| Detection | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2025-10-16 |
| Detect Rundll32 Application Control Bypass - advpack | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-10-06 |
| Detect Rundll32 Application Control Bypass - setupapi | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-10-06 |
| Detect Rundll32 Application Control Bypass - syssetup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Rundll32 | TTP | Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity | 2025-10-06 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2025-10-25 |
| W3WP Spawning Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Web Shell | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, GhostRedirector IIS Module and Rungan Backdoor, HAFNIUM Group, Hermetic Wiper, Microsoft SharePoint Vulnerabilities, PHP-CGI RCE Attack on Japanese Organizations, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities | 2025-10-16 |
| Wget Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 | 2025-10-16 |
| Windows Change Default File Association For No File Ext | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Change Default File Association | TTP | Compromised Windows Host, Prestige Ransomware | 2025-10-06 |
| Windows Default RDP File Creation | Sysmon EventID 11 | Remote Desktop Protocol | Anomaly | Windows RDP Artifacts and Defense Evasion | 2025-10-27 |
| Windows Java Spawning Shells | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploit Public-Facing Application, External Remote Services | TTP | Cleo File Transfer Software, Log4Shell CVE-2021-44228, SAP NetWeaver Exploitation, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2025-10-25 |
| Windows Set Private Network Profile via Registry | Sysmon EventID 13 | Modify Registry | Anomaly | Secret Blizzard | 2025-10-07 |
| Wmiprsve LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2025-10-21 |