T1204.003

Malicious Image

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services AMIs, Google Cloud Platform Images, Azure Images, and container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to public repositories, and users may download and deploy an instance or container without realizing the image is malicious. This technique is commonly used to deploy cryptocurrency miners, backdoors, and data exfiltration tools. TeamTNT is a prominent threat actor known for publishing malicious Docker images to Docker Hub containing XMRig cryptocurrency miners and credential stealers. Adversaries may also typosquat popular image names to increase the likelihood of accidental deployment.

Microsoft Sentinel / Defender

kusto

let MinerProcessNames = dynamic(["xmrig", "xmrig-notls", "minerd", "cpuminer", "cryptonight", "nbminer", "t-rex", "lolminer", "ethminer", "cgminer", "bfgminer", "claymore", "phoenixminer", "teamtntbot"]);
let MiningPoolArgs = dynamic(["stratum+tcp://", "stratum+ssl://", "--donate-level", "-o pool.", "xmrpool", "supportxmr", "minexmr", "moneroocean", "hashvault", "nanopool"]);
let MiningPorts = dynamic([3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999]);
let MiningPoolDomains = dynamic(["minexmr.com", "supportxmr.com", "nanopool.org", "f2pool.com", "antpool.com", "pool.minergate.com", "xmrpool.eu", "hashvault.pro", "moneroocean.stream", "xmr.pool"]);
// Branch 1: Cryptocurrency miner process execution on endpoints and container hosts
let MinerProcessExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (MinerProcessNames)
    or ProcessCommandLine has_any (MinerProcessNames)
    or ProcessCommandLine has_any (MiningPoolArgs)
| extend DetectionBranch = "CryptoMinerProcessExecution"
| extend AlertSeverity = "High"
| project
    EventTime = Timestamp,
    HostName = DeviceName,
    UserName = AccountName,
    ProcessName = FileName,
    CommandLine = ProcessCommandLine,
    ParentProcess = InitiatingProcessFileName,
    ParentCommandLine = InitiatingProcessCommandLine,
    DetectionBranch,
    AlertSeverity,
    AdditionalContext = strcat("ParentPID:", tostring(InitiatingProcessId), " SHA256:", SHA256);
// Branch 2: Outbound connections to known mining pool ports and domains
let MiningNetworkConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where (RemotePort in (MiningPorts) and RemoteIPType != "Private")
    or RemoteUrl has_any (MiningPoolDomains)
| where InitiatingProcessFileName !in~ ("firefox.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "iexplore.exe")
| extend DetectionBranch = "MiningPoolNetworkConnection"
| extend AlertSeverity = "High"
| project
    EventTime = Timestamp,
    HostName = DeviceName,
    UserName = InitiatingProcessAccountName,
    ProcessName = InitiatingProcessFileName,
    CommandLine = InitiatingProcessCommandLine,
    ParentProcess = InitiatingProcessParentFileName,
    ParentCommandLine = "",
    DetectionBranch,
    AlertSeverity,
    AdditionalContext = strcat("RemoteIP:", RemoteIP, " RemotePort:", tostring(RemotePort), " RemoteUrl:", RemoteUrl);
// Branch 3: Azure VM deployment from community gallery or unknown publisher image
let SuspiciousCloudImageDeploy = AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"
| where ActivityStatusValue =~ "Success"
| extend PropJson = parse_json(Properties)
| extend ImageRef = tostring(PropJson.requestBody)
| where ImageRef has_any ("communityGalleries", "sharedGalleries", "fromCommunityGalleryImageVersion")
    or (ImageRef !has_any ("MicrosoftWindowsServer", "Canonical", "RedHat", "SUSE", "Debian", "OpenLogic", "microsoftwindowsdesktop", "center-for-internet-security-inc")
        and isnotempty(ImageRef))
| extend DetectionBranch = "SuspiciousCloudImageDeployment"
| extend AlertSeverity = "Medium"
| project
    EventTime = TimeGenerated,
    HostName = ResourceGroup,
    UserName = Caller,
    ProcessName = "ARM VM Deployment",
    CommandLine = ImageRef,
    ParentProcess = CallerIpAddress,
    ParentCommandLine = "",
    DetectionBranch,
    AlertSeverity,
    AdditionalContext = strcat("SubscriptionId:", SubscriptionId, " Resource:", _ResourceId);
// Union all detection branches
union MinerProcessExecution, MiningNetworkConnections, SuspiciousCloudImageDeploy
| sort by EventTime desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Cloud Service: Cloud Service Modification Microsoft Defender for Endpoint Azure Activity Logs

Required Tables

DeviceProcessEvents DeviceNetworkEvents AzureActivity

False Positives

Legitimate GPU compute or rendering workloads using non-standard network ports that overlap with mining pool port ranges
Authorized red team or penetration testing exercises deploying containers or VMs with miner tooling under a formal engagement
Internal benchmark and performance testing tools with process names similar to mining tools (e.g., t-rex, cgminer used for GPU stress testing)
DevOps data pipeline workers with names like 'ethminer' or 'cpuminer' used for internal job queue processing (not mining)
Legitimate third-party marketplace VM deployments for network appliances, security tools, or specialized workloads not from major known publishers

Splunk

spl

index=* earliest=-24h
    (
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
        (Image IN ("*\\xmrig.exe", "*\\xmrig-notls.exe", "*\\minerd.exe", "*\\cpuminer.exe",
                   "*\\nbminer.exe", "*\\t-rex.exe", "*\\lolminer.exe", "*\\ethminer.exe",
                   "*\\cgminer.exe", "*\\bfgminer.exe", "*\\phoenixminer.exe")
         OR CommandLine IN ("*stratum+tcp*", "*stratum+ssl*", "*--donate-level*",
                            "*xmrpool*", "*supportxmr*", "*minexmr*", "*moneroocean*")))
    OR
    (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
        (DestinationPort IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999))
        NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
             OR DestinationIp="192.168.*" OR DestinationIp="127.*")
        NOT Image IN ("*\\chrome.exe", "*\\firefox.exe", "*\\msedge.exe",
                      "*\\brave.exe", "*\\opera.exe", "*\\iexplore.exe"))
    OR
    (sourcetype="aws:cloudtrail" eventName="RunInstances")
    OR
    (sourcetype IN ("linux_secure", "syslog", "linux:syslog")
        (process IN ("xmrig", "minerd", "cpuminer", "nbminer", "t-rex", "lolminer", "cgminer")
         OR message IN ("*stratum+tcp*", "*stratum+ssl*", "*xmrig*", "*donate-level*")))
    )
| eval DetectionBranch=case(
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode="1", "MinerProcessExecution",
    sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" AND EventCode="3", "MiningPoolNetworkConnection",
    sourcetype="aws:cloudtrail", "AWSInstanceLaunch",
    sourcetype IN ("linux_secure", "syslog", "linux:syslog"), "LinuxMinerProcess",
    true(), "Unknown"
)
| eval HostName=coalesce(host, "N/A")
| eval UserName=coalesce(User, 'userIdentity.userName', user, "N/A")
| eval ProcessImage=coalesce(Image, process, "N/A")
| eval CmdLine=coalesce(CommandLine, message, "N/A")
| eval DestPort=coalesce(DestinationPort, "N/A")
| eval DestIP=coalesce(DestinationIp, "N/A")
| eval ParentImage=coalesce(ParentImage, "N/A")
| spath input=requestParameters path=instancesSet.items{0}.imageId output=LaunchedAMIId
| eval LaunchedAMIId=coalesce(LaunchedAMIId, "N/A")
| eval AWSRegion=coalesce(awsRegion, "N/A")
| eval AWSAccount=coalesce(recipientAccountId, "N/A")
| table _time, DetectionBranch, HostName, UserName, ProcessImage, CmdLine,
        ParentImage, DestIP, DestPort, LaunchedAMIId, AWSRegion, AWSAccount
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Cloud Service: Cloud Service Modification Sysmon Event ID 1 Sysmon Event ID 3 AWS CloudTrail Linux Syslog

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational aws:cloudtrail linux_secure

False Positives

Legitimate GPU compute or rendering workloads using non-standard network ports that overlap with mining pool port ranges
Authorized red team or penetration testing exercises deploying containers or VMs with miner tooling
Internal benchmark tools with process names similar to mining utilities
AWS EC2 launches from shared AMIs used for legitimate specialized workloads (network virtual appliances, security scanners, BYOL software)
Linux processes with mining-related names used for legitimate CPU benchmarking or performance validation in lab environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP,
  username AS UserName,
  "Process Name" AS ProcessName,
  "Command" AS CommandLine,
  destinationip AS DestIP,
  destinationport AS DestPort,
  LOGSOURCENAME(logsourceid) AS LogSource,
  QIDNAME(qid) AS EventName,
  CASE
    WHEN "Process Name" ILIKE ANY ('%xmrig%','%minerd%','%cpuminer%','%nbminer%','%t-rex%','%lolminer%','%ethminer%','%cgminer%','%bfgminer%','%phoenixminer%','%teamtntbot%') THEN 'MinerProcessExecution'
    WHEN destinationport IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999) THEN 'MiningPoolNetworkConnection'
    WHEN "Command" ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%donate-level%','%xmrpool%','%supportxmr%','%minexmr%','%moneroocean%','%hashvault%','%nanopool%') THEN 'MinerCommandLineArgs'
    WHEN LOGSOURCETYPEID(logsourceid) = 347 AND QIDNAME(qid) ILIKE '%RunInstances%' THEN 'AWSInstanceLaunch'
    ELSE 'Unknown'
  END AS DetectionBranch
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (12, 347, 433)
  AND devicetime > (NOW() - 86400000)
  AND (
    "Process Name" ILIKE ANY ('%xmrig%','%xmrig-notls%','%minerd%','%cpuminer%','%nbminer%','%t-rex%','%lolminer%','%ethminer%','%cgminer%','%bfgminer%','%phoenixminer%','%teamtntbot%','%cryptonight%')
    OR "Command" ILIKE ANY ('%stratum+tcp%','%stratum+ssl%','%--donate-level%','%xmrpool%','%supportxmr%','%minexmr%','%moneroocean%','%hashvault%','%nanopool%')
    OR (
      destinationport IN (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999)
      AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '172.17.%' OR destinationip ILIKE '192.168.%' OR destinationip ILIKE '127.%')
      AND "Process Name" NOT ILIKE ANY ('%firefox%','%chrome%','%msedge%','%brave%','%opera%','%iexplore%')
    )
    OR (LOGSOURCETYPEID(logsourceid) = 347 AND QIDNAME(qid) ILIKE '%RunInstances%')
  )
ORDER BY devicetime DESC
LIMIT 1000

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log (LOGSOURCETYPEID 12) Sysmon via QRadar DSM AWS CloudTrail (LOGSOURCETYPEID 347) Linux OS Logs (LOGSOURCETYPEID 433)

Required Tables

events

False Positives

Authorized cryptocurrency mining operations where the organization has deployed mining software as part of a legitimate business activity
AWS CI/CD pipelines that frequently launch EC2 instances from custom AMIs that may not match well-known publisher patterns, triggering RunInstances detections
Penetration testing engagements where testers execute miner binaries as part of post-exploitation simulation to validate endpoint detection capabilities

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*linux* OR _sourceCategory=*sysmon* OR _sourceCategory=*aws/cloudtrail*)
| where _messagetime > now() - 86400000
| parse "EventCode=*" as EventCode nodrop
| parse "Image=*\n" as ProcessImage nodrop
| parse "CommandLine=*\n" as CommandLine nodrop
| parse "DestinationIp=*\n" as DestIP nodrop
| parse "DestinationPort=*\n" as DestPort nodrop
| parse "ParentImage=*\n" as ParentImage nodrop
| parse "User=*\n" as UserName nodrop
| parse field=_raw "\"eventName\":\"*\"" as AWSEventName nodrop
| parse field=_raw "\"imageId\":\"*\"" as LaunchedAMI nodrop
| parse field=_raw "\"awsRegion\":\"*\"" as AWSRegion nodrop
| where (
    (EventCode = "1" and (
      ProcessImage matches "*xmrig*" or ProcessImage matches "*minerd*" or ProcessImage matches "*cpuminer*"
      or ProcessImage matches "*nbminer*" or ProcessImage matches "*t-rex*" or ProcessImage matches "*lolminer*"
      or ProcessImage matches "*ethminer*" or ProcessImage matches "*cgminer*" or ProcessImage matches "*bfgminer*"
      or ProcessImage matches "*phoenixminer*" or ProcessImage matches "*teamtntbot*"
      or CommandLine matches "*stratum+tcp*" or CommandLine matches "*stratum+ssl*"
      or CommandLine matches "*donate-level*" or CommandLine matches "*xmrpool*"
      or CommandLine matches "*supportxmr*" or CommandLine matches "*minexmr*"
      or CommandLine matches "*moneroocean*" or CommandLine matches "*hashvault*" or CommandLine matches "*nanopool*"
    ))
    or (EventCode = "3"
      and DestPort in ("3333","3334","4444","4445","14444","45560","5555","8333","7777","9999","13333","19999")
      and not (DestIP matches "10.*" or DestIP matches "172.16.*" or DestIP matches "172.17.*" or DestIP matches "192.168.*" or DestIP matches "127.*")
      and not (ProcessImage matches "*chrome*" or ProcessImage matches "*firefox*" or ProcessImage matches "*msedge*" or ProcessImage matches "*brave*" or ProcessImage matches "*opera*")
    )
    or AWSEventName = "RunInstances"
  )
| eval DetectionBranch = if(EventCode = "1" and (ProcessImage matches "*xmrig*" or ProcessImage matches "*minerd*"), "MinerProcessExecution",
    if(EventCode = "3", "MiningPoolNetworkConnection",
    if(AWSEventName = "RunInstances", "AWSInstanceLaunch",
    if(CommandLine matches "*stratum*", "MinerCommandLineArgs", "Unknown"))))
| eval HostName = if(!isNull(%"Computer"), %"Computer", "N/A")
| eval MinerIndicator = if(!isNull(ProcessImage), ProcessImage, CommandLine)
| fields _messagetime, DetectionBranch, HostName, UserName, ProcessImage, CommandLine, DestIP, DestPort, LaunchedAMI, AWSRegion, ParentImage
| sort by _messagetime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sumo Logic Installed Collector (Linux) Sumo Logic AWS CloudTrail integration Sysmon logs via Sumo Logic Windows collector

Required Tables

_sourceCategory=*windows* _sourceCategory=*linux* _sourceCategory=*sysmon* _sourceCategory=*aws/cloudtrail*

False Positives

DevOps teams launching EC2 instances from internal or partner-built AMIs that trigger RunInstances events but are part of authorized infrastructure deployment workflows
Gaming or creative applications that use GPU-intensive compute and may communicate over ports that overlap with mining pool port ranges
Security operations teams running miner detection test scripts or red team exercises to validate this detection rule's coverage

Google Chronicle / SecOps

yaral

rule t1204_003_malicious_image_execution {
  meta:
    author = "df00tech"
    description = "Detects T1204.003 Malicious Image execution via cryptocurrency miner processes, mining pool network connections, or suspicious cloud image deployments"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1204.003"
    reference = "https://attack.mitre.org/techniques/T1204/003/"
    rule_version = "1.0"

  events:
    (
      // Branch 1: Miner process execution by binary name
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.principal.process.file.full_path, `(?i)(xmrig|xmrig-notls|minerd|cpuminer|cryptonight|nbminer|t-rex|lolminer|ethminer|cgminer|bfgminer|claymore|phoenixminer|teamtntbot)(\.|$)`) nocase
          or re.regex($e.target.process.command_line, `(?i)(stratum\+tcp://|stratum\+ssl://|--donate-level|-o pool\.|xmrpool|supportxmr|minexmr|moneroocean|hashvault|nanopool)`) nocase
        )
      )
      or
      // Branch 2: Mining pool network connections on known ports
      (
        $e.metadata.event_type = "NETWORK_CONNECTION"
        and $e.target.port in (3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999)
        and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
        and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
        and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
        and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
        and not re.regex($e.principal.process.file.full_path, `(?i)(chrome|firefox|msedge|brave|opera|iexplore)\.exe$`) nocase
      )
      or
      // Branch 3: DNS resolution for known mining pool domains
      (
        $e.metadata.event_type = "NETWORK_DNS"
        and (
          re.regex($e.network.dns.questions.name, `(?i)(minexmr\.com|supportxmr\.com|nanopool\.org|f2pool\.com|antpool\.com|pool\.minergate\.com|xmrpool\.eu|hashvault\.pro|moneroocean\.stream|xmr\.pool)`) nocase
        )
      )
      or
      // Branch 4: Cloud instance launch events (AWS/GCP/Azure)
      (
        $e.metadata.event_type = "USER_RESOURCE_CREATION"
        and (
          $e.metadata.product_name = "AWS CloudTrail"
          or $e.metadata.product_name = "Azure Activity"
          or $e.metadata.product_name = "GCP Cloud Audit"
        )
        and re.regex($e.metadata.description, `(?i)(RunInstances|VIRTUALMACHINES/WRITE|compute\.instances\.insert)`) nocase
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Chronicle Ingestion API (Windows endpoints via EDR) Chronicle AWS CloudTrail ingestion Chronicle Azure Activity Log ingestion Chronicle GCP Cloud Audit ingestion Sysmon via Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (NETWORK_CONNECTION) UDM Events (NETWORK_DNS) UDM Events (USER_RESOURCE_CREATION)

False Positives

Internal cloud automation tools that launch EC2, Azure VM, or GCE instances from custom or marketplace images not recognized by well-known publisher allow-lists, causing false positives on the cloud image deployment branch
Legitimate developers working on blockchain or cryptocurrency projects who run mining software locally for testing consensus mechanisms or integration testing
Network appliances or IoT devices communicating over ports in the mining pool range for unrelated protocols (e.g., some industrial control systems use port 4444 for legitimate traffic)

CrowdStrike LogScale (CQL)

cql

// Branch 1: Cryptocurrency miner process execution
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(xmrig|xmrig-notls|minerd|cpuminer|cryptonight|nbminer|t-rex|lolminer|ethminer|cgminer|bfgminer|claymore|phoenixminer|teamtntbot)/
  OR CommandLine = /(?i)(stratum\+tcp:\/\/|stratum\+ssl:\/\/|--donate-level|-o pool\.|xmrpool|supportxmr|minexmr|moneroocean|hashvault|nanopool)/
| eval DetectionBranch = "MinerProcessExecution"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionBranch, AlertSeverity

union

// Branch 2: Mining pool network connections
#event_simpleName=NetworkConnectIP4
| RemotePort in [3333, 3334, 4444, 4445, 14444, 45560, 5555, 8333, 7777, 9999, 13333, 19999]
| NOT RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| NOT ImageFileName = /(?i)(chrome|firefox|msedge|brave|opera|iexplore)\.exe$/
| eval DetectionBranch = "MiningPoolNetworkConnection"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, ImageFileName, RemoteAddressIP4, RemotePort, LocalAddressIP4, DetectionBranch, AlertSeverity

union

// Branch 3: DNS requests to mining pool domains
#event_simpleName=DnsRequest
| DomainName = /(?i)(minexmr\.com|supportxmr\.com|nanopool\.org|f2pool\.com|antpool\.com|pool\.minergate\.com|xmrpool\.eu|hashvault\.pro|moneroocean\.stream|xmr\.pool)/
| eval DetectionBranch = "MiningPoolDNSLookup"
| eval AlertSeverity = "High"
| table _timeevent, ComputerName, UserName, DomainName, RequestType, ContextBaseFileName, DetectionBranch, AlertSeverity

| sort field=_timeevent order=desc
| limit 500

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 events Falcon NetworkConnectIP4 events Falcon DnsRequest events Falcon Event Stream (real-time)

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NetworkConnectIP4 #event_simpleName=DnsRequest

False Positives

Authorized cryptocurrency mining nodes managed by the IT or finance team on dedicated hosts, which will generate both ProcessRollup2 miner process events and repeated NetworkConnectIP4 connections to pool addresses
Threat intelligence or malware analysis workstations running miner samples in isolated environments for research, triggering process and network detections without actual compromise
Container orchestration platforms (Kubernetes, Docker Swarm) deploying legitimate workloads on ports that overlap with known mining pool ports, particularly port 4444 used by some development and monitoring tools

Last updated: 2026-04-19 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1204.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1204User Execution

Related Sub-techniques

T1204.001Malicious Link T1204.002Malicious File T1204.004Malicious Copy and Paste T1204.005Malicious Library

Malicious Image

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections