Windows Detections

Name Data Source Technique Type Analytic Story Date
Detect Password Spray Attempts Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Compromised User Account 2024-10-17
Email files written outside of the Outlook directory Sysmon EventID 11 Email Collection Local Email Collection TTP Collection and Staging 2024-10-17
No Windows Updates in a time frame N/A Hunting Monitor for Updates 2024-10-17
Splunk Enterprise Windows Deserialization File Partition Splunk Exploit Public-Facing Application TTP Splunk Vulnerabilities 2024-10-16
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Web Servers Executing Suspicious Processes Sysmon EventID 1 System Information Discovery TTP Apache Struts Vulnerability 2024-10-17
Windows AD add Self to Group Account Manipulation TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Deny ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Group ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous User ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DCShadow Privileges ACL Addition Domain or Tenant Policy Modification Rogue Domain Controller Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Deletion Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Deleted Disable or Modify Tools Group Policy Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Disabled Disable or Modify Tools Group Policy Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO New CSE Addition Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Hidden OU Creation Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Object Owner Updated Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Privileged Group Modification Account Manipulation TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Self DACL Assignment Domain or Tenant Policy Modification Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious Attribute Modification Use Alternate Authentication Material File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious GPO Modification Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows Increase in Group or Object Modification Activity Windows Event Log Security 4663 Account Manipulation Impair Defenses TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in User Modification Activity Windows Event Log Security 4720 Account Manipulation Impair Defenses TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Azure AD Successful PowerShell Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Detect Activity Related to Pass the Hash Attacks Windows Event Log Security 4624 Use Alternate Authentication Material Pass the Hash Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Detect Mimikatz Using Loaded Images Sysmon EventID 7 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools 2024-10-17
Detect Mimikatz Via PowerShell And EventCode 4703 LSASS Memory TTP Cloud Federated Credential Abuse 2024-10-17
Dump LSASS via procdump Rename Sysmon EventID 1 LSASS Memory Hunting CISA AA22-257A, Credential Dumping, HAFNIUM Group 2024-10-17
Execution of File With Spaces Before Extension Sysmon EventID 1 Rename System Utilities TTP Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-10-17
First time seen command line argument Sysmon EventID 1 PowerShell Windows Command Shell Hunting DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions 2024-10-17
Processes created by netsh Sysmon EventID 1 Disable or Modify System Firewall TTP Netsh Abuse 2024-10-17
Prohibited Software On Endpoint Sysmon EventID 1 N/A Hunting Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware 2024-10-17
Reg exe used to hide files directories via registry keys Sysmon EventID 1 Hidden Files and Directories TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Remote Registry Key modifications Sysmon EventID 13 N/A TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Scheduled tasks used in BadRabbit ransomware Sysmon EventID 1 Scheduled Task TTP Ransomware 2024-10-17
Suspicious Changes to File Associations Sysmon EventID 1 Change Default File Association TTP Suspicious Windows Registry Activities, Windows File Extension and Association Abuse 2024-10-17
Suspicious File Write Sysmon EventID 11 N/A Hunting Hidden Cobra Malware 2024-10-17
Suspicious Powershell Command-Line Arguments Sysmon EventID 1 PowerShell TTP CISA AA22-320A, Hermetic Wiper, Malicious PowerShell 2024-10-17
Suspicious Rundll32 Rename Sysmon EventID 1 System Binary Proxy Execution Masquerading Rundll32 Rename System Utilities Hunting Masquerading - Rename System Utilities, Suspicious Rundll32 Activity 2024-10-17
Suspicious writes to System Volume Information Sysmon EventID 1 Masquerading Hunting Collection and Staging 2024-10-17
Uncommon Processes On Endpoint Sysmon EventID 1 Malicious File Hunting Hermetic Wiper, Unusual Processes, Windows Privilege Escalation 2024-10-17
Unsigned Image Loaded by LSASS Sysmon EventID 7 LSASS Memory TTP Credential Dumping 2024-10-17
Windows connhost exe started forcefully Sysmon EventID 1 Windows Command Shell TTP Ryuk Ransomware 2024-10-17
Windows DLL Search Order Hijacking Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Search Order Hijacking Hijack Execution Flow Hunting Living Off The Land, Windows Defense Evasion Tactics 2024-10-17
Windows hosts file modification Sysmon EventID 11 N/A TTP Host Redirection 2024-10-17
3CX Supply Chain Attack Network Indicators Sysmon EventID 22 Compromise Software Supply Chain TTP 3CX Supply Chain Attack 2024-10-17
7zip CommandLine To SMB Share Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting Ransomware 2024-11-26
Access LSASS Memory for Dump Creation Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA23-347A, Credential Dumping 2024-09-30
Account Discovery With Net App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP IcedID, Trickbot 2024-09-30
Active Setup Registry Autostart Sysmon EventID 12, Sysmon EventID 13 Active Setup Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-11-14
Add DefaultUser And Password In Registry Sysmon EventID 13 Credentials in Registry Unsecured Credentials Anomaly BlackMatter Ransomware 2024-11-14
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP AgentTesla, CISA AA22-320A, Compromised Windows Host, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics 2024-11-28
AdsiSearcher Account Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 2024-09-30
Allow File And Printing Sharing In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Cloud Firewall Impair Defenses TTP BlackByte Ransomware, Ransomware 2024-09-30
Allow Inbound Traffic By Firewall Rule Registry Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services TTP Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Allow Inbound Traffic In Firewall Rule Powershell Script Block Logging 4104 Remote Desktop Protocol Remote Services TTP Prohibited Traffic Allowed or Protocol Mismatch 2024-09-30
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Cloud Firewall Impair Defenses TTP BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware 2024-09-30
Allow Operation with Consent Admin Sysmon EventID 12, Sysmon EventID 13 Abuse Elevation Control Mechanism TTP Azorult, MoonPeak, Ransomware, Windows Registry Abuse 2024-11-14
Anomalous usage of 7zip CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Anomaly BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group 2024-09-30
Any Powershell DownloadFile CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell Ingress Tool Transfer TTP Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer 2024-09-30
Any Powershell DownloadString CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell Ingress Tool Transfer TTP Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern 2024-09-30
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Match Legitimate Name or Location Masquerading OS Credential Dumping Active Scanning TTP CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-11-28
Attempt To Add Certificate To Untrusted Store CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Install Root Certificate Subvert Trust Controls TTP Disabling Security Tools 2024-09-30
Attempt To Stop Security Service CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate 2024-09-30
Attempted Credential Dump From Registry via Reg exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP CISA AA23-347A, Compromised Windows Host, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse 2024-11-28
Auto Admin Logon Registry Entry Sysmon EventID 12, Sysmon EventID 13 Credentials in Registry Unsecured Credentials TTP BlackMatter Ransomware, Windows Registry Abuse 2024-11-14
Batch File Write to System32 Sysmon EventID 1, Sysmon EventID 11 User Execution Malicious File TTP Compromised Windows Host, SamSam Ransomware 2024-11-28
Bcdedit Command Back To Normal Mode Boot CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP BlackMatter Ransomware 2024-09-30
BCDEdit Failure Recovery Modification CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP Compromised Windows Host, Ransomware, Ryuk Ransomware 2024-11-28
BITS Job Persistence CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs TTP BITS Jobs, Living Off The Land 2024-09-30
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs Ingress Tool Transfer TTP BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land 2024-09-30
CertUtil Download With URLCache and Split Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell 2024-11-28
CertUtil Download With VerifyCtl and Split Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land 2024-11-28
Certutil exe certificate extraction CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 N/A TTP Cloud Federated Credential Abuse, Compromised Windows Host, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques 2024-11-28
CertUtil With Decode Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Deobfuscate/Decode Files or Information TTP APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land 2024-09-30
Change Default File Association Sysmon EventID 12, Sysmon EventID 13 Change Default File Association Event Triggered Execution TTP Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Change To Safe Mode With Network Config CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP BlackMatter Ransomware 2024-09-30
CHCP Command Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP Azorult, Forest Blizzard, IcedID 2024-09-30
Check Elevated CMD using whoami CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery TTP FIN7 2024-09-30
Child Processes of Spoolsv exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation TTP Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File Deletion Indicator Removal TTP Compromised Windows Host, Ransomware 2024-11-28
Clop Common Exec Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 User Execution TTP Clop Ransomware, Compromised Windows Host 2024-11-28
Clop Ransomware Known Service Name Windows Event Log System 7045 Create or Modify System Process TTP Clop Ransomware, Compromised Windows Host 2024-11-28
CMD Carry Out String Command Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Command Shell Command and Scripting Interpreter Hunting AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern 2024-10-17
CMD Echo Pipe - Escalation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Windows Command Shell Windows Service Create or Modify System Process TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Cmdline Tool Not Executed In CMD Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter JavaScript TTP CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon 2024-09-30
CMLUA Or CMSTPLUA UAC Bypass Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT 2024-09-30
Cobalt Strike Named Pipes Sysmon EventID 17, Sysmon EventID 18 Process Injection TTP BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot 2024-09-30
Common Ransomware Extensions Sysmon EventID 11 Data Destruction Hunting Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Common Ransomware Notes Sysmon EventID 11 Data Destruction Hunting Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
ConnectWise ScreenConnect Path Traversal Sysmon EventID 11 Exploit Public-Facing Application TTP ConnectWise ScreenConnect Vulnerabilities 2024-09-30
ConnectWise ScreenConnect Path Traversal Windows SACL Windows Event Log Security 4663 Exploit Public-Facing Application TTP Compromised Windows Host, ConnectWise ScreenConnect Vulnerabilities 2024-11-28
Conti Common Exec parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 User Execution TTP Compromised Windows Host, Ransomware 2024-11-28
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Control Panel TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 2024-11-28
Create local admin accounts using net exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Local Account Create Account TTP Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware 2024-11-26
Create or delete windows shares using net exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Network Share Connection Removal TTP CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Create Remote Thread In Shell Application Sysmon EventID 8 Process Injection TTP IcedID, Qakbot, Warzone RAT 2024-11-26
Create Remote Thread into LSASS Sysmon EventID 8 LSASS Memory OS Credential Dumping TTP BlackSuit Ransomware, Credential Dumping 2024-09-30
Creation of lsass Dump with Taskmgr Sysmon EventID 11 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, Credential Dumping 2024-09-30
Creation of Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Volt Typhoon 2024-11-28
Creation of Shadow Copy with wmic and powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Living Off The Land, Volt Typhoon 2024-11-28
Credential Dumping via Copy Command from Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping 2024-11-28
Credential Dumping via Symlink to Shadow Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping 2024-11-28
CSC Net On The Fly Compilation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compile After Delivery Obfuscated Files or Information Hunting Windows Defense Evasion Tactics 2024-10-17
Curl Download and Bash Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 2024-11-28
Delete ShadowCopy With PowerShell Powershell Script Block Logging 4104 Inhibit System Recovery TTP DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware 2024-09-30
Deleting Of Net Users CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Access Removal TTP DarkGate Malware, Graceful Wipe Out Attack, XMRig 2024-09-30
Deleting Shadow Copies CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP CISA AA22-264A, Chaos Ransomware, Clop Ransomware, Compromised Windows Host, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation 2024-11-28
Detect AzureHound Command-Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Detect AzureHound File Modifications Sysmon EventID 11 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Windows Discovery Techniques 2024-09-30
Detect Certify Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Ingress Tool Transfer TTP Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services 2024-11-28
Detect Certify With PowerShell Script Block Logging Powershell Script Block Logging 4104 Steal or Forge Authentication Certificates Command and Scripting Interpreter PowerShell TTP Malicious PowerShell, Windows Certificate Services 2024-09-30
Detect Certipy File Modifications Sysmon EventID 1, Sysmon EventID 11 Steal or Forge Authentication Certificates Archive Collected Data TTP Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services 2024-09-30
Detect Computer Changed with Anonymous Account Windows Event Log Security 4624, Windows Event Log Security 4742 Exploitation of Remote Services Hunting Detect Zerologon Attack 2024-10-17
Detect Copy of ShadowCopy with Script Block Logging Powershell Script Block Logging 4104 Security Account Manager OS Credential Dumping TTP Credential Dumping 2024-09-30
Detect Credential Dumping through LSASS access Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack 2024-09-30
Detect Critical Alerts from Security Tools MS365 Defender Incident Alerts, Windows Defender Alerts N/A TTP Critical Alerts 2024-10-09
Detect Empire with PowerShell Script Block Logging Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Detect Exchange Web Shell Sysmon EventID 1, Sysmon EventID 11 Server Software Component Web Shell Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell 2024-11-28
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File Hunting Living Off The Land, Suspicious Compiled HTML Activity 2024-10-17
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect Mimikatz With PowerShell Script Block Logging Powershell Script Block Logging 4104 OS Credential Dumping PowerShell TTP CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools 2024-09-30
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity 2024-11-28
Detect mshta renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta Hunting Living Off The Land, Suspicious MSHTA Activity 2024-10-17
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-11-28
Detect New Local Admin account Windows Event Log Security 4720, Windows Event Log Security 4732 Local Account Create Account TTP CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group 2024-09-30
Detect Outlook exe writing a zip file Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Attachment TTP Amadey, Meduza Stealer, PXA Stealer, Remcos, Spearphishing Attachments 2024-11-28
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Path Interception by Unquoted Path Hijack Execution Flow TTP Windows Persistence Techniques 2024-09-30
Detect processes used for System Network Configuration Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery TTP Unusual Processes 2024-09-30
Detect Prohibited Applications Spawning cmd exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Windows Command Shell Hunting NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes 2024-10-17
Detect PsExec With accepteula Flag CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares TTP Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon 2024-09-30
Detect Rare Executables CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 User Execution Anomaly Rhysida Ransomware, Unusual Processes 2024-09-30
Detect RClone Command-Line Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Automated Exfiltration TTP DarkSide Ransomware, Ransomware 2024-09-30
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regasm with Network Connection Sysmon EventID 3 System Binary Proxy Execution Regsvcs/Regasm TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regasm with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvcs with Network Connection Sysmon EventID 3 System Binary Proxy Execution Regsvcs/Regasm TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs with No Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity 2024-11-28
Detect Remote Access Software Usage File Sysmon EventID 11 Remote Access Software Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect Remote Access Software Usage FileInfo CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Access Software Anomaly Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect Remote Access Software Usage Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Access Software Anomaly CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware 2024-09-30
Detect Renamed 7-Zip CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting Collection and Staging 2024-10-17
Detect Renamed PSExec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Services Service Execution Hunting Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools 2024-10-17
Detect Renamed RClone CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Automated Exfiltration Hunting DarkSide Ransomware, Ransomware 2024-10-17
Detect Renamed WinRAR CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting CISA AA22-277A, Collection and Staging 2024-10-17
Detect RTLO In File Name Sysmon EventID 11 Right-to-Left Override Masquerading TTP Spearphishing Attachments 2024-09-30
Detect RTLO In Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Right-to-Left Override Masquerading TTP Spearphishing Attachments 2024-09-30
Detect Rundll32 Application Control Bypass - advpack CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - setupapi CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - syssetup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Inline HTA Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity 2024-09-30
Detect SharpHound Command-Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound File Modifications Sysmon EventID 11 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP BlackSuit Ransomware, Ransomware, Windows Discovery Techniques 2024-09-30
Detect SharpHound Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Ransomware, Windows Discovery Techniques 2024-09-30
Detect suspicious processnames using pretrained model in DSDL Sysmon EventID 1 Command and Scripting Interpreter Anomaly Suspicious Command-Line Executions 2024-10-17
Detect Use of cmd exe to Launch Script Interpreters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Windows Command Shell TTP Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions 2024-09-30
Detect Webshell Exploit Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component Web Shell TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities 2024-11-28
Detect WMI Event Subscription Persistence Sysmon EventID 20 Windows Management Instrumentation Event Subscription Event Triggered Execution TTP Suspicious WMI Use 2024-09-30
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Software Deployment Tools TTP Emotet Malware DHS Report TA18-201A 2024-10-17
Disable AMSI Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Defender AntiVirus Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender BlockAtFirstSeen Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Enhanced Notification Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender MpEngine Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP IcedID, Windows Registry Abuse 2024-10-04
Disable Defender Spynet Reporting Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse 2024-11-14
Disable Defender Submit Samples Consent Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable ETW Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Clear Windows Event Logs TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-11-26
Disable Registry Tool Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Schedule Task CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP IcedID, Living Off The Land 2024-09-30
Disable Security Logs Using MiniNt Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Show Hidden Files Sysmon EventID 12, Sysmon EventID 13 Hidden Files and Directories Disable or Modify Tools Hide Artifacts Impair Defenses Modify Registry Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable UAC Remote Restriction Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows App Hotkeys Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Registry Abuse, XMRig 2024-11-14
Disable Windows Behavior Monitoring Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows SmartScreen Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Disabled Kerberos Pre-Authentication Discovery With PowerView Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks 2024-09-30
Disabling CMD Application Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling ControlPanel Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Defender Services Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP IcedID, RedLine Stealer, Windows Registry Abuse 2024-11-14
Disabling Firewall with Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2024-09-30
Disabling FolderOptions Windows Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Net User Account CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Access Removal TTP XMRig 2024-09-30
Disabling NoRun Windows App Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Remote User Account Control Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disabling SystemRestore In Registry Sysmon EventID 12, Sysmon EventID 13 Inhibit System Recovery TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Task Manager Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Windows Local Security Authority Defences via Registry Sysmon EventID 1, Sysmon EventID 13 Modify Authentication Process TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-10-17
DNS Exfiltration Using Nslookup App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Alternative Protocol TTP Command And Control, Compromised Windows Host, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-11-28
Domain Account Discovery with Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery Hunting Active Directory Discovery 2024-10-17
Domain Account Discovery With Net App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware 2024-09-30
Domain Account Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
Domain Controller Discovery with Nltest CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware 2024-11-26
Domain Controller Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery with Adsisearcher Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
Domain Group Discovery With Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
Domain Group Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation 2024-11-26
Domain Group Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-11-26
Download Files Using Telegram Sysmon EventID 15 Ingress Tool Transfer TTP Phemedrone Stealer, Snake Keylogger, XMRig 2024-09-30
Drop IcedID License dat Sysmon EventID 11 User Execution Malicious File Hunting IcedID 2024-10-17
DSQuery Domain Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery 2024-11-28
Dump LSASS via comsvcs DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, Compromised Windows Host, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon 2024-11-28
Dump LSASS via procdump CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, Compromised Windows Host, Credential Dumping, HAFNIUM Group 2024-11-28
Elevated Group Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon 2024-11-26
Elevated Group Discovery with PowerView Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
Elevated Group Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
Enable RDP In Other Port Number Sysmon EventID 12, Sysmon EventID 13 Remote Services TTP Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Enable WDigest UseLogonCredential Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry OS Credential Dumping TTP CISA AA22-320A, Credential Dumping, Windows Registry Abuse 2024-11-14
Enumerate Users Local Group Using Telegram Windows Event Log Security 4798 Account Discovery TTP Compromised Windows Host, XMRig 2024-11-28
Esentutl SAM Copy CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping Hunting Credential Dumping, Living Off The Land 2024-10-17
ETW Registry Disabled Sysmon EventID 12, Sysmon EventID 13 Indicator Blocking Trusted Developer Utilities Proxy Execution Impair Defenses TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Eventvwr UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Excel Spawning PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Excel Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Excessive Attempt To Disable Services CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop Anomaly Azorult, XMRig 2024-09-30
Excessive distinct processes from Windows Temp CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Anomaly Meterpreter 2024-09-30
Excessive File Deletion In WinDefender Folder Sysmon EventID 23 Data Destruction TTP BlackByte Ransomware, Data Destruction, WhisperGate 2024-09-30
Excessive number of service control start as disabled CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly Windows Defense Evasion Tactics 2024-09-30
Excessive number of taskhost processes CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Anomaly Meterpreter 2024-09-30
Excessive Service Stop Attempt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop Anomaly BlackByte Ransomware, Ransomware, XMRig 2024-09-30
Excessive Usage Of Cacls App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Anomaly Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig 2024-09-30
Excessive Usage Of Net App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Access Removal Anomaly Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig 2024-09-30
Excessive Usage of NSLOOKUP App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Alternative Protocol Anomaly Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic 2024-09-30
Excessive Usage Of SC Service Utility CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Services Service Execution Anomaly Azorult, Ransomware 2024-09-30
Excessive Usage Of Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig 2024-09-30
Exchange PowerShell Abuse via SSRF Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-10-17
Exchange PowerShell Module Usage Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell 2024-09-30
Executable File Written in Administrative SMB Share Windows Event Log Security 5145 Remote Services SMB/Windows Admin Shares TTP Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot 2024-11-28
Executables Or Script Creation In Suspicious Path Sysmon EventID 11 Masquerading Anomaly AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
Execute Javascript With Jscript COM CLSID CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Visual Basic TTP Ransomware 2024-09-30
Execution of File with Multiple Extensions CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities TTP AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-09-30
Extraction of Registry Hives CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Account Manager OS Credential Dumping TTP CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon 2024-09-30
File with Samsam Extension CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 N/A TTP SamSam Ransomware 2024-09-30
Firewall Allowed Program Enable CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses Anomaly Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics 2024-09-30
First Time Seen Child Process of Zoom CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Anomaly Suspicious Zoom Child Processes 2024-10-17
First Time Seen Running Windows Service Windows Event Log System 7036 System Services Service Execution Anomaly NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse 2024-10-17
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics 2024-11-28
Fsutil Zeroing File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP LockBit Ransomware, Ransomware 2024-09-30
Get ADDefaultDomainPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery Hunting Active Directory Discovery 2024-10-17
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery Hunting Active Directory Discovery 2024-10-17
Get ADUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUser with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery Hunting Active Directory Discovery, CISA AA23-347A 2024-10-17
Get ADUserResultantPasswordPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get ADUserResultantPasswordPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainPolicy with Powershell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery TTP Active Directory Discovery 2024-09-30
Get DomainPolicy with Powershell Script Block Powershell Script Block Logging 4104 Password Policy Discovery TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get-DomainTrust with PowerShell Script Block Powershell Script Block Logging 4104 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get DomainUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get DomainUser with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery, CISA AA23-347A 2024-09-30
Get-ForestTrust with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery 2024-09-30
Get-ForestTrust with PowerShell Script Block Powershell Script Block Logging 4104 Domain Trust Discovery PowerShell TTP Active Directory Discovery 2024-09-30
Get WMIObject Group Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Get WMIObject Group Discovery with Script Block Logging Powershell Script Block Logging 4104 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
GetAdComputer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery Hunting Active Directory Discovery, CISA AA22-320A, Gozi Malware 2024-10-17
GetAdGroup with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
GetAdGroup with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
GetCurrent User with PowerShell Script Block Powershell Script Block Logging 4104 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
GetDomainComputer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainComputer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainController with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
GetDomainController with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetDomainGroup with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetLocalUser with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery 2024-10-17
GetLocalUser with PowerShell Script Block Powershell Script Block Logging 4104 Account Discovery Local Account PowerShell Hunting Active Directory Discovery, Malicious PowerShell 2024-10-17
GetNetTcpconnection with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery 2024-10-17
GetNetTcpconnection with PowerShell Script Block Powershell Script Block Logging 4104 System Network Connections Discovery Hunting Active Directory Discovery 2024-10-17
GetWmiObject Ds Computer with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Computer with PowerShell Script Block Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetWmiObject Ds Group with PowerShell Script Block Powershell Script Block Logging 4104 Permission Groups Discovery Domain Groups TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject DS User with PowerShell Script Block Powershell Script Block Logging 4104 Domain Account Account Discovery TTP Active Directory Discovery 2024-09-30
GetWmiObject User Account with PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery, Winter Vivern 2024-10-17
GetWmiObject User Account with PowerShell Script Block Powershell Script Block Logging 4104 Account Discovery Local Account PowerShell Hunting Active Directory Discovery, Malicious PowerShell, Winter Vivern 2024-10-17
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Headless Browser Mockbin or Mocky Request CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window TTP Forest Blizzard 2024-09-30
Headless Browser Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window Hunting Forest Blizzard 2024-10-17
Hide User Account From Sign-In Screen Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, Warzone RAT, Windows Registry Abuse, XMRig 2024-11-14
Hiding Files And Directories With Attrib exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Azorult, Compromised Windows Host, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-11-28
High Frequency Copy Of Files In Network Share Windows Event Log Security 5145 Transfer Data to Cloud Account Anomaly Information Sabotage, Insider Threat 2024-09-30
High Process Termination Frequency Sysmon EventID 5 Data Encrypted for Impact Anomaly BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger 2024-09-30
Hunting 3CXDesktopApp Software CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compromise Software Supply Chain Hunting 3CX Supply Chain Attack 2024-10-17
Icacls Deny Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Azorult, Compromised Windows Host, Sandworm Tools, XMRig 2024-11-28
ICACLS Grant Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Ransomware, XMRig 2024-09-30
IcedID Exfiltrated Archived File Creation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Hunting IcedID 2024-10-17
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Interactive Session on Remote Endpoint with PowerShell Powershell Script Block Logging 4104 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Java Writing JSP File Sysmon EventID 1, Sysmon EventID 11 Exploit Public-Facing Application External Remote Services TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-09-30
Jscript Execution Using Cscript App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter JavaScript TTP FIN7, Remcos 2024-09-30
Kerberoasting spn request with RC4 encryption Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, Compromised Windows Host, Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-11-28
Kerberos Pre-Authentication Flag Disabled in UserAccountControl Windows Event Log Security 4738 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Kerberos Pre-Authentication Flag Disabled with PowerShell Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets AS-REP Roasting TTP Active Directory Kerberos Attacks 2024-09-30
Kerberos Service Ticket Request Using RC4 Encryption Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Golden Ticket TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation 2024-09-30
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks 2024-09-30
Kerberos User Enumeration Windows Event Log Security 4768 Gather Victim Identity Information Email Addresses Anomaly Active Directory Kerberos Attacks 2024-09-30
Known Services Killed by Ransomware Windows Event Log System 7036 Inhibit System Recovery TTP BlackMatter Ransomware, Compromised Windows Host, LockBit Ransomware, Ransomware 2024-11-28
Loading Of Dynwrapx Module Sysmon EventID 7 Process Injection Dynamic-link Library Injection TTP AsyncRAT, Remcos 2024-09-30
Local Account Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery, Sandworm Tools 2024-10-17
Local Account Discovery With Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Account Discovery Local Account Hunting Active Directory Discovery 2024-10-17
Logon Script Event Trigger Execution Sysmon EventID 13 Boot or Logon Initialization Scripts Logon Script (Windows) TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-09-30
LOLBAS With Network Traffic Sysmon EventID 3 Ingress Tool Transfer Exfiltration Over Web Service System Binary Proxy Execution TTP Living Off The Land 2024-09-30
MacOS - Re-opened Applications Sysmon EventID 1 N/A TTP ColdRoot MacOS RAT 2024-10-17
Mailsniper Invoke functions Powershell Script Block Logging 4104 Email Collection Local Email Collection TTP Data Exfiltration 2024-09-30
Malicious InProcServer32 Modification Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Regsvr32 Modify Registry TTP Remcos, Suspicious Regsvr32 Activity 2024-09-30
Malicious Powershell Executed As A Service Windows Event Log System 7045 System Services Service Execution TTP Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware 2024-11-28
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Obfuscated Files or Information Hunting CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate 2024-10-17
Malicious PowerShell Process - Execution Policy Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell TTP AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon 2024-09-30
Malicious PowerShell Process With Obfuscation Techniques Sysmon EventID 1 Command and Scripting Interpreter PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools 2024-09-30
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model MMC TTP Active Directory Lateral Movement, Living Off The Land 2024-09-30
Modification Of Wallpaper Sysmon EventID 13 Defacement TTP BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse 2024-09-30
Modify ACL permission To Files Or Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Anomaly XMRig 2024-09-30
Monitor Registry Keys for Print Monitors Sysmon EventID 12, Sysmon EventID 13 Port Monitors Boot or Logon Autostart Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
MS Exchange Mailbox Replication service writing Active Server Pages Sysmon EventID 1, Sysmon EventID 11 Server Software Component Web Shell Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-10-17
MS Scripting Process Loading Ldap Module Sysmon EventID 7 Command and Scripting Interpreter JavaScript Anomaly FIN7 2024-09-30
MS Scripting Process Loading WMI Module Sysmon EventID 7 Command and Scripting Interpreter JavaScript Anomaly FIN7 2024-09-30
MSBuild Suspicious Spawned By Script Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 MSBuild Trusted Developer Utilities Proxy Execution TTP Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Mshta spawning Rundll32 OR Regsvr32 Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP IcedID, Living Off The Land, Trickbot 2024-09-30
MSHTML Module Load in Office Product Sysmon EventID 7 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-09-30
MSI Module Loaded by Non-System Binary Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Msmpeng Application DLL Side Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Ransomware, Revil Ransomware 2024-09-30
Net Localgroup Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation 2024-11-26
NET Profiler UAC bypass Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics 2024-09-30
Network Connection Discovery With Arp CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Connection Discovery With Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation 2024-11-26
Network Connection Discovery With Netstat CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Hunting Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation 2024-10-17
Network Discovery Using Route Windows App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery Internet Connection Discovery Hunting Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation 2024-10-17
Network Share Discovery Via Dir Command Windows Event Log Security 5140 Network Share Discovery Hunting IcedID 2024-10-17
Network Traffic to Active Directory Web Services Protocol Sysmon EventID 3 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery Hunting Windows Discovery Techniques 2024-10-17
Nishang PowershellTCPOneLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell TTP HAFNIUM Group 2024-09-30
NLTest Domain Trust Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Trust Discovery TTP Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware 2024-09-30
Non Chrome Process Accessing Chrome Default Dir Windows Event Log Security 4663 Credentials from Password Stores Credentials from Web Browsers Anomaly 3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Non Firefox Process Access Firefox Profile Dir Windows Event Log Security 4663 Credentials from Password Stores Credentials from Web Browsers Anomaly 3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT 2024-09-30
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BishopFox Sliver Adversary Emulation Framework 2024-09-30
Ntdsutil Export NTDS CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon 2024-09-30
Office Application Drop Executable Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Attachment TTP AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, FIN7, PlugX, Warzone RAT 2024-11-28
Office Application Spawn Regsvr32 process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, IcedID, Qakbot 2024-11-28
Office Application Spawn rundll32 process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments, Trickbot 2024-11-28
Office Document Creating Schedule Task Sysmon EventID 7 Phishing Spearphishing Attachment TTP Spearphishing Attachments 2024-09-30
Office Document Executing Macro Code Sysmon EventID 7 Phishing Spearphishing Attachment TTP AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot 2024-09-30
Office Document Spawned Child Process To Download CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments 2024-09-30
Office Product Spawn CMD Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT 2024-09-30
Office Product Spawning BITSAdmin CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments, Trickbot 2024-11-28
Office Product Spawning MSHTA CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, IcedID, NjRAT, Spearphishing Attachments 2024-11-28
Office Product Spawning Rundll32 with no DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Office Product Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Remcos, Spearphishing Attachments 2024-11-28
Office Product Spawning Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, FIN7, Spearphishing Attachments 2024-11-28
Office Product Writing cab or inf CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Office Spawning Control CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments 2024-11-28
Outbound Network Connection from Java Using Default Ports Sysmon EventID 1, Sysmon EventID 3 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228 2024-09-30
Overwriting Accessibility Binaries Sysmon EventID 11 Event Triggered Execution Accessibility Features TTP Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation 2024-09-30
Password Policy Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Policy Discovery Hunting Active Directory Discovery 2024-11-26
Permission Modification using Takeown App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Ransomware, Sandworm Tools 2024-09-30
PetitPotam Network Share Access Request Windows Event Log Security 5145 Forced Authentication TTP PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
PetitPotam Suspicious Kerberos TGT Request Windows Event Log Security 4768 OS Credential Dumping TTP Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services 2024-09-30
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion Anomaly BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate 2024-11-28
Possible Browser Pass View Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Web Browsers Credentials from Password Stores Hunting Remcos 2024-10-17
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task Windows Service PowerShell MMC TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potentially malicious code on commandline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Command Shell Anomaly Suspicious Command-Line Executions 2024-09-30
PowerShell 4104 Hunting Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell Hunting Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware 2024-10-17
PowerShell - Connect To Internet With Hidden Window CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 PowerShell Command and Scripting Interpreter Hunting AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns 2024-10-17
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 Component Object Model Hijacking Command and Scripting Interpreter PowerShell TTP Malicious PowerShell 2024-09-30
Powershell Creating Thread Mutex Powershell Script Block Logging 4104 Obfuscated Files or Information Indicator Removal from Tools PowerShell TTP Malicious PowerShell 2024-09-30
Powershell Disable Security Monitoring CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA24-241A, Ransomware, Revil Ransomware 2024-11-26
PowerShell Domain Enumeration Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
PowerShell Enable PowerShell Remoting Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Anomaly Malicious PowerShell 2024-09-30
Powershell Enable SMB1Protocol Feature Powershell Script Block Logging 4104 Obfuscated Files or Information Indicator Removal from Tools TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Execute COM Object Powershell Script Block Logging 4104 Component Object Model Hijacking Event Triggered Execution PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 Command and Scripting Interpreter Process Injection PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Powershell Fileless Script Contains Base64 Encoded Content Powershell Script Block Logging 4104 Command and Scripting Interpreter Obfuscated Files or Information PowerShell TTP AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern 2024-09-30
PowerShell Get LocalGroup Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Powershell Get LocalGroup Discovery with Script Block Logging Powershell Script Block Logging 4104 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
PowerShell Invoke CIMMethod CIMSession Powershell Script Block Logging 4104 Windows Management Instrumentation Anomaly Active Directory Lateral Movement, Malicious PowerShell 2024-09-30
PowerShell Invoke WmiExec Usage Powershell Script Block Logging 4104 Windows Management Instrumentation TTP Suspicious WMI Use 2024-09-30
Powershell Load Module in Meterpreter Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP MetaSploit 2024-09-30
PowerShell Loading DotNET into Memory via Reflection Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern 2024-09-30
Powershell Processing Stream Of Data Powershell Script Block Logging 4104 Command and Scripting Interpreter PowerShell TTP AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer 2024-09-30
Powershell Remote Services Add TrustedHost Powershell Script Block Logging 4104 Windows Remote Management Remote Services TTP DarkGate Malware 2024-09-30
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 Process Injection TTP Trickbot 2024-09-30
Powershell Remove Windows Defender Directory Powershell Script Block Logging 4104 Disable or Modify Tools Impair Defenses TTP Data Destruction, WhisperGate 2024-09-30
PowerShell Script Block With URL Chain Powershell Script Block Logging 4104 PowerShell Ingress Tool Transfer TTP Malicious PowerShell 2024-09-30
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs TTP BITS Jobs, Gozi Malware 2024-09-30
PowerShell Start or Stop Service Powershell Script Block Logging 4104 PowerShell Anomaly Active Directory Lateral Movement 2024-09-30
Powershell Using memory As Backing Store Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter TTP Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak 2024-09-30
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 PowerShell Ingress Tool Transfer Fileless Storage TTP Malicious PowerShell, MoonPeak 2024-09-30
Powershell Windows Defender Exclusion Commands Powershell Script Block Logging 4104 Disable or Modify Tools Impair Defenses TTP AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics 2024-09-30
Prevent Automatic Repair Mode using Bcdedit CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP Chaos Ransomware, Ransomware 2024-09-30
Print Processor Registry Autostart Sysmon EventID 12, Sysmon EventID 13 Print Processors Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-10-17
Print Spooler Adding A Printer Driver Windows Event Log Printservice 316 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Print Spooler Failed to Load a Plug-in Windows Event Log Printservice 808 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Process Creating LNK file in Suspicious Location Sysmon EventID 1, Sysmon EventID 11 Phishing Spearphishing Link TTP Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments 2024-09-30
Process Deleting Its Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP Clop Ransomware, Data Destruction, Remcos, WhisperGate 2024-09-30
Process Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Suspicious WMI Use 2024-09-30
Process Kill Base On File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP XMRig 2024-09-30
Process Writing DynamicWrapperX Sysmon EventID 1, Sysmon EventID 11 Command and Scripting Interpreter Component Object Model Hunting Remcos 2024-10-17
Processes launching netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses Anomaly Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon 2024-09-30
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 Scheduled Task/Job Scheduled Task Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-10-17
Randomly Generated Windows Service Name Windows Event Log System 7045 Create or Modify System Process Windows Service Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Ransomware Notes bulk creation Sysmon EventID 11 Data Encrypted for Impact Anomaly BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware 2024-09-30
Recon AVProduct Through Pwh or WMI Powershell Script Block Logging 4104 Gather Victim Host Information TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation 2024-09-30
Recon Using WMI Class Powershell Script Block Logging 4104 Gather Victim Host Information PowerShell Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot 2024-09-30
Recursive Delete of Directory In Batch CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File Deletion Indicator Removal TTP Ransomware 2024-09-30
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Services Registry Permissions Weakness Hijack Execution Flow TTP Living Off The Land, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Registry Keys for Creating SHIM Databases Sysmon EventID 12, Sysmon EventID 13 Application Shimming Event Triggered Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Registry Keys Used For Persistence Sysmon EventID 12, Sysmon EventID 13 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution TTP Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Registry Keys Used For Privilege Escalation Sysmon EventID 12, Sysmon EventID 13 Image File Execution Options Injection Event Triggered Execution TTP Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Regsvr32 Silent and Install Param Dll Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Regsvr32 with Known Silent Switch Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 Anomaly AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Remcos client registry install entry CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Modify Registry TTP Remcos, Windows Registry Abuse 2024-09-30
Remcos RAT File Creation in Remcos Folder Sysmon EventID 11 Screen Capture TTP Remcos 2024-09-30
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services Hunting Active Directory Lateral Movement, Hidden Cobra Malware 2024-10-17
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Remote Process Instantiation via DCOM and PowerShell Script Block Powershell Script Block Logging 4104 Remote Services Distributed Component Object Model TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell Script Block Powershell Script Block Logging 4104 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and Winrs CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use 2024-09-30
Remote Process Instantiation via WMI and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Remote Process Instantiation via WMI and PowerShell Script Block Powershell Script Block Logging 4104 Windows Management Instrumentation TTP Active Directory Lateral Movement 2024-09-30
Remote System Discovery with Adsisearcher Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Discovery 2024-09-30
Remote System Discovery with Dsquery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery 2024-10-17
Remote System Discovery with Net CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery Hunting Active Directory Discovery, IcedID 2024-11-26
Remote System Discovery with Wmic CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP Active Directory Discovery 2024-09-30
Remote WMI Command Attempt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon 2024-09-30
Resize ShadowStorage volume CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP BlackByte Ransomware, Clop Ransomware, Compromised Windows Host 2024-11-28
Revil Common Exec Parameter CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 User Execution TTP Ransomware, Revil Ransomware 2024-09-30
Revil Registry Entry CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Modify Registry TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2024-09-30
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket Steal or Forge Kerberos Tickets Kerberoasting AS-REP Roasting TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Access Token Manipulation Token Impersonation/Theft Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-10-17
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-11-28
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Rundll32 DNSQuery Sysmon EventID 22 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 LockWorkStation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 Anomaly Ransomware 2024-09-30
Rundll32 Process Creating Exe Dll Files Sysmon EventID 11 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 Shimcache Flush CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2024-11-28
Rundll32 with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-11-28
RunDLL Loading DLL By Ordinal CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes 2024-09-30
Ryuk Test Files Detected Sysmon EventID 11 Data Encrypted for Impact TTP Ryuk Ransomware 2024-09-30
Ryuk Wake on LAN Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Windows Command Shell TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
SAM Database File Access Attempt Windows Event Log Security 4663 Security Account Manager OS Credential Dumping Hunting Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-10-17
Samsam Test File Write Sysmon EventID 11 Data Encrypted for Impact TTP SamSam Ransomware 2024-09-30
Sc exe Manipulating Windows Services CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Service Create or Modify System Process TTP Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
SchCache Change By App Connect And Create ADSI Object Sysmon EventID 11 Domain Account Account Discovery Anomaly BlackMatter Ransomware 2024-09-30
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 Scheduled Task/Job TTP Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 Scheduled Task/Job TTP Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques 2024-11-28
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job At TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern 2024-09-30
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job TTP CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig 2024-09-30
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-11-28
Schtasks used for forcing a reboot CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Screensaver Event Trigger Execution Sysmon EventID 12, Sysmon EventID 13 Event Triggered Execution Screensaver TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Script Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Suspicious WMI Use 2024-09-30
Sdclt UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Sdelete Application Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Data Destruction File Deletion Indicator Removal TTP Masquerading - Rename System Utilities 2024-09-30
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
SecretDumps Offline NTDS Dumping Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 NTDS OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware 2024-11-28
ServicePrincipalNames Discovery with PowerShell Powershell Script Block Logging 4104 Kerberoasting TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell 2024-09-30
ServicePrincipalNames Discovery with SetSPN CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Kerberoasting TTP Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Services Escalate Exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Services LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot 2024-09-30
Set Default PowerShell Execution Policy To Unrestricted or Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell TTP Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell 2024-09-30
Shim Database File Creation Sysmon EventID 11 Application Shimming Event Triggered Execution TTP Windows Persistence Techniques 2024-09-30
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Application Shimming Event Triggered Execution TTP Compromised Windows Host, Windows Persistence Techniques 2024-11-28
Short Lived Scheduled Task Windows Event Log Security 4698, Windows Event Log Security 4699 Scheduled Task TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks 2024-11-28
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 Local Account Create Account Local Accounts TTP Active Directory Lateral Movement 2024-11-14
SilentCleanup UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Single Letter Process On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 User Execution Malicious File TTP Compromised Windows Host, DHS Report TA18-074A 2024-11-28
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
SLUI Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
Spike in File Writes Sysmon EventID 11 N/A Anomaly Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware 2024-10-17
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Suspicious Process Access Sysmon EventID 10 Exploitation for Privilege Escalation TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP Compromised Windows Host, PrintNightmare CVE-2021-34527 2024-11-28
Spoolsv Writing a DLL - Sysmon Sysmon EventID 11 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Sqlite Module In Temp Folder Sysmon EventID 11 Data from Local System TTP IcedID 2024-09-30
Sunburst Correlation DLL and Network Event Sysmon EventID 22, Sysmon EventID 7 Exploitation for Client Execution TTP NOBELIUM Group 2024-10-17
Suspicious Computer Account Name Change Windows Event Log Security 4781 Valid Accounts Domain Accounts TTP Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation 2024-11-28
Suspicious Copy on System32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Rename System Utilities Masquerading TTP AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon 2024-11-28
Suspicious Curl Network Connection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow 2024-10-17
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Driver Loaded Path Sysmon EventID 6 Windows Service Create or Modify System Process TTP AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig 2024-09-30
Suspicious Event Log Service Behavior Windows Event Log Security 1100 Indicator Removal Clear Windows Event Logs Hunting Clop Ransomware, Ransomware, Windows Log Manipulation 2024-10-17
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious IcedID Rundll32 Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Suspicious Image Creation In Appdata Folder Sysmon EventID 1, Sysmon EventID 11 Screen Capture TTP Remcos 2024-09-30
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 Valid Accounts Domain Accounts TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution 2024-10-17
Suspicious microsoft workflow compiler usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Trusted Developer Utilities Proxy Execution TTP Living Off The Land, Trusted Developer Utilities Proxy Execution 2024-09-30
Suspicious msbuild path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities MSBuild TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities MSBuild Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-10-17
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Trusted Developer Utilities Proxy Execution MSBuild TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious mshta child process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-09-30
Suspicious mshta spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, Suspicious MSHTA Activity 2024-09-30
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
Suspicious Process DNS Query Known Abuse Web Services Sysmon EventID 22 Visual Basic Command and Scripting Interpreter TTP Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate 2024-11-28
Suspicious Process Executed From Container File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Malicious File Masquerade File Type TTP Amadey, Remcos, Snake Keylogger, Unusual Processes 2024-09-30
Suspicious Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
Suspicious Process With Discord DNS Query Sysmon EventID 22 Visual Basic Command and Scripting Interpreter Anomaly Data Destruction, PXA Stealer, WhisperGate 2024-09-30
Suspicious Reg exe Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2024-09-30
Suspicious Regsvr32 Register Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 TTP IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity 2024-09-30
Suspicious Rundll32 dllregisterserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 PluginInit CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID 2024-09-30
Suspicious Rundll32 StartW CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot 2024-09-30
Suspicious Scheduled Task from Public Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job Anomaly Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious SQLite3 LSQuarantine Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Data Staged TTP Silver Sparrow 2024-10-17
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 Valid Accounts Domain Accounts Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
Suspicious WAV file in Appdata Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Screen Capture TTP Remcos 2024-09-30
Suspicious wevtutil Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Clear Windows Event Logs Indicator Removal TTP CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation 2024-09-30
Suspicious writes to windows Recycle Bin Sysmon EventID 1, Sysmon EventID 11 Masquerading TTP Collection and Staging, PlugX 2024-09-30
Svchost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
System Info Gathering Using Dxdiag Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Gather Victim Host Information Hunting Remcos 2024-10-17
System Information Discovery Detection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Information Discovery TTP BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques 2024-09-30
System Processes Run From Unexpected Locations CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities Anomaly DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
System User Discovery With Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
System User Discovery With Whoami CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern 2024-10-17
Time Provider Persistence Registry Sysmon EventID 12, Sysmon EventID 13 Time Providers Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 Process Injection TTP Trickbot 2024-09-30
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 Bypass User Account Control Abuse Elevation Control Mechanism MMC TTP Windows Defense Evasion Tactics 2024-09-30
UAC Bypass With Colorui COM Object Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP LockBit Ransomware, Ransomware 2024-09-30
Uninstall App Using MsiExec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec System Binary Proxy Execution TTP Ransomware 2024-09-30
Unknown Process Using The Kerberos Protocol Sysmon EventID 1, Sysmon EventID 3 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Unload Sysmon Filter Driver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Disabling Security Tools 2024-09-30
Unloading AMSI via Reflection Powershell Script Block Logging 4104 Impair Defenses PowerShell Command and Scripting Interpreter TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 Valid Accounts Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Kerberos Service Tickets Requested Windows Event Log Security 4769 Steal or Forge Kerberos Tickets Kerberoasting Anomaly Active Directory Kerberos Attacks 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 Valid Accounts Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusually Long Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 N/A Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
Unusually Long Command Line - MLTK CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 N/A Anomaly Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes 2024-10-17
User Discovery With Env Vars PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
User Discovery With Env Vars PowerShell Script Block Powershell Script Block Logging 4104 System Owner/User Discovery Hunting Active Directory Discovery 2024-10-17
USN Journal Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP Ransomware, Windows Log Manipulation 2024-09-30
Vbscript Execution Using Wscript App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Visual Basic Command and Scripting Interpreter TTP AsyncRAT, FIN7, Remcos 2024-09-30
Verclsid CLSID Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Verclsid System Binary Proxy Execution Hunting Unusual Processes 2024-10-17
W3WP Spawning Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component Web Shell TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities 2024-09-30
WBAdmin Delete System Backups CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Inhibit System Recovery TTP Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware 2024-11-26
Wbemprox COM Object Execution Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP LockBit Ransomware, Ransomware, Revil Ransomware 2024-09-30
Wermgr Process Connecting To IP Check Web Services Sysmon EventID 22 Gather Victim Network Information IP Addresses TTP Trickbot 2024-09-30
Wermgr Process Create Executable File Sysmon EventID 11 Obfuscated Files or Information TTP Trickbot 2024-09-30
Wermgr Process Spawned CMD Or Powershell Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP Qakbot, Trickbot 2024-09-30
Wget Download and Bash Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 2024-12-03
Windows Abused Web Services Sysmon EventID 22 Web Service TTP CISA AA24-241A, NjRAT 2024-09-30
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 Create Process with Token Access Token Manipulation Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, Meduza Stealer, PlugX, ValleyRAT 2024-11-28
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Hunting Brute Ratel C4 2024-10-17
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Anomaly Brute Ratel C4 2024-09-30
Windows Account Discovery for None Disable User Account Powershell Script Block Logging 4104 Account Discovery Local Account Hunting CISA AA23-347A 2024-10-17
Windows Account Discovery for Sam Account Name Powershell Script Block Logging 4104 Account Discovery Anomaly CISA AA23-347A 2024-09-30
Windows Account Discovery With NetUser PreauthNotRequire Powershell Script Block Logging 4104 Account Discovery Hunting CISA AA23-347A 2024-10-17
Windows AD Abnormal Object Access Activity Windows Event Log Security 4662 Account Discovery Domain Account Anomaly Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 Event Triggered Execution TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Cross Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Controller Audit Policy Disabled Windows Event Log Security 4719 Disable or Modify Tools TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Controller Promotion Windows Event Log Security 4742 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Replication ACL Addition Domain or Tenant Policy Modification TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD DSRM Account Changes Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Account Manipulation TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows AD DSRM Password Reset Windows Event Log Security 4794 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Privileged Account SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Privileged Object Access Activity Windows Event Log Security 4662 Account Discovery Domain Account TTP Active Directory Discovery, BlackSuit Ransomware 2024-09-30
Windows AD Replication Request Initiated by User Account Windows Event Log Security 4662 DCSync OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Replication Request Initiated from Unsanctioned Location Windows Event Log Security 4624, Windows Event Log Security 4662 DCSync OS Credential Dumping TTP Compromised Windows Host, Credential Dumping, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Same Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques 2024-11-28
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-10-16
Windows AD Short Lived Domain Account ServicePrincipalName Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Short Lived Domain Controller SPN Attribute Windows Event Log Security 4624, Windows Event Log Security 5136 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Short Lived Server Object Windows Event Log Security 5137, Windows Event Log Security 5141 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD SID History Attribute Modified Windows Event Log Security 5136 Access Token Manipulation SID-History Injection TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AdFind Exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote System Discovery TTP BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group 2024-10-17
Windows Admin Permission Discovery Sysmon EventID 11 Local Groups Anomaly NjRAT 2024-09-30
Windows Administrative Shares Accessed On Multiple Hosts Windows Event Log Security 5140, Windows Event Log Security 5145 Network Share Discovery TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Group Policy Object Created Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Alternate DataStream - Base64 Content Sysmon EventID 15 Hide Artifacts NTFS File Attributes TTP Windows Defense Evasion Tactics 2024-09-30
Windows Alternate DataStream - Executable Content Sysmon EventID 15 Hide Artifacts NTFS File Attributes TTP Windows Defense Evasion Tactics 2024-09-30
Windows Alternate DataStream - Process Execution Sysmon EventID 1, Windows Event Log Security 4688 Hide Artifacts NTFS File Attributes TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Apache Benchmark Binary CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Anomaly MetaSploit 2024-09-30
Windows App Layer Protocol Qakbot NamedPipe Sysmon EventID 17, Sysmon EventID 18 Application Layer Protocol Anomaly Qakbot 2024-09-30
Windows App Layer Protocol Wermgr Connect To NamedPipe Sysmon EventID 17, Sysmon EventID 18 Application Layer Protocol Anomaly Qakbot 2024-09-30
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Sysmon EventID 17, Sysmon EventID 18 Application Layer Protocol TTP Azorult 2024-09-30
Windows AppLocker Block Events System Binary Proxy Execution Anomaly Windows AppLocker 2024-09-30
Windows AppLocker Execution from Uncommon Locations System Binary Proxy Execution Hunting Windows AppLocker 2024-10-17
Windows AppLocker Privilege Escalation via Unauthorized Bypass System Binary Proxy Execution TTP Windows AppLocker 2024-09-30
Windows AppLocker Rare Application Launch Detection System Binary Proxy Execution Hunting Windows AppLocker 2024-10-17
Windows Archive Collected Data via Powershell Powershell Script Block Logging 4104 Archive Collected Data Anomaly CISA AA23-347A 2024-09-30
Windows Archive Collected Data via Rar CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Archive via Utility Archive Collected Data Anomaly DarkGate Malware 2024-09-30
Windows Archived Collected Data In TEMP Folder Archive Collected Data TTP Braodo Stealer 2024-09-24
Windows AutoIt3 Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP DarkGate Malware, Handala Wiper 2024-09-30
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 12, Sysmon EventID 13 LSASS Driver TTP Windows Registry Abuse 2024-09-30
Windows Binary Proxy Execution Mavinject DLL Injection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Mavinject System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows BitLockerToGo Process Execution System Binary Proxy Execution Hunting Lumma Stealer 2024-11-13
Windows BitLockerToGo with Network Activity System Binary Proxy Execution Hunting Lumma Stealer 2024-11-13
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution Anomaly Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer 2024-09-30
Windows BootLoader Inventory System Firmware Pre-OS Boot Hunting BlackLotus Campaign, Windows BootKits 2024-10-17
Windows Bypass UAC via Pkgmgr Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Anomaly Warzone RAT 2024-09-30
Windows CAB File on Disk Sysmon EventID 11 Spearphishing Attachment Anomaly DarkGate Malware 2024-09-30
Windows Cached Domain Credentials Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Cached Domain Credentials OS Credential Dumping Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Change Default File Association For No File Ext CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Change Default File Association Event Triggered Execution TTP Compromised Windows Host, Prestige Ransomware 2024-11-28
Windows ClipBoard Data via Get-ClipBoard Powershell Script Block Logging 4104 Clipboard Data Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows COM Hijacking InprocServer32 Modification CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Component Object Model Hijacking Event Triggered Execution TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows Command and Scripting Interpreter Hunting Path Traversal CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Hunting Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-10-17
Windows Command and Scripting Interpreter Path Traversal Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics 2024-11-28
Windows Command Shell DCRat ForkBomb Payload CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Command Shell Command and Scripting Interpreter TTP Compromised Windows Host, DarkCrystal RAT 2024-11-28
Windows Command Shell Fetch Env Variables CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Qakbot 2024-09-30
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification System Network Connections Discovery System Owner/User Discovery System Shutdown/Reboot System Network Configuration Discovery Command and Scripting Interpreter Correlation Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation 2024-09-30
Windows Computer Account Created by Computer Account Windows Event Log Security 4741 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Computer Account Requesting Kerberos Ticket Windows Event Log Security 4768 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Computer Account With SPN Windows Event Log Security 4741 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows ConHost with Headless Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window Run Virtual Instance TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Create Local Account Local Account Create Account Anomaly Active Directory Password Spraying, CISA AA24-241A 2024-09-30
Windows Credential Access From Browser Password Store Windows Event Log Security 4663 Query Registry Anomaly Braodo Stealer, Meduza Stealer, MoonPeak, PXA Stealer, Snake Keylogger 2024-11-28
Windows Credential Dumping LSASS Memory Createdump CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 LSASS Memory TTP Compromised Windows Host, Credential Dumping 2024-11-28
Windows Credentials Access via VaultCli Module Windows Credential Manager Anomaly Meduza Stealer 2024-11-29
Windows Credentials from Password Stores Chrome Copied in TEMP Dir Credentials from Web Browsers Credentials from Password Stores TTP Braodo Stealer 2024-09-24
Windows Credentials from Password Stores Chrome Extension Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer 2024-11-28
Windows Credentials from Password Stores Chrome LocalState Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Chrome Login Data Access Windows Event Log Security 4663 Query Registry Anomaly Amadey, Braodo Stealer, DarkGate Malware, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT 2024-11-28
Windows Credentials from Password Stores Creation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows Credentials from Password Stores Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials from Password Stores Anomaly DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Credentials from Web Browsers Saved in TEMP Folder Credentials from Web Browsers Credentials from Password Stores TTP Braodo Stealer 2024-09-24
Windows Credentials in Registry Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Credentials in Registry Unsecured Credentials Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Curl Download to Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer 2024-11-28
Windows Curl Upload to Remote Destination CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, Ingress Tool Transfer 2024-11-28
Windows Data Destruction Recursive Exec Files Deletion Sysmon EventID 23 Data Destruction TTP Data Destruction, Handala Wiper, Swift Slicer 2024-09-30
Windows Debugger Tool Execution Masquerading Hunting DarkGate Malware, PlugX 2024-10-17
Windows Defacement Modify Transcodedwallpaper File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defacement Anomaly Brute Ratel C4 2024-09-30
Windows Default Group Policy Object Modified Windows Event Log Security 5136 Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Default Group Policy Object Modified with GPME CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Defender ASR Audit Events Windows Event Log Defender 1122 Command and Scripting Interpreter Spearphishing Attachment Spearphishing Link Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Block Events Windows Event Log Defender 1121, Windows Event Log Defender 1129 Command and Scripting Interpreter Spearphishing Attachment Spearphishing Link Anomaly Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Registry Modification Windows Event Log Defender 5007 Modify Registry Hunting Windows Attack Surface Reduction 2024-10-17
Windows Defender ASR Rule Disabled Windows Event Log Defender 5007 Modify Registry TTP Windows Attack Surface Reduction 2024-09-30
Windows Defender ASR Rules Stacking Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 Spearphishing Attachment Spearphishing Link Command and Scripting Interpreter Hunting Windows Attack Surface Reduction 2024-10-17
Windows Defender Exclusion Registry Entry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics 2024-11-14
Windows Delete or Modify System Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Impair Defenses Disable or Modify System Firewall Anomaly NjRAT, ShrinkLocker 2024-09-30
Windows Deleted Registry By A Non Critical Process File Path Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Disable Change Password Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Lock Workstation Feature Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable LogOff Button Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Memory Crash Dump Sysmon EventID 12, Sysmon EventID 13 Data Destruction TTP Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse 2024-09-30
Windows Disable Notification Center Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable or Modify Tools Via Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Impair Defenses Disable or Modify Tools Anomaly NjRAT, PXA Stealer 2024-09-30
Windows Disable or Stop Browser Process Disable or Modify Tools Impair Defenses TTP Braodo Stealer 2024-09-24
Windows Disable Shutdown Button Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable Windows Event Logging Impair Defenses Server Software Component IIS Components TTP CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics 2024-11-28
Windows Disable Windows Group Policy Features Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows DisableAntiSpyware Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows DiskCryptor Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Data Encrypted for Impact Hunting Ransomware 2024-10-17
Windows Diskshadow Proxy Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows DISM Install PowerShell Web Access Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control TTP CISA AA24-241A 2024-09-30
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Hunting Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2024-10-17
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Search Order Hijacking TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Side-Loading In Calc Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP Qakbot 2024-09-30
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow Anomaly Qakbot 2024-09-30
Windows DNS Gather Network Info CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DNS Anomaly Sandworm Tools, Volt Typhoon 2024-09-30
Windows DnsAdmins New Member Added Windows Event Log Security 4732 Account Manipulation TTP Active Directory Privilege Escalation 2024-09-30
Windows Domain Account Discovery Via Get-NetComputer Powershell Script Block Logging 4104 Account Discovery Domain Account Anomaly CISA AA23-347A 2024-09-30
Windows Domain Admin Impersonation Indicator Windows Event Log Security 4627 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Compromised Windows Host, Gozi Malware 2024-11-28
Windows DotNet Binary in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities System Binary Proxy Execution InstallUtil TTP Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows Driver Inventory Exploitation for Privilege Escalation Hunting Windows Drivers 2024-10-17
Windows Driver Load Non-Standard Path Windows Event Log System 7045 Rootkit Exploitation for Privilege Escalation TTP AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Drivers Loaded by Signature Sysmon EventID 6 Rootkit Exploitation for Privilege Escalation Hunting AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Enable PowerShell Web Access Powershell Script Block Logging 4104 PowerShell TTP CISA AA24-241A, Malicious PowerShell 2024-09-30
Windows Enable Win32 ScheduledJob via Registry Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Anomaly Active Directory Lateral Movement, Scheduled Tasks 2024-09-30
Windows ESX Admins Group Creation Security Event Local Account Domain Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows ESX Admins Group Creation via Net Sysmon EventID 1 Domain Account Local Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-11-26
Windows ESX Admins Group Creation via PowerShell Powershell Script Block Logging 4104 Domain Account Local Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Event For Service Disabled Windows Event Log System 7040 Disable or Modify Tools Impair Defenses Hunting RedLine Stealer, Windows Defense Evasion Tactics 2024-10-17
Windows Event Log Cleared Windows Event Log Security 1102 Indicator Removal Clear Windows Event Logs TTP CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation 2024-11-28
Windows Event Triggered Image File Execution Options Injection Windows Event Log Application 3000 Image File Execution Options Injection Hunting Windows Persistence Techniques 2024-10-17
Windows Excessive Disabled Services Event Windows Event Log System 7040 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Executable in Loaded Modules Sysmon EventID 7 Shared Modules TTP NjRAT 2024-09-30
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 2024-11-28
Windows Exfiltration Over C2 Via Invoke RestMethod Powershell Script Block Logging 4104 Exfiltration Over C2 Channel TTP Winter Vivern 2024-09-30
Windows Exfiltration Over C2 Via Powershell UploadString Powershell Script Block Logging 4104 Exfiltration Over C2 Channel TTP Winter Vivern 2024-09-30
Windows Export Certificate Windows Event Log CertificateServicesClient 1007 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows File Share Discovery With Powerview Powershell Script Block Logging 4104 Network Share Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation 2024-09-30
Windows File Transfer Protocol In Non-Common Process Path Sysmon EventID 3 Mail Protocols Application Layer Protocol Anomaly AgentTesla, Snake Keylogger 2024-09-30
Windows File Without Extension In Critical Folder Sysmon EventID 1, Sysmon EventID 11 Data Destruction TTP Data Destruction, Hermetic Wiper 2024-09-30
Windows Files and Dirs Access Rights Modification Via Icacls CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows File and Directory Permissions Modification File and Directory Permissions Modification TTP Amadey 2024-09-30
Windows Find Domain Organizational Units with GetDomainOU Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Find Interesting ACL with FindInterestingDomainAcl Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Findstr GPP Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Unsecured Credentials Group Policy Preferences TTP Active Directory Privilege Escalation 2024-09-30
Windows Forest Discovery with GetForestDomain Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Gather Victim Host Information Camera Powershell Script Block Logging 4104 Hardware Gather Victim Host Information Anomaly DarkCrystal RAT 2024-09-30
Windows Gather Victim Identity SAM Info Sysmon EventID 7 Credentials Gather Victim Identity Information Hunting Brute Ratel C4 2024-10-17
Windows Gather Victim Network Info Through Ip Check Web Services Sysmon EventID 22 IP Addresses Gather Victim Network Information Hunting Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger 2024-11-28
Windows Get-AdComputer Unconstrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks 2024-09-30
Windows Get Local Admin with FindLocalAdminAccess Powershell Script Block Logging 4104 Account Discovery Domain Account TTP Active Directory Discovery 2024-09-30
Windows Group Policy Object Created Windows Event Log Security 5136, Windows Event Log Security 5137 Domain or Tenant Policy Modification Group Policy Modification Domain Accounts TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 Scheduled Task/Job TTP Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks 2024-11-28
Windows Hide Notification Features Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows High File Deletion Frequency Sysmon EventID 23 Data Destruction Anomaly Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate 2024-09-30
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Anomaly Brute Ratel C4 2024-09-30
Windows Hunting System Account Targeting Lsass Sysmon EventID 10 LSASS Memory OS Credential Dumping Hunting CISA AA23-347A, Credential Dumping 2024-10-17
Windows Identify PowerShell Web Access IIS Pool Windows Event Log Security 4648 Exploit Public-Facing Application Hunting CISA AA24-241A 2024-10-17
Windows Identify Protocol Handlers CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Hunting Living Off The Land 2024-10-17
Windows IIS Components Add New Module CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows IIS Components Get-WebGlobalModule Module Query Powershell Installed IIS Modules IIS Components Server Software Component Hunting IIS Components, WS FTP Server Critical Vulnerabilities 2024-10-17
Windows IIS Components Module Failed to Load Windows Event Log Application 2282 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows IIS Components New Module Added Windows IIS 29 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows Impair Defense Add Xml Applocker Rules CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Hunting Azorult 2024-10-17
Windows Impair Defense Change Win Defender Health Check Intervals Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Quick Scan Interval Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Throttle Rate Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Tracing Level Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Configure App Install Control Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Define Win Defender Threat Action Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Delete Win Defender Context Menu Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Hunting Windows Defense Evasion Tactics, Windows Registry Abuse 2024-10-17
Windows Impair Defense Delete Win Defender Profile Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Anomaly Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Deny Security Software With Applocker Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult 2024-09-30
Windows Impair Defense Disable Controlled Folder Access Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Firewall And Network Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Protocol Recognition Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable PUA Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Realtime Signature Delivery Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Web Evaluation Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Disable Win Defender App Guard Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Compute File Hashes Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Gen reports Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Network Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Report Infection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Scan On Update Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Signature Retirement Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Overide Win Defender Phishing Filter Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Override SmartScreen Prompt Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable AV AutoStart via Registry Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Impair Defenses Disable HVCI Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable Win Defender Auto Logging Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Indicator Removal Via Rmdir CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Anomaly DarkGate Malware 2024-09-30
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution TTP Living Off The Land, Windows Post-Exploitation 2024-09-30
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution TTP Living Off The Land 2024-09-30
Windows Indirect Command Execution Via Series Of Forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Information Discovery Fsutil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Information Discovery Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Ingress Tool Transfer Using Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer Anomaly DarkCrystal RAT 2024-09-30
Windows InProcServer32 New Outlook Form Sysmon EventID 13 Phishing Modify Registry Anomaly Outlook RCE CVE-2024-21378 2024-09-30
Windows Input Capture Using Credential UI Dll Sysmon EventID 7 GUI Input Capture Input Capture Hunting Brute Ratel C4 2024-10-17
Windows InstallUtil Credential Theft Sysmon EventID 7 InstallUtil System Binary Proxy Execution TTP Signed Binary Proxy Execution InstallUtil 2024-09-30
Windows InstallUtil in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities System Binary Proxy Execution InstallUtil TTP Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows InstallUtil Remote Network Connection Sysmon EventID 1, Sysmon EventID 3 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option with Network Sysmon EventID 1, Sysmon EventID 3 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows ISO LNK File Creation Sysmon EventID 11 Spearphishing Attachment Phishing Malicious Link User Execution Hunting AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT 2024-10-17
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-10-17
Windows Kerberos Local Successful Logon Windows Event Log Security 4624 Steal or Forge Kerberos Tickets TTP Active Directory Kerberos Attacks, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Known Abused DLL Created Sysmon EventID 1, Sysmon EventID 11 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow Anomaly Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Anomaly CISA AA23-347A 2024-09-30
Windows KrbRelayUp Service Creation Windows Event Log System 7045 Windows Service TTP Compromised Windows Host, Local Privilege Escalation With KrbRelayUp 2024-11-28
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 Network Share Discovery Valid Accounts Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Lateral Tool Transfer RemCom CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Lateral Tool Transfer TTP Active Directory Discovery 2024-09-30
Windows Ldifde Directory Object Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer Domain Groups TTP Volt Typhoon 2024-09-30
Windows Linked Policies In ADSI Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows Local Administrator Credential Stuffing Windows Event Log Security 4624, Windows Event Log Security 4625 Brute Force Credential Stuffing TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows LOLBAS Executed As Renamed File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities Rundll32 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows LOLBAS Executed Outside Expected Path Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Match Legitimate Name or Location Rundll32 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows LSA Secrets NoLMhash Registry Sysmon EventID 12, Sysmon EventID 13 LSA Secrets TTP CISA AA23-347A 2024-11-14
Windows Mail Protocol In Non-Common Process Path Sysmon EventID 3 Mail Protocols Application Layer Protocol Anomaly AgentTesla 2024-09-30
Windows Mark Of The Web Bypass Sysmon EventID 23 Mark-of-the-Web Bypass TTP Warzone RAT 2024-09-30
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Masquerading Msdtc Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading TTP Compromised Windows Host, PlugX 2024-11-28
Windows Mimikatz Binary Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 OS Credential Dumping TTP CISA AA22-320A, CISA AA23-347A, Compromised Windows Host, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon 2024-11-28
Windows Mimikatz Crypto Export File Extensions Sysmon EventID 11 Steal or Forge Authentication Certificates Anomaly CISA AA23-347A, Sandworm Tools, Windows Certificate Services 2024-09-30
Windows Modify Registry AuthenticationLevelOverride Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Auto Minor Updates Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Auto Update Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry Configure BitLocker Sysmon EventID 13 Modify Registry TTP ShrinkLocker 2024-09-30
Windows Modify Registry Default Icon Setting Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly LockBit Ransomware 2024-09-30
Windows Modify Registry Delete Firewall Rules Sysmon EventID 12 Modify Registry TTP CISA AA24-241A, ShrinkLocker 2024-09-30
Windows Modify Registry Disable RDP Sysmon EventID 13 Modify Registry Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry Disable Restricted Admin Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A 2024-11-14
Windows Modify Registry Disable Toast Notifications Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult 2024-09-30
Windows Modify Registry Disable Win Defender Raw Write Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Disable WinDefender Notifications Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry Disable Windows Security Center Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisableRemoteDesktopAntiAlias Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP DarkGate Malware 2024-09-30
Windows Modify Registry DisableSecuritySettings Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, DarkGate Malware 2024-09-30
Windows Modify Registry Disabling WER Settings Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisAllow Windows App Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Azorult 2024-09-30
Windows Modify Registry Do Not Connect To Win Update Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry DontShowUI Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP DarkGate Malware 2024-09-30
Windows Modify Registry EnableLinkedConnections Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP BlackByte Ransomware 2024-11-14
Windows Modify Registry LongPathsEnabled Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly BlackByte Ransomware 2024-11-14
Windows Modify Registry MaxConnectionPerServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Warzone RAT 2024-09-30
Windows Modify Registry No Auto Reboot With Logon User Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry No Auto Update Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry NoChangingWallPaper Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Rhysida Ransomware 2024-11-14
Windows Modify Registry on Smart Card Group Policy Sysmon EventID 13 Modify Registry Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry ProxyEnable Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry ProxyServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Qakbot Binary Data Registry Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Qakbot 2024-09-30
Windows Modify Registry Reg Restore CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Query Registry Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Modify Registry Regedit Silent Reg Import CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Anomaly Azorult 2024-09-30
Windows Modify Registry Risk Behavior Modify Registry Correlation Windows Registry Abuse 2024-09-30
Windows Modify Registry Suppress Win Defender Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Tamper Protection Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP RedLine Stealer 2024-09-30
Windows Modify Registry to Add or Modify Firewall Rule Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA24-241A, ShrinkLocker 2024-11-14
Windows Modify Registry UpdateServiceUrlAlternate Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry USeWuServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Utilize ProgIDs Sysmon EventID 13 Modify Registry Anomaly ValleyRAT 2024-09-30
Windows Modify Registry ValleyRAT C2 Config Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Modify Registry ValleyRat PWN Reg Entry Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Modify Registry With MD5 Reg Key Name Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP NjRAT 2024-09-30
Windows Modify Registry WuServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry wuStatusServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Show Compress Color And Info Tip Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Modify System Firewall with Notable Process Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses TTP Compromised Windows Host, NjRAT 2024-11-28
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Event Subscription TTP Compromised Windows Host, Living Off The Land 2024-11-28
Windows MOVEit Transfer Writing ASPX Sysmon EventID 11 Exploit Public-Facing Application External Remote Services TTP MOVEit Transfer Critical Vulnerability 2024-10-17
Windows MSExchange Management Mailbox Cmdlet Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell Anomaly BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Windows Mshta Execution In Registry Sysmon EventID 12, Sysmon EventID 13 Mshta TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2024-09-30
Windows MSHTA Writing to World Writable Path Sysmon EventID 11 Mshta TTP APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity 2024-09-30
Windows MSIExec DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MsiExec HideWindow Rundll32 Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec System Binary Proxy Execution TTP Qakbot 2024-09-30
Windows MSIExec Remote Download CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-11-26
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows MSIExec Unregister DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec With Network Connections Sysmon EventID 1, Sysmon EventID 3 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows Multi hop Proxy TOR Website Query Sysmon EventID 22 Mail Protocols Application Layer Protocol Anomaly AgentTesla 2024-09-30
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Deleted Windows Event Log Security 4726 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Disabled Windows Event Log Security 4725 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos Windows Event Log Security 4768 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Invalid Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple NTLM Null Domain Authentications Brute Force Password Spraying TTP Active Directory Password Spraying 2024-09-30
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials Windows Event Log Security 4648 Password Spraying Brute Force TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Host Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate From Process Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Multiple Users Failed To Authenticate Using Kerberos Windows Event Log Security 4771 Password Spraying Brute Force TTP Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Multiple Users Remotely Failed To Authenticate From Host Windows Event Log Security 4625 Password Spraying Brute Force TTP Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Network Share Interaction With Net Sysmon EventID 1 Network Share Discovery Data from Network Shared Drive TTP Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery 2024-11-26
Windows New InProcServer32 Added Sysmon EventID 13 Modify Registry Hunting Outlook RCE CVE-2024-21378 2024-10-17
Windows Ngrok Reverse Proxy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Protocol Tunneling Proxy Web Service Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-09-30
Windows NirSoft AdvancedRun CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Tool TTP Data Destruction, Ransomware, Unusual Processes, WhisperGate 2024-09-30
Windows NirSoft Utilities CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Tool Hunting Data Destruction, WhisperGate 2024-10-17
Windows Njrat Fileless Storage via Registry Sysmon EventID 12, Sysmon EventID 13 Fileless Storage Obfuscated Files or Information TTP NjRAT 2024-09-30
Windows Non Discord App Access Discord LevelDB Windows Event Log Security 4663 Query Registry Anomaly PXA Stealer, Snake Keylogger 2024-09-30
Windows Non-System Account Targeting Lsass Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA23-347A, Credential Dumping 2024-09-30
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf Hunting Living Off The Land 2024-10-17
Windows Odbcconf Load DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf TTP Living Off The Land 2024-09-30
Windows Odbcconf Load Response File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf TTP Living Off The Land 2024-09-30
Windows Office Product Spawning MSDT CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments 2024-11-28
Windows Outlook WebView Registry Modification Sysmon EventID 13 Modify Registry Anomaly Suspicious Windows Registry Activities 2024-09-30
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Exploit Public-Facing Application External Remote Services TTP Compromised Windows Host, PaperCut MF NG Vulnerability 2024-11-28
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Parent PID Spoofing Access Token Manipulation TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Password Managers Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Password Managers Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Phishing Outlook Drop Dll In FORM Dir Sysmon EventID 11 Phishing TTP Outlook RCE CVE-2024-21378 2024-09-30
Windows Phishing PDF File Executes URL Link CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Phishing Anomaly Snake Keylogger, Spearphishing Attachments 2024-09-30
Windows Phishing Recent ISO Exec Registry Sysmon EventID 12, Sysmon EventID 13 Spearphishing Attachment Phishing Hunting AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT 2024-10-17
Windows Possible Credential Dumping Sysmon EventID 10 LSASS Memory OS Credential Dumping TTP CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack 2024-09-30
Windows Post Exploitation Risk Behavior Query Registry System Network Connections Discovery Permission Groups Discovery System Network Configuration Discovery OS Credential Dumping System Information Discovery Clipboard Data Unsecured Credentials Correlation Windows Post-Exploitation 2024-09-30
Windows PowerShell Add Module to Global Assembly Cache Powershell Script Block Logging 4104 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows Powershell Cryptography Namespace Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Anomaly AsyncRAT 2024-09-30
Windows PowerShell Disable HTTP Logging Powershell Script Block Logging 4104 Impair Defenses Disable Windows Event Logging Server Software Component IIS Components TTP IIS Components, Windows Defense Evasion Tactics 2024-09-30
Windows PowerShell Export Certificate Powershell Script Block Logging 4104 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows PowerShell Export PfxCertificate Powershell Script Block Logging 4104 Private Keys Unsecured Credentials Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows PowerShell Get CIMInstance Remote Computer Powershell Script Block Logging 4104 PowerShell Anomaly Active Directory Lateral Movement 2024-09-30
Windows PowerShell IIS Components WebGlobalModule Usage Powershell Script Block Logging 4104 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Disable or Modify Tools Impair Defenses TTP Azorult 2024-09-30
Windows Powershell RemoteSigned File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 PowerShell Command and Scripting Interpreter Anomaly Amadey 2024-09-30
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 Scheduled Task PowerShell Command and Scripting Interpreter Anomaly Scheduled Tasks 2024-09-30
Windows PowerShell WMI Win32 ScheduledJob Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter TTP Active Directory Lateral Movement 2024-09-30
Windows PowerSploit GPP Discovery Powershell Script Block Logging 4104 Unsecured Credentials Group Policy Preferences TTP Active Directory Privilege Escalation 2024-09-30
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 Domain Accounts Permission Groups Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows PowerView Constrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows PowerView Kerberos Service Ticket Request Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, Rhysida Ransomware 2024-09-30
Windows PowerView SPN Discovery Powershell Script Block Logging 4104 Steal or Forge Kerberos Tickets Kerberoasting TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows PowerView Unconstrained Delegation Discovery Powershell Script Block Logging 4104 Remote System Discovery TTP Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware 2024-09-30
Windows Private Keys Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Private Keys Unsecured Credentials Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows Privilege Escalation Suspicious Process Elevation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privilege Escalation System Process Without System Parent CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privilege Escalation User Process Spawn System Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation 2024-11-28
Windows Privileged Group Modification Local Account Domain Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Process Commandline Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Discovery Hunting CISA AA23-347A 2024-10-17
Windows Process Injection In Non-Service SearchIndexer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Qakbot 2024-09-30
Windows Process Injection into Notepad Sysmon EventID 10 Process Injection Portable Executable Injection Anomaly BishopFox Sliver Adversary Emulation Framework 2024-09-30
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 Dynamic-link Library Injection Process Injection TTP Qakbot 2024-09-30
Windows Process Injection Remote Thread Sysmon EventID 8 Process Injection Portable Executable Injection TTP Graceful Wipe Out Attack, Qakbot, Warzone RAT 2024-09-30
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
Windows Process Injection With Public Source Path Sysmon EventID 8 Process Injection Portable Executable Injection Hunting Brute Ratel C4 2024-10-17
Windows Process With NamedPipe CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Anomaly Windows Defense Evasion Tactics 2024-09-30
Windows Process Writing File to World Writable Path Mshta Hunting APT29 Diplomatic Deceptions with WINELOADER 2024-10-17
Windows Processes Killed By Industroyer2 Malware Sysmon EventID 5 Service Stop Anomaly Data Destruction, Industroyer2 2024-09-30
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Protocol Tunneling SSH TTP CISA AA22-257A 2024-09-30
Windows Proxy Via Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Internal Proxy Proxy Anomaly Volt Typhoon 2024-09-30
Windows Proxy Via Registry Sysmon EventID 12, Sysmon EventID 13 Internal Proxy Proxy Anomaly Volt Typhoon 2024-09-30
Windows Query Registry Browser List Application Windows Event Log Security 4663 Query Registry Anomaly RedLine Stealer 2024-09-30
Windows Query Registry Reg Save CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Query Registry Hunting CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Query Registry UnInstall Program List Windows Event Log Security 4663 Query Registry Anomaly Meduza Stealer, RedLine Stealer 2024-11-28
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools TTP Compromised Windows Host, Ransomware 2024-11-28
Windows Rapid Authentication On Multiple Hosts Windows Event Log Security 4624 Security Account Manager TTP Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Dynamic-link Library Injection System Binary Proxy Execution Process Injection TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Raw Access To Disk Volume Partition Sysmon EventID 9 Disk Structure Wipe Disk Wipe Anomaly BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT 2024-09-30
Windows Raw Access To Master Boot Record Drive Sysmon EventID 9 Disk Structure Wipe Disk Wipe TTP BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate 2024-09-30
Windows RDP Connection Successful Windows Event Log RemoteConnectionManager 1149 RDP Hijacking Hunting Active Directory Lateral Movement, BlackByte Ransomware 2024-10-17
Windows RDP File Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Remote Desktop Protocol TTP Spearphishing Attachments 2024-11-21
Windows RDPClient Connection Sequence Events Windows Event Log Microsoft Windows TerminalServices RDPClient 1024 External Remote Services Anomaly Spearphishing Attachments 2024-11-21
Windows Registry BootExecute Modification Sysmon EventID 12, Sysmon EventID 13 Pre-OS Boot Registry Run Keys / Startup Folder TTP Windows BootKits 2024-11-14
Windows Registry Certificate Added Sysmon EventID 12, Sysmon EventID 13 Install Root Certificate Subvert Trust Controls Anomaly Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Registry Delete Task SD Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Impair Defenses Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows Registry Modification for Safe Mode Persistence Sysmon EventID 12, Sysmon EventID 13 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution TTP Ransomware, Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Registry Payload Injection Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Obfuscated Files or Information Fileless Storage TTP Unusual Processes 2024-09-30
Windows Registry SIP Provider Modification Sysmon EventID 12, Sysmon EventID 13 SIP and Trust Provider Hijacking TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Regsvr32 Renamed Binary CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Regsvr32 System Binary Proxy Execution TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Remote Access Software BRC4 Loaded Dll Sysmon EventID 7 Remote Access Software OS Credential Dumping Anomaly Brute Ratel C4 2024-09-30
Windows Remote Access Software Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Access Software Hunting Command And Control, Insider Threat, Ransomware 2024-10-17
Windows Remote Access Software RMS Registry Sysmon EventID 12, Sysmon EventID 13 Remote Access Software TTP Azorult 2024-09-30
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Compromised Windows Host, Unusual Processes 2024-11-28
Windows Remote Create Service CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service Anomaly Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Windows Remote Service Rdpwinst Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services TTP Azorult, Compromised Windows Host 2024-11-28
Windows Remote Services Allow Rdp In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services Anomaly Azorult 2024-09-30
Windows Remote Services Allow Remote Assistance Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services Anomaly Azorult 2024-09-30
Windows Remote Services Rdp Enable Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services TTP Azorult, BlackSuit Ransomware 2024-09-30
Windows Replication Through Removable Media Sysmon EventID 11 Replication Through Removable Media TTP Chaos Ransomware, NjRAT, PlugX 2024-09-30
Windows Root Domain linked policies Discovery Powershell Script Block Logging 4104 Domain Account Account Discovery Anomaly Active Directory Discovery, Data Destruction, Industroyer2 2024-09-30
Windows Rundll32 Apply User Settings Changes CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Rhysida Ransomware 2024-09-30
Windows Rundll32 WebDAV Request CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Over Unencrypted Non-C2 Protocol TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-09-30
Windows Rundll32 WebDav With Network Connection Exfiltration Over Unencrypted Non-C2 Protocol TTP CVE-2023-23397 Outlook Elevation of Privilege 2024-10-17
Windows RunMRU Command Execution Indirect Command Execution Anomaly Lumma Stealer 2024-11-08
Windows Scheduled Task Created Via XML CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern 2024-09-30
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Command and Scripting Interpreter TTP Windows Persistence Techniques 2024-09-30
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks 2024-11-28
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Qakbot, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Windows Screen Capture in TEMP folder Screen Capture TTP Braodo Stealer 2024-09-24
Windows Screen Capture Via Powershell Powershell Script Block Logging 4104 Screen Capture TTP Winter Vivern 2024-09-30
Windows Security Account Manager Stopped CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop TTP Compromised Windows Host, Ryuk Ransomware 2024-11-28
Windows Security Support Provider Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Support Provider Boot or Logon Autostart Execution Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2024-09-30
Windows Server Software Component GACUtil Install to GAC CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows Service Create Kernel Mode Driver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Service Create or Modify System Process Exploitation for Privilege Escalation TTP CISA AA22-320A, Windows Drivers 2024-09-30
Windows Service Create RemComSvc Windows Event Log System 7045 Windows Service Create or Modify System Process Anomaly Active Directory Discovery 2024-09-30
Windows Service Create SliverC2 Windows Event Log System 7045 System Services Service Execution TTP BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host 2024-11-28
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 RDP Hijacking Remote Service Session Hijacking Windows Service TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Windows Service Created with Suspicious Service Path Windows Event Log System 7045 System Services Service Execution TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware 2024-09-30
Windows Service Created Within Public Path Windows Event Log System 7045 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, Snake Malware 2024-09-30
Windows Service Creation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Service Creation Using Registry Entry Sysmon EventID 12, Sysmon EventID 13 Services Registry Permissions Weakness TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows Service Deletion In Registry Sysmon EventID 12, Sysmon EventID 13 Service Stop Anomaly Brute Ratel C4, PlugX 2024-09-30
Windows Service Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Service Stop By Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop TTP Azorult, Graceful Wipe Out Attack 2024-09-30
Windows Service Stop Via Net and SC Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop Anomaly Graceful Wipe Out Attack, Prestige Ransomware 2024-09-30
Windows Service Stop Win Updates Windows Event Log System 7040 Service Stop Anomaly CISA AA23-347A, RedLine Stealer 2024-09-30
Windows SIP Provider Inventory SIP and Trust Provider Hijacking Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2024-10-17
Windows SIP WinVerifyTrust Failed Trust Validation Windows Event Log CAPI2 81 SIP and Trust Provider Hijacking Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Snake Malware File Modification Crmlog Sysmon EventID 11 Obfuscated Files or Information TTP Snake Malware 2024-09-30
Windows Snake Malware Kernel Driver Comadmin Sysmon EventID 11 Kernel Modules and Extensions TTP Snake Malware 2024-09-30
Windows Snake Malware Registry Modification wav OpenWithProgIds Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Snake Malware 2024-09-30
Windows Snake Malware Service Create Windows Event Log System 7045 Kernel Modules and Extensions Service Execution TTP Compromised Windows Host, Snake Malware 2024-11-28
Windows SOAPHound Binary Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain Account Local Groups Domain Trust Discovery Local Account Account Discovery Domain Groups Permission Groups Discovery TTP Compromised Windows Host, Windows Discovery Techniques 2024-11-28
Windows Spearphishing Attachment Connect To None MS Office Domain Sysmon EventID 22 Spearphishing Attachment Phishing Hunting AsyncRAT, Spearphishing Attachments 2024-10-17
Windows Spearphishing Attachment Onenote Spawn Mshta CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Phishing TTP AsyncRAT, Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 Account Discovery SMB/Windows Admin Shares Network Share Discovery TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Windows SQL Spawning CertUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Flax Typhoon 2024-10-17
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 DLL Side-Loading TTP APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Steal Authentication Certificates - ESC1 Abuse Windows Event Log Security 4886, Windows Event Log Security 4887 Steal or Forge Authentication Certificates TTP Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 Steal or Forge Authentication Certificates Use Alternate Authentication Material TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Windows Steal Authentication Certificates Certificate Issued Windows Event Log Security 4887 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Certificate Request Windows Event Log Security 4886 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CertUtil Backup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CryptoAPI Windows Event Log CAPI2 70 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates CS Backup Windows Event Log Security 4876 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export Certificate CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal Authentication Certificates Export PfxCertificate CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Authentication Certificates Anomaly Windows Certificate Services 2024-09-30
Windows Steal or Forge Kerberos Tickets Klist CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Steal or Forge Kerberos Tickets Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows Suspect Process With Authentication Traffic Sysmon EventID 3 Account Discovery Domain Account User Execution Malicious File Anomaly Active Directory Discovery 2024-09-30
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compiled HTML File System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Windows System Discovery Using ldap Nslookup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Anomaly Qakbot 2024-09-30
Windows System Discovery Using Qwinsta CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Qakbot 2024-10-17
Windows System File on Disk Sysmon EventID 11 Exploitation for Privilege Escalation Hunting CISA AA22-264A, Windows Drivers 2024-10-17
Windows System LogOff Commandline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Shutdown/Reboot Anomaly DarkCrystal RAT, NjRAT 2024-09-30
Windows System Network Config Discovery Display DNS CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Configuration Discovery Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows System Network Connections Discovery Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Network Connections Discovery Anomaly Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation 2024-09-30
Windows System Reboot CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Shutdown/Reboot Anomaly DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT 2024-09-30
Windows System Script Proxy Execution Syncappvpublishingserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Script Proxy Execution System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows System Shutdown CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Shutdown/Reboot Anomaly DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools 2024-09-30
Windows System Time Discovery W32tm Delay CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Time Discovery Anomaly DarkCrystal RAT 2024-09-30
Windows System User Discovery Via Quser CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting Prestige Ransomware, Windows Post-Exploitation 2024-10-17
Windows System User Privilege Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Owner/User Discovery Hunting CISA AA23-347A 2024-10-17
Windows Terminating Lsass Process Sysmon EventID 10 Disable or Modify Tools Impair Defenses Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Time Based Evasion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion TTP NjRAT 2024-09-30
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Time Based Evasion Virtualization/Sandbox Evasion Anomaly Snake Keylogger 2024-09-30
Windows UAC Bypass Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism Bypass User Account Control TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows UAC Bypass Suspicious Escalation Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism Bypass User Account Control TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Unsecured Outlook Credentials Access In Registry Windows Event Log Security 4663 Unsecured Credentials Anomaly Meduza Stealer, Snake Keylogger 2024-11-28
Windows Unsigned DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Anomaly NjRAT, Warzone RAT 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP DarkGate Malware, PlugX 2024-09-30
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Boot or Logon Autostart Execution Anomaly APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos Windows Event Log Security 4768 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials Windows Event Log Security 4648 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Auth Using Kerberos Windows Event Log Security 4771 Password Spraying Brute Force Anomaly Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate From Process Windows Event Log Security 4625 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Insider Threat, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Failed To Authenticate Using NTLM Windows Event Log Security 4776 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual Count Of Users Remotely Failed To Auth From Host Windows Event Log Security 4625 Password Spraying Brute Force Anomaly Active Directory Password Spraying, Volt Typhoon 2024-09-30
Windows Unusual NTLM Authentication Destinations By Source Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Destinations By User Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Destination Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows Unusual NTLM Authentication Users By Source Brute Force Password Spraying Anomaly Active Directory Password Spraying 2024-09-30
Windows User Execution Malicious URL Shortcut File Sysmon EventID 11 Malicious File User Execution TTP Chaos Ransomware, NjRAT, Snake Keylogger 2024-09-30
Windows Valid Account With Never Expires Password CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Service Stop TTP Azorult, Compromised Windows Host 2024-11-28
Windows Vulnerable 3CX Software CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compromise Software Supply Chain TTP 3CX Supply Chain Attack 2024-09-30
Windows Vulnerable Driver Installed Windows Event Log System 7045 Windows Service TTP Windows Drivers 2024-09-30
Windows Vulnerable Driver Loaded Sysmon EventID 6 Windows Service Hunting BlackByte Ransomware, Windows Drivers 2024-10-17
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows WinLogon with Public Network Connection Sysmon EventID 1, Sysmon EventID 3 Bootkit Hunting BlackLotus Campaign 2024-10-17
Windows WMI Impersonate Token Sysmon EventID 10 Windows Management Instrumentation Anomaly Qakbot 2024-09-30
Windows WMI Process And Service List CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows WMI Process Call Create CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Hunting CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP CISA AA22-257A, Compromised Windows Host, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern 2024-11-28
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-11-28
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 200 Scheduled Task Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern 2024-10-24
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Compromised Windows Host, Remcos 2024-11-28
WinRAR Spawning Shell Application CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Ingress Tool Transfer TTP Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 2024-11-28
WinRM Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploit Public-Facing Application TTP CISA AA23-347A, Rhysida Ransomware, Unusual Processes 2024-10-17
Winword Spawning Cmd CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, DarkCrystal RAT, Spearphishing Attachments 2024-11-28
Winword Spawning Windows Script Host CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Phishing Spearphishing Attachment TTP CVE-2023-21716 Word RTF Heap Corruption, Compromised Windows Host, Spearphishing Attachments 2024-11-28
WMI Permanent Event Subscription - Sysmon Sysmon EventID 21 Windows Management Instrumentation Event Subscription Event Triggered Execution TTP Suspicious WMI Use 2024-09-30
WMI Recon Running Process Or Services Powershell Script Block Logging 4104 Gather Victim Host Information Anomaly Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Wmic Group Discovery CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Permission Groups Discovery Local Groups Hunting Active Directory Discovery 2024-10-17
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Hunting Azorult, IcedID 2024-10-17
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 XSL Script Processing TTP Compromised Windows Host, Suspicious WMI Use 2024-11-28
Wmiprsve LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Active Directory Lateral Movement 2024-09-30
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Create or Modify System Process Parent PID Spoofing Access Token Manipulation TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-11-26
Wsmprovhost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement, CISA AA24-241A 2024-09-30
WSReset UAC Bypass Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
XMRIG Driver Loaded Sysmon EventID 6 Windows Service Create or Modify System Process TTP CISA AA22-320A, XMRig 2024-09-30
XSL Script Execution With WMIC CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 XSL Script Processing TTP FIN7, Suspicious WMI Use 2024-09-30
Detect hosts connecting to dynamic domain providers Sysmon EventID 22 Drive-by Compromise TTP Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic 2024-09-30
Detect Remote Access Software Usage DNS Sysmon EventID 22 Remote Access Software Anomaly CISA AA24-241A, Command And Control, Insider Threat, Ransomware 2024-09-30
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
DNS Query Length With High Standard Deviation Sysmon EventID 22 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration Over Alternative Protocol Anomaly Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic 2024-09-30
Ngrok Reverse Proxy on Network Sysmon EventID 22 Protocol Tunneling Proxy Web Service Anomaly CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy 2024-09-30
Windows AD Replication Service Traffic OS Credential Dumping DCSync Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows Exchange Autodiscover SSRF Abuse Windows IIS Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Windows IIS Server PSWA Console Access Windows IIS Exploit Public-Facing Application Hunting CISA AA24-241A 2024-10-17