T1553.005

Mark-of-the-Web Bypass

Adversaries abuse container file formats such as ISO disk images, VHD/VHDX virtual hard disks, and compressed archives (ZIP, RAR, 7z, ARJ) to deliver malicious payloads that bypass Mark-of-the-Web (MOTW) protections. When a container file is downloaded from the Internet, Windows tags it with a Zone.Identifier NTFS Alternate Data Stream (ZoneId=3), but files extracted or mounted from containers typically do not inherit this tag because MOTW is an NTFS feature and many container formats do not support NTFS ADS. This allows embedded executables, scripts, and LNK files to bypass Protected View in Microsoft Office, Windows Defender SmartScreen warnings, and other MOTW-dependent security controls. Adversaries also directly manipulate or delete the Zone.Identifier ADS from already-downloaded files (Amadey sets ZoneId=0; attackers use streams.exe or PowerShell Remove-Item -Stream). This technique has been widely adopted by TA505 (ISO/LNK chains), QakBot (ISO packaging), APT29 (ISO/VHDX embedded in HTML), and APT38 (ISO/VHD delivery).

Microsoft Sentinel / Defender

kusto

// T1553.005 — Mark-of-the-Web Bypass Detection
// Four detection branches: ADS deletion, PowerShell mounting, execution from mounted volume, ADS manipulation tools
let ZoneIDDeletion = DeviceFileEvents
    | where Timestamp > ago(24h)
    | where ActionType == "FileDeleted"
    | where FileName has ":Zone.Identifier" or FolderPath has ":Zone.Identifier"
    | extend DetectionType = "Zone.Identifier_ADS_Deleted"
    | project Timestamp, DeviceName, AccountName, DetectionType, FileName, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine;
let DiskImageMount = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("Mount-DiskImage", "Mount-VHD")
          or (ProcessCommandLine has_any (".iso", ".vhd", ".vhdx", ".img")
              and ProcessCommandLine has_any ("mount", "attach", "diskpart"))
    | extend DetectionType = "DiskImage_Mount_PowerShell"
    | project Timestamp, DeviceName, AccountName, DetectionType, FileName,
              ProcessCommandLine as CommandInfo, InitiatingProcessFileName, InitiatingProcessCommandLine;
let SuspiciousVolumeExec = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FolderPath matches regex @"^[D-Z]:\\"
    | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".lnk"
          or FileName endswith ".js" or FileName endswith ".vbs" or FileName endswith ".hta"
    | where InitiatingProcessFileName in~ ("explorer.exe", "cmd.exe")
    | where not (FolderPath has_any ("Program Files", "Games", "Steam", "GOG", "Epic Games"))
    | extend DetectionType = "Exec_From_Mounted_Volume"
    | project Timestamp, DeviceName, AccountName, DetectionType, FileName, FolderPath,
              ProcessCommandLine as CommandInfo, InitiatingProcessFileName, InitiatingProcessCommandLine;
let ADSManipulation = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where (FileName in~ ("streams.exe", "streams64.exe"))
          or (FileName in~ ("powershell.exe", "pwsh.exe")
              and ProcessCommandLine has "Zone.Identifier"
              and ProcessCommandLine has_any ("Remove-Item", "-Stream", "Clear-Content", "Set-Content", "Out-Null"))
          or (FileName =~ "cmd.exe"
              and ProcessCommandLine has "Zone.Identifier")
    | extend DetectionType = "ADS_Manipulation_Tool"
    | project Timestamp, DeviceName, AccountName, DetectionType, FileName,
              ProcessCommandLine as CommandInfo, InitiatingProcessFileName, InitiatingProcessCommandLine;
union ZoneIDDeletion, DiskImageMount, SuspiciousVolumeExec, ADSManipulation
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Deletion File: File Modification Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

IT administrators legitimately mounting Windows Server or application installer ISO files for software deployment via PowerShell scripting
Virtual machine management software (VMware vCenter, Hyper-V Manager, VirtualBox) programmatically mounting VHD/VHDX files for VM provisioning or backup restoration
Backup and recovery software (Veeam, Acronis, Macrium Reflect) that mounts disk images to facilitate granular file restoration
Security administrators using Sysinternals streams.exe to audit alternate data streams on files during investigations or system hardening
Developer workflows using Mount-DiskImage for application packaging pipelines, Docker Desktop disk image management, or WSL2 virtual hard disk operations
CD/DVD ripping and burning software creating and locally mounting ISO images for verification prior to burning to physical media

Splunk

spl

(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=15
  TargetFilename="*:Zone.Identifier"
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
    OR Image="*\\streams.exe" OR Image="*\\streams64.exe"
    OR Image="*\\cmd.exe"
  )
)
| eval DetectionType=case(
    EventCode=15 AND match(TargetFilename, ":Zone\.Identifier$"), "Sysmon_ADS_Zone_Identifier",
    EventCode=1 AND (match(Image, "streams(64)?\.exe$") OR (match(lower(CommandLine), "zone\.identifier") AND match(lower(Image), "(powershell|cmd)\.exe$"))), "ADS_Manipulation_Tool",
    EventCode=1 AND (match(lower(CommandLine), "mount-diskimage") OR match(lower(CommandLine), "mount-vhd") OR (match(lower(CommandLine), "(\.iso|\.vhd|\.vhdx|\.img)") AND match(lower(CommandLine), "(mount|attach|diskpart)"))), "DiskImage_Mount_PowerShell",
    EventCode=1 AND match(Image, "^[D-Zd-z]:\\\\.+\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$") AND (ParentImage="*\\explorer.exe" OR ParentImage="*\\cmd.exe"), "Exec_From_Mounted_Volume",
    true(), "Other"
  )
| where DetectionType != "Other"
| eval IsADSEvent=if(EventCode=15, 1, 0)
| eval IsMountCmd=if(DetectionType="DiskImage_Mount_PowerShell", 1, 0)
| eval IsADSStrip=if(DetectionType="ADS_Manipulation_Tool", 1, 0)
| eval IsMountedExec=if(DetectionType="Exec_From_Mounted_Volume", 1, 0)
| eval ZoneStream=if(EventCode=15, TargetFilename, null())
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, Hash, DetectionType, IsADSEvent, IsMountCmd, IsADSStrip, IsMountedExec, ZoneStream
| sort - _time

high severity medium confidence

Data Sources

File: File Creation (Alternate Data Streams) Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 15

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

IT administrators legitimately mounting ISO files for Windows deployment or software distribution using PowerShell scripts
Virtual machine management software (VMware Workstation, VirtualBox, Hyper-V) that programmatically attaches and detaches VHD/VHDX disk images
Backup and recovery agents that mount disk image snapshots for granular file-level restores
Security administrators using Sysinternals streams.exe to audit NTFS alternate data streams during system hardening exercises
Enterprise software packaging tools that clear MOTW as part of SCCM or Intune deployment staging workflows
Sysmon Event ID 15 will fire for every legitimate Zone.Identifier ADS creation (normal browser downloads) — tune to focus on absence of Zone.Identifier on executables in download paths rather than its presence

IBM QRadar (AQL)

sql

-- Branch 1: Zone.Identifier ADS Deletion (Sysmon EventID 15 = FileCreateStreamHash, or Security 4663)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "TargetFilename",
  "Image",
  "CommandLine",
  'Zone_Identifier_ADS_Deleted' AS detection_type
FROM events
WHERE LOGSOURCETYPEID = 119  -- Microsoft Windows Security Event Log (Sysmon via WEC)
  AND "EventID" = '15'
  AND "TargetFilename" LIKE '%:Zone.Identifier'
  AND devicetime > NOW() - 86400000

UNION ALL

-- Branch 2: ADS Manipulation Tools
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  NULL AS "TargetFilename",
  "Image",
  "CommandLine",
  'ADS_Manipulation_Tool' AS detection_type
FROM events
WHERE LOGSOURCETYPEID = 119
  AND "EventID" = '1'
  AND (
    LOWER("Image") LIKE '%streams.exe'
    OR LOWER("Image") LIKE '%streams64.exe'
    OR (
      (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe')
      AND LOWER("CommandLine") LIKE '%zone.identifier%'
      AND (
        LOWER("CommandLine") LIKE '%remove-item%'
        OR LOWER("CommandLine") LIKE '%-stream%'
        OR LOWER("CommandLine") LIKE '%clear-content%'
        OR LOWER("CommandLine") LIKE '%set-content%'
      )
    )
    OR (
      LOWER("Image") LIKE '%cmd.exe'
      AND LOWER("CommandLine") LIKE '%zone.identifier%'
    )
  )
  AND devicetime > NOW() - 86400000

UNION ALL

-- Branch 3: PowerShell Disk Image Mount
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  NULL AS "TargetFilename",
  "Image",
  "CommandLine",
  'DiskImage_Mount_PowerShell' AS detection_type
FROM events
WHERE LOGSOURCETYPEID = 119
  AND "EventID" = '1'
  AND (LOWER("Image") LIKE '%powershell.exe' OR LOWER("Image") LIKE '%pwsh.exe')
  AND (
    LOWER("CommandLine") LIKE '%mount-diskimage%'
    OR LOWER("CommandLine") LIKE '%mount-vhd%'
    OR (
      (
        LOWER("CommandLine") LIKE '%.iso%'
        OR LOWER("CommandLine") LIKE '%.vhd%'
        OR LOWER("CommandLine") LIKE '%.vhdx%'
        OR LOWER("CommandLine") LIKE '%.img%'
      )
      AND (
        LOWER("CommandLine") LIKE '%mount%'
        OR LOWER("CommandLine") LIKE '%attach%'
        OR LOWER("CommandLine") LIKE '%diskpart%'
      )
    )
  )
  AND devicetime > NOW() - 86400000

UNION ALL

-- Branch 4: Execution from Mounted Volume (non-C: drive via explorer/cmd)
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  NULL AS "TargetFilename",
  "Image",
  "CommandLine",
  'Exec_From_Mounted_Volume' AS detection_type
FROM events
WHERE LOGSOURCETYPEID = 119
  AND "EventID" = '1'
  AND REGEXP("Image", '^[D-Zd-z]:\\\\.*\\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$')
  AND (
    LOWER("ParentImage") LIKE '%explorer.exe'
    OR LOWER("ParentImage") LIKE '%cmd.exe'
  )
  AND LOWER("Image") NOT LIKE '%program files%'
  AND LOWER("Image") NOT LIKE '%games%'
  AND LOWER("Image") NOT LIKE '%steam%'
  AND devicetime > NOW() - 86400000
ORDER BY event_time DESC

high severity medium confidence

Data Sources

IBM QRadar Microsoft Sysmon via Windows Event Collector QRadar WinCollect agent

Required Tables

events

False Positives

IT automation scripts mounting ISOs for patch management (SCCM, Ansible, PDQ Deploy)
Sysinternals Streams.exe used legitimately by administrators to audit NTFS ADS
Portable software distributions running from secondary drives or USB volumes
Security tools or EDR products that interact with Zone.Identifier during file scanning

Sumo Logic CSE

sql

// T1553.005 — MOTW Bypass Detection in Sumo Logic
// Covers ADS deletion, PowerShell mounting, ADS tool use, and mounted volume execution

(_sourceCategory="*windows*sysmon*" OR _sourceCategory="*WinEventLog*")
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='ParentCommandLine'>*</Data>" as ParentCommandLine nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
| parse field=_raw "<Data Name='Hashes'>*</Data>" as Hashes nodrop
| where EventID in ("1", "15")
| eval ImageLower = toLowerCase(Image)
| eval CmdLower = toLowerCase(CommandLine)
| eval TargetLower = toLowerCase(TargetFilename)
| eval DetectionType = ""
// Branch 1: Sysmon FileCreateStreamHash (15) — Zone.Identifier ADS
| eval DetectionType = if (EventID = "15" AND matchesRegex(TargetLower, ".*:zone\.identifier$"), "Sysmon_ADS_Zone_Identifier", DetectionType)
// Branch 2: ADS Manipulation Tools
| eval DetectionType = if (
    EventID = "1" AND (
      matchesRegex(ImageLower, ".*streams(64)?\.exe$")
      OR (matchesRegex(ImageLower, ".*(powershell|pwsh)\.exe$") AND contains(CmdLower, "zone.identifier") AND (contains(CmdLower, "remove-item") OR contains(CmdLower, "-stream") OR contains(CmdLower, "clear-content") OR contains(CmdLower, "set-content")))
      OR (contains(ImageLower, "cmd.exe") AND contains(CmdLower, "zone.identifier"))
    ), "ADS_Manipulation_Tool", DetectionType)
// Branch 3: PowerShell Disk Image Mount
| eval DetectionType = if (
    EventID = "1"
    AND matchesRegex(ImageLower, ".*(powershell|pwsh)\.exe$")
    AND (contains(CmdLower, "mount-diskimage") OR contains(CmdLower, "mount-vhd")
         OR ((contains(CmdLower, ".iso") OR contains(CmdLower, ".vhd") OR contains(CmdLower, ".vhdx") OR contains(CmdLower, ".img"))
              AND (contains(CmdLower, "mount") OR contains(CmdLower, "attach") OR contains(CmdLower, "diskpart")))),
    "DiskImage_Mount_PowerShell", DetectionType)
// Branch 4: Execution from Mounted Volume
| eval DetectionType = if (
    EventID = "1"
    AND matchesRegex(Image, "^[D-Zd-z]:\\\\.*\\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$")
    AND (contains(toLowerCase(ParentImage), "explorer.exe") OR contains(toLowerCase(ParentImage), "cmd.exe"))
    AND NOT (contains(ImageLower, "program files") OR contains(ImageLower, "games") OR contains(ImageLower, "steam")),
    "Exec_From_Mounted_Volume", DetectionType)
| where DetectionType != ""
| fields - ImageLower, CmdLower, TargetLower
| table _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, Hashes, DetectionType
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Sysmon via Sumo Logic collector WinEventLog source

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*WinEventLog*

False Positives

Software deployment tools (SCCM, Intune, PDQ) mounting ISOs during provisioning workflows
IT staff using Sysinternals Streams.exe for legitimate ADS auditing or forensic investigations
Developers running portable applications or development environments from secondary volumes (D:, E:)
Backup or imaging software that mounts VHD/VHDX files as part of restore operations

Google Chronicle / SecOps

yaral

rule t1553_005_motw_bypass {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Mark-of-the-Web bypass via Zone.Identifier ADS deletion, PowerShell disk image mounting, ADS manipulation tools, and execution from mounted volumes — T1553.005"
    mitre_attack = "T1553.005"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"

  events:
    (
      // Branch 1: Zone.Identifier ADS deletion or stream manipulation via file events
      $e1.metadata.event_type = "FILE_DELETION"
      and re.regex($e1.target.file.full_path, `(?i):Zone\.Identifier$`)
    )
    or
    (
      // Branch 2: ADS manipulation tools — streams.exe or PowerShell Remove-Item Zone.Identifier
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e1.principal.process.file.full_path, `(?i)\\streams(64)?\.exe$`)
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
          and re.regex($e1.target.process.command_line, `(?i)Zone\.Identifier`)
          and re.regex($e1.target.process.command_line, `(?i)(Remove-Item|-Stream|Clear-Content|Set-Content)`)
        )
        or (
          re.regex($e1.principal.process.file.full_path, `(?i)\\cmd\.exe$`)
          and re.regex($e1.target.process.command_line, `(?i)Zone\.Identifier`)
        )
      )
    )
    or
    (
      // Branch 3: PowerShell disk image mount
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `(?i)\\(powershell|pwsh)\.exe$`)
      and (
        re.regex($e1.target.process.command_line, `(?i)(Mount-DiskImage|Mount-VHD)`)
        or (
          re.regex($e1.target.process.command_line, `(?i)\.(iso|vhd|vhdx|img)`)
          and re.regex($e1.target.process.command_line, `(?i)(mount|attach|diskpart)`)
        )
      )
    )
    or
    (
      // Branch 4: Execution from non-C: mounted volume via explorer or cmd
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e1.target.process.file.full_path, `^[D-Zd-z]:\\.*\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$`)
      and re.regex($e1.principal.process.file.full_path, `(?i)\\(explorer|cmd)\.exe$`)
      and not re.regex($e1.target.process.file.full_path, `(?i)(Program Files|Games|Steam|GOG|Epic Games)`)
    )

  condition:
    $e1
}

high severity high confidence

Data Sources

Google Chronicle Chronicle Ingestion API Windows Event Logs via Chronicle forwarder Sysmon UDM ingestion

Required Tables

UDM Events (process_launch, file_deletion)

False Positives

Enterprise deployment tools running ISOs on non-C: drives during imaging or provisioning
Legitimate forensic or incident response tools such as FTK or Arsenal Image Mounter operating on mounted volumes
IT administrators using streams.exe for ADS inventory or cleanup tasks as part of hardening procedures
Developers or testers running isolated environments from secondary volumes or VHDs

CrowdStrike LogScale (CQL)

cql

// T1553.005 — MOTW Bypass Detection in CrowdStrike LogScale (Falcon telemetry)
// Branch 1: Zone.Identifier ADS deletion or write (WrittenRemotely, file stream events)
#event_simpleName = "PeFileWritten" OR #event_simpleName = "SuspiciousRawDiskRead" OR #event_simpleName = "MotwWritten"
| TargetFileName = /(?i):Zone\.Identifier$/
| eval DetectionType = "Zone_Identifier_ADS_Event"

// Branch 2: ADS Manipulation Tools — union via separate query
| union [
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)\\(streams|streams64)\.exe$/
    OR (
      ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/
      AND CommandLine = /(?i)Zone\.Identifier/
      AND CommandLine = /(?i)(Remove-Item|-Stream|Clear-Content|Set-Content)/
    )
    OR (
      ImageFileName = /(?i)\\cmd\.exe$/
      AND CommandLine = /(?i)Zone\.Identifier/
    )
  | eval DetectionType = "ADS_Manipulation_Tool"
]

// Branch 3: PowerShell Disk Image Mount
| union [
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /(?i)\\(powershell|pwsh)\.exe$/
  | CommandLine = /(?i)(Mount-DiskImage|Mount-VHD)/
    OR (
      CommandLine = /(?i)\.(iso|vhd|vhdx|img)/
      AND CommandLine = /(?i)(mount|attach|diskpart)/
    )
  | eval DetectionType = "DiskImage_Mount_PowerShell"
]

// Branch 4: Execution from mounted non-system volume
| union [
  #event_simpleName = "ProcessRollup2"
  | ImageFileName = /^[D-Zd-z]:\\.+\.(exe|dll|lnk|js|vbs|hta|bat|cmd|ps1|msi)$/
  | ParentBaseFileName = /(?i)^(explorer|cmd)\.exe$/
  | ImageFileName != /(?i)(Program Files|Games|Steam|GOG|Epic)/
  | eval DetectionType = "Exec_From_Mounted_Volume"
]

| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, TargetFileName, DetectionType])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale Humio (CrowdStrike-managed)

Required Tables

ProcessRollup2 PeFileWritten MotwWritten SuspiciousRawDiskRead

False Positives

Falcon sensor itself may generate MotwWritten events during legitimate file scanning or remediation activity
Virtual machine tools such as VMware Workstation or VirtualBox mounting VHD/ISO files via PowerShell automation
Software lifecycle management tools that unpack ISO images to secondary volumes as part of deployment pipelines
Penetration testing or red team operations on authorized engagements — exclude known red team host CIDs

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1553.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1553Subvert Trust Controls

Related Sub-techniques

T1553.001Gatekeeper Bypass T1553.002Code Signing T1553.003SIP and Trust Provider Hijacking T1553.004Install Root Certificate T1553.006Code Signing Policy Modification

Mark-of-the-Web Bypass

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections