Deprecated Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-11-14 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-11-14 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-11-14 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-11-14 |
| Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | IcedID, Trickbot | 2025-01-13 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-11-14 |
| ASL AWS Excessive Security Scanning | | Cloud Service Discovery | Anomaly | AWS User Monitoring | 2024-11-14 |
| ASL AWS Password Policy Changes | | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-11-14 |
| Attempt To Stop Security Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Disable or Modify Tools, Impair Defenses | TTP | Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate | 2025-01-24 |
| Attempted Credential Dump From Registry via Reg exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse | 2025-01-15 |
| AWS Cloud Provisioning From Previously Unseen City | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-11-14 |
| AWS Cloud Provisioning From Previously Unseen Country | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-11-14 |
| AWS Cloud Provisioning From Previously Unseen IP Address | | N/A | Anomaly | AWS Suspicious Provisioning Activities | 2024-11-14 |
| AWS Cloud Provisioning From Previously Unseen Region | | Unused/Unsupported Cloud Regions | Anomaly | AWS Suspicious Provisioning Activities | 2024-11-14 |
| AWS EKS Kubernetes cluster sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2025-01-24 |
| Clients Connecting to Multiple DNS Servers | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-11-14 |
| Cloud Network Access Control List Deleted | | N/A | Anomaly | AWS Network ACL Activity | 2024-11-14 |
| Cmdline Tool Not Executed In CMD Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2025-01-24 |
| Correlation by Repository and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-11-14 |
| Correlation by User and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-11-14 |
| Create local admin accounts using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account, Create Account | TTP | Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware | 2025-01-24 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2025-01-24 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | Use Alternate Authentication Material, Pass the Hash | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-11-14 |
| Detect API activity from users without MFA | | N/A | Hunting | AWS User Monitoring | 2024-11-14 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-11-14 |
| Detect Critical Alerts from Security Tools | MS365 Defender Incident Alerts, Windows Defender Alerts | N/A | TTP | Critical Alerts | 2025-01-13 |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | | Spearphishing via Service | TTP | Common Phishing Frameworks | 2024-11-14 |
| Detect Long DNS TXT Record Response | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Suspicious DNS Traffic | 2024-11-14 |
| Detect Mimikatz Using Loaded Images | Sysmon EventID 7 | LSASS Memory, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools | 2024-11-14 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | LSASS Memory | TTP | Cloud Federated Credential Abuse | 2024-11-14 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-11-14 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-11-14 |
| Detect processes used for System Network Configuration Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | TTP | Unusual Processes | 2025-01-24 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-11-14 |
| Detect Spike in Network ACL Activity | | Disable or Modify Cloud Firewall | Anomaly | AWS Network ACL Activity | 2024-11-14 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-11-14 |
| Detect USB device insertion | | N/A | TTP | Data Protection | 2024-11-14 |
| Detect web traffic to dynamic domain providers | | Web Protocols | TTP | Dynamic DNS | 2024-11-14 |
| Detect Webshell Exploit Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Server Software Component, Web Shell | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities | 2025-01-24 |
| Detection of DNS Tunnels | | Exfiltration Over Unencrypted Non-C2 Protocol | TTP | Command And Control, Data Protection, Suspicious DNS Traffic | 2024-11-14 |
| Disabling Net User Account | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | TTP | XMRig | 2025-01-24 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | DNS | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-11-14 |
| DNS record changed | | DNS | TTP | DNS Hijacking | 2024-11-14 |
| Domain Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account, Account Discovery | TTP | Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware | 2025-01-13 |
| Domain Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | Hunting | Active Directory Discovery, Cleo File Transfer Software, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation | 2025-01-13 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | LSASS Memory | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-11-14 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-11-14 |
| EC2 Instance Started In Previously Unseen Region | | Unused/Unsupported Cloud Regions | Hunting | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-11-14 |
| EC2 Instance Started With Previously Unseen AMI | | N/A | Anomaly | AWS Cryptomining | 2025-01-16 |
| EC2 Instance Started With Previously Unseen Instance Type | | N/A | Anomaly | AWS Cryptomining | 2025-01-16 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2025-01-16 |
| Elevated Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Domain Groups | TTP | Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon | 2025-01-24 |
| Excel Spawning PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | Compromised Windows Host, Spearphishing Attachments | 2025-01-13 |
| Excel Spawning Windows Script Host | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | Compromised Windows Host, Spearphishing Attachments | 2025-01-13 |
| Excessive Service Stop Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | BlackByte Ransomware, Ransomware, XMRig | 2025-01-24 |
| Excessive Usage Of Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Access Removal | Anomaly | Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig | 2025-01-24 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | Rename System Utilities | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-11-14 |
| Extended Period Without Successful Netbackup Backups | | N/A | Hunting | Monitor Backup Solution | 2024-11-14 |
| Extraction of Registry Hives | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Account Manager, OS Credential Dumping | TTP | CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon | 2025-01-24 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-11-14 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-11-14 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-11-14 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-11-14 |
| GCP Kubernetes cluster scan detection | | Cloud Service Discovery | TTP | Kubernetes Scanning Activity | 2024-11-14 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-11-14 |
| Kubernetes AWS detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes AWS detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes AWS detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes AWS detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes Azure active service accounts by pod namespace | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes Azure detect RBAC authorization by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes Azure detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes Azure detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes Azure detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes Azure detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes Azure pod scan fingerprint | | N/A | Hunting | Kubernetes Scanning Activity | 2024-11-14 |
| Kubernetes Azure scan fingerprint | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2024-11-14 |
| Kubernetes GCP detect most active service accounts by pod | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes GCP detect RBAC authorizations by account | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes GCP detect sensitive object access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes GCP detect sensitive role access | | N/A | Hunting | Kubernetes Sensitive Role Activity | 2024-11-14 |
| Kubernetes GCP detect service accounts forbidden failure access | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Kubernetes GCP detect suspicious kubectl calls | | N/A | Hunting | Kubernetes Sensitive Object Access Activity | 2024-11-14 |
| Linux Auditd Find Private Keys | Linux Auditd Execve | Private Keys, Unsecured Credentials | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-01-24 |
| Local Account Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Account Discovery, Local Account | Hunting | Active Directory Discovery, Sandworm Tools | 2025-01-24 |
| Monitor DNS For Brand Abuse | | N/A | TTP | Brand Monitoring | 2024-11-14 |
| MSHTML Module Load in Office Product | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-01-24 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-11-14 |
| Net Localgroup Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Permission Groups Discovery, Local Groups | Hunting | Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation | 2025-01-13 |
| Network Connection Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation | 2025-01-24 |
| O365 Suspicious Admin Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-11-14 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-11-14 |
| O365 Suspicious User Email Forwarding | | Email Forwarding Rule, Email Collection | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-11-14 |
| Office Application Drop Executable | Sysmon EventID 1, Sysmon EventID 11 | Phishing, Spearphishing Attachment | TTP | AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT | 2025-01-24 |
| Office Application Spawn Regsvr32 process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Compromised Windows Host, IcedID, Qakbot | 2025-01-13 |
| Office Application Spawn rundll32 process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments, Trickbot | 2025-01-13 |
| Office Document Creating Schedule Task | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | Spearphishing Attachments | 2025-01-24 |
| Office Document Executing Macro Code | Sysmon EventID 7 | Phishing, Spearphishing Attachment | TTP | AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot | 2025-01-24 |
| Office Document Spawned Child Process To Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments | 2025-01-24 |
| Office Product Spawn CMD Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT | 2025-01-13 |
| Office Product Spawning BITSAdmin | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments | 2025-01-13 |
| Office Product Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments, Trickbot | 2025-01-13 |
| Office Product Spawning MSHTA | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments | 2025-01-13 |
| Office Product Spawning Rundll32 with no DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments | 2025-01-24 |
| Office Product Spawning Windows Script Host | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Remcos, Spearphishing Attachments | 2025-01-13 |
| Office Product Spawning Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, FIN7, Spearphishing Attachments | 2025-01-13 |
| Office Product Writing cab or inf | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-01-24 |
| Office Spawning Control | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2025-01-24 |
| Okta Account Locked Out | | Brute Force | Anomaly | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-11-14 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-11-14 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-11-14 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-11-14 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-11-14 |
| Okta Two or More Rejected Okta Pushes | | Brute Force | TTP | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-11-14 |
| Open Redirect in Splunk Web | | N/A | TTP | Splunk Vulnerabilities | 2024-12-17 |
| Osquery pack - ColdRoot detection | | N/A | TTP | ColdRoot MacOS RAT | 2024-11-14 |
| Password Policy Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | Hunting | Active Directory Discovery | 2025-01-24 |
| Processes created by netsh | Sysmon EventID 1 | Disable or Modify System Firewall | TTP | Netsh Abuse | 2024-11-14 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | N/A | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-11-14 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | Hidden Files and Directories | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-11-14 |
| Remote Registry Key modifications | Sysmon EventID 13 | N/A | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-11-14 |
| Remote System Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery, IcedID | 2025-01-13 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-11-14 |
| Spectre and Meltdown Vulnerable Systems | | N/A | TTP | Spectre And Meltdown Vulnerabilities | 2024-11-14 |
| Splunk Enterprise Information Disclosure | | N/A | TTP | Splunk Vulnerabilities | 2024-12-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-11-14 |
| Suspicious Email - UBA Anomaly | | Phishing | Anomaly | Suspicious Emails | 2024-11-14 |
| Suspicious File Write | Sysmon EventID 11 | N/A | Hunting | Hidden Cobra Malware | 2024-11-14 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-11-14 |
| Suspicious Rundll32 Rename | Sysmon EventID 1 | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities | Hunting | Masquerading - Rename System Utilities, Suspicious Rundll32 Activity | 2024-11-14 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | Masquerading | Hunting | Collection and Staging | 2024-11-14 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-11-14 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | LSASS Memory | TTP | Credential Dumping | 2024-11-14 |
| Unsuccessful Netbackup backups | | N/A | Hunting | Monitor Backup Solution | 2024-11-14 |
| Web Fraud - Account Harvesting | | Create Account | TTP | Web Fraud Detection | 2024-11-14 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-11-14 |
| Web Fraud - Password Sharing Across Accounts | | N/A | Anomaly | Web Fraud Detection | 2024-11-14 |
| Windows Command Shell Fetch Env Variables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2025-01-24 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-11-14 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-11-14 |
| Windows hosts file modification | Sysmon EventID 11 | N/A | TTP | Host Redirection | 2024-11-14 |
| Windows Lateral Tool Transfer RemCom | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Lateral Tool Transfer | TTP | Active Directory Discovery | 2024-12-10 |
| Windows Modify Registry Reg Restore | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2025-01-24 |
| Windows MSIExec With Network Connections | Sysmon EventID 1, Sysmon EventID 3 | Msiexec | TTP | Windows System Binary Proxy Execution MSIExec | 2025-01-24 |
| Windows Network Share Interaction With Net | Sysmon EventID 1 | Network Share Discovery, Data from Network Shared Drive | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery | 2025-01-24 |
| Windows Office Product Spawning MSDT | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments | 2025-01-24 |
| Windows Query Registry Reg Save | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2025-01-24 |
| Windows Service Stop Via Net and SC Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | Anomaly | Graceful Wipe Out Attack, Prestige Ransomware | 2025-01-24 |
| Windows Valid Account With Never Expires Password | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Service Stop | TTP | Azorult, Compromised Windows Host | 2025-01-24 |
| Winword Spawning Cmd | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments | 2025-01-13 |
| Winword Spawning PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments | 2025-01-13 |
| Winword Spawning Windows Script Host | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Phishing, Spearphishing Attachment | TTP | CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, Spearphishing Attachments | 2025-01-13 |