|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-10-17
|
|
7zip CommandLine To SMB Share Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
Ransomware
|
2024-10-17
|
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2024-09-30
|
|
Account Discovery With Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
TTP
|
IcedID, Trickbot
|
2024-09-30
|
|
Active Directory Lateral Movement Identified
|
|
Exploitation of Remote Services
|
Correlation
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Active Directory Privilege Escalation Identified
|
|
Domain or Tenant Policy Modification
|
Correlation
|
Active Directory Privilege Escalation
|
2024-09-30
|
|
Active Setup Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
Active Setup
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-09-30
|
|
Add DefaultUser And Password In Registry
|
Sysmon EventID 13
|
Credentials in Registry
Unsecured Credentials
|
Anomaly
|
BlackMatter Ransomware
|
2024-09-30
|
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics
|
2024-09-30
|
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2
|
2024-09-30
|
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
BlackByte Ransomware, Ransomware
|
2024-09-30
|
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-09-30
|
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch
|
2024-09-30
|
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware
|
2024-09-30
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
Abuse Elevation Control Mechanism
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Anomalous usage of 7zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Anomaly
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group
|
2024-09-30
|
|
Any Powershell DownloadFile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
Ingress Tool Transfer
|
TTP
|
Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer
|
2024-09-30
|
|
Any Powershell DownloadString
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
Ingress Tool Transfer
|
TTP
|
Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern
|
2024-09-30
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Match Legitimate Name or Location
Masquerading
OS Credential Dumping
Active Scanning
|
TTP
|
CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig
|
2024-09-30
|
|
Attempt To Add Certificate To Untrusted Store
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Install Root Certificate
Subvert Trust Controls
|
TTP
|
Disabling Security Tools
|
2024-09-30
|
|
Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2024-09-30
|
|
Attempted Credential Dump From Registry via Reg exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
OS Credential Dumping
|
TTP
|
CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse
|
2024-09-30
|
|
Auto Admin Logon Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Credentials in Registry
Unsecured Credentials
|
TTP
|
BlackMatter Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Batch File Write to System32
|
Sysmon EventID 1, Sysmon EventID 11
|
User Execution
Malicious File
|
TTP
|
SamSam Ransomware
|
2024-09-30
|
|
Bcdedit Command Back To Normal Mode Boot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
BlackMatter Ransomware
|
2024-09-30
|
|
BCDEdit Failure Recovery Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Ransomware, Ryuk Ransomware
|
2024-09-30
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-09-30
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-09-30
|
|
CertUtil Download With URLCache and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell
|
2024-09-30
|
|
CertUtil Download With VerifyCtl and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land
|
2024-09-30
|
|
Certutil exe certificate extraction
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
TTP
|
Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques
|
2024-09-30
|
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Deobfuscate/Decode Files or Information
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land
|
2024-09-30
|
|
Change Default File Association
|
Sysmon EventID 12, Sysmon EventID 13
|
Change Default File Association
Event Triggered Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
|
Change To Safe Mode With Network Config
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
BlackMatter Ransomware
|
2024-09-30
|
|
CHCP Command Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Azorult, Forest Blizzard, IcedID
|
2024-09-30
|
|
Check Elevated CMD using whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
TTP
|
FIN7
|
2024-09-30
|
|
Child Processes of Spoolsv exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-17
|
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Indicator Removal
|
TTP
|
Ransomware
|
2024-09-30
|
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Clop Ransomware
|
2024-09-30
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
|
TTP
|
Clop Ransomware
|
2024-09-30
|
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Command and Scripting Interpreter
|
Hunting
|
AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern
|
2024-10-17
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
Windows Service
Create or Modify System Process
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Cmdline Tool Not Executed In CMD Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
JavaScript
|
TTP
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon
|
2024-09-30
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT
|
2024-09-30
|
|
Cobalt Strike Named Pipes
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot
|
2024-09-30
|
|
Common Ransomware Extensions
|
Sysmon EventID 11
|
Data Destruction
|
Hunting
|
Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2024-10-17
|
|
Common Ransomware Notes
|
Sysmon EventID 11
|
Data Destruction
|
Hunting
|
Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2024-10-17
|
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-09-30
|
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
Exploit Public-Facing Application
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-09-30
|
|
Conti Common Exec parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Ransomware
|
2024-09-30
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Control Panel
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2024-09-30
|
|
Create local admin accounts using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
Create Account
|
TTP
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2024-09-30
|
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
Network Share Connection Removal
|
TTP
|
CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2024-09-30
|
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
LSASS Memory
OS Credential Dumping
|
TTP
|
BlackSuit Ransomware, Credential Dumping
|
2024-09-30
|
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA22-257A, Credential Dumping
|
2024-09-30
|
|
Creation of Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping, Volt Typhoon
|
2024-09-30
|
|
Creation of Shadow Copy with wmic and powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping, Living Off The Land, Volt Typhoon
|
2024-09-30
|
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping
|
2024-09-30
|
|
Credential Dumping via Symlink to Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping
|
2024-09-30
|
|
Crowdstrike Admin Weak Password Policy
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike Admin With Duplicate Password
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike High Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike Medium Identity Risk Severity
|
|
Brute Force
|
TTP
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike Medium Severity Alert
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike Multiple LOW Severity Alerts
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike User Weak Password Policy
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-09-30
|
|
Crowdstrike User with Duplicate Password
|
|
Brute Force
|
Anomaly
|
Compromised Windows Host
|
2024-09-30
|
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compile After Delivery
Obfuscated Files or Information
|
Hunting
|
Windows Defense Evasion Tactics
|
2024-10-17
|
|
Curl Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2024-09-30
|
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
Inhibit System Recovery
|
TTP
|
DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware
|
2024-09-30
|
|
Deleting Of Net Users
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
TTP
|
DarkGate Malware, Graceful Wipe Out Attack, XMRig
|
2024-09-30
|
|
Deleting Shadow Copies
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation
|
2024-09-30
|
|
Detect AzureHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
Windows Discovery Techniques
|
2024-09-30
|
|
Detect AzureHound File Modifications
|
Sysmon EventID 11
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
Windows Discovery Techniques
|
2024-09-30
|
|
Detect Baron Samedit CVE-2021-3156
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-10-17
|
|
Detect Baron Samedit CVE-2021-3156 Segfault
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-10-17
|
|
Detect Baron Samedit CVE-2021-3156 via OSQuery
|
|
Exploitation for Privilege Escalation
|
TTP
|
Baron Samedit CVE-2021-3156
|
2024-10-17
|
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Windows Certificate Services
|
2024-09-30
|
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2024-09-30
|
|
Detect Certipy File Modifications
|
Sysmon EventID 1, Sysmon EventID 11
|
Steal or Forge Authentication Certificates
Archive Collected Data
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services
|
2024-09-30
|
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
Exploitation of Remote Services
|
Hunting
|
Detect Zerologon Attack
|
2024-10-17
|
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
Security Account Manager
OS Credential Dumping
|
TTP
|
Credential Dumping
|
2024-09-30
|
|
Detect Credential Dumping through LSASS access
|
Sysmon EventID 10
|
LSASS Memory
OS Credential Dumping
|
TTP
|
BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack
|
2024-09-30
|
|
Detect Critical Alerts from Security Tools
|
MS365 Defender Incident Alerts, Windows Defender Alerts
|
N/A
|
TTP
|
Critical Alerts
|
2024-10-09
|
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
Valid Accounts
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Detect Excessive User Account Lockouts
|
|
Valid Accounts
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2024-09-30
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
Hunting
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-10-17
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity
|
2024-09-30
|
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-09-30
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-09-30
|
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
OS Credential Dumping
PowerShell
|
TTP
|
CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools
|
2024-09-30
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Gozi Malware, Living Off The Land, Suspicious MSHTA Activity
|
2024-09-30
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
Hunting
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-10-17
|
|
Detect MSHTA Url in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-09-30
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
Local Account
Create Account
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group
|
2024-09-30
|
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Attachment
|
TTP
|
Amadey, Remcos, Spearphishing Attachments
|
2024-10-17
|
|
Detect Password Spray Attack Behavior From Source
|
|
Password Spraying
Brute Force
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
Detect Password Spray Attack Behavior On User
|
|
Password Spraying
Brute Force
|
TTP
|
Compromised User Account
|
2024-09-30
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Unquoted Path
Hijack Execution Flow
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
|
Detect processes used for System Network Configuration Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Configuration Discovery
|
TTP
|
Unusual Processes
|
2024-09-30
|
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2024-10-17
|
|
Detect PsExec With accepteula Flag
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon
|
2024-09-30
|
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
Anomaly
|
Rhysida Ransomware, Unusual Processes
|
2024-09-30
|
|
Detect RClone Command-Line Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Automated Exfiltration
|
TTP
|
DarkSide Ransomware, Ransomware
|
2024-09-30
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-30
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity
|
2024-09-30
|
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-09-30
|
|
Detect Remote Access Software Usage FileInfo
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Anomaly
|
Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-09-30
|
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-09-30
|
|
Detect Renamed 7-Zip
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
Collection and Staging
|
2024-10-17
|
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Services
Service Execution
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools
|
2024-10-17
|
|
Detect Renamed RClone
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Automated Exfiltration
|
Hunting
|
DarkSide Ransomware, Ransomware
|
2024-10-17
|
|
Detect Renamed WinRAR
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
CISA AA22-277A, Collection and Staging
|
2024-10-17
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
Right-to-Left Override
Masquerading
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Right-to-Left Override
Masquerading
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Detect Rundll32 Application Control Bypass - advpack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Detect Rundll32 Application Control Bypass - setupapi
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Detect Rundll32 Application Control Bypass - syssetup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity
|
2024-09-30
|
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-09-30
|
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-09-30
|
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2024-09-30
|
|
Detect suspicious processnames using pretrained model in DSDL
|
Sysmon EventID 1
|
Command and Scripting Interpreter
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-10-17
|
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2024-09-30
|
|
Detect Webshell Exploit Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2024-09-30
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
Windows Management Instrumentation Event Subscription
Event Triggered Execution
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-10-17
|
|
Disable AMSI Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA24-241A, IcedID, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse
|
2024-09-30
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-09-30
|
|
Disable ETW Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2024-09-30
|
|
Disable Registry Tool
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disable Show Hidden Files
|
Sysmon EventID 12, Sysmon EventID 13
|
Hidden Files and Directories
Disable or Modify Tools
Hide Artifacts
Impair Defenses
Modify Registry
|
Anomaly
|
Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Registry Abuse, XMRig
|
2024-09-30
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
Steal or Forge Kerberos Tickets
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Disabled Kerberos Pre-Authentication Discovery With PowerView
|
Powershell Script Block Logging 4104
|
Steal or Forge Kerberos Tickets
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Disabling CMD Application
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling ControlPanel
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Defender Services
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, RedLine Stealer, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Net User Account
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
TTP
|
XMRig
|
2024-09-30
|
|
Disabling NoRun Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Remote User Account Control
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling SystemRestore In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Inhibit System Recovery
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Task Manager
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-10-17
|
|
DNS Exfiltration Using Nslookup App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Alternative Protocol
|
TTP
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-10-23
|
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Domain Account Discovery With Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-09-30
|
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware
|
2024-09-30
|
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Domain Group Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Domain Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Domain Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Download Files Using Telegram
|
Sysmon EventID 15
|
Ingress Tool Transfer
|
TTP
|
Phemedrone Stealer, Snake Keylogger, XMRig
|
2024-09-30
|
|
Drop IcedID License dat
|
Sysmon EventID 11
|
User Execution
Malicious File
|
Hunting
|
IcedID
|
2024-10-17
|
|
DSQuery Domain Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery, Domain Trust Discovery
|
2024-09-30
|
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA22-257A, CISA AA22-264A, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon
|
2024-09-30
|
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA22-257A, Credential Dumping, HAFNIUM Group
|
2024-09-30
|
|
Elevated Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon
|
2024-09-30
|
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Enable RDP In Other Port Number
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Services
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-09-30
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
OS Credential Dumping
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2024-09-30
|
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
Account Discovery
|
TTP
|
XMRig
|
2024-09-30
|
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
OS Credential Dumping
|
Hunting
|
Credential Dumping, Living Off The Land
|
2024-10-17
|
|
ETW Registry Disabled
|
Sysmon EventID 12, Sysmon EventID 13
|
Indicator Blocking
Trusted Developer Utilities Proxy Execution
Impair Defenses
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
|
Eventvwr UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Excel Spawning PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
OS Credential Dumping
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Excel Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
OS Credential Dumping
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Excessive Attempt To Disable Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Anomaly
|
Azorult, XMRig
|
2024-09-30
|
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-09-30
|
|
Excessive File Deletion In WinDefender Folder
|
Sysmon EventID 23
|
Data Destruction
|
TTP
|
BlackByte Ransomware, Data Destruction, WhisperGate
|
2024-09-30
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-09-30
|
|
Excessive Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Anomaly
|
BlackByte Ransomware, Ransomware, XMRig
|
2024-09-30
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig
|
2024-09-30
|
|
Excessive Usage Of Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Access Removal
|
Anomaly
|
Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig
|
2024-09-30
|
|
Excessive Usage of NSLOOKUP App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Alternative Protocol
|
Anomaly
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-09-30
|
|
Excessive Usage Of SC Service Utility
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Services
Service Execution
|
Anomaly
|
Azorult, Ransomware
|
2024-09-30
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig
|
2024-09-30
|
|
Exchange PowerShell Abuse via SSRF
|
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-10-17
|
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2024-09-30
|
|
Executable File Written in Administrative SMB Share
|
Windows Event Log Security 5145
|
Remote Services
SMB/Windows Admin Shares
|
TTP
|
Active Directory Lateral Movement, BlackSuit Ransomware, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot
|
2024-09-30
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
Masquerading
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-09-30
|
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Visual Basic
|
TTP
|
Ransomware
|
2024-09-30
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
|
TTP
|
AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2024-09-30
|
|
Extraction of Registry Hives
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Account Manager
OS Credential Dumping
|
TTP
|
CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon
|
2024-09-30
|
|
File with Samsam Extension
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
TTP
|
SamSam Ransomware
|
2024-09-30
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics
|
2024-09-30
|
|
First Time Seen Child Process of Zoom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
|
Anomaly
|
Suspicious Zoom Child Processes
|
2024-10-17
|
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
System Services
Service Execution
|
Anomaly
|
NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse
|
2024-10-17
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
IcedID, ValleyRAT, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-09-30
|
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2024-10-17
|
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2024-10-17
|
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-09-30
|
|
Get ADUserResultantPasswordPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-09-30
|
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get DomainPolicy with Powershell Script Block
|
Powershell Script Block Logging 4104
|
Password Policy Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get-DomainTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-09-30
|
|
Get DomainUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-09-30
|
|
Get-ForestTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
PowerShell
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetAdComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetAdComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-320A, Gozi Malware
|
2024-10-17
|
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Domain Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetCurrent User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetDomainComputer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetDomainComputer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetDomainGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Discovery
Local Account
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Account Discovery
Local Account
PowerShell
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2024-10-17
|
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
GetWmiObject Ds Computer with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject Ds Group with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject Ds Group with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Domain Groups
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject DS User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject DS User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Discovery
Local Account
|
Hunting
|
Active Directory Discovery, Winter Vivern
|
2024-10-17
|
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Account Discovery
Local Account
PowerShell
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2024-10-17
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
TTP
|
Forest Blizzard
|
2024-09-30
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
Hunting
|
Forest Blizzard
|
2024-10-17
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Warzone RAT, Windows Registry Abuse, XMRig
|
2024-09-30
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Azorult, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2024-09-30
|
|
High Frequency Copy Of Files In Network Share
|
Windows Event Log Security 5145
|
Transfer Data to Cloud Account
|
Anomaly
|
Information Sabotage, Insider Threat
|
2024-09-30
|
|
High Process Termination Frequency
|
Sysmon EventID 5
|
Data Encrypted for Impact
|
Anomaly
|
BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger
|
2024-09-30
|
|
Hunting 3CXDesktopApp Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
Hunting
|
3CX Supply Chain Attack
|
2024-10-17
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Azorult, Sandworm Tools, XMRig
|
2024-09-30
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Ransomware, XMRig
|
2024-09-30
|
|
IcedID Exfiltrated Archived File Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Hunting
|
IcedID
|
2024-10-17
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-09-30
|
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-09-30
|
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
JavaScript
|
TTP
|
FIN7, Remcos
|
2024-09-30
|
|
Kerberoasting spn request with RC4 encryption
|
Windows Event Log Security 4769
|
Steal or Forge Kerberos Tickets
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-16
|
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
Steal or Forge Kerberos Tickets
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-09-30
|
|
Kerberos Pre-Authentication Flag Disabled with PowerShell
|
Powershell Script Block Logging 4104
|
Steal or Forge Kerberos Tickets
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Kerberos Service Ticket Request Using RC4 Encryption
|
Windows Event Log Security 4769
|
Steal or Forge Kerberos Tickets
Golden Ticket
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2024-09-30
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
Gather Victim Identity Information
Email Addresses
|
Anomaly
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Known Services Killed by Ransomware
|
Windows Event Log System 7036
|
Inhibit System Recovery
|
TTP
|
BlackMatter Ransomware, LockBit Ransomware, Ransomware
|
2024-09-30
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidRain
|
2024-09-30
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1
|
Local Account
Create Account
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
|
Linux apt-get Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
Local Account
Create Account
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
Create Account
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
At
Scheduled Task/Job
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Auditd Auditd Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
Deobfuscate/Decode Files or Information
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
|
Linux Auditd Clipboard Data Copy
|
Linux Auditd Execve
|
Clipboard Data
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land
|
2024-09-30
|
|
Linux Auditd Data Destruction Command
|
Linux Auditd Execve
|
Data Destruction
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2024-09-30
|
|
Linux Auditd Data Transfer Size Limits Via Split
|
Linux Auditd Execve
|
Data Transfer Size Limits
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Data Transfer Size Limits Via Split Syscall
|
Linux Auditd Syscall
|
Data Transfer Size Limits
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Database File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Dd File Overwrite
|
Linux Auditd Proctitle
|
Data Destruction
|
TTP
|
Compromised Linux Host, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Path
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
Cron
Scheduled Task/Job
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Auditd File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Find Credentials From Password Managers
|
Linux Auditd Execve
|
Password Managers
Credentials from Password Stores
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Find Credentials From Password Stores
|
Linux Auditd Execve
|
Password Managers
Credentials from Password Stores
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Find Private Keys
|
Linux Auditd Execve
|
Private Keys
Unsecured Credentials
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Find Ssh Private Keys
|
Linux Auditd Execve
|
Private Keys
Unsecured Credentials
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Hardware Addition Swapoff
|
Linux Auditd Execve
|
Hardware Additions
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction
|
2024-09-30
|
|
Linux Auditd Hidden Files And Directories Creation
|
Linux Auditd Execve
|
File and Directory Discovery
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
System Information Discovery
Rootkit
|
Anomaly
|
Compromised Linux Host, Linux Rootkit
|
2024-09-30
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Osquery Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Possible Access To Credential Files
|
Linux Auditd Proctitle
|
/etc/passwd and /etc/shadow
OS Credential Dumping
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Path
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path
|
Cron
Scheduled Task/Job
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
Service Execution
System Services
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Shred Overwrite Command
|
Linux Auditd Proctitle
|
Data Destruction
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Stop Services
|
Linux Auditd Service Stop
|
Service Stop
|
TTP
|
AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Sysmon Service Stop
|
Linux Auditd Service Stop
|
Service Stop
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd System Network Configuration Discovery
|
Linux Auditd Syscall
|
System Network Configuration Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path
|
Unix Shell Configuration Modification
Event Triggered Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Virtual Disk File And Directory Discovery
|
Linux Auditd Execve
|
File and Directory Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Auditd Whoami User Discovery
|
Linux Auditd Syscall
|
System Owner/User Discovery
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
Clipboard Data
|
Anomaly
|
Linux Living Off The Land
|
2024-09-30
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Curl Upload File
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land
|
2024-09-30
|
|
Linux Data Destruction Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
Unix Shell
|
TTP
|
Linux Living Off The Land
|
2024-09-30
|
|
Linux Deleting Critical Directory Using RM Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2024-09-30
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, AcidRain, Data Destruction
|
2024-09-30
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, AcidRain, AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidPour, AcidRain
|
2024-09-30
|
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
Service Stop
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
RC Scripts
Boot or Logon Initialization Scripts
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
Hardware Additions
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidRain, Data Destruction
|
2024-09-30
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
AwfulShred, Data Destruction
|
2024-10-17
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
Indicator Removal
|
TTP
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
File Deletion
Indicator Removal
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Hunting
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-10-17
|
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
Ingress Tool Transfer
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-09-30
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Cyclops Blink, Sandworm Tools
|
2024-09-30
|
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-09-30
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
System Information Discovery
Rootkit
|
Anomaly
|
Linux Rootkit
|
2024-09-30
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
Masquerade Task or Service
Masquerading
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2024-10-17
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
Reverse Network Proxy
|
2024-09-30
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
|
Anomaly
|
Linux Living Off The Land
|
2024-09-30
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
Abuse Elevation Control Mechanism
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
Exploitation for Privilege Escalation
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
/etc/passwd and /etc/shadow
OS Credential Dumping
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
Proxy
Non-Application Layer Protocol
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-09-30
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
Data Destruction
|
TTP
|
AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land
|
2024-09-30
|
|
Linux SSH Remote Services Script Execute
|
Sysmon for Linux EventID 1
|
SSH
|
TTP
|
Linux Living Off The Land
|
2024-09-30
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2024-10-17
|
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
Service Stop
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-09-30
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Linux System Network Discovery
|
Sysmon for Linux EventID 1
|
System Network Configuration Discovery
|
Anomaly
|
Data Destruction, Industroyer2, Network Discovery
|
2024-09-30
|
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
System Shutdown/Reboot
|
TTP
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
Unix Shell
Command and Scripting Interpreter
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-09-30
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-09-30
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
Process Injection
Dynamic-link Library Injection
|
TTP
|
AsyncRAT, Remcos
|
2024-09-30
|
|
Local Account Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Discovery
Local Account
|
Hunting
|
Active Directory Discovery, Sandworm Tools
|
2024-10-17
|
|
Local Account Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Account Discovery
Local Account
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-09-30
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
Boot or Logon Initialization Scripts
Logon Script (Windows)
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-09-30
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
Ingress Tool Transfer
Exfiltration Over Web Service
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-10-17
|
|
MacOS LOLbin
|
|
Unix Shell
Command and Scripting Interpreter
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
MacOS plutil
|
osquery
|
Plist File Modification
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Mailsniper Invoke functions
|
Powershell Script Block Logging 4104
|
Email Collection
Local Email Collection
|
TTP
|
Data Exfiltration
|
2024-09-30
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Regsvr32
Modify Registry
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2024-09-30
|
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
Malicious PowerShell, Rhysida Ransomware
|
2024-09-30
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Obfuscated Files or Information
|
Hunting
|
CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate
|
2024-10-17
|
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon
|
2024-09-30
|
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools
|
2024-09-30
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
MMC
|
TTP
|
Active Directory Lateral Movement, Living Off The Land
|
2024-09-30
|
|
Modification Of Wallpaper
|
Sysmon EventID 13
|
Defacement
|
TTP
|
BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
XMRig
|
2024-09-30
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 12, Sysmon EventID 13
|
Port Monitors
Boot or Logon Autostart Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
MOVEit Certificate Store Access Failure
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-10-17
|
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
Exploit Public-Facing Application
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-10-17
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
Server Software Component
Web Shell
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2024-10-17
|
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
Command and Scripting Interpreter
JavaScript
|
Anomaly
|
FIN7
|
2024-09-30
|
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
Command and Scripting Interpreter
JavaScript
|
Anomaly
|
FIN7
|
2024-09-30
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
Trusted Developer Utilities Proxy Execution
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild
|
2024-09-30
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
IcedID, Living Off The Land, Trickbot
|
2024-09-30
|
|
MSHTML Module Load in Office Product
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-09-30
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-17
|
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Ransomware, Revil Ransomware
|
2024-09-30
|
|
Net Localgroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation
|
2024-10-17
|
|
NET Profiler UAC bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Network Connection Discovery With Arp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2024-10-17
|
|
Network Connection Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2024-10-17
|
|
Network Discovery Using Route Windows App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Configuration Discovery
Internet Connection Discovery
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation
|
2024-10-17
|
|
Network Share Discovery Via Dir Command
|
Windows Event Log Security 5140
|
Network Share Discovery
|
Hunting
|
IcedID
|
2024-10-17
|
|
Network Traffic to Active Directory Web Services Protocol
|
Sysmon EventID 3
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
Hunting
|
Windows Discovery Techniques
|
2024-10-17
|
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
HAFNIUM Group
|
2024-09-30
|
|
NLTest Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Trust Discovery
|
TTP
|
Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware
|
2024-09-30
|
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
Credentials from Password Stores
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT
|
2024-09-30
|
|
Non Firefox Process Access Firefox Profile Dir
|
Windows Event Log Security 4663
|
Credentials from Password Stores
Credentials from Web Browsers
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT
|
2024-09-30
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-09-30
|
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon
|
2024-09-30
|
|
Office Application Drop Executable
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Warzone RAT
|
2024-09-30
|
|
Office Application Spawn Regsvr32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
IcedID, Qakbot
|
2024-09-30
|
|
Office Application Spawn rundll32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot
|
2024-09-30
|
|
Office Document Creating Schedule Task
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Office Document Executing Macro Code
|
Sysmon EventID 7
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot
|
2024-09-30
|
|
Office Document Spawned Child Process To Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Spawn CMD Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT
|
2024-09-30
|
|
Office Product Spawning BITSAdmin
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Trickbot
|
2024-09-30
|
|
Office Product Spawning MSHTA
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Spawning Rundll32 with no DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Spawning Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, FIN7, Spearphishing Attachments
|
2024-09-30
|
|
Office Product Writing cab or inf
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-09-30
|
|
Office Spawning Control
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-09-30
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-09-30
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
Event Triggered Execution
Accessibility Features
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2024-09-30
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-10-17
|
|
Password Policy Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Policy Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Ransomware, Sandworm Tools
|
2024-09-30
|
|
PetitPotam Network Share Access Request
|
Windows Event Log Security 5145
|
Forced Authentication
|
TTP
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-09-30
|
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
OS Credential Dumping
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-09-30
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
Time Based Evasion
|
Anomaly
|
BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate
|
2024-09-30
|
|
Possible Browser Pass View Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Web Browsers
Credentials from Password Stores
|
Hunting
|
Remcos
|
2024-10-17
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-17
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-10-17
|
|
Potentially malicious code on commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-09-30
|
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
Hunting
|
Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Malicious PowerShell, Rhysida Ransomware
|
2024-10-17
|
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Command and Scripting Interpreter
|
Hunting
|
AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
2024-10-17
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
Indicator Removal from Tools
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA24-241A, Ransomware, Revil Ransomware
|
2024-09-30
|
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Malicious PowerShell
|
2024-09-30
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
Indicator Removal from Tools
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-09-30
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Event Triggered Execution
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-09-30
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Process Injection
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Obfuscated Files or Information
PowerShell
|
TTP
|
AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern
|
2024-09-30
|
|
PowerShell Get LocalGroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
Anomaly
|
Active Directory Lateral Movement, Malicious PowerShell
|
2024-09-30
|
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
MetaSploit
|
2024-09-30
|
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern
|
2024-09-30
|
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak
|
2024-09-30
|
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
Windows Remote Management
Remote Services
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
Trickbot
|
2024-09-30
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Data Destruction, WhisperGate
|
2024-09-30
|
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2024-09-30
|
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak
|
2024-09-30
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, MoonPeak
|
2024-09-30
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Prevent Automatic Repair Mode using Bcdedit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Chaos Ransomware, Ransomware
|
2024-09-30
|
|
Print Processor Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-10-17
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 808
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 1, Sysmon EventID 11
|
Phishing
Spearphishing Link
|
TTP
|
Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments
|
2024-09-30
|
|
Process Deleting Its Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Clop Ransomware, Data Destruction, Remcos, WhisperGate
|
2024-09-30
|
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
Process Kill Base On File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
XMRig
|
2024-09-30
|
|
Process Writing DynamicWrapperX
|
Sysmon EventID 1, Sysmon EventID 11
|
Command and Scripting Interpreter
Component Object Model
|
Hunting
|
Remcos
|
2024-10-17
|
|
Processes launching netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon
|
2024-09-30
|
|
Processes Tapping Keyboard Events
|
|
N/A
|
TTP
|
ColdRoot MacOS RAT
|
2024-10-17
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task/Job
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2024-10-17
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
Windows Service
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2024-10-17
|
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
Anomaly
|
BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware
|
2024-09-30
|
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
PowerShell
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot
|
2024-09-30
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Indicator Removal
|
TTP
|
Ransomware
|
2024-09-30
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2024-09-30
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 12, Sysmon EventID 13
|
Application Shimming
Event Triggered Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 12, Sysmon EventID 13
|
Image File Execution Options Injection
Event Triggered Execution
|
TTP
|
Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity
|
2024-09-30
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
Anomaly
|
AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity
|
2024-09-30
|
|
Remcos client registry install entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Remcos, Windows Registry Abuse
|
2024-09-30
|
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
Hunting
|
Active Directory Lateral Movement, Hidden Cobra Malware
|
2024-10-17
|
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via DCOM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote Services
Distributed Component Object Model
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use
|
2024-09-30
|
|
Remote Process Instantiation via WMI and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Remote System Discovery with Adsisearcher
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Remote System Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Remote System Discovery with Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
Hunting
|
Active Directory Discovery, IcedID
|
2024-10-17
|
|
Remote System Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Remote WMI Command Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon
|
2024-09-30
|
|
Resize ShadowStorage volume
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
BlackByte Ransomware, Clop Ransomware
|
2024-09-30
|
|
Revil Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Ransomware, Revil Ransomware
|
2024-09-30
|
|
Revil Registry Entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
Steal or Forge Kerberos Tickets
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Access Token Manipulation
Token Impersonation/Theft
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-17
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2024-10-17
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
Anomaly
|
Ransomware
|
2024-09-30
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Living Off The Land, Unusual Processes
|
2024-09-30
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2024-09-30
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2024-09-30
|
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
TTP
|
Ryuk Ransomware
|
2024-09-30
|
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
TTP
|
Ryuk Ransomware
|
2024-09-30
|
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
Security Account Manager
OS Credential Dumping
|
Hunting
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-10-17
|
|
Samsam Test File Write
|
Sysmon EventID 11
|
Data Encrypted for Impact
|
TTP
|
SamSam Ransomware
|
2024-09-30
|
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
Create or Modify System Process
|
TTP
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2024-09-30
|
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
Domain Account
Account Discovery
|
Anomaly
|
BlackMatter Ransomware
|
2024-09-30
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-09-30
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-09-30
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2024-09-30
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 12, Sysmon EventID 13
|
Event Triggered Execution
Screensaver
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
|
Script Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
Sdclt UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
Masquerading - Rename System Utilities
|
2024-09-30
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
SecretDumps Offline NTDS Dumping Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
NTDS
OS Credential Dumping
|
TTP
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-09-30
|
|
ServicePrincipalNames Discovery with PowerShell
|
Powershell Script Block Logging 4104
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell
|
2024-09-30
|
|
ServicePrincipalNames Discovery with SetSPN
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Kerberoasting
|
TTP
|
Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation
|
2024-09-30
|
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2024-09-30
|
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks
|
2024-09-30
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Account
Create Account
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
SilentCleanup UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
Malicious File
|
TTP
|
DHS Report TA18-074A
|
2024-09-30
|
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Spike in File Writes
|
Sysmon EventID 11
|
N/A
|
Anomaly
|
Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2024-10-17
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
Exploitation for Privilege Escalation
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Spoolsv Writing a DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
Data from Local System
|
TTP
|
IcedID
|
2024-09-30
|
|
Steal or Forge Authentication Certificates Behavior Identified
|
|
Steal or Forge Authentication Certificates
|
Correlation
|
Windows Certificate Services
|
2024-09-30
|
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 22, Sysmon EventID 7
|
Exploitation for Client Execution
|
TTP
|
NOBELIUM Group
|
2024-10-17
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-30
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
Masquerading
|
TTP
|
AsyncRAT, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon
|
2024-09-30
|
|
Suspicious Curl Network Connection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow
|
2024-10-17
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
Create or Modify System Process
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2024-09-30
|
|
Suspicious Event Log Service Behavior
|
Windows Event Log Security 1100
|
Indicator Removal
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2024-10-17
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
|
Suspicious Image Creation In Appdata Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-30
|
|
Suspicious Linux Discovery Commands
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Unix Shell
|
TTP
|
Linux Post-Exploitation
|
2024-09-30
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2024-10-17
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2024-09-30
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
MSBuild
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-09-30
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
MSBuild
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-10-17
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
MSBuild
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-09-30
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-09-30
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-09-30
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-10-17
|
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-10-17
|
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
Visual Basic
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate
|
2024-09-30
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
Amadey, Remcos, Snake Keylogger, Unusual Processes
|
2024-09-30
|
|
Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-09-30
|
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
Visual Basic
Command and Scripting Interpreter
|
Anomaly
|
Data Destruction, WhisperGate
|
2024-09-30
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
TTP
|
IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity
|
2024-09-30
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2024-09-30
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID
|
2024-09-30
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot
|
2024-09-30
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
|
Suspicious SQLite3 LSQuarantine Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Staged
|
TTP
|
Silver Sparrow
|
2024-10-17
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-10-17
|
|
Suspicious WAV file in Appdata Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Screen Capture
|
TTP
|
Remcos
|
2024-09-30
|
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
Indicator Removal
|
TTP
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-09-30
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
Masquerading
|
TTP
|
Collection and Staging, PlugX
|
2024-09-30
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Gather Victim Host Information
|
Hunting
|
Remcos
|
2024-10-17
|
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
TTP
|
BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques
|
2024-09-30
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-09-30
|
|
System User Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
System User Discovery With Whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern
|
2024-10-17
|
|
Time Provider Persistence Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Time Providers
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Trickbot
|
2024-09-30
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
Bypass User Account Control
Abuse Elevation Control Mechanism
MMC
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-09-30
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
System Binary Proxy Execution
|
TTP
|
Ransomware
|
2024-09-30
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-09-30
|
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2024-09-30
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
Impair Defenses
PowerShell
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-10-17
|
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
Steal or Forge Kerberos Tickets
Kerberoasting
|
Anomaly
|
Active Directory Kerberos Attacks
|
2024-10-17
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-10-17
|
|
Unusually Long Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
Anomaly
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes
|
2024-10-17
|
|
Unusually Long Command Line - MLTK
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
N/A
|
Anomaly
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes
|
2024-10-17
|
|
User Discovery With Env Vars PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
User Discovery With Env Vars PowerShell Script Block
|
Powershell Script Block Logging 4104
|
System Owner/User Discovery
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Ransomware, Windows Log Manipulation
|
2024-09-30
|
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Visual Basic
Command and Scripting Interpreter
|
TTP
|
AsyncRAT, FIN7, Remcos
|
2024-09-30
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Verclsid
System Binary Proxy Execution
|
Hunting
|
Unusual Processes
|
2024-10-17
|
|
W3WP Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities
|
2024-09-30
|
|
WBAdmin Delete System Backups
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Inhibit System Recovery
|
TTP
|
Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware
|
2024-09-30
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2024-09-30
|
|
Wermgr Process Connecting To IP Check Web Services
|
Sysmon EventID 22
|
Gather Victim Network Information
IP Addresses
|
TTP
|
Trickbot
|
2024-09-30
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Trickbot
|
2024-09-30
|
|
Wermgr Process Spawned CMD Or Powershell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Qakbot, Trickbot
|
2024-09-30
|
|
Wget Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer, Log4Shell CVE-2021-44228
|
2024-09-30
|
|
Windows Abused Web Services
|
Sysmon EventID 22
|
Web Service
|
TTP
|
CISA AA24-241A, NjRAT
|
2024-09-30
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
Create Process with Token
Access Token Manipulation
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX, ValleyRAT
|
2024-09-30
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
Token Impersonation/Theft
Access Token Manipulation
|
Hunting
|
Brute Ratel C4
|
2024-10-17
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
Token Impersonation/Theft
Access Token Manipulation
|
Anomaly
|
Brute Ratel C4
|
2024-09-30
|
|
Windows Account Discovery for None Disable User Account
|
Powershell Script Block Logging 4104
|
Account Discovery
Local Account
|
Hunting
|
CISA AA23-347A
|
2024-10-17
|
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
Account Discovery
|
Anomaly
|
CISA AA23-347A
|
2024-09-30
|
|
Windows Account Discovery With NetUser PreauthNotRequire
|
Powershell Script Block Logging 4104
|
Account Discovery
|
Hunting
|
CISA AA23-347A
|
2024-10-17
|
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
Account Discovery
Domain Account
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware
|
2024-09-30
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
Event Triggered Execution
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Domain Replication ACL Addition
|
|
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Privileged Object Access Activity
|
Windows Event Log Security 4662
|
Account Discovery
Domain Account
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware
|
2024-09-30
|
|
Windows AD Replication Request Initiated by User Account
|
Windows Event Log Security 4662
|
DCSync
OS Credential Dumping
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
DCSync
OS Credential Dumping
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2024-09-30
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-10-16
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
Access Token Manipulation
SID-History Injection
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows AdFind Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote System Discovery
|
TTP
|
BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group
|
2024-10-17
|
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
Local Groups
|
Anomaly
|
NjRAT
|
2024-09-30
|
|
Windows Administrative Shares Accessed On Multiple Hosts
|
Windows Event Log Security 5140, Windows Event Log Security 5145
|
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
MetaSploit
|
2024-09-30
|
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows Application Layer Protocol RMS Radmin Tool Namedpipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Application Layer Protocol
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows AppLocker Block Events
|
|
System Binary Proxy Execution
|
Anomaly
|
Windows AppLocker
|
2024-09-30
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-10-17
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
System Binary Proxy Execution
|
TTP
|
Windows AppLocker
|
2024-09-30
|
|
Windows AppLocker Rare Application Launch Detection
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-10-17
|
|
Windows Archive Collected Data via Powershell
|
Powershell Script Block Logging 4104
|
Archive Collected Data
|
Anomaly
|
CISA AA23-347A
|
2024-09-30
|
|
Windows Archive Collected Data via Rar
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Archive via Utility
Archive Collected Data
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Archived Collected Data In TEMP Folder
|
|
Archive Collected Data
|
TTP
|
Braodo Stealer
|
2024-09-24
|
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
DarkGate Malware, Handala Wiper
|
2024-09-30
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
LSASS Driver
|
TTP
|
Windows Registry Abuse
|
2024-09-30
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mavinject
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
Anomaly
|
Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer
|
2024-09-30
|
|
Windows BootLoader Inventory
|
|
System Firmware
Pre-OS Boot
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2024-10-17
|
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
Anomaly
|
Warzone RAT
|
2024-09-30
|
|
Windows CAB File on Disk
|
Sysmon EventID 11
|
Spearphishing Attachment
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Cached Domain Credentials Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Cached Domain Credentials
OS Credential Dumping
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Change Default File Association For No File Ext
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Change Default File Association
Event Triggered Execution
|
TTP
|
Prestige Ransomware
|
2024-09-30
|
|
Windows ClipBoard Data via Get-ClipBoard
|
Powershell Script Block Logging 4104
|
Clipboard Data
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Component Object Model Hijacking
Event Triggered Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-10-17
|
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Command and Scripting Interpreter
|
TTP
|
DarkCrystal RAT
|
2024-09-30
|
|
Windows Command Shell Fetch Env Variables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-09-30
|
|
Windows Computer Account Requesting Kerberos Ticket
|
Windows Event Log Security 4768
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-09-30
|
|
Windows Computer Account With SPN
|
Windows Event Log Security 4741
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-09-30
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
Run Virtual Instance
|
TTP
|
Spearphishing Attachments
|
2024-09-30
|
|
Windows Create Local Account
|
|
Local Account
Create Account
|
Anomaly
|
Active Directory Password Spraying, CISA AA24-241A
|
2024-09-30
|
|
Windows Credential Access From Browser Password Store
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Braodo Stealer, MoonPeak, Snake Keylogger
|
2024-09-30
|
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
LSASS Memory
|
TTP
|
Credential Dumping
|
2024-09-30
|
|
Windows Credentials from Password Stores Chrome Copied in TEMP Dir
|
|
Credentials from Web Browsers
Credentials from Password Stores
|
TTP
|
Braodo Stealer
|
2024-09-24
|
|
Windows Credentials from Password Stores Chrome Extension Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, MoonPeak, Phemedrone Stealer, RedLine Stealer
|
2024-09-30
|
|
Windows Credentials from Password Stores Chrome LocalState Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT
|
2024-09-30
|
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Amadey, Braodo Stealer, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT
|
2024-09-30
|
|
Windows Credentials from Password Stores Creation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows Credentials from Password Stores Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows Credentials from Password Stores Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials from Password Stores
|
Anomaly
|
DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Credentials from Web Browsers Saved in TEMP Folder
|
|
Credentials from Web Browsers
Credentials from Password Stores
|
TTP
|
Braodo Stealer
|
2024-09-24
|
|
Windows Credentials in Registry Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Credentials in Registry
Unsecured Credentials
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Forest Blizzard, IcedID, Ingress Tool Transfer
|
2024-09-30
|
|
Windows Curl Upload to Remote Destination
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Ingress Tool Transfer
|
2024-09-30
|
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23
|
Data Destruction
|
TTP
|
Data Destruction, Handala Wiper, Swift Slicer
|
2024-09-30
|
|
Windows Debugger Tool Execution
|
|
Masquerading
|
Hunting
|
DarkGate Malware, PlugX
|
2024-10-17
|
|
Windows Defacement Modify Transcodedwallpaper File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defacement
|
Anomaly
|
Brute Ratel C4
|
2024-09-30
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1122
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-09-30
|
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1129
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-09-30
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
Modify Registry
|
Hunting
|
Windows Attack Surface Reduction
|
2024-10-17
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
Modify Registry
|
TTP
|
Windows Attack Surface Reduction
|
2024-09-30
|
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007
|
Spearphishing Attachment
Spearphishing Link
Command and Scripting Interpreter
|
Hunting
|
Windows Attack Surface Reduction
|
2024-10-17
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Impair Defenses
Disable or Modify System Firewall
|
Anomaly
|
NjRAT, ShrinkLocker
|
2024-09-30
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-09-30
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Windows Disable Memory Crash Dump
|
Sysmon EventID 12, Sysmon EventID 13
|
Data Destruction
|
TTP
|
Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Windows Disable Notification Center
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Impair Defenses
Disable or Modify Tools
|
Anomaly
|
NjRAT
|
2024-09-30
|
|
Windows Disable or Stop Browser Process
|
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Braodo Stealer
|
2024-09-24
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-09-30
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
Impair Defenses
Server Software Component
IIS Components
|
TTP
|
CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows DiskCryptor Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Encrypted for Impact
|
Hunting
|
Ransomware
|
2024-10-17
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
CISA AA24-241A
|
2024-09-30
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2024-10-17
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DNS
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2024-09-30
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
Account Discovery
Domain Account
|
Anomaly
|
CISA AA23-347A
|
2024-09-30
|
|
Windows Domain Admin Impersonation Indicator
|
Windows Event Log Security 4627
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Gozi Malware
|
2024-09-30
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
System Binary Proxy Execution
InstallUtil
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-09-30
|
|
Windows Driver Inventory
|
|
Exploitation for Privilege Escalation
|
Hunting
|
Windows Drivers
|
2024-10-17
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
Rootkit
Exploitation for Privilege Escalation
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2024-10-17
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
Rootkit
Exploitation for Privilege Escalation
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2024-10-17
|
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
CISA AA24-241A, Malicious PowerShell
|
2024-09-30
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-09-30
|
|
Windows ESX Admins Group Creation Security Event
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-30
|
|
Windows ESX Admins Group Creation via Net
|
Sysmon EventID 1
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-30
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-30
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2024-10-17
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102
|
Indicator Removal
Clear Windows Event Logs
|
TTP
|
CISA AA22-264A, Clop Ransomware, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-09-30
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
Image File Execution Options Injection
|
Hunting
|
Windows Persistence Techniques
|
2024-10-17
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
Shared Modules
|
TTP
|
NjRAT
|
2024-09-30
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2024-09-30
|
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
Exfiltration Over C2 Channel
|
TTP
|
Winter Vivern
|
2024-09-30
|
|
Windows Exfiltration Over C2 Via Powershell UploadString
|
Powershell Script Block Logging 4104
|
Exfiltration Over C2 Channel
|
TTP
|
Winter Vivern
|
2024-09-30
|
|
Windows Export Certificate
|
Windows Event Log CertificateServicesClient 1007
|
Private Keys
Unsecured Credentials
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows File Share Discovery With Powerview
|
Powershell Script Block Logging 4104
|
Network Share Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
Application Layer Protocol
|
Anomaly
|
AgentTesla, Snake Keylogger
|
2024-09-30
|
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
Data Destruction
|
TTP
|
Data Destruction, Hermetic Wiper
|
2024-09-30
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Amadey
|
2024-09-30
|
|
Windows Find Domain Organizational Units with GetDomainOU
|
Powershell Script Block Logging 4104
|
Account Discovery
Domain Account
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Find Interesting ACL with FindInterestingDomainAcl
|
Powershell Script Block Logging 4104
|
Account Discovery
Domain Account
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Findstr GPP Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Unsecured Credentials
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Forest Discovery with GetForestDomain
|
Powershell Script Block Logging 4104
|
Account Discovery
Domain Account
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Gather Victim Host Information Camera
|
Powershell Script Block Logging 4104
|
Hardware
Gather Victim Host Information
|
Anomaly
|
DarkCrystal RAT
|
2024-09-30
|
|
Windows Gather Victim Identity SAM Info
|
Sysmon EventID 7
|
Credentials
Gather Victim Identity Information
|
Hunting
|
Brute Ratel C4
|
2024-10-17
|
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
IP Addresses
Gather Victim Network Information
|
Hunting
|
Azorult, DarkCrystal RAT, Handala Wiper, Phemedrone Stealer, Snake Keylogger
|
2024-10-17
|
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-30
|
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
Account Discovery
Domain Account
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain or Tenant Policy Modification
Group Policy Modification
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-30
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-09-30
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows High File Deletion Frequency
|
Sysmon EventID 23
|
Data Destruction
|
Anomaly
|
Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate
|
2024-09-30
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Anomaly
|
Brute Ratel C4
|
2024-09-30
|
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
OS Credential Dumping
|
Hunting
|
CISA AA23-347A, Credential Dumping
|
2024-10-17
|
|
Windows Identify PowerShell Web Access IIS Pool
|
Windows Event Log Security 4648
|
Exploit Public-Facing Application
|
Hunting
|
CISA AA24-241A
|
2024-10-17
|
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Living Off The Land
|
2024-10-17
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-09-30
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
IIS Components
Server Software Component
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities
|
2024-10-17
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-09-30
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-09-30
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Azorult
|
2024-10-17
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-10-17
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-30
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Information Discovery Fsutil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Ingress Tool Transfer Using Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
Anomaly
|
DarkCrystal RAT
|
2024-09-30
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
Phishing
Modify Registry
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2024-09-30
|
|
Windows Input Capture Using Credential UI Dll
|
Sysmon EventID 7
|
GUI Input Capture
Input Capture
|
Hunting
|
Brute Ratel C4
|
2024-10-17
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2024-09-30
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
System Binary Proxy Execution
InstallUtil
|
TTP
|
Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-09-30
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-09-30
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-09-30
|
|
Windows InstallUtil Uninstall Option with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-09-30
|
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-09-30
|
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
Spearphishing Attachment
Phishing
Malicious Link
User Execution
|
Hunting
|
AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2024-10-17
|
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-10-17
|
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
Steal or Forge Kerberos Tickets
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-09-30
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 1, Sysmon EventID 11
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
CISA AA23-347A
|
2024-09-30
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Local Privilege Escalation With KrbRelayUp
|
2024-09-30
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Lateral Tool Transfer RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Lateral Tool Transfer
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
Domain Groups
|
TTP
|
Volt Typhoon
|
2024-09-30
|
|
Windows Linked Policies In ADSI Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2024-09-30
|
|
Windows Local Administrator Credential Stuffing
|
Windows Event Log Security 4624, Windows Event Log Security 4625
|
Brute Force
Credential Stuffing
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Match Legitimate Name or Location
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
LSA Secrets
|
TTP
|
CISA AA23-347A
|
2024-09-30
|
|
Windows Mail Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
Mail Protocols
Application Layer Protocol
|
Anomaly
|
AgentTesla
|
2024-09-30
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
Mark-of-the-Web Bypass
|
TTP
|
Warzone RAT
|
2024-09-30
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
|
TTP
|
PlugX
|
2024-09-30
|
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
OS Credential Dumping
|
TTP
|
CISA AA22-320A, CISA AA23-347A, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon
|
2024-09-30
|
|
Windows Mimikatz Crypto Export File Extensions
|
Sysmon EventID 11
|
Steal or Forge Authentication Certificates
|
Anomaly
|
CISA AA23-347A, Sandworm Tools, Windows Certificate Services
|
2024-09-30
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-10-17
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ShrinkLocker
|
2024-09-30
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
LockBit Ransomware
|
2024-09-30
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
Modify Registry
|
TTP
|
CISA AA24-241A, ShrinkLocker
|
2024-09-30
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-09-30
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A
|
2024-09-30
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-09-30
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-09-30
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult, CISA AA23-347A
|
2024-09-30
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
BlackByte Ransomware
|
2024-09-30
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
BlackByte Ransomware
|
2024-09-30
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Warzone RAT
|
2024-09-30
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Rhysida Ransomware
|
2024-09-30
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-09-30
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-09-30
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows Modify Registry Reg Restore
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Query Registry
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Modify Registry Risk Behavior
|
|
Modify Registry
|
Correlation
|
Windows Registry Abuse
|
2024-09-30
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-09-30
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA24-241A, ShrinkLocker
|
2024-09-30
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-10-17
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ValleyRAT
|
2024-09-30
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-30
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-30
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
NjRAT
|
2024-09-30
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-10-17
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-10-17
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
TTP
|
NjRAT
|
2024-09-30
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
MOVEit Transfer Critical Vulnerability
|
2024-10-17
|
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-09-30
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Mshta
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2024-09-30
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
Mshta
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity
|
2024-09-30
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-09-30
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
System Binary Proxy Execution
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-09-30
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-09-30
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-09-30
|
|
Windows MSIExec With Network Connections
|
Sysmon EventID 1, Sysmon EventID 3
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-09-30
|
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
Mail Protocols
Application Layer Protocol
|
Anomaly
|
AgentTesla
|
2024-09-30
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-30
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-30
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-30
|
|
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Invalid Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple NTLM Null Domain Authentications
|
|
Brute Force
Password Spraying
|
TTP
|
Active Directory Password Spraying
|
2024-09-30
|
|
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Users Failed To Authenticate From Host Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Users Failed To Authenticate Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Multiple Users Remotely Failed To Authenticate From Host
|
Windows Event Log Security 4625
|
Password Spraying
Brute Force
|
TTP
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Network Share Interaction With Net
|
Sysmon EventID 1
|
Network Share Discovery
Data from Network Shared Drive
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2024-09-30
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
Outlook RCE CVE-2024-21378
|
2024-10-17
|
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
Proxy
Web Service
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2024-09-30
|
|
Windows NirSoft AdvancedRun
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
TTP
|
Data Destruction, Ransomware, Unusual Processes, WhisperGate
|
2024-09-30
|
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Tool
|
Hunting
|
Data Destruction, WhisperGate
|
2024-10-17
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Fileless Storage
Obfuscated Files or Information
|
TTP
|
NjRAT
|
2024-09-30
|
|
Windows Non Discord App Access Discord LevelDB
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
Snake Keylogger
|
2024-09-30
|
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2024-09-30
|
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
Hunting
|
Living Off The Land
|
2024-10-17
|
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows Office Product Spawning MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments
|
2024-09-30
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Suspicious Windows Registry Activities
|
2024-09-30
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-09-30
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Parent PID Spoofing
Access Token Manipulation
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Password Managers Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Password Managers
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 11
|
Phishing
|
TTP
|
Outlook RCE CVE-2024-21378
|
2024-09-30
|
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Phishing
|
Anomaly
|
Snake Keylogger, Spearphishing Attachments
|
2024-09-30
|
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Spearphishing Attachment
Phishing
|
Hunting
|
AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT
|
2024-10-17
|
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
LSASS Memory
OS Credential Dumping
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack
|
2024-09-30
|
|
Windows Post Exploitation Risk Behavior
|
|
Query Registry
System Network Connections Discovery
Permission Groups Discovery
System Network Configuration Discovery
OS Credential Dumping
System Information Discovery
Clipboard Data
Unsecured Credentials
|
Correlation
|
Windows Post-Exploitation
|
2024-09-30
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-09-30
|
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
AsyncRAT
|
2024-09-30
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
Impair Defenses
Disable Windows Event Logging
Server Software Component
IIS Components
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows PowerShell Export Certificate
|
Powershell Script Block Logging 4104
|
Private Keys
Unsecured Credentials
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
Private Keys
Unsecured Credentials
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
Server Software Component
IIS Components
|
Anomaly
|
IIS Components
|
2024-09-30
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Amadey
|
2024-09-30
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Scheduled Tasks
|
2024-09-30
|
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Windows PowerSploit GPP Discovery
|
Powershell Script Block Logging 4104
|
Unsecured Credentials
Group Policy Preferences
|
TTP
|
Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-09-30
|
|
Windows PowerView Constrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2024-09-30
|
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
Steal or Forge Kerberos Tickets
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2024-09-30
|
|
Windows PowerView SPN Discovery
|
Powershell Script Block Logging 4104
|
Steal or Forge Kerberos Tickets
Kerberoasting
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2024-09-30
|
|
Windows PowerView Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
Remote System Discovery
|
TTP
|
Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware
|
2024-09-30
|
|
Windows Private Keys Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Private Keys
Unsecured Credentials
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-09-30
|
|
Windows Privilege Escalation System Process Without System Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-09-30
|
|
Windows Privilege Escalation User Process Spawn System Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-09-30
|
|
Windows Privileged Group Modification
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-09-30
|
|
Windows Process Commandline Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Discovery
|
Hunting
|
CISA AA23-347A
|
2024-10-17
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
Process Injection
Portable Executable Injection
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework
|
2024-09-30
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
Dynamic-link Library Injection
Process Injection
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
Process Injection
Portable Executable Injection
|
TTP
|
Graceful Wipe Out Attack, Qakbot, Warzone RAT
|
2024-09-30
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-09-30
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
Process Injection
Portable Executable Injection
|
Hunting
|
Brute Ratel C4
|
2024-10-17
|
|
Windows Process With NamedPipe CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Process Writing File to World Writable Path
|
|
Mshta
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-10-17
|
|
Windows Processes Killed By Industroyer2 Malware
|
Sysmon EventID 5
|
Service Stop
|
Anomaly
|
Data Destruction, Industroyer2
|
2024-09-30
|
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Protocol Tunneling
SSH
|
TTP
|
CISA AA22-257A
|
2024-09-30
|
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Internal Proxy
Proxy
|
Anomaly
|
Volt Typhoon
|
2024-09-30
|
|
Windows Proxy Via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Internal Proxy
Proxy
|
Anomaly
|
Volt Typhoon
|
2024-09-30
|
|
Windows Query Registry Browser List Application
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Query Registry Reg Save
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Query Registry
|
Hunting
|
CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
Query Registry
|
Anomaly
|
RedLine Stealer
|
2024-09-30
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Ransomware
|
2024-09-30
|
|
Windows Rapid Authentication On Multiple Hosts
|
Windows Event Log Security 4624
|
Security Account Manager
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Dynamic-link Library Injection
System Binary Proxy Execution
Process Injection
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Raw Access To Disk Volume Partition
|
Sysmon EventID 9
|
Disk Structure Wipe
Disk Wipe
|
Anomaly
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT
|
2024-09-30
|
|
Windows Raw Access To Master Boot Record Drive
|
Sysmon EventID 9
|
Disk Structure Wipe
Disk Wipe
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate
|
2024-09-30
|
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
RDP Hijacking
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware
|
2024-10-17
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Pre-OS Boot
Registry Run Keys / Startup Folder
|
TTP
|
Windows BootKits
|
2024-09-30
|
|
Windows Registry Certificate Added
|
Sysmon EventID 12, Sysmon EventID 13
|
Install Root Certificate
Subvert Trust Controls
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2024-09-30
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2024-09-30
|
|
Windows Registry Payload Injection
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Obfuscated Files or Information
Fileless Storage
|
TTP
|
Unusual Processes
|
2024-09-30
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
SIP and Trust Provider Hijacking
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-09-30
|
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
System Binary Proxy Execution
|
TTP
|
Qakbot
|
2024-09-30
|
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
Remote Access Software
OS Credential Dumping
|
Anomaly
|
Brute Ratel C4
|
2024-09-30
|
|
Windows Remote Access Software Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Access Software
|
Hunting
|
Command And Control, Insider Threat, Ransomware
|
2024-10-17
|
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Access Software
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Unusual Processes
|
2024-09-30
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
Anomaly
|
Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-30
|
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
Anomaly
|
Azorult
|
2024-09-30
|
|
Windows Remote Services Rdp Enable
|
Sysmon EventID 12, Sysmon EventID 13
|
Remote Desktop Protocol
Remote Services
|
TTP
|
Azorult, BlackSuit Ransomware
|
2024-09-30
|
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
Replication Through Removable Media
|
TTP
|
Chaos Ransomware, NjRAT, PlugX
|
2024-09-30
|
|
Windows Root Domain linked policies Discovery
|
Powershell Script Block Logging 4104
|
Domain Account
Account Discovery
|
Anomaly
|
Active Directory Discovery, Data Destruction, Industroyer2
|
2024-09-30
|
|
Windows Rundll32 Apply User Settings Changes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Rhysida Ransomware
|
2024-09-30
|
|
Windows Rundll32 WebDAV Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-09-30
|
|
Windows Rundll32 WebDav With Network Connection
|
|
Exfiltration Over Unencrypted Non-C2 Protocol
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-10-17
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2024-09-30
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-09-30
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks
|
2024-09-30
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-09-30
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
|
Windows Screen Capture in TEMP folder
|
|
Screen Capture
|
TTP
|
Braodo Stealer
|
2024-09-24
|
|
Windows Screen Capture Via Powershell
|
Powershell Script Block Logging 4104
|
Screen Capture
|
TTP
|
Winter Vivern
|
2024-09-30
|
|
Windows Security Account Manager Stopped
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
Ryuk Ransomware
|
2024-09-30
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Support Provider
Boot or Logon Autostart Execution
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2024-09-30
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Server Software Component
IIS Components
|
TTP
|
IIS Components
|
2024-09-30
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
Create or Modify System Process
Exploitation for Privilege Escalation
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2024-09-30
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
Windows Service
Create or Modify System Process
|
Anomaly
|
Active Directory Discovery
|
2024-09-30
|
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-09-30
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
RDP Hijacking
Remote Service Session Hijacking
Windows Service
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2024-09-30
|
|
Windows Service Created Within Public Path
|
Windows Event Log System 7045
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, Snake Malware
|
2024-09-30
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-09-30
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Services Registry Permissions Weakness
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
|
Windows Service Deletion In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Service Stop
|
Anomaly
|
Brute Ratel C4, PlugX
|
2024-09-30
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-09-30
|
|
Windows Service Stop By Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
Azorult, Graceful Wipe Out Attack
|
2024-09-30
|
|
Windows Service Stop Via Net and SC Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
Anomaly
|
Graceful Wipe Out Attack, Prestige Ransomware
|
2024-09-30
|
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
Service Stop
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-09-30
|
|
Windows SIP Provider Inventory
|
|
SIP and Trust Provider Hijacking
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-10-17
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
SIP and Trust Provider Hijacking
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-09-30
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Snake Malware
|
2024-09-30
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
Kernel Modules and Extensions
|
TTP
|
Snake Malware
|
2024-09-30
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Snake Malware
|
2024-09-30
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Snake Malware
|
2024-09-30
|
|
Windows SOAPHound Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Groups
Domain Trust Discovery
Local Account
Account Discovery
Domain Groups
Permission Groups Discovery
|
TTP
|
Windows Discovery Techniques
|
2024-09-30
|
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
Spearphishing Attachment
Phishing
|
Hunting
|
AsyncRAT, Spearphishing Attachments
|
2024-10-17
|
|
Windows Spearphishing Attachment Onenote Spawn Mshta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Spearphishing Attachment
Phishing
|
TTP
|
AsyncRAT, Spearphishing Attachments
|
2024-09-30
|
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
Account Discovery
SMB/Windows Admin Shares
Network Share Discovery
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-30
|
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
Flax Typhoon
|
2024-10-17
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-09-30
|
|
Windows Steal Authentication Certificates - ESC1 Abuse
|
Windows Event Log Security 4886, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
TTP
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates Certificate Issued
|
Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates CertUtil Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates CS Backup
|
Windows Event Log Security 4876
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates Export Certificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal Authentication Certificates Export PfxCertificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Authentication Certificates
|
Anomaly
|
Windows Certificate Services
|
2024-09-30
|
|
Windows Steal or Forge Kerberos Tickets Klist
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Steal or Forge Kerberos Tickets
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
Account Discovery
Domain Account
User Execution
Malicious File
|
Anomaly
|
Active Directory Discovery
|
2024-09-30
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-09-30
|
|
Windows System Discovery Using ldap Nslookup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows System Discovery Using Qwinsta
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Qakbot
|
2024-10-17
|
|
Windows System File on Disk
|
Sysmon EventID 11
|
Exploitation for Privilege Escalation
|
Hunting
|
CISA AA22-264A, Windows Drivers
|
2024-10-17
|
|
Windows System LogOff Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, NjRAT
|
2024-09-30
|
|
Windows System Network Config Discovery Display DNS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Configuration Discovery
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows System Network Connections Discovery Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Network Connections Discovery
|
Anomaly
|
Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation
|
2024-09-30
|
|
Windows System Reboot CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT
|
2024-09-30
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Script Proxy Execution
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-09-30
|
|
Windows System Shutdown CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Shutdown/Reboot
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools
|
2024-09-30
|
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Time Discovery
|
Anomaly
|
DarkCrystal RAT
|
2024-09-30
|
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-10-17
|
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
CISA AA23-347A
|
2024-10-17
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-09-30
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
Time Based Evasion
|
TTP
|
NjRAT
|
2024-09-30
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Time Based Evasion
Virtualization/Sandbox Evasion
|
Anomaly
|
Snake Keylogger
|
2024-09-30
|
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
Bypass User Account Control
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
Bypass User Account Control
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-09-30
|
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
Unsecured Credentials
|
Anomaly
|
Snake Keylogger
|
2024-09-30
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
NjRAT, Warzone RAT
|
2024-09-30
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
DarkGate Malware, PlugX
|
2024-09-30
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
Boot or Logon Autostart Execution
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-09-30
|
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Users Failed To Auth Using Kerberos
|
Windows Event Log Security 4771
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Users Failed To Authenticate Using NTLM
|
Windows Event Log Security 4776
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual Count Of Users Remotely Failed To Auth From Host
|
Windows Event Log Security 4625
|
Password Spraying
Brute Force
|
Anomaly
|
Active Directory Password Spraying, Volt Typhoon
|
2024-09-30
|
|
Windows Unusual NTLM Authentication Destinations By Source
|
|
Brute Force
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Windows Unusual NTLM Authentication Destinations By User
|
|
Brute Force
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Windows Unusual NTLM Authentication Users By Destination
|
|
Brute Force
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Windows Unusual NTLM Authentication Users By Source
|
|
Brute Force
Password Spraying
|
Anomaly
|
Active Directory Password Spraying
|
2024-09-30
|
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
Malicious File
User Execution
|
TTP
|
Chaos Ransomware, NjRAT, Snake Keylogger
|
2024-09-30
|
|
Windows Valid Account With Never Expires Password
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Stop
|
TTP
|
Azorult
|
2024-09-30
|
|
Windows Vulnerable 3CX Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compromise Software Supply Chain
|
TTP
|
3CX Supply Chain Attack
|
2024-09-30
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Windows Drivers
|
2024-09-30
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
Hunting
|
BlackByte Ransomware, Windows Drivers
|
2024-10-17
|
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
DarkGate Malware
|
2024-09-30
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
Bootkit
|
Hunting
|
BlackLotus Campaign
|
2024-10-17
|
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
Windows Management Instrumentation
|
Anomaly
|
Qakbot
|
2024-09-30
|
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-09-30
|
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon
|
2024-10-17
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2024-10-24
|
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Remcos
|
2024-09-30
|
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Ingress Tool Transfer
|
TTP
|
WinRAR Spoofing Attack CVE-2023-38831
|
2024-09-30
|
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Unusual Processes
|
2024-10-17
|
|
Winword Spawning Cmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-09-30
|
|
Winword Spawning PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-09-30
|
|
Winword Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Phishing
Spearphishing Attachment
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments
|
2024-09-30
|
|
WMI Permanent Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-10-17
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
Windows Management Instrumentation Event Subscription
Event Triggered Execution
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
|
Anomaly
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
|
WMI Temporary Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-10-17
|
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Permission Groups Discovery
Local Groups
|
Hunting
|
Active Directory Discovery
|
2024-10-17
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Azorult, IcedID
|
2024-10-17
|
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
|
Wmiprsve LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
Create or Modify System Process
Parent PID Spoofing
Access Token Manipulation
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2024-09-30
|
|
Wsmprovhost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Windows Remote Management
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A
|
2024-09-30
|
|
WSReset UAC Bypass
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
Windows Service
Create or Modify System Process
|
TTP
|
CISA AA22-320A, XMRig
|
2024-09-30
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
FIN7, Suspicious WMI Use
|
2024-09-30
|