Detections

Name Data Source Technique Type Analytic Story Date
Wget Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 2024-12-03
Linux Auditd File Permission Modification Via Chmod Linux icon Linux Auditd Proctitle T1222.002 T1222 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-12-02
Windows Credentials Access via VaultCli Module T1555.004 Anomaly Meduza Stealer 2024-11-29
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP AgentTesla, CISA AA22-320A, Compromised Windows Host, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics 2024-11-28
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.005 T1036 T1003 T1595 TTP CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-11-28
Attempted Credential Dump From Registry via Reg exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse 2024-11-28
Batch File Write to System32 Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1204 T1204.002 TTP Compromised Windows Host, SamSam Ransomware 2024-11-28
BCDEdit Failure Recovery Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Compromised Windows Host, Ransomware, Ryuk Ransomware 2024-11-28
CertUtil Download With URLCache and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell 2024-11-28
CertUtil Download With VerifyCtl and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land 2024-11-28
Certutil exe certificate extraction CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 TTP Cloud Federated Credential Abuse, Compromised Windows Host, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques 2024-11-28
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.004 T1070 TTP Compromised Windows Host, Ransomware 2024-11-28
Clop Common Exec Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Clop Ransomware, Compromised Windows Host 2024-11-28
Clop Ransomware Known Service Name Windows icon Windows Event Log System 7045 T1543 TTP Clop Ransomware, Compromised Windows Host 2024-11-28
CMD Echo Pipe - Escalation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 T1543.003 T1543 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
ConnectWise ScreenConnect Path Traversal Windows SACL Windows icon Windows Event Log Security 4663 T1190 TTP Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities 2024-11-28
Conti Common Exec parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Compromised Windows Host, Ransomware 2024-11-28
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.002 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 2024-11-28
Creation of Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Volt Typhoon 2024-11-28
Creation of Shadow Copy with wmic and powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon 2024-11-28
Credential Dumping via Copy Command from Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Credential Dumping via Symlink to Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Curl Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 2024-11-28
Deleting Shadow Copies CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP CISA AA22-264A, Chaos Ransomware, Clop Ransomware, Compromised Windows Host, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation 2024-11-28
Detect AzureHound Command-Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 T1105 TTP Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services 2024-11-28
Detect Exchange Web Shell Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1505 T1505.003 T1190 T1133 TTP BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell 2024-11-28
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity 2024-11-28
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-11-28
Detect Outlook exe writing a zip file Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 T1566.001 TTP Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments 2024-11-28
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - advpack CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - setupapi CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - syssetup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Webshell Exploit Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.003 TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities 2024-11-28
DNS Exfiltration Using Nslookup App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048 TTP Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-11-28
DSQuery Domain Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2024-11-28
Dump LSASS via comsvcs DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon 2024-11-28
Dump LSASS via procdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group 2024-11-28
Enumerate Users Local Group Using Telegram Windows icon Windows Event Log Security 4798 T1087 TTP Compromised Windows Host, XMRig 2024-11-28
Excel Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Excel Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Executable File Written in Administrative SMB Share Windows icon Windows Event Log Security 5145 T1021 T1021.002 TTP Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot 2024-11-28
Executables Or Script Creation In Suspicious Path Windows icon Sysmon EventID 11 T1036 Anomaly AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 T1548.002 T1548 TTP Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics 2024-11-28
GPUpdate with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Hiding Files And Directories With Attrib exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 T1222.001 TTP Azorult, Compromised Windows Host, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-11-28
Icacls Deny Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 TTP Azorult, Compromised Windows Host, Sandworm Tools, XMRig 2024-11-28
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Kerberoasting spn request with RC4 encryption Windows icon Windows Event Log Security 4769 T1558 T1558.003 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-11-28
Known Services Killed by Ransomware Windows icon Windows Event Log System 7036 T1490 TTP BlackMatter Ransomware, Compromised Windows Host, LockBit Ransomware, Ransomware 2024-11-28
Malicious Powershell Executed As A Service Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware 2024-11-28
Office Application Drop Executable Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 T1566.001 TTP AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT 2024-11-28
Office Application Spawn Regsvr32 process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, IcedID, Qakbot 2024-11-28
Office Application Spawn rundll32 process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning BITSAdmin CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning CertUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning MSHTA CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments 2024-11-28
Office Product Spawning Rundll32 with no DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Remcos, Spearphishing Attachments 2024-11-28
Office Product Spawning Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, FIN7, Spearphishing Attachments 2024-11-28
Office Product Writing cab or inf CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Office Spawning Control CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497 T1497.003 Anomaly BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate 2024-11-28
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Remote Process Instantiation via WMI and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Resize ShadowStorage volume CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP BlackByte Ransomware, Clop Ransomware, Compromised Windows Host 2024-11-28
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-11-28
Rundll32 Shimcache Flush CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2024-11-28
Rundll32 with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218 T1218.011 TTP BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-11-28
Ryuk Wake on LAN Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
Schedule Task with HTTP Command Arguments Windows icon Windows Event Log Security 4698 T1053 TTP Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
Schedule Task with Rundll32 Command Trigger Windows icon Windows Event Log Security 4698 T1053 TTP Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques 2024-11-28
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-11-28
SearchProtocolHost with no Command Line with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
SecretDumps Offline NTDS Dumping Tool CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-11-28
ServicePrincipalNames Discovery with SetSPN CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1558.003 TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Services Escalate Exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.011 T1546 TTP Compromised Windows Host, Windows Persistence Techniques 2024-11-28
Short Lived Scheduled Task Windows icon Windows Event Log Security 4698, Windows icon Windows Event Log Security 4699 T1053.005 TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks 2024-11-28
Single Letter Process On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 T1204.002 TTP Compromised Windows Host, DHS Report TA18-074A 2024-11-28
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
SLUI Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1547.012 T1547 TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1547.012 T1547 TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Suspicious Computer Account Name Change Windows icon Windows Event Log Security 4781 T1078 T1078.002 TTP Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation 2024-11-28
Suspicious Copy on System32 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.003 T1036 TTP AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon 2024-11-28
Suspicious Process DNS Query Known Abuse Web Services Windows icon Sysmon EventID 22 T1059.005 T1059 TTP Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate 2024-11-28
Suspicious Process File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
Windows Access Token Manipulation SeDebugPrivilege Windows icon Windows Event Log Security 4703 T1134.002 T1134 Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, Meduza Stealer, PlugX, ValleyRAT 2024-11-28
Windows AD Cross Domain SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Controller Promotion Windows icon Windows Event Log Security 4742 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Replication ACL Addition T1484 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Privileged Account SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated by User Account Windows icon Windows Event Log Security 4662 T1003.006 T1003 TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated from Unsanctioned Location Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4662 T1003.006 T1003 TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Same Domain SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques 2024-11-28
Windows AD Short Lived Domain Controller SPN Attribute Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 5136 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Short Lived Server Object Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5141 T1207 TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows Alternate DataStream - Process Execution Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564 T1564.004 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Change Default File Association For No File Ext CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.001 T1546 TTP Compromised Windows Host, Prestige Ransomware 2024-11-28
Windows COM Hijacking InprocServer32 Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.015 T1546 TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows Command and Scripting Interpreter Path Traversal Exec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-11-28
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 T1059 TTP Compromised Windows Host, DarkCrystal RAT 2024-11-28
Windows Computer Account With SPN Windows icon Windows Event Log Security 4741 T1558 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows ConHost with Headless Argument CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 T1564.006 TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Credential Access From Browser Password Store Windows icon Windows Event Log Security 4663 T1012 Anomaly Braodo Stealer, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger 2024-11-28
Windows Credential Dumping LSASS Memory Createdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 TTP Compromised Windows Host, Credential Dumping 2024-11-28
Windows Credentials from Password Stores Chrome Extension Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer 2024-11-28
Windows Credentials from Password Stores Chrome LocalState Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Chrome Login Data Access Windows icon Windows Event Log Security 4663 T1012 Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Creation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer 2024-11-28
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, Ingress Tool Transfer 2024-11-28
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.002 T1562 T1505 T1505.004 TTP CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics 2024-11-28
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.001 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Domain Admin Impersonation Indicator Windows icon Windows Event Log Security 4627 T1558 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware 2024-11-28
Windows Event Log Cleared Windows icon Windows Event Log Security 1102 T1070 T1070.001 TTP CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation 2024-11-28
Windows Excessive Disabled Services Event Windows icon Windows Event Log System 7040 T1562.001 T1562 TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 2024-11-28
Windows Gather Victim Network Info Through Ip Check Web Services Windows icon Sysmon EventID 22 T1590.005 T1590 Hunting Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger 2024-11-28
Windows Hidden Schedule Task Settings Windows icon Windows Event Log Security 4698 T1053 TTP Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks 2024-11-28
Windows InstallUtil Remote Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows Kerberos Local Successful Logon Windows icon Windows Event Log Security 4624 T1558 TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows KrbRelayUp Service Creation Windows icon Windows Event Log System 7045 T1543.003 TTP Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.002 T1574 TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Masquerading Msdtc Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 TTP Compromised Windows Host, PlugX 2024-11-28
Windows Mimikatz Binary Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003 TTP CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon 2024-11-28
Windows Modify System Firewall with Notable Process Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.004 T1562 TTP Compromised Windows Host, NjRAT 2024-11-28
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.003 TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Office Product Spawning MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments 2024-11-28
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1190 T1133 TTP Compromised Windows Host, PaperCut MF NG Vulnerability 2024-11-28
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134.004 T1134 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Privilege Escalation User Process Spawn System Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 T1548 T1134 TTP BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation 2024-11-28
Windows Query Registry UnInstall Program List Windows icon Windows Event Log Security 4663 T1012 Anomaly Meduza Stealer, RedLine Stealer 2024-11-28
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 TTP Compromised Windows Host, Ransomware 2024-11-28
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055.001 T1218 T1055 TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Regsvr32 Renamed Binary CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.010 T1218 TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Compromised Windows Host, Unusual Processes 2024-11-28
Windows Remote Service Rdpwinst Tool Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 TTP Azorult, Compromised Windows Host 2024-11-28
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.005 TTP AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks 2024-11-28
Windows Security Account Manager Stopped CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
Windows Service Create SliverC2 Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host 2024-11-28
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1563.002 T1563 T1543.003 TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Windows Snake Malware Service Create Windows icon Windows Event Log System 7045 T1547.006 T1569.002 TTP Compromised Windows Host, Snake Malware 2024-11-28
Windows SOAPHound Binary Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Windows Spearphishing Attachment Onenote Spawn Mshta CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566.001 T1566 TTP AsyncRAT, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Special Privileged Logon On Multiple Hosts Windows icon Windows Event Log Security 4672 T1087 T1021.002 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Windows Steal Authentication Certificates - ESC1 Authentication Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4887 T1649 T1550 TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.001 T1218 TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Windows UAC Bypass Suspicious Escalation Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 T1548.002 TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Unsecured Outlook Credentials Access In Registry Windows icon Windows Event Log Security 4663 T1552 Anomaly Meduza Stealer, Snake Keylogger 2024-11-28
Windows Valid Account With Never Expires Password CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Azorult, Compromised Windows Host 2024-11-28
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Compromised Windows Host, DarkGate Malware 2024-11-28
WinEvent Scheduled Task Created to Spawn Shell Windows icon Windows Event Log Security 4698 T1053.005 T1053 TTP CISA AA22-257A, Compromised Windows Host, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern 2024-11-28
WinEvent Scheduled Task Created Within Public Path Windows icon Windows Event Log Security 4698 T1053.005 T1053 TTP Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Compromised Windows Host, Remcos 2024-11-28
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 2024-11-28
Winword Spawning Cmd CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, Spearphishing Attachments 2024-11-28
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1220 TTP Compromised Windows Host, Suspicious WMI Use 2024-11-28
7zip CommandLine To SMB Share Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting Ransomware 2024-11-26
Create local admin accounts using net exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1136.001 T1136 TTP Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware 2024-11-26
Create Remote Thread In Shell Application Windows icon Sysmon EventID 8 T1055 TTP IcedID, Qakbot, Warzone RAT 2024-11-26
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 T1070.001 TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-11-26
Domain Controller Discovery with Nltest CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware 2024-11-26
Domain Group Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation 2024-11-26
Domain Group Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-11-26
Elevated Group Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon 2024-11-26
Net Localgroup Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation 2024-11-26
Network Connection Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation 2024-11-26
Password Policy Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-11-26
Powershell Disable Security Monitoring CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA24-241A, Ransomware, Revil Ransomware 2024-11-26
Remote System Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery, IcedID 2024-11-26
WBAdmin Delete System Backups CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware 2024-11-26
Windows ESX Admins Group Creation via Net Windows icon Sysmon EventID 1 T1136.002 T1136.001 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-11-26
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-11-26
Windows Network Share Interaction With Net Windows icon Sysmon EventID 1 T1135 T1039 TTP Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2024-11-26
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 T1543 T1134.004 T1134 TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-11-26
Windows RDP File Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1598.002 T1021.001 TTP Spearphishing Attachments 2024-11-21
Windows RDPClient Connection Sequence Events Windows icon Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 T1133 Anomaly Spearphishing Attachments 2024-11-21
Okta Mismatch Between Source and Response for Verify Push Request Okta T1621 TTP Okta Account Takeover, Okta MFA Exhaustion 2024-11-19
Active Setup Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.014 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-11-14
Add DefaultUser And Password In Registry Windows icon Sysmon EventID 13 T1552.002 T1552 Anomaly BlackMatter Ransomware 2024-11-14
Allow Inbound Traffic By Firewall Rule Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021.001 T1021 TTP Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Allow Operation with Consent Admin Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548 TTP Azorult, MoonPeak, Ransomware, Windows Registry Abuse 2024-11-14
Auto Admin Logon Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1552.002 T1552 TTP BlackMatter Ransomware, Windows Registry Abuse 2024-11-14
Disable AMSI Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Defender AntiVirus Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender BlockAtFirstSeen Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Enhanced Notification Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Spynet Reporting Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse 2024-11-14
Disable Defender Submit Samples Consent Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable ETW Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Registry Tool Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Security Logs Using MiniNt Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Show Hidden Files Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1564.001 T1562.001 T1564 T1562 T1112 Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable UAC Remote Restriction Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows App Hotkeys Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Registry Abuse, XMRig 2024-11-14
Disable Windows Behavior Monitoring Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows SmartScreen Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling CMD Application Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling ControlPanel Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Defender Services Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP IcedID, RedLine Stealer, Windows Registry Abuse 2024-11-14
Disabling FolderOptions Windows Feature Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling NoRun Windows App Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 T1112 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling SystemRestore In Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1490 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Task Manager Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Enable RDP In Other Port Number Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Enable WDigest UseLogonCredential Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 T1003 TTP CISA AA22-320A, Credential Dumping, Windows Registry Abuse 2024-11-14
ETW Registry Disabled Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.006 T1127 T1562 TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Hide User Account From Sign-In Screen Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, Warzone RAT, Windows Registry Abuse, XMRig 2024-11-14
Monitor Registry Keys for Print Monitors Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.010 T1547 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Registry Keys for Creating SHIM Databases Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546.011 T1546 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Registry Keys Used For Privilege Escalation Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546.012 T1546 TTP Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Short Lived Windows Accounts Windows icon Windows Event Log System 4720, Windows icon Windows Event Log System 4726 T1136.001 T1136 T1078.003 TTP Active Directory Lateral Movement 2024-11-14
Time Provider Persistence Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.003 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Windows Defender Exclusion Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Change Password Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Lock Workstation Feature Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable LogOff Button Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Notification Center Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable Shutdown Button Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Hide Notification Features Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Configure App Install Control Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Disable Web Evaluation Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Override SmartScreen Prompt Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows LSA Secrets NoLMhash Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1003.004 TTP CISA AA23-347A 2024-11-14
Windows Modify Registry Disable Restricted Admin Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A 2024-11-14
Windows Modify Registry EnableLinkedConnections Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP BlackByte Ransomware 2024-11-14
Windows Modify Registry LongPathsEnabled Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly BlackByte Ransomware 2024-11-14
Windows Modify Registry NoChangingWallPaper Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2024-11-14
Windows Modify Registry to Add or Modify Firewall Rule Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA24-241A, ShrinkLocker 2024-11-14
Windows Modify Show Compress Color And Info Tip Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Registry BootExecute Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2024-11-14
Windows Registry Certificate Added Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1553.004 T1553 Anomaly Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Registry Delete Task SD Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1053.005 T1562 Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows Registry Modification for Safe Mode Persistence Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.001 T1547 TTP Ransomware, Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Service Creation Using Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1574.011 TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows BitLockerToGo Process Execution T1218 Hunting Lumma Stealer 2024-11-13
Windows BitLockerToGo with Network Activity T1218 Hunting Lumma Stealer 2024-11-13
Windows RunMRU Command Execution T1202 Anomaly Lumma Stealer 2024-11-08
Detect Large Outbound ICMP Packets Network icon Palo Alto Network Traffic T1095 TTP Command And Control 2024-11-06
Azure AD Authentication Failed During MFA Challenge Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 T1621 TTP Azure Active Directory Account Takeover 2024-10-31
Microsoft Defender ATP Alerts MS Defender ATP Alerts TTP Critical Alerts 2024-10-30
Microsoft Defender Incident Alerts MS365 Defender Incident Alerts TTP Critical Alerts 2024-10-30
WinEvent Windows Task Scheduler Event Action Started Windows icon Windows Event Log TaskScheduler 200 T1053.005 Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern 2024-10-24
Splunk Unauthenticated Log Injection Web Service Log Splunk icon Splunk T1190 Hunting Splunk Vulnerabilities 2024-10-22
Abnormally High Number Of Cloud Instances Destroyed AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
ASL AWS IAM Failure Group Deletion T1098 Anomaly AWS IAM Privilege Escalation 2024-10-22
ASL AWS IAM Successful Group Deletion T1069.003 T1098 T1069 Hunting AWS IAM Privilege Escalation 2024-10-22
AWS IAM Failure Group Deletion AWS icon AWS CloudTrail DeleteGroup T1098 Anomaly AWS IAM Privilege Escalation 2024-10-22
AWS IAM Successful Group Deletion AWS icon AWS CloudTrail DeleteGroup T1069.003 T1098 T1069 Hunting AWS IAM Privilege Escalation 2024-10-22
AWS Lambda UpdateFunctionCode AWS icon AWS CloudTrail T1204 Hunting Suspicious Cloud User Activities 2024-10-22
Risk Rule for Dev Sec Ops by Repository T1204.003 T1204 Correlation Dev Sec Ops 2024-10-22
Detect Distributed Password Spray Attempts Azure icon Azure Active Directory Sign-in activity T1110.003 T1110 Hunting Active Directory Password Spraying, Compromised User Account 2024-10-17
Detect New Login Attempts to Routers TTP Router and Infrastructure Security 2024-10-17
Detect Password Spray Attempts Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Compromised User Account 2024-10-17
Detect Risky SPL using Pretrained ML Model T1059 Anomaly Splunk Vulnerabilities 2024-10-17
Email Attachments With Lots Of Spaces Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Email files written outside of the Outlook directory Windows icon Sysmon EventID 11 T1114 T1114.001 TTP Collection and Staging 2024-10-17
Email servers sending high volume traffic to hosts T1114 T1114.002 Anomaly Collection and Staging, HAFNIUM Group 2024-10-17
Monitor Email For Brand Abuse TTP Brand Monitoring, Suspicious Emails 2024-10-17
No Windows Updates in a time frame Hunting Monitor for Updates 2024-10-17
Okta MFA Exhaustion Hunt Okta T1110 Hunting Okta Account Takeover, Okta MFA Exhaustion 2024-10-17
Okta Multiple Failed Requests to Access Applications Okta T1550.004 T1538 Hunting Okta Account Takeover 2024-10-17
Okta Phishing Detection with FastPass Origin Check Okta T1078 T1078.001 T1556 TTP Okta Account Takeover 2024-10-17
Splunk Absolute Path Traversal Using runshellscript Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Account Discovery Drilldown Dashboard Disclosure T1087 TTP Splunk Vulnerabilities 2024-10-17
Splunk App for Lookup File Editing RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Command and Scripting Interpreter Risky Commands Splunk icon Splunk T1059 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Data exfiltration from Analytics Workspace using sid query Splunk icon Splunk T1567 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Digital Certificates Infrastructure Version Splunk icon Splunk T1587.003 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DoS Using Malformed SAML Request Splunk icon Splunk T1498 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DOS Via Dump SPL Command Splunk icon Splunk T1499.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DoS via POST Request Datamodel Endpoint T1499 Hunting Splunk Vulnerabilities 2024-10-17
Splunk DOS via printf search function Splunk icon Splunk T1499.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Edit User Privilege Escalation Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Enterprise KV Store Incorrect Authorization Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk HTTP Response Splitting Via Rest SPL Command Splunk icon Splunk T1027.006 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Image File Disclosure via PDF Export in Classic Dashboard Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Improperly Formatted Parameter Crashes splunkd Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure in Splunk Add-on Builder Splunk icon Splunk T1082 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Information Disclosure on Account Login Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk list all nonstandard admin accounts Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App Splunk icon Splunk T1068 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Low Privilege User Can View Hashed Splunk Password Splunk icon Splunk T1212 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Path Traversal In Splunk App For Lookup File Edit Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Props Conf Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS via Scheduled Views Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Persistent XSS Via URL Validation Bypass W Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Process Injection Forwarder Bundle Downloads Splunk icon Splunk T1055 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Protocol Impersonation Weak Encryption Configuration Splunk icon Splunk T1001.003 Hunting Splunk Vulnerabilities 2024-10-17
Splunk protocol impersonation weak encryption selfsigned Splunk icon Splunk T1588.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk protocol impersonation weak encryption simplerequest Splunk icon Splunk T1588.004 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RBAC Bypass On Indexing Preview REST Endpoint Splunk icon Splunk T1134 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via External Lookup Copybuckets Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Serialized Session Payload Splunk icon Splunk T1190 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via User XSLT T1210 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS in the templates lists radio Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Reflected XSS on App Search Table Endpoint Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk risky Command Abuse disclosed february 2023 Splunk icon Splunk T1548 T1202 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Sensitive Information Disclosure in DEBUG Logging Channels Splunk icon Splunk T1552 Hunting Splunk Vulnerabilities 2024-10-17
Splunk SG Information Disclosure for Low Privs User Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS conf-web Settings on Premises Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Data Model objectName Field Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Stored XSS via Specially Crafted Bulletin Message Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated DoS via Null Pointer References Splunk icon Splunk T1499 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthenticated Path Traversal Modules Messaging Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthorized Experimental Items Creation Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthorized Notification Input by User Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS in Highlighted JSON Events Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS in Monitoring Console T1189 TTP Splunk Vulnerabilities 2024-10-17
Splunk XSS in Save table dialog header in search page Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS Via External Urls in Dashboards SSRF Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Splunk XSS via View Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-10-17
Suspicious Email Attachment Extensions T1566.001 T1566 Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-10-17
Suspicious Java Classes Anomaly Apache Struts Vulnerability 2024-10-17
Web Servers Executing Suspicious Processes Windows icon Sysmon EventID 1 T1082 TTP Apache Struts Vulnerability 2024-10-17
Windows AD Privileged Group Modification T1098 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Suspicious GPO Modification T1484 T1484.001 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Abnormally High Number Of Cloud Infrastructure API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Security Group API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud User Activities 2024-10-17
Amazon EKS Kubernetes cluster scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Amazon EKS Kubernetes Pod scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
ASL AWS Defense Evasion Impair Security Services T1562.008 T1562 Hunting AWS Defense Evasion 2024-10-17
ASL AWS IAM Delete Policy T1098 Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS New MFA Method Registered For User T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS CreateAccessKey AWS icon AWS CloudTrail CreateAccessKey T1136.003 T1136 Hunting AWS IAM Privilege Escalation 2024-10-17
AWS Cross Account Activity From Previously Unseen Account AWS icon AWS CloudTrail Anomaly Suspicious Cloud Authentication Activities 2024-10-17
AWS Defense Evasion Impair Security Services AWS icon AWS CloudTrail DeleteAlarms, AWS icon AWS CloudTrail DeleteDetector, AWS icon AWS CloudTrail DeleteIPSet, AWS icon AWS CloudTrail DeleteLogStream, AWS icon AWS CloudTrail DeleteRule, AWS icon AWS CloudTrail DeleteWebACL T1562.008 T1562 Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion PutBucketLifecycle AWS icon AWS CloudTrail PutBucketLifecycle T1562.008 T1562 T1485.001 T1485 Hunting AWS Defense Evasion 2024-10-17
aws detect attach to role policy T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse T1078 Hunting AWS Cross Account Activity 2024-10-17
aws detect sts get session token abuse T1550 Hunting AWS Cross Account Activity 2024-10-17
AWS IAM Delete Policy AWS icon AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2024-10-17
AWS Password Policy Changes AWS icon AWS CloudTrail DeleteAccountPasswordPolicy, AWS icon AWS CloudTrail GetAccountPasswordPolicy, AWS icon AWS CloudTrail UpdateAccountPasswordPolicy T1201 Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
Azure AD Multi-Source Failed Authentications Spike Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Circle CI Disable Security Step CircleCI T1554 Anomaly Dev Sec Ops 2024-10-17
Cloud API Calls From Previously Unseen User Roles AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created In Previously Unused Region AWS icon AWS CloudTrail T1535 Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Image AWS icon AWS CloudTrail Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created With Previously Unseen Instance Type AWS icon AWS CloudTrail Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-10-17
Detect AWS Console Login by New User AWS icon AWS CloudTrail T1586 T1586.003 T1552 Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New City AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect GCP Storage access from a new IP T1530 Anomaly Suspicious GCP Storage Activities 2024-10-17
Detect New Open GCP Storage Buckets T1530 TTP Suspicious GCP Storage Activities 2024-10-17
Detect S3 access from a new IP T1530 Anomaly Suspicious AWS S3 Activities 2024-10-17
Detect Spike in blocked Outbound Traffic from your AWS Anomaly AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic 2024-10-17
Detect Spike in S3 Bucket deletion AWS icon AWS CloudTrail T1530 Anomaly Suspicious AWS S3 Activities 2024-10-17
GCP Detect gcploit framework T1078 TTP GCP Cross Account Activity 2024-10-17
GCP Kubernetes cluster pod scan detection T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Gdrive suspicious file sharing T1566 Hunting Data Exfiltration, Spearphishing Attachments 2024-10-17
Gsuite Drive Share In External Email G Suite Drive T1567.002 T1567 Anomaly Dev Sec Ops, Insider Threat 2024-10-17
Gsuite Outbound Email With Attachment To External Domain G Suite Gmail T1048.003 T1048 Hunting Dev Sec Ops, Insider Threat 2024-10-17
Gsuite suspicious calendar invite T1566 Hunting Spearphishing Attachments 2024-10-17
Kubernetes Anomalous Inbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound Outbound Network IO T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Inbound to Outbound Network IO Ratio T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Outbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Anomalous Traffic on Network Edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes AWS detect suspicious kubectl calls Kubernetes icon Kubernetes Audit Anomaly Kubernetes Security 2024-10-17
Kubernetes newly seen TCP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes newly seen UDP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Previously Unseen Container Image Name T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Previously Unseen Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process Running From New Path T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Anomalous Resource Utilisation T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Process with Resource Ratio Anomalies T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Shell Running on Worker Node T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
Kubernetes Shell Running on Worker Node with CPU Activity T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-10-17
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting NOBELIUM Group, Office 365 Account Takeover 2024-10-17
Abnormally High AWS Instances Launched by User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Launched by User - MLTK T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-10-17
ASL AWS CreateAccessKey T1078 Hunting AWS IAM Privilege Escalation 2024-10-17
ASL AWS Excessive Security Scanning T1526 Anomaly AWS User Monitoring 2024-10-17
ASL AWS Password Policy Changes T1201 Hunting AWS IAM Privilege Escalation, Compromised User Account 2024-10-17
AWS Cloud Provisioning From Previously Unseen City T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Country T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen IP Address Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Region T1535 Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS EKS Kubernetes cluster sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Clients Connecting to Multiple DNS Servers T1048.003 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
Cloud Network Access Control List Deleted Anomaly AWS Network ACL Activity 2024-10-17
Correlation by Repository and Risk T1204.003 T1204 Correlation Dev Sec Ops 2024-10-17
Correlation by User and Risk T1204.003 T1204 Correlation Dev Sec Ops 2024-10-17
Detect Activity Related to Pass the Hash Attacks Windows icon Windows Event Log Security 4624 T1550 T1550.002 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Detect API activity from users without MFA Hunting AWS User Monitoring 2024-10-17
Detect AWS API Activities From Unapproved Accounts T1078.004 Hunting AWS User Monitoring 2024-10-17
Detect DNS requests to Phishing Sites leveraging EvilGinx2 T1566.003 TTP Common Phishing Frameworks 2024-10-17
Detect Long DNS TXT Record Response T1048.003 TTP Command And Control, Suspicious DNS Traffic 2024-10-17
Detect Mimikatz Using Loaded Images Windows icon Sysmon EventID 7 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools 2024-10-17
Detect Mimikatz Via PowerShell And EventCode 4703 T1003.001 TTP Cloud Federated Credential Abuse 2024-10-17
Detect new API calls from user roles T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect new user AWS Console Login T1078.004 Hunting Suspicious AWS Login Activities 2024-10-17
Detect Spike in AWS API Activity T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect Spike in Network ACL Activity T1562.007 Anomaly AWS Network ACL Activity 2024-10-17
Detect Spike in Security Group Activity T1078.004 Anomaly AWS User Monitoring 2024-10-17
Detect USB device insertion TTP Data Protection 2024-10-17
Detect web traffic to dynamic domain providers T1071.001 TTP Dynamic DNS 2024-10-17
Detection of DNS Tunnels T1048.003 TTP Command And Control, Data Protection, Suspicious DNS Traffic 2024-10-17
DNS Query Requests Resolved by Unauthorized DNS Servers T1071.004 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-10-17
DNS record changed T1071.004 TTP DNS Hijacking 2024-10-17
Dump LSASS via procdump Rename Windows icon Sysmon EventID 1 T1003.001 Hunting CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-10-17
EC2 Instance Modified With Previously Unseen User T1078.004 Anomaly Unusual AWS EC2 Modifications 2024-10-17
EC2 Instance Started In Previously Unseen Region T1535 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
EC2 Instance Started With Previously Unseen AMI Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen Instance Type Anomaly AWS Cryptomining 2024-10-17
EC2 Instance Started With Previously Unseen User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Execution of File With Spaces Before Extension Windows icon Sysmon EventID 1 T1036.003 TTP Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-10-17
Extended Period Without Successful Netbackup Backups Hunting Monitor Backup Solution 2024-10-17
First time seen command line argument Windows icon Sysmon EventID 1 T1059.001 T1059.003 Hunting DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions 2024-10-17
GCP Detect accounts with high risk roles by project T1078 Hunting GCP Cross Account Activity 2024-10-17
GCP Detect high risk permissions by resource and account T1078 Hunting GCP Cross Account Activity 2024-10-17
gcp detect oauth token abuse T1078 Hunting GCP Cross Account Activity 2024-10-17
GCP Kubernetes cluster scan detection T1526 TTP Kubernetes Scanning Activity 2024-10-17
Identify New User Accounts T1078.002 Hunting N/A 2024-10-17
Kubernetes AWS detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes AWS detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure active service accounts by pod namespace Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes Azure detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes Azure pod scan fingerprint Hunting Kubernetes Scanning Activity 2024-10-17
Kubernetes Azure scan fingerprint T1526 Hunting Kubernetes Scanning Activity 2024-10-17
Kubernetes GCP detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect RBAC authorizations by account Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes GCP detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-10-17
Kubernetes GCP detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Kubernetes GCP detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-10-17
Monitor DNS For Brand Abuse TTP Brand Monitoring 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP T1110.003 T1078 T1078.001 TTP Suspicious Okta Activity 2024-10-17
O365 Suspicious Admin Email Forwarding T1114.003 T1114 Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
O365 Suspicious Rights Delegation T1114.002 T1114 T1098.002 T1098 TTP Office 365 Collection Techniques 2024-10-17
O365 Suspicious User Email Forwarding T1114.003 T1114 Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-10-17
Okta Account Locked Out T1110 Anomaly Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Okta Account Lockout Events T1078 T1078.001 Anomaly Suspicious Okta Activity 2024-10-17
Okta Failed SSO Attempts T1078 T1078.001 Anomaly Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users T1078 T1078.001 T1110.004 TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack T1078 T1078.001 T1110.003 TTP Suspicious Okta Activity 2024-10-17
Okta Two or More Rejected Okta Pushes T1110 TTP Okta MFA Exhaustion, Suspicious Okta Activity 2024-10-17
Open Redirect in Splunk Web TTP Splunk Vulnerabilities 2024-10-17
Osquery pack - ColdRoot detection TTP ColdRoot MacOS RAT 2024-10-17
Processes created by netsh Windows icon Sysmon EventID 1 T1562.004 TTP Netsh Abuse 2024-10-17
Prohibited Software On Endpoint Windows icon Sysmon EventID 1 Hunting Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware 2024-10-17
Reg exe used to hide files directories via registry keys Windows icon Sysmon EventID 1 T1564.001 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Remote Registry Key modifications Windows icon Sysmon EventID 13 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Scheduled tasks used in BadRabbit ransomware Windows icon Sysmon EventID 1 T1053.005 TTP Ransomware 2024-10-17
Spectre and Meltdown Vulnerable Systems TTP Spectre And Meltdown Vulnerabilities 2024-10-17
Splunk Enterprise Information Disclosure TTP Splunk Vulnerabilities 2024-10-17
Suspicious Changes to File Associations Windows icon Sysmon EventID 1 T1546.001 TTP Suspicious Windows Registry Activities, Windows File Extension and Association Abuse 2024-10-17
Suspicious Email - UBA Anomaly T1566 Anomaly Suspicious Emails 2024-10-17
Suspicious File Write Windows icon Sysmon EventID 11 Hunting Hidden Cobra Malware 2024-10-17
Suspicious Powershell Command-Line Arguments Windows icon Sysmon EventID 1 T1059.001 TTP CISA AA22-320A, Hermetic Wiper, Malicious PowerShell 2024-10-17
Suspicious Rundll32 Rename Windows icon Sysmon EventID 1 T1218 T1036 T1218.011 T1036.003 Hunting Masquerading - Rename System Utilities, Suspicious Rundll32 Activity 2024-10-17
Suspicious writes to System Volume Information Windows icon Sysmon EventID 1 T1036 Hunting Collection and Staging 2024-10-17
Uncommon Processes On Endpoint Windows icon Sysmon EventID 1 T1204.002 Hunting Hermetic Wiper, Unusual Processes, Windows Privilege Escalation 2024-10-17
Unsigned Image Loaded by LSASS Windows icon Sysmon EventID 7 T1003.001 TTP Credential Dumping 2024-10-17
Unsuccessful Netbackup backups Hunting Monitor Backup Solution 2024-10-17
Web Fraud - Account Harvesting T1136 TTP Web Fraud Detection 2024-10-17
Web Fraud - Anomalous User Clickspeed T1078 Anomaly Web Fraud Detection 2024-10-17
Web Fraud - Password Sharing Across Accounts Anomaly Web Fraud Detection 2024-10-17
Windows connhost exe started forcefully Windows icon Sysmon EventID 1 T1059.003 TTP Ryuk Ransomware 2024-10-17
Windows DLL Search Order Hijacking Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.001 T1574 Hunting Living Off The Land, Windows Defense Evasion Tactics 2024-10-17
Windows hosts file modification Windows icon Sysmon EventID 11 TTP Host Redirection 2024-10-17
3CX Supply Chain Attack Network Indicators Windows icon Sysmon EventID 22 T1195.002 TTP 3CX Supply Chain Attack 2024-10-17
Child Processes of Spoolsv exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
CMD Carry Out String Command Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 T1059 Hunting AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern 2024-10-17
Common Ransomware Extensions Windows icon Sysmon EventID 11 T1485 Hunting Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Common Ransomware Notes Windows icon Sysmon EventID 11 T1485 Hunting Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
CSC Net On The Fly Compilation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1027.004 T1027 Hunting Windows Defense Evasion Tactics 2024-10-17
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2024-10-17
Detect Computer Changed with Anonymous Account Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2024-10-17
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 Hunting Living Off The Land, Suspicious Compiled HTML Activity 2024-10-17
Detect mshta renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 Hunting Living Off The Land, Suspicious MSHTA Activity 2024-10-17
Detect Prohibited Applications Spawning cmd exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 Hunting NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2024-10-17
Detect Renamed 7-Zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting Collection and Staging 2024-10-17
Detect Renamed PSExec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1569 T1569.002 Hunting Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools 2024-10-17
Detect Renamed RClone CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1020 Hunting DarkSide Ransomware, Ransomware 2024-10-17
Detect Renamed WinRAR CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting CISA AA22-277A, Collection and Staging 2024-10-17
Detect suspicious processnames using pretrained model in DSDL Windows icon Sysmon EventID 1 T1059 Anomaly Suspicious Command-Line Executions 2024-10-17
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1072 TTP Emotet Malware DHS Report TA18-201A 2024-10-17
DLLHost with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-10-17
Domain Account Discovery with Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery 2024-10-17
Domain Controller Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery With Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
Drop IcedID License dat Windows icon Sysmon EventID 11 T1204 T1204.002 Hunting IcedID 2024-10-17
Elevated Group Discovery with PowerView Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
Esentutl SAM Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 Hunting Credential Dumping, Living Off The Land 2024-10-17
Exchange PowerShell Abuse via SSRF T1190 T1133 TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-10-17
First Time Seen Child Process of Zoom CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 Anomaly Suspicious Zoom Child Processes 2024-10-17
First Time Seen Running Windows Service Windows icon Windows Event Log System 7036 T1569 T1569.002 Anomaly NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 Hunting Active Directory Discovery 2024-10-17
Get ADUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get WMIObject Group Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Get WMIObject Group Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 Hunting Active Directory Discovery, CISA AA22-320A, Gozi Malware 2024-10-17
GetAdGroup with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
GetAdGroup with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2024-10-17
GetDomainController with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 T1059.001 Hunting Active Directory Discovery, Malicious PowerShell 2024-10-17
GetNetTcpconnection with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery 2024-10-17
GetNetTcpconnection with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1049 Hunting Active Directory Discovery 2024-10-17
GetWmiObject User Account with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery, Winter Vivern 2024-10-17
GetWmiObject User Account with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 T1059.001 Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2024-10-17
Headless Browser Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 Hunting Forest Blizzard 2024-10-17
Hunting 3CXDesktopApp Software CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1195.002 Hunting 3CX Supply Chain Attack 2024-10-17
IcedID Exfiltrated Archived File Creation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting IcedID 2024-10-17
Linux Add User Account Linux icon Sysmon for Linux EventID 1 T1136.001 T1136 Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Adding Crontab Using List Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Auditd Change File Owner To Root Linux icon Linux Auditd Proctitle T1222.002 T1222 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux icon Linux Auditd Path T1053.003 T1053 Hunting Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Common Process For Elevation Control Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Edit Cron Table Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Impair Defenses Process Kill Linux icon Sysmon for Linux EventID 1 T1562.001 T1562 Hunting AwfulShred, Data Destruction 2024-10-17
Linux Ingress Tool Transfer Hunting Linux icon Sysmon for Linux EventID 1 T1105 Hunting Ingress Tool Transfer, Linux Living Off The Land 2024-10-17
Linux Kworker Process In Writable Process Path Linux icon Sysmon for Linux EventID 1 T1036.004 T1036 Hunting Cyclops Blink, Sandworm Tools 2024-10-17
Linux Possible Append Cronjob Entry on Existing Cronjob File Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Cronjob Modification With Editor Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Stdout Redirection To Dev Null File Linux icon Sysmon for Linux EventID 1 T1562.004 T1562 Anomaly Cyclops Blink, Data Destruction, Industroyer2 2024-10-17
Linux Sudo OR Su Execution Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Local Account Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery, Sandworm Tools 2024-10-17
Local Account Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery 2024-10-17
MacOS - Re-opened Applications Windows icon Sysmon EventID 1 TTP ColdRoot MacOS RAT 2024-10-17
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1027 Hunting CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate 2024-10-17
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting MOVEit Transfer Authentication Bypass 2024-10-17
MS Exchange Mailbox Replication service writing Active Server Pages Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1505 T1505.003 T1190 T1133 TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-10-17
MSI Module Loaded by Non-System Binary Windows icon Sysmon EventID 7 T1574.002 T1574 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Network Connection Discovery With Arp CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Connection Discovery With Netstat CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Discovery Using Route Windows App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1016 T1016.001 Hunting Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation 2024-10-17
Network Share Discovery Via Dir Command Windows icon Windows Event Log Security 5140 T1135 Hunting IcedID 2024-10-17
Network Traffic to Active Directory Web Services Protocol Windows icon Sysmon EventID 3 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 Hunting Windows Discovery Techniques 2024-10-17
PaperCut NG Suspicious Behavior Debug Log T1190 T1133 Hunting PaperCut MF NG Vulnerability 2024-10-17
Possible Browser Pass View Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555.003 T1555 Hunting Remcos 2024-10-17
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 T1021.006 T1047 T1053.005 T1543.003 T1059.001 T1218.014 TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potential password in username Linux icon Linux Secure T1078.003 T1552.001 Hunting Credential Dumping, Insider Threat 2024-10-17
PowerShell 4104 Hunting Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 Hunting Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware 2024-10-17
PowerShell - Connect To Internet With Hidden Window CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.001 T1059 Hunting AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns 2024-10-17
PowerShell Get LocalGroup Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Print Processor Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.012 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-10-17
Process Writing DynamicWrapperX Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2024-10-17
Processes Tapping Keyboard Events TTP ColdRoot MacOS RAT 2024-10-17
Randomly Generated Scheduled Task Name Windows icon Windows Event Log Security 4698 T1053 T1053.005 Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-10-17
Randomly Generated Windows Service Name Windows icon Windows Event Log System 7045 T1543 T1543.003 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 Hunting Active Directory Lateral Movement, Hidden Cobra Malware 2024-10-17
Remote System Discovery with Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-10-17
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134 T1134.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-10-17
SAM Database File Access Attempt Windows icon Windows Event Log Security 4663 T1003.002 T1003 Hunting Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-10-17
Spike in File Writes Windows icon Sysmon EventID 11 Anomaly Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Sunburst Correlation DLL and Network Event Windows icon Sysmon EventID 22, Windows icon Sysmon EventID 7 T1203 TTP NOBELIUM Group 2024-10-17
Suspicious Curl Network Connection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow 2024-10-17
Suspicious Event Log Service Behavior Windows icon Windows Event Log Security 1100 T1070 T1070.001 Hunting Clop Ransomware, Ransomware, Windows Log Manipulation 2024-10-17
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1127 T1036.003 Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution 2024-10-17
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1127 T1036.003 T1127.001 Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-10-17
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543.001 T1543 TTP Silver Sparrow 2024-10-17
Suspicious PlistBuddy Usage via OSquery T1543.001 T1543 TTP Silver Sparrow 2024-10-17
Suspicious SQLite3 LSQuarantine Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1074 TTP Silver Sparrow 2024-10-17
Suspicious Ticket Granting Ticket Request Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4781 T1078 T1078.002 Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
System Info Gathering Using Dxdiag Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1592 Hunting Remcos 2024-10-17
System User Discovery With Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
System User Discovery With Whoami CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern 2024-10-17
Unusual Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Kerberos Service Tickets Requested Windows icon Windows Event Log Security 4769 T1558 T1558.003 Anomaly Active Directory Kerberos Attacks 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows icon Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusually Long Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
Unusually Long Command Line - MLTK CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
User Discovery With Env Vars PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Active Directory Discovery 2024-10-17
User Discovery With Env Vars PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1033 Hunting Active Directory Discovery 2024-10-17
Verclsid CLSID Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.012 T1218 Hunting Unusual Processes 2024-10-17
Windows Access Token Manipulation Winlogon Duplicate Token Handle Windows icon Sysmon EventID 10 T1134.001 T1134 Hunting Brute Ratel C4 2024-10-17
Windows Account Discovery for None Disable User Account Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 Hunting CISA AA23-347A 2024-10-17
Windows Account Discovery With NetUser PreauthNotRequire Windows icon Powershell Script Block Logging 4104 T1087 Hunting CISA AA23-347A 2024-10-17
Windows AdFind Exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group 2024-10-17
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2024-10-17
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2024-10-17
Windows BootLoader Inventory T1542.001 T1542 Hunting BlackLotus Campaign, Windows BootKits 2024-10-17
Windows Command and Scripting Interpreter Hunting Path Traversal CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-10-17
Windows Debugger Tool Execution T1036 Hunting DarkGate Malware, PlugX 2024-10-17
Windows Defender ASR Registry Modification Windows icon Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2024-10-17
Windows Defender ASR Rules Stacking Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1122, Windows icon Windows Event Log Defender 1129, Windows icon Windows Event Log Defender 5007 T1566.001 T1566.002 T1059 Hunting Windows Attack Surface Reduction 2024-10-17
Windows DiskCryptor Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1486 Hunting Ransomware 2024-10-17
Windows DLL Search Order Hijacking Hunt with Sysmon Windows icon Sysmon EventID 7 T1574.001 T1574 Hunting Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2024-10-17
Windows Driver Inventory T1068 Hunting Windows Drivers 2024-10-17
Windows Driver Load Non-Standard Path Windows icon Windows Event Log System 7045 T1014 T1068 TTP AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Drivers Loaded by Signature Windows icon Sysmon EventID 6 T1014 T1068 Hunting AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Event For Service Disabled Windows icon Windows Event Log System 7040 T1562.001 T1562 Hunting RedLine Stealer, Windows Defense Evasion Tactics 2024-10-17
Windows Event Triggered Image File Execution Options Injection Windows icon Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2024-10-17
Windows Gather Victim Identity SAM Info Windows icon Sysmon EventID 7 T1589.001 T1589 Hunting Brute Ratel C4 2024-10-17
Windows Hunting System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 T1003 Hunting CISA AA23-347A, Credential Dumping 2024-10-17
Windows Identify PowerShell Web Access IIS Pool Windows icon Windows Event Log Security 4648 T1190 Hunting CISA AA24-241A 2024-10-17
Windows Identify Protocol Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Hunting Living Off The Land 2024-10-17
Windows IIS Components Get-WebGlobalModule Module Query Windows icon Powershell Installed IIS Modules T1505.004 T1505 Hunting IIS Components, WS FTP Server Critical Vulnerabilities 2024-10-17
Windows Impair Defense Add Xml Applocker Rules CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Hunting Azorult 2024-10-17
Windows Impair Defense Delete Win Defender Context Menu Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 Hunting Windows Defense Evasion Tactics, Windows Registry Abuse 2024-10-17
Windows Input Capture Using Credential UI Dll Windows icon Sysmon EventID 7 T1056.002 T1056 Hunting Brute Ratel C4 2024-10-17
Windows ISO LNK File Creation Windows icon Sysmon EventID 11 T1566.001 T1566 T1204.001 T1204 Hunting AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT 2024-10-17
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1190 T1133 TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-10-17
Windows Modify Registry Auto Minor Updates Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Reg Restore CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1012 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Modify Registry USeWuServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry WuServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows Modify Registry wuStatusServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-10-17
Windows MOVEit Transfer Writing ASPX Windows icon Sysmon EventID 11 T1190 T1133 TTP MOVEit Transfer Critical Vulnerability 2024-10-17
Windows New InProcServer32 Added Windows icon Sysmon EventID 13 T1112 Hunting Outlook RCE CVE-2024-21378 2024-10-17
Windows NirSoft Utilities CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1588.002 Hunting Data Destruction, WhisperGate 2024-10-17
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 Hunting Living Off The Land 2024-10-17
Windows Phishing Recent ISO Exec Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1566.001 T1566 Hunting AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT 2024-10-17
Windows Process Commandline Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1057 Hunting CISA AA23-347A 2024-10-17
Windows Process Injection With Public Source Path Windows icon Sysmon EventID 8 T1055 T1055.002 Hunting Brute Ratel C4 2024-10-17
Windows Process Writing File to World Writable Path T1218.005 Hunting APT29 Diplomatic Deceptions with WINELOADER 2024-10-17
Windows Query Registry Reg Save CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1012 Hunting CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows RDP Connection Successful Windows icon Windows Event Log RemoteConnectionManager 1149 T1563.002 Hunting Active Directory Lateral Movement, BlackByte Ransomware 2024-10-17
Windows Remote Access Software Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Hunting Command And Control, Insider Threat, Ransomware 2024-10-17
Windows Rundll32 WebDav With Network Connection T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-10-17
Windows SIP Provider Inventory T1553.003 Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2024-10-17
Windows Spearphishing Attachment Connect To None MS Office Domain Windows icon Sysmon EventID 22 T1566.001 T1566 Hunting AsyncRAT, Spearphishing Attachments 2024-10-17
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Flax Typhoon 2024-10-17
Windows Steal or Forge Kerberos Tickets Klist CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1558 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System Discovery Using Qwinsta CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Qakbot 2024-10-17
Windows System File on Disk Windows icon Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers 2024-10-17
Windows System User Discovery Via Quser CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System User Privilege Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Hunting CISA AA23-347A 2024-10-17
Windows Vulnerable Driver Loaded Windows icon Sysmon EventID 6 T1543.003 Hunting BlackByte Ransomware, Windows Drivers 2024-10-17
Windows WinLogon with Public Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1542.003 Hunting BlackLotus Campaign 2024-10-17
Windows WMI Process Call Create CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 Hunting CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon 2024-10-17
WinRM Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1190 TTP CISA AA23-347A, Rhysida Ransomware, Unusual Processes 2024-10-17
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2024-10-17
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2024-10-17
Wmic Group Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.001 Hunting Active Directory Discovery 2024-10-17
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Hunting Azorult, IcedID 2024-10-17
Detect ARP Poisoning T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect DGA domains using pretrained model in DSDL T1568.002 Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-10-17
Detect DNS Data Exfiltration using pretrained model in DSDL T1048.003 Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect IPv6 Network Infrastructure Threats T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect Outbound LDAP Traffic Bro T1190 T1059 Hunting Log4Shell CVE-2021-44228 2024-10-17
Detect Port Security Violation T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-10-17
Detect Rogue DHCP Server T1200 T1498 T1557 TTP Router and Infrastructure Security 2024-10-17
Detect SNICat SNI Exfiltration T1041 TTP Data Exfiltration 2024-10-17
Detect Software Download To Network Device T1542.005 T1542 TTP Router and Infrastructure Security 2024-10-17
Detect suspicious DNS TXT records using pretrained model in DSDL T1568.002 Anomaly Command And Control, DNS Hijacking, Suspicious DNS Traffic 2024-10-17
Detect Traffic Mirroring T1200 T1020 T1498 T1020.001 TTP Router and Infrastructure Security 2024-10-17
Detect Unauthorized Assets by MAC address TTP Asset Tracking 2024-10-17
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Zerologon via Zeek T1190 TTP Detect Zerologon Attack, Rhysida Ransomware 2024-10-17
DNS Query Length Outliers - MLTK T1071.004 T1071 Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-10-17
Excessive DNS Failures T1071.004 T1071 Anomaly Command And Control, Suspicious DNS Traffic 2024-10-17
Hosts receiving high volume of network traffic from email server T1114.002 T1114 Anomaly Collection and Staging 2024-10-17
Internal Vulnerability Scan T1595.002 T1046 TTP Network Discovery 2024-10-17
Large Volume of DNS ANY Queries T1498 T1498.002 Anomaly DNS Amplification Attacks 2024-10-17
Protocol or Port Mismatch T1048.003 T1048 Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-10-17
Protocols passing authentication in cleartext TTP Use of Cleartext Protocols 2024-10-17
SMB Traffic Spike T1021.002 T1021 Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
SMB Traffic Spike - MLTK T1021.002 T1021 Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
Splunk Identified SSL TLS Certificates Splunk icon Splunk Stream TCP T1040 Hunting Splunk Vulnerabilities 2024-10-17
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-10-17
Windows AD Replication Service Traffic T1003 T1003.006 T1207 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Rogue Domain Controller Network Activity T1207 TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-10-17
Citrix ADC Exploitation CVE-2023-3519 Network icon Palo Alto Network Threat T1190 Hunting CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 2024-10-17
Citrix ShareFile Exploitation CVE-2023-24489 Suricata T1190 Hunting Citrix ShareFile RCE CVE-2023-24489 2024-10-17
Detect attackers scanning for vulnerable JBoss servers T1082 T1133 TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Detect F5 TMUI RCE CVE-2020-5902 T1190 TTP F5 TMUI RCE CVE-2020-5902 2024-10-17
Detect malicious requests to exploit JBoss servers TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Hunting for Log4Shell Nginx Access T1190 T1133 Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-10-17
Monitor Web Traffic For Brand Abuse TTP Brand Monitoring 2024-10-17
SQL Injection with Long URLs T1190 TTP SQL Injection 2024-10-17
Supernova Webshell T1505.003 T1133 TTP NOBELIUM Group 2024-10-17
Unusually Long Content-Type Length Anomaly Apache Struts Vulnerability 2024-10-17
VMware Server Side Template Injection Hunt Network icon Palo Alto Network Threat T1190 T1133 Hunting VMware Server Side Injection and Privilege Escalation 2024-10-17
Windows IIS Server PSWA Console Access Windows icon Windows IIS T1190 Hunting CISA AA24-241A 2024-10-17
Path traversal SPL injection Splunk icon Splunk T1083 TTP Splunk Vulnerabilities 2024-10-16
Persistent XSS in RapidDiag through User Interface Views Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk Authentication Token Exposure in Debug Log T1654 TTP Splunk Vulnerabilities 2024-10-16
Splunk Command and Scripting Interpreter Delete Usage Splunk icon Splunk T1059 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk Command and Scripting Interpreter Risky SPL MLTK Splunk icon Splunk T1059 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk CSRF in the SSG kvstore Client Endpoint Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk Digital Certificates Lack of Encryption Splunk icon Splunk T1587.003 Anomaly Splunk Vulnerabilities 2024-10-16
Splunk Disable KVStore via CSRF Enabling Maintenance Mode Splunk icon Splunk T1489 TTP Splunk Vulnerabilities 2024-10-16
Splunk DoS via Malformed S2S Request Splunk icon Splunk T1498 TTP Splunk Vulnerabilities 2024-10-16
Splunk Endpoint Denial of Service DoS Zip Bomb Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk Enterprise Windows Deserialization File Partition Splunk icon Splunk T1190 TTP Splunk Vulnerabilities 2024-10-16
Splunk ES DoS Investigations Manager via Investigation Creation Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk ES DoS Through Investigation Attachments Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-10-16
Splunk RCE PDFgen Render Splunk icon Splunk T1210 TTP Splunk Vulnerabilities 2024-10-16
Splunk unnecessary file extensions allowed by lookup table uploads Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-10-16
Splunk User Enumeration Attempt Splunk icon Splunk T1078 TTP Splunk Vulnerabilities 2024-10-16
AWS Multiple Users Failing To Authenticate From Ip AWS icon AWS CloudTrail ConsoleLogin T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-10-16
Windows AD ServicePrincipalName Added To Domain Account Windows icon Windows Event Log Security 5136 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-10-16
Detect Outbound SMB Traffic T1071.002 T1071 TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2024-10-16
Remote Desktop Network Bruteforce T1021.001 T1021 TTP Ryuk Ransomware, SamSam Ransomware 2024-10-16
Remote Desktop Network Traffic T1021.001 T1021 Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware 2024-10-16
Java Class File download by Java User Agent Splunk icon Splunk Stream HTTP T1190 TTP Log4Shell CVE-2021-44228 2024-10-16
Detect Spike in AWS Security Hub Alerts for EC2 Instance AWS icon AWS Security Hub Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Spike in AWS Security Hub Alerts for User AWS icon AWS Security Hub Anomaly AWS Security Hub Alerts, Critical Alerts 2024-10-09
Detect Critical Alerts from Security Tools MS365 Defender Incident Alerts, Windows icon Windows Defender Alerts TTP Critical Alerts 2024-10-09
Disable Defender MpEngine Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP IcedID, Windows Registry Abuse 2024-10-04
CrushFTP Server Side Template Injection CrushFTP T1190 TTP CrushFTP Vulnerabilities 2024-09-30
Ivanti VTM New Account Creation Ivanti VTM Audit T1190 TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2024-09-30
Okta Authentication Failed During MFA Challenge Okta T1586 T1586.003 T1078 T1078.004 T1621 TTP Okta Account Takeover 2024-09-30
Okta IDP Lifecycle Modifications Okta T1087.004 Anomaly Suspicious Okta Activity 2024-09-30
Okta Multi-Factor Authentication Disabled Okta T1556 T1556.006 TTP Okta Account Takeover 2024-09-30
Okta Multiple Accounts Locked Out Okta T1110 Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Failed MFA Requests For User Okta T1621 Anomaly Okta Account Takeover 2024-09-30
Okta Multiple Users Failing To Authenticate From Ip Okta T1110.003 Anomaly Okta Account Takeover 2024-09-30
Okta New API Token Created Okta T1078 T1078.001 TTP Okta Account Takeover 2024-09-30
Okta New Device Enrolled on Account Okta T1098 T1098.005 TTP Okta Account Takeover 2024-09-30
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta T1586 T1586.003 T1078 T1078.004 T1621 Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Activity Reported Okta T1078 T1078.001 TTP Okta Account Takeover 2024-09-30
Okta Suspicious Use of a Session Cookie Okta T1539 Anomaly Okta Account Takeover, Suspicious Okta Activity 2024-09-30
Okta ThreatInsight Threat Detected Okta T1078 T1078.004 Anomaly Okta Account Takeover 2024-09-30
Okta Unauthorized Access to Application Okta T1087.004 Anomaly Okta Account Takeover 2024-09-30
Okta User Logins from Multiple Cities Okta T1586.003 Anomaly Okta Account Takeover 2024-09-30
PingID Mismatch Auth Source and Verification Response PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
PingID Multiple Failed MFA Requests For User PingID T1621 T1078 T1110 TTP Compromised User Account 2024-09-30
PingID New MFA Method After Credential Reset PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
PingID New MFA Method Registered For User PingID T1621 T1556.006 T1098.005 TTP Compromised User Account 2024-09-30
Windows AD add Self to Group T1098 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Deny ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Group ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous User ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DCShadow Privileges ACL Addition T1484 T1207 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Deletion T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Modification T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Deleted T1562.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Disabled T1562.001 T1484.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO New CSE Addition T1484 T1484.001 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Hidden OU Creation T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Object Owner Updated T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Self DACL Assignment T1484 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious Attribute Modification T1550 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in Group or Object Modification Activity Windows icon Windows Event Log Security 4663 T1098 T1562 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in User Modification Activity Windows icon Windows Event Log Security 4720 T1098 T1562 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
ASL AWS Concurrent Sessions From Different Ips T1185 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
ASL AWS Defense Evasion Delete Cloudtrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Stop Logging Cloudtrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Update Cloudtrail T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
ASL AWS ECR Container Upload Outside Business Hours T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
ASL AWS ECR Container Upload Unknown User T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
ASL AWS Multi-Factor Authentication Disabled T1586 T1586.003 T1621 T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS AMI Attribute Modification for Exfiltration AWS icon AWS CloudTrail ModifyImageAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS Concurrent Sessions From Different Ips AWS icon AWS CloudTrail DescribeEventAggregates T1185 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Console Login Failed During MFA Challenge AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS Create Policy Version to allow all resources AWS icon AWS CloudTrail CreatePolicyVersion T1078.004 T1078 TTP AWS IAM Privilege Escalation 2024-09-30
AWS CreateLoginProfile AWS icon AWS CloudTrail ConsoleLogin, AWS icon AWS CloudTrail CreateLoginProfile T1136.003 T1136 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Credential Access Failed Login AWS icon AWS CloudTrail T1586 T1586.003 T1110 T1110.001 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access GetPasswordData AWS icon AWS CloudTrail GetPasswordData T1586 T1586.003 T1110 T1110.001 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Credential Access RDS Password reset AWS icon AWS CloudTrail ModifyDBInstance T1586 T1586.003 T1110 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Defense Evasion Delete Cloudtrail AWS icon AWS CloudTrail DeleteTrail T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group AWS icon AWS CloudTrail DeleteLogGroup T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Stop Logging Cloudtrail AWS icon AWS CloudTrail StopLogging T1562.008 T1562 TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Update Cloudtrail AWS icon AWS CloudTrail UpdateTrail T1562 T1562.008 TTP AWS Defense Evasion 2024-09-30
AWS Detect Users creating keys with encrypt policy without MFA AWS icon AWS CloudTrail CreateKey, AWS icon AWS CloudTrail PutKeyPolicy T1486 TTP Ransomware Cloud 2024-09-30
AWS Detect Users with KMS keys performing encryption S3 AWS icon AWS CloudTrail T1486 Anomaly Ransomware Cloud 2024-09-30
AWS Disable Bucket Versioning AWS icon AWS CloudTrail PutBucketVersioning T1490 Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS EC2 Snapshot Shared Externally AWS icon AWS CloudTrail ModifySnapshotAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS ECR Container Scanning Findings High AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 TTP Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Low Informational Unknown AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Scanning Findings Medium AWS icon AWS CloudTrail DescribeImageScanFindings T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Outside Business Hours AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS ECR Container Upload Unknown User AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-09-30
AWS Excessive Security Scanning AWS icon AWS CloudTrail T1526 TTP AWS User Monitoring 2024-09-30
AWS Exfiltration via Anomalous GetObject API Activity AWS icon AWS CloudTrail GetObject T1119 Anomaly Data Exfiltration 2024-09-30
AWS Exfiltration via Batch Service AWS icon AWS CloudTrail JobCreated T1119 TTP Data Exfiltration 2024-09-30
AWS Exfiltration via Bucket Replication AWS icon AWS CloudTrail PutBucketReplication T1537 TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via DataSync Task AWS icon AWS CloudTrail CreateTask T1119 TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-09-30
AWS Exfiltration via EC2 Snapshot AWS icon AWS CloudTrail CreateSnapshot, AWS icon AWS CloudTrail DeleteSnapshot, AWS icon AWS CloudTrail ModifySnapshotAttribute T1537 TTP Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS High Number Of Failed Authentications For User AWS icon AWS CloudTrail ConsoleLogin T1201 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS High Number Of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-30
AWS IAM AccessDenied Discovery Events AWS icon AWS CloudTrail T1580 Anomaly Suspicious Cloud User Activities 2024-09-30
AWS IAM Assume Role Policy Brute Force AWS icon AWS CloudTrail T1580 T1110 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Multi-Factor Authentication Disabled AWS icon AWS CloudTrail DeactivateMFADevice, AWS icon AWS CloudTrail DeleteVirtualMFADevice T1586 T1586.003 T1621 T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Multiple Failed MFA Requests For User AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS Network Access Control List Created with All Open Ports AWS icon AWS CloudTrail CreateNetworkAclEntry, AWS icon AWS CloudTrail ReplaceNetworkAclEntry T1562.007 T1562 TTP AWS Network ACL Activity 2024-09-30
AWS Network Access Control List Deleted AWS icon AWS CloudTrail DeleteNetworkAclEntry T1562.007 T1562 Anomaly AWS Network ACL Activity 2024-09-30
AWS New MFA Method Registered For User AWS icon AWS CloudTrail CreateVirtualMFADevice T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS S3 Exfiltration Behavior Identified T1537 Correlation Data Exfiltration, Suspicious Cloud Instance Activities 2024-09-30
AWS SAML Access by Provider User and Principal AWS icon AWS CloudTrail AssumeRoleWithSAML T1078 Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS icon AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS icon AWS CloudTrail SetDefaultPolicyVersion T1078.004 T1078 TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS icon AWS CloudTrail ConsoleLogin T1586 T1535 Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1078 T1078.004 TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Unusual Number of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover 2024-09-30
AWS UpdateLoginProfile AWS icon AWS CloudTrail UpdateLoginProfile T1136.003 T1136 TTP AWS IAM Privilege Escalation 2024-09-30
Azure Active Directory High Risk Sign-in Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Admin Consent Bypassed by Service Principal Azure icon Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Application Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Block User Consent For Risky Apps Disabled Azure icon Azure Active Directory Update authorization policy T1562 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Concurrent Sessions From Different Ips Azure icon Azure Active Directory T1185 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Device Code Authentication Azure icon Azure Active Directory T1528 T1566 T1566.002 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD External Guest User Invited Azure icon Azure Active Directory Invite external user T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure AD FullAccessAsApp Permission Assigned Azure icon Azure Active Directory Update application T1098.002 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Global Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD High Number Of Failed Authentications For User Azure icon Azure Active Directory T1110 T1110.001 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD High Number Of Failed Authentications From Ip Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure icon Azure Active Directory Disable Strong Authentication T1586 T1586.003 T1556 T1556.006 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure icon Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Denied MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1621 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1586 T1586.003 T1621 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Service Principals Created by SP Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Service Principals Created by User Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD New Custom Domain Added Azure icon Azure Active Directory Add unverified domain T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New Federated Domain Added Azure icon Azure Active Directory Set domain authentication T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered Azure icon Azure Active Directory Update user T1098 T1098.005 TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered For User Azure icon Azure Active Directory User registered security info T1556 T1556.006 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD OAuth Application Consent Granted By User Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD PIM Role Assigned Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD PIM Role Assignment Activated Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1003.002 TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Graph API Permission Assigned Azure icon Azure Active Directory Update application T1003.002 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned to Service Principal Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Authentication Azure icon Azure Active Directory Sign-in activity T1078.004 TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Service Principal Created Azure icon Azure Active Directory Add service principal T1136.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Service Principal New Client Credentials Azure icon Azure Active Directory T1098 T1098.001 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Owner Added Azure icon Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Successful Authentication From Different Ips Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Successful PowerShell Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Tenant Wide Admin Consent Granted Azure icon Azure Active Directory Consent to application T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Blocked for Risky Application Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Denied for OAuth Application Azure icon Azure Active Directory Sign-in activity T1528 TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Enabled And Password Reset Azure icon Azure Active Directory Enable account, Azure icon Azure Active Directory Reset password (by admin), Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-30
Azure AD User ImmutableId Attribute Updated Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Account Created Azure icon Azure Audit Create or Update an Azure Automation account T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Runbook Created Azure icon Azure Audit Create or Update an Azure Automation Runbook T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-30
Azure Runbook Webhook Created Azure icon Azure Audit Create or Update an Azure Automation webhook T1078 T1078.004 TTP Azure Active Directory Persistence 2024-09-30
Circle CI Disable Security Job CircleCI T1554 Anomaly Dev Sec Ops 2024-09-30
Cloud Provisioning Activity From Previously Unseen City AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS icon AWS CloudTrail T1078 Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Security Groups Modifications by User AWS icon AWS CloudTrail T1578.005 Anomaly Suspicious Cloud User Activities 2024-09-30
Detect New Open S3 buckets AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2024-09-30
Detect New Open S3 Buckets over AWS CLI AWS icon AWS CloudTrail T1530 TTP Suspicious AWS S3 Activities 2024-09-30
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1586 T1586.003 T1078 T1078.004 T1621 TTP GCP Account Takeover 2024-09-30
GCP Multi-Factor Authentication Disabled T1586 T1586.003 T1556 T1556.006 TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure T1586 T1586.003 T1621 T1078 T1078.004 TTP GCP Account Takeover 2024-09-30
GCP Multiple Users Failing To Authenticate From Ip Google Workspace login_failure T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success T1586 T1586.003 T1078 T1078.004 TTP GCP Account Takeover 2024-09-30
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly GCP Account Takeover 2024-09-30
GitHub Actions Disable Security Workflow AWS icon GitHub T1195.002 T1195 Anomaly Dev Sec Ops 2024-09-30
Github Commit Changes In Master AWS icon GitHub T1199 Anomaly Dev Sec Ops 2024-09-30
Github Commit In Develop AWS icon GitHub T1199 Anomaly Dev Sec Ops 2024-09-30
GitHub Dependabot Alert AWS icon GitHub T1195.001 T1195 Anomaly Dev Sec Ops 2024-09-30
GitHub Pull Request from Unknown User AWS icon GitHub T1195.001 T1195 Anomaly Dev Sec Ops 2024-09-30
GSuite Email Suspicious Attachment G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Email Suspicious Subject With Attachment G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Email With Known Abuse Web Service Link G Suite Gmail T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
Gsuite Suspicious Shared File Name G Suite Drive T1566.001 T1566 Anomaly Dev Sec Ops 2024-09-30
High Number of Login Failures from a single source O365 UserLoginFailed T1110.001 T1110 Anomaly Office 365 Account Takeover 2024-09-30
Kubernetes Abuse of Secret by Unusual Location Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Agent Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Group Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Abuse of Secret by Unusual User Name Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes Access Scanning Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2024-09-30
Kubernetes Create or Update Privileged Pod Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Cron Job Creation Kubernetes icon Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2024-09-30
Kubernetes DaemonSet Deployed Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Falco Shell Spawned Kubernetes icon Kubernetes Falco T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Nginx Ingress LFI T1212 TTP Dev Sec Ops 2024-09-30
Kubernetes Nginx Ingress RFI T1212 TTP Dev Sec Ops 2024-09-30
Kubernetes Node Port Creation Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod Created in Default Namespace Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Pod With Host Network Attachment Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
Kubernetes Scanner Image Pulling T1526 TTP Dev Sec Ops 2024-09-30
Kubernetes Scanning by Unauthenticated IP Address Kubernetes icon Kubernetes Audit T1046 Anomaly Kubernetes Security 2024-09-30
Kubernetes Suspicious Image Pulling Kubernetes icon Kubernetes Audit T1526 Anomaly Kubernetes Security 2024-09-30
Kubernetes Unauthorized Access Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-09-30
O365 Add App Role Assignment Grant User O365 Add app role assignment grant to user. T1136.003 T1136 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 Added Service Principal O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Admin Consent Bypassed by Service Principal O365 Add app role assignment to service principal. T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Advanced Audit Disabled O365 Change user license. T1562 T1562.008 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Application Available To Other Tenants T1098.003 T1098 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2024-09-30
O365 Application Registration Owner Added O365 Add owner to application. T1098 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 ApplicationImpersonation Role Assigned O365 T1098 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2024-09-30
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1562 TTP Office 365 Account Takeover 2024-09-30
O365 Bypass MFA via Trusted IP O365 Set Company Information. T1562.007 T1562 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Compliance Content Search Exported T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Compliance Content Search Started T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn T1185 TTP Office 365 Account Takeover 2024-09-30
O365 Cross-Tenant Access Change T1484.002 TTP Azure Active Directory Persistence 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. T1556 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 DLP Rule Triggered T1048 T1567 Anomaly Data Exfiltration 2024-09-30
O365 Elevated Mailbox Permission Assigned T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Email Access By Security Administrator T1567 T1114 T1114.002 TTP Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover 2024-09-30
O365 Email Reported By Admin Found Malicious T1566 T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Reported By User Found Malicious T1566 T1566.001 T1566.002 TTP Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Email Security Feature Changed T1562 T1562.008 T1562.001 TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2024-09-30
O365 Email Suspicious Behavior Alert T1114 T1114.003 TTP Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails 2024-09-30
O365 Excessive Authentication Failures Alert T1110 Anomaly Office 365 Account Takeover 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed T1556 Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 External Guest User Invited T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 External Identity Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 File Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 FullAccessAsApp Permission Assigned O365 Update application. T1098.002 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 High Number Of Failed Authentications for User O365 UserLoginFailed T1110 T1110.001 TTP Office 365 Account Takeover 2024-09-30
O365 High Privilege Role Granted O365 Add member to role. T1098 T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mail Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 Mailbox Email Forwarding Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Assigned T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Folder Read Permission Granted T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-30
O365 Mailbox Inbox Folder Shared with All Users O365 ModifyFolderPermissions T1114 T1114.002 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Mailbox Read Access Granted to Application O365 Update application. T1114.002 T1114 T1098 T1098.003 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed T1078 Anomaly Office 365 Account Takeover 2024-09-30
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed T1621 TTP Office 365 Account Takeover 2024-09-30
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Multiple Service Principals Created by SP O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Service Principals Created by User O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-30
O365 New Email Forwarding Rule Created T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 New Email Forwarding Rule Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-09-30
O365 New Federated Domain Added O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-09-30
O365 New Forwarding Mailflow Rule Created T1114 TTP Office 365 Collection Techniques 2024-09-30
O365 New MFA Method Registered O365 Update user. T1098 T1098.005 TTP Office 365 Persistence Mechanisms 2024-09-30
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-30
O365 Privileged Graph API Permission Assigned O365 Update application. T1003.002 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Privileged Role Assigned T1098 T1098.003 TTP Azure Active Directory Persistence 2024-09-30
O365 Privileged Role Assigned To Service Principal T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-30
O365 PST export alert O365 T1114 TTP Data Exfiltration, Office 365 Collection Techniques 2024-09-30
O365 Safe Links Detection T1566 T1566.001 TTP Office 365 Account Takeover, Spearphishing Attachments 2024-09-30
O365 Security And Compliance Alert Triggered T1078 T1078.004 TTP Office 365 Account Takeover 2024-09-30
O365 Service Principal New Client Credentials O365 T1098 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 SharePoint Allowed Domains Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-30
O365 SharePoint Malware Detection T1204.002 T1204 TTP Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-30
O365 Threat Intelligence Suspicious Email Delivered T1566 T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
O365 Threat Intelligence Suspicious File Detected T1204.002 T1204 TTP Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud 2024-09-30
O365 User Consent Blocked for Risky Application O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-09-30
O365 User Consent Denied for OAuth Application O365 T1528 TTP Office 365 Account Takeover 2024-09-30
O365 ZAP Activity Detection T1566 T1566.001 T1566.002 Anomaly Spearphishing Attachments, Suspicious Emails 2024-09-30
Access LSASS Memory for Dump Creation Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA23-347A, Credential Dumping 2024-09-30
Account Discovery With Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP IcedID, Trickbot 2024-09-30
Active Directory Lateral Movement Identified T1210 Correlation Active Directory Lateral Movement 2024-09-30
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2024-09-30
AdsiSearcher Account Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 2024-09-30
Allow File And Printing Sharing In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.007 T1562 TTP BlackByte Ransomware, Ransomware 2024-09-30
Allow Inbound Traffic In Firewall Rule Windows icon Powershell Script Block Logging 4104 T1021.001 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch 2024-09-30
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.007 T1562 TTP BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware 2024-09-30
Anomalous usage of 7zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Anomaly BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group 2024-09-30
Any Powershell DownloadFile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer 2024-09-30
Any Powershell DownloadString CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern 2024-09-30
Attempt To Add Certificate To Untrusted Store CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1553.004 T1553 TTP Disabling Security Tools 2024-09-30
Attempt To Stop Security Service CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate 2024-09-30
Bcdedit Command Back To Normal Mode Boot CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP BlackMatter Ransomware 2024-09-30
BITS Job Persistence CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1197 TTP BITS Jobs, Living Off The Land 2024-09-30
BITSAdmin Download File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1197 T1105 TTP BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land 2024-09-30
CertUtil With Decode Argument CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1140 TTP APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land 2024-09-30
Change Default File Association Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546.001 T1546 TTP Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Change To Safe Mode With Network Config CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP BlackMatter Ransomware 2024-09-30
CHCP Command Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Azorult, Forest Blizzard, IcedID 2024-09-30
Check Elevated CMD using whoami CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 TTP FIN7 2024-09-30
Cmdline Tool Not Executed In CMD Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.007 TTP CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon 2024-09-30
CMLUA Or CMSTPLUA UAC Bypass Windows icon Sysmon EventID 7 T1218 T1218.003 TTP DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT 2024-09-30
Cobalt Strike Named Pipes Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1055 TTP BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot 2024-09-30
ConnectWise ScreenConnect Path Traversal Windows icon Sysmon EventID 11 T1190 TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
Create or delete windows shares using net exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 T1070.005 TTP CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Create Remote Thread into LSASS Windows icon Sysmon EventID 8 T1003.001 T1003 TTP BlackSuit Ransomware, Credential Dumping 2024-09-30
Creation of lsass Dump with Taskmgr Windows icon Sysmon EventID 11 T1003.001 T1003 TTP CISA AA22-257A, Credential Dumping 2024-09-30
Crowdstrike Admin Weak Password Policy T1110 TTP Compromised Windows Host 2024-09-30
Crowdstrike Admin With Duplicate Password T1110 TTP Compromised Windows Host 2024-09-30
Crowdstrike High Identity Risk Severity T1110 TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Identity Risk Severity T1110 TTP Compromised Windows Host 2024-09-30
Crowdstrike Medium Severity Alert T1110 Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Multiple LOW Severity Alerts T1110 Anomaly Compromised Windows Host 2024-09-30
Crowdstrike Privilege Escalation For Non-Admin User T1110 Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User Weak Password Policy T1110 Anomaly Compromised Windows Host 2024-09-30
Crowdstrike User with Duplicate Password T1110 Anomaly Compromised Windows Host 2024-09-30
Delete ShadowCopy With PowerShell Windows icon Powershell Script Block Logging 4104 T1490 TTP DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware 2024-09-30
Deleting Of Net Users CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 TTP DarkGate Malware, Graceful Wipe Out Attack, XMRig 2024-09-30
Detect AzureHound File Modifications Windows icon Sysmon EventID 11 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Windows Discovery Techniques 2024-09-30
Detect Certify With PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1649 T1059 T1059.001 TTP Malicious PowerShell, Windows Certificate Services 2024-09-30
Detect Certipy File Modifications Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1649 T1560 TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2024-09-30
Detect Copy of ShadowCopy with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003.002 T1003 TTP Credential Dumping 2024-09-30
Detect Credential Dumping through LSASS access Windows icon Sysmon EventID 10 T1003.001 T1003 TTP BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack 2024-09-30
Detect Empire with PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Detect Excessive Account Lockouts From Endpoint T1078 T1078.002 Anomaly Active Directory Password Spraying 2024-09-30
Detect Excessive User Account Lockouts T1078 T1078.003 Anomaly Active Directory Password Spraying 2024-09-30
Detect Mimikatz With PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003 T1059.001 TTP CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools 2024-09-30
Detect New Local Admin account Windows icon Windows Event Log Security 4720, Windows icon Windows Event Log Security 4732 T1136.001 T1136 TTP CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group 2024-09-30
Detect Password Spray Attack Behavior From Source T1110.003 T1110 TTP Compromised User Account 2024-09-30
Detect Password Spray Attack Behavior On User T1110.003 T1110 TTP Compromised User Account 2024-09-30
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.009 T1574 TTP Windows Persistence Techniques 2024-09-30
Detect processes used for System Network Configuration Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1016 TTP Unusual Processes 2024-09-30
Detect PsExec With accepteula Flag CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 TTP Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon 2024-09-30
Detect Rare Executables CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 Anomaly Rhysida Ransomware, Unusual Processes 2024-09-30
Detect RClone Command-Line Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1020 TTP DarkSide Ransomware, Ransomware 2024-09-30
Detect Regasm with Network Connection Windows icon Sysmon EventID 3 T1218 T1218.009 TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regasm with no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs with Network Connection Windows icon Sysmon EventID 3 T1218 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs with No Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Remote Access Software Usage File Windows icon Sysmon EventID 11 T1219 Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect Remote Access Software Usage FileInfo CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Anomaly Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect Remote Access Software Usage Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect RTLO In File Name Windows icon Sysmon EventID 11 T1036.002 T1036 TTP Spearphishing Attachments 2024-09-30
Detect RTLO In Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.002 T1036 TTP Spearphishing Attachments 2024-09-30
Detect Rundll32 Inline HTA Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity 2024-09-30
Detect SharpHound Command-Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound File Modifications Windows icon Sysmon EventID 11 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Ransomware, Windows Discovery Techniques 2024-09-30
Detect Use of cmd exe to Launch Script Interpreters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 TTP Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions 2024-09-30
Detect WMI Event Subscription Persistence Windows icon Sysmon EventID 20 T1546.003 T1546 TTP Suspicious WMI Use 2024-09-30
Disable Schedule Task CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP IcedID, Living Off The Land 2024-09-30
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Windows icon Powershell Script Block Logging 4104 T1558 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Disabled Kerberos Pre-Authentication Discovery With PowerView Windows icon Powershell Script Block Logging 4104 T1558 T1558.004 TTP Active Directory Kerberos Attacks 2024-09-30
Disabling Firewall with Netsh CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2024-09-30
Disabling Net User Account CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 TTP XMRig 2024-09-30
Disabling Remote User Account Control Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disabling Windows Local Security Authority Defences via Registry Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 13 T1556 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Domain Account Discovery With Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware 2024-09-30
Domain Account Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery 2024-09-30
Domain Group Discovery with Adsisearcher Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
Download Files Using Telegram Windows icon Sysmon EventID 15 T1105 TTP Phemedrone Stealer, Snake Keylogger, XMRig 2024-09-30
Elevated Group Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
Eventvwr UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Excessive Attempt To Disable Services CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 Anomaly Azorult, XMRig 2024-09-30
Excessive distinct processes from Windows Temp CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Anomaly Meterpreter 2024-09-30
Excessive File Deletion In WinDefender Folder Windows icon Sysmon EventID 23 T1485 TTP BlackByte Ransomware, Data Destruction, WhisperGate 2024-09-30
Excessive number of service control start as disabled CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Anomaly Windows Defense Evasion Tactics 2024-09-30
Excessive number of taskhost processes CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Anomaly Meterpreter 2024-09-30
Excessive Service Stop Attempt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 Anomaly BlackByte Ransomware, Ransomware, XMRig 2024-09-30
Excessive Usage Of Cacls App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 Anomaly Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig 2024-09-30
Excessive Usage Of Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 Anomaly Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig 2024-09-30
Excessive Usage of NSLOOKUP App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048 Anomaly Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-09-30
Excessive Usage Of SC Service Utility CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1569 T1569.002 Anomaly Azorult, Ransomware 2024-09-30
Excessive Usage Of Taskkill CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Anomaly AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig 2024-09-30
Exchange PowerShell Module Usage Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell 2024-09-30
Execute Javascript With Jscript COM CLSID CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.005 TTP Ransomware 2024-09-30
Execution of File with Multiple Extensions CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 TTP AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-09-30
Extraction of Registry Hives CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon 2024-09-30
File with Samsam Extension CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 TTP SamSam Ransomware 2024-09-30
Firewall Allowed Program Enable CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.004 T1562 Anomaly Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics 2024-09-30
Fsutil Zeroing File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 TTP LockBit Ransomware, Ransomware 2024-09-30
Get ADUserResultantPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get ADUserResultantPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 TTP Active Directory Discovery 2024-09-30
Get DomainPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1482 TTP Active Directory Discovery 2024-09-30
Get DomainUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get-ForestTrust with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery 2024-09-30
Get-ForestTrust with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1482 T1059.001 TTP Active Directory Discovery 2024-09-30
GetDomainComputer with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery 2024-09-30
GetDomainComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2024-09-30
GetDomainController with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Computer with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Computer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 TTP Active Directory Discovery 2024-09-30
Headless Browser Mockbin or Mocky Request CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 TTP Forest Blizzard 2024-09-30
High Frequency Copy Of Files In Network Share Windows icon Windows Event Log Security 5145 T1537 Anomaly Information Sabotage, Insider Threat 2024-09-30
High Process Termination Frequency Windows icon Sysmon EventID 5 T1486 Anomaly BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger 2024-09-30
ICACLS Grant Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 TTP Ransomware, XMRig 2024-09-30
Interactive Session on Remote Endpoint with PowerShell Windows icon Powershell Script Block Logging 4104 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-09-30
Java Writing JSP File Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1190 T1133 TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-09-30
Jscript Execution Using Cscript App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.007 TTP FIN7, Remcos 2024-09-30
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows icon Windows Event Log Security 4738 T1558 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Kerberos Pre-Authentication Flag Disabled with PowerShell Windows icon Powershell Script Block Logging 4104 T1558 T1558.004 TTP Active Directory Kerberos Attacks 2024-09-30
Kerberos Service Ticket Request Using RC4 Encryption Windows icon Windows Event Log Security 4769 T1558 T1558.001 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2024-09-30
Kerberos TGT Request Using RC4 Encryption Windows icon Windows Event Log Security 4768 T1550 TTP Active Directory Kerberos Attacks 2024-09-30
Kerberos User Enumeration Windows icon Windows Event Log Security 4768 T1589 T1589.002 Anomaly Active Directory Kerberos Attacks 2024-09-30
Linux Account Manipulation Of SSH Config and Keys Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 Anomaly AcidRain 2024-09-30
Linux Add Files In Known Crontab Directories Linux icon Sysmon for Linux EventID 11 T1053.003 T1053 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux apt-get Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux APT Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux At Allow Config File Creation Linux icon Sysmon for Linux EventID 11 T1053.003 T1053 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux At Application Execution Linux icon Sysmon for Linux EventID 1 T1053.002 T1053 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Add User Account Linux icon Linux Auditd Proctitle T1136.001 T1136 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Add User Account Type Linux icon Linux Auditd Add User T1136 T1136.001 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd At Application Execution Linux icon Linux Auditd Syscall T1053.002 T1053 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Auditd Service Stop Linux icon Linux Auditd Service Stop T1489 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Base64 Decode Files Linux icon Linux Auditd Execve T1140 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Clipboard Data Copy Linux icon Linux Auditd Execve T1115 Anomaly Compromised Linux Host, Linux Living Off The Land 2024-09-30
Linux Auditd Data Destruction Command Linux icon Linux Auditd Execve T1485 TTP AwfulShred, Compromised Linux Host, Data Destruction 2024-09-30
Linux Auditd Data Transfer Size Limits Via Split Linux icon Linux Auditd Execve T1030 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux icon Linux Auditd Syscall T1030 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Database File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Dd File Overwrite Linux icon Linux Auditd Proctitle T1485 TTP Compromised Linux Host, Data Destruction, Industroyer2 2024-09-30
Linux Auditd Disable Or Modify System Firewall Linux icon Linux Auditd Service Stop T1562.004 T1562 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Conf File Creation Linux icon Linux Auditd Path T1548.003 T1548 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Tool Execution Linux icon Linux Auditd Syscall T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Edit Cron Table Parameter Linux icon Linux Auditd Syscall T1053.003 T1053 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd File Permissions Modification Via Chattr Linux icon Linux Auditd Execve T1222.002 T1222 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Managers Linux icon Linux Auditd Execve T1555.005 T1555 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Credentials From Password Stores Linux icon Linux Auditd Execve T1555.005 T1555 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Private Keys Linux icon Linux Auditd Execve T1552.004 T1552 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Find Ssh Private Keys Linux icon Linux Auditd Execve T1552.004 T1552 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Hardware Addition Swapoff Linux icon Linux Auditd Execve T1200 Anomaly AwfulShred, Compromised Linux Host, Data Destruction 2024-09-30
Linux Auditd Hidden Files And Directories Creation Linux icon Linux Auditd Execve T1083 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Insert Kernel Module Using Insmod Utility Linux icon Linux Auditd Syscall T1547.006 T1547 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Auditd Install Kernel Module Using Modprobe Utility Linux icon Linux Auditd Syscall T1547.006 T1547 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Auditd Kernel Module Enumeration Linux icon Linux Auditd Syscall T1082 T1014 Anomaly Compromised Linux Host, Linux Rootkit 2024-09-30
Linux Auditd Kernel Module Using Rmmod Utility Linux icon Linux Auditd Syscall T1547.006 T1547 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Nopasswd Entry In Sudoers File Linux icon Linux Auditd Proctitle T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Osquery Service Stop Linux icon Linux Auditd Service Stop T1489 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux icon Linux Auditd Path T1098.004 T1098 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Credential Files Linux icon Linux Auditd Proctitle T1003.008 T1003 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Sudoers File Linux icon Linux Auditd Path T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Preload Hijack Library Calls Linux icon Linux Auditd Execve T1574.006 T1574 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Preload Hijack Via Preload File Linux icon Linux Auditd Path T1574.006 T1574 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Service Restarted Linux icon Linux Auditd Proctitle T1053.006 T1053 Anomaly AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Auditd Service Started Linux icon Linux Auditd Proctitle T1569.002 T1569 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Chmod Utility Linux icon Linux Auditd Proctitle T1548.001 T1548 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Setcap Utility Linux icon Linux Auditd Execve T1548.001 T1548 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Shred Overwrite Command Linux icon Linux Auditd Proctitle T1485 TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Stop Services Linux icon Linux Auditd Service Stop T1489 TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 2024-09-30
Linux Auditd Sudo Or Su Execution Linux icon Linux Auditd Proctitle T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Sysmon Service Stop Linux icon Linux Auditd Service Stop T1489 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd System Network Configuration Discovery Linux icon Linux Auditd Syscall T1016 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Unix Shell Configuration Modification Linux icon Linux Auditd Path T1546.004 T1546 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Unload Module Via Modprobe Linux icon Linux Auditd Execve T1547.006 T1547 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Virtual Disk File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Whoami User Discovery Linux icon Linux Auditd Syscall T1033 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux AWK Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Busybox Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c89 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c99 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Change File Owner To Root Linux icon Sysmon for Linux EventID 1 T1222.002 T1222 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Clipboard Data Copy Linux icon Sysmon for Linux EventID 1 T1115 Anomaly Linux Living Off The Land 2024-09-30
Linux Composer Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Cpulimit Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Csvtool Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Curl Upload File Linux icon Sysmon for Linux EventID 1 T1105 TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Data Destruction Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction 2024-09-30
Linux DD File Overwrite Linux icon Sysmon for Linux EventID 1 T1485 TTP Data Destruction, Industroyer2 2024-09-30
Linux Decode Base64 to Shell Linux icon Sysmon for Linux EventID 1 T1027 T1059.004 TTP Linux Living Off The Land 2024-09-30
Linux Deleting Critical Directory Using RM Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Deletion Of Cron Jobs Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 Anomaly AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Init Daemon Script Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 TTP AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Services Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 TTP AcidPour, AcidRain, AwfulShred, Data Destruction 2024-09-30
Linux Deletion of SSL Certificate Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 Anomaly AcidPour, AcidRain 2024-09-30
Linux Disable Services Linux icon Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Doas Conf File Creation Linux icon Sysmon for Linux EventID 11 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Doas Tool Execution Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Docker Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Emacs Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux File Created In Kernel Driver Directory Linux icon Sysmon for Linux EventID 11 T1547.006 T1547 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux File Creation In Init Boot Directory Linux icon Sysmon for Linux EventID 11 T1037.004 T1037 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux File Creation In Profile Directory Linux icon Sysmon for Linux EventID 11 T1546.004 T1546 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Find Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GDB Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Gem Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GNU Awk Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Hardware Addition SwapOff Linux icon Sysmon for Linux EventID 1 T1200 Anomaly AwfulShred, Data Destruction 2024-09-30
Linux High Frequency Of File Deletion In Boot Folder Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 TTP AcidPour, Data Destruction, Industroyer2 2024-09-30
Linux High Frequency Of File Deletion In Etc Folder Linux icon Sysmon for Linux EventID 11 T1485 T1070.004 T1070 Anomaly AcidRain, Data Destruction 2024-09-30
Linux Indicator Removal Clear Cache Linux icon Sysmon for Linux EventID 1 T1070 TTP AwfulShred, Data Destruction 2024-09-30
Linux Indicator Removal Service File Deletion Linux icon Sysmon for Linux EventID 1 T1070.004 T1070 Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Ingress Tool Transfer with Curl Linux icon Sysmon for Linux EventID 1 T1105 Anomaly Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Insert Kernel Module Using Insmod Utility Linux icon Sysmon for Linux EventID 1 T1547.006 T1547 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Install Kernel Module Using Modprobe Utility Linux icon Sysmon for Linux EventID 1 T1547.006 T1547 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Iptables Firewall Modification Linux icon Sysmon for Linux EventID 1 T1562.004 T1562 Anomaly Cyclops Blink, Sandworm Tools 2024-09-30
Linux Java Spawning Shell Linux icon Sysmon for Linux EventID 1 T1190 T1133 TTP Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 2024-09-30
Linux Kernel Module Enumeration Linux icon Sysmon for Linux EventID 1 T1082 T1014 Anomaly Linux Rootkit 2024-09-30
Linux Make Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux MySQL Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ngrok Reverse Proxy Usage Linux icon Sysmon for Linux EventID 1 T1572 T1090 T1102 Anomaly Reverse Network Proxy 2024-09-30
Linux Node Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux NOPASSWD Entry In Sudoers File Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Obfuscated Files or Information Base64 Decode Linux icon Sysmon for Linux EventID 1 T1027 Anomaly Linux Living Off The Land 2024-09-30
Linux Octave Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux OpenVPN Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux PHP Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux pkexec Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1068 TTP Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Possible Access Or Modification Of sshd Config File Linux icon Sysmon for Linux EventID 1 T1098.004 T1098 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Credential Files Linux icon Sysmon for Linux EventID 1 T1003.008 T1003 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Sudoers File Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Append Command To At Allow Config File Linux icon Sysmon for Linux EventID 1 T1053.002 T1053 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Possible Append Command To Profile Config File Linux icon Sysmon for Linux EventID 1 T1546.004 T1546 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Ssh Key File Creation Linux icon Sysmon for Linux EventID 11 T1098.004 T1098 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Preload Hijack Library Calls Linux icon Sysmon for Linux EventID 1 T1574.006 T1574 TTP Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Proxy Socks Curl Linux icon Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2024-09-30
Linux Puppet Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux RPM Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ruby Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Service File Created In Systemd Directory Linux icon Sysmon for Linux EventID 11 T1053.006 T1053 Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Restarted Linux icon Sysmon for Linux EventID 1 T1053.006 T1053 Anomaly AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Started Or Enabled Linux icon Sysmon for Linux EventID 1 T1053.006 T1053 Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Setuid Using Chmod Utility Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Setuid Using Setcap Utility Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Shred Overwrite Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Sqlite3 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux SSH Authorized Keys Modification Linux icon Sysmon for Linux EventID 1 T1098.004 Anomaly Linux Living Off The Land 2024-09-30
Linux SSH Remote Services Script Execute Linux icon Sysmon for Linux EventID 1 T1021.004 TTP Linux Living Off The Land 2024-09-30
Linux Stop Services Linux icon Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2024-09-30
Linux Sudoers Tmp File Creation Linux icon Sysmon for Linux EventID 11 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux System Network Discovery Linux icon Sysmon for Linux EventID 1 T1016 Anomaly Data Destruction, Industroyer2, Network Discovery 2024-09-30
Linux System Reboot Via System Request Key Linux icon Sysmon for Linux EventID 1 T1529 TTP AwfulShred, Data Destruction 2024-09-30
Linux Unix Shell Enable All SysRq Functions Linux icon Sysmon for Linux EventID 1 T1059.004 T1059 Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Visudo Utility Execution Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Living Off The Land Detection T1105 T1190 T1059 T1133 Correlation Living Off The Land 2024-09-30
Loading Of Dynwrapx Module Windows icon Sysmon EventID 7 T1055 T1055.001 TTP AsyncRAT, Remcos 2024-09-30
Log4Shell CVE-2021-44228 Exploitation T1105 T1190 T1059 T1133 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Logon Script Event Trigger Execution Windows icon Sysmon EventID 13 T1037 T1037.001 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-09-30
LOLBAS With Network Traffic Windows icon Sysmon EventID 3 T1105 T1567 T1218 TTP Living Off The Land 2024-09-30
MacOS LOLbin T1059.004 T1059 TTP Living Off The Land 2024-09-30
MacOS plutil osquery T1647 TTP Living Off The Land 2024-09-30
Mailsniper Invoke functions Windows icon Powershell Script Block Logging 4104 T1114 T1114.001 TTP Data Exfiltration 2024-09-30
Malicious InProcServer32 Modification Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1218.010 T1112 TTP Remcos, Suspicious Regsvr32 Activity 2024-09-30
Malicious PowerShell Process - Execution Policy Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 TTP AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon 2024-09-30
Malicious PowerShell Process With Obfuscation Techniques Windows icon Sysmon EventID 1 T1059 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1550 T1550.003 TTP Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools 2024-09-30
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 T1218.014 TTP Active Directory Lateral Movement, Living Off The Land 2024-09-30
Modification Of Wallpaper Windows icon Sysmon EventID 13 T1491 TTP BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse 2024-09-30
Modify ACL permission To Files Or Folder CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 Anomaly XMRig 2024-09-30
MS Scripting Process Loading Ldap Module Windows icon Sysmon EventID 7 T1059 T1059.007 Anomaly FIN7 2024-09-30
MS Scripting Process Loading WMI Module Windows icon Sysmon EventID 7 T1059 T1059.007 Anomaly FIN7 2024-09-30
MSBuild Suspicious Spawned By Script Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1127.001 T1127 TTP Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Mshta spawning Rundll32 OR Regsvr32 Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP IcedID, Living Off The Land, Trickbot 2024-09-30
MSHTML Module Load in Office Product Windows icon Sysmon EventID 7 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-09-30
Msmpeng Application DLL Side Loading CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.002 T1574 TTP Ransomware, Revil Ransomware 2024-09-30
NET Profiler UAC bypass Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP Windows Defense Evasion Tactics 2024-09-30
Nishang PowershellTCPOneLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 TTP HAFNIUM Group 2024-09-30
NLTest Domain Trust Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware 2024-09-30
Non Chrome Process Accessing Chrome Default Dir Windows icon Windows Event Log Security 4663 T1555 T1555.003 Anomaly 3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Non Firefox Process Access Firefox Profile Dir Windows icon Windows Event Log Security 4663 T1555 T1555.003 Anomaly 3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2024-09-30
Ntdsutil Export NTDS CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon 2024-09-30
Office Document Creating Schedule Task Windows icon Sysmon EventID 7 T1566 T1566.001 TTP Spearphishing Attachments 2024-09-30
Office Document Executing Macro Code Windows icon Sysmon EventID 7 T1566 T1566.001 TTP AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot 2024-09-30
Office Document Spawned Child Process To Download CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments 2024-09-30
Office Product Spawn CMD Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT 2024-09-30
Outbound Network Connection from Java Using Default Ports Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1190 T1133 TTP Log4Shell CVE-2021-44228 2024-09-30
Overwriting Accessibility Binaries Windows icon Sysmon EventID 11 T1546 T1546.008 TTP Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation 2024-09-30
Permission Modification using Takeown App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 TTP Ransomware, Sandworm Tools 2024-09-30
PetitPotam Network Share Access Request Windows icon Windows Event Log Security 5145 T1187 TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
PetitPotam Suspicious Kerberos TGT Request Windows icon Windows Event Log Security 4768 T1003 TTP Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
Potentially malicious code on commandline CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 Anomaly Suspicious Command-Line Executions 2024-09-30
Powershell COM Hijacking InprocServer32 Modification Windows icon Powershell Script Block Logging 4104 T1546.015 T1059 T1059.001 TTP Malicious PowerShell 2024-09-30
Powershell Creating Thread Mutex Windows icon Powershell Script Block Logging 4104 T1027 T1027.005 T1059.001 TTP Malicious PowerShell 2024-09-30
PowerShell Domain Enumeration Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
PowerShell Enable PowerShell Remoting Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 Anomaly Malicious PowerShell 2024-09-30
Powershell Enable SMB1Protocol Feature Windows icon Powershell Script Block Logging 4104 T1027 T1027.005 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Execute COM Object Windows icon Powershell Script Block Logging 4104 T1546.015 T1546 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Fileless Process Injection via GetProcAddress Windows icon Powershell Script Block Logging 4104 T1059 T1055 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Powershell Fileless Script Contains Base64 Encoded Content Windows icon Powershell Script Block Logging 4104 T1059 T1027 T1059.001 TTP AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern 2024-09-30
PowerShell Invoke CIMMethod CIMSession Windows icon Powershell Script Block Logging 4104 T1047 Anomaly Active Directory Lateral Movement, Malicious PowerShell 2024-09-30
PowerShell Invoke WmiExec Usage Windows icon Powershell Script Block Logging 4104 T1047 TTP Suspicious WMI Use 2024-09-30
Powershell Load Module in Meterpreter Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP MetaSploit 2024-09-30
PowerShell Loading DotNET into Memory via Reflection Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern 2024-09-30
Powershell Processing Stream Of Data Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer 2024-09-30
Powershell Remote Services Add TrustedHost Windows icon Powershell Script Block Logging 4104 T1021.006 T1021 TTP DarkGate Malware 2024-09-30
Powershell Remote Thread To Known Windows Process Windows icon Sysmon EventID 8 T1055 TTP Trickbot 2024-09-30
Powershell Remove Windows Defender Directory Windows icon Powershell Script Block Logging 4104 T1562.001 T1562 TTP Data Destruction, WhisperGate 2024-09-30
PowerShell Script Block With URL Chain Windows icon Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell 2024-09-30
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1197 TTP BITS Jobs, Gozi Malware 2024-09-30
PowerShell Start or Stop Service Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement 2024-09-30
Powershell Using memory As Backing Store Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 TTP Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak 2024-09-30
PowerShell WebRequest Using Memory Stream Windows icon Powershell Script Block Logging 4104 T1059.001 T1105 T1027.011 TTP Malicious PowerShell, MoonPeak 2024-09-30
Powershell Windows Defender Exclusion Commands Windows icon Powershell Script Block Logging 4104 T1562.001 T1562 TTP AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics 2024-09-30
Prevent Automatic Repair Mode using Bcdedit CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Chaos Ransomware, Ransomware 2024-09-30
Print Spooler Adding A Printer Driver Windows icon Windows Event Log Printservice 316 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-09-30
Print Spooler Failed to Load a Plug-in Windows icon Windows Event Log Printservice 808 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-09-30
Process Creating LNK file in Suspicious Location Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1566 T1566.002 TTP Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments 2024-09-30
Process Deleting Its Process File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 TTP Clop Ransomware, Data Destruction, Remcos, WhisperGate 2024-09-30
Process Execution via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Suspicious WMI Use 2024-09-30
Process Kill Base On File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP XMRig 2024-09-30
Processes launching netsh CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.004 T1562 Anomaly Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon 2024-09-30
Ransomware Notes bulk creation Windows icon Sysmon EventID 11 T1486 Anomaly BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware 2024-09-30
Recon AVProduct Through Pwh or WMI Windows icon Powershell Script Block Logging 4104 T1592 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation 2024-09-30
Recon Using WMI Class Windows icon Powershell Script Block Logging 4104 T1592 T1059.001 Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot 2024-09-30
Recursive Delete of Directory In Batch CMD CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.004 T1070 TTP Ransomware 2024-09-30
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.011 T1574 TTP Living Off The Land, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Registry Keys Used For Persistence Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.001 T1547 TTP Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Regsvr32 Silent and Install Param Dll Loading CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Regsvr32 with Known Silent Switch Cmdline CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 Anomaly AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Remcos client registry install entry CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1112 TTP Remcos, Windows Registry Abuse 2024-09-30
Remcos RAT File Creation in Remcos Folder Windows icon Sysmon EventID 11 T1113 TTP Remcos 2024-09-30
Remote Process Instantiation via DCOM and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1021 T1021.003 TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and Winrs CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use 2024-09-30
Remote Process Instantiation via WMI and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1047 TTP Active Directory Lateral Movement 2024-09-30
Remote System Discovery with Adsisearcher Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2024-09-30
Remote System Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery 2024-09-30
Remote WMI Command Attempt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon 2024-09-30
Revil Common Exec Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Ransomware, Revil Ransomware 2024-09-30
Revil Registry Entry CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1112 TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2024-09-30
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1550 T1550.003 T1558 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Rubeus Kerberos Ticket Exports Through Winlogon Access Windows icon Sysmon EventID 10 T1550 T1550.003 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Rundll32 Create Remote Thread To A Process Windows icon Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 CreateRemoteThread In Browser Windows icon Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 DNSQuery Windows icon Sysmon EventID 22 T1218 T1218.011 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 LockWorkStation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 Anomaly Ransomware 2024-09-30
Rundll32 Process Creating Exe Dll Files Windows icon Sysmon EventID 11 T1218 T1218.011 TTP IcedID, Living Off The Land 2024-09-30
RunDLL Loading DLL By Ordinal CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes 2024-09-30
Ryuk Test Files Detected Windows icon Sysmon EventID 11 T1486 TTP Ryuk Ransomware 2024-09-30
Samsam Test File Write Windows icon Sysmon EventID 11 T1486 TTP SamSam Ransomware 2024-09-30
Sc exe Manipulating Windows Services CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543.003 T1543 TTP Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
SchCache Change By App Connect And Create ADSI Object Windows icon Sysmon EventID 11 T1087.002 T1087 Anomaly BlackMatter Ransomware 2024-09-30
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.002 TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern 2024-09-30
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.005 TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 TTP CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig 2024-09-30
Schtasks used for forcing a reboot CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Screensaver Event Trigger Execution Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1546 T1546.002 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Script Execution via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Suspicious WMI Use 2024-09-30
Sdclt UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Sdelete Application Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1485 T1070.004 T1070 TTP Masquerading - Rename System Utilities 2024-09-30
ServicePrincipalNames Discovery with PowerShell Windows icon Powershell Script Block Logging 4104 T1558.003 TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell 2024-09-30
Services LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 TTP Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot 2024-09-30
Set Default PowerShell Execution Policy To Unrestricted or Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1059 T1059.001 TTP Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell 2024-09-30
Shim Database File Creation Windows icon Sysmon EventID 11 T1546.011 T1546 TTP Windows Persistence Techniques 2024-09-30
SilentCleanup UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Spoolsv Suspicious Loaded Modules Windows icon Sysmon EventID 7 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Suspicious Process Access Windows icon Sysmon EventID 10 T1068 TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL - Sysmon Windows icon Sysmon EventID 11 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-09-30
Sqlite Module In Temp Folder Windows icon Sysmon EventID 11 T1005 TTP IcedID 2024-09-30
Steal or Forge Authentication Certificates Behavior Identified T1649 Correlation Windows Certificate Services 2024-09-30
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Driver Loaded Path Windows icon Sysmon EventID 6 T1543.003 T1543 TTP AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig 2024-09-30
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious IcedID Rundll32 Cmdline CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP IcedID, Living Off The Land 2024-09-30
Suspicious Image Creation In Appdata Folder Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1113 TTP Remcos 2024-09-30
Suspicious Kerberos Service Ticket Request Windows icon Windows Event Log Security 4769 T1078 T1078.002 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious Linux Discovery Commands CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.004 TTP Linux Post-Exploitation 2024-09-30
Suspicious microsoft workflow compiler usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1127 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution 2024-09-30
Suspicious msbuild path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1127 T1036.003 T1127.001 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1127 T1127.001 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious mshta child process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-09-30
Suspicious mshta spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Living Off The Land, Suspicious MSHTA Activity 2024-09-30
Suspicious Process Executed From Container File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204.002 T1036.008 TTP Amadey, Remcos, Snake Keylogger, Unusual Processes 2024-09-30
Suspicious Process With Discord DNS Query Windows icon Sysmon EventID 22 T1059.005 T1059 Anomaly Data Destruction, PXA Stealer, WhisperGate 2024-09-30
Suspicious Reg exe Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2024-09-30
Suspicious Regsvr32 Register Suspicious Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 TTP IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity 2024-09-30
Suspicious Rundll32 dllregisterserver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 PluginInit CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP IcedID 2024-09-30
Suspicious Rundll32 StartW CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot 2024-09-30
Suspicious Scheduled Task from Public Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 Anomaly Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious WAV file in Appdata Folder CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1113 TTP Remcos 2024-09-30
Suspicious wevtutil Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.001 T1070 TTP CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation 2024-09-30
Suspicious writes to windows Recycle Bin Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1036 TTP Collection and Staging, PlugX 2024-09-30
Svchost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.005 TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
System Information Discovery Detection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1082 TTP BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques 2024-09-30
System Processes Run From Unexpected Locations CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 Anomaly DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
Trickbot Named Pipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1055 TTP Trickbot 2024-09-30
UAC Bypass MMC Load Unsigned Dll Windows icon Sysmon EventID 7 T1548.002 T1548 T1218.014 TTP Windows Defense Evasion Tactics 2024-09-30
UAC Bypass With Colorui COM Object Windows icon Sysmon EventID 7 T1218 T1218.003 TTP LockBit Ransomware, Ransomware 2024-09-30
Uninstall App Using MsiExec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 T1218 TTP Ransomware 2024-09-30
Unknown Process Using The Kerberos Protocol Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1550 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Unload Sysmon Filter Driver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA23-347A, Disabling Security Tools 2024-09-30
Unloading AMSI via Reflection Windows icon Powershell Script Block Logging 4104 T1562 T1059.001 T1059 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
USN Journal Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 TTP Ransomware, Windows Log Manipulation 2024-09-30
Vbscript Execution Using Wscript App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.005 T1059 TTP AsyncRAT, FIN7, Remcos 2024-09-30
W3WP Spawning Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.003 TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities 2024-09-30
Wbemprox COM Object Execution Windows icon Sysmon EventID 7 T1218 T1218.003 TTP LockBit Ransomware, Ransomware, Revil Ransomware 2024-09-30
Wermgr Process Connecting To IP Check Web Services Windows icon Sysmon EventID 22 T1590 T1590.005 TTP Trickbot 2024-09-30
Wermgr Process Create Executable File Windows icon Sysmon EventID 11 T1027 TTP Trickbot 2024-09-30
Wermgr Process Spawned CMD Or Powershell Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Qakbot, Trickbot 2024-09-30
Windows Abused Web Services Windows icon Sysmon EventID 22 T1102 TTP CISA AA24-241A, NjRAT 2024-09-30
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Windows icon Sysmon EventID 10 T1134.001 T1134 Anomaly Brute Ratel C4 2024-09-30
Windows Account Discovery for Sam Account Name Windows icon Powershell Script Block Logging 4104 T1087 Anomaly CISA AA23-347A 2024-09-30
Windows AD Abnormal Object Access Activity Windows icon Windows Event Log Security 4662 T1087 T1087.002 Anomaly Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AD AdminSDHolder ACL Modified Windows icon Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Controller Audit Policy Disabled Windows icon Windows Event Log Security 4719 T1562.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DSRM Account Changes Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1098 TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows AD DSRM Password Reset Windows icon Windows Event Log Security 4794 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Privileged Object Access Activity Windows icon Windows Event Log Security 4662 T1087 T1087.002 TTP Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AD Short Lived Domain Account ServicePrincipalName Windows icon Windows Event Log Security 5136 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD SID History Attribute Modified Windows icon Windows Event Log Security 5136 T1134 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admin Permission Discovery Windows icon Sysmon EventID 11 T1069.001 Anomaly NjRAT 2024-09-30
Windows Administrative Shares Accessed On Multiple Hosts Windows icon Windows Event Log Security 5140, Windows icon Windows Event Log Security 5145 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Admon Default Group Policy Object Modified Windows icon Windows Active Directory Admon T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Group Policy Object Created Windows icon Windows Active Directory Admon T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Alternate DataStream - Base64 Content Windows icon Sysmon EventID 15 T1564 T1564.004 TTP Windows Defense Evasion Tactics 2024-09-30
Windows Alternate DataStream - Executable Content Windows icon Sysmon EventID 15 T1564 T1564.004 TTP Windows Defense Evasion Tactics 2024-09-30
Windows Apache Benchmark Binary CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Anomaly MetaSploit 2024-09-30
Windows App Layer Protocol Qakbot NamedPipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 Anomaly Qakbot 2024-09-30
Windows App Layer Protocol Wermgr Connect To NamedPipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 Anomaly Qakbot 2024-09-30
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 TTP Azorult 2024-09-30
Windows AppLocker Block Events T1218 Anomaly Windows AppLocker 2024-09-30
Windows AppLocker Privilege Escalation via Unauthorized Bypass T1218 TTP Windows AppLocker 2024-09-30
Windows Archive Collected Data via Powershell Windows icon Powershell Script Block Logging 4104 T1560 Anomaly CISA AA23-347A 2024-09-30
Windows Archive Collected Data via Rar CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Anomaly DarkGate Malware 2024-09-30
Windows AutoIt3 Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP DarkGate Malware, Handala Wiper 2024-09-30
Windows Autostart Execution LSASS Driver Registry Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.008 TTP Windows Registry Abuse 2024-09-30
Windows Binary Proxy Execution Mavinject DLL Injection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.013 T1218 TTP Living Off The Land 2024-09-30
Windows Boot or Logon Autostart Execution In Startup Folder Windows icon Sysmon EventID 11 T1547.001 T1547 Anomaly Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer 2024-09-30
Windows Bypass UAC via Pkgmgr Tool CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 Anomaly Warzone RAT 2024-09-30
Windows CAB File on Disk Windows icon Sysmon EventID 11 T1566.001 Anomaly DarkGate Malware 2024-09-30
Windows Cached Domain Credentials Reg Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.005 T1003 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows ClipBoard Data via Get-ClipBoard Windows icon Powershell Script Block Logging 4104 T1115 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Command Shell Fetch Env Variables CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Qakbot 2024-09-30
Windows Common Abused Cmd Shell Risk Behavior T1222 T1049 T1033 T1529 T1016 T1059 Correlation Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation 2024-09-30
Windows Computer Account Created by Computer Account Windows icon Windows Event Log Security 4741 T1558 TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Computer Account Requesting Kerberos Ticket Windows icon Windows Event Log Security 4768 T1558 TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Create Local Account T1136.001 T1136 Anomaly Active Directory Password Spraying, CISA AA24-241A 2024-09-30
Windows Credentials from Password Stores Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 Anomaly DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Credentials in Registry Reg Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1552.002 T1552 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Data Destruction Recursive Exec Files Deletion Windows icon Sysmon EventID 23 T1485 TTP Data Destruction, Handala Wiper, Swift Slicer 2024-09-30
Windows Defacement Modify Transcodedwallpaper File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1491 Anomaly Brute Ratel C4 2024-09-30
Windows Default Group Policy Object Modified Windows icon Windows Event Log Security 5136 T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Default Group Policy Object Modified with GPME CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Defender ASR Audit Events Windows icon Windows Event Log Defender 1122 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Block Events Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1129 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Rule Disabled Windows icon Windows Event Log Defender 5007 T1112 TTP Windows Attack Surface Reduction 2024-09-30
Windows Delete or Modify System Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562 T1562.004 Anomaly NjRAT, ShrinkLocker 2024-09-30
Windows Deleted Registry By A Non Critical Process File Path Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Disable Memory Crash Dump Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1485 TTP Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse 2024-09-30
Windows Disable or Modify Tools Via Taskkill CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562 T1562.001 Anomaly NjRAT, PXA Stealer 2024-09-30
Windows Disable Windows Group Policy Features Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows DisableAntiSpyware Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Diskshadow Proxy Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 TTP Living Off The Land 2024-09-30
Windows DISM Install PowerShell Web Access Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 TTP CISA AA24-241A 2024-09-30
Windows DLL Side-Loading In Calc Windows icon Sysmon EventID 7 T1574.002 T1574 TTP Qakbot 2024-09-30
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.002 T1574 Anomaly Qakbot 2024-09-30
Windows DNS Gather Network Info CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1590.002 Anomaly Sandworm Tools, Volt Typhoon 2024-09-30
Windows DnsAdmins New Member Added Windows icon Windows Event Log Security 4732 T1098 TTP Active Directory Privilege Escalation 2024-09-30
Windows Domain Account Discovery Via Get-NetComputer Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 Anomaly CISA AA23-347A 2024-09-30
Windows DotNet Binary in Non Standard Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 T1218 T1218.004 TTP Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows Enable PowerShell Web Access Windows icon Powershell Script Block Logging 4104 T1059.001 TTP CISA AA24-241A, Malicious PowerShell 2024-09-30
Windows Enable Win32 ScheduledJob via Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1053.005 Anomaly Active Directory Lateral Movement, Scheduled Tasks 2024-09-30
Windows ESX Admins Group Creation Security Event T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows ESX Admins Group Creation via PowerShell Windows icon Powershell Script Block Logging 4104 T1136.002 T1136.001 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Executable in Loaded Modules Windows icon Sysmon EventID 7 T1129 TTP NjRAT 2024-09-30
Windows Exfiltration Over C2 Via Invoke RestMethod Windows icon Powershell Script Block Logging 4104 T1041 TTP Winter Vivern 2024-09-30
Windows Exfiltration Over C2 Via Powershell UploadString Windows icon Powershell Script Block Logging 4104 T1041 TTP Winter Vivern 2024-09-30
Windows Export Certificate Windows icon Windows Event Log CertificateServicesClient 1007 T1552.004 T1552 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows File Share Discovery With Powerview Windows icon Powershell Script Block Logging 4104 T1135 TTP Active Directory Discovery, Active Directory Privilege Escalation 2024-09-30
Windows File Transfer Protocol In Non-Common Process Path Windows icon Sysmon EventID 3 T1071.003 T1071 Anomaly AgentTesla, Snake Keylogger 2024-09-30
Windows File Without Extension In Critical Folder Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1485 TTP Data Destruction, Hermetic Wiper 2024-09-30
Windows Files and Dirs Access Rights Modification Via Icacls CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222.001 T1222 TTP Amadey 2024-09-30
Windows Find Domain Organizational Units with GetDomainOU Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 TTP Active Directory Discovery 2024-09-30
Windows Find Interesting ACL with FindInterestingDomainAcl Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 TTP Active Directory Discovery 2024-09-30
Windows Findstr GPP Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1552 T1552.006 TTP Active Directory Privilege Escalation 2024-09-30
Windows Forest Discovery with GetForestDomain Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 TTP Active Directory Discovery 2024-09-30
Windows Gather Victim Host Information Camera Windows icon Powershell Script Block Logging 4104 T1592.001 T1592 Anomaly DarkCrystal RAT 2024-09-30
Windows Get-AdComputer Unconstrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks 2024-09-30
Windows Get Local Admin with FindLocalAdminAccess Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 TTP Active Directory Discovery 2024-09-30
Windows Group Policy Object Created Windows icon Windows Event Log Security 5136, Windows icon Windows Event Log Security 5137 T1484 T1484.001 T1078.002 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows High File Deletion Frequency Windows icon Sysmon EventID 23 T1485 Anomaly Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate 2024-09-30
Windows Hijack Execution Flow Version Dll Side Load Windows icon Sysmon EventID 7 T1574.001 T1574 Anomaly Brute Ratel C4 2024-09-30
Windows IIS Components Add New Module CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.004 Anomaly IIS Components 2024-09-30
Windows IIS Components Module Failed to Load Windows icon Windows Event Log Application 2282 T1505 T1505.004 Anomaly IIS Components 2024-09-30
Windows IIS Components New Module Added Windows icon Windows IIS 29 T1505 T1505.004 TTP IIS Components 2024-09-30
Windows Impair Defense Change Win Defender Health Check Intervals Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Quick Scan Interval Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Throttle Rate Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Tracing Level Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Define Win Defender Threat Action Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Delete Win Defender Profile Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 Anomaly Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Deny Security Software With Applocker Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult 2024-09-30
Windows Impair Defense Disable Controlled Folder Access Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Firewall And Network Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Protocol Recognition Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable PUA Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Realtime Signature Delivery Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender App Guard Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Compute File Hashes Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Gen reports Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Network Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Report Infection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Scan On Update Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Signature Retirement Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Overide Win Defender Phishing Filter Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable AV AutoStart via Registry Windows icon Sysmon EventID 13 T1112 TTP ValleyRAT 2024-09-30
Windows Impair Defenses Disable HVCI Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable Win Defender Auto Logging Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Indicator Removal Via Rmdir CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 Anomaly DarkGate Malware 2024-09-30
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1202 TTP Living Off The Land, Windows Post-Exploitation 2024-09-30
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1202 TTP Living Off The Land 2024-09-30
Windows Indirect Command Execution Via Series Of Forfiles CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1202 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Information Discovery Fsutil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1082 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Ingress Tool Transfer Using Explorer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 Anomaly DarkCrystal RAT 2024-09-30
Windows InProcServer32 New Outlook Form Windows icon Sysmon EventID 13 T1566 T1112 Anomaly Outlook RCE CVE-2024-21378 2024-09-30
Windows InstallUtil Credential Theft Windows icon Sysmon EventID 7 T1218.004 T1218 TTP Signed Binary Proxy Execution InstallUtil 2024-09-30
Windows InstallUtil in Non Standard Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 T1218 T1218.004 TTP Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows Known Abused DLL Created Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1574.001 T1574.002 T1574 Anomaly Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known Abused DLL Loaded Suspiciously Windows icon Sysmon EventID 7 T1574.001 T1574.002 T1574 TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known GraphicalProton Loaded Modules Windows icon Sysmon EventID 7 T1574.002 T1574 Anomaly CISA AA23-347A 2024-09-30
Windows Large Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1135 T1078 Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Lateral Tool Transfer RemCom CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1570 TTP Active Directory Discovery 2024-09-30
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 T1069.002 TTP Volt Typhoon 2024-09-30
Windows Linked Policies In ADSI Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows Local Administrator Credential Stuffing Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4625 T1110 T1110.004 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows LOLBAS Executed As Renamed File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 T1218.011 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows LOLBAS Executed Outside Expected Path Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.005 T1218.011 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows Mail Protocol In Non-Common Process Path Windows icon Sysmon EventID 3 T1071.003 T1071 Anomaly AgentTesla 2024-09-30
Windows Mark Of The Web Bypass Windows icon Sysmon EventID 23 T1553.005 TTP Warzone RAT 2024-09-30
Windows Mimikatz Crypto Export File Extensions Windows icon Sysmon EventID 11 T1649 Anomaly CISA AA23-347A, Sandworm Tools, Windows Certificate Services 2024-09-30
Windows Modify Registry AuthenticationLevelOverride Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Auto Update Notif Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry Configure BitLocker Windows icon Sysmon EventID 13 T1112 TTP ShrinkLocker 2024-09-30
Windows Modify Registry Default Icon Setting Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly LockBit Ransomware 2024-09-30
Windows Modify Registry Delete Firewall Rules Windows icon Sysmon EventID 12 T1112 TTP CISA AA24-241A, ShrinkLocker 2024-09-30
Windows Modify Registry Disable RDP Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry Disable Toast Notifications Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Azorult 2024-09-30
Windows Modify Registry Disable Win Defender Raw Write Notif Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Disable WinDefender Notifications Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry Disable Windows Security Center Notif Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisableRemoteDesktopAntiAlias Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP DarkGate Malware 2024-09-30
Windows Modify Registry DisableSecuritySettings Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, DarkGate Malware 2024-09-30
Windows Modify Registry Disabling WER Settings Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisAllow Windows App Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Azorult 2024-09-30
Windows Modify Registry Do Not Connect To Win Update Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry DontShowUI Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP DarkGate Malware 2024-09-30
Windows Modify Registry MaxConnectionPerServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Warzone RAT 2024-09-30
Windows Modify Registry No Auto Reboot With Logon User Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry No Auto Update Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry on Smart Card Group Policy Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry ProxyEnable Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry ProxyServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Qakbot Binary Data Registry Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Qakbot 2024-09-30
Windows Modify Registry Regedit Silent Reg Import CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 Anomaly Azorult 2024-09-30
Windows Modify Registry Risk Behavior T1112 Correlation Windows Registry Abuse 2024-09-30
Windows Modify Registry Suppress Win Defender Notif Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Tamper Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP RedLine Stealer 2024-09-30
Windows Modify Registry UpdateServiceUrlAlternate Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry Utilize ProgIDs Windows icon Sysmon EventID 13 T1112 Anomaly ValleyRAT 2024-09-30
Windows Modify Registry ValleyRAT C2 Config Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP ValleyRAT 2024-09-30
Windows Modify Registry ValleyRat PWN Reg Entry Windows icon Sysmon EventID 13 T1112 TTP ValleyRAT 2024-09-30
Windows Modify Registry With MD5 Reg Key Name Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP NjRAT 2024-09-30
Windows MSExchange Management Mailbox Cmdlet Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 Anomaly BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Windows Mshta Execution In Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1218.005 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2024-09-30
Windows MSHTA Writing to World Writable Path Windows icon Sysmon EventID 11 T1218.005 TTP APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity 2024-09-30
Windows MSIExec DLLRegisterServer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MsiExec HideWindow Rundll32 Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 T1218 TTP Qakbot 2024-09-30
Windows MSIExec Remote Download CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec Unregister DLLRegisterServer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec With Network Connections Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows Multi hop Proxy TOR Website Query Windows icon Sysmon EventID 22 T1071.003 T1071 Anomaly AgentTesla 2024-09-30
Windows Multiple Account Passwords Changed Windows icon Windows Event Log Security 4724 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Deleted Windows icon Windows Event Log Security 4726 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Disabled Windows icon Windows Event Log Security 4725 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple NTLM Null Domain Authentications T1110 T1110.003 TTP Active Directory Password Spraying 2024-09-30
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 T1110 TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate Using Kerberos Windows icon Windows Event Log Security 4771 T1110.003 T1110 TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Remotely Failed To Authenticate From Host Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Ngrok Reverse Proxy Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1572 T1090 T1102 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-09-30
Windows NirSoft AdvancedRun CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1588.002 TTP Data Destruction, Ransomware, Unusual Processes, WhisperGate 2024-09-30
Windows Njrat Fileless Storage via Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1027.011 T1027 TTP NjRAT 2024-09-30
Windows Non Discord App Access Discord LevelDB Windows icon Windows Event Log Security 4663 T1012 Anomaly PXA Stealer, Snake Keylogger 2024-09-30
Windows Non-System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA23-347A, Credential Dumping 2024-09-30
Windows Odbcconf Load DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2024-09-30
Windows Odbcconf Load Response File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2024-09-30
Windows Outlook WebView Registry Modification Windows icon Sysmon EventID 13 T1112 Anomaly Suspicious Windows Registry Activities 2024-09-30
Windows Password Managers Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555.005 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Phishing Outlook Drop Dll In FORM Dir Windows icon Sysmon EventID 11 T1566 TTP Outlook RCE CVE-2024-21378 2024-09-30
Windows Phishing PDF File Executes URL Link CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566.001 T1566 Anomaly Snake Keylogger, Spearphishing Attachments 2024-09-30
Windows Possible Credential Dumping Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack 2024-09-30
Windows Post Exploitation Risk Behavior T1012 T1049 T1069 T1016 T1003 T1082 T1115 T1552 Correlation Windows Post-Exploitation 2024-09-30
Windows PowerShell Add Module to Global Assembly Cache Windows icon Powershell Script Block Logging 4104 T1505 T1505.004 TTP IIS Components 2024-09-30
Windows Powershell Cryptography Namespace Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 Anomaly AsyncRAT 2024-09-30
Windows PowerShell Disable HTTP Logging Windows icon Powershell Script Block Logging 4104 T1562 T1562.002 T1505 T1505.004 TTP IIS Components, Windows Defense Evasion Tactics 2024-09-30
Windows PowerShell Export Certificate Windows icon Powershell Script Block Logging 4104 T1552.004 T1552 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows PowerShell Export PfxCertificate Windows icon Powershell Script Block Logging 4104 T1552.004 T1552 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows PowerShell Get CIMInstance Remote Computer Windows icon Powershell Script Block Logging 4104 T1059.001 Anomaly Active Directory Lateral Movement 2024-09-30
Windows PowerShell IIS Components WebGlobalModule Usage Windows icon Powershell Script Block Logging 4104 T1505 T1505.004 Anomaly IIS Components 2024-09-30
Windows Powershell Import Applocker Policy Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 T1562.001 T1562 TTP Azorult 2024-09-30
Windows Powershell RemoteSigned File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.001 T1059 Anomaly Amadey 2024-09-30
Windows PowerShell ScheduleTask Windows icon Powershell Script Block Logging 4104 T1053.005 T1059.001 T1059 Anomaly Scheduled Tasks 2024-09-30
Windows PowerShell WMI Win32 ScheduledJob Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 TTP Active Directory Lateral Movement 2024-09-30
Windows PowerSploit GPP Discovery Windows icon Powershell Script Block Logging 4104 T1552 T1552.006 TTP Active Directory Privilege Escalation 2024-09-30
Windows PowerView AD Access Control List Enumeration Windows icon Powershell Script Block Logging 4104 T1078.002 T1069 TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows PowerView Constrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows PowerView Kerberos Service Ticket Request Windows icon Powershell Script Block Logging 4104 T1558 T1558.003 TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2024-09-30
Windows PowerView SPN Discovery Windows icon Powershell Script Block Logging 4104 T1558 T1558.003 TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows PowerView Unconstrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows Private Keys Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1552.004 T1552 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Privilege Escalation Suspicious Process Elevation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 T1548 T1134 TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privilege Escalation System Process Without System Parent CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 T1548 T1134 TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privileged Group Modification T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Process Injection In Non-Service SearchIndexer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Qakbot 2024-09-30
Windows Process Injection into Notepad Windows icon Sysmon EventID 10 T1055 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework 2024-09-30
Windows Process Injection Of Wermgr to Known Browser Windows icon Sysmon EventID 8 T1055.001 T1055 TTP Qakbot 2024-09-30
Windows Process Injection Remote Thread Windows icon Sysmon EventID 8 T1055 T1055.002 TTP Graceful Wipe Out Attack, Qakbot, Warzone RAT 2024-09-30
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
Windows Process With NamedPipe CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 Anomaly Windows Defense Evasion Tactics 2024-09-30
Windows Processes Killed By Industroyer2 Malware Windows icon Sysmon EventID 5 T1489 Anomaly Data Destruction, Industroyer2 2024-09-30
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1572 T1021.004 TTP CISA AA22-257A 2024-09-30
Windows Proxy Via Netsh CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1090.001 T1090 Anomaly Volt Typhoon 2024-09-30
Windows Proxy Via Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1090.001 T1090 Anomaly Volt Typhoon 2024-09-30
Windows Query Registry Browser List Application Windows icon Windows Event Log Security 4663 T1012 Anomaly RedLine Stealer 2024-09-30
Windows Rapid Authentication On Multiple Hosts Windows icon Windows Event Log Security 4624 T1003.002 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Raw Access To Disk Volume Partition Windows icon Sysmon EventID 9 T1561.002 T1561 Anomaly BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT 2024-09-30
Windows Raw Access To Master Boot Record Drive Windows icon Sysmon EventID 9 T1561.002 T1561 TTP BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate 2024-09-30
Windows Registry Payload Injection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1027 T1027.011 TTP Unusual Processes 2024-09-30
Windows Registry SIP Provider Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1553.003 TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Remote Access Software BRC4 Loaded Dll Windows icon Sysmon EventID 7 T1219 T1003 Anomaly Brute Ratel C4 2024-09-30
Windows Remote Access Software RMS Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1219 TTP Azorult 2024-09-30
Windows Remote Create Service CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 Anomaly Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Windows Remote Services Allow Rdp In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 Anomaly Azorult 2024-09-30
Windows Remote Services Allow Remote Assistance Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021.001 T1021 Anomaly Azorult 2024-09-30
Windows Remote Services Rdp Enable Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021.001 T1021 TTP Azorult, BlackSuit Ransomware 2024-09-30
Windows Replication Through Removable Media Windows icon Sysmon EventID 11 T1091 TTP Chaos Ransomware, NjRAT, PlugX 2024-09-30
Windows Root Domain linked policies Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows Rundll32 Apply User Settings Changes CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Rhysida Ransomware 2024-09-30
Windows Rundll32 WebDAV Request CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-09-30
Windows Scheduled Task Created Via XML CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern 2024-09-30
Windows Scheduled Task DLL Module Loaded Windows icon Sysmon EventID 7 T1053 TTP ValleyRAT 2024-09-30
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1059 TTP Windows Persistence Techniques 2024-09-30
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr T1053 TTP ValleyRAT 2024-09-30
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Qakbot, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Windows Screen Capture Via Powershell Windows icon Powershell Script Block Logging 4104 T1113 TTP Winter Vivern 2024-09-30
Windows Security Support Provider Reg Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1547.005 T1547 Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2024-09-30
Windows Server Software Component GACUtil Install to GAC CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.004 TTP IIS Components 2024-09-30
Windows Service Create Kernel Mode Driver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543.003 T1543 T1068 TTP CISA AA22-320A, Windows Drivers 2024-09-30
Windows Service Create RemComSvc Windows icon Windows Event Log System 7045 T1543.003 T1543 Anomaly Active Directory Discovery 2024-09-30
Windows Service Created with Suspicious Service Path Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware 2024-09-30
Windows Service Created Within Public Path Windows icon Windows Event Log System 7045 T1543 T1543.003 TTP Active Directory Lateral Movement, Snake Malware 2024-09-30
Windows Service Creation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Service Deletion In Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1489 Anomaly Brute Ratel C4, PlugX 2024-09-30
Windows Service Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Service Stop By Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Azorult, Graceful Wipe Out Attack 2024-09-30
Windows Service Stop Via Net and SC Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 Anomaly Graceful Wipe Out Attack, Prestige Ransomware 2024-09-30
Windows Service Stop Win Updates Windows icon Windows Event Log System 7040 T1489 Anomaly CISA AA23-347A, RedLine Stealer 2024-09-30
Windows SIP WinVerifyTrust Failed Trust Validation Windows icon Windows Event Log CAPI2 81 T1553.003 Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Snake Malware File Modification Crmlog Windows icon Sysmon EventID 11 T1027 TTP Snake Malware 2024-09-30
Windows Snake Malware Kernel Driver Comadmin Windows icon Sysmon EventID 11 T1547.006 TTP Snake Malware 2024-09-30
Windows Snake Malware Registry Modification wav OpenWithProgIds Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Snake Malware 2024-09-30
Windows SqlWriter SQLDumper DLL Sideload Windows icon Sysmon EventID 7 T1574.002 TTP APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Steal Authentication Certificates - ESC1 Abuse Windows icon Windows Event Log Security 4886, Windows icon Windows Event Log Security 4887 T1649 TTP Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Certificate Issued Windows icon Windows Event Log Security 4887 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Certificate Request Windows icon Windows Event Log Security 4886 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CertUtil Backup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CryptoAPI Windows icon Windows Event Log CAPI2 70 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CS Backup Windows icon Windows Event Log Security 4876 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export Certificate CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export PfxCertificate CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-09-30
Windows Suspect Process With Authentication Traffic Windows icon Sysmon EventID 3 T1087 T1087.002 T1204 T1204.002 Anomaly Active Directory Discovery 2024-09-30
Windows System Discovery Using ldap Nslookup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Anomaly Qakbot 2024-09-30
Windows System LogOff Commandline CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1529 Anomaly DarkCrystal RAT, NjRAT 2024-09-30
Windows System Network Config Discovery Display DNS CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1016 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows System Network Connections Discovery Netsh CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Anomaly Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation 2024-09-30
Windows System Reboot CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1529 Anomaly DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT 2024-09-30
Windows System Script Proxy Execution Syncappvpublishingserver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1216 T1218 TTP Living Off The Land 2024-09-30
Windows System Shutdown CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1529 Anomaly DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools 2024-09-30
Windows System Time Discovery W32tm Delay CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1124 Anomaly DarkCrystal RAT 2024-09-30
Windows Terminating Lsass Process Windows icon Sysmon EventID 10 T1562.001 T1562 Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Time Based Evasion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497 T1497.003 TTP NjRAT 2024-09-30
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497.003 T1497 Anomaly Snake Keylogger 2024-09-30
Windows UAC Bypass Suspicious Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 T1548.002 TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Unsigned DLL Side-Loading Windows icon Sysmon EventID 7 T1574.002 Anomaly NjRAT, Warzone RAT 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path Windows icon Sysmon EventID 7 T1574.002 T1574 TTP DarkGate Malware, PlugX 2024-09-30
Windows Unsigned MS DLL Side-Loading Windows icon Sysmon EventID 7 T1574.002 T1547 Anomaly APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 T1110 Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows icon Windows Event Log Security 4771 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 T1110 Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows icon Windows Event Log Security 4625 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual NTLM Authentication Destinations By Source T1110 T1110.003 Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Destinations By User T1110 T1110.003 Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Destination T1110 T1110.003 Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Source T1110 T1110.003 Anomaly Active Directory Password Spraying 2024-09-30
Windows User Execution Malicious URL Shortcut File Windows icon Sysmon EventID 11 T1204.002 T1204 TTP Chaos Ransomware, NjRAT, Snake Keylogger 2024-09-30
Windows Vulnerable 3CX Software CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1195.002 TTP 3CX Supply Chain Attack 2024-09-30
Windows Vulnerable Driver Installed Windows icon Windows Event Log System 7045 T1543.003 TTP Windows Drivers 2024-09-30
Windows WMI Impersonate Token Windows icon Sysmon EventID 10 T1047 Anomaly Qakbot 2024-09-30
Windows WMI Process And Service List CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
WMI Permanent Event Subscription - Sysmon Windows icon Sysmon EventID 21 T1546.003 T1546 TTP Suspicious WMI Use 2024-09-30
WMI Recon Running Process Or Services Windows icon Powershell Script Block Logging 4104 T1592 Anomaly Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Wmiprsve LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1047 TTP Active Directory Lateral Movement 2024-09-30
Wsmprovhost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.006 TTP Active Directory Lateral Movement, CISA AA24-241A 2024-09-30
WSReset UAC Bypass Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
XMRIG Driver Loaded Windows icon Sysmon EventID 6 T1543.003 T1543 TTP CISA AA22-320A, XMRig 2024-09-30
XSL Script Execution With WMIC CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1220 TTP FIN7, Suspicious WMI Use 2024-09-30
Detect hosts connecting to dynamic domain providers Windows icon Sysmon EventID 22 T1189 TTP Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic 2024-09-30
Detect Remote Access Software Usage DNS Windows icon Sysmon EventID 22 T1219 Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-09-30
Detect Remote Access Software Usage Traffic Network icon Palo Alto Network Traffic T1219 Anomaly Command And Control, Insider Threat, Ransomware 2024-09-30
DNS Query Length With High Standard Deviation Windows icon Sysmon EventID 22 T1048.003 T1048 Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-09-30
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Network icon Palo Alto Network Threat T1190 T1133 TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2024-09-30
Internal Horizontal Port Scan AWS icon AWS CloudWatchLogs VPCflow T1046 TTP Network Discovery 2024-09-30
Internal Vertical Port Scan AWS icon AWS CloudWatchLogs VPCflow T1046 TTP Network Discovery 2024-09-30
Ngrok Reverse Proxy on Network Windows icon Sysmon EventID 22 T1572 T1090 T1102 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-09-30
Prohibited Network Traffic Allowed T1048 TTP Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-09-30
TOR Traffic Network icon Palo Alto Network Traffic T1090 T1090.003 TTP Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-09-30
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Adobe ColdFusion Access Control Bypass Suricata T1190 TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Adobe ColdFusion Unauthenticated Arbitrary File Read Suricata T1190 TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-09-30
Cisco IOS XE Implant Access Suricata T1190 TTP Cisco IOS XE Software Web Management User Interface vulnerability 2024-09-30
Citrix ADC and Gateway Unauthorized Data Disclosure Suricata T1190 TTP Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 2024-09-30
Confluence CVE-2023-22515 Trigger Vulnerability Suricata T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
Confluence Data Center and Server Privilege Escalation Nginx Access T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata T1190 TTP Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Network icon Palo Alto Network Threat T1505 T1190 T1133 TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
ConnectWise ScreenConnect Authentication Bypass Suricata T1190 TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
Detect Remote Access Software Usage URL Network icon Palo Alto Network Threat T1219 Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-09-30
Exploit Public Facing Application via Apache Commons Text Nginx Access T1505.003 T1505 T1190 T1133 Anomaly Text4Shell CVE-2022-42889 2024-09-30
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Network icon Palo Alto Network Threat T1190 T1133 TTP Fortinet FortiNAC CVE-2022-39952 2024-09-30
F5 TMUI Authentication Bypass Suricata TTP F5 Authentication Bypass with TMUI 2024-09-30
Fortinet Appliance Auth bypass Network icon Palo Alto Network Threat T1190 T1133 TTP CVE-2022-40684 Fortinet Appliance Auth bypass 2024-09-30
High Volume of Bytes Out to Url Nginx Access T1567 Anomaly Data Exfiltration 2024-09-30
Ivanti Connect Secure Command Injection Attempts Suricata T1190 TTP CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure SSRF in SAML Component Suricata T1190 TTP Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti Connect Secure System Information Access via Auth Bypass Suricata T1190 Anomaly CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities 2024-09-30
Ivanti EPM SQL Injection Remote Code Execution Suricata T1190 TTP Ivanti EPM Vulnerabilities 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata T1190 T1133 TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata T1190 T1133 TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti Sentry Authentication Bypass Suricata T1190 TTP Ivanti Sentry Authentication Bypass CVE-2023-38035 2024-09-30
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access T1190 TTP Jenkins Server Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass CVE-2024-27198 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2024-09-30
JetBrains TeamCity RCE Attempt Suricata T1190 TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-09-30
Juniper Networks Remote Code Execution Exploit Detection Suricata T1190 T1105 T1059 TTP Juniper JunOS Remote Code Execution 2024-09-30
Log4Shell JNDI Payload Injection Attempt Nginx Access T1190 T1133 Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Log4Shell JNDI Payload Injection with Outbound Connection T1190 T1133 Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Microsoft SharePoint Server Elevation of Privilege Suricata T1068 TTP Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 2024-09-30
Multiple Archive Files Http Post Traffic Splunk icon Splunk Stream HTTP T1048.003 T1048 TTP Command And Control, Data Exfiltration 2024-09-30
Nginx ConnectWise ScreenConnect Authentication Bypass Nginx Access T1190 TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
PaperCut NG Remote Web Access Attempt Suricata T1190 T1133 TTP PaperCut MF NG Vulnerability 2024-09-30
Plain HTTP POST Exfiltrated Data Splunk icon Splunk Stream HTTP T1048.003 T1048 TTP Command And Control, Data Exfiltration 2024-09-30
ProxyShell ProxyNotShell Behavior Detected T1190 T1133 Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Spring4Shell Payload URL Request Nginx Access T1505.003 T1505 T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-09-30
VMWare Aria Operations Exploit Attempt Network icon Palo Alto Network Threat T1133 T1190 T1210 T1068 TTP VMware Aria Operations vRealize CVE-2023-20887 2024-09-30
VMware Workspace ONE Freemarker Server-side Template Injection Network icon Palo Alto Network Threat T1190 T1133 Anomaly VMware Server Side Injection and Privilege Escalation 2024-09-30
Web JSP Request via URL Nginx Access T1505.003 T1505 T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Remote ShellServlet Access Nginx Access T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server 2024-09-30
Web Spring4Shell HTTP Request Class Module Splunk icon Splunk Stream HTTP T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Spring Cloud Function FunctionRouter Splunk icon Splunk Stream HTTP T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-09-30
Windows Exchange Autodiscover SSRF Abuse Windows icon Windows IIS T1190 T1133 TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
WordPress Bricks Builder plugin RCE Nginx Access T1190 TTP WordPress Vulnerabilities 2024-09-30
WS FTP Remote Code Execution Suricata T1190 TTP WS FTP Server Critical Vulnerabilities 2024-09-30
Zscaler Adware Activities Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Behavior Analysis Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler CryptoMiner Downloaded Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Employment Search Web Activity T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Exploit Threat Blocked T1566 TTP Zscaler Browser Proxy Threats 2024-09-30
Zscaler Legal Liability Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Malware Activity Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Phishing Activity Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Potentially Abused File Download T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Privacy Risk Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Scam Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Zscaler Virus Download threat blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-09-30
Internal Horizontal Port Scan NMAP Top 20 AWS icon AWS CloudWatchLogs VPCflow T1046 TTP Network Discovery 2024-09-25
Windows Archived Collected Data In TEMP Folder T1560 TTP Braodo Stealer 2024-09-24
Windows Credentials from Password Stores Chrome Copied in TEMP Dir T1555.003 T1555 TTP Braodo Stealer 2024-09-24
Windows Credentials from Web Browsers Saved in TEMP Folder T1555.003 T1555 TTP Braodo Stealer 2024-09-24
Windows Disable or Stop Browser Process T1562.001 T1562 TTP Braodo Stealer 2024-09-24
Windows Screen Capture in TEMP folder T1113 TTP Braodo Stealer 2024-09-24