Name | Data Source | MITRE ATT&CK Technique | Type | Analytic Story | Date
ESXi Bulk VM Termination | VMWare ESXi Syslog | Virtual Machine Discovery, System Shutdown/Reboot, Endpoint Denial of Service | TTP | Black Basta Ransomware, ESXi Post Compromise | 2025-05-12
ESXi System Information Discovery | VMWare ESXi Syslog | System Information Discovery | TTP | Black Basta Ransomware, ESXi Post Compromise | 2025-05-14
ESXi VM Discovery | VMWare ESXi Syslog | Virtual Machine Discovery | TTP | Black Basta Ransomware, China-Nexus Threat Activity, ESXi Post Compromise | 2025-08-06
Okta IDP Lifecycle Modifications | Okta | Cloud Account | Anomaly | Suspicious Okta Activity | 2025-05-02
Okta Multiple Failed Requests to Access Applications | Okta | Web Session Cookie, Cloud Service Dashboard | Hunting | Okta Account Takeover | 2025-05-02
Okta Unauthorized Access to Application | Okta | Cloud Account | Anomaly | Okta Account Takeover | 2025-05-02
Splunk Authentication Token Exposure in Debug Log | | Log Enumeration | TTP | Splunk Vulnerabilities | 2025-05-02
Splunk Information Disclosure on Account Login | Splunk | Account Discovery | Hunting | Splunk Vulnerabilities | 2025-05-02
Splunk Path Traversal In Splunk App For Lookup File Edit | Splunk | File and Directory Discovery | Hunting | Splunk Vulnerabilities | 2025-05-02
Amazon EKS Kubernetes cluster scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2025-05-02
Amazon EKS Kubernetes Pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2025-05-02
ASL AWS IAM AccessDenied Discovery Events | ASL AWS CloudTrail | Cloud Infrastructure Discovery | Anomaly | Suspicious Cloud User Activities | 2025-05-02
ASL AWS IAM Assume Role Policy Brute Force | ASL AWS CloudTrail | Cloud Infrastructure Discovery, Brute Force | TTP | AWS IAM Privilege Escalation | 2025-05-02
ASL AWS IAM Successful Group Deletion | ASL AWS CloudTrail | Cloud Groups, Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2025-05-02
AWS Bedrock High Number List Foundation Model Failures | AWS CloudTrail | Cloud Infrastructure Discovery | TTP | AWS Bedrock Security | 2025-05-02
AWS Excessive Security Scanning | AWS CloudTrail | Cloud Service Discovery | TTP | AWS User Monitoring | 2025-05-02
AWS High Number Of Failed Authentications For User | AWS CloudTrail ConsoleLogin | Password Policy Discovery | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2025-05-02
AWS IAM AccessDenied Discovery Events | AWS CloudTrail | Cloud Infrastructure Discovery | Anomaly | Suspicious Cloud User Activities | 2025-05-02
AWS IAM Assume Role Policy Brute Force | AWS CloudTrail | Cloud Infrastructure Discovery, Brute Force | TTP | AWS IAM Privilege Escalation | 2025-05-02
AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2025-05-02
AWS Password Policy Changes | AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy | Password Policy Discovery | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2025-05-02
Azure AD AzureHound UserAgent Detected | Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs | Cloud Account, Cloud Service Discovery | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2025-05-02
Azure AD Service Principal Enumeration | Azure Active Directory MicrosoftGraphActivityLogs | Cloud Account, Cloud Service Discovery | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2025-06-24
GCP Kubernetes cluster pod scan detection | | Cloud Service Discovery | Hunting | Kubernetes Scanning Activity | 2025-05-02
Kubernetes Access Scanning | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2025-05-02
Kubernetes Scanner Image Pulling | | Cloud Service Discovery | TTP | Dev Sec Ops | 2025-05-02
Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | Network Service Discovery | Anomaly | Kubernetes Security | 2025-05-02
Kubernetes Suspicious Image Pulling | Kubernetes Audit | Cloud Service Discovery | Anomaly | Kubernetes Security | 2025-05-02
AdsiSearcher Account Discovery | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2 | 2025-05-02
Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | TTP | FIN7 | 2025-05-02
Cisco NVM - Suspicious Network Connection to IP Lookup Service API | Cisco Network Visibility Module Flow Data | IP Addresses, System Network Configuration Discovery | Anomaly | Cisco Network Visibility Module Analytics | 2025-09-09
Detect AzureHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | Compromised Windows Host, Windows Discovery Techniques | 2025-05-02
Detect AzureHound File Modifications | Sysmon EventID 11 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | Windows Discovery Techniques | 2025-05-02
Detect SharpHound Command-Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2025-05-02
Detect SharpHound File Modifications | Sysmon EventID 11 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | BlackSuit Ransomware, Ransomware, Windows Discovery Techniques | 2025-05-02
Detect SharpHound Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | Ransomware, Windows Discovery Techniques | 2025-05-02
Domain Account Discovery with Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account | Anomaly | Active Directory Discovery, LAMEHUG | 2025-08-27
Domain Account Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account | TTP | Active Directory Discovery, Interlock Ransomware | 2025-07-28
Domain Controller Discovery with Nltest | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Medusa Ransomware, Rhysida Ransomware | 2025-05-02
Domain Controller Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2025-05-02
Domain Group Discovery with Adsisearcher | Powershell Script Block Logging 4104 | Domain Groups | TTP | Active Directory Discovery | 2025-06-24
Domain Group Discovery With Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | Anomaly | Active Directory Discovery, LAMEHUG | 2025-08-27
Domain Group Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | Hunting | Active Directory Discovery | 2025-05-02
DSQuery Domain Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery, Compromised Windows Host, Domain Trust Discovery | 2025-05-02
Elevated Group Discovery with PowerView | Powershell Script Block Logging 4104 | Domain Groups | Hunting | Active Directory Discovery | 2025-06-24
Elevated Group Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | TTP | Active Directory Discovery | 2025-05-02
Enumerate Users Local Group Using Telegram | Windows Event Log Security 4798 | Account Discovery | TTP | Compromised Windows Host, Water Gamayun, XMRig | 2025-05-02
Get ADDefaultDomainPasswordPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | Hunting | Active Directory Discovery | 2025-05-02
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | Hunting | Active Directory Discovery | 2025-05-02
Get ADUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account | Hunting | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get ADUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account | Hunting | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get ADUserResultantPasswordPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get ADUserResultantPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | TTP | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get DomainPolicy with Powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | TTP | Active Directory Discovery | 2025-05-02
Get DomainPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | Password Policy Discovery | TTP | Active Directory Discovery | 2025-05-02
Get-DomainTrust with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery | 2025-05-02
Get-DomainTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery | TTP | Active Directory Discovery | 2025-06-24
Get DomainUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account | TTP | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get DomainUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery, CISA AA23-347A | 2025-05-02
Get-ForestTrust with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery | 2025-05-02
Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery, PowerShell | TTP | Active Directory Discovery | 2025-06-24
Get WMIObject Group Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups | Hunting | Active Directory Discovery | 2025-05-02
Get WMIObject Group Discovery with Script Block Logging | Powershell Script Block Logging 4104 | Local Groups | Hunting | Active Directory Discovery | 2025-06-24
GetAdComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery, Medusa Ransomware | 2025-05-02
GetAdComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | Hunting | Active Directory Discovery, CISA AA22-320A, Gozi Malware, Medusa Ransomware | 2025-06-24
GetAdGroup with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | Hunting | Active Directory Discovery | 2025-05-02
GetAdGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Groups | Hunting | Active Directory Discovery | 2025-06-24
GetCurrent User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2025-05-02
GetCurrent User with PowerShell Script Block | Powershell Script Block Logging 4104 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2025-06-24
GetDomainComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2025-05-02
GetDomainComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2025-06-24
GetDomainController with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Hunting | Active Directory Discovery | 2025-05-02
GetDomainController with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2025-06-24
GetDomainGroup with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | TTP | Active Directory Discovery | 2025-05-02
GetDomainGroup with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Groups | TTP | Active Directory Discovery | 2025-06-24
GetLocalUser with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account | Hunting | Active Directory Discovery | 2025-05-02
GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | PowerShell, Local Account | Hunting | Active Directory Discovery, Malicious PowerShell | 2025-06-24
GetNetTcpconnection with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery | 2025-05-02
GetNetTcpconnection with PowerShell Script Block | Powershell Script Block Logging 4104 | System Network Connections Discovery | Hunting | Active Directory Discovery | 2025-06-24
GetWmiObject Ds Computer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2025-05-02
GetWmiObject Ds Computer with PowerShell Script Block | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2025-06-24
GetWmiObject Ds Group with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | TTP | Active Directory Discovery | 2025-05-02
GetWmiObject Ds Group with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Groups | TTP | Active Directory Discovery | 2025-06-24
GetWmiObject DS User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
GetWmiObject DS User with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
GetWmiObject User Account with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account | Hunting | Active Directory Discovery, Water Gamayun, Winter Vivern | 2025-05-02
GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | PowerShell, Local Account | Hunting | Active Directory Discovery, Malicious PowerShell, Winter Vivern | 2025-06-24
Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Auditd File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | System Information Discovery, Rootkit | Anomaly | Compromised Linux Host, Linux Rootkit, XorDDos | 2025-05-02
Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | System Network Configuration Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | File and Directory Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Auditd Whoami User Discovery | Linux Auditd Syscall | System Owner/User Discovery | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2025-05-02
Linux Kernel Module Enumeration | Sysmon for Linux EventID 1 | System Information Discovery, Rootkit | Anomaly | Linux Rootkit, XorDDos | 2025-05-02
Linux System Network Discovery | Sysmon for Linux EventID 1 | System Network Configuration Discovery | Anomaly | Data Destruction, Industroyer2, Network Discovery | 2025-05-02
Local Account Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account | Hunting | Active Directory Discovery | 2025-05-02
Network Connection Discovery With Arp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, IcedID, Interlock Ransomware, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation | 2025-07-28
Network Connection Discovery With Netstat | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, Medusa Ransomware, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation | 2025-05-02
Network Discovery Using Route Windows App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Internet Connection Discovery | Hunting | Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation | 2025-05-02
Network Share Discovery Via Dir Command | Windows Event Log Security 5140 | Network Share Discovery | Hunting | IcedID | 2025-05-02
Network Traffic to Active Directory Web Services Protocol | Sysmon EventID 3 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | Hunting | Windows Discovery Techniques | 2025-06-17
NLTest Domain Trust Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Trust Discovery | TTP | Active Directory Discovery, Cleo File Transfer Software, Domain Trust Discovery, IcedID, Medusa Ransomware, Qakbot, Rhysida Ransomware, Ryuk Ransomware | 2025-05-02
Ping Sleep Batch Command | CrowdStrike ProcessRollup2, Sysmon EventID 1 | Time Based Evasion | Anomaly | BlackByte Ransomware, Data Destruction, Meduza Stealer, Quasar RAT, Warzone RAT, WhisperGate | 2025-07-16
Potential System Network Configuration Discovery Activity | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | Anomaly | Unusual Processes | 2025-05-02
PowerShell Get LocalGroup Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups | Hunting | Active Directory Discovery | 2025-05-02
Powershell Get LocalGroup Discovery with Script Block Logging | Powershell Script Block Logging 4104 | Local Groups | Hunting | Active Directory Discovery | 2025-06-24
Remote System Discovery with Adsisearcher | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Discovery | 2025-06-24
Remote System Discovery with Dsquery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | Anomaly | Active Directory Discovery, LAMEHUG | 2025-08-27
Remote System Discovery with Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | Active Directory Discovery | 2025-05-02
SchCache Change By App Connect And Create ADSI Object | Sysmon EventID 11 | Domain Account | Anomaly | BlackMatter Ransomware | 2025-05-02
System Information Discovery Detection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Information Discovery | TTP | BlackSuit Ransomware, Cleo File Transfer Software, Gozi Malware, Interlock Ransomware, LAMEHUG, Medusa Ransomware, Windows Discovery Techniques | 2025-08-27
System User Discovery With Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery, Medusa Ransomware | 2025-05-02
System User Discovery With Whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Anomaly | Active Directory Discovery, CISA AA23-347A, LAMEHUG, PHP-CGI RCE Attack on Japanese Organizations, Qakbot, Rhysida Ransomware, Winter Vivern | 2025-08-27
User Discovery With Env Vars PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2025-05-02
User Discovery With Env Vars PowerShell Script Block | Powershell Script Block Logging 4104 | System Owner/User Discovery | Hunting | Active Directory Discovery | 2025-06-24
Web Servers Executing Suspicious Processes | Sysmon EventID 1 | System Information Discovery | TTP | Apache Struts Vulnerability | 2025-05-02
Windows Account Discovery for None Disable User Account | Powershell Script Block Logging 4104 | Local Account | Hunting | CISA AA23-347A | 2025-06-24
Windows Account Discovery for Sam Account Name | Powershell Script Block Logging 4104 | Account Discovery | Anomaly | CISA AA23-347A | 2025-06-24
Windows Account Discovery With NetUser PreauthNotRequire | Powershell Script Block Logging 4104 | Account Discovery | Hunting | CISA AA23-347A | 2025-06-24
Windows AD Abnormal Object Access Activity | Windows Event Log Security 4662 | Domain Account | Anomaly | Active Directory Discovery, BlackSuit Ransomware | 2025-05-02
Windows AD Privileged Object Access Activity | Windows Event Log Security 4662 | Domain Account | TTP | Active Directory Discovery, BlackSuit Ransomware | 2025-05-02
Windows AdFind Exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote System Discovery | TTP | BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group | 2025-05-02
Windows Admin Permission Discovery | Sysmon EventID 11 | Local Groups | Anomaly | NjRAT | 2025-05-02
Windows Administrative Shares Accessed On Multiple Hosts | Windows Event Log Security 5140, Windows Event Log Security 5145 | Network Share Discovery | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2025-05-02
Windows Chromium Browser No Security Sandbox Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Virtualization/Sandbox Evasion | TTP | Malicious Inno Setup Loader | 2025-05-26
Windows Chromium Browser with Custom User Data Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Virtualization/Sandbox Evasion | Anomaly | Lokibot, Malicious Inno Setup Loader | 2025-09-30
Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2025-05-02
Windows Credential Access From Browser Password Store | Windows Event Log Security 4663 | Query Registry | Anomaly | 0bj3ctivity Stealer, Braodo Stealer, China-Nexus Threat Activity, Earth Alux, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, PXA Stealer, Quasar RAT, Salt Typhoon, Scattered Spider, Snake Keylogger, SnappyBee | 2025-08-22
Windows Credentials from Password Stores Chrome Extension Access | Windows Event Log Security 4663 | Query Registry | Anomaly | 0bj3ctivity Stealer, Amadey, Braodo Stealer, CISA AA23-347A, DarkGate Malware, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, Phemedrone Stealer, RedLine Stealer | 2025-08-22
Windows Credentials from Password Stores Chrome LocalState Access | Windows Event Log Security 4663 | Query Registry | Anomaly | 0bj3ctivity Stealer, Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Alux, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Salt Typhoon, Snake Keylogger, SnappyBee, Warzone RAT | 2025-09-30
Windows Credentials from Password Stores Chrome Login Data Access | Windows Event Log Security 4663 | Query Registry | Anomaly | 0bj3ctivity Stealer, Amadey, Braodo Stealer, China-Nexus Threat Activity, DarkGate Malware, Earth Alux, Lokibot, Malicious Inno Setup Loader, Meduza Stealer, MoonPeak, NjRAT, PXA Stealer, Phemedrone Stealer, Quasar RAT, RedLine Stealer, Salt Typhoon, Snake Keylogger, SnappyBee, Warzone RAT | 2025-09-30
Windows Domain Account Discovery Via Get-NetComputer | Powershell Script Block Logging 4104 | Domain Account | Anomaly | CISA AA23-347A | 2025-06-24
Windows EventLog Recon Activity Using Log Query Utilities | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Log Enumeration | Anomaly | Windows Discovery Techniques | 2025-05-02
Windows File Share Discovery With Powerview | Powershell Script Block Logging 4104 | Network Share Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation | 2025-06-24
Windows Find Domain Organizational Units with GetDomainOU | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
Windows Find Interesting ACL with FindInterestingDomainAcl | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
Windows Forest Discovery with GetForestDomain | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
Windows Get-AdComputer Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks, Medusa Ransomware | 2025-05-02
Windows Get Local Admin with FindLocalAdminAccess | Powershell Script Block Logging 4104 | Domain Account | TTP | Active Directory Discovery | 2025-05-02
Windows Group Discovery Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups, Domain Groups | Hunting | Active Directory Discovery, Azorult, Cleo File Transfer Software, Graceful Wipe Out Attack, IcedID, Medusa Ransomware, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation | 2025-05-02
Windows Information Discovery Fsutil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Information Discovery | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2025-10-07
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2025-05-02
Windows Ldifde Directory Object Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Ingress Tool Transfer, Domain Groups | TTP | Volt Typhoon | 2025-05-02
Windows Linked Policies In ADSI Discovery | Powershell Script Block Logging 4104 | Domain Account | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2025-05-02
Windows Net System Service Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Service Discovery | Anomaly | LAMEHUG | 2025-08-25
Windows Network Connection Discovery Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Hunting | Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation | 2025-05-02
Windows Network Share Interaction Via Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Network Share Discovery, Data from Network Shared Drive | Anomaly | Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery | 2025-05-02
Windows Non Discord App Access Discord LevelDB | Windows Event Log Security 4663 | Query Registry | Anomaly | PXA Stealer, Snake Keylogger | 2025-05-02
Windows Password Policy Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Password Policy Discovery | Hunting | Active Directory Discovery | 2025-05-02
Windows Post Exploitation Risk Behavior | | Query Registry, System Network Connections Discovery, Permission Groups Discovery, System Network Configuration Discovery, OS Credential Dumping, System Information Discovery, Clipboard Data, Unsecured Credentials | Correlation | Windows Post-Exploitation | 2025-05-02
Windows PowerShell Invoke-RestMethod IP Information Collection | Powershell Script Block Logging 4104 | System Information Discovery, System Network Configuration Discovery, PowerShell | Anomaly | Water Gamayun | 2025-06-24
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2025-06-24
Windows PowerView Constrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2025-05-02
Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | Remote System Discovery | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2025-05-02
Windows Process Commandline Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Discovery | Hunting | CISA AA23-347A | 2025-05-19
Windows Query Registry Browser List Application | Windows Event Log Security 4663 | Query Registry | Anomaly | China-Nexus Threat Activity, RedLine Stealer, Salt Typhoon, SnappyBee | 2025-05-02
Windows Query Registry UnInstall Program List | Windows Event Log Security 4663 | Query Registry | Anomaly | Meduza Stealer, RedLine Stealer | 2025-05-02
Windows Registry Entries Exported Via Reg | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2025-05-02
Windows Registry Entries Restored Via Reg | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Query Registry | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2025-05-02
Windows Root Domain linked policies Discovery | Powershell Script Block Logging 4104 | Domain Account | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2025-05-02
Windows Sensitive Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain Groups | Anomaly | Active Directory Discovery, BlackSuit Ransomware, IcedID, Rhysida Ransomware, Volt Typhoon | 2025-05-02
Windows SOAPHound Binary Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP | Compromised Windows Host, Windows Discovery Techniques | 2025-05-02
Windows Special Privileged Logon On Multiple Hosts | Windows Event Log Security 4672 | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host | 2025-05-02
Windows Suspect Process With Authentication Traffic | Sysmon EventID 3 | Domain Account, Malicious File | Anomaly | Active Directory Discovery | 2025-05-02
Windows System Discovery Using ldap Nslookup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Anomaly | Qakbot | 2025-05-02
Windows System Discovery Using Qwinsta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Owner/User Discovery | Hunting | Qakbot | 2025-05-02
Windows System Network Config Discovery Display DNS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Configuration Discovery | Anomaly | Medusa Ransomware, Prestige Ransomware, Water Gamayun, Windows Post-Exploitation | 2025-05-02
Windows System Network Connections Discovery Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Network Connections Discovery | Anomaly | Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation | 2025-05-02
Windows System Remote Discovery With Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | | | |
|
System Owner/User Discovery
|
Anomaly
|
Active Directory Discovery, Medusa Ransomware
|
2025-05-02
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Time Discovery
|
Anomaly
|
DarkCrystal RAT
|
2025-05-02
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
Crypto Stealer, Prestige Ransomware, Windows Post-Exploitation
|
2025-05-02
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Owner/User Discovery
|
Hunting
|
CISA AA23-347A
|
2025-05-02
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Time Based Evasion
|
TTP
|
NjRAT
|
2025-05-02
|
Windows Time Based Evasion via Choice Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Time Based Evasion
|
Anomaly
|
0bj3ctivity Stealer, Snake Keylogger
|
2025-08-22
|
Windows User Discovery Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Hunting
|
Active Directory Discovery, Medusa Ransomware, Sandworm Tools
|
2025-05-02
|
Windows Wmic CPU Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
LAMEHUG
|
2025-08-25
|
Windows Wmic DiskDrive Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
LAMEHUG
|
2025-08-25
|
Windows Wmic Memory Chip Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
LAMEHUG
|
2025-08-25
|
Windows Wmic Network Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
LAMEHUG
|
2025-08-25
|
Windows Wmic Systeminfo Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Information Discovery
|
Anomaly
|
LAMEHUG
|
2025-08-25
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Groups
|
Anomaly
|
Active Directory Discovery, LAMEHUG
|
2025-08-27
|
Cisco Secure Firewall - Blocked Connection
|
Cisco Secure Firewall Threat Defense Connection Event
|
Remote System Discovery
Network Service Discovery
Brute Force
Exploitation for Client Execution
Vulnerability Scanning
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-07-10
|
Cisco Secure Firewall - Repeated Blocked Connections
|
Cisco Secure Firewall Threat Defense Connection Event
|
Remote System Discovery
Network Service Discovery
Brute Force
Exploitation for Client Execution
Vulnerability Scanning
|
Anomaly
|
Cisco Secure Firewall Threat Defense Analytics
|
2025-07-10
|
Cisco SNMP Community String Configuration Changes
|
Cisco IOS Logs
|
Disable or Modify Tools
Network Sniffing
Unsecured Credentials
|
Anomaly
|
Cisco Smart Install Remote Code Execution CVE-2018-0171
|
2025-08-21
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
Network Service Discovery
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2025-08-18
|
Internal Horizontal Port Scan NMAP Top 20
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
Network Service Discovery
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2025-08-18
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event
|
Network Service Discovery
|
TTP
|
China-Nexus Threat Activity, Cisco Secure Firewall Threat Defense Analytics, Network Discovery
|
2025-09-18
|
Internal Vulnerability Scan
|
|
Vulnerability Scanning
Network Service Discovery
|
TTP
|
Network Discovery
|
2025-05-02
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2025-05-02
|