|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2024-05-29
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
Web Session Cookie
Cloud Service Dashboard
|
Hunting
|
Okta Account Takeover
|
2024-05-30
|
|
Okta New API Token Created
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-09-24
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Valid Accounts
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2024-05-15
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2024-05-28
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2024-05-26
|
|
Okta Suspicious Activity Reported
|
Okta
|
Valid Accounts
Default Accounts
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
Valid Accounts
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2024-05-21
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-22
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2024-05-29
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-21
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2024-05-07
|
|
Splunk Edit User Privilege Escalation
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-15
|
|
Splunk Enterprise KV Store Incorrect Authorization
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-10
|
|
Splunk HTTP Response Splitting Via Rest SPL Command
|
Splunk
|
HTML Smuggling
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-27
|
|
Splunk Process Injection Forwarder Bundle Downloads
|
Splunk
|
Process Injection
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
|
Splunk RBAC Bypass On Indexing Preview REST Endpoint
|
Splunk
|
Access Token Manipulation
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-15
|
|
Splunk risky Command Abuse disclosed february 2023
|
Splunk
|
Abuse Elevation Control Mechanism
Indirect Command Execution
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-23
|
|
Splunk Unauthorized Notification Input by User
|
Splunk
|
Abuse Elevation Control Mechanism
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-09-25
|
|
Windows AD Dangerous Deny ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-21
|
|
Windows AD Dangerous Group ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
|
Windows AD Dangerous User ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-15
|
|
Windows AD DCShadow Privileges ACL Addition
|
|
Domain or Tenant Policy Modification
Rogue Domain Controller
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-10
|
|
Windows AD Domain Root ACL Deletion
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
|
Windows AD Domain Root ACL Modification
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-11
|
|
Windows AD GPO Deleted
|
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-24
|
|
Windows AD GPO Disabled
|
|
Disable or Modify Tools
Group Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-24
|
|
Windows AD GPO New CSE Addition
|
|
Domain or Tenant Policy Modification
Group Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-22
|
|
Windows AD Hidden OU Creation
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-16
|
|
Windows AD Object Owner Updated
|
|
Domain or Tenant Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows AD Self DACL Assignment
|
|
Domain or Tenant Policy Modification
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-12-18
|
|
Windows AD Suspicious Attribute Modification
|
|
Use Alternate Authentication Material
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
|
Windows AD Suspicious GPO Modification
|
|
Domain or Tenant Policy Modification
Group Policy Modification
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-12-19
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2024-08-16
|
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-05-27
|
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2024-05-16
|
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-08-16
|
|
ASL AWS Defense Evasion Delete Cloudtrail
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-29
|
|
ASL AWS Defense Evasion Delete CloudWatch Log Group
|
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-25
|
|
ASL AWS Defense Evasion Impair Security Services
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-13
|
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
|
ASL AWS Defense Evasion Update Cloudtrail
|
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
|
ASL AWS Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-22
|
|
ASL AWS New MFA Method Registered For User
|
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-10
|
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-14
|
|
AWS Defense Evasion Delete CloudWatch Log Group
|
AWS CloudTrail DeleteLogGroup
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-26
|
|
AWS Defense Evasion Impair Security Services
|
AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-26
|
|
AWS Defense Evasion PutBucketLifecycle
|
AWS CloudTrail PutBucketLifecycle
|
Disable or Modify Cloud Logs
Impair Defenses
|
Hunting
|
AWS Defense Evasion
|
2024-05-28
|
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
Disable or Modify Cloud Logs
Impair Defenses
|
TTP
|
AWS Defense Evasion
|
2024-05-15
|
|
AWS Defense Evasion Update Cloudtrail
|
AWS CloudTrail UpdateTrail
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
AWS Defense Evasion
|
2024-05-17
|
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-12
|
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-23
|
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-15
|
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-05-20
|
|
aws detect sts get session token abuse
|
|
Use Alternate Authentication Material
|
Hunting
|
AWS Cross Account Activity
|
2024-05-14
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-15
|
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
AWS Network ACL Activity
|
2024-05-14
|
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
Disable or Modify Cloud Firewall
Impair Defenses
|
Anomaly
|
AWS Network ACL Activity
|
2024-05-15
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-09-24
|
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-05-23
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-08-19
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
Valid Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-16
|
|
AWS Successful Console Authentication From Multiple IPs
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Unused/Unsupported Cloud Regions
|
Anomaly
|
Compromised User Account, Suspicious AWS Login Activities
|
2024-09-24
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-12
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
Impair Defenses
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure AD New Federated Domain Added
|
Azure Active Directory Set domain authentication
|
Domain or Tenant Policy Modification
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-09-24
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-09-24
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2024-09-24
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Valid Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-15
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Cloud Cryptomining
|
2024-05-18
|
|
Cloud Compute Instance Created In Previously Unused Region
|
AWS CloudTrail
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
Cloud Cryptomining
|
2024-05-10
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
Valid Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2024-08-16
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-22
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-16
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-17
|
|
Cloud Security Groups Modifications by User
|
AWS CloudTrail
|
Modify Cloud Compute Configurations
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-18
|
|
Detect AWS Console Login by User from New City
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-25
|
|
Detect AWS Console Login by User from New Country
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-16
|
|
Detect AWS Console Login by User from New Region
|
AWS CloudTrail
|
Compromise Accounts
Cloud Accounts
Unused/Unsupported Cloud Regions
|
Hunting
|
AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities
|
2024-05-18
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2024-09-24
|
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-05-14
|
|
GCP Multi-Factor Authentication Disabled
|
|
Compromise Accounts
Cloud Accounts
Modify Authentication Process
Multi-Factor Authentication
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Compromise Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-23
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Compromise Accounts
Cloud Accounts
Valid Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2024-05-25
|
|
O365 Advanced Audit Disabled
|
O365 Change user license.
|
Impair Defenses
Disable or Modify Cloud Logs
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-17
|
|
O365 Block User Consent For Risky Apps Disabled
|
O365 Update authorization policy.
|
Impair Defenses
|
TTP
|
Office 365 Account Takeover
|
2024-05-26
|
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
|
O365 Cross-Tenant Access Change
|
|
Trust Modification
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-11
|
|
O365 Email Security Feature Changed
|
|
Impair Defenses
Disable or Modify Cloud Logs
Disable or Modify Tools
|
TTP
|
Office 365 Account Takeover, Office 365 Persistence Mechanisms
|
2024-04-01
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-05-17
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-09-24
|
|
O365 Security And Compliance Alert Triggered
|
|
Valid Accounts
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2024-09-24
|
|
Abnormally High AWS Instances Launched by User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Launched by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Terminated by User
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
|
Abnormally High AWS Instances Terminated by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-08-15
|
|
ASL AWS CreateAccessKey
|
|
Valid Accounts
|
Hunting
|
AWS IAM Privilege Escalation
|
2022-05-23
|
|
AWS Cloud Provisioning From Previously Unseen City
|
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
AWS Suspicious Provisioning Activities
|
2024-09-24
|
|
AWS Cloud Provisioning From Previously Unseen Country
|
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
AWS Suspicious Provisioning Activities
|
2024-09-24
|
|
AWS Cloud Provisioning From Previously Unseen Region
|
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
AWS Suspicious Provisioning Activities
|
2024-08-15
|
|
Detect Activity Related to Pass the Hash Attacks
|
Windows Event Log Security 4624
|
Use Alternate Authentication Material
Pass the Hash
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2024-08-15
|
|
Detect AWS API Activities From Unapproved Accounts
|
|
Cloud Accounts
|
Hunting
|
AWS User Monitoring
|
2024-08-15
|
|
Detect new API calls from user roles
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-19
|
|
Detect new user AWS Console Login
|
|
Cloud Accounts
|
Hunting
|
Suspicious AWS Login Activities
|
2024-08-15
|
|
Detect Spike in AWS API Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-15
|
|
Detect Spike in Network ACL Activity
|
|
Disable or Modify Cloud Firewall
|
Anomaly
|
AWS Network ACL Activity
|
2024-08-15
|
|
Detect Spike in Security Group Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-08-16
|
|
EC2 Instance Modified With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
Unusual AWS EC2 Modifications
|
2024-08-16
|
|
EC2 Instance Started In Previously Unseen Region
|
|
Unused/Unsupported Cloud Regions
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
|
EC2 Instance Started With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-08-16
|
|
Execution of File With Spaces Before Extension
|
Sysmon EventID 1
|
Rename System Utilities
|
TTP
|
Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2024-08-16
|
|
GCP Detect accounts with high risk roles by project
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-19
|
|
GCP Detect high risk permissions by resource and account
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-16
|
|
gcp detect oauth token abuse
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-08-15
|
|
Identify New User Accounts
|
|
Domain Accounts
|
Hunting
|
N/A
|
2024-08-16
|
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
Password Spraying
Valid Accounts
Default Accounts
|
TTP
|
Suspicious Okta Activity
|
2024-02-29
|
|
Okta Account Lockout Events
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-19
|
|
Okta Failed SSO Attempts
|
|
Valid Accounts
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-21
|
|
Okta ThreatInsight Login Failure with High Unknown users
|
|
Valid Accounts
Default Accounts
Credential Stuffing
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
|
Okta ThreatInsight Suspected PasswordSpray Attack
|
|
Valid Accounts
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2024-08-16
|
|
Processes created by netsh
|
Sysmon EventID 1
|
Disable or Modify System Firewall
|
TTP
|
Netsh Abuse
|
2024-08-15
|
|
Reg exe used to hide files directories via registry keys
|
Sysmon EventID 1
|
Hidden Files and Directories
|
TTP
|
Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2024-08-15
|
|
Suspicious Rundll32 Rename
|
Sysmon EventID 1
|
System Binary Proxy Execution
Masquerading
Rundll32
Rename System Utilities
|
Hunting
|
Masquerading - Rename System Utilities, Suspicious Rundll32 Activity
|
2022-04-07
|
|
Suspicious writes to System Volume Information
|
Sysmon EventID 1
|
Masquerading
|
Hunting
|
Collection and Staging
|
2024-08-15
|
|
Web Fraud - Anomalous User Clickspeed
|
|
Valid Accounts
|
Anomaly
|
Web Fraud Detection
|
2024-08-16
|
|
Windows DLL Search Order Hijacking Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Hunting
|
Living Off The Land, Windows Defense Evasion Tactics
|
2023-11-07
|
|
Active Directory Privilege Escalation Identified
|
|
Domain or Tenant Policy Modification
|
Correlation
|
Active Directory Privilege Escalation
|
2024-05-26
|
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, ValleyRAT, WhisperGate, Windows Defense Evasion Tactics
|
2024-09-24
|
|
Allow File And Printing Sharing In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
BlackByte Ransomware, Ransomware
|
2024-05-17
|
|
Allow Network Discovery In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Cloud Firewall
Impair Defenses
|
TTP
|
BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware
|
2024-05-27
|
|
Allow Operation with Consent Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
Abuse Elevation Control Mechanism
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2024-05-20
|
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Match Legitimate Name or Location
Masquerading
OS Credential Dumping
Active Scanning
|
TTP
|
CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig
|
2024-05-29
|
|
Attempt To Add Certificate To Untrusted Store
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Install Root Certificate
Subvert Trust Controls
|
TTP
|
Disabling Security Tools
|
2024-08-15
|
|
Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2024-08-14
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-08-14
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-08-15
|
|
CertUtil With Decode Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Deobfuscate/Decode Files or Information
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land
|
2024-08-15
|
|
Clear Unallocated Sector Using Cipher App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Indicator Removal
|
TTP
|
Ransomware
|
2024-08-15
|
|
CMLUA Or CMSTPLUA UAC Bypass
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
DarkSide Ransomware, LockBit Ransomware, Ransomware, ValleyRAT
|
2024-09-24
|
|
Cobalt Strike Named Pipes
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot
|
2024-08-19
|
|
Control Loading from World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Control Panel
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
2024-08-15
|
|
Create or delete windows shares using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
Network Share Connection Removal
|
TTP
|
CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation
|
2024-08-15
|
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2024-05-21
|
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compile After Delivery
Obfuscated Files or Information
|
Hunting
|
Windows Defense Evasion Tactics
|
2024-05-20
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
Valid Accounts
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-19
|
|
Detect Excessive User Account Lockouts
|
|
Valid Accounts
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-20
|
|
Detect HTML Help Renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
Hunting
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-15
|
|
Detect HTML Help Spawn Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-15
|
|
Detect HTML Help URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-15
|
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Compiled HTML File
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-14
|
|
Detect mshta inline hta execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Gozi Malware, Living Off The Land, Suspicious MSHTA Activity
|
2024-08-15
|
|
Detect mshta renamed
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
Hunting
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-08-19
|
|
Detect MSHTA Url in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-08-15
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Unquoted Path
Hijack Execution Flow
|
TTP
|
Windows Persistence Techniques
|
2024-08-15
|
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-09-26
|
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvcs/Regasm
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity
|
2024-08-14
|
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
Right-to-Left Override
Masquerading
|
TTP
|
Spearphishing Attachments
|
2024-05-24
|
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Right-to-Left Override
Masquerading
|
TTP
|
Spearphishing Attachments
|
2024-05-29
|
|
Detect Rundll32 Application Control Bypass - advpack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
|
Detect Rundll32 Application Control Bypass - setupapi
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
|
Detect Rundll32 Application Control Bypass - syssetup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity
|
2024-05-22
|
|
Disable AMSI Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-05-29
|
|
Disable Defender AntiVirus Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA24-241A, IcedID, Windows Registry Abuse
|
2024-05-28
|
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-22
|
|
Disable Defender Enhanced Notification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-24
|
|
Disable Defender MpEngine Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Windows Registry Abuse
|
2024-05-21
|
|
Disable Defender Spynet Reporting
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse
|
2024-05-07
|
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-14
|
|
Disable ETW Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-05-24
|
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
Clear Windows Event Logs
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2024-07-23
|
|
Disable Registry Tool
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
|
Disable Schedule Task
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, Living Off The Land
|
2024-05-26
|
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-29
|
|
Disable Show Hidden Files
|
Sysmon EventID 12, Sysmon EventID 13
|
Hidden Files and Directories
Disable or Modify Tools
Hide Artifacts
Impair Defenses
Modify Registry
|
Anomaly
|
Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Disable UAC Remote Restriction
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
|
Disable Windows App Hotkeys
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Registry Abuse, XMRig
|
2024-05-11
|
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-07-23
|
|
Disable Windows SmartScreen Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-26
|
|
Disabling CMD Application
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-16
|
|
Disabling ControlPanel
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-18
|
|
Disabling Defender Services
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
IcedID, RedLine Stealer, Windows Registry Abuse
|
2024-05-19
|
|
Disabling Firewall with Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
BlackByte Ransomware, Windows Defense Evasion Tactics
|
2024-05-04
|
|
Disabling FolderOptions Windows Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-11
|
|
Disabling NoRun Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
Modify Registry
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
|
Disabling Remote User Account Control
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-18
|
|
Disabling Task Manager
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-15
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-19
|
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-08-14
|
|
Enable WDigest UseLogonCredential Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
OS Credential Dumping
|
TTP
|
CISA AA22-320A, Credential Dumping, Windows Registry Abuse
|
2024-05-12
|
|
ETW Registry Disabled
|
Sysmon EventID 12, Sysmon EventID 13
|
Indicator Blocking
Trusted Developer Utilities Proxy Execution
Impair Defenses
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-10
|
|
Eventvwr UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-24
|
|
Excessive number of service control start as disabled
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Windows Defense Evasion Tactics
|
2024-08-15
|
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig
|
2024-08-14
|
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig
|
2024-08-14
|
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
Masquerading
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-09-24
|
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
|
TTP
|
AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2024-08-14
|
|
Firewall Allowed Program Enable
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics
|
2024-05-11
|
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
IcedID, ValleyRAT, Windows Defense Evasion Tactics
|
2024-09-24
|
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-05-20
|
|
GPUpdate with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-08-15
|
|
Headless Browser Mockbin or Mocky Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
TTP
|
Forest Blizzard
|
2024-05-29
|
|
Headless Browser Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
|
Hunting
|
Forest Blizzard
|
2024-05-26
|
|
Hide User Account From Sign-In Screen
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Warzone RAT, Windows Registry Abuse, XMRig
|
2024-05-17
|
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
Windows File and Directory Permissions Modification
|
TTP
|
Azorult, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2024-05-13
|
|
Icacls Deny Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Azorult, Sandworm Tools, XMRig
|
2024-05-27
|
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Ransomware, XMRig
|
2024-05-15
|
|
Kerberos TGT Request Using RC4 Encryption
|
Windows Event Log Security 4768
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks
|
2024-09-24
|
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidRain
|
2024-05-23
|
|
Linux apt-get Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Auditd Base64 Decode Files
|
Linux Auditd Execve
|
Deobfuscate/Decode Files or Information
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Change File Owner To Root
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-09
|
|
Linux Auditd Disable Or Modify System Firewall
|
Linux Auditd Service Stop
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Doas Conf File Creation
|
Linux Auditd Path
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Doas Tool Execution
|
Linux Auditd Syscall
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd File Permission Modification Via Chmod
|
Linux Auditd Proctitle
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd File Permissions Modification Via Chattr
|
Linux Auditd Execve
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Kernel Module Enumeration
|
Linux Auditd Syscall
|
System Information Discovery
Rootkit
|
Anomaly
|
Compromised Linux Host, Linux Rootkit
|
2024-09-04
|
|
Linux Auditd Nopasswd Entry In Sudoers File
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Possible Access To Sudoers File
|
Linux Auditd Path
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Setuid Using Chmod Utility
|
Linux Auditd Proctitle
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-04
|
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
Linux and Mac File and Directory Permissions Modification
File and Directory Permissions Modification
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-22
|
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-29
|
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
Unix Shell
|
TTP
|
Linux Living Off The Land
|
2024-08-14
|
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2024-05-21
|
|
Linux Deletion Of Init Daemon Script
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, AcidRain, Data Destruction
|
2024-05-18
|
|
Linux Deletion Of Services
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, AcidRain, AwfulShred, Data Destruction
|
2024-05-17
|
|
Linux Deletion of SSL Certificate
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidPour, AcidRain
|
2024-05-18
|
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-17
|
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-22
|
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2024-05-19
|
|
Linux High Frequency Of File Deletion In Etc Folder
|
Sysmon for Linux EventID 11
|
Data Destruction
File Deletion
Indicator Removal
|
Anomaly
|
AcidRain, Data Destruction
|
2024-05-10
|
|
Linux Impair Defenses Process Kill
|
Sysmon for Linux EventID 1
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
AwfulShred, Data Destruction
|
2024-05-11
|
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
Indicator Removal
|
TTP
|
AwfulShred, Data Destruction
|
2024-05-30
|
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
File Deletion
Indicator Removal
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-05-14
|
|
Linux Iptables Firewall Modification
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Cyclops Blink, Sandworm Tools
|
2024-05-28
|
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
System Information Discovery
Rootkit
|
Anomaly
|
Linux Rootkit
|
2024-08-14
|
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
Masquerade Task or Service
Masquerading
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2024-05-14
|
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-17
|
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
|
Anomaly
|
Linux Living Off The Land
|
2024-08-14
|
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
Abuse Elevation Control Mechanism
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-29
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-14
|
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-18
|
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2024-05-21
|
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-17
|
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-19
|
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-27
|
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
Process Injection
Dynamic-link Library Injection
|
TTP
|
AsyncRAT, Remcos
|
2024-05-26
|
|
LOLBAS With Network Traffic
|
Sysmon EventID 3
|
Ingress Tool Transfer
Exfiltration Over Web Service
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-09-24
|
|
MacOS plutil
|
osquery
|
Plist File Modification
|
TTP
|
Living Off The Land
|
2024-05-22
|
|
Malicious InProcServer32 Modification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Regsvr32
Modify Registry
|
TTP
|
Remcos, Suspicious Regsvr32 Activity
|
2024-08-15
|
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Obfuscated Files or Information
|
Hunting
|
CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate
|
2024-07-26
|
|
Mimikatz PassTheTicket CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools
|
2024-08-15
|
|
Mmc LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
MMC
|
TTP
|
Active Directory Lateral Movement, Living Off The Land
|
2024-05-12
|
|
Modify ACL permission To Files Or Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
Anomaly
|
XMRig
|
2024-05-19
|
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
MSBuild
Trusted Developer Utilities Proxy Execution
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-13
|
|
Mshta spawning Rundll32 OR Regsvr32 Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
IcedID, Living Off The Land, Trickbot
|
2024-05-09
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-08-14
|
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Ransomware, Revil Ransomware
|
2024-05-16
|
|
NET Profiler UAC bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-16
|
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-08-14
|
|
Permission Modification using Takeown App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File and Directory Permissions Modification
|
TTP
|
Ransomware, Sandworm Tools
|
2024-05-11
|
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
Time Based Evasion
|
Anomaly
|
BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate
|
2024-05-30
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-07
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-05-11
|
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
Indicator Removal from Tools
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-05-14
|
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA24-241A, Ransomware, Revil Ransomware
|
2024-05-21
|
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
Indicator Removal from Tools
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-05-13
|
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Process Injection
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-05-18
|
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Obfuscated Files or Information
PowerShell
|
TTP
|
AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern
|
2024-05-24
|
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
Trickbot
|
2024-05-13
|
|
Powershell Remove Windows Defender Directory
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Data Destruction, WhisperGate
|
2024-05-18
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2024-05-17
|
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, MoonPeak
|
2024-05-12
|
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics
|
2024-08-07
|
|
Process Deleting Its Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Clop Ransomware, Data Destruction, Remcos, WhisperGate
|
2024-05-27
|
|
Process Kill Base On File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
XMRig
|
2024-05-18
|
|
Processes launching netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
Anomaly
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon
|
2024-05-24
|
|
Recursive Delete of Directory In Batch CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
File Deletion
Indicator Removal
|
TTP
|
Ransomware
|
2024-05-10
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2024-05-17
|
|
Regsvr32 Silent and Install Param Dll Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity
|
2024-08-15
|
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
Anomaly
|
AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity
|
2024-08-14
|
|
Remcos client registry install entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Remcos, Windows Registry Abuse
|
2024-05-28
|
|
Revil Registry Entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2024-05-24
|
|
Rubeus Command Line Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Use Alternate Authentication Material
Pass the Ticket
Steal or Forge Kerberos Tickets
Kerberoasting
AS-REP Roasting
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A
|
2024-08-15
|
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
Use Alternate Authentication Material
Pass the Ticket
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-09-24
|
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Access Token Manipulation
Token Impersonation/Theft
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-05-30
|
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2024-08-14
|
|
Rundll32 Control RunDLL World Writable Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2024-08-15
|
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-05-29
|
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-05-11
|
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-05-14
|
|
Rundll32 LockWorkStation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
Anomaly
|
Ransomware
|
2024-05-19
|
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-05-22
|
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
TTP
|
Living Off The Land, Unusual Processes
|
2024-05-13
|
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2024-05-21
|
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2024-05-20
|
|
Sdclt UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-12
|
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Data Destruction
File Deletion
Indicator Removal
|
TTP
|
Masquerading - Rename System Utilities
|
2024-05-23
|
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-20
|
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-31
|
|
SilentCleanup UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-18
|
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-05-26
|
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-05-18
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-05-17
|
|
Suspicious Copy on System32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Rename System Utilities
Masquerading
|
TTP
|
AsyncRAT, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon
|
2024-05-16
|
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-12
|
|
Suspicious Event Log Service Behavior
|
Windows Event Log Security 1100
|
Indicator Removal
Clear Windows Event Logs
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2024-05-14
|
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-11
|
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land
|
2024-05-22
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2024-05-13
|
|
Suspicious microsoft workflow compiler usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution
|
2024-05-03
|
|
Suspicious msbuild path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
MSBuild
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-11
|
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Trusted Developer Utilities Proxy Execution
Rename System Utilities
MSBuild
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-22
|
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Trusted Developer Utilities Proxy Execution
MSBuild
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-30
|
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-05-24
|
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Mshta
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-05-14
|
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
Amadey, Remcos, Snake Keylogger, Unusual Processes
|
2024-05-09
|
|
Suspicious Reg exe Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics
|
2024-08-15
|
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Regsvr32
|
TTP
|
IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity
|
2024-08-14
|
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
|
Suspicious Rundll32 no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2024-05-27
|
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
IcedID
|
2024-05-23
|
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot
|
2024-05-30
|
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-25
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-24
|
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Clear Windows Event Logs
Indicator Removal
|
TTP
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-06-19
|
|
Suspicious writes to windows Recycle Bin
|
Sysmon EventID 1, Sysmon EventID 11
|
Masquerading
|
TTP
|
Collection and Staging, PlugX
|
2024-05-18
|
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-05-25
|
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Trickbot
|
2024-05-16
|
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
Bypass User Account Control
Abuse Elevation Control Mechanism
MMC
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-27
|
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-08-14
|
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
System Binary Proxy Execution
|
TTP
|
Ransomware
|
2024-05-14
|
|
Unknown Process Using The Kerberos Protocol
|
Sysmon EventID 1, Sysmon EventID 3
|
Use Alternate Authentication Material
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-05-19
|
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2024-05-15
|
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
Impair Defenses
PowerShell
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-05-24
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
USN Journal Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
TTP
|
Ransomware, Windows Log Manipulation
|
2024-05-12
|
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Verclsid
System Binary Proxy Execution
|
Hunting
|
Unusual Processes
|
2024-05-21
|
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
System Binary Proxy Execution
CMSTP
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2024-05-13
|
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Trickbot
|
2024-05-23
|
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
Create Process with Token
Access Token Manipulation
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX, ValleyRAT
|
2024-09-24
|
|
Windows Access Token Manipulation Winlogon Duplicate Token Handle
|
Sysmon EventID 10
|
Token Impersonation/Theft
Access Token Manipulation
|
Hunting
|
Brute Ratel C4
|
2024-08-15
|
|
Windows Access Token Winlogon Duplicate Handle In Uncommon Path
|
Sysmon EventID 10
|
Token Impersonation/Theft
Access Token Manipulation
|
Anomaly
|
Brute Ratel C4
|
2024-08-15
|
|
Windows AD Cross Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-11
|
|
Windows AD Domain Controller Audit Policy Disabled
|
Windows Event Log Security 4719
|
Disable or Modify Tools
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-12
|
|
Windows AD Domain Controller Promotion
|
Windows Event Log Security 4742
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-18
|
|
Windows AD Domain Replication ACL Addition
|
|
Domain or Tenant Policy Modification
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-08-08
|
|
Windows AD Privileged Account SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-26
|
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
SID-History Injection
Access Token Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2024-05-22
|
|
Windows AD Short Lived Domain Controller SPN Attribute
|
Windows Event Log Security 4624, Windows Event Log Security 5136
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-11
|
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows AD SID History Attribute Modified
|
Windows Event Log Security 5136
|
Access Token Manipulation
SID-History Injection
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Admon Default Group Policy Object Modified
|
Windows Active Directory Admon
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Alternate DataStream - Base64 Content
|
Sysmon EventID 15
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-28
|
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-30
|
|
Windows Alternate DataStream - Process Execution
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Hide Artifacts
NTFS File Attributes
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-16
|
|
Windows AppLocker Block Events
|
|
System Binary Proxy Execution
|
Anomaly
|
Windows AppLocker
|
2024-05-15
|
|
Windows AppLocker Execution from Uncommon Locations
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-05-25
|
|
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
System Binary Proxy Execution
|
TTP
|
Windows AppLocker
|
2024-03-21
|
|
Windows AppLocker Rare Application Launch Detection
|
|
System Binary Proxy Execution
|
Hunting
|
Windows AppLocker
|
2024-05-30
|
|
Windows Binary Proxy Execution Mavinject DLL Injection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Mavinject
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-08-15
|
|
Windows BootLoader Inventory
|
|
System Firmware
Pre-OS Boot
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2024-05-15
|
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
Anomaly
|
Warzone RAT
|
2024-05-20
|
|
Windows Command Shell Fetch Env Variables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Qakbot
|
2024-05-28
|
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2024-05-18
|
|
Windows ConHost with Headless Argument
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Hidden Window
Run Virtual Instance
|
TTP
|
Spearphishing Attachments
|
2024-05-17
|
|
Windows Debugger Tool Execution
|
|
Masquerading
|
Hunting
|
DarkGate Malware, PlugX
|
2024-06-07
|
|
Windows Default Group Policy Object Modified
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Default Group Policy Object Modified with GPME
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain or Tenant Policy Modification
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-08-19
|
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
Modify Registry
|
Hunting
|
Windows Attack Surface Reduction
|
2024-08-14
|
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
Modify Registry
|
TTP
|
Windows Attack Surface Reduction
|
2024-08-15
|
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, Qakbot, Remcos, ValleyRAT, Warzone RAT, Windows Defense Evasion Tactics
|
2024-09-24
|
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Impair Defenses
Disable or Modify System Firewall
|
Anomaly
|
NjRAT, ShrinkLocker
|
2024-07-11
|
|
Windows Deleted Registry By A Non Critical Process File Path
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-05-16
|
|
Windows Disable Change Password Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics
|
2024-05-19
|
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-25
|
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-05-30
|
|
Windows Disable Notification Center
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-28
|
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Impair Defenses
Disable or Modify Tools
|
Anomaly
|
NjRAT
|
2024-08-14
|
|
Windows Disable Shutdown Button Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-05-19
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable Windows Event Logging
Impair Defenses
Server Software Component
IIS Components
|
TTP
|
CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics
|
2024-08-14
|
|
Windows Disable Windows Group Policy Features Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Windows DisableAntiSpyware Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-28
|
|
Windows Diskshadow Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-05-18
|
|
Windows DISM Install PowerShell Web Access
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
|
TTP
|
CISA AA24-241A
|
2024-09-26
|
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics
|
2024-08-14
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2024-05-11
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-08-15
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-05-10
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Qakbot
|
2024-05-22
|
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
System Binary Proxy Execution
InstallUtil
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-08-14
|
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
Rootkit
Exploitation for Privilege Escalation
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2024-05-22
|
|
Windows Drivers Loaded by Signature
|
Sysmon EventID 6
|
Rootkit
Exploitation for Privilege Escalation
|
Hunting
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers
|
2024-05-10
|
|
Windows Event For Service Disabled
|
Windows Event Log System 7040
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
RedLine Stealer, Windows Defense Evasion Tactics
|
2024-05-11
|
|
Windows Event Log Cleared
|
Windows Event Log Security 1102
|
Indicator Removal
Clear Windows Event Logs
|
TTP
|
CISA AA22-264A, Clop Ransomware, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-07-24
|
|
Windows Excessive Disabled Services Event
|
Windows Event Log System 7040
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics
|
2024-05-19
|
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2024-08-15
|
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows File and Directory Permissions Modification
File and Directory Permissions Modification
|
TTP
|
Amadey
|
2024-05-21
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain or Tenant Policy Modification
Group Policy Modification
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-09-24
|
|
Windows Hide Notification Features Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-26
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
Hijack Execution Flow
|
Anomaly
|
Brute Ratel C4
|
2024-05-15
|
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Azorult
|
2024-05-23
|
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-15
|
|
Windows Impair Defense Change Win Defender Quick Scan Interval
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Windows Impair Defense Change Win Defender Throttle Rate
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-22
|
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
|
Windows Impair Defense Delete Win Defender Context Menu
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-11
|
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
|
Windows Impair Defense Deny Security Software With Applocker
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult
|
2024-05-09
|
|
Windows Impair Defense Disable Controlled Folder Access
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-29
|
|
Windows Impair Defense Disable Defender Firewall And Network
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-19
|
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
|
Windows Impair Defense Disable Web Evaluation
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Windows Impair Defense Disable Win Defender App Guard
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-28
|
|
Windows Impair Defense Disable Win Defender Compute File Hashes
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-10
|
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
|
Windows Impair Defense Disable Win Defender Network Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-29
|
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-23
|
|
Windows Impair Defense Disable Win Defender Scan On Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-28
|
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-20
|
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-21
|
|
Windows Impair Defenses Disable AV AutoStart via Registry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-26
|
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
|
Windows Impair Defenses Disable Win Defender Auto Logging
|
Sysmon EventID 12, Sysmon EventID 13
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-18
|
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indicator Removal
|
Anomaly
|
DarkGate Malware
|
2024-05-13
|
|
Windows Indirect Command Execution Via forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
TTP
|
Living Off The Land, Windows Post-Exploitation
|
2024-05-28
|
|
Windows Indirect Command Execution Via pcalua
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
TTP
|
Living Off The Land
|
2024-05-10
|
|
Windows Indirect Command Execution Via Series Of Forfiles
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Indirect Command Execution
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-05-19
|
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
Phishing
Modify Registry
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2024-05-25
|
|
Windows InstallUtil Credential Theft
|
Sysmon EventID 7
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Signed Binary Proxy Execution InstallUtil
|
2024-05-18
|
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
System Binary Proxy Execution
InstallUtil
|
TTP
|
Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-08-14
|
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
|
Windows InstallUtil Uninstall Option with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
InstallUtil
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 1, Sysmon EventID 11
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-05-17
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL Search Order Hijacking
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-04-06
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Anomaly
|
CISA AA23-347A
|
2024-05-11
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-09-24
|
|
Windows LOLBAS Executed As Renamed File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Rename System Utilities
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2024-04-30
|
|
Windows LOLBAS Executed Outside Expected Path
|
Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
Match Legitimate Name or Location
Rundll32
|
TTP
|
Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics
|
2024-04-29
|
|
Windows Mark Of The Web Bypass
|
Sysmon EventID 23
|
Mark-of-the-Web Bypass
|
TTP
|
Warzone RAT
|
2024-05-11
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Qakbot
|
2024-05-24
|
|
Windows Masquerading Msdtc Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Masquerading
|
TTP
|
PlugX
|
2024-05-19
|
|
Windows Modify Registry AuthenticationLevelOverride
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-05-28
|
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-05-20
|
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-05-22
|
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ShrinkLocker
|
2024-06-19
|
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
LockBit Ransomware
|
2024-05-15
|
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
Modify Registry
|
TTP
|
CISA AA24-241A, ShrinkLocker
|
2024-06-21
|
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-06-19
|
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A
|
2024-05-31
|
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-05-21
|
|
Windows Modify Registry Disable Win Defender Raw Write Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-05-11
|
|
Windows Modify Registry Disable WinDefender Notifications
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, RedLine Stealer
|
2024-05-09
|
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-05-21
|
|
Windows Modify Registry DisableRemoteDesktopAntiAlias
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-05-16
|
|
Windows Modify Registry DisableSecuritySettings
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
CISA AA23-347A, DarkGate Malware
|
2024-05-13
|
|
Windows Modify Registry Disabling WER Settings
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult, CISA AA23-347A
|
2024-05-12
|
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Azorult
|
2024-05-22
|
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-05-21
|
|
Windows Modify Registry DontShowUI
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
DarkGate Malware
|
2024-05-16
|
|
Windows Modify Registry EnableLinkedConnections
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
BlackByte Ransomware
|
2024-05-13
|
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
BlackByte Ransomware
|
2024-05-21
|
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Warzone RAT
|
2024-05-23
|
|
Windows Modify Registry No Auto Reboot With Logon User
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-05-26
|
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-05-15
|
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Rhysida Ransomware
|
2024-05-30
|
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ShrinkLocker
|
2024-06-19
|
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-05-22
|
|
Windows Modify Registry ProxyServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
DarkGate Malware
|
2024-05-11
|
|
Windows Modify Registry Qakbot Binary Data Registry
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Qakbot
|
2024-05-12
|
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Modify Registry
|
Anomaly
|
Azorult
|
2024-05-14
|
|
Windows Modify Registry Risk Behavior
|
|
Modify Registry
|
Correlation
|
Windows Registry Abuse
|
2024-05-15
|
|
Windows Modify Registry Suppress Win Defender Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-05-17
|
|
Windows Modify Registry Tamper Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
RedLine Stealer
|
2024-05-13
|
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
CISA AA24-241A, ShrinkLocker
|
2024-06-21
|
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
RedLine Stealer
|
2024-05-20
|
|
Windows Modify Registry USeWuServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-05-16
|
|
Windows Modify Registry Utilize ProgIDs
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
ValleyRAT
|
2024-09-26
|
|
Windows Modify Registry ValleyRAT C2 Config
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-26
|
|
Windows Modify Registry ValleyRat PWN Reg Entry
|
Sysmon EventID 13
|
Modify Registry
|
TTP
|
ValleyRAT
|
2024-09-26
|
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
NjRAT
|
2024-05-25
|
|
Windows Modify Registry WuServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-05-15
|
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
Hunting
|
RedLine Stealer
|
2024-05-31
|
|
Windows Modify Show Compress Color And Info Tip Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-27
|
|
Windows Modify System Firewall with Notable Process Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify System Firewall
Impair Defenses
|
TTP
|
NjRAT
|
2024-05-10
|
|
Windows Mshta Execution In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Mshta
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques
|
2024-05-12
|
|
Windows MSHTA Writing to World Writable Path
|
Sysmon EventID 11
|
Mshta
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity
|
2024-05-26
|
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
|
Windows MsiExec HideWindow Rundll32 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
System Binary Proxy Execution
|
TTP
|
Qakbot
|
2024-05-29
|
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
DarkGate Malware
|
2024-08-14
|
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
|
Windows MSIExec With Network Connections
|
Sysmon EventID 1, Sysmon EventID 3
|
Msiexec
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-09-24
|
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
Modify Registry
|
Hunting
|
Outlook RCE CVE-2024-21378
|
2024-07-23
|
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Fileless Storage
Obfuscated Files or Information
|
TTP
|
NjRAT
|
2024-05-23
|
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
Hunting
|
Living Off The Land
|
2024-08-14
|
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-08-14
|
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Odbcconf
|
TTP
|
Living Off The Land
|
2024-08-15
|
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
Modify Registry
|
Anomaly
|
Suspicious Windows Registry Activities
|
2024-07-30
|
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Parent PID Spoofing
Access Token Manipulation
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-25
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
Impair Defenses
Disable Windows Event Logging
Server Software Component
IIS Components
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2024-05-05
|
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult
|
2024-05-29
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-09-24
|
|
Windows Privilege Escalation Suspicious Process Elevation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-05-23
|
|
Windows Privilege Escalation System Process Without System Parent
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-05-28
|
|
Windows Privilege Escalation User Process Spawn System Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Access Token Manipulation
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-05-13
|
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Qakbot
|
2024-05-20
|
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
Process Injection
Portable Executable Injection
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework
|
2024-08-14
|
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
Dynamic-link Library Injection
Process Injection
|
TTP
|
Qakbot
|
2024-05-21
|
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
Process Injection
Portable Executable Injection
|
TTP
|
Graceful Wipe Out Attack, Qakbot, Warzone RAT
|
2024-05-24
|
|
Windows Process Injection Wermgr Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-05-28
|
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
Process Injection
Portable Executable Injection
|
Hunting
|
Brute Ratel C4
|
2024-08-14
|
|
Windows Process With NamedPipe CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
Anomaly
|
Windows Defense Evasion Tactics
|
2024-05-13
|
|
Windows Process Writing File to World Writable Path
|
|
Mshta
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-23
|
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
|
TTP
|
Ransomware
|
2024-08-15
|
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Dynamic-link Library Injection
System Binary Proxy Execution
Process Injection
|
TTP
|
Windows Defense Evasion Tactics
|
2024-08-15
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
Pre-OS Boot
Registry Run Keys / Startup Folder
|
TTP
|
Windows BootKits
|
2024-05-29
|
|
Windows Registry Certificate Added
|
Sysmon EventID 12, Sysmon EventID 13
|
Install Root Certificate
Subvert Trust Controls
|
Anomaly
|
Windows Drivers, Windows Registry Abuse
|
2024-05-29
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-12
|
|
Windows Registry Payload Injection
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Obfuscated Files or Information
Fileless Storage
|
TTP
|
Unusual Processes
|
2024-05-10
|
|
Windows Registry SIP Provider Modification
|
Sysmon EventID 12, Sysmon EventID 13
|
SIP and Trust Provider Hijacking
|
TTP
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-05-28
|
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Regsvr32
System Binary Proxy Execution
|
TTP
|
Qakbot
|
2024-05-14
|
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Unusual Processes
|
2024-08-14
|
|
Windows Rundll32 Apply User Settings Changes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Binary Proxy Execution
Rundll32
|
TTP
|
Rhysida Ransomware
|
2024-05-29
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
Services Registry Permissions Weakness
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-30
|
|
Windows SIP Provider Inventory
|
|
SIP and Trust Provider Hijacking
|
Hunting
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-05-09
|
|
Windows SIP WinVerifyTrust Failed Trust Validation
|
Windows Event Log CAPI2 81
|
SIP and Trust Provider Hijacking
|
Anomaly
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
2024-05-13
|
|
Windows Snake Malware File Modification Crmlog
|
Sysmon EventID 11
|
Obfuscated Files or Information
|
TTP
|
Snake Malware
|
2024-05-07
|
|
Windows Snake Malware Registry Modification wav OpenWithProgIds
|
Sysmon EventID 12, Sysmon EventID 13
|
Modify Registry
|
TTP
|
Snake Malware
|
2024-05-13
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-17
|
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
Steal or Forge Authentication Certificates
Use Alternate Authentication Material
|
TTP
|
Windows Certificate Services
|
2024-05-24
|
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Compiled HTML File
System Binary Proxy Execution
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-14
|
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Script Proxy Execution
System Binary Proxy Execution
|
TTP
|
Living Off The Land
|
2024-08-15
|
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
Disable or Modify Tools
Impair Defenses
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-08-15
|
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Virtualization/Sandbox Evasion
Time Based Evasion
|
TTP
|
NjRAT
|
2024-05-24
|
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Time Based Evasion
Virtualization/Sandbox Evasion
|
Anomaly
|
Snake Keylogger
|
2024-05-28
|
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
Bypass User Account Control
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-05-22
|
|
Windows UAC Bypass Suspicious Escalation Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
Bypass User Account Control
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-05-27
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
NjRAT, Warzone RAT
|
2024-05-31
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
DarkGate Malware, PlugX
|
2024-06-07
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
Boot or Logon Autostart Execution
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-27
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
Bootkit
|
Hunting
|
BlackLotus Campaign
|
2024-05-23
|
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
Remcos
|
2024-08-15
|
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Disable or Modify Tools
Impair Defenses
|
Hunting
|
Azorult, IcedID
|
2024-08-15
|
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
Suspicious WMI Use
|
2024-08-14
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
Create or Modify System Process
Parent PID Spoofing
Access Token Manipulation
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2024-07-11
|
|
WSReset UAC Bypass
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-19
|
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
XSL Script Processing
|
TTP
|
FIN7, Suspicious WMI Use
|
2024-08-14
|
|
Detect Software Download To Network Device
|
|
TFTP Boot
Pre-OS Boot
|
TTP
|
Router and Infrastructure Security
|
2024-05-20
|
|
Windows AD Replication Service Traffic
|
|
OS Credential Dumping
DCSync
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-19
|
|
Windows AD Rogue Domain Controller Network Activity
|
|
Rogue Domain Controller
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-18
|