Defense Evasion Detections

Name Data Source Technique Type Analytic Story Date
Okta Authentication Failed During MFA Challenge Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Okta Account Takeover 2024-09-30
Okta Multi-Factor Authentication Disabled Okta Modify Authentication Process Multi-Factor Authentication TTP Okta Account Takeover 2024-09-30
Okta Multiple Failed Requests to Access Applications Okta Web Session Cookie Cloud Service Dashboard Hunting Okta Account Takeover 2024-10-17
Okta New API Token Created Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta Phishing Detection with FastPass Origin Check Okta Valid Accounts Default Accounts Modify Authentication Process TTP Okta Account Takeover 2024-10-17
Okta Risk Threshold Exceeded Okta Valid Accounts Brute Force Correlation Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity 2024-09-30
Okta Successful Single Factor Authentication Okta Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation Anomaly Okta Account Takeover 2024-09-30
Okta Suspicious Activity Reported Okta Valid Accounts Default Accounts TTP Okta Account Takeover 2024-09-30
Okta ThreatInsight Threat Detected Okta Valid Accounts Cloud Accounts Anomaly Okta Account Takeover 2024-09-30
PingID Mismatch Auth Source and Verification Response PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID Multiple Failed MFA Requests For User PingID Multi-Factor Authentication Request Generation Valid Accounts Brute Force TTP Compromised User Account 2024-09-30
PingID New MFA Method After Credential Reset PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
PingID New MFA Method Registered For User PingID Multi-Factor Authentication Request Generation Multi-Factor Authentication Device Registration TTP Compromised User Account 2024-09-30
Splunk Edit User Privilege Escalation Splunk Abuse Elevation Control Mechanism Hunting Splunk Vulnerabilities 2024-10-17
Splunk Enterprise KV Store Incorrect Authorization Splunk Abuse Elevation Control Mechanism Hunting Splunk Vulnerabilities 2024-10-17
Splunk HTTP Response Splitting Via Rest SPL Command Splunk HTML Smuggling Hunting Splunk Vulnerabilities 2024-10-17
Splunk Process Injection Forwarder Bundle Downloads Splunk Process Injection Hunting Splunk Vulnerabilities 2024-10-17
Splunk RBAC Bypass On Indexing Preview REST Endpoint Splunk Access Token Manipulation Hunting Splunk Vulnerabilities 2024-10-17
Splunk risky Command Abuse disclosed february 2023 Splunk Abuse Elevation Control Mechanism Indirect Command Execution Hunting Splunk Vulnerabilities 2024-10-17
Splunk Unauthorized Notification Input by User Splunk Abuse Elevation Control Mechanism Hunting Splunk Vulnerabilities 2024-10-17
Splunk User Enumeration Attempt Splunk Valid Accounts TTP Splunk Vulnerabilities 2024-10-16
Windows AD Dangerous Deny ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous Group ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Dangerous User ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DCShadow Privileges ACL Addition Domain or Tenant Policy Modification Rogue Domain Controller Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Deletion Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Root ACL Modification Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Deleted Disable or Modify Tools Group Policy Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO Disabled Disable or Modify Tools Group Policy Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD GPO New CSE Addition Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Hidden OU Creation Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Object Owner Updated Domain or Tenant Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Self DACL Assignment Domain or Tenant Policy Modification Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious Attribute Modification Use Alternate Authentication Material File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Suspicious GPO Modification Domain or Tenant Policy Modification Group Policy Modification File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows Increase in Group or Object Modification Activity Windows Event Log Security 4663 Account Manipulation Impair Defenses TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Increase in User Modification Activity Windows Event Log Security 4720 Account Manipulation Impair Defenses TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Abnormally High Number Of Cloud Infrastructure API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Compromised User Account, Suspicious Cloud User Activities 2024-10-17
Abnormally High Number Of Cloud Instances Destroyed AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Instances Launched AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining, Suspicious Cloud Instance Activities 2024-10-22
Abnormally High Number Of Cloud Security Group API Calls AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
ASL AWS Defense Evasion Delete Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Delete CloudWatch Log Group Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Impair Security Services Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
ASL AWS Defense Evasion Stop Logging Cloudtrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
ASL AWS Defense Evasion Update Cloudtrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
ASL AWS Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
ASL AWS New MFA Method Registered For User Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-10-17
AWS Create Policy Version to allow all resources AWS CloudTrail CreatePolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS Defense Evasion Delete Cloudtrail AWS CloudTrail DeleteTrail Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Delete CloudWatch Log Group AWS CloudTrail DeleteLogGroup Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Impair Security Services AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL Disable or Modify Cloud Logs Impair Defenses Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion PutBucketLifecycle AWS CloudTrail PutBucketLifecycle Disable or Modify Cloud Logs Impair Defenses Lifecycle-Triggered Deletion Data Destruction Hunting AWS Defense Evasion 2024-10-17
AWS Defense Evasion Stop Logging Cloudtrail AWS CloudTrail StopLogging Disable or Modify Cloud Logs Impair Defenses TTP AWS Defense Evasion 2024-09-30
AWS Defense Evasion Update Cloudtrail AWS CloudTrail UpdateTrail Impair Defenses Disable or Modify Cloud Logs TTP AWS Defense Evasion 2024-09-30
aws detect attach to role policy Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect permanent key creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect role creation Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts assume role abuse Valid Accounts Hunting AWS Cross Account Activity 2024-10-17
aws detect sts get session token abuse Use Alternate Authentication Material Hunting AWS Cross Account Activity 2024-10-17
AWS Multi-Factor Authentication Disabled AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS Network Access Control List Created with All Open Ports AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses TTP AWS Network ACL Activity 2024-09-30
AWS Network Access Control List Deleted AWS CloudTrail DeleteNetworkAclEntry Disable or Modify Cloud Firewall Impair Defenses Anomaly AWS Network ACL Activity 2024-09-30
AWS New MFA Method Registered For User AWS CloudTrail CreateVirtualMFADevice Modify Authentication Process Multi-Factor Authentication TTP AWS Identity and Access Management Account Takeover 2024-09-30
AWS SAML Access by Provider User and Principal AWS CloudTrail AssumeRoleWithSAML Valid Accounts Anomaly Cloud Federated Credential Abuse 2024-09-30
AWS SAML Update identity provider AWS CloudTrail UpdateSAMLProvider Valid Accounts TTP Cloud Federated Credential Abuse 2024-09-30
AWS SetDefaultPolicyVersion AWS CloudTrail SetDefaultPolicyVersion Cloud Accounts Valid Accounts TTP AWS IAM Privilege Escalation 2024-09-30
AWS Successful Console Authentication From Multiple IPs AWS CloudTrail ConsoleLogin Compromise Accounts Unused/Unsupported Cloud Regions Anomaly Compromised User Account, Suspicious AWS Login Activities 2024-09-30
AWS Successful Single-Factor Authentication AWS CloudTrail ConsoleLogin Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP AWS Identity and Access Management Account Takeover 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Block User Consent For Risky Apps Disabled Azure Active Directory Update authorization policy Impair Defenses TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity Valid Accounts Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered For User Azure Active Directory User registered security info Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity Cloud Accounts TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Successful PowerShell Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Successful Single-Factor Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook Valid Accounts Cloud Accounts TTP Azure Active Directory Persistence 2024-09-30
Cloud API Calls From Previously Unseen User Roles AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud User Activities 2024-10-17
Cloud Compute Instance Created By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Cloud Cryptomining 2024-10-17
Cloud Compute Instance Created In Previously Unused Region AWS CloudTrail Unused/Unsupported Cloud Regions Anomaly Cloud Cryptomining 2024-10-17
Cloud Instance Modified By Previously Unseen User AWS CloudTrail Cloud Accounts Valid Accounts Anomaly Suspicious Cloud Instance Activities 2024-10-17
Cloud Provisioning Activity From Previously Unseen City AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Country AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen IP Address AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Provisioning Activity From Previously Unseen Region AWS CloudTrail Valid Accounts Anomaly Suspicious Cloud Provisioning Activities 2024-09-30
Cloud Security Groups Modifications by User AWS CloudTrail Modify Cloud Compute Configurations Anomaly Suspicious Cloud User Activities 2024-09-30
Detect AWS Console Login by User from New City AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Country AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
Detect AWS Console Login by User from New Region AWS CloudTrail Compromise Accounts Cloud Accounts Unused/Unsupported Cloud Regions Hunting AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities 2024-10-17
GCP Authentication Failed During MFA Challenge Google Workspace login_failure Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP GCP Account Takeover 2024-09-30
GCP Detect gcploit framework Valid Accounts TTP GCP Cross Account Activity 2024-10-17
GCP Multi-Factor Authentication Disabled Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP GCP Account Takeover 2024-09-30
GCP Multiple Failed MFA Requests For User Google Workspace login_failure Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
GCP Successful Single-Factor Authentication Google Workspace login_success Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP GCP Account Takeover 2024-09-30
O365 Advanced Audit Disabled O365 Change user license. Impair Defenses Disable or Modify Cloud Logs TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Block User Consent For Risky Apps Disabled O365 Update authorization policy. Impair Defenses TTP Office 365 Account Takeover 2024-09-30
O365 Bypass MFA via Trusted IP O365 Set Company Information. Disable or Modify Cloud Firewall Impair Defenses TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Cross-Tenant Access Change Trust Modification TTP Azure Active Directory Persistence 2024-09-30
O365 Disable MFA O365 Disable Strong Authentication. Modify Authentication Process TTP Office 365 Persistence Mechanisms 2024-09-30
O365 Email Security Feature Changed Impair Defenses Disable or Modify Cloud Logs Disable or Modify Tools TTP Office 365 Account Takeover, Office 365 Persistence Mechanisms 2024-09-30
O365 Excessive SSO logon errors O365 UserLoginFailed Modify Authentication Process Anomaly Cloud Federated Credential Abuse, Office 365 Account Takeover 2024-09-30
O365 Multiple AppIDs and UserAgents Authentication Spike O365 UserLoggedIn, O365 UserLoginFailed Valid Accounts Anomaly Office 365 Account Takeover 2024-09-30
O365 Security And Compliance Alert Triggered Valid Accounts Cloud Accounts TTP Office 365 Account Takeover 2024-09-30
Abnormally High AWS Instances Launched by User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Launched by User - MLTK Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
Abnormally High AWS Instances Terminated by User - MLTK Cloud Accounts Anomaly Suspicious AWS EC2 Activities 2024-10-17
ASL AWS CreateAccessKey Valid Accounts Hunting AWS IAM Privilege Escalation 2024-10-17
AWS Cloud Provisioning From Previously Unseen City Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Country Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
AWS Cloud Provisioning From Previously Unseen Region Unused/Unsupported Cloud Regions Anomaly AWS Suspicious Provisioning Activities 2024-10-17
Detect Activity Related to Pass the Hash Attacks Windows Event Log Security 4624 Use Alternate Authentication Material Pass the Hash Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Detect AWS API Activities From Unapproved Accounts Cloud Accounts Hunting AWS User Monitoring 2024-10-17
Detect new API calls from user roles Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect new user AWS Console Login Cloud Accounts Hunting Suspicious AWS Login Activities 2024-10-17
Detect Spike in AWS API Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
Detect Spike in Network ACL Activity Disable or Modify Cloud Firewall Anomaly AWS Network ACL Activity 2024-10-17
Detect Spike in Security Group Activity Cloud Accounts Anomaly AWS User Monitoring 2024-10-17
EC2 Instance Modified With Previously Unseen User Cloud Accounts Anomaly Unusual AWS EC2 Modifications 2024-10-17
EC2 Instance Started In Previously Unseen Region Unused/Unsupported Cloud Regions Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
EC2 Instance Started With Previously Unseen User Cloud Accounts Anomaly AWS Cryptomining, Suspicious AWS EC2 Activities 2024-10-17
Execution of File With Spaces Before Extension Sysmon EventID 1 Rename System Utilities TTP Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-10-17
GCP Detect accounts with high risk roles by project Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
GCP Detect high risk permissions by resource and account Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
gcp detect oauth token abuse Valid Accounts Hunting GCP Cross Account Activity 2024-10-17
Identify New User Accounts Domain Accounts Hunting N/A 2024-10-17
Multiple Okta Users With Invalid Credentials From The Same IP Password Spraying Valid Accounts Default Accounts TTP Suspicious Okta Activity 2024-10-17
Okta Account Lockout Events Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta Failed SSO Attempts Valid Accounts Default Accounts Anomaly Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Login Failure with High Unknown users Valid Accounts Default Accounts Credential Stuffing TTP Suspicious Okta Activity 2024-10-17
Okta ThreatInsight Suspected PasswordSpray Attack Valid Accounts Default Accounts Password Spraying TTP Suspicious Okta Activity 2024-10-17
Processes created by netsh Sysmon EventID 1 Disable or Modify System Firewall TTP Netsh Abuse 2024-10-17
Reg exe used to hide files directories via registry keys Sysmon EventID 1 Hidden Files and Directories TTP Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-10-17
Suspicious Rundll32 Rename Sysmon EventID 1 System Binary Proxy Execution Masquerading Rundll32 Rename System Utilities Hunting Masquerading - Rename System Utilities, Suspicious Rundll32 Activity 2024-10-17
Suspicious writes to System Volume Information Sysmon EventID 1 Masquerading Hunting Collection and Staging 2024-10-17
Web Fraud - Anomalous User Clickspeed Valid Accounts Anomaly Web Fraud Detection 2024-10-17
Windows DLL Search Order Hijacking Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Search Order Hijacking Hijack Execution Flow Hunting Living Off The Land, Windows Defense Evasion Tactics 2024-10-17
Active Directory Privilege Escalation Identified Domain or Tenant Policy Modification Correlation Active Directory Privilege Escalation 2024-09-30
Add or Set Windows Defender Exclusion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP AgentTesla, CISA AA22-320A, Compromised Windows Host, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics 2024-11-28
Allow File And Printing Sharing In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Cloud Firewall Impair Defenses TTP BlackByte Ransomware, Ransomware 2024-09-30
Allow Network Discovery In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Cloud Firewall Impair Defenses TTP BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware 2024-09-30
Allow Operation with Consent Admin Sysmon EventID 12, Sysmon EventID 13 Abuse Elevation Control Mechanism TTP Azorult, MoonPeak, Ransomware, Windows Registry Abuse 2024-11-14
Attacker Tools On Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Match Legitimate Name or Location Masquerading OS Credential Dumping Active Scanning TTP CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig 2024-11-28
Attempt To Add Certificate To Untrusted Store CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Install Root Certificate Subvert Trust Controls TTP Disabling Security Tools 2024-09-30
Attempt To Stop Security Service CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate 2024-09-30
BITS Job Persistence CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs TTP BITS Jobs, Living Off The Land 2024-09-30
BITSAdmin Download File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs Ingress Tool Transfer TTP BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land 2024-09-30
CertUtil With Decode Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Deobfuscate/Decode Files or Information TTP APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land 2024-09-30
Clear Unallocated Sector Using Cipher App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File Deletion Indicator Removal TTP Compromised Windows Host, Ransomware 2024-11-28
CMLUA Or CMSTPLUA UAC Bypass Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT 2024-09-30
Cobalt Strike Named Pipes Sysmon EventID 17, Sysmon EventID 18 Process Injection TTP BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot 2024-09-30
Control Loading from World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Control Panel TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 2024-11-28
Create or delete windows shares using net exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Network Share Connection Removal TTP CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Create Remote Thread In Shell Application Sysmon EventID 8 Process Injection TTP IcedID, Qakbot, Warzone RAT 2024-11-26
CSC Net On The Fly Compilation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compile After Delivery Obfuscated Files or Information Hunting Windows Defense Evasion Tactics 2024-10-17
Detect Excessive Account Lockouts From Endpoint Valid Accounts Domain Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect Excessive User Account Lockouts Valid Accounts Local Accounts Anomaly Active Directory Password Spraying 2024-09-30
Detect HTML Help Renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File Hunting Living Off The Land, Suspicious Compiled HTML Activity 2024-10-17
Detect HTML Help Spawn Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP AgentTesla, Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect HTML Help Using InfoTech Storage Handlers CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Compiled HTML File TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Detect mshta inline hta execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity 2024-11-28
Detect mshta renamed CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta Hunting Living Off The Land, Suspicious MSHTA Activity 2024-10-17
Detect MSHTA Url in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Compromised Windows Host, Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-11-28
Detect Path Interception By Creation Of program exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Path Interception by Unquoted Path Hijack Execution Flow TTP Windows Persistence Techniques 2024-09-30
Detect Regasm Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Compromised Windows Host, DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regasm with Network Connection Sysmon EventID 3 System Binary Proxy Execution Regsvcs/Regasm TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regasm with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Compromised Windows Host, Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-11-28
Detect Regsvcs with Network Connection Sysmon EventID 3 System Binary Proxy Execution Regsvcs/Regasm TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvcs with No Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvcs/Regasm TTP Living Off The Land, Suspicious Regsvcs Regasm Activity 2024-09-30
Detect Regsvr32 Application Control Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity 2024-11-28
Detect RTLO In File Name Sysmon EventID 11 Right-to-Left Override Masquerading TTP Spearphishing Attachments 2024-09-30
Detect RTLO In Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Right-to-Left Override Masquerading TTP Spearphishing Attachments 2024-09-30
Detect Rundll32 Application Control Bypass - advpack CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - setupapi CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Application Control Bypass - syssetup CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Suspicious Rundll32 Activity 2024-11-28
Detect Rundll32 Inline HTA Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity 2024-09-30
Disable AMSI Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Defender AntiVirus Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA24-241A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender BlockAtFirstSeen Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender Enhanced Notification Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable Defender MpEngine Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP IcedID, Windows Registry Abuse 2024-10-04
Disable Defender Spynet Reporting Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse 2024-11-14
Disable Defender Submit Samples Consent Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse 2024-11-14
Disable ETW Through Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Ransomware, Windows Registry Abuse 2024-11-14
Disable Logs Using WevtUtil CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Clear Windows Event Logs TTP CISA AA23-347A, Ransomware, Rhysida Ransomware 2024-11-26
Disable Registry Tool Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Schedule Task CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP IcedID, Living Off The Land 2024-09-30
Disable Security Logs Using MiniNt Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Show Hidden Files Sysmon EventID 12, Sysmon EventID 13 Hidden Files and Directories Disable or Modify Tools Hide Artifacts Impair Defenses Modify Registry Anomaly Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable UAC Remote Restriction Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows App Hotkeys Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Registry Abuse, XMRig 2024-11-14
Disable Windows Behavior Monitoring Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disable Windows SmartScreen Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling CMD Application Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling ControlPanel Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Defender Services Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP IcedID, RedLine Stealer, Windows Registry Abuse 2024-11-14
Disabling Firewall with Netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly BlackByte Ransomware, Windows Defense Evasion Tactics 2024-09-30
Disabling FolderOptions Windows Feature Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling NoRun Windows App Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Modify Registry TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Remote User Account Control Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Disabling Task Manager Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Disabling Windows Local Security Authority Defences via Registry Sysmon EventID 1, Sysmon EventID 13 Modify Authentication Process TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
DLLHost with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-10-17
Enable WDigest UseLogonCredential Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry OS Credential Dumping TTP CISA AA22-320A, Credential Dumping, Windows Registry Abuse 2024-11-14
ETW Registry Disabled Sysmon EventID 12, Sysmon EventID 13 Indicator Blocking Trusted Developer Utilities Proxy Execution Impair Defenses TTP CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-11-14
Eventvwr UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Excessive number of service control start as disabled CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly Windows Defense Evasion Tactics 2024-09-30
Excessive Usage Of Cacls App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Anomaly Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig 2024-09-30
Excessive Usage Of Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Anomaly AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig 2024-09-30
Executables Or Script Creation In Suspicious Path Sysmon EventID 11 Masquerading Anomaly AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-11-28
Execution of File with Multiple Extensions CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities TTP AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse 2024-09-30
Firewall Allowed Program Enable CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses Anomaly Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics 2024-09-30
FodHelper UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, IcedID, ValleyRAT, Windows Defense Evasion Tactics 2024-11-28
Fsutil Zeroing File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP LockBit Ransomware, Ransomware 2024-09-30
GPUpdate with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Headless Browser Mockbin or Mocky Request CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window TTP Forest Blizzard 2024-09-30
Headless Browser Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window Hunting Forest Blizzard 2024-10-17
Hide User Account From Sign-In Screen Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, Warzone RAT, Windows Registry Abuse, XMRig 2024-11-14
Hiding Files And Directories With Attrib exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Azorult, Compromised Windows Host, Windows Defense Evasion Tactics, Windows Persistence Techniques 2024-11-28
Icacls Deny Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Azorult, Compromised Windows Host, Sandworm Tools, XMRig 2024-11-28
ICACLS Grant Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Ransomware, XMRig 2024-09-30
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks 2024-09-30
Linux Account Manipulation Of SSH Config and Keys Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidRain 2024-09-30
Linux apt-get Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux APT Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Auditd Base64 Decode Files Linux Auditd Execve Deobfuscate/Decode Files or Information Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Change File Owner To Root Linux Auditd Proctitle Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Auditd Disable Or Modify System Firewall Linux Auditd Service Stop Disable or Modify System Firewall Impair Defenses Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Conf File Creation Linux Auditd Path Sudo and Sudo Caching Abuse Elevation Control Mechanism TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Doas Tool Execution Linux Auditd Syscall Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd File Permission Modification Via Chmod Linux Auditd Proctitle Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-12-02
Linux Auditd File Permissions Modification Via Chattr Linux Auditd Execve Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Kernel Module Enumeration Linux Auditd Syscall System Information Discovery Rootkit Anomaly Compromised Linux Host, Linux Rootkit 2024-09-30
Linux Auditd Nopasswd Entry In Sudoers File Linux Auditd Proctitle Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Possible Access To Sudoers File Linux Auditd Path Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Preload Hijack Library Calls Linux Auditd Execve Dynamic Linker Hijacking Hijack Execution Flow TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Preload Hijack Via Preload File Linux Auditd Path Dynamic Linker Hijacking Hijack Execution Flow TTP Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Chmod Utility Linux Auditd Proctitle Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Setuid Using Setcap Utility Linux Auditd Execve Setuid and Setgid Abuse Elevation Control Mechanism TTP Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Auditd Sudo Or Su Execution Linux Auditd Proctitle Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux AWK Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Busybox Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c89 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux c99 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Change File Owner To Root Sysmon for Linux EventID 1 Linux and Mac File and Directory Permissions Modification File and Directory Permissions Modification Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Common Process For Elevation Control Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Composer Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Cpulimit Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Csvtool Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Decode Base64 to Shell Sysmon for Linux EventID 1 Obfuscated Files or Information Unix Shell TTP Linux Living Off The Land 2024-09-30
Linux Deletion Of Cron Jobs Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Init Daemon Script Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, AcidRain, Data Destruction 2024-09-30
Linux Deletion Of Services Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, AcidRain, AwfulShred, Data Destruction 2024-09-30
Linux Deletion of SSL Certificate Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidPour, AcidRain 2024-09-30
Linux Doas Conf File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Doas Tool Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Docker Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Emacs Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Find Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux High Frequency Of File Deletion In Boot Folder Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal TTP AcidPour, Data Destruction, Industroyer2 2024-09-30
Linux High Frequency Of File Deletion In Etc Folder Sysmon for Linux EventID 11 Data Destruction File Deletion Indicator Removal Anomaly AcidRain, Data Destruction 2024-09-30
Linux Impair Defenses Process Kill Sysmon for Linux EventID 1 Disable or Modify Tools Impair Defenses Hunting AwfulShred, Data Destruction 2024-10-17
Linux Indicator Removal Clear Cache Sysmon for Linux EventID 1 Indicator Removal TTP AwfulShred, Data Destruction 2024-09-30
Linux Indicator Removal Service File Deletion Sysmon for Linux EventID 1 File Deletion Indicator Removal Anomaly AwfulShred, Data Destruction 2024-09-30
Linux Iptables Firewall Modification Sysmon for Linux EventID 1 Disable or Modify System Firewall Impair Defenses Anomaly Cyclops Blink, Sandworm Tools 2024-09-30
Linux Kernel Module Enumeration Sysmon for Linux EventID 1 System Information Discovery Rootkit Anomaly Linux Rootkit 2024-09-30
Linux Kworker Process In Writable Process Path Sysmon for Linux EventID 1 Masquerade Task or Service Masquerading Hunting Cyclops Blink, Sandworm Tools 2024-10-17
Linux Make Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Node Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux NOPASSWD Entry In Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Obfuscated Files or Information Base64 Decode Sysmon for Linux EventID 1 Obfuscated Files or Information Anomaly Linux Living Off The Land 2024-09-30
Linux Octave Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux OpenVPN Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Correlation Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux PHP Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 Dynamic Linker Hijacking Hijack Execution Flow TTP Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Puppet Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux RPM Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Setuid Using Chmod Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Stdout Redirection To Dev Null File Sysmon for Linux EventID 1 Disable or Modify System Firewall Impair Defenses Anomaly Cyclops Blink, Data Destruction, Industroyer2 2024-10-17
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Sudoers Tmp File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Visudo Utility Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Loading Of Dynwrapx Module Sysmon EventID 7 Process Injection Dynamic-link Library Injection TTP AsyncRAT, Remcos 2024-09-30
LOLBAS With Network Traffic Sysmon EventID 3 Ingress Tool Transfer Exfiltration Over Web Service System Binary Proxy Execution TTP Living Off The Land 2024-09-30
MacOS plutil osquery Plist File Modification TTP Living Off The Land 2024-09-30
Malicious InProcServer32 Modification Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Regsvr32 Modify Registry TTP Remcos, Suspicious Regsvr32 Activity 2024-09-30
Malicious PowerShell Process - Encoded Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Obfuscated Files or Information Hunting CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate 2024-10-17
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools 2024-09-30
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model MMC TTP Active Directory Lateral Movement, Living Off The Land 2024-09-30
Modify ACL permission To Files Or Folder CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification Anomaly XMRig 2024-09-30
MSBuild Suspicious Spawned By Script Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 MSBuild Trusted Developer Utilities Proxy Execution TTP Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Mshta spawning Rundll32 OR Regsvr32 Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP IcedID, Living Off The Land, Trickbot 2024-09-30
MSI Module Loaded by Non-System Binary Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Msmpeng Application DLL Side Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Ransomware, Revil Ransomware 2024-09-30
NET Profiler UAC bypass Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics 2024-09-30
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BishopFox Sliver Adversary Emulation Framework 2024-09-30
Permission Modification using Takeown App CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File and Directory Permissions Modification TTP Ransomware, Sandworm Tools 2024-09-30
Ping Sleep Batch Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion Anomaly BlackByte Ransomware, Data Destruction, Meduza Stealer, Warzone RAT, WhisperGate 2024-11-28
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task Windows Service PowerShell MMC TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Powershell Creating Thread Mutex Powershell Script Block Logging 4104 Obfuscated Files or Information Indicator Removal from Tools PowerShell TTP Malicious PowerShell 2024-09-30
Powershell Disable Security Monitoring CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA24-241A, Ransomware, Revil Ransomware 2024-11-26
Powershell Enable SMB1Protocol Feature Powershell Script Block Logging 4104 Obfuscated Files or Information Indicator Removal from Tools TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 Command and Scripting Interpreter Process Injection PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Powershell Fileless Script Contains Base64 Encoded Content Powershell Script Block Logging 4104 Command and Scripting Interpreter Obfuscated Files or Information PowerShell TTP AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern 2024-09-30
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 Process Injection TTP Trickbot 2024-09-30
Powershell Remove Windows Defender Directory Powershell Script Block Logging 4104 Disable or Modify Tools Impair Defenses TTP Data Destruction, WhisperGate 2024-09-30
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs TTP BITS Jobs, Gozi Malware 2024-09-30
PowerShell WebRequest Using Memory Stream Powershell Script Block Logging 4104 PowerShell Ingress Tool Transfer Fileless Storage TTP Malicious PowerShell, MoonPeak 2024-09-30
Powershell Windows Defender Exclusion Commands Powershell Script Block Logging 4104 Disable or Modify Tools Impair Defenses TTP AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics 2024-09-30
Process Deleting Its Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP Clop Ransomware, Data Destruction, Remcos, WhisperGate 2024-09-30
Process Kill Base On File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP XMRig 2024-09-30
Processes launching netsh CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses Anomaly Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon 2024-09-30
Recursive Delete of Directory In Batch CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 File Deletion Indicator Removal TTP Ransomware 2024-09-30
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Services Registry Permissions Weakness Hijack Execution Flow TTP Living Off The Land, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Regsvr32 Silent and Install Param Dll Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 Anomaly AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Regsvr32 with Known Silent Switch Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 Anomaly AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity 2024-09-30
Remcos client registry install entry CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Modify Registry TTP Remcos, Windows Registry Abuse 2024-09-30
Revil Registry Entry CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Modify Registry TTP Ransomware, Revil Ransomware, Windows Registry Abuse 2024-09-30
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket Steal or Forge Kerberos Tickets Kerberoasting AS-REP Roasting TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Access Token Manipulation Token Impersonation/Theft Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Rundll32 Control RunDLL Hunt CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 Hunting Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-10-17
Rundll32 Control RunDLL World Writable Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Compromised Windows Host, Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity 2024-11-28
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Rundll32 DNSQuery Sysmon EventID 22 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 LockWorkStation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 Anomaly Ransomware 2024-09-30
Rundll32 Process Creating Exe Dll Files Sysmon EventID 11 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Rundll32 Shimcache Flush CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry TTP Compromised Windows Host, Living Off The Land, Unusual Processes 2024-11-28
Rundll32 with no Command Line Arguments with Network Sysmon EventID 1, Sysmon EventID 3 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-11-28
RunDLL Loading DLL By Ordinal CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes 2024-09-30
Sdclt UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Sdelete Application Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Data Destruction File Deletion Indicator Removal TTP Masquerading - Rename System Utilities 2024-09-30
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Services Escalate Exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack 2024-11-28
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 Local Account Create Account Local Accounts TTP Active Directory Lateral Movement 2024-11-14
SilentCleanup UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
SLUI Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Compromised Windows Host, DarkSide Ransomware, Windows Defense Evasion Tactics 2024-11-28
Suspicious Computer Account Name Change Windows Event Log Security 4781 Valid Accounts Domain Accounts TTP Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation 2024-11-28
Suspicious Copy on System32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Rename System Utilities Masquerading TTP AsyncRAT, Compromised Windows Host, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon 2024-11-28
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Event Log Service Behavior Windows Event Log Security 1100 Indicator Removal Clear Windows Event Logs Hunting Clop Ransomware, Ransomware, Windows Log Manipulation 2024-10-17
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious IcedID Rundll32 Cmdline CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land 2024-09-30
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 Valid Accounts Domain Accounts TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious microsoft workflow compiler rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution 2024-10-17
Suspicious microsoft workflow compiler usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Trusted Developer Utilities Proxy Execution TTP Living Off The Land, Trusted Developer Utilities Proxy Execution 2024-09-30
Suspicious msbuild path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities MSBuild TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious MSBuild Rename CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Trusted Developer Utilities Proxy Execution Rename System Utilities MSBuild Hunting BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild 2024-10-17
Suspicious MSBuild Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Trusted Developer Utilities Proxy Execution MSBuild TTP Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild 2024-09-30
Suspicious mshta child process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, Lumma Stealer, Suspicious MSHTA Activity 2024-09-30
Suspicious mshta spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Mshta TTP Living Off The Land, Suspicious MSHTA Activity 2024-09-30
Suspicious Process Executed From Container File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Malicious File Masquerade File Type TTP Amadey, Remcos, Snake Keylogger, Unusual Processes 2024-09-30
Suspicious Reg exe Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Anomaly DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics 2024-09-30
Suspicious Regsvr32 Register Suspicious Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Regsvr32 TTP IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity 2024-09-30
Suspicious Rundll32 dllregisterserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID, Living Off The Land, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity 2024-09-30
Suspicious Rundll32 PluginInit CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP IcedID 2024-09-30
Suspicious Rundll32 StartW CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot 2024-09-30
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 Valid Accounts Domain Accounts Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
Suspicious wevtutil Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Clear Windows Event Logs Indicator Removal TTP CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation 2024-09-30
Suspicious writes to windows Recycle Bin Sysmon EventID 1, Sysmon EventID 11 Masquerading TTP Collection and Staging, PlugX 2024-09-30
System Processes Run From Unexpected Locations CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities Anomaly DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 Process Injection TTP Trickbot 2024-09-30
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 Bypass User Account Control Abuse Elevation Control Mechanism MMC TTP Windows Defense Evasion Tactics 2024-09-30
UAC Bypass With Colorui COM Object Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP LockBit Ransomware, Ransomware 2024-09-30
Uninstall App Using MsiExec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec System Binary Proxy Execution TTP Ransomware 2024-09-30
Unknown Process Using The Kerberos Protocol Sysmon EventID 1, Sysmon EventID 3 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Unload Sysmon Filter Driver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Disabling Security Tools 2024-09-30
Unloading AMSI via Reflection Powershell Script Block Logging 4104 Impair Defenses PowerShell Command and Scripting Interpreter TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 Valid Accounts Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 Valid Accounts Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
USN Journal Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal TTP Ransomware, Windows Log Manipulation 2024-09-30
Verclsid CLSID Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Verclsid System Binary Proxy Execution Hunting Unusual Processes 2024-10-17
Wbemprox COM Object Execution Sysmon EventID 7 System Binary Proxy Execution CMSTP TTP LockBit Ransomware, Ransomware, Revil Ransomware 2024-09-30
Wermgr Process Create Executable File Sysmon EventID 11 Obfuscated Files or Information TTP Trickbot 2024-09-30
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 Create Process with Token Access Token Manipulation Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, Meduza Stealer, PlugX, ValleyRAT 2024-11-28
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Hunting Brute Ratel C4 2024-10-17
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Anomaly Brute Ratel C4 2024-09-30
Windows AD Cross Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Controller Audit Policy Disabled Windows Event Log Security 4719 Disable or Modify Tools TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Controller Promotion Windows Event Log Security 4742 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Domain Replication ACL Addition Domain or Tenant Policy Modification TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Privileged Account SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Same Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques 2024-11-28
Windows AD Short Lived Domain Controller SPN Attribute Windows Event Log Security 4624, Windows Event Log Security 5136 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD Short Lived Server Object Windows Event Log Security 5137, Windows Event Log Security 5141 Rogue Domain Controller TTP Compromised Windows Host, Sneaky Active Directory Persistence Tricks 2024-11-28
Windows AD SID History Attribute Modified Windows Event Log Security 5136 Access Token Manipulation SID-History Injection TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Group Policy Object Created Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Alternate DataStream - Base64 Content Sysmon EventID 15 Hide Artifacts NTFS File Attributes TTP Windows Defense Evasion Tactics 2024-09-30
Windows Alternate DataStream - Executable Content Sysmon EventID 15 Hide Artifacts NTFS File Attributes TTP Windows Defense Evasion Tactics 2024-09-30
Windows Alternate DataStream - Process Execution Sysmon EventID 1, Windows Event Log Security 4688 Hide Artifacts NTFS File Attributes TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows AppLocker Block Events System Binary Proxy Execution Anomaly Windows AppLocker 2024-09-30
Windows AppLocker Execution from Uncommon Locations System Binary Proxy Execution Hunting Windows AppLocker 2024-10-17
Windows AppLocker Privilege Escalation via Unauthorized Bypass System Binary Proxy Execution TTP Windows AppLocker 2024-09-30
Windows AppLocker Rare Application Launch Detection System Binary Proxy Execution Hunting Windows AppLocker 2024-10-17
Windows Binary Proxy Execution Mavinject DLL Injection CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Mavinject System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows BitLockerToGo Process Execution System Binary Proxy Execution Hunting Lumma Stealer 2024-11-13
Windows BitLockerToGo with Network Activity System Binary Proxy Execution Hunting Lumma Stealer 2024-11-13
Windows BootLoader Inventory System Firmware Pre-OS Boot Hunting BlackLotus Campaign, Windows BootKits 2024-10-17
Windows Bypass UAC via Pkgmgr Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Anomaly Warzone RAT 2024-09-30
Windows Command Shell Fetch Env Variables CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Qakbot 2024-09-30
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification System Network Connections Discovery System Owner/User Discovery System Shutdown/Reboot System Network Configuration Discovery Command and Scripting Interpreter Correlation Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation 2024-09-30
Windows ConHost with Headless Argument CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Hidden Window Run Virtual Instance TTP Compromised Windows Host, Spearphishing Attachments 2024-11-28
Windows Debugger Tool Execution Masquerading Hunting DarkGate Malware, PlugX 2024-10-17
Windows Default Group Policy Object Modified Windows Event Log Security 5136 Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Default Group Policy Object Modified with GPME CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Defender ASR Registry Modification Windows Event Log Defender 5007 Modify Registry Hunting Windows Attack Surface Reduction 2024-10-17
Windows Defender ASR Rule Disabled Windows Event Log Defender 5007 Modify Registry TTP Windows Attack Surface Reduction 2024-09-30
Windows Defender Exclusion Registry Entry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics 2024-11-14
Windows Delete or Modify System Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Impair Defenses Disable or Modify System Firewall Anomaly NjRAT, ShrinkLocker 2024-09-30
Windows Deleted Registry By A Non Critical Process File Path Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Disable Change Password Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics 2024-11-14
Windows Disable Lock Workstation Feature Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable LogOff Button Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Notification Center Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Disable or Modify Tools Via Taskkill CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Impair Defenses Disable or Modify Tools Anomaly NjRAT, PXA Stealer 2024-09-30
Windows Disable or Stop Browser Process Disable or Modify Tools Impair Defenses TTP Braodo Stealer 2024-09-24
Windows Disable Shutdown Button Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Registry Abuse 2024-11-14
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable Windows Event Logging Impair Defenses Server Software Component IIS Components TTP CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics 2024-11-28
Windows Disable Windows Group Policy Features Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows DisableAntiSpyware Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Diskshadow Proxy Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows DISM Install PowerShell Web Access Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control TTP CISA AA24-241A 2024-09-30
Windows DISM Remove Defender CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Hunting Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2024-10-17
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Search Order Hijacking TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows DLL Side-Loading In Calc Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP Qakbot 2024-09-30
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow Anomaly Qakbot 2024-09-30
Windows DotNet Binary in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities System Binary Proxy Execution InstallUtil TTP Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows Driver Load Non-Standard Path Windows Event Log System 7045 Rootkit Exploitation for Privilege Escalation TTP AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Drivers Loaded by Signature Sysmon EventID 6 Rootkit Exploitation for Privilege Escalation Hunting AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers 2024-10-17
Windows Event For Service Disabled Windows Event Log System 7040 Disable or Modify Tools Impair Defenses Hunting RedLine Stealer, Windows Defense Evasion Tactics 2024-10-17
Windows Event Log Cleared Windows Event Log Security 1102 Indicator Removal Clear Windows Event Logs TTP CISA AA22-264A, Clop Ransomware, Compromised Windows Host, Ransomware, ShrinkLocker, Windows Log Manipulation 2024-11-28
Windows Excessive Disabled Services Event Windows Event Log System 7040 Disable or Modify Tools Impair Defenses TTP CISA AA23-347A, Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Execute Arbitrary Commands with MSDT CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution TTP Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 2024-11-28
Windows Files and Dirs Access Rights Modification Via Icacls CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows File and Directory Permissions Modification File and Directory Permissions Modification TTP Amadey 2024-09-30
Windows Group Policy Object Created Windows Event Log Security 5136, Windows Event Log Security 5137 Domain or Tenant Policy Modification Group Policy Modification Domain Accounts TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Hide Notification Features Through Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Anomaly Brute Ratel C4 2024-09-30
Windows Impair Defense Add Xml Applocker Rules CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Hunting Azorult 2024-10-17
Windows Impair Defense Change Win Defender Health Check Intervals Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Quick Scan Interval Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Throttle Rate Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Change Win Defender Tracing Level Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Configure App Install Control Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Define Win Defender Threat Action Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Delete Win Defender Context Menu Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Hunting Windows Defense Evasion Tactics, Windows Registry Abuse 2024-10-17
Windows Impair Defense Delete Win Defender Profile Registry Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Anomaly Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Deny Security Software With Applocker Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Azorult 2024-09-30
Windows Impair Defense Disable Controlled Folder Access Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Firewall And Network Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Defender Protocol Recognition Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable PUA Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Realtime Signature Delivery Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Web Evaluation Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Disable Win Defender App Guard Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Compute File Hashes Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Gen reports Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Network Protection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Report Infection Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Scan On Update Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Disable Win Defender Signature Retirement Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Overide Win Defender Phishing Filter Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defense Override SmartScreen Prompt Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Impair Defense Set Win Defender Smart Screen Level To Warn Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable AV AutoStart via Registry Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Impair Defenses Disable HVCI Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses TTP BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Impair Defenses Disable Win Defender Auto Logging Sysmon EventID 12, Sysmon EventID 13 Disable or Modify Tools Impair Defenses Anomaly CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
Windows Indicator Removal Via Rmdir CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indicator Removal Anomaly DarkGate Malware 2024-09-30
Windows Indirect Command Execution Via forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution TTP Living Off The Land, Windows Post-Exploitation 2024-09-30
Windows Indirect Command Execution Via pcalua CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution TTP Living Off The Land 2024-09-30
Windows Indirect Command Execution Via Series Of Forfiles CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Indirect Command Execution Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows InProcServer32 New Outlook Form Sysmon EventID 13 Phishing Modify Registry Anomaly Outlook RCE CVE-2024-21378 2024-09-30
Windows InstallUtil Credential Theft Sysmon EventID 7 InstallUtil System Binary Proxy Execution TTP Signed Binary Proxy Execution InstallUtil 2024-09-30
Windows InstallUtil in Non Standard Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities System Binary Proxy Execution InstallUtil TTP Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate 2024-09-30
Windows InstallUtil Remote Network Connection Sysmon EventID 1, Sysmon EventID 3 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil Uninstall Option with Network Sysmon EventID 1, Sysmon EventID 3 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows InstallUtil URL in Command Line CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 InstallUtil System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Signed Binary Proxy Execution InstallUtil 2024-11-28
Windows Known Abused DLL Created Sysmon EventID 1, Sysmon EventID 11 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow Anomaly Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Anomaly CISA AA23-347A 2024-09-30
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 Network Share Discovery Valid Accounts Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows LOLBAS Executed As Renamed File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Rename System Utilities Rundll32 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows LOLBAS Executed Outside Expected Path Sysmon EventID 1, Windows Event Log Security 4688 Masquerading Match Legitimate Name or Location Rundll32 TTP Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics 2024-09-30
Windows Mark Of The Web Bypass Sysmon EventID 23 Mark-of-the-Web Bypass TTP Warzone RAT 2024-09-30
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Masquerading Msdtc Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Masquerading TTP Compromised Windows Host, PlugX 2024-11-28
Windows Modify Registry AuthenticationLevelOverride Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Auto Minor Updates Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Auto Update Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry Configure BitLocker Sysmon EventID 13 Modify Registry TTP ShrinkLocker 2024-09-30
Windows Modify Registry Default Icon Setting Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly LockBit Ransomware 2024-09-30
Windows Modify Registry Delete Firewall Rules Sysmon EventID 12 Modify Registry TTP CISA AA24-241A, ShrinkLocker 2024-09-30
Windows Modify Registry Disable RDP Sysmon EventID 13 Modify Registry Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry Disable Restricted Admin Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A 2024-11-14
Windows Modify Registry Disable Toast Notifications Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult 2024-09-30
Windows Modify Registry Disable Win Defender Raw Write Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Disable WinDefender Notifications Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry Disable Windows Security Center Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisableRemoteDesktopAntiAlias Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP DarkGate Malware 2024-09-30
Windows Modify Registry DisableSecuritySettings Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP CISA AA23-347A, DarkGate Malware 2024-09-30
Windows Modify Registry Disabling WER Settings Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry DisAllow Windows App Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Azorult 2024-09-30
Windows Modify Registry Do Not Connect To Win Update Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry DontShowUI Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP DarkGate Malware 2024-09-30
Windows Modify Registry EnableLinkedConnections Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP BlackByte Ransomware 2024-11-14
Windows Modify Registry LongPathsEnabled Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly BlackByte Ransomware 2024-11-14
Windows Modify Registry MaxConnectionPerServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Warzone RAT 2024-09-30
Windows Modify Registry No Auto Reboot With Logon User Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry No Auto Update Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA23-347A, RedLine Stealer 2024-09-30
Windows Modify Registry NoChangingWallPaper Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Rhysida Ransomware 2024-11-14
Windows Modify Registry on Smart Card Group Policy Sysmon EventID 13 Modify Registry Anomaly ShrinkLocker 2024-09-30
Windows Modify Registry ProxyEnable Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry ProxyServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly DarkGate Malware 2024-09-30
Windows Modify Registry Qakbot Binary Data Registry Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Qakbot 2024-09-30
Windows Modify Registry Regedit Silent Reg Import CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Modify Registry Anomaly Azorult 2024-09-30
Windows Modify Registry Risk Behavior Modify Registry Correlation Windows Registry Abuse 2024-09-30
Windows Modify Registry Suppress Win Defender Notif Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly Azorult, CISA AA23-347A 2024-09-30
Windows Modify Registry Tamper Protection Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP RedLine Stealer 2024-09-30
Windows Modify Registry to Add or Modify Firewall Rule Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly CISA AA24-241A, ShrinkLocker 2024-11-14
Windows Modify Registry UpdateServiceUrlAlternate Sysmon EventID 12, Sysmon EventID 13 Modify Registry Anomaly RedLine Stealer 2024-09-30
Windows Modify Registry USeWuServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry Utilize ProgIDs Sysmon EventID 13 Modify Registry Anomaly ValleyRAT 2024-09-30
Windows Modify Registry ValleyRAT C2 Config Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Modify Registry ValleyRat PWN Reg Entry Sysmon EventID 13 Modify Registry TTP ValleyRAT 2024-09-30
Windows Modify Registry With MD5 Reg Key Name Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP NjRAT 2024-09-30
Windows Modify Registry WuServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Registry wuStatusServer Sysmon EventID 12, Sysmon EventID 13 Modify Registry Hunting RedLine Stealer 2024-10-17
Windows Modify Show Compress Color And Info Tip Registry Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-11-14
Windows Modify System Firewall with Notable Process Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify System Firewall Impair Defenses TTP Compromised Windows Host, NjRAT 2024-11-28
Windows Mshta Execution In Registry Sysmon EventID 12, Sysmon EventID 13 Mshta TTP Suspicious Windows Registry Activities, Windows Persistence Techniques 2024-09-30
Windows MSHTA Writing to World Writable Path Sysmon EventID 11 Mshta TTP APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity 2024-09-30
Windows MSIExec DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MsiExec HideWindow Rundll32 Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec System Binary Proxy Execution TTP Qakbot 2024-09-30
Windows MSIExec Remote Download CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec Spawn Discovery Command CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-11-26
Windows MSIExec Spawn WinDBG CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Compromised Windows Host, DarkGate Malware 2024-11-28
Windows MSIExec Unregister DLLRegisterServer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows MSIExec With Network Connections Sysmon EventID 1, Sysmon EventID 3 Msiexec TTP Windows System Binary Proxy Execution MSIExec 2024-09-30
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Deleted Windows Event Log Security 4726 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Disabled Windows Event Log Security 4725 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows New InProcServer32 Added Sysmon EventID 13 Modify Registry Hunting Outlook RCE CVE-2024-21378 2024-10-17
Windows Njrat Fileless Storage via Registry Sysmon EventID 12, Sysmon EventID 13 Fileless Storage Obfuscated Files or Information TTP NjRAT 2024-09-30
Windows Odbcconf Hunting CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf Hunting Living Off The Land 2024-10-17
Windows Odbcconf Load DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf TTP Living Off The Land 2024-09-30
Windows Odbcconf Load Response File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Odbcconf TTP Living Off The Land 2024-09-30
Windows Outlook WebView Registry Modification Sysmon EventID 13 Modify Registry Anomaly Suspicious Windows Registry Activities 2024-09-30
Windows Parent PID Spoofing with Explorer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Parent PID Spoofing Access Token Manipulation TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows PowerShell Disable HTTP Logging Powershell Script Block Logging 4104 Impair Defenses Disable Windows Event Logging Server Software Component IIS Components TTP IIS Components, Windows Defense Evasion Tactics 2024-09-30
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Disable or Modify Tools Impair Defenses TTP Azorult 2024-09-30
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 Domain Accounts Permission Groups Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows Privilege Escalation Suspicious Process Elevation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privilege Escalation System Process Without System Parent CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Windows Privilege Escalation 2024-09-30
Windows Privilege Escalation User Process Spawn System Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploitation for Privilege Escalation Abuse Elevation Control Mechanism Access Token Manipulation TTP BlackSuit Ransomware, Compromised Windows Host, Windows Privilege Escalation 2024-11-28
Windows Process Injection In Non-Service SearchIndexer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Qakbot 2024-09-30
Windows Process Injection into Notepad Sysmon EventID 10 Process Injection Portable Executable Injection Anomaly BishopFox Sliver Adversary Emulation Framework 2024-09-30
Windows Process Injection Of Wermgr to Known Browser Sysmon EventID 8 Dynamic-link Library Injection Process Injection TTP Qakbot 2024-09-30
Windows Process Injection Remote Thread Sysmon EventID 8 Process Injection Portable Executable Injection TTP Graceful Wipe Out Attack, Qakbot, Warzone RAT 2024-09-30
Windows Process Injection Wermgr Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Anomaly Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability 2024-09-30
Windows Process Injection With Public Source Path Sysmon EventID 8 Process Injection Portable Executable Injection Hunting Brute Ratel C4 2024-10-17
Windows Process With NamedPipe CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Anomaly Windows Defense Evasion Tactics 2024-09-30
Windows Process Writing File to World Writable Path Mshta Hunting APT29 Diplomatic Deceptions with WINELOADER 2024-10-17
Windows Raccine Scheduled Task Deletion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools TTP Compromised Windows Host, Ransomware 2024-11-28
Windows Rasautou DLL Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Dynamic-link Library Injection System Binary Proxy Execution Process Injection TTP Compromised Windows Host, Windows Defense Evasion Tactics 2024-11-28
Windows Registry BootExecute Modification Sysmon EventID 12, Sysmon EventID 13 Pre-OS Boot Registry Run Keys / Startup Folder TTP Windows BootKits 2024-11-14
Windows Registry Certificate Added Sysmon EventID 12, Sysmon EventID 13 Install Root Certificate Subvert Trust Controls Anomaly Windows Drivers, Windows Registry Abuse 2024-11-14
Windows Registry Delete Task SD Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Impair Defenses Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows Registry Payload Injection Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Obfuscated Files or Information Fileless Storage TTP Unusual Processes 2024-09-30
Windows Registry SIP Provider Modification Sysmon EventID 12, Sysmon EventID 13 SIP and Trust Provider Hijacking TTP Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Regsvr32 Renamed Binary CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Regsvr32 System Binary Proxy Execution TTP Compromised Windows Host, Qakbot 2024-11-28
Windows Remote Assistance Spawning Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Compromised Windows Host, Unusual Processes 2024-11-28
Windows Rundll32 Apply User Settings Changes CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Binary Proxy Execution Rundll32 TTP Rhysida Ransomware 2024-09-30
Windows RunMRU Command Execution Indirect Command Execution Anomaly Lumma Stealer 2024-11-08
Windows Service Creation Using Registry Entry Sysmon EventID 12, Sysmon EventID 13 Services Registry Permissions Weakness TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-11-14
Windows SIP Provider Inventory SIP and Trust Provider Hijacking Hunting Subvert Trust Controls SIP and Trust Provider Hijacking 2024-10-17
Windows SIP WinVerifyTrust Failed Trust Validation Windows Event Log CAPI2 81 SIP and Trust Provider Hijacking Anomaly Subvert Trust Controls SIP and Trust Provider Hijacking 2024-09-30
Windows Snake Malware File Modification Crmlog Sysmon EventID 11 Obfuscated Files or Information TTP Snake Malware 2024-09-30
Windows Snake Malware Registry Modification wav OpenWithProgIds Sysmon EventID 12, Sysmon EventID 13 Modify Registry TTP Snake Malware 2024-09-30
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 DLL Side-Loading TTP APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 Steal or Forge Authentication Certificates Use Alternate Authentication Material TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Windows System Binary Proxy Execution Compiled HTML File Decompile CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Compiled HTML File System Binary Proxy Execution TTP Compromised Windows Host, Living Off The Land, Suspicious Compiled HTML Activity 2024-11-28
Windows System Script Proxy Execution Syncappvpublishingserver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 System Script Proxy Execution System Binary Proxy Execution TTP Living Off The Land 2024-09-30
Windows Terminating Lsass Process Sysmon EventID 10 Disable or Modify Tools Impair Defenses Anomaly Data Destruction, Double Zero Destructor 2024-09-30
Windows Time Based Evasion CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Virtualization/Sandbox Evasion Time Based Evasion TTP NjRAT 2024-09-30
Windows Time Based Evasion via Choice Exec CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Time Based Evasion Virtualization/Sandbox Evasion Anomaly Snake Keylogger 2024-09-30
Windows UAC Bypass Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism Bypass User Account Control TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows UAC Bypass Suspicious Escalation Behavior CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism Bypass User Account Control TTP Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics 2024-11-28
Windows Unsigned DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Anomaly NjRAT, Warzone RAT 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP DarkGate Malware, PlugX 2024-09-30
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Boot or Logon Autostart Execution Anomaly APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows WinLogon with Public Network Connection Sysmon EventID 1, Sysmon EventID 3 Bootkit Hunting BlackLotus Campaign 2024-10-17
Winhlp32 Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP Compromised Windows Host, Remcos 2024-11-28
Wmic NonInteractive App Uninstallation CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable or Modify Tools Impair Defenses Hunting Azorult, IcedID 2024-10-17
WMIC XSL Execution via URL CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 XSL Script Processing TTP Compromised Windows Host, Suspicious WMI Use 2024-11-28
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Create or Modify System Process Parent PID Spoofing Access Token Manipulation TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-11-26
WSReset UAC Bypass Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
XSL Script Execution With WMIC CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 XSL Script Processing TTP FIN7, Suspicious WMI Use 2024-09-30
Detect Software Download To Network Device TFTP Boot Pre-OS Boot TTP Router and Infrastructure Security 2024-10-17
Windows AD Replication Service Traffic OS Credential Dumping DCSync Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-10-17
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP Sneaky Active Directory Persistence Tricks 2024-10-17