Detections

Name Data Source Technique Type Analytic Story Date
Path traversal SPL injection Splunk icon Splunk T1083 TTP Splunk Vulnerabilities 2024-09-25
Splunk User Enumeration Attempt Splunk icon Splunk T1078 TTP Splunk Vulnerabilities 2024-09-25
Splunk XSS in Monitoring Console T1189 TTP Splunk Vulnerabilities 2024-09-25
Okta Multi-Factor Authentication Disabled Okta T1556 T1556.006 TTP Okta Account Takeover 2024-09-24
Okta Multiple Failed MFA Requests For User Okta T1621 Anomaly Okta Account Takeover 2024-09-24
Okta Multiple Users Failing To Authenticate From Ip Okta T1110.003 Anomaly Okta Account Takeover 2024-09-24
Okta New API Token Created Okta T1078 T1078.001 TTP Okta Account Takeover 2024-09-24
Okta New Device Enrolled on Account Okta T1098 T1098.005 TTP Okta Account Takeover 2024-09-24
Windows AD Object Owner Updated T1484 T1222 T1222.001 TTP Sneaky Active Directory Persistence Tricks 2024-09-24
ASL AWS Concurrent Sessions From Different Ips T1185 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-24
ASL AWS New MFA Method Registered For User T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-24
AWS Concurrent Sessions From Different Ips AWS icon AWS CloudTrail DescribeEventAggregates T1185 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-09-24
AWS New MFA Method Registered For User AWS icon AWS CloudTrail CreateVirtualMFADevice T1556 T1556.006 TTP AWS Identity and Access Management Account Takeover 2024-09-24
AWS Successful Console Authentication From Multiple IPs AWS icon AWS CloudTrail ConsoleLogin T1586 T1535 Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-24
AWS UpdateLoginProfile AWS icon AWS CloudTrail UpdateLoginProfile T1136.003 T1136 TTP AWS IAM Privilege Escalation 2024-09-24
Azure Active Directory High Risk Sign-in Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD Application Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-24
Azure AD Authentication Failed During MFA Challenge Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 T1621 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD Concurrent Sessions From Different Ips Azure icon Azure Active Directory T1185 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-24
Azure AD High Number Of Failed Authentications For User Azure icon Azure Active Directory T1110 T1110.001 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-24
Azure AD High Number Of Failed Authentications From Ip Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-24
Azure AD Multi-Source Failed Authentications Spike Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-24
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure icon Azure Active Directory Sign-in activity T1078 Anomaly Azure Active Directory Account Takeover 2024-09-24
Azure AD Multiple Failed MFA Requests For User Azure icon Azure Active Directory Sign-in activity T1586 T1586.003 T1621 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD Multiple Service Principals Created by SP Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-24
Azure AD Multiple Service Principals Created by User Azure icon Azure Active Directory Add service principal T1136.003 Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-24
Azure AD Multiple Users Failing To Authenticate From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-24
Azure AD New Custom Domain Added Azure icon Azure Active Directory Add unverified domain T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-24
Azure AD New Federated Domain Added Azure icon Azure Active Directory Set domain authentication T1484 T1484.002 TTP Azure Active Directory Persistence 2024-09-24
Azure AD New MFA Method Registered For User Azure icon Azure Active Directory User registered security info T1556 T1556.006 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-24
Azure AD PIM Role Assigned Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-24
Azure AD PIM Role Assignment Activated Azure icon Azure Active Directory T1098 T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-24
Azure AD Privileged Authentication Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1003.002 TTP Azure Active Directory Privilege Escalation 2024-09-24
Azure AD Privileged Role Assigned Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-24
Azure AD Privileged Role Assigned to Service Principal Azure icon Azure Active Directory Add member to role T1098 T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-24
Azure AD Service Principal Authentication Azure icon Azure Active Directory Sign-in activity T1078.004 TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-24
Azure AD Service Principal New Client Credentials Azure icon Azure Active Directory T1098 T1098.001 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-24
Azure AD Service Principal Owner Added Azure icon Azure Active Directory Add owner to application T1098 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-24
Azure AD Successful Authentication From Different Ips Azure icon Azure Active Directory T1110 T1110.001 T1110.003 TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-24
Azure AD Successful PowerShell Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD Successful Single-Factor Authentication Azure icon Azure Active Directory T1586 T1586.003 T1078 T1078.004 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD Unusual Number of Failed Authentications From Ip Azure icon Azure Active Directory T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly Azure Active Directory Account Takeover 2024-09-24
Azure AD User Consent Denied for OAuth Application Azure icon Azure Active Directory Sign-in activity T1528 TTP Azure Active Directory Account Takeover 2024-09-24
Azure AD User Enabled And Password Reset Azure icon Azure Active Directory Enable account, Azure icon Azure Active Directory Reset password (by admin), Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-24
Azure AD User ImmutableId Attribute Updated Azure icon Azure Active Directory Update user T1098 TTP Azure Active Directory Persistence 2024-09-24
Azure Automation Account Created Azure icon Azure Audit Create or Update an Azure Automation account T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-24
Azure Automation Runbook Created Azure icon Azure Audit Create or Update an Azure Automation Runbook T1136 T1136.003 TTP Azure Active Directory Persistence 2024-09-24
Azure Runbook Webhook Created Azure icon Azure Audit Create or Update an Azure Automation webhook T1078 T1078.004 TTP Azure Active Directory Persistence 2024-09-24
GCP Authentication Failed During MFA Challenge Google Workspace login_failure T1586 T1586.003 T1078 T1078.004 T1621 TTP GCP Account Takeover 2024-09-24
Kubernetes Anomalous Inbound Outbound Network IO T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Anomalous Inbound to Outbound Network IO Ratio T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Previously Unseen Container Image Name T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Previously Unseen Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Process Running From New Path T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Process with Anomalous Resource Utilisation T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Process with Resource Ratio Anomalies T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Shell Running on Worker Node T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
Kubernetes Shell Running on Worker Node with CPU Activity T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-09-24
O365 Application Available To Other Tenants T1098.003 T1098 TTP Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration 2024-09-24
O365 Compliance Content Search Exported T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-24
O365 Compliance Content Search Started T1114 T1114.002 TTP Office 365 Collection Techniques 2024-09-24
O365 Concurrent Sessions From Different Ips O365 UserLoggedIn T1185 TTP Office 365 Account Takeover 2024-09-24
O365 Cross-Tenant Access Change T1484.002 TTP Azure Active Directory Persistence 2024-09-24
O365 DLP Rule Triggered T1048 T1567 Anomaly Data Exfiltration 2024-09-24
O365 Elevated Mailbox Permission Assigned T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-24
O365 External Guest User Invited T1136.003 TTP Azure Active Directory Persistence 2024-09-24
O365 External Identity Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-24
O365 High Number Of Failed Authentications for User O365 UserLoginFailed T1110 T1110.001 TTP Office 365 Account Takeover 2024-09-24
O365 Mailbox Folder Read Permission Granted T1098 T1098.002 TTP Office 365 Collection Techniques 2024-09-24
O365 Multi-Source Failed Authentications Spike O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 Hunting NOBELIUM Group, Office 365 Account Takeover 2024-09-24
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed T1078 Anomaly Office 365 Account Takeover 2024-09-24
O365 Multiple Failed MFA Requests For User O365 UserLoginFailed T1621 TTP Office 365 Account Takeover 2024-09-24
O365 Multiple Mailboxes Accessed via API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-24
O365 Multiple Users Failing To Authenticate From Ip O365 UserLoginFailed T1586 T1586.003 T1110 T1110.003 T1110.004 TTP NOBELIUM Group, Office 365 Account Takeover 2024-09-24
O365 OAuth App Mailbox Access via EWS O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-24
O365 OAuth App Mailbox Access via Graph API O365 MailItemsAccessed T1114.002 TTP NOBELIUM Group, Office 365 Collection Techniques 2024-09-24
O365 Privileged Role Assigned T1098 T1098.003 TTP Azure Active Directory Persistence 2024-09-24
O365 Privileged Role Assigned To Service Principal T1098 T1098.003 TTP Azure Active Directory Privilege Escalation 2024-09-24
O365 Security And Compliance Alert Triggered T1078 T1078.004 TTP Office 365 Account Takeover 2024-09-24
O365 Service Principal New Client Credentials O365 T1098 T1098.001 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-09-24
O365 SharePoint Allowed Domains Policy Changed T1136.003 TTP Azure Active Directory Persistence 2024-09-24
O365 User Consent Denied for OAuth Application O365 T1528 TTP Office 365 Account Takeover 2024-09-24
AWS Cloud Provisioning From Previously Unseen City T1535 Anomaly AWS Suspicious Provisioning Activities 2024-09-24
AWS Cloud Provisioning From Previously Unseen Country T1535 Anomaly AWS Suspicious Provisioning Activities 2024-09-24
AWS Cloud Provisioning From Previously Unseen IP Address Anomaly AWS Suspicious Provisioning Activities 2024-09-24
Kubernetes AWS detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-09-24
Kubernetes Azure detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-09-24
Kubernetes GCP detect sensitive role access Hunting Kubernetes Sensitive Role Activity 2024-09-24
Windows connhost exe started forcefully Windows icon Sysmon EventID 1 T1059.003 TTP Ryuk Ransomware 2024-09-24
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP AgentTesla, CISA AA22-320A, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics 2024-09-24
CMLUA Or CMSTPLUA UAC Bypass Windows icon Sysmon EventID 7 T1218 T1218.003 TTP DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT 2024-09-24
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Windows icon Powershell Script Block Logging 4104 T1558 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-24
Disabled Kerberos Pre-Authentication Discovery With PowerView Windows icon Powershell Script Block Logging 4104 T1558 T1558.004 TTP Active Directory Kerberos Attacks 2024-09-24
Eventvwr UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-24
Executables Or Script Creation In Suspicious Path Windows icon Sysmon EventID 11 T1036 Anomaly AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-09-24
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 T1548.002 T1548 TTP IcedID, ValleyRAT, Windows Defense Evasion Tactics 2024-09-24
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows icon Windows Event Log Security 4738 T1558 T1558.004 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-24
Kerberos Service Ticket Request Using RC4 Encryption Windows icon Windows Event Log Security 4769 T1558 T1558.001 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2024-09-24
Kerberos TGT Request Using RC4 Encryption Windows icon Windows Event Log Security 4768 T1550 TTP Active Directory Kerberos Attacks 2024-09-24
Kerberos User Enumeration Windows icon Windows Event Log Security 4768 T1589 T1589.002 Anomaly Active Directory Kerberos Attacks 2024-09-24
Linux Auditd Add User Account Type Linux icon Linux Auditd Add User T1136 T1136.001 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-24
Linux Auditd Database File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-24
Linux Auditd Find Private Keys Linux icon Linux Auditd Execve T1552.004 T1552 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-24
Linux Auditd Hidden Files And Directories Creation Linux icon Linux Auditd Execve T1083 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-24
Linux Auditd Virtual Disk File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-24
LOLBAS With Network Traffic Windows icon Sysmon EventID 3 T1105 T1567 T1218 TTP Living Off The Land 2024-09-24
Malicious Powershell Executed As A Service Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP Malicious PowerShell, Rhysida Ransomware 2024-09-24
Malicious PowerShell Process With Obfuscation Techniques Windows icon Sysmon EventID 1 T1059 T1059.001 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-24
Randomly Generated Scheduled Task Name Windows icon Windows Event Log Security 4698 T1053 T1053.005 Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-09-24
Randomly Generated Windows Service Name Windows icon Windows Event Log System 7045 T1543 T1543.003 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-09-24
Rubeus Kerberos Ticket Exports Through Winlogon Access Windows icon Sysmon EventID 10 T1550 T1550.003 TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-24
Short Lived Scheduled Task Windows icon Windows Event Log Security 4698, Windows icon Windows Event Log Security 4699 T1053.005 TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks 2024-09-24
Suspicious Kerberos Service Ticket Request Windows icon Windows Event Log Security 4769 T1078 T1078.002 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-24
Suspicious Process File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-09-24
Suspicious Ticket Granting Ticket Request Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4781 T1078 T1078.002 Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-24
Unusual Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1078 Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Unusual Number of Kerberos Service Tickets Requested Windows icon Windows Event Log Security 4769 T1558 T1558.003 Anomaly Active Directory Kerberos Attacks 2024-09-24
Unusual Number of Remote Endpoint Authentication Events Windows icon Windows Event Log Security 4624 T1078 Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Access Token Manipulation SeDebugPrivilege Windows icon Windows Event Log Security 4703 T1134.002 T1134 Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX, ValleyRAT 2024-09-24
Windows AD ServicePrincipalName Added To Domain Account Windows icon Windows Event Log Security 5136 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-24
Windows AD Short Lived Domain Account ServicePrincipalName Windows icon Windows Event Log Security 5136 T1098 TTP Sneaky Active Directory Persistence Tricks 2024-09-24
Windows AD Short Lived Server Object Windows icon Windows Event Log Security 5137, Windows icon Windows Event Log Security 5141 T1207 TTP Sneaky Active Directory Persistence Tricks 2024-09-24
Windows AD SID History Attribute Modified Windows icon Windows Event Log Security 5136 T1134 T1134.005 TTP Sneaky Active Directory Persistence Tricks 2024-09-24
Windows Administrative Shares Accessed On Multiple Hosts Windows icon Windows Event Log Security 5140, Windows icon Windows Event Log Security 5145 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Admon Default Group Policy Object Modified Windows icon Windows Active Directory Admon T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-24
Windows Admon Group Policy Object Created Windows icon Windows Active Directory Admon T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-24
Windows Default Group Policy Object Modified Windows icon Windows Event Log Security 5136 T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-24
Windows Defender Exclusion Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics 2024-09-24
Windows DISM Install PowerShell Web Access T1548.002 TTP CISA AA24-241A 2024-09-24
Windows DnsAdmins New Member Added Windows icon Windows Event Log Security 4732 T1098 TTP Active Directory Privilege Escalation 2024-09-24
Windows Domain Admin Impersonation Indicator Windows icon Windows Event Log Security 4627 T1558 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Gozi Malware 2024-09-24
Windows ESX Admins Group Creation Security Event T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-24
Windows Get-AdComputer Unconstrained Delegation Discovery Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Kerberos Attacks 2024-09-24
Windows Group Policy Object Created Windows icon Windows Event Log Security 5136, Windows icon Windows Event Log Security 5137 T1484 T1484.001 T1078.002 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-24
Windows Large Number of Computer Service Tickets Requested Windows icon Windows Event Log Security 4769 T1135 T1078 Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Local Administrator Credential Stuffing Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4625 T1110 T1110.004 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Multiple Account Passwords Changed Windows icon Windows Event Log Security 4724 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-24
Windows Multiple Accounts Deleted Windows icon Windows Event Log Security 4726 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-24
Windows Multiple Accounts Disabled Windows icon Windows Event Log Security 4725 T1098 T1078 TTP Azure Active Directory Persistence 2024-09-24
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-24
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 T1110 TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-24
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-24
Windows Multiple Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-24
Windows Multiple Users Remotely Failed To Authenticate From Host Windows icon Windows Event Log Security 4625 T1110.003 T1110 TTP Active Directory Password Spraying, Volt Typhoon 2024-09-24
Windows PowerSploit GPP Discovery Windows icon Powershell Script Block Logging 4104 T1552 T1552.006 TTP Active Directory Privilege Escalation 2024-09-24
Windows PowerView AD Access Control List Enumeration Windows icon Powershell Script Block Logging 4104 T1078.002 T1069 TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-24
Windows Rapid Authentication On Multiple Hosts Windows icon Windows Event Log Security 4624 T1003.002 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Service Created with Suspicious Service Path Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware 2024-09-24
Windows Special Privileged Logon On Multiple Hosts Windows icon Windows Event Log Security 4672 T1087 T1021.002 T1135 TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-24
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-24
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows icon Windows Event Log Security 4648 T1110.003 T1110 Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-24
Windows Unusual Count Of Users Failed To Authenticate From Process Windows icon Windows Event Log Security 4625 T1110.003 T1110 Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-24
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows icon Windows Event Log Security 4776 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-24
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows icon Windows Event Log Security 4625 T1110.003 T1110 Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-24
WinEvent Windows Task Scheduler Event Action Started Windows icon Windows Event Log TaskScheduler 200 T1053.005 Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern 2024-09-24
Detect Windows DNS SIGRed via Zeek T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-09-24
Windows Modify Registry Utilize ProgIDs T1112 Anomaly ValleyRAT 2024-09-18
Windows Impair Defenses Disable AV AutoStart via Registry T1112 TTP ValleyRAT 2024-09-11
Windows Modify Registry ValleyRAT C2 Config T1112 TTP ValleyRAT 2024-09-11
Windows Modify Registry ValleyRat PWN Reg Entry T1112 TTP ValleyRAT 2024-09-11
Windows Scheduled Task DLL Module Loaded T1053 TTP ValleyRAT 2024-09-11
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr T1053 TTP ValleyRAT 2024-09-11
Linux Auditd Add User Account Linux icon Linux Auditd Proctitle T1136.001 T1136 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd At Application Execution Linux icon Linux Auditd Syscall T1053.002 T1053 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-04
Linux Auditd Auditd Service Stop Linux icon Linux Auditd Service Stop T1489 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Base64 Decode Files Linux icon Linux Auditd Execve T1140 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Change File Owner To Root Linux icon Linux Auditd Proctitle T1222.002 T1222 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Clipboard Data Copy Linux icon Linux Auditd Execve T1115 Anomaly Compromised Linux Host, Linux Living Off The Land 2024-09-04
Linux Auditd Data Destruction Command Linux icon Linux Auditd Execve T1485 TTP AwfulShred, Compromised Linux Host, Data Destruction 2024-09-04
Linux Auditd Data Transfer Size Limits Via Split Linux icon Linux Auditd Execve T1030 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Data Transfer Size Limits Via Split Syscall Linux icon Linux Auditd Syscall T1030 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Dd File Overwrite Linux icon Linux Auditd Proctitle T1485 TTP Compromised Linux Host, Data Destruction, Industroyer2 2024-09-04
Linux Auditd Disable Or Modify System Firewall Linux icon Linux Auditd Service Stop T1562.004 T1562 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Doas Conf File Creation Linux icon Linux Auditd Path T1548.003 T1548 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Doas Tool Execution Linux icon Linux Auditd Syscall T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Edit Cron Table Parameter Linux icon Linux Auditd Syscall T1053.003 T1053 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-04
Linux Auditd File And Directory Discovery Linux icon Linux Auditd Execve T1083 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd File Permission Modification Via Chmod Linux icon Linux Auditd Proctitle T1222.002 T1222 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd File Permissions Modification Via Chattr Linux icon Linux Auditd Execve T1222.002 T1222 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Find Credentials From Password Managers Linux icon Linux Auditd Execve T1555.005 T1555 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Find Credentials From Password Stores Linux icon Linux Auditd Execve T1555.005 T1555 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Find Ssh Private Keys Linux icon Linux Auditd Execve T1552.004 T1552 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Hardware Addition Swapoff Linux icon Linux Auditd Execve T1200 Anomaly AwfulShred, Compromised Linux Host, Data Destruction 2024-09-04
Linux Auditd Insert Kernel Module Using Insmod Utility Linux icon Linux Auditd Syscall T1547.006 T1547 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-04
Linux Auditd Install Kernel Module Using Modprobe Utility Linux icon Linux Auditd Syscall T1547.006 T1547 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-04
Linux Auditd Kernel Module Enumeration Linux icon Linux Auditd Syscall T1082 T1014 Anomaly Compromised Linux Host, Linux Rootkit 2024-09-04
Linux Auditd Kernel Module Using Rmmod Utility Linux icon Linux Auditd Syscall T1547.006 T1547 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Nopasswd Entry In Sudoers File Linux icon Linux Auditd Proctitle T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Osquery Service Stop Linux icon Linux Auditd Service Stop T1489 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Possible Access Or Modification Of Sshd Config File Linux icon Linux Auditd Path T1098.004 T1098 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Possible Access To Credential Files Linux icon Linux Auditd Proctitle T1003.008 T1003 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Possible Access To Sudoers File Linux icon Linux Auditd Path T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File Linux icon Linux Auditd Path T1053.003 T1053 Hunting Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-04
Linux Auditd Preload Hijack Library Calls Linux icon Linux Auditd Execve T1574.006 T1574 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Preload Hijack Via Preload File Linux icon Linux Auditd Path T1574.006 T1574 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Service Restarted Linux icon Linux Auditd Proctitle T1053.006 T1053 Anomaly AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-04
Linux Auditd Service Started Linux icon Linux Auditd Proctitle T1569.002 T1569 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Setuid Using Chmod Utility Linux icon Linux Auditd Proctitle T1548.001 T1548 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Setuid Using Setcap Utility Linux icon Linux Auditd Execve T1548.001 T1548 TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Shred Overwrite Command Linux icon Linux Auditd Proctitle T1485 TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Stop Services Linux icon Linux Auditd Service Stop T1489 TTP AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 2024-09-04
Linux Auditd Sudo Or Su Execution Linux icon Linux Auditd Proctitle T1548.003 T1548 Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Sysmon Service Stop Linux icon Linux Auditd Service Stop T1489 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd System Network Configuration Discovery Linux icon Linux Auditd Syscall T1016 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Unix Shell Configuration Modification Linux icon Linux Auditd Path T1546.004 T1546 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Unload Module Via Modprobe Linux icon Linux Auditd Execve T1547.006 T1547 TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Linux Auditd Whoami User Discovery Linux icon Linux Auditd Syscall T1033 Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-04
Windows Enable PowerShell Web Access T1059.001 TTP CISA AA24-241A, Malicious PowerShell 2024-09-03
Ivanti VTM New Account Creation Ivanti VTM Audit T1190 TTP Ivanti Virtual Traffic Manager CVE-2024-7593 2024-08-19
AWS SAML Update identity provider AWS icon AWS CloudTrail UpdateSAMLProvider T1078 TTP Cloud Federated Credential Abuse 2024-08-19
Detect new API calls from user roles T1078.004 Anomaly AWS User Monitoring 2024-08-19
Dump LSASS via procdump Rename Windows icon Sysmon EventID 1 T1003.001 Hunting CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-08-19
GCP Detect accounts with high risk roles by project T1078 Hunting GCP Cross Account Activity 2024-08-19
Cobalt Strike Named Pipes Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1055 TTP BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot 2024-08-19
Detect mshta renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 Hunting Living Off The Land, Suspicious MSHTA Activity 2024-08-19
Detect Renamed 7-Zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting Collection and Staging 2024-08-19
Detect Renamed PSExec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1569 T1569.002 Hunting Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools 2024-08-19
Detect Renamed RClone CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1020 Hunting DarkSide Ransomware, Ransomware 2024-08-19
Detect Renamed WinRAR CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Hunting CISA AA22-277A, Collection and Staging 2024-08-19
First Time Seen Child Process of Zoom CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 Anomaly Suspicious Zoom Child Processes 2024-08-19
ServicePrincipalNames Discovery with SetSPN CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1558.003 TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2024-08-19
Windows Default Group Policy Object Modified with GPME CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1484 T1484.001 TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-08-19
Windows Ingress Tool Transfer Using Explorer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 Anomaly DarkCrystal RAT 2024-08-19
Abnormally High Number Of Cloud Infrastructure API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-08-16
Abnormally High Number Of Cloud Security Group API Calls AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud User Activities 2024-08-16
Cloud Instance Modified By Previously Unseen User AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-08-16
ASL AWS Excessive Security Scanning T1526 Anomaly AWS User Monitoring 2024-08-16
Detect DNS requests to Phishing Sites leveraging EvilGinx2 T1566.003 TTP Common Phishing Frameworks 2024-08-16
Detect Spike in Security Group Activity T1078.004 Anomaly AWS User Monitoring 2024-08-16
DNS Query Requests Resolved by Unauthorized DNS Servers T1071.004 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-08-16
EC2 Instance Modified With Previously Unseen User T1078.004 Anomaly Unusual AWS EC2 Modifications 2024-08-16
EC2 Instance Started In Previously Unseen Region T1535 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-08-16
EC2 Instance Started With Previously Unseen Instance Type Anomaly AWS Cryptomining 2024-08-16
EC2 Instance Started With Previously Unseen User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-08-16
Execution of File With Spaces Before Extension Windows icon Sysmon EventID 1 T1036.003 TTP Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-08-16
GCP Detect high risk permissions by resource and account T1078 Hunting GCP Cross Account Activity 2024-08-16
Identify New User Accounts T1078.002 Hunting N/A 2024-08-16
Kubernetes AWS detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-08-16
Kubernetes AWS detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-08-16
Kubernetes GCP detect most active service accounts by pod Hunting Kubernetes Sensitive Role Activity 2024-08-16
Kubernetes GCP detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-08-16
Kubernetes GCP detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-08-16
Monitor DNS For Brand Abuse TTP Brand Monitoring 2024-08-16
Okta ThreatInsight Login Failure with High Unknown users T1078 T1078.001 T1110.004 TTP Suspicious Okta Activity 2024-08-16
Okta ThreatInsight Suspected PasswordSpray Attack T1078 T1078.001 T1110.003 TTP Suspicious Okta Activity 2024-08-16
Okta Two or More Rejected Okta Pushes T1110 TTP Okta MFA Exhaustion, Suspicious Okta Activity 2024-08-16
Suspicious Changes to File Associations Windows icon Sysmon EventID 1 T1546.001 TTP Suspicious Windows Registry Activities, Windows File Extension and Association Abuse 2024-08-16
Suspicious Email - UBA Anomaly T1566 Anomaly Suspicious Emails 2024-08-16
Suspicious File Write Windows icon Sysmon EventID 11 Hunting Hidden Cobra Malware 2024-08-16
Web Fraud - Account Harvesting T1136 TTP Web Fraud Detection 2024-08-16
Web Fraud - Anomalous User Clickspeed T1078 Anomaly Web Fraud Detection 2024-08-16
Windows hosts file modification Windows icon Sysmon EventID 11 TTP Host Redirection 2024-08-16
Detect Baron Samedit CVE-2021-3156 T1068 TTP Baron Samedit CVE-2021-3156 2024-08-16
Detect Baron Samedit CVE-2021-3156 Segfault T1068 TTP Baron Samedit CVE-2021-3156 2024-08-16
Detect Baron Samedit CVE-2021-3156 via OSQuery T1068 TTP Baron Samedit CVE-2021-3156 2024-08-16
Known Services Killed by Ransomware Windows icon Windows Event Log System 7036 T1490 TTP BlackMatter Ransomware, LockBit Ransomware, Ransomware 2024-08-16
Linux SSH Authorized Keys Modification Linux icon Sysmon for Linux EventID 1 T1098.004 Anomaly Linux Living Off The Land 2024-08-16
Linux SSH Remote Services Script Execute Linux icon Sysmon for Linux EventID 1 T1021.004 TTP Linux Living Off The Land 2024-08-16
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer 2024-08-16
Windows Service Created Within Public Path Windows icon Windows Event Log System 7045 T1543 T1543.003 TTP Active Directory Lateral Movement, Snake Malware 2024-08-16
Detect Port Security Violation T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-08-16
Detect F5 TMUI RCE CVE-2020-5902 T1190 TTP F5 TMUI RCE CVE-2020-5902 2024-08-16
JetBrains TeamCity RCE Attempt Suricata T1190 TTP CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities 2024-08-16
WS FTP Remote Code Execution Suricata T1190 TTP WS FTP Server Critical Vulnerabilities 2024-08-16
Abnormally High AWS Instances Launched by User T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-08-15
Abnormally High AWS Instances Launched by User - MLTK T1078.004 Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-08-15
Abnormally High AWS Instances Terminated by User T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-08-15
Abnormally High AWS Instances Terminated by User - MLTK T1078.004 Anomaly Suspicious AWS EC2 Activities 2024-08-15
AWS Cloud Provisioning From Previously Unseen Region T1535 Anomaly AWS Suspicious Provisioning Activities 2024-08-15
AWS EKS Kubernetes cluster sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-08-15
Clients Connecting to Multiple DNS Servers T1048.003 TTP Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic 2024-08-15
Cloud Network Access Control List Deleted Anomaly AWS Network ACL Activity 2024-08-15
Detect Activity Related to Pass the Hash Attacks Windows icon Windows Event Log Security 4624 T1550 T1550.002 Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-08-15
Detect API activity from users without MFA Hunting AWS User Monitoring 2024-08-15
Detect AWS API Activities From Unapproved Accounts T1078.004 Hunting AWS User Monitoring 2024-08-15
Detect Long DNS TXT Record Response T1048.003 TTP Command And Control, Suspicious DNS Traffic 2024-08-15
Detect Mimikatz Via PowerShell And EventCode 4703 T1003.001 TTP Cloud Federated Credential Abuse 2024-08-15
Detect new user AWS Console Login T1078.004 Hunting Suspicious AWS Login Activities 2024-08-15
Detect Spike in AWS API Activity T1078.004 Anomaly AWS User Monitoring 2024-08-15
Detect Spike in Network ACL Activity T1562.007 Anomaly AWS Network ACL Activity 2024-08-15
Detect USB device insertion TTP Data Protection 2024-08-15
Detect web traffic to dynamic domain providers T1071.001 TTP Dynamic DNS 2024-08-15
Detection of DNS Tunnels T1048.003 TTP Command And Control, Data Protection, Suspicious DNS Traffic 2024-08-15
DNS record changed T1071.004 TTP DNS Hijacking 2024-08-15
EC2 Instance Started With Previously Unseen AMI Anomaly AWS Cryptomining 2024-08-15
Extended Period Without Successful Netbackup Backups Hunting Monitor Backup Solution 2024-08-15
First time seen command line argument Windows icon Sysmon EventID 1 T1059.001 T1059.003 Hunting DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions 2024-08-15
gcp detect oauth token abuse T1078 Hunting GCP Cross Account Activity 2024-08-15
GCP Kubernetes cluster scan detection T1526 TTP Kubernetes Scanning Activity 2024-08-15
Kubernetes AWS detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-08-15
Kubernetes Azure active service accounts by pod namespace Hunting Kubernetes Sensitive Role Activity 2024-08-15
Kubernetes Azure detect RBAC authorization by account Hunting Kubernetes Sensitive Role Activity 2024-08-15
Kubernetes Azure detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-08-15
Kubernetes Azure detect service accounts forbidden failure access Hunting Kubernetes Sensitive Object Access Activity 2024-08-15
Kubernetes Azure detect suspicious kubectl calls Hunting Kubernetes Sensitive Object Access Activity 2024-08-15
Kubernetes Azure pod scan fingerprint Hunting Kubernetes Scanning Activity 2024-08-15
Kubernetes Azure scan fingerprint T1526 Hunting Kubernetes Scanning Activity 2024-08-15
Kubernetes GCP detect RBAC authorizations by account Hunting Kubernetes Sensitive Role Activity 2024-08-15
Kubernetes GCP detect sensitive object access Hunting Kubernetes Sensitive Object Access Activity 2024-08-15
O365 Suspicious User Email Forwarding T1114.003 T1114 Anomaly Data Exfiltration, Office 365 Collection Techniques 2024-08-15
Osquery pack - ColdRoot detection TTP ColdRoot MacOS RAT 2024-08-15
Processes created by netsh Windows icon Sysmon EventID 1 T1562.004 TTP Netsh Abuse 2024-08-15
Prohibited Software On Endpoint Windows icon Sysmon EventID 1 Hunting Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware 2024-08-15
Reg exe used to hide files directories via registry keys Windows icon Sysmon EventID 1 T1564.001 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-08-15
Remote Registry Key modifications Windows icon Sysmon EventID 13 TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-08-15
Scheduled tasks used in BadRabbit ransomware Windows icon Sysmon EventID 1 T1053.005 TTP Ransomware 2024-08-15
Spectre and Meltdown Vulnerable Systems TTP Spectre And Meltdown Vulnerabilities 2024-08-15
Suspicious Powershell Command-Line Arguments Windows icon Sysmon EventID 1 T1059.001 TTP CISA AA22-320A, Hermetic Wiper, Malicious PowerShell 2024-08-15
Suspicious writes to System Volume Information Windows icon Sysmon EventID 1 T1036 Hunting Collection and Staging 2024-08-15
Uncommon Processes On Endpoint Windows icon Sysmon EventID 1 T1204.002 Hunting Hermetic Wiper, Unusual Processes, Windows Privilege Escalation 2024-08-15
Unsigned Image Loaded by LSASS Windows icon Sysmon EventID 7 T1003.001 TTP Credential Dumping 2024-08-15
Unsuccessful Netbackup backups Hunting Monitor Backup Solution 2024-08-15
Web Fraud - Password Sharing Across Accounts Anomaly Web Fraud Detection 2024-08-15
Account Discovery With Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP IcedID, Trickbot 2024-08-15
Anomalous usage of 7zip CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1560.001 T1560 Anomaly BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group 2024-08-15
Attempt To Add Certificate To Untrusted Store CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1553.004 T1553 TTP Disabling Security Tools 2024-08-15
BITSAdmin Download File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1197 T1105 TTP BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land 2024-08-15
CertUtil Download With VerifyCtl and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land 2024-08-15
CertUtil With Decode Argument CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1140 TTP APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land 2024-08-15
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.004 T1070 TTP Ransomware 2024-08-15
CMD Echo Pipe - Escalation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 T1543.003 T1543 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-08-15
Conti Common Exec parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Ransomware 2024-08-15
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.002 TTP Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 2024-08-15
Create or delete windows shares using net exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 T1070.005 TTP CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation 2024-08-15
Deleting Of Net Users CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 TTP DarkGate Malware, Graceful Wipe Out Attack, XMRig 2024-08-15
Deleting Shadow Copies CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation 2024-08-15
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 Hunting Living Off The Land, Suspicious Compiled HTML Activity 2024-08-15
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity 2024-08-15
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Living Off The Land, Suspicious Compiled HTML Activity 2024-08-15
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Gozi Malware, Living Off The Land, Suspicious MSHTA Activity 2024-08-15
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Living Off The Land, Suspicious MSHTA Activity 2024-08-15
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.009 T1574 TTP Windows Persistence Techniques 2024-08-15
Detect PsExec With accepteula Flag CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 TTP Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon 2024-08-15
Detect RClone Command-Line Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1020 TTP DarkSide Ransomware, Ransomware 2024-08-15
Disabling Net User Account CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 TTP XMRig 2024-08-15
DNS Exfiltration Using Nslookup App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048 TTP Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-08-15
DSQuery Domain Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1482 TTP Active Directory Discovery, Domain Trust Discovery 2024-08-15
Excessive number of service control start as disabled CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Anomaly Windows Defense Evasion Tactics 2024-08-15
GPUpdate with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-08-15
Hunting 3CXDesktopApp Software CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1195.002 Hunting 3CX Supply Chain Attack 2024-08-15
Java Class File download by Java User Agent Splunk icon Splunk Stream HTTP T1190 TTP Log4Shell CVE-2021-44228 2024-08-15
Malicious InProcServer32 Modification Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1218.010 T1112 TTP Remcos, Suspicious Regsvr32 Activity 2024-08-15
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1550 T1550.003 TTP Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools 2024-08-15
Office Spawning Control CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-08-15
Password Policy Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-08-15
Process Writing DynamicWrapperX Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1059 T1559.001 Hunting Remcos 2024-08-15
Regsvr32 Silent and Install Param Dll Loading CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2024-08-15
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1550 T1550.003 T1558 T1558.003 T1558.004 TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-08-15
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-08-15
Suspicious Reg exe Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1112 Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2024-08-15
Wget Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Log4Shell CVE-2021-44228 2024-08-15
Windows Access Token Manipulation Winlogon Duplicate Token Handle Windows icon Sysmon EventID 10 T1134.001 T1134 Hunting Brute Ratel C4 2024-08-15
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Windows icon Sysmon EventID 10 T1134.001 T1134 Anomaly Brute Ratel C4 2024-08-15
Windows Binary Proxy Execution Mavinject DLL Injection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.013 T1218 TTP Living Off The Land 2024-08-15
Windows COM Hijacking InprocServer32 Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.015 T1546 TTP Living Off The Land 2024-08-15
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Forest Blizzard, IcedID, Ingress Tool Transfer 2024-08-15
Windows Defender ASR Block Events Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1129 T1059 T1566.001 T1566.002 Anomaly Windows Attack Surface Reduction 2024-08-15
Windows Defender ASR Rule Disabled Windows icon Windows Event Log Defender 5007 T1112 TTP Windows Attack Surface Reduction 2024-08-15
Windows Defender ASR Rules Stacking Windows icon Windows Event Log Defender 1121, Windows icon Windows Event Log Defender 1122, Windows icon Windows Event Log Defender 1129, Windows icon Windows Event Log Defender 5007 T1566.001 T1566.002 T1059 Hunting Windows Attack Surface Reduction 2024-08-15
Windows DiskCryptor Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1486 Hunting Ransomware 2024-08-15
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.001 TTP Living Off The Land, Windows Defense Evasion Tactics 2024-08-15
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 2024-08-15
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1190 T1133 TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-08-15
Windows Lateral Tool Transfer RemCom CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1570 TTP Active Directory Discovery 2024-08-15
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 T1069.002 TTP Volt Typhoon 2024-08-15
Windows Mimikatz Binary Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003 TTP CISA AA22-320A, CISA AA23-347A, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon 2024-08-15
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1546.003 TTP Living Off The Land 2024-08-15
Windows Ngrok Reverse Proxy Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1572 T1090 T1102 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-08-15
Windows NirSoft AdvancedRun CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1588.002 TTP Data Destruction, Ransomware, Unusual Processes, WhisperGate 2024-08-15
Windows NirSoft Utilities CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1588.002 Hunting Data Destruction, WhisperGate 2024-08-15
Windows Non-System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA23-347A, Credential Dumping 2024-08-15
Windows Odbcconf Load Response File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2024-08-15
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1190 T1133 TTP PaperCut MF NG Vulnerability 2024-08-15
Windows Privileged Group Modification T1136.001 T1136.002 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-08-15
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 TTP Ransomware 2024-08-15
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055.001 T1218 T1055 TTP Windows Defense Evasion Tactics 2024-08-15
Windows Remote Create Service CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 Anomaly Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A 2024-08-15
Windows Rundll32 WebDAV Request CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-08-15
Windows Rundll32 WebDav With Network Connection T1048.003 TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-08-15
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Qakbot, Scheduled Tasks, Windows Persistence Techniques 2024-08-15
Windows System Script Proxy Execution Syncappvpublishingserver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1216 T1218 TTP Living Off The Land 2024-08-15
Windows Terminating Lsass Process Windows icon Sysmon EventID 10 T1562.001 T1562 Anomaly Data Destruction, Double Zero Destructor 2024-08-15
Windows Vulnerable 3CX Software CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1195.002 TTP 3CX Supply Chain Attack 2024-08-15
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Remcos 2024-08-15
Winword Spawning Cmd CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments 2024-08-15
WMI Temporary Event Subscription T1047 TTP Suspicious WMI Use 2024-08-15
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Hunting Azorult, IcedID 2024-08-15
Access LSASS Memory for Dump Creation Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA23-347A, Credential Dumping 2024-08-14
Any Powershell DownloadFile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer 2024-08-14
Any Powershell DownloadString CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.001 T1105 TTP Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern 2024-08-14
Attempt To Stop Security Service CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate 2024-08-14
Attempted Credential Dump From Registry via Reg exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse 2024-08-14
BCDEdit Failure Recovery Modification CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP Ransomware, Ryuk Ransomware 2024-08-14
BITS Job Persistence CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1197 TTP BITS Jobs, Living Off The Land 2024-08-14
CertUtil Download With URLCache and Split Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell 2024-08-14
Certutil exe certificate extraction CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 TTP Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques 2024-08-14
Clop Common Exec Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 TTP Clop Ransomware 2024-08-14
Cmdline Tool Not Executed In CMD Shell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.007 TTP CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon 2024-08-14
Create local admin accounts using net exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1136.001 T1136 TTP Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware 2024-08-14
Create Remote Thread into LSASS Windows icon Sysmon EventID 8 T1003.001 T1003 TTP BlackSuit Ransomware, Credential Dumping 2024-08-14
Curl Download and Bash Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 2024-08-14
Detect AzureHound Command-Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1069.001 T1482 T1087.001 T1087 T1069.002 T1069 TTP Windows Discovery Techniques 2024-08-14
Detect Computer Changed with Anonymous Account Windows icon Windows Event Log Security 4624, Windows icon Windows Event Log Security 4742 T1210 Hunting Detect Zerologon Attack 2024-08-14
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.001 TTP Living Off The Land, Suspicious Compiled HTML Activity 2024-08-14
Detect processes used for System Network Configuration Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1016 TTP Unusual Processes 2024-08-14
Detect Prohibited Applications Spawning cmd exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 T1059.003 Hunting NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2024-08-14
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regasm with Network Connection Windows icon Sysmon EventID 3 T1218 T1218.009 TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regasm with no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regsvcs with Network Connection Windows icon Sysmon EventID 3 T1218 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regsvcs with No Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.009 TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-08-14
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity 2024-08-14
Detect Rundll32 Application Control Bypass - advpack CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Living Off The Land, Suspicious Rundll32 Activity 2024-08-14
Detect Rundll32 Application Control Bypass - setupapi CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Living Off The Land, Suspicious Rundll32 Activity 2024-08-14
Detect Rundll32 Application Control Bypass - syssetup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Living Off The Land, Suspicious Rundll32 Activity 2024-08-14
DLLHost with no Command Line Arguments with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-08-14
Domain Account Discovery with Dsquery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery 2024-08-14
Domain Account Discovery With Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware 2024-08-14
Domain Account Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery 2024-08-14
Dump LSASS via comsvcs DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon 2024-08-14
Dump LSASS via procdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 T1003 TTP CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-08-14
Esentutl SAM Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 Hunting Credential Dumping, Living Off The Land 2024-08-14
Excel Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Spearphishing Attachments 2024-08-14
Excel Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.002 T1003 TTP Spearphishing Attachments 2024-08-14
Excessive Attempt To Disable Services CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 Anomaly Azorult, XMRig 2024-08-14
Excessive Service Stop Attempt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 Anomaly BlackByte Ransomware, Ransomware, XMRig 2024-08-14
Excessive Usage Of Cacls App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 Anomaly Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig 2024-08-14
Excessive Usage Of Taskkill CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 Anomaly AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig 2024-08-14
Execution of File with Multiple Extensions CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 TTP AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-08-14
File with Samsam Extension CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 TTP SamSam Ransomware 2024-08-14
Get ADDefaultDomainPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 Hunting Active Directory Discovery 2024-08-14
Get ADUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-08-14
Get ADUserResultantPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 TTP Active Directory Discovery, CISA AA23-347A 2024-08-14
Get DomainPolicy with Powershell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1201 TTP Active Directory Discovery 2024-08-14
Get DomainUser with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A 2024-08-14
GetWmiObject DS User with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087.002 T1087 TTP Active Directory Discovery 2024-08-14
High Process Termination Frequency Windows icon Sysmon EventID 5 T1486 Anomaly BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger 2024-08-14
Java Writing JSP File Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1190 T1133 TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-08-14
Linux apt-get Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux APT Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux AWK Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Busybox Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux c89 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux c99 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Clipboard Data Copy Linux icon Sysmon for Linux EventID 1 T1115 Anomaly Linux Living Off The Land 2024-08-14
Linux Composer Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Cpulimit Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Csvtool Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Curl Upload File Linux icon Sysmon for Linux EventID 1 T1105 TTP Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land 2024-08-14
Linux Decode Base64 to Shell Linux icon Sysmon for Linux EventID 1 T1027 T1059.004 TTP Linux Living Off The Land 2024-08-14
Linux Docker Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Emacs Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Find Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux GDB Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Gem Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux GNU Awk Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Ingress Tool Transfer Hunting Linux icon Sysmon for Linux EventID 1 T1105 Hunting Ingress Tool Transfer, Linux Living Off The Land 2024-08-14
Linux Ingress Tool Transfer with Curl Linux icon Sysmon for Linux EventID 1 T1105 Anomaly Ingress Tool Transfer, Linux Living Off The Land 2024-08-14
Linux Java Spawning Shell Linux icon Sysmon for Linux EventID 1 T1190 T1133 TTP Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 2024-08-14
Linux Kernel Module Enumeration Linux icon Sysmon for Linux EventID 1 T1082 T1014 Anomaly Linux Rootkit 2024-08-14
Linux Make Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux MySQL Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Ngrok Reverse Proxy Usage Linux icon Sysmon for Linux EventID 1 T1572 T1090 T1102 Anomaly Reverse Network Proxy 2024-08-14
Linux Node Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Obfuscated Files or Information Base64 Decode Linux icon Sysmon for Linux EventID 1 T1027 Anomaly Linux Living Off The Land 2024-08-14
Linux Octave Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux OpenVPN Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux PHP Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux pkexec Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1068 TTP Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Proxy Socks Curl Linux icon Sysmon for Linux EventID 1 T1090 T1095 TTP Ingress Tool Transfer, Linux Living Off The Land 2024-08-14
Linux Puppet Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux RPM Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Ruby Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
Linux Sqlite3 Privilege Escalation Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-08-14
MSI Module Loaded by Non-System Binary Windows icon Sysmon EventID 7 T1574.002 T1574 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-08-14
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BishopFox Sliver Adversary Emulation Framework 2024-08-14
Office Product Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments 2024-08-14
Office Product Writing cab or inf CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-08-14
Processes Tapping Keyboard Events TTP ColdRoot MacOS RAT 2024-08-14
Regsvr32 with Known Silent Switch Cmdline CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 Anomaly AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity 2024-08-14
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-08-14
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053.005 T1053 TTP Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-08-14
Set Default PowerShell Execution Policy To Unrestricted or Bypass CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1059 T1059.001 TTP Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell 2024-08-14
Shim Database File Creation Windows icon Sysmon EventID 11 T1546.011 T1546 TTP Windows Persistence Techniques 2024-08-14
Spoolsv Suspicious Process Access Windows icon Sysmon EventID 10 T1068 TTP PrintNightmare CVE-2021-34527 2024-08-14
Suspicious PlistBuddy Usage via OSquery T1543.001 T1543 TTP Silver Sparrow 2024-08-14
Suspicious Regsvr32 Register Suspicious Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.010 TTP IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity 2024-08-14
Suspicious Rundll32 dllregisterserver CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity 2024-08-14
UAC Bypass With Colorui COM Object Windows icon Sysmon EventID 7 T1218 T1218.003 TTP LockBit Ransomware, Ransomware 2024-08-14
Windows Apache Benchmark Binary CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Anomaly MetaSploit 2024-08-14
Windows AutoIt3 Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP DarkGate Malware, Handala Wiper 2024-08-14
Windows Credential Dumping LSASS Memory Createdump CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.001 TTP Credential Dumping 2024-08-14
Windows Defender ASR Registry Modification Windows icon Windows Event Log Defender 5007 T1112 Hunting Windows Attack Surface Reduction 2024-08-14
Windows Disable or Modify Tools Via Taskkill CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562 T1562.001 Anomaly NjRAT 2024-08-14
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.002 T1562 T1505 T1505.004 TTP CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics 2024-08-14
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics 2024-08-14
Windows DotNet Binary in Non Standard Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 T1218 T1218.004 TTP Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-08-14
Windows Hunting System Account Targeting Lsass Windows icon Sysmon EventID 10 T1003.001 T1003 Hunting CISA AA23-347A, Credential Dumping 2024-08-14
Windows Identify Protocol Handlers CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Hunting Living Off The Land 2024-08-14
Windows IIS Components Add New Module CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.004 Anomaly IIS Components 2024-08-14
Windows InstallUtil in Non Standard Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 T1218 T1218.004 TTP Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-08-14
Windows InstallUtil Remote Network Connection Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-08-14
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-08-14
Windows InstallUtil Uninstall Option with Network Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.004 T1218 TTP Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-08-14
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.004 T1218 TTP Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-08-14
Windows MSIExec DLLRegisterServer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-08-14
Windows MSIExec Remote Download CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-08-14
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-08-14
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP DarkGate Malware 2024-08-14
Windows MSIExec Unregister DLLRegisterServer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-08-14
Windows MSIExec With Network Connections Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1218.007 TTP Windows System Binary Proxy Execution MSIExec 2024-08-14
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 Hunting Living Off The Land 2024-08-14
Windows Odbcconf Load DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.008 TTP Living Off The Land 2024-08-14
Windows Office Product Spawning MSDT CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments 2024-08-14
Windows Possible Credential Dumping Windows icon Sysmon EventID 10 T1003.001 T1003 TTP CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack 2024-08-14
Windows Process Injection into Notepad Windows icon Sysmon EventID 10 T1055 T1055.002 Anomaly BishopFox Sliver Adversary Emulation Framework 2024-08-14
Windows Process Injection With Public Source Path Windows icon Sysmon EventID 8 T1055 T1055.002 Hunting Brute Ratel C4 2024-08-14
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1572 T1021.004 TTP CISA AA22-257A 2024-08-14
Windows Remote Access Software Hunt CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Hunting Command And Control, Insider Threat, Ransomware 2024-08-14
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Unusual Processes 2024-08-14
Windows Server Software Component GACUtil Install to GAC CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1505 T1505.004 TTP IIS Components 2024-08-14
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1563.002 T1563 T1543.003 TTP Active Directory Lateral Movement 2024-08-14
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Flax Typhoon 2024-08-14
Windows Steal Authentication Certificates CertUtil Backup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-08-14
Windows Steal Authentication Certificates Export Certificate CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-08-14
Windows Steal Authentication Certificates Export PfxCertificate CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 Anomaly Windows Certificate Services 2024-08-14
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.001 T1218 TTP Living Off The Land, Suspicious Compiled HTML Activity 2024-08-14
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP DarkGate Malware 2024-08-14
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP WinRAR Spoofing Attack CVE-2023-38831 2024-08-14
Winword Spawning PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments 2024-08-14
Winword Spawning Windows Script Host CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments 2024-08-14
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1220 TTP Suspicious WMI Use 2024-08-14
XSL Script Execution With WMIC CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1220 TTP FIN7, Suspicious WMI Use 2024-08-14
Detect ARP Poisoning T1200 T1498 T1557 T1557.002 TTP Router and Infrastructure Security 2024-08-14
Detect Rogue DHCP Server T1200 T1498 T1557 TTP Router and Infrastructure Security 2024-08-14
Detect Traffic Mirroring T1200 T1020 T1498 T1020.001 TTP Router and Infrastructure Security 2024-08-14
Detect Windows DNS SIGRed via Splunk Stream T1203 TTP Windows DNS SIGRed CVE-2020-1350 2024-08-14
Hunting for Log4Shell Nginx Access T1190 T1133 Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-08-14
Windows AD Domain Replication ACL Addition T1484 TTP Sneaky Active Directory Persistence Tricks 2024-08-08
Powershell Windows Defender Exclusion Commands Windows icon Powershell Script Block Logging 4104 T1562.001 T1562 TTP AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics 2024-08-07
Windows Vulnerable Driver Installed Windows icon Windows Event Log System 7045 T1543.003 TTP Windows Drivers 2024-08-07
Internal Horizontal Port Scan AWS icon AWS CloudWatchLogs VPCflow T1046 TTP Network Discovery 2024-08-07
Windows Gather Victim Network Info Through Ip Check Web Services Windows icon Sysmon EventID 22 T1590.005 T1590 Hunting Azorult, DarkCrystal RAT, Handala Wiper, Phemedrone Stealer, Snake Keylogger 2024-07-31
Windows ESX Admins Group Creation via Net Windows icon Sysmon EventID 1 T1136.002 T1136.001 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-07-30
Windows ESX Admins Group Creation via PowerShell Windows icon Powershell Script Block Logging 4104 T1136.002 T1136.001 TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-07-30
Windows Outlook WebView Registry Modification Windows icon Sysmon EventID 13 T1112 Anomaly Suspicious Windows Registry Activities 2024-07-30
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1027 Hunting CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate 2024-07-26
MOVEit Certificate Store Access Failure T1190 Hunting MOVEit Transfer Authentication Bypass 2024-07-24
MOVEit Empty Key Fingerprint Authentication Attempt T1190 Hunting MOVEit Transfer Authentication Bypass 2024-07-24
Windows Event Log Cleared Windows icon Windows Event Log Security 1102 T1070 T1070.001 TTP CISA AA22-264A, Clop Ransomware, Ransomware, ShrinkLocker, Windows Log Manipulation 2024-07-24
Splunk risky Command Abuse disclosed february 2023 Splunk icon Splunk T1548 T1202 Hunting Splunk Vulnerabilities 2024-07-23
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 T1070.001 TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-07-23
Disable Windows Behavior Monitoring Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-07-23
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 TTP Active Directory Lateral Movement 2024-07-23
Remote Process Instantiation via WinRM and PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-07-23
Remote Process Instantiation via WinRM and Winrs CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-07-23
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.002 TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-07-23
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 T1053.005 TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-07-23
Windows New InProcServer32 Added Windows icon Sysmon EventID 13 T1112 Hunting Outlook RCE CVE-2024-21378 2024-07-23
Windows Service Creation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 TTP Active Directory Lateral Movement, CISA AA23-347A 2024-07-23
Windows Service Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1543 T1543.003 TTP Active Directory Lateral Movement, CISA AA23-347A 2024-07-23
Crowdstrike High Identity Risk Severity T1110 TTP Compromised Windows Host 2024-07-17
Crowdstrike Multiple LOW Severity Alerts T1110 Anomaly Compromised Windows Host 2024-07-17
Crowdstrike Admin Weak Password Policy T1110 TTP Compromised Windows Host 2024-07-15
Crowdstrike Admin With Duplicate Password T1110 TTP Compromised Windows Host 2024-07-15
Crowdstrike Medium Identity Risk Severity T1110 TTP Compromised Windows Host 2024-07-15
Crowdstrike Medium Severity Alert T1110 Anomaly Compromised Windows Host 2024-07-15
Crowdstrike Privilege Escalation For Non-Admin User T1110 Anomaly Compromised Windows Host 2024-07-15
Crowdstrike User Weak Password Policy T1110 Anomaly Compromised Windows Host 2024-07-15
Crowdstrike User with Duplicate Password T1110 Anomaly Compromised Windows Host 2024-07-15
Windows Delete or Modify System Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562 T1562.004 Anomaly NjRAT, ShrinkLocker 2024-07-11
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 T1543 T1134.004 T1134 TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-07-11
Detect Remote Access Software Usage File Windows icon Sysmon EventID 11 T1219 Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage FileInfo CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Anomaly Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1219 Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage DNS Windows icon Sysmon EventID 22 T1219 Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage Traffic Network icon Palo Alto Network Traffic T1219 Anomaly Command And Control, Insider Threat, Ransomware 2024-07-09
Detect Remote Access Software Usage URL Network icon Palo Alto Network Threat T1219 Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-07-09
Azure AD Admin Consent Bypassed by Service Principal Azure icon Azure Active Directory Add app role assignment to service principal T1098.003 TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-07-02
Windows AD AdminSDHolder ACL Modified Windows icon Windows Event Log Security 5136 T1546 TTP Sneaky Active Directory Persistence Tricks 2024-07-02
Splunk CSRF in the SSG kvstore Client Endpoint Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-07-01
Splunk DoS via POST Request Datamodel Endpoint T1499 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Enterprise Windows Deserialization File Partition Splunk icon Splunk T1190 TTP Splunk Vulnerabilities 2024-07-01
Splunk Information Disclosure on Account Login Splunk icon Splunk T1087 Hunting Splunk Vulnerabilities 2024-07-01
Splunk RCE PDFgen Render Splunk icon Splunk T1210 TTP Splunk Vulnerabilities 2024-07-01
Splunk RCE via External Lookup Copybuckets Splunk icon Splunk T1210 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Stored XSS conf-web Settings on Premises Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Stored XSS via Data Model objectName Field Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Stored XSS via Specially Crafted Bulletin Message Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Unauthenticated DoS via Null Pointer References Splunk icon Splunk T1499 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Unauthenticated Path Traversal Modules Messaging Splunk icon Splunk T1083 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Unauthorized Experimental Items Creation Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk Unauthorized Notification Input by User Splunk icon Splunk T1548 Hunting Splunk Vulnerabilities 2024-07-01
Splunk XSS in Highlighted JSON Events Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk XSS in Save table dialog header in search page Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk XSS Privilege Escalation via Custom Urls in Dashboard Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Splunk XSS Via External Urls in Dashboards SSRF Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-07-01
Windows Modify Registry Delete Firewall Rules Windows icon Sysmon EventID 12 T1112 TTP CISA AA24-241A, ShrinkLocker 2024-06-21
Windows Modify Registry to Add or Modify Firewall Rule Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA24-241A, ShrinkLocker 2024-06-21
Suspicious wevtutil Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070.001 T1070 TTP CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation 2024-06-19
Windows Modify Registry Configure BitLocker Windows icon Sysmon EventID 13 T1112 TTP ShrinkLocker 2024-06-19
Windows Modify Registry Disable RDP Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2024-06-19
Windows Modify Registry on Smart Card Group Policy Windows icon Sysmon EventID 13 T1112 Anomaly ShrinkLocker 2024-06-19
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.003 T1021.006 T1047 T1053.005 T1543.003 T1059.001 T1218.014 TTP Active Directory Lateral Movement, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-06-18
Ivanti EPM SQL Injection Remote Code Execution Suricata T1190 TTP Ivanti EPM Vulnerabilities 2024-06-18
Elevated Group Discovery with PowerView Windows icon Powershell Script Block Logging 4104 T1069 T1069.002 Hunting Active Directory Discovery 2024-06-10
Windows Debugger Tool Execution T1036 Hunting DarkGate Malware, PlugX 2024-06-07
Windows Unsigned DLL Side-Loading In Same Process Path Windows icon Sysmon EventID 7 T1574.002 T1574 TTP DarkGate Malware, PlugX 2024-06-07
AWS Multiple Failed MFA Requests For User AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 Anomaly AWS Identity and Access Management Account Takeover 2024-05-31
Detect Copy of ShadowCopy with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003.002 T1003 TTP Credential Dumping 2024-05-31
Exchange PowerShell Module Usage Windows icon Powershell Script Block Logging 4104 T1059 T1059.001 TTP BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell 2024-05-31
PowerShell Invoke CIMMethod CIMSession Windows icon Powershell Script Block Logging 4104 T1047 Anomaly Active Directory Lateral Movement, Malicious PowerShell 2024-05-31
Services Escalate Exe CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack 2024-05-31
Windows Event Triggered Image File Execution Options Injection Windows icon Windows Event Log Application 3000 T1546.012 Hunting Windows Persistence Techniques 2024-05-31
Windows Impair Defense Define Win Defender Threat Action Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-31
Windows Impair Defense Disable Win Defender Signature Retirement Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-31
Windows Impair Defense Override SmartScreen Prompt Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-31
Windows Modify Registry Disable Restricted Admin Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A 2024-05-31
Windows Modify Registry wuStatusServer Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Hunting RedLine Stealer 2024-05-31
Windows Post Exploitation Risk Behavior T1012 T1049 T1069 T1016 T1003 T1082 T1115 T1552 Correlation Windows Post-Exploitation 2024-05-31
Windows PowerView Kerberos Service Ticket Request Windows icon Powershell Script Block Logging 4104 T1558 T1558.003 TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2024-05-31
Windows Query Registry UnInstall Program List Windows icon Windows Event Log Security 4663 T1012 Anomaly RedLine Stealer 2024-05-31
Windows Remote Services Allow Rdp In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 Anomaly Azorult 2024-05-31
Windows Unsigned DLL Side-Loading Windows icon Sysmon EventID 7 T1574.002 Anomaly NjRAT, Warzone RAT 2024-05-31
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-05-31
Okta Multiple Failed Requests to Access Applications Okta T1550.004 T1538 Hunting Okta Account Takeover 2024-05-30
Azure AD Service Principal Created Azure icon Azure Active Directory Add service principal T1136.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-05-30
Azure AD User Consent Blocked for Risky Application Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-05-30
Cloud Compute Instance Created With Previously Unseen Image AWS icon AWS CloudTrail Anomaly Cloud Cryptomining 2024-05-30
Credential Dumping via Copy Command from Shadow Copy CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Credential Dumping 2024-05-30
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-05-30
Linux DD File Overwrite Linux icon Sysmon for Linux EventID 1 T1485 TTP Data Destruction, Industroyer2 2024-05-30
Linux File Creation In Init Boot Directory Linux icon Sysmon for Linux EventID 11 T1037.004 T1037 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-30
Linux Indicator Removal Clear Cache Linux icon Sysmon for Linux EventID 1 T1070 TTP AwfulShred, Data Destruction 2024-05-30
Linux Possible Append Command To Profile Config File Linux icon Sysmon for Linux EventID 1 T1546.004 T1546 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-30
Ntdsutil Export NTDS CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1003.003 T1003 TTP Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon 2024-05-30
PaperCut NG Suspicious Behavior Debug Log T1190 T1133 Hunting PaperCut MF NG Vulnerability 2024-05-30
PetitPotam Suspicious Kerberos TGT Request Windows icon Windows Event Log Security 4768 T1003 TTP Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services 2024-05-30
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497 T1497.003 Anomaly BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate 2024-05-30
PowerShell Script Block With URL Chain Windows icon Powershell Script Block Logging 4104 T1059.001 T1105 TTP Malicious PowerShell 2024-05-30
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134 T1134.001 Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-05-30
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1127 T1127.001 TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild 2024-05-30
Suspicious Rundll32 StartW CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot 2024-05-30
Windows Account Discovery for Sam Account Name Windows icon Powershell Script Block Logging 4104 T1087 Anomaly CISA AA23-347A 2024-05-30
Windows Admin Permission Discovery Windows icon Sysmon EventID 11 T1069.001 Anomaly NjRAT 2024-05-30
Windows Alternate DataStream - Executable Content Windows icon Sysmon EventID 15 T1564 T1564.004 TTP Windows Defense Evasion Tactics 2024-05-30
Windows AppLocker Rare Application Launch Detection T1218 Hunting Windows AppLocker 2024-05-30
Windows Disable LogOff Button Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Registry Abuse 2024-05-30
Windows DNS Gather Network Info CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1590.002 Anomaly Sandworm Tools, Volt Typhoon 2024-05-30
Windows Domain Account Discovery Via Get-NetComputer Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 Anomaly CISA AA23-347A 2024-05-30
Windows Modify Registry NoChangingWallPaper Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Rhysida Ransomware 2024-05-30
Windows Phishing Recent ISO Exec Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1566.001 T1566 Hunting AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT 2024-05-30
Windows Private Keys Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1552.004 T1552 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-05-30
Windows Service Creation Using Registry Entry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1574.011 TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-05-30
Zeek x509 Certificate with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-05-30
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Network icon Palo Alto Network Threat T1505 T1190 T1133 TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities 2024-05-30
Okta Authentication Failed During MFA Challenge Okta T1586 T1586.003 T1078 T1078.004 T1621 TTP Okta Account Takeover 2024-05-29
Okta Suspicious Use of a Session Cookie Okta T1539 Anomaly Okta Account Takeover, Suspicious Okta Activity 2024-05-29
PingID Multiple Failed MFA Requests For User PingID T1621 T1078 T1110 TTP Compromised User Account 2024-05-29
Splunk DoS Using Malformed SAML Request Splunk icon Splunk T1498 Hunting Splunk Vulnerabilities 2024-05-29
Splunk ES DoS Through Investigation Attachments Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-05-29
Splunk Low Privilege User Can View Hashed Splunk Password Splunk icon Splunk T1212 Hunting Splunk Vulnerabilities 2024-05-29
Suspicious Email Attachment Extensions T1566.001 T1566 Anomaly Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails 2024-05-29
Amazon EKS Kubernetes Pod scan detection T1526 Hunting Kubernetes Scanning Activity 2024-05-29
ASL AWS Defense Evasion Delete Cloudtrail T1562.008 T1562 TTP AWS Defense Evasion 2024-05-29
AWS Console Login Failed During MFA Challenge AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1621 TTP AWS Identity and Access Management Account Takeover, Compromised User Account 2024-05-29
AWS IAM Successful Group Deletion AWS icon AWS CloudTrail DeleteGroup T1069.003 T1098 T1069 Hunting AWS IAM Privilege Escalation 2024-05-29
Azure AD Global Administrator Role Assigned Azure icon Azure Active Directory Add member to role T1098.003 TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-05-29
O365 Multiple Service Principals Created by SP O365 Add service principal. T1136.003 Anomaly NOBELIUM Group, Office 365 Persistence Mechanisms 2024-05-29
O365 New Email Forwarding Rule Created T1114 T1114.003 TTP Office 365 Collection Techniques 2024-05-29
O365 New Forwarding Mailflow Rule Created T1114 TTP Office 365 Collection Techniques 2024-05-29
O365 Tenant Wide Admin Consent Granted O365 Consent to application. T1098 T1098.003 TTP NOBELIUM Group, Office 365 Persistence Mechanisms 2024-05-29
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.005 T1036 T1003 T1595 TTP CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-05-29
Detect RTLO In Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036.002 T1036 TTP Spearphishing Attachments 2024-05-29
Disable AMSI Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-05-29
Disable Security Logs Using MiniNt Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-29
Enable RDP In Other Port Number Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-05-29
Excessive distinct processes from Windows Temp CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 Anomaly Meterpreter 2024-05-29
Get ADUser with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Hunting Active Directory Discovery, CISA AA23-347A 2024-05-29
GetWmiObject Ds Computer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 TTP Active Directory Discovery 2024-05-29
Headless Browser Mockbin or Mocky Request CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 TTP Forest Blizzard 2024-05-29
Linux Common Process For Elevation Control Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-05-29
Linux Possible Access To Sudoers File Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-29
Linux Service Started Or Enabled Linux icon Sysmon for Linux EventID 1 T1053.006 T1053 Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-29
Local Account Discovery with Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery, Sandworm Tools 2024-05-29
Monitor Registry Keys for Print Monitors Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.010 T1547 TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-05-29
Rundll32 Create Remote Thread To A Process Windows icon Sysmon EventID 8 T1055 TTP IcedID, Living Off The Land 2024-05-29
Suspicious Curl Network Connection CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1105 TTP Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow 2024-05-29
Windows Credential Access From Browser Password Store Windows icon Windows Event Log Security 4663 T1012 Anomaly MoonPeak, Snake Keylogger 2024-05-29
Windows Findstr GPP Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1552 T1552.006 TTP Active Directory Privilege Escalation 2024-05-29
Windows Impair Defense Disable Controlled Folder Access Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-29
Windows Impair Defense Disable Win Defender Network Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-29
Windows Information Discovery Fsutil CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1082 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-05-29
Windows MsiExec HideWindow Rundll32 Execution CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218.007 T1218 TTP Qakbot 2024-05-29
Windows Powershell Import Applocker Policy Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 T1562.001 T1562 TTP Azorult 2024-05-29
Windows Registry BootExecute Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1542 T1547.001 TTP Windows BootKits 2024-05-29
Windows Registry Certificate Added Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1553.004 T1553 Anomaly Windows Drivers, Windows Registry Abuse 2024-05-29
Windows Rundll32 Apply User Settings Changes CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP Rhysida Ransomware 2024-05-29
Windows Screen Capture Via Powershell Windows icon Powershell Script Block Logging 4104 T1113 TTP Winter Vivern 2024-05-29
Windows WMI Impersonate Token Windows icon Sysmon EventID 10 T1047 Anomaly Qakbot 2024-05-29
Detect DGA domains using pretrained model in DSDL T1568.002 Anomaly Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-05-29
Protocol or Port Mismatch T1048.003 T1048 Anomaly Command And Control, Prohibited Traffic Allowed or Protocol Mismatch 2024-05-29
Protocols passing authentication in cleartext TTP Use of Cleartext Protocols 2024-05-29
Remote Desktop Network Traffic T1021.001 T1021 Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware 2024-05-29
SSL Certificates with Punycode T1573 Hunting OpenSSL CVE-2022-3602 2024-05-29
TOR Traffic Network icon Palo Alto Network Traffic T1090 T1090.003 TTP Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware 2024-05-29
Adobe ColdFusion Access Control Bypass Suricata T1190 TTP Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 2024-05-29
Citrix ShareFile Exploitation CVE-2023-24489 Suricata T1190 Hunting Citrix ShareFile RCE CVE-2023-24489 2024-05-29
Ivanti Connect Secure SSRF in SAML Component Suricata T1190 TTP Ivanti Connect Secure VPN Vulnerabilities 2024-05-29
Okta IDP Lifecycle Modifications Okta T1087.004 Anomaly Suspicious Okta Activity 2024-05-28
Okta Risk Threshold Exceeded Okta T1078 T1110 Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-05-28
Splunk Protocol Impersonation Weak Encryption Configuration Splunk icon Splunk T1001.003 Hunting Splunk Vulnerabilities 2024-05-28
Splunk unnecessary file extensions allowed by lookup table uploads Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-05-28
AWS Defense Evasion PutBucketLifecycle AWS icon AWS CloudTrail PutBucketLifecycle T1562.008 T1562 Hunting AWS Defense Evasion 2024-05-28
AWS Detect Users creating keys with encrypt policy without MFA AWS icon AWS CloudTrail CreateKey, AWS icon AWS CloudTrail PutKeyPolicy T1486 TTP Ransomware Cloud 2024-05-28
AWS ECR Container Upload Unknown User AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-05-28
AWS Exfiltration via DataSync Task AWS icon AWS CloudTrail CreateTask T1119 TTP Data Exfiltration, Suspicious AWS S3 Activities 2024-05-28
Azure AD Device Code Authentication Azure icon Azure Active Directory T1528 T1566 T1566.002 TTP Azure Active Directory Account Takeover 2024-05-28
Detect AWS Console Login by New User AWS icon AWS CloudTrail T1586 T1586.003 T1552 Hunting AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities 2024-05-28
Kubernetes Create or Update Privileged Pod Kubernetes icon Kubernetes Audit T1204 Anomaly Kubernetes Security 2024-05-28
Kubernetes Cron Job Creation Kubernetes icon Kubernetes Audit T1053.007 Anomaly Kubernetes Security 2024-05-28
O365 New Federated Domain Added O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms 2024-05-28
Add DefaultUser And Password In Registry Windows icon Sysmon EventID 13 T1552.002 T1552 Anomaly BlackMatter Ransomware 2024-05-28
Detect Credential Dumping through LSASS access Windows icon Sysmon EventID 10 T1003.001 T1003 TTP BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack 2024-05-28
Disable Defender AntiVirus Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-05-28
Domain Group Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 Hunting Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation 2024-05-28
GetAdComputer with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1018 Hunting Active Directory Discovery, CISA AA22-320A, Gozi Malware 2024-05-28
GetWmiObject Ds Group with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery 2024-05-28
Linux Iptables Firewall Modification Linux icon Sysmon for Linux EventID 1 T1562.004 T1562 Anomaly Cyclops Blink, Sandworm Tools 2024-05-28
Linux Unix Shell Enable All SysRq Functions Linux icon Sysmon for Linux EventID 1 T1059.004 T1059 Anomaly AwfulShred, Data Destruction 2024-05-28
Modification Of Wallpaper Windows icon Sysmon EventID 13 T1491 TTP BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse 2024-05-28
Network Connection Discovery With Net CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1049 Hunting Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation 2024-05-28
Print Spooler Failed to Load a Plug-in Windows icon Windows Event Log Printservice 808 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-05-28
Remcos client registry install entry CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1112 TTP Remcos, Windows Registry Abuse 2024-05-28
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1053 TTP CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig 2024-05-28
Suspicious SQLite3 LSQuarantine Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1074 TTP Silver Sparrow 2024-05-28
Windows Alternate DataStream - Base64 Content Windows icon Sysmon EventID 15 T1564 T1564.004 TTP Windows Defense Evasion Tactics 2024-05-28
Windows CAB File on Disk Windows icon Sysmon EventID 11 T1566.001 Anomaly DarkGate Malware 2024-05-28
Windows Command Shell Fetch Env Variables CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP Qakbot 2024-05-28
Windows Disable Notification Center Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-28
Windows DisableAntiSpyware Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-28
Windows Find Interesting ACL with FindInterestingDomainAcl Windows icon Powershell Script Block Logging 4104 T1087 T1087.002 TTP Active Directory Discovery 2024-05-28
Windows Hidden Schedule Task Settings Windows icon Windows Event Log Security 4698 T1053 TTP Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks 2024-05-28
Windows Impair Defense Disable Win Defender App Guard Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-28
Windows Impair Defense Disable Win Defender Scan On Update Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-28
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1202 TTP Living Off The Land, Windows Post-Exploitation 2024-05-28
Windows Mail Protocol In Non-Common Process Path Windows icon Sysmon EventID 3 T1071.003 T1071 Anomaly AgentTesla 2024-05-28
Windows Modify Registry AuthenticationLevelOverride Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly DarkGate Malware 2024-05-28
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-05-28
Windows Password Managers Discovery CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555.005 Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-05-28
Windows Privilege Escalation System Process Without System Parent CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1068 T1548 T1134 TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-05-28
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-05-28
Windows Query Registry Browser List Application Windows icon Windows Event Log Security 4663 T1012 Anomaly RedLine Stealer 2024-05-28
Windows Raw Access To Disk Volume Partition Windows icon Sysmon EventID 9 T1561.002 T1561 Anomaly BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT 2024-05-28
Windows Registry SIP Provider Modification Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1553.003 TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2024-05-28
Windows Security Support Provider Reg Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1547.005 T1547 Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2024-05-28
Windows Spearphishing Attachment Onenote Spawn Mshta CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566.001 T1566 TTP AsyncRAT, Spearphishing Attachments 2024-05-28
Windows System Discovery Using ldap Nslookup CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1033 Anomaly Qakbot 2024-05-28
Windows System Reboot CommandLine CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1529 Anomaly DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT 2024-05-28
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497.003 T1497 Anomaly Snake Keylogger 2024-05-28
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows icon Windows Event Log Security 4771 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-05-28
Windows Valid Account With Never Expires Password CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1489 TTP Azorult 2024-05-28
Detect Zerologon via Zeek T1190 TTP Detect Zerologon Attack, Rhysida Ransomware 2024-05-28
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Network icon Palo Alto Network Threat T1190 T1133 TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2024-05-28
Confluence Data Center and Server Privilege Escalation Nginx Access T1190 TTP CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities 2024-05-28
Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 Suricata T1190 TTP Confluence Data Center and Confluence Server Vulnerabilities 2024-05-28
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata T1190 T1133 TTP Ivanti EPMM Remote Unauthenticated Access 2024-05-28
Web Spring4Shell HTTP Request Class Module Splunk icon Splunk Stream HTTP T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-05-28
Splunk Digital Certificates Infrastructure Version Splunk icon Splunk T1587.003 Hunting Splunk Vulnerabilities 2024-05-27
Splunk DoS via Malformed S2S Request Splunk icon Splunk T1498 TTP Splunk Vulnerabilities 2024-05-27
Splunk Endpoint Denial of Service DoS Zip Bomb Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-05-27
Splunk HTTP Response Splitting Via Rest SPL Command Splunk icon Splunk T1027.006 Hunting Splunk Vulnerabilities 2024-05-27
Abnormally High Number Of Cloud Instances Destroyed AWS icon AWS CloudTrail T1078.004 T1078 Anomaly Suspicious Cloud Instance Activities 2024-05-27
AWS IAM Delete Policy AWS icon AWS CloudTrail DeletePolicy T1098 Hunting AWS IAM Privilege Escalation 2024-05-27
GitHub Dependabot Alert AWS icon GitHub T1195.001 T1195 Anomaly Dev Sec Ops 2024-05-27
Kubernetes Abuse of Secret by Unusual User Name Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-05-27
Kubernetes newly seen UDP edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-05-27
O365 Added Service Principal O365 T1136.003 T1136 TTP Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms 2024-05-27
O365 File Permissioned Application Consent Granted by User O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-05-27
Active Setup Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.014 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-05-27
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.007 T1562 TTP BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware 2024-05-27
Detect Certipy File Modifications Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1649 T1560 TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2024-05-27
Detect suspicious processnames using pretrained model in DSDL Windows icon Sysmon EventID 1 T1059 Anomaly Suspicious Command-Line Executions 2024-05-27
Disable Show Hidden Files Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1564.001 T1562.001 T1564 T1562 T1112 Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Windows icon Powershell Script Block Logging 4104 T1201 Hunting Active Directory Discovery 2024-05-27
Get-DomainTrust with PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1482 TTP Active Directory Discovery 2024-05-27
GetWmiObject Ds Computer with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery 2024-05-27
Icacls Deny Command CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1222 TTP Azorult, Sandworm Tools, XMRig 2024-05-27
Linux Adding Crontab Using List Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-27
Linux Data Destruction Command Linux icon Sysmon for Linux EventID 1 T1485 TTP AwfulShred, Data Destruction 2024-05-27
Linux Service File Created In Systemd Directory Linux icon Sysmon for Linux EventID 11 T1053.006 T1053 Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-27
Linux Visudo Utility Execution Linux icon Sysmon for Linux EventID 1 T1548.003 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-27
MS Exchange Mailbox Replication service writing Active Server Pages Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11 T1505 T1505.003 T1190 T1133 TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-05-27
Office Product Spawning MSHTA CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments 2024-05-27
Possible Browser Pass View Parameter CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555.003 T1555 Hunting Remcos 2024-05-27
Process Deleting Its Process File Path CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1070 TTP Clop Ransomware, Data Destruction, Remcos, WhisperGate 2024-05-27
Single Letter Process On Endpoint CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1204 T1204.002 TTP DHS Report TA18-074A 2024-05-27
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 11, Windows icon Windows Event Log Security 4688 T1547.012 T1547 TTP PrintNightmare CVE-2021-34527 2024-05-27
Suspicious Rundll32 no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.011 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-05-27
UAC Bypass MMC Load Unsigned Dll Windows icon Sysmon EventID 7 T1548.002 T1548 T1218.014 TTP Windows Defense Evasion Tactics 2024-05-27
Wermgr Process Connecting To IP Check Web Services Windows icon Sysmon EventID 22 T1590 T1590.005 TTP Trickbot 2024-05-27
Windows Account Discovery With NetUser PreauthNotRequire Windows icon Powershell Script Block Logging 4104 T1087 Hunting CISA AA23-347A 2024-05-27
Windows Archive Collected Data via Powershell Windows icon Powershell Script Block Logging 4104 T1560 Anomaly CISA AA23-347A 2024-05-27
Windows Credentials from Password Stores Query CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1555 Anomaly DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation 2024-05-27
Windows Disable Windows Group Policy Features Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Windows Exfiltration Over C2 Via Powershell UploadString Windows icon Powershell Script Block Logging 4104 T1041 TTP Winter Vivern 2024-05-27
Windows Impair Defense Change Win Defender Quick Scan Interval Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Windows Impair Defense Change Win Defender Throttle Rate Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Windows Impair Defense Disable Web Evaluation Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Windows Modify Show Compress Color And Info Tip Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-27
Windows Non Discord App Access Discord LevelDB Windows icon Windows Event Log Security 4663 T1012 Anomaly Snake Keylogger 2024-05-27
Windows Powershell Cryptography Namespace Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 Anomaly AsyncRAT 2024-05-27
Windows Proxy Via Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1090.001 T1090 Anomaly Volt Typhoon 2024-05-27
Windows UAC Bypass Suspicious Escalation Behavior CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548 T1548.002 TTP Living Off The Land, Windows Defense Evasion Tactics 2024-05-27
Windows Unsigned MS DLL Side-Loading Windows icon Sysmon EventID 7 T1574.002 T1547 Anomaly APT29 Diplomatic Deceptions with WINELOADER 2024-05-27
SMB Traffic Spike T1021.002 T1021 Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-05-27
Zscaler Scam Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-05-27
Detect Risky SPL using Pretrained ML Model T1059 Anomaly Splunk Vulnerabilities 2024-05-26
Okta Successful Single Factor Authentication Okta T1586 T1586.003 T1078 T1078.004 T1621 Anomaly Okta Account Takeover 2024-05-26
Splunk RCE via Serialized Session Payload Splunk icon Splunk T1190 Hunting Splunk Vulnerabilities 2024-05-26
AWS Defense Evasion Delete CloudWatch Log Group AWS icon AWS CloudTrail DeleteLogGroup T1562 T1562.008 TTP AWS Defense Evasion 2024-05-26
AWS Defense Evasion Impair Security Services AWS icon AWS CloudTrail DeleteAlarms, AWS icon AWS CloudTrail DeleteDetector, AWS icon AWS CloudTrail DeleteIPSet, AWS icon AWS CloudTrail DeleteLogStream, AWS icon AWS CloudTrail DeleteRule, AWS icon AWS CloudTrail DeleteWebACL T1562.008 T1562 Hunting AWS Defense Evasion 2024-05-26
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. T1562 TTP Office 365 Account Takeover 2024-05-26
O365 User Consent Blocked for Risky Application O365 Consent to application. T1528 TTP Office 365 Account Takeover 2024-05-26
Active Directory Privilege Escalation Identified T1484 Correlation Active Directory Privilege Escalation 2024-05-26
Change To Safe Mode With Network Config CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1490 TTP BlackMatter Ransomware 2024-05-26
Common Ransomware Extensions Windows icon Sysmon EventID 11 T1485 Hunting Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-05-26
Detect Mimikatz With PowerShell Script Block Logging Windows icon Powershell Script Block Logging 4104 T1003 T1059.001 TTP CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools 2024-05-26
Disable Schedule Task CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.001 T1562 TTP IcedID, Living Off The Land 2024-05-26
Disable Windows SmartScreen Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-26
Headless Browser Usage CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1564.003 Hunting Forest Blizzard 2024-05-26
High Frequency Copy Of Files In Network Share Windows icon Windows Event Log Security 5145 T1537 Anomaly Information Sabotage, Insider Threat 2024-05-26
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021 T1021.002 T1021.003 T1047 T1543.003 TTP Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-05-26
Linux At Allow Config File Creation Linux icon Sysmon for Linux EventID 11 T1053.003 T1053 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-26
Loading Of Dynwrapx Module Windows icon Sysmon EventID 7 T1055 T1055.001 TTP AsyncRAT, Remcos 2024-05-26
Log4Shell CVE-2021-44228 Exploitation T1105 T1190 T1059 T1133 Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-05-26
Outbound Network Connection from Java Using Default Ports Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 3 T1190 T1133 TTP Log4Shell CVE-2021-44228 2024-05-26
PetitPotam Network Share Access Request Windows icon Windows Event Log Security 5145 T1187 TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2024-05-26
Powershell Using memory As Backing Store Windows icon Powershell Script Block Logging 4104 T1059.001 T1059 TTP Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak 2024-05-26
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1548.002 T1548 TTP DarkSide Ransomware, Windows Defense Evasion Tactics 2024-05-26
Steal or Forge Authentication Certificates Behavior Identified T1649 Correlation Windows Certificate Services 2024-05-26
Unusually Long Command Line - MLTK CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-05-26
Wermgr Process Spawned CMD Or Powershell Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059 TTP Qakbot, Trickbot 2024-05-26
Windows Account Discovery for None Disable User Account Windows icon Powershell Script Block Logging 4104 T1087 T1087.001 Hunting CISA AA23-347A 2024-05-26
Windows AD Privileged Account SID History Addition Windows icon Windows Event Log Security 4738, Windows icon Windows Event Log Security 4742 T1134.005 T1134 TTP Sneaky Active Directory Persistence Tricks 2024-05-26
Windows Hide Notification Features Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-26
Windows Modify Registry No Auto Reboot With Logon User Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly RedLine Stealer 2024-05-26
Windows MSHTA Writing to World Writable Path Windows icon Sysmon EventID 11 T1218.005 TTP APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity 2024-05-26
Windows Powershell RemoteSigned File CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.001 T1059 Anomaly Amadey 2024-05-26
Windows Query Registry Reg Save CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1012 Hunting CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation 2024-05-26
Windows Root Domain linked policies Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-05-26
WMI Permanent Event Subscription T1047 TTP Suspicious WMI Use 2024-05-26
Plain HTTP POST Exfiltrated Data Splunk icon Splunk Stream HTTP T1048.003 T1048 TTP Command And Control, Data Exfiltration 2024-05-26
JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 Suricata T1190 TTP JetBrains TeamCity Vulnerabilities 2024-05-26
Spring4Shell Payload URL Request Nginx Access T1505.003 T1505 T1190 T1133 TTP Spring4Shell CVE-2022-22965 2024-05-26
Supernova Webshell T1505.003 T1133 TTP NOBELIUM Group 2024-05-26
Splunk Authentication Token Exposure in Debug Log T1654 TTP Splunk Vulnerabilities 2024-05-25
Splunk Data exfiltration from Analytics Workspace using sid query Splunk icon Splunk T1567 Hunting Splunk Vulnerabilities 2024-05-25
Splunk DOS via printf search function Splunk icon Splunk T1499.004 Hunting Splunk Vulnerabilities 2024-05-25
Splunk ES DoS Investigations Manager via Investigation Creation Splunk icon Splunk T1499 TTP Splunk Vulnerabilities 2024-05-25
ASL AWS Defense Evasion Delete CloudWatch Log Group T1562 T1562.008 TTP AWS Defense Evasion 2024-05-25
AWS ECR Container Upload Outside Business Hours AWS icon AWS CloudTrail PutImage T1204.003 T1204 Anomaly Dev Sec Ops 2024-05-25
AWS High Number Of Failed Authentications For User AWS icon AWS CloudTrail ConsoleLogin T1201 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-05-25
Circle CI Disable Security Step CircleCI T1554 Anomaly Dev Sec Ops 2024-05-25
Detect AWS Console Login by User from New City AWS icon AWS CloudTrail T1586 T1586.003 T1535 Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-05-25
GCP Multi-Factor Authentication Disabled T1586 T1586.003 T1556 T1556.006 TTP GCP Account Takeover 2024-05-25
GCP Successful Single-Factor Authentication Google Workspace login_success T1586 T1586.003 T1078 T1078.004 TTP GCP Account Takeover 2024-05-25
High Number of Login Failures from a single source O365 UserLoginFailed T1110.001 T1110 Anomaly Office 365 Account Takeover 2024-05-25
Kubernetes Abuse of Secret by Unusual User Group Kubernetes icon Kubernetes Audit T1552.007 Anomaly Kubernetes Security 2024-05-25
Kubernetes Anomalous Outbound Network Activity from Process T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-05-25
Kubernetes Falco Shell Spawned Kubernetes icon Kubernetes Falco T1204 Anomaly Kubernetes Security 2024-05-25
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1649 T1105 TTP Ingress Tool Transfer, Windows Certificate Services 2024-05-25
Domain Controller Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-05-25
Drop IcedID License dat Windows icon Sysmon EventID 11 T1204 T1204.002 Hunting IcedID 2024-05-25
GetDomainController with PowerShell CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 Hunting Active Directory Discovery 2024-05-25
Linux Edit Cron Table Parameter Linux icon Sysmon for Linux EventID 1 T1053.003 T1053 Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-25
Linux Hardware Addition SwapOff Linux icon Sysmon for Linux EventID 1 T1200 Anomaly AwfulShred, Data Destruction 2024-05-25
Linux Possible Access To Credential Files Linux icon Sysmon for Linux EventID 1 T1003.008 T1003 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-25
Linux Possible Append Command To At Allow Config File Linux icon Sysmon for Linux EventID 1 T1053.002 T1053 Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-05-25
Local Account Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1087 T1087.001 Hunting Active Directory Discovery 2024-05-25
Non Chrome Process Accessing Chrome Default Dir Windows icon Windows Event Log Security 4663 T1555 T1555.003 Anomaly 3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-05-25
Office Application Spawn rundll32 process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot 2024-05-25
Overwriting Accessibility Binaries Windows icon Sysmon EventID 11 T1546 T1546.008 TTP Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation 2024-05-25
Print Processor Registry Autostart Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.012 T1547 TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-05-25
Ransomware Notes bulk creation Windows icon Sysmon EventID 11 T1486 Anomaly BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware 2024-05-25
Registry Keys Used For Persistence Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1547.001 T1547 TTP Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse 2024-05-25
Remote Process Instantiation via WinRM and PowerShell Script Block Windows icon Powershell Script Block Logging 4104 T1021 T1021.006 TTP Active Directory Lateral Movement 2024-05-25
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1055 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-05-25
System Processes Run From Unexpected Locations CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1036 T1036.003 Anomaly DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-05-25
Windows AppLocker Execution from Uncommon Locations T1218 Hunting Windows AppLocker 2024-05-25
Windows Disable Lock Workstation Feature Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-25
Windows InProcServer32 New Outlook Form Windows icon Sysmon EventID 13 T1566 T1112 Anomaly Outlook RCE CVE-2024-21378 2024-05-25
Windows Modify Registry With MD5 Reg Key Name Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1112 TTP NjRAT 2024-05-25
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1134.004 T1134 TTP Windows Defense Evasion Tactics 2024-05-25
Windows Service Create SliverC2 Windows icon Windows Event Log System 7045 T1569 T1569.002 TTP BishopFox Sliver Adversary Emulation Framework 2024-05-25
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows icon Windows Event Log Security 4768 T1110.003 T1110 Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-05-25
Detect Outbound SMB Traffic T1071.002 T1071 TTP DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group 2024-05-25
Citrix ADC Exploitation CVE-2023-3519 Network icon Palo Alto Network Threat T1190 Hunting CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519 2024-05-25
Log4Shell JNDI Payload Injection Attempt Nginx Access T1190 T1133 Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-05-25
Persistent XSS in RapidDiag through User Interface Views Splunk icon Splunk T1189 TTP Splunk Vulnerabilities 2024-05-24
Splunk Code Injection via custom dashboard leading to RCE T1210 Hunting Splunk Vulnerabilities 2024-05-24
AWS Disable Bucket Versioning AWS icon AWS CloudTrail PutBucketVersioning T1490 Anomaly Data Exfiltration, Suspicious AWS S3 Activities 2024-05-24
AWS Unusual Number of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover 2024-05-24
Azure AD OAuth Application Consent Granted By User Azure icon Azure Active Directory Consent to application T1528 TTP Azure Active Directory Account Takeover 2024-05-24
GCP Unusual Number of Failed Authentications From Ip Google Workspace login_failure T1586 T1586.003 T1110 T1110.003 T1110.004 Anomaly GCP Account Takeover 2024-05-24
Github Commit In Develop AWS icon GitHub T1199 Anomaly Dev Sec Ops 2024-05-24
Kubernetes Anomalous Traffic on Network Edge T1204 Anomaly Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring 2024-05-24
O365 Mailbox Email Forwarding Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-05-24
Risk Rule for Dev Sec Ops by Repository T1204.003 T1204 Correlation Dev Sec Ops 2024-05-24
AdsiSearcher Account Discovery Windows icon Powershell Script Block Logging 4104 T1087.002 T1087 TTP Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 2024-05-24
Detect RTLO In File Name Windows icon Sysmon EventID 11 T1036.002 T1036 TTP Spearphishing Attachments 2024-05-24
Disable Defender Enhanced Notification Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-05-24
Disable ETW Through Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-05-24
Disable UAC Remote Restriction Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1548.002 T1548 TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-24
Elevated Group Discovery With Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1069 T1069.002 TTP Active Directory Discovery 2024-05-24
Linux Disable Services Linux icon Sysmon for Linux EventID 1 T1489 TTP AwfulShred, Data Destruction, Industroyer2 2024-05-24
Linux Persistence and Privilege Escalation Risk Behavior T1548 Correlation Linux Persistence Techniques, Linux Privilege Escalation 2024-05-24
Linux Possible Access Or Modification Of sshd Config File Linux icon Sysmon for Linux EventID 1 T1098.004 T1098 Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-05-24
Linux Setuid Using Setcap Utility Linux icon Sysmon for Linux EventID 1 T1548.001 T1548 Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-05-24
Linux System Network Discovery Linux icon Sysmon for Linux EventID 1 T1016 Anomaly Data Destruction, Industroyer2, Network Discovery 2024-05-24
Office Product Spawn CMD Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1566 T1566.001 TTP AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT 2024-05-24
Powershell Fileless Script Contains Base64 Encoded Content Windows icon Powershell Script Block Logging 4104 T1059 T1027 T1059.001 TTP AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern 2024-05-24
Powershell Get LocalGroup Discovery with Script Block Logging Windows icon Powershell Script Block Logging 4104 T1069 T1069.001 Hunting Active Directory Discovery 2024-05-24
Processes launching netsh CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1562.004 T1562 Anomaly Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon 2024-05-24
Remcos RAT File Creation in Remcos Folder Windows icon Sysmon EventID 11 T1113 TTP Remcos 2024-05-24
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1021.001 T1021 Hunting Active Directory Lateral Movement, Hidden Cobra Malware 2024-05-24
Remote System Discovery with Wmic CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1018 TTP Active Directory Discovery 2024-05-24
Revil Registry Entry CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13, Windows icon Windows Event Log Security 4688 T1112 TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2024-05-24
Suspicious mshta child process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1218 T1218.005 TTP Living Off The Land, Suspicious MSHTA Activity 2024-05-24
Unloading AMSI via Reflection Windows icon Powershell Script Block Logging 4104 T1562 T1059.001 T1059 TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-05-24
Windows AD DSRM Account Changes Windows icon Sysmon EventID 1, Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1098 TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse 2024-05-24
Windows App Layer Protocol Wermgr Connect To NamedPipe Windows icon Sysmon EventID 17, Windows icon Sysmon EventID 18 T1071 Anomaly Qakbot 2024-05-24
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1059.003 T1059 TTP DarkCrystal RAT 2024-05-24
Windows Data Destruction Recursive Exec Files Deletion Windows icon Sysmon EventID 23 T1485 TTP Data Destruction, Handala Wiper, Swift Slicer 2024-05-24
Windows Impair Defense Disable Defender Protocol Recognition Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-24
Windows Impair Defense Disable PUA Protection Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-24
Windows Impair Defenses Disable HVCI Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1562.001 T1562 TTP BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-05-24
Windows LSA Secrets NoLMhash Registry Windows icon Sysmon EventID 12, Windows icon Sysmon EventID 13 T1003.004 TTP CISA AA23-347A 2024-05-24
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1574.002 T1574 TTP Qakbot 2024-05-24
Windows Process Injection Remote Thread Windows icon Sysmon EventID 8 T1055 T1055.002 TTP Graceful Wipe Out Attack, Qakbot, Warzone RAT 2024-05-24
Windows Steal Authentication Certificates - ESC1 Authentication Windows icon Windows Event Log Security 4768, Windows icon Windows Event Log Security 4887 T1649 T1550 TTP Windows Certificate Services 2024-05-24
Windows Steal Authentication Certificates Certificate Request Windows icon Windows Event Log Security 4886 T1649 Anomaly Windows Certificate Services 2024-05-24
Windows System File on Disk Windows icon Sysmon EventID 11 T1068 Hunting CISA AA22-264A, Windows Drivers 2024-05-24
Windows Time Based Evasion CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1497 T1497.003 TTP NjRAT 2024-05-24
Detect Large Outbound ICMP Packets T1095 TTP Command And Control 2024-05-24
High Volume of Bytes Out to Url Nginx Access T1567 Anomaly Data Exfiltration 2024-05-24
Ngrok Reverse Proxy on Network Windows icon Sysmon EventID 22 T1572 T1090 T1102 Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-05-24
ConnectWise ScreenConnect Authentication Bypass Suricata T1190 TTP ConnectWise ScreenConnect Vulnerabilities 2024-05-24
F5 TMUI Authentication Bypass Suricata TTP F5 Authentication Bypass with TMUI 2024-05-24
Jenkins Arbitrary File Read CVE-2024-23897 Nginx Access T1190 TTP Jenkins Server Vulnerabilities 2024-05-24
Zscaler Privacy Risk Destinations Threat Blocked T1566 Anomaly Zscaler Browser Proxy Threats 2024-05-24
Splunk Process Injection Forwarder Bundle Downloads Splunk icon Splunk T1055 Hunting Splunk Vulnerabilities 2024-05-23
Splunk protocol impersonation weak encryption simplerequest Splunk icon Splunk T1588.004 Hunting Splunk Vulnerabilities 2024-05-23
Splunk Reflected XSS in the templates lists radio Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-05-23
Splunk Reflected XSS on App Search Table Endpoint Splunk icon Splunk T1189 Hunting Splunk Vulnerabilities 2024-05-23
aws detect permanent key creation T1078 Hunting AWS Cross Account Activity 2024-05-23
AWS Exfiltration via Batch Service AWS icon AWS CloudTrail JobCreated T1119 TTP Data Exfiltration 2024-05-23
AWS High Number Of Failed Authentications From Ip AWS icon AWS CloudTrail ConsoleLogin T1110 T1110.003 T1110.004 Anomaly AWS Identity and Access Management Account Takeover, Compromised User Account 2024-05-23
AWS IAM Assume Role Policy Brute Force AWS icon AWS CloudTrail T1580 T1110 TTP AWS IAM Privilege Escalation 2024-05-23
AWS SAML Access by Provider User and Principal AWS icon AWS CloudTrail AssumeRoleWithSAML T1078 Anomaly Cloud Federated Credential Abuse 2024-05-23
Azure AD Block User Consent For Risky Apps Disabled Azure icon Azure Active Directory Update authorization policy T1562 TTP Azure Active Directory Account Takeover 2024-05-23
Azure AD Multi-Factor Authentication Disabled Azure icon Azure Active Directory Disable Strong Authentication T1586 T1586.003 T1556 T1556.006 TTP Azure Active Directory Account Takeover 2024-05-23
Azure AD Tenant Wide Admin Consent Granted Azure icon Azure Active Directory Consent to application T1098 T1098.003 TTP Azure Active Directory Persistence, NOBELIUM Group 2024-05-23
GCP Multiple Failed MFA Requests For User Google Workspace login_failure T1586 T1586.003 T1621 T1078 T1078.004 TTP GCP Account Takeover 2024-05-23
O365 ApplicationImpersonation Role Assigned O365 T1098 T1098.002 TTP NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms 2024-05-23
O365 New Email Forwarding Rule Enabled T1114 T1114.003 TTP Office 365 Collection Techniques 2024-05-23
Allow Inbound Traffic In Firewall Rule Windows icon Powershell Script Block Logging 4104 T1021.001 T1021 TTP Prohibited Traffic Allowed or Protocol Mismatch 2024-05-23
Delete ShadowCopy With PowerShell Windows icon Powershell Script Block Logging 4104 T1490 TTP DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware 2024-05-23
Download Files Using Telegram Windows icon Sysmon EventID 15 T1105 TTP Phemedrone Stealer, Snake Keylogger, XMRig 2024-05-23
Excessive Usage Of Net App CrowdStrike ProcessRollup2, Windows icon Sysmon EventID 1, Windows icon Windows Event Log Security 4688 T1531 Anomaly Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation,