesysprep.dll", "ieui.dll", "ifmon.dll", "ifsutil.dll", "ifsutilx.dll", "igddiag.dll", "ihds.dll", "ikeext.dll", "imagehlp.dll", "imageres.dll", "imagesp1.dll", "imapi.dll", "imapi2.dll", "imapi2fs.dll", "imgutil.dll", "imm32.dll", "implatsetup.dll", "indexeddblegacy.dll", "inetcomm.dll", "inetmib1.dll", "inetpp.dll", "inetppui.dll", "inetres.dll", "inked.dll", "inkobjcore.dll", "inproclogger.dll", "input.dll", "inputcloudstore.dll", "inputcontroller.dll", "inputhost.dll", "inputservice.dll", "inputswitch.dll", "inseng.dll", "installservice.dll", "internetmail.dll", "internetmailcsp.dll", "invagent.dll", "iologmsg.dll", "iphlpapi.dll", "iphlpsvc.dll", "ipnathlp.dll", "ipnathlpclient.dll", "ippcommon.dll", "ippcommonproxy.dll", "iprtprio.dll", "iprtrmgr.dll", "ipsecsnp.dll", "ipsecsvc.dll", "ipsmsnap.dll", "ipxlatcfg.dll", "iri.dll", "iscsicpl.dll", "iscsidsc.dll", "iscsied.dll", "iscsiexe.dll", "iscsilog.dll", "iscsium.dll", "iscsiwmi.dll", "iscsiwmiv2.dll", "ism.dll", "itircl.dll", "itss.dll", "iuilp.dll", "iumbase.dll", "iumcrypt.dll", "iumdll.dll", "iumsdk.dll", "iyuv_32.dll", "joinproviderol.dll", "joinutil.dll", "jpmapcontrol.dll", "jpndecoder.dll", "jpninputrouter.dll", "jpnranker.dll", "jpnserviceds.dll", "jscript.dll", "jscript9.dll", "jscript9diag.dll", "jsproxy.dll", "kbd101.dll", "kbd101a.dll", "kbd101b.dll", "kbd101c.dll", "kbd103.dll", "kbd106.dll", "kbd106n.dll", 
"kbda1.dll", "kbda2.dll", "kbda3.dll", "kbdadlm.dll", "kbdal.dll", "kbdarme.dll", "kbdarmph.dll", "kbdarmty.dll", "kbdarmw.dll", "kbdax2.dll", "kbdaze.dll", "kbdazel.dll", "kbdazst.dll", "kbdbash.dll", "kbdbe.dll", "kbdbene.dll", "kbdbgph.dll", "kbdbgph1.dll", "kbdbhc.dll", "kbdblr.dll", "kbdbr.dll", "kbdbu.dll", "kbdbug.dll", "kbdbulg.dll", "kbdca.dll", "kbdcan.dll", "kbdcher.dll", "kbdcherp.dll", "kbdcr.dll", "kbdcz.dll", "kbdcz1.dll", "kbdcz2.dll", "kbdda.dll", "kbddiv1.dll", "kbddiv2.dll", "kbddv.dll", "kbddzo.dll", "kbdes.dll", "kbdest.dll", "kbdfa.dll", "kbdfar.dll", "kbdfc.dll", "kbdfi.dll", "kbdfi1.dll", "kbdfo.dll", "kbdfr.dll", "kbdfthrk.dll", "kbdgae.dll", "kbdgeo.dll", "kbdgeoer.dll", "kbdgeome.dll", "kbdgeooa.dll", "kbdgeoqw.dll", "kbdgkl.dll", "kbdgn.dll", "kbdgr.dll", "kbdgr1.dll", "kbdgrlnd.dll", "kbdgthc.dll", "kbdhau.dll", "kbdhaw.dll", "kbdhe.dll", "kbdhe220.dll", "kbdhe319.dll", "kbdheb.dll", "kbdhebl3.dll", "kbdhela2.dll", "kbdhela3.dll", "kbdhept.dll", "kbdhu.dll", "kbdhu1.dll", "kbdibm02.dll", "kbdibo.dll", "kbdic.dll", "kbdinasa.dll", "kbdinbe1.dll", "kbdinbe2.dll", "kbdinben.dll", "kbdindev.dll", "kbdinen.dll", "kbdinguj.dll", "kbdinhin.dll", "kbdinkan.dll", "kbdinmal.dll", "kbdinmar.dll", "kbdinori.dll", "kbdinpun.dll", "kbdintam.dll", "kbdintel.dll", "kbdinuk2.dll", "kbdir.dll", "kbdit.dll", "kbdit142.dll", "kbdiulat.dll", "kbdjav.dll", "kbdjpn.dll", "kbdkaz.dll", "kbdkhmr.dll", "kbdkni.dll", "kbdkor.dll", "kbdkurd.dll", "kbdkyr.dll", "kbdla.dll", "kbdlao.dll", "kbdlisub.dll", "kbdlisus.dll", "kbdlk41a.dll", "kbdlt.dll", "kbdlt1.dll", "kbdlt2.dll", "kbdlv.dll", "kbdlv1.dll", "kbdlvst.dll", "kbdmac.dll", "kbdmacst.dll", "kbdmaori.dll", "kbdmlt47.dll", "kbdmlt48.dll", "kbdmon.dll", "kbdmonmo.dll", "kbdmonst.dll", "kbdmyan.dll", "kbdne.dll", "kbdnec.dll", "kbdnec95.dll", "kbdnecat.dll", "kbdnecnt.dll", "kbdnepr.dll", "kbdnko.dll", "kbdno.dll", "kbdno1.dll", "kbdnso.dll", "kbdntl.dll", "kbdogham.dll", "kbdolch.dll", "kbdoldit.dll", 
"kbdosa.dll", "kbdosm.dll", "kbdpash.dll", "kbdphags.dll", "kbdpl.dll", "kbdpl1.dll", "kbdpo.dll", "kbdro.dll", "kbdropr.dll", "kbdrost.dll", "kbdru.dll", "kbdru1.dll", "kbdrum.dll", "kbdsf.dll", "kbdsg.dll", "kbdsl.dll", "kbdsl1.dll", "kbdsmsfi.dll", "kbdsmsno.dll", "kbdsn1.dll", "kbdsora.dll", "kbdsorex.dll", "kbdsors1.dll", "kbdsorst.dll", "kbdsp.dll", "kbdsw.dll", "kbdsw09.dll", "kbdsyr1.dll", "kbdsyr2.dll", "kbdtaile.dll", "kbdtajik.dll", "kbdtam99.dll", "kbdtat.dll", "kbdth0.dll", "kbdth1.dll", "kbdth2.dll", "kbdth3.dll", "kbdtifi.dll", "kbdtifi2.dll", "kbdtiprc.dll", "kbdtiprd.dll", "kbdtt102.dll", "kbdtuf.dll", "kbdtuq.dll", "kbdturme.dll", "kbdtzm.dll", "kbdughr.dll", "kbdughr1.dll", "kbduk.dll", "kbdukx.dll", "kbdur.dll", "kbdur1.dll", "kbdurdu.dll", "kbdus.dll", "kbdusa.dll", "kbdusl.dll", "kbdusr.dll", "kbdusx.dll", "kbduzb.dll", "kbdvntc.dll", "kbdwol.dll", "kbdyak.dll", "kbdyba.dll", "kbdycc.dll", "kbdycl.dll", "kd.dll", "kdcom.dll", "kdcpw.dll", "kdhvcom.dll", "kdnet.dll", "kdnet_uart16550.dll", "kdscli.dll", "kdstub.dll", "kdusb.dll", "kd_02_10df.dll", "kd_02_10ec.dll", "kd_02_1137.dll", "kd_02_14e4.dll", "kd_02_15b3.dll", "kd_02_1969.dll", "kd_02_19a2.dll", "kd_02_1af4.dll", "kd_02_8086.dll", "kd_07_1415.dll", "kd_0c_8086.dll", "kerbclientshared.dll", "kerberos.dll", "kernel32.dll", "kernelbase.dll", "keycredmgr.dll", "keyiso.dll", "keymgr.dll", "knobscore.dll", "knobscsp.dll", "ksuser.dll", "ktmw32.dll", "l2gpstore.dll", "l2nacp.dll", "l2sechc.dll", "laprxy.dll", "legacynetux.dll", "lfsvc.dll", "libcrypto.dll", "licensemanager.dll", "licensingcsp.dll", "licensingdiagspp.dll", "licensingwinrt.dll", "licmgr10.dll", "linkinfo.dll", "lltdapi.dll", "lltdres.dll", "lltdsvc.dll", "lmhsvc.dll", "loadperf.dll", "localsec.dll", "localspl.dll", "localui.dll", "locationapi.dll", "lockappbroker.dll", "lockcontroller.dll", "lockscreendata.dll", "loghours.dll", "logoncli.dll", "logoncontroller.dll", "lpasvc.dll", "lpk.dll", "lsasrv.dll", "lscshostpolicy.dll", 
"lsm.dll", "lsmproxy.dll", "lstelemetry.dll", "luainstall.dll", "luiapi.dll", "lz32.dll", "magnification.dll", "maintenanceui.dll", "manageci.dll", "mapconfiguration.dll", "mapcontrolcore.dll", "mapgeocoder.dll", "mapi32.dll", "mapistub.dll", "maprouter.dll", "mapsbtsvc.dll", "mapsbtsvcproxy.dll", "mapscsp.dll", "mapsstore.dll", "mapstoasttask.dll", "mapsupdatetask.dll", "mbaeapi.dll", "mbaeapipublic.dll", "mbaexmlparser.dll", "mbmediamanager.dll", "mbsmsapi.dll", "mbussdapi.dll", "mccsengineshared.dll", "mccspal.dll", "mciavi32.dll", "mcicda.dll", "mciqtz32.dll", "mciseq.dll", "mciwave.dll", "mcrecvsrc.dll", "mdmcommon.dll", "mdmdiagnostics.dll", "mdminst.dll", "mdmmigrator.dll", "mdmregistration.dll", "memorydiagnostic.dll", "messagingservice.dll", "mf.dll", "mf3216.dll", "mfaacenc.dll", "mfasfsrcsnk.dll", "mfaudiocnv.dll", "mfc42.dll", "mfc42u.dll", "mfcaptureengine.dll", "mfcore.dll", "mfcsubs.dll", "mfds.dll", "mfdvdec.dll", "mferror.dll", "mfh263enc.dll", "mfh264enc.dll", "mfksproxy.dll", "mfmediaengine.dll", "mfmjpegdec.dll", "mfmkvsrcsnk.dll", "mfmp4srcsnk.dll", "mfmpeg2srcsnk.dll", "mfnetcore.dll", "mfnetsrc.dll", "mfperfhelper.dll", "mfplat.dll", "mfplay.dll", "mfps.dll", "mfreadwrite.dll", "mfsensorgroup.dll", "mfsrcsnk.dll", "mfsvr.dll", "mftranscode.dll", "mfvdsp.dll", "mfvfw.dll", "mfwmaaec.dll", "mgmtapi.dll", "mi.dll", "mibincodec.dll", "midimap.dll", "migisol.dll", "miguiresource.dll", "mimefilt.dll", "mimofcodec.dll", "minstoreevents.dll", "miracastinputmgr.dll", "miracastreceiver.dll", "mirrordrvcompat.dll", "mispace.dll", "mitigationclient.dll", "miutils.dll", "mlang.dll", "mmcbase.dll", "mmcndmgr.dll", "mmcshext.dll", "mmdevapi.dll", "mmgaclient.dll", "mmgaproxystub.dll", "mmres.dll", "mobilenetworking.dll", "modemui.dll", "modernexecserver.dll", "moricons.dll", "moshost.dll", "moshostclient.dll", "moshostcore.dll", "mosstorage.dll", "mp3dmod.dll", "mp43decd.dll", "mp4sdecd.dll", "mpeval.dll", "mpg4decd.dll", "mpr.dll", "mprapi.dll", 
"mprddm.dll", "mprdim.dll", "mprext.dll", "mprmsg.dll", "mpssvc.dll", "mpunits.dll", "mrmcorer.dll", "mrmdeploy.dll", "mrmindexer.dll", "mrt100.dll", "mrt_map.dll", "msaatext.dll", "msac3enc.dll", "msacm32.dll", "msafd.dll", "msajapi.dll", "msalacdecoder.dll", "msalacencoder.dll", "msamrnbdecoder.dll", "msamrnbencoder.dll", "msamrnbsink.dll", "msamrnbsource.dll", "msasn1.dll", "msauddecmft.dll", "msaudite.dll", "msauserext.dll", "mscandui.dll", "mscat32.dll", "msclmd.dll", "mscms.dll", "mscoree.dll", "mscorier.dll", "mscories.dll", "msctf.dll", "msctfmonitor.dll", "msctfp.dll", "msctfui.dll", "msctfuimanager.dll", "msdadiag.dll", "msdart.dll", "msdelta.dll", "msdmo.dll", "msdrm.dll", "msdtckrm.dll", "msdtclog.dll", "msdtcprx.dll", "msdtcspoffln.dll", "msdtctm.dll", "msdtcuiu.dll", "msdtcvsp1res.dll", "msfeeds.dll", "msfeedsbs.dll", "msflacdecoder.dll", "msflacencoder.dll", "msftedit.dll", "msheif.dll", "mshtml.dll", "mshtmldac.dll", "mshtmled.dll", "mshtmler.dll", "msi.dll", "msicofire.dll", "msidcrl40.dll", "msident.dll", "msidle.dll", "msidntld.dll", "msieftp.dll", "msihnd.dll", "msiltcfg.dll", "msimg32.dll", "msimsg.dll", "msimtf.dll", "msisip.dll", "msiso.dll", "msiwer.dll", "mskeyprotcli.dll", "mskeyprotect.dll", "msls31.dll", "msmpeg2adec.dll", "msmpeg2enc.dll", "msmpeg2vdec.dll", "msobjs.dll", "msoert2.dll", "msopusdecoder.dll", "mspatcha.dll", "mspatchc.dll", "msphotography.dll", "msports.dll", "msprivs.dll", "msrahc.dll", "msrating.dll", "msrawimage.dll", "msrdc.dll", "msrdpwebaccess.dll", "msrle32.dll", "msscntrs.dll", "mssecuser.dll", "mssign32.dll", "mssip32.dll", "mssitlb.dll", "mssph.dll", "mssprxy.dll", "mssrch.dll", "mssvp.dll", "mstask.dll", "mstextprediction.dll", "mstscax.dll", "msutb.dll", "msv1_0.dll", "msvcirt.dll", "msvcp110_win.dll", "msvcp120_clr0400.dll", "msvcp140_clr0400.dll", "msvcp60.dll", "msvcp_win.dll", "msvcr100_clr0400.dll", "msvcr120_clr0400.dll", "msvcrt.dll", "msvfw32.dll", "msvidc32.dll", "msvidctl.dll", "msvideodsp.dll", 
"msvp9dec.dll", "msvproc.dll", "msvpxenc.dll", "mswb7.dll", "mswebp.dll", "mswmdm.dll", "mswsock.dll", "msxml3.dll", "msxml3r.dll", "msxml6.dll", "msxml6r.dll", "msyuv.dll", "mtcmodel.dll", "mtf.dll", "mtfappserviceds.dll", "mtfdecoder.dll", "mtffuzzyds.dll", "mtfserver.dll", "mtfspellcheckds.dll", "mtxclu.dll", "mtxdm.dll", "mtxex.dll", "mtxoci.dll", "muifontsetup.dll", "mycomput.dll", "mydocs.dll", "napcrypt.dll", "napinsp.dll", "naturalauth.dll", "naturallanguage6.dll", "navshutdown.dll", "ncaapi.dll", "ncasvc.dll", "ncbservice.dll", "ncdautosetup.dll", "ncdprop.dll", "nci.dll", "ncobjapi.dll", "ncrypt.dll", "ncryptprov.dll", "ncryptsslp.dll", "ncsi.dll", "ncuprov.dll", "nddeapi.dll", "ndfapi.dll", "ndfetw.dll", "ndfhcdiscovery.dll", "ndishc.dll", "ndproxystub.dll", "nduprov.dll", "negoexts.dll", "netapi32.dll", "netbios.dll", "netcenter.dll", "netcfgx.dll", "netcorehc.dll", "netdiagfx.dll", "netdriverinstall.dll", "netevent.dll", "netfxperf.dll", "neth.dll", "netid.dll", "netiohlp.dll", "netjoin.dll", "netlogon.dll", "netman.dll", "netmsg.dll", "netplwiz.dll", "netprofm.dll", "netprofmsvc.dll", "netprovfw.dll", "netprovisionsp.dll", "netsetupapi.dll", "netsetupengine.dll", "netsetupshim.dll", "netsetupsvc.dll", "netshell.dll", "nettrace.dll", "netutils.dll", "networkexplorer.dll", "networkhelper.dll", "networkicon.dll", "networkproxycsp.dll", "networkstatus.dll", "networkuxbroker.dll", "newdev.dll", "nfcradiomedia.dll", "ngccredprov.dll", "ngcctnr.dll", "ngcctnrsvc.dll", "ngcisoctnr.dll", "ngckeyenum.dll", "ngcksp.dll", "ngclocal.dll", "ngcpopkeysrv.dll", "ngcprocsp.dll", "ngcrecovery.dll", "ngcsvc.dll", "ngctasks.dll", "ninput.dll", "nlaapi.dll", "nlahc.dll", "nlasvc.dll", "nlhtml.dll", "nlmgp.dll", "nlmproxy.dll", "nlmsprep.dll", "nlsbres.dll", "nlsdata0000.dll", "nlsdata0009.dll", "nlsdl.dll", "nlslexicons0009.dll", "nmadirect.dll", "normaliz.dll", "npmproxy.dll", "npsm.dll", "nrpsrv.dll", "nshhttp.dll", "nshipsec.dll", "nshwfp.dll", "nsi.dll", "nsisvc.dll", 
"ntasn1.dll", "ntdll.dll", "ntdsapi.dll", "ntlanman.dll", "ntlanui2.dll", "ntlmshared.dll", "ntmarta.dll", "ntprint.dll", "ntshrui.dll", "ntvdm64.dll", "objsel.dll", "occache.dll", "ocsetapi.dll", "odbc32.dll", "odbcbcp.dll", "odbcconf.dll", "odbccp32.dll", "odbccr32.dll", "odbccu32.dll", "odbcint.dll", "odbctrac.dll", "oemlicense.dll", "offfilt.dll", "officecsp.dll", "offlinelsa.dll", "offlinesam.dll", "offreg.dll", "ole32.dll", "oleacc.dll", "oleacchooks.dll", "oleaccrc.dll", "oleaut32.dll", "oledlg.dll", "oleprn.dll", "omadmagent.dll", "omadmapi.dll", "onebackuphandler.dll", "onex.dll", "onexui.dll", "opcservices.dll", "opengl32.dll", "ortcengine.dll", "osbaseln.dll", "osksupport.dll", "osuninst.dll", "p2p.dll", "p2pgraph.dll", "p2pnetsh.dll", "p2psvc.dll", "packager.dll", "panmap.dll", "pautoenr.dll", "pcacli.dll", "pcadm.dll", "pcaevts.dll", "pcasvc.dll", "pcaui.dll", "pcpksp.dll", "pcsvdevice.dll", "pcwum.dll", "pcwutl.dll", "pdh.dll", "pdhui.dll", "peerdist.dll", "peerdistad.dll", "peerdistcleaner.dll", "peerdistsh.dll", "peerdistsvc.dll", "peopleapis.dll", "peopleband.dll", "perceptiondevice.dll", "perfctrs.dll", "perfdisk.dll", "perfnet.dll", "perfos.dll", "perfproc.dll", "perfts.dll", "phoneom.dll", "phoneproviders.dll", "phoneservice.dll", "phoneserviceres.dll", "phoneutil.dll", "phoneutilres.dll", "photowiz.dll", "pickerplatform.dll", "pid.dll", "pidgenx.dll", "pifmgr.dll", "pimstore.dll", "pkeyhelper.dll", "pktmonapi.dll", "pku2u.dll", "pla.dll", "playlistfolder.dll", "playsndsrv.dll", "playtodevice.dll", "playtomanager.dll", "playtomenu.dll", "playtoreceiver.dll", "ploptin.dll", "pmcsnap.dll", "pngfilt.dll", "pnidui.dll", "pnpclean.dll", "pnppolicy.dll", "pnpts.dll", "pnpui.dll", "pnpxassoc.dll", "pnpxassocprx.dll", "pnrpauto.dll", "pnrphc.dll", "pnrpnsp.dll", "pnrpsvc.dll", "policymanager.dll", "polstore.dll", "posetup.dll", "posyncservices.dll", "pots.dll", "powercpl.dll", "powrprof.dll", "ppcsnap.dll", "prauthproviders.dll", "prflbmsg.dll", 
"printui.dll", "printwsdahost.dll", "prm0009.dll", "prncache.dll", "prnfldr.dll", "prnntfy.dll", "prntvpt.dll", "profapi.dll", "profext.dll", "profprov.dll", "profsvc.dll", "profsvcext.dll", "propsys.dll", "provcore.dll", "provdatastore.dll", "provdiagnostics.dll", "provengine.dll", "provhandlers.dll", "provisioningcsp.dll", "provmigrate.dll", "provops.dll", "provplugineng.dll", "provsysprep.dll", "provthrd.dll", "proximitycommon.dll", "proximityservice.dll", "prvdmofcomp.dll", "psapi.dll", "pshed.dll", "psisdecd.dll", "psmsrv.dll", "pstask.dll", "pstorec.dll", "ptpprov.dll", "puiapi.dll", "puiobj.dll", "pushtoinstall.dll", "pwlauncher.dll", "pwrshplugin.dll", "pwsso.dll", "qasf.dll", "qcap.dll", "qdv.dll", "qdvd.dll", "qedit.dll", "qedwipes.dll", "qmgr.dll", "query.dll", "quiethours.dll", "qwave.dll", "racengn.dll", "racpldlg.dll", "radardt.dll", "radarrs.dll", "radcui.dll", "rasadhlp.dll", "rasapi32.dll", "rasauto.dll", "raschap.dll", "raschapext.dll", "rasctrs.dll", "rascustom.dll", "rasdiag.dll", "rasdlg.dll", "rasgcw.dll", "rasman.dll", "rasmans.dll", "rasmbmgr.dll", "rasmediamanager.dll", "rasmm.dll", "rasmontr.dll", "rasplap.dll", "rasppp.dll", "rastapi.dll", "rastls.dll", "rastlsext.dll", "rdbui.dll", "rdpbase.dll", "rdpcfgex.dll", "rdpcore.dll", "rdpcorets.dll", "rdpencom.dll", "rdpendp.dll", "rdpnano.dll", "rdpsaps.dll", "rdpserverbase.dll", "rdpsharercom.dll", "rdpudd.dll", "rdpviewerax.dll", "rdsappxhelper.dll", "rdsdwmdr.dll", "rdvvmtransport.dll", "rdxservice.dll", "rdxtaskfactory.dll", "reagent.dll", "reagenttask.dll", "recovery.dll", "regapi.dll", "regctrl.dll", "regidle.dll", "regsvc.dll", "reguwpapi.dll", "reinfo.dll", "remotepg.dll", "remotewipecsp.dll", "reportingcsp.dll", "resampledmo.dll", "resbparser.dll", "reseteng.dll", "resetengine.dll", "resetengonline.dll", "resourcemapper.dll", "resutils.dll", "rgb9rast.dll", "riched20.dll", "riched32.dll", "rjvmdmconfig.dll", "rmapi.dll", "rmclient.dll", "rnr20.dll", "roamingsecurity.dll", 
"rometadata.dll", "rotmgr.dll", "rpcepmap.dll", "rpchttp.dll", "rpcns4.dll", "rpcnsh.dll", "rpcrt4.dll", "rpcrtremote.dll", "rpcss.dll", "rsaenh.dll", "rshx32.dll", "rstrtmgr.dll", "rtffilt.dll", "rtm.dll", "rtmediaframe.dll", "rtmmvrortc.dll", "rtutils.dll", "rtworkq.dll", "rulebasedds.dll", "samcli.dll", "samlib.dll", "samsrv.dll", "sas.dll", "sbe.dll", "sbeio.dll", "sberes.dll", "sbservicetrigger.dll", "scansetting.dll", "scardbi.dll", "scarddlg.dll", "scardsvr.dll", "scavengeui.dll", "scdeviceenum.dll", "scecli.dll", "scesrv.dll", "schannel.dll", "schedcli.dll", "schedsvc.dll", "scksp.dll", "scripto.dll", "scrobj.dll", "scrptadm.dll", "scrrun.dll", "sdcpl.dll", "sdds.dll", "sdengin2.dll", "sdfhost.dll", "sdhcinst.dll", "sdiageng.dll", "sdiagprv.dll", "sdiagschd.dll", "sdohlp.dll", "sdrsvc.dll", "sdshext.dll", "searchfolder.dll", "sechost.dll", "seclogon.dll", "secproc.dll", "secproc_isv.dll", "secproc_ssp.dll", "secproc_ssp_isv.dll", "secur32.dll", "security.dll", "semgrps.dll", "semgrsvc.dll", "sendmail.dll", "sens.dll", "sensapi.dll", "sensorsapi.dll", "sensorscpl.dll", "sensorservice.dll", "sensorsnativeapi.dll", "sensorsutilsv2.dll", "sensrsvc.dll", "serialui.dll", "servicinguapi.dll", "serwvdrv.dll", "sessenv.dll", "setbcdlocale.dll", "settingmonitor.dll", "settingsync.dll", "settingsynccore.dll", "setupapi.dll", "setupcl.dll", "setupcln.dll", "setupetw.dll", "sfc.dll", "sfc_os.dll", "sgrmenclave.dll", "shacct.dll", "shacctprofile.dll", "sharedpccsp.dll", "sharedrealitysvc.dll", "sharehost.dll", "sharemediacpl.dll", "shcore.dll", "shdocvw.dll", "shell32.dll", "shellstyle.dll", "shfolder.dll", "shgina.dll", "shimeng.dll", "shimgvw.dll", "shlwapi.dll", "shpafact.dll", "shsetup.dll", "shsvcs.dll", "shunimpl.dll", "shutdownext.dll", "shutdownux.dll", "shwebsvc.dll", "signdrv.dll", "simauth.dll", "simcfg.dll", "skci.dll", "slc.dll", "slcext.dll", "slwga.dll", "smartscreenps.dll", "smbhelperclass.dll", "smbwmiv2.dll", "smiengine.dll", "smphost.dll", 
"smsroutersvc.dll", "sndvolsso.dll", "snmpapi.dll", "socialapis.dll", "softkbd.dll", "softpub.dll", "sortwindows61.dll", "sortwindows62.dll", "spacebridge.dll", "spacecontrol.dll", "spatializerapo.dll", "spatialstore.dll", "spbcd.dll", "speechpal.dll", "spfileq.dll", "spinf.dll", "spmpm.dll", "spnet.dll", "spoolss.dll", "spopk.dll", "spp.dll", "sppc.dll", "sppcext.dll", "sppcomapi.dll", "sppcommdlg.dll", "sppinst.dll", "sppnp.dll", "sppobjs.dll", "sppwinob.dll", "sppwmi.dll", "spwinsat.dll", "spwizeng.dll", "spwizimg.dll", "spwizres.dll", "spwmp.dll", "sqlsrv32.dll", "sqmapi.dll", "srchadmin.dll", "srclient.dll", "srcore.dll", "srevents.dll", "srh.dll", "srhelper.dll", "srm.dll", "srmclient.dll", "srmlib.dll", "srmscan.dll", "srmshell.dll", "srmstormod.dll", "srmtrace.dll", "srm_ps.dll", "srpapi.dll", "srrstr.dll", "srumapi.dll", "srumsvc.dll", "srvcli.dll", "srvsvc.dll", "srwmi.dll", "sscore.dll", "sscoreext.dll", "ssdm.dll", "ssdpapi.dll", "ssdpsrv.dll", "sspicli.dll", "sspisrv.dll", "ssshim.dll", "sstpsvc.dll", "starttiledata.dll", "startupscan.dll", "stclient.dll", "sti.dll", "sti_ci.dll", "stobject.dll", "storageusage.dll", "storagewmi.dll", "storewuauth.dll", "storprop.dll", "storsvc.dll", "streamci.dll", "structuredquery.dll", "sud.dll", "svf.dll", "svsvc.dll", "swprv.dll", "sxproxy.dll", "sxs.dll", "sxshared.dll", "sxssrv.dll", "sxsstore.dll", "synccenter.dll", "synccontroller.dll", "synchostps.dll", "syncproxy.dll", "syncreg.dll", "syncres.dll", "syncsettings.dll", "syncutil.dll", "sysclass.dll", "sysfxui.dll", "sysmain.dll", "sysntfy.dll", "syssetup.dll", "systemcpl.dll", "t2embed.dll", "tabbtn.dll", "tabbtnex.dll", "tabsvc.dll", "tapi3.dll", "tapi32.dll", "tapilua.dll", "tapimigplugin.dll", "tapiperf.dll", "tapisrv.dll", "tapisysprep.dll", "tapiui.dll", "taskapis.dll", "taskbarcpl.dll", "taskcomp.dll", "taskschd.dll", "taskschdps.dll", "tbauth.dll", "tbs.dll", "tcbloader.dll", "tcpipcfg.dll", "tcpmib.dll", "tcpmon.dll", "tcpmonui.dll", "tdh.dll", 
"tdlmigration.dll", "tellib.dll", "termmgr.dll", "termsrv.dll", "tetheringclient.dll", "tetheringmgr.dll", "tetheringservice.dll", "tetheringstation.dll", "textshaping.dll", "themecpl.dll", "themeservice.dll", "themeui.dll", "threadpoolwinrt.dll", "thumbcache.dll", "timebrokerclient.dll", "timebrokerserver.dll", "timesync.dll", "timesynctask.dll", "tlscsp.dll", "tokenbinding.dll", "tokenbroker.dll", "tokenbrokerui.dll", "tpmcertresources.dll", "tpmcompc.dll", "tpmtasks.dll", "tpmvsc.dll", "tquery.dll", "traffic.dll", "transportdsa.dll", "trie.dll", "trkwks.dll", "tsbyuv.dll", "tscfgwmi.dll", "tserrredir.dll", "tsf3gip.dll", "tsgqec.dll", "tsmf.dll", "tspkg.dll", "tspubwmi.dll", "tssessionux.dll", "tssrvlic.dll", "tsworkspace.dll", "ttdloader.dll", "ttdplm.dll", "ttdrecord.dll", "ttdrecordcpu.dll", "ttlsauth.dll", "ttlscfg.dll", "ttlsext.dll", "tvratings.dll", "twext.dll", "twinapi.dll", "twinui.dll", "txflog.dll", "txfw32.dll", "tzautoupdate.dll", "tzres.dll", "tzsyncres.dll", "ubpm.dll", "ucmhc.dll", "ucrtbase.dll", "ucrtbase_clr0400.dll", "ucrtbase_enclave.dll", "udhisapi.dll", "udwm.dll", "ueficsp.dll", "uexfat.dll", "ufat.dll", "uiamanager.dll", "uianimation.dll", "uiautomationcore.dll", "uicom.dll", "uireng.dll", "uiribbon.dll", "uiribbonres.dll", "ulib.dll", "umb.dll", "umdmxfrm.dll", "umpdc.dll", "umpnpmgr.dll", "umpo-overrides.dll", "umpo.dll", "umpoext.dll", "umpowmi.dll", "umrdp.dll", "unattend.dll", "unenrollhook.dll", "unimdmat.dll", "uniplat.dll", "unistore.dll", "untfs.dll", "updateagent.dll", "updatecsp.dll", "updatepolicy.dll", "upnp.dll", "upnphost.dll", "upshared.dll", "urefs.dll", "urefsv1.dll", "ureg.dll", "url.dll", "urlmon.dll", "usbcapi.dll", "usbceip.dll", "usbmon.dll", "usbperf.dll", "usbpmapi.dll", "usbtask.dll", "usbui.dll", "user32.dll", "usercpl.dll", "userdataservice.dll", "userdatatimeutil.dll", "userenv.dll", "userinitext.dll", "usermgr.dll", "usermgrcli.dll", "usermgrproxy.dll", "usoapi.dll", "usocoreps.dll", "usosvc.dll", 
"usp10.dll", "ustprov.dll", "utcutil.dll", "utildll.dll", "uudf.dll", "uvcmodel.dll", "uwfcfgmgmt.dll", "uwfcsp.dll", "uwfservicingapi.dll", "uxinit.dll", "uxlib.dll", "uxlibres.dll", "uxtheme.dll", "vac.dll", "van.dll", "vault.dll", "vaultcds.dll", "vaultcli.dll", "vaultroaming.dll", "vaultsvc.dll", "vbsapi.dll", "vbscript.dll", "vbssysprep.dll", "vcardparser.dll", "vdsbas.dll", "vdsdyn.dll", "vdsutil.dll", "vdsvd.dll", "vds_ps.dll", "verifier.dll", "vertdll.dll", "vfuprov.dll", "vfwwdm32.dll", "vhfum.dll", "vid.dll", "videohandlers.dll", "vidreszr.dll", "virtdisk.dll", "vmbuspipe.dll", "vmdevicehost.dll", "vmictimeprovider.dll", "vmrdvcore.dll", "voiprt.dll", "vpnike.dll", "vpnikeapi.dll", "vpnsohdesktop.dll", "vpnv2csp.dll", "vscmgrps.dll", "vssapi.dll", "vsstrace.dll", "vss_ps.dll", "w32time.dll", "w32topl.dll", "waasassessment.dll", "waasmediccapsule.dll", "waasmedicps.dll", "waasmedicsvc.dll", "wabsyncprovider.dll", "walletproxy.dll", "walletservice.dll", "wavemsp.dll", "wbemcomn.dll", "wbiosrvc.dll", "wci.dll", "wcimage.dll", "wcmapi.dll", "wcmcsp.dll", "wcmsvc.dll", "wcnapi.dll", "wcncsvc.dll", "wcneapauthproxy.dll", "wcneappeerproxy.dll", "wcnnetsh.dll", "wcnwiz.dll", "wc_storage.dll", "wdc.dll", "wdi.dll", "wdigest.dll", "wdscore.dll", "webauthn.dll", "webcamui.dll", "webcheck.dll", "webclnt.dll", "webio.dll", "webservices.dll", "websocket.dll", "wecapi.dll", "wecsvc.dll", "wephostsvc.dll", "wer.dll", "werconcpl.dll", "wercplsupport.dll", "werenc.dll", "weretw.dll", "wersvc.dll", "werui.dll", "wevtapi.dll", "wevtfwd.dll", "wevtsvc.dll", "wfapigp.dll", "wfdprov.dll", "wfdsconmgr.dll", "wfdsconmgrsvc.dll", "wfhc.dll", "whealogr.dll", "whhelper.dll", "wiaaut.dll", "wiadefui.dll", "wiadss.dll", "wiarpc.dll", "wiascanprofiles.dll", "wiaservc.dll", "wiashext.dll", "wiatrace.dll", "wificloudstore.dll", "wificonfigsp.dll", "wifidisplay.dll", "wimgapi.dll", "win32spl.dll", "win32u.dll", "winbio.dll", "winbiodatamodel.dll", "winbioext.dll", "winbrand.dll", 
"wincorlib.dll", "wincredprovider.dll", "wincredui.dll", "windowmanagement.dll", "windowscodecs.dll", "windowscodecsext.dll", "windowscodecsraw.dll", "windowsiotcsp.dll", "windowslivelogin.dll", "winethc.dll", "winhttp.dll", "winhttpcom.dll", "winhvemulation.dll", "winhvplatform.dll", "wininet.dll", "wininetlui.dll", "wininitext.dll", "winipcfile.dll", "winipcsecproc.dll", "winipsec.dll", "winlangdb.dll", "winlogonext.dll", "winmde.dll", "winml.dll", "winmm.dll", "winmmbase.dll", "winmsipc.dll", "winnlsres.dll", "winnsi.dll", "winreagent.dll", "winrnr.dll", "winrscmd.dll", "winrsmgr.dll", "winrssrv.dll", "winrttracing.dll", "winsatapi.dll", "winscard.dll", "winsetupui.dll", "winshfhc.dll", "winsku.dll", "winsockhc.dll", "winsqlite3.dll", "winsrpc.dll", "winsrv.dll", "winsrvext.dll", "winsta.dll", "winsync.dll", "winsyncmetastore.dll", "winsyncproviders.dll", "wintrust.dll", "wintypes.dll", "winusb.dll", "wirednetworkcsp.dll", "wisp.dll", "wkscli.dll", "wkspbrokerax.dll", "wksprtps.dll", "wkssvc.dll", "wlanapi.dll", "wlancfg.dll", "wlanconn.dll", "wlandlg.dll", "wlangpui.dll", "wlanhc.dll", "wlanhlp.dll", "wlanmediamanager.dll", "wlanmm.dll", "wlanmsm.dll", "wlanpref.dll", "wlanradiomanager.dll", "wlansec.dll", "wlansvc.dll", "wlansvcpal.dll", "wlanui.dll", "wlanutil.dll", "wldap32.dll", "wldp.dll", "wlgpclnt.dll", "wlidcli.dll", "wlidcredprov.dll", "wlidfdp.dll", "wlidnsp.dll", "wlidprov.dll", "wlidres.dll", "wlidsvc.dll", "wmadmod.dll", "wmadmoe.dll", "wmalfxgfxdsp.dll", "wmasf.dll", "wmcodecdspps.dll", "wmdmlog.dll", "wmdmps.dll", "wmdrmsdk.dll", "wmerror.dll", "wmi.dll", "wmiclnt.dll", "wmicmiplugin.dll", "wmidcom.dll", "wmidx.dll", "wmiprop.dll", "wmitomi.dll", "wmnetmgr.dll", "wmp.dll", "wmpdui.dll", "wmpdxm.dll", "wmpeffects.dll", "wmphoto.dll", "wmploc.dll", "wmpps.dll", "wmpshell.dll", "wmsgapi.dll", "wmspdmod.dll", "wmspdmoe.dll", "wmvcore.dll", "wmvdecod.dll", "wmvdspa.dll", "wmvencod.dll", "wmvsdecd.dll", "wmvsencd.dll", "wmvxencd.dll", "woftasks.dll", 
"wofutil.dll", "wordbreakers.dll", "workfoldersgpext.dll", "workfoldersres.dll", "workfoldersshell.dll", "workfolderssvc.dll", "wosc.dll", "wow64.dll", "wow64cpu.dll", "wow64win.dll", "wpbcreds.dll", "wpc.dll", "wpcapi.dll", "wpcdesktopmonsvc.dll", "wpcproxystubs.dll", "wpcrefreshtask.dll", "wpcwebfilter.dll", "wpdbusenum.dll", "wpdshext.dll", "wpdshserviceobj.dll", "wpdsp.dll", "wpd_ci.dll", "wpnapps.dll", "wpnclient.dll", "wpncore.dll", "wpninprc.dll", "wpnprv.dll", "wpnservice.dll", "wpnsruprov.dll", "wpnuserservice.dll", "wpportinglibrary.dll", "wpprecorderum.dll", "wptaskscheduler.dll", "wpx.dll", "ws2help.dll", "ws2_32.dll", "wscapi.dll", "wscinterop.dll", "wscisvif.dll", "wsclient.dll", "wscproxystub.dll", "wscsvc.dll", "wsdapi.dll", "wsdchngr.dll", "wsdprintproxy.dll", "wsdproviderutil.dll", "wsdscanproxy.dll", "wsecedit.dll", "wsepno.dll", "wshbth.dll", "wshcon.dll", "wshelper.dll", "wshext.dll", "wshhyperv.dll", "wship6.dll", "wshqos.dll", "wshrm.dll", "wshtcpip.dll", "wshunix.dll", "wslapi.dll", "wsmagent.dll", "wsmauto.dll", "wsmplpxy.dll", "wsmres.dll", "wsmsvc.dll", "wsmwmipl.dll", "wsnmp32.dll", "wsock32.dll", "wsplib.dll", "wsp_fs.dll", "wsp_health.dll", "wsp_sr.dll", "wtsapi32.dll", "wuapi.dll", "wuaueng.dll", "wuceffects.dll", "wudfcoinstaller.dll", "wudfplatform.dll", "wudfsmcclassext.dll", "wudfx.dll", "wudfx02000.dll", "wudriver.dll", "wups.dll", "wups2.dll", "wuuhext.dll", "wuuhosdeployment.dll", "wvc.dll", "wwaapi.dll", "wwaext.dll", "wwanapi.dll", "wwancfg.dll", "wwanhc.dll", "wwanprotdim.dll", "wwanradiomanager.dll", "wwansvc.dll", "wwapi.dll", "xamltilerender.dll", "xaudio2_8.dll", "xaudio2_9.dll", "xblauthmanager.dll", "xblgamesave.dll", "xblgamesaveext.dll", "xblgamesaveproxy.dll", "xboxgipsvc.dll", "xboxgipsynthetic.dll", "xboxnetapisvc.dll", "xinput1_4.dll", "xinput9_1_0.dll", "xinputuap.dll", "xmlfilter.dll", "xmllite.dll", "xmlprovi.dll", "xolehlp.dll", "xpsgdiconverter.dll", "xpsprint.dll", "xpspushlayer.dll", 
"xpsrasterservice.dll", "xpsservices.dll", "xwizards.dll", "xwreg.dll", "xwtpdui.dll", "xwtpw32.dll", "zipcontainer.dll", "zipfldr.dll", "bootsvc.dll", "halextintcpsedma.dll", "icsvcvss.dll", "ieproxydesktop.dll", "lsaadt.dll", "nlansp_c.dll", "nrtapi.dll", "opencl.dll", "pfclient.dll", "pnpdiag.dll", "prxyqry.dll", "rdpnanotransport.dll", "servicingcommon.dll", "sortwindows63.dll", "sstpcfg.dll", "tdhres.dll", "umpodev.dll", "utcapi.dll", "windlp.dll", "wow64base.dll", "wow64con.dll", "blbuires.dll", "bpainst.dll", "cbclient.dll", "certadm.dll", "certocm.dll", "certpick.dll", "csdeployres.dll", "dsdeployres.dll", "eapa3hst.dll", "eapacfg.dll", "eapahost.dll", "elsext.dll", "encdump.dll", "escmigplugin.dll", "fsclient.dll", "fsdeployres.dll", "fssminst.dll", "fssmres.dll", "fssprov.dll", "ipamapi.dll", "kpssvc.dll", "lbfoadminlib.dll", "mintdh.dll", "mmci.dll", "mmcico.dll", "mprsnap.dll", "mstsmhst.dll", "mstsmmc.dll", "muxinst.dll", "personax.dll", "rassfm.dll", "rasuser.dll", "rdmsinst.dll", "rdmsres.dll", "rtrfiltr.dll", "sacsvr.dll", "scrdenrl.dll", "sdclient.dll", "sharedstartmodel.dll", "smsrouter.dll", "spwizimg_svr.dll", "sqlcecompact40.dll", "sqlceoledb40.dll", "sqlceqp40.dll", "sqlcese40.dll", "srvmgrinst.dll", "svrmgrnc.dll", "tapisnap.dll", "tlsbrand.dll", "tsec.dll", "tsprop.dll", "tspubiconhelper.dll", "tssdjet.dll", "tsuserex.dll", "ualapi.dll", "ualsvc.dll", "umcres.dll", "updatehandlers.dll", "usocore.dll", "vssui.dll", "wsbappres.dll", "wsbonline.dll", "wsmselpl.dll", "wsmselrr.dll", "xpsfilt.dll", "xpsshhdr.dll" ) and not ( ( dll.name : "icuuc.dll" and dll.code_signature.subject_name in ( "Valve", "Valve Corp.", "Avanquest Software (7270356 Canada Inc)", "Adobe Inc." ) and dll.code_signature.trusted == true ) or ( dll.name : ("timeSync.dll", "appInfo.dll") and dll.code_signature.subject_name in ( "VMware Inc.", "VMware, Inc." 
) and dll.code_signature.trusted == true ) or ( dll.name : "libcrypto.dll" and dll.code_signature.subject_name in ( "NoMachine S.a.r.l.", "Oculus VR, LLC" ) and dll.code_signature.trusted == true ) or ( dll.name : "ucrtbase.dll" and dll.code_signature.subject_name in ( "Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.", "Amazon.com Services LLC", "Windows Phone" ) and dll.code_signature.trusted == true ) or ( dll.name : ("libcrypto.dll", "wmi.dll", "geolocation.dll", "kerberos.dll") and dll.code_signature.subject_name == "Bitdefender SRL" and dll.code_signature.trusted == true ) or (dll.name : "ICMP.dll" and dll.code_signature.subject_name == "Paessler AG" and dll.code_signature.trusted == true) or (dll.name : "dbghelp.dll" and dll.code_signature.trusted == true) or (dll.name : "DirectML.dll" and dll.code_signature.subject_name == "Adobe Inc." and dll.code_signature.trusted == true) or (dll.name : "icsvc.dll" and dll.code_signature.subject_name in ("Dell Inc", "Dell Technologies Inc.") and dll.code_signature.trusted == true) or (dll.name : "offreg.dll" and dll.code_signature.subject_name == "Malwarebytes Inc." and dll.code_signature.trusted == true) or (dll.name : "AppMgr.dll" and dll.code_signature.subject_name == "Autodesk, Inc" and dll.code_signature.trusted == true) or (dll.name : ("SsShim.dll", "Msi.dll", "wdscore.dll") and process.name : "DismHost.exe" and dll.path : "C:\\Windows\\Temp\\*") or ( dll.path : ( "?:\\Windows\\SystemApps\\*\\dxgi.dll", "?:\\Windows\\SystemApps\\*\\wincorlib.dll", "?:\\Windows\\dxgi.dll", "?:\\Users\\*\\AppData\\Local\\LINE\\bin\\current\\dbghelp.dll" ) ) )
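The exclusion block that closes the query above, replayed in Python as an added example (this is not code from the Elastic rule or its documentation). It applies the visible `and not ( ... )` clauses to a few constructed events to show the two EQL operator semantics an analyst tuning such exceptions relies on: `:` is a case-insensitive match with `*`/`?` wildcards, while `==` and `in` are exact, case-sensitive comparisons. The field names are the query's (dll.name, dll.path, dll.code_signature.*, process.name); the DLL-name subset, the sample events and the `LISTED_DLLS`/`evaluate` helpers are assumptions, and whatever precedes the name list in the full query is not on this page and is not modelled.

```python
# Added example, not part of the Elastic rule or its documentation: a small
# Python model of the exclusion block that closes the EQL query above, run
# over constructed events.  It reproduces two EQL details that matter when
# tuning exceptions like these:
#   * `:`  is a case-insensitive match and accepts `*` / `?` wildcards
#   * `==` and `in` are exact, case-sensitive comparisons
# Only a handful of names from the System32 list are kept (assumption), and
# whatever precedes the list in the full query is not modelled.
import fnmatch

# Subset of the DLL names the query lists (illustration only).
LISTED_DLLS = ("ucrtbase.dll", "user32.dll", "wmi.dll", "dbghelp.dll",
               "kerberos.dll", "libcrypto.dll", "icuuc.dll", "wdscore.dll")


def eql_match(value, patterns):
    """EQL `:` - case-insensitive match with `*`/`?` wildcards."""
    if value is None:
        return False
    if isinstance(patterns, str):
        patterns = (patterns,)
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def eql_in(value, literals):
    """EQL `==` / `in` - exact, case-sensitive comparison."""
    if isinstance(literals, str):
        literals = (literals,)
    return value in literals


def is_excluded(ev):
    """True when the event is covered by one of the `and not (...)` clauses."""
    name = ev.get("dll.name")
    subj = ev.get("dll.code_signature.subject_name")
    trusted = ev.get("dll.code_signature.trusted") is True
    path = ev.get("dll.path")
    proc = ev.get("process.name")
    return (
        (eql_match(name, "icuuc.dll") and trusted and eql_in(subj, (
            "Valve", "Valve Corp.", "Avanquest Software (7270356 Canada Inc)", "Adobe Inc.")))
        or (eql_match(name, ("timeSync.dll", "appInfo.dll")) and trusted
            and eql_in(subj, ("VMware Inc.", "VMware, Inc.")))
        or (eql_match(name, "libcrypto.dll") and trusted
            and eql_in(subj, ("NoMachine S.a.r.l.", "Oculus VR, LLC")))
        or (eql_match(name, "ucrtbase.dll") and trusted and eql_in(subj, (
            "Proofpoint, Inc.", "Rapid7 LLC", "Eclipse.org Foundation, Inc.",
            "Amazon.com Services LLC", "Windows Phone")))
        or (eql_match(name, ("libcrypto.dll", "wmi.dll", "geolocation.dll", "kerberos.dll"))
            and trusted and eql_in(subj, "Bitdefender SRL"))
        or (eql_match(name, "ICMP.dll") and trusted and eql_in(subj, "Paessler AG"))
        or (eql_match(name, "dbghelp.dll") and trusted)
        or (eql_match(name, "DirectML.dll") and trusted and eql_in(subj, "Adobe Inc."))
        or (eql_match(name, "icsvc.dll") and trusted
            and eql_in(subj, ("Dell Inc", "Dell Technologies Inc.")))
        or (eql_match(name, "offreg.dll") and trusted and eql_in(subj, "Malwarebytes Inc."))
        or (eql_match(name, "AppMgr.dll") and trusted and eql_in(subj, "Autodesk, Inc"))
        or (eql_match(name, ("SsShim.dll", "Msi.dll", "wdscore.dll"))
            and eql_match(proc, "DismHost.exe") and eql_match(path, r"C:\Windows\Temp\*"))
        or eql_match(path, (r"?:\Windows\SystemApps\*\dxgi.dll",
                            r"?:\Windows\SystemApps\*\wincorlib.dll",
                            r"?:\Windows\dxgi.dll",
                            r"?:\Users\*\AppData\Local\LINE\bin\current\dbghelp.dll"))
    )


def evaluate(events):
    """Events whose dll.name is on the list and that no exclusion covers."""
    return [ev for ev in events
            if eql_match(ev.get("dll.name"), LISTED_DLLS) and not is_excluded(ev)]


def _ev(i, name, path, subj, trusted, proc):
    return {"id": i, "dll.name": name, "dll.path": path,
            "dll.code_signature.subject_name": subj,
            "dll.code_signature.trusted": trusted, "process.name": proc}


# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: listed name, unsigned, loaded from a user temp folder -> fires
    _ev(1, "ucrtbase.dll", r"C:\Users\bob\AppData\Local\Temp\ucrtbase.dll", None, False, "updater.exe"),
    # 2: Rapid7-signed ucrtbase.dll -> excluded by the ucrtbase.dll clause
    _ev(2, "ucrtbase.dll", r"C:\Program Files\Rapid7\ucrtbase.dll", "Rapid7 LLC", True, "ir_agent.exe"),
    # 3: same signer, different case -> `in` is case-sensitive, so it still fires
    _ev(3, "ucrtbase.dll", r"C:\Program Files\Rapid7\ucrtbase.dll", "RAPID7 LLC", True, "ir_agent.exe"),
    # 4: upper-case file name, any trusted signer -> `:` is case-insensitive, excluded
    _ev(4, "DBGHELP.DLL", r"C:\Tools\x64\DBGHELP.DLL", "Example Vendor", True, "tool.exe"),
    # 5: wdscore.dll under C:\Windows\Temp\ loaded by DismHost.exe -> excluded
    _ev(5, "wdscore.dll", r"C:\Windows\Temp\1A2B3C4D\wdscore.dll", None, False, "DismHost.exe"),
    # 6: same file, different loading process -> the DismHost clause does not apply
    _ev(6, "wdscore.dll", r"C:\Windows\Temp\1A2B3C4D\wdscore.dll", None, False, "dism.exe"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print("ALERT", ev["id"], ev["dll.name"], ev["dll.path"], ev["process.name"])
```

Event 3 is the one worth noticing: a signer string that differs only in case from the allowlisted value is not excluded, because `in` and `==` are case-sensitive, so exceptions keyed on dll.code_signature.subject_name must quote the subject exactly as the endpoint reports it. Conversely, the DismHost exception is only as narrow as its three conditions together: the same file dropped under C:\Windows\Temp\ by any other process (event 6) still alerts.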
Framework: MITRE ATT&CK™
-
Tactic
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
-
Technique
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
-
Sub-technique
- Name: Invalid Code Signature
- ID: T1036.001
- Reference URL: https://attack.mitre.org/techniques/T1036/001/
-
Sub-technique
- Name: Match Legitimate Name or Location
- ID: T1036.005
- Reference URL: https://attack.mitre.org/techniques/T1036/005/
-
Technique
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/
-
Sub-technique
- Name: DLL Search Order Hijacking
- ID: T1574.001
- Reference URL: https://attack.mitre.org/techniques/T1574/001/
-
Sub-technique
- Name: DLL Side-Loading
- ID: T1574.002
- Reference URL: https://attack.mitre.org/techniques/T1574/002/
-
Tactic
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique
- Name: Compromise Host Software Binary
- ID: T1554
- Reference URL: https://attack.mitre.org/techniques/T1554/