Within the MITRE-Based Falcon Detections Framework, what is the correct way to interpret Keep Access > Persistence > Create Account?
An adversary is trying to keep access through persistence by creating an account
An adversary is trying to keep access through persistence using browser extensions
An adversary is trying to keep access through persistence using external remote services
adversary is trying to keep access through persistence using application skimming
Submit