Detection Chokepoints

TTPs evolve. Chokepoints don't.

Attack prerequisites that cannot be bypassed regardless of tool choice. High-signal, low-volume detection opportunities for every defender.

Every entry below targets an invariant prerequisite that attackers cannot bypass regardless of tool choice. Detections anchored to these chokepoints survive tool rotation, obfuscation, and variant evolution. Learn the framework →

? Badge guide

Research Broad baseline, high noise, not for alerting

Hunt Behavioral context, moderate noise, analyst triage

Analyst Production-ready, low noise, SOC alerting

Pre-Exec Fires before execution. ETW, web proxy, IOK.

High FP Expect significant noise

Medium FP Moderate noise, tune for your environment

Low FP Safe for production

New Added in latest update

Updated Modified in latest update

Tactic

Priority

CRITICAL

Infostealer Browser Credential Theft

Infostealers systematically harvest credentials, cookies, and autofill data from browser credential databases. This i...

T1555.003 T1539 T1041

12 variations

THE CONSTANT Stealer process → Login Data / logins.json file read → CryptUnprotectData() /...

CRITICAL

LSASS Credential Dumping

To extract plaintext credentials, NTLM hashes, or Kerberos tickets from a live Windows system, an attacker must read ...

T1003.001 T1003 T1547.005

24 variations

THE CONSTANT A process must open a kernel-mediated handle to lsass.exe and read its virtua...

CRITICAL

EDR Bypass Techniques

Adversaries impair or neutralize EDR/AV products before executing their primary payload to prevent detection and resp...

T1562.001 T1562.006 T1055.001 +1

14 variations

THE CONSTANT Admin/SYSTEM privileges → bypass mechanism → security telemetry impaired

CRITICAL

Ransomware Service Manipulation

Before encrypting files, ransomware operators stop and delete security tools, backup services, and database engines t...

T1562.001 T1489

5 variations

THE CONSTANT SYSTEM-level process → service enumeration → bulk service stop/delete → encry...

CRITICAL

Web Shell Persistence

Adversaries plant web-accessible scripts (web shells) on compromised servers to maintain persistent command execution...

T1505.003 T1190 T1059.004

11 variations

THE CONSTANT HTTP request → web server process → child OS interpreter

HIGH

BYOSI Scripting Interpreters

Adversaries bring legitimate, vendor-signed scripting interpreters (Python, PHP, Node.js, Ruby, Perl, AutoHotKey, etc...

T1059.006 T1059.007 T1059 +2

8 variations

THE CONSTANT Non-default interpreter binary written to disk → interpreter process launched...

HIGH

ClickFix Techniques

User pastes a malicious command from their clipboard into a Run dialog, terminal, or Explorer address bar. The lure p...

T1204.004

9 variations

THE CONSTANT Clipboard write → user pastes into interpreter → outbound C2 connection

HIGH

Renamed RMM Tools

Legitimate remote management and monitoring (RMM) tools are renamed or masqueraded to appear as trusted applications ...

T1219.002

9 variations

THE CONSTANT Browser download → renamed signed binary execution → persistent RMM C2 connec...

HIGH

Remote Execution Tools (HackTools)

Offensive security tools (Impacket, NetExec, CrackMapExec, Evil-WinRM) used for remote code execution across Windows ...

T1021.002 T1021.003 T1021.006 +3

7 variations

THE CONSTANT Valid admin credentials → authenticated protocol (SMB/WMI/WinRM) → remote com...