Detect Risky SPL using Pretrained ML Model
|
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-17
|
Splunk Command and Scripting Interpreter Delete Usage
|
Splunk
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
Splunk Command and Scripting Interpreter Risky Commands
|
Splunk
|
Command and Scripting Interpreter
|
Hunting
|
Splunk Vulnerabilities
|
2024-10-17
|
Splunk Command and Scripting Interpreter Risky SPL MLTK
|
Splunk
|
Command and Scripting Interpreter
|
Anomaly
|
Splunk Vulnerabilities
|
2024-10-16
|
ASL AWS ECR Container Upload Outside Business Hours
|
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
ASL AWS ECR Container Upload Unknown User
|
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
AWS ECR Container Scanning Findings High
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
TTP
|
Dev Sec Ops
|
2024-09-30
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
AWS ECR Container Scanning Findings Medium
|
AWS CloudTrail DescribeImageScanFindings
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
AWS ECR Container Upload Outside Business Hours
|
AWS CloudTrail PutImage
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
AWS ECR Container Upload Unknown User
|
AWS CloudTrail PutImage
|
Malicious Image
User Execution
|
Anomaly
|
Dev Sec Ops
|
2024-09-30
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
User Execution
|
Hunting
|
Suspicious Cloud User Activities
|
2024-10-22
|
Kubernetes Anomalous Inbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Anomalous Inbound to Outbound Network IO Ratio
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Anomalous Outbound Network Activity from Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Anomalous Traffic on Network Edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Create or Update Privileged Pod
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
Container Orchestration Job
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes DaemonSet Deployed
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes newly seen TCP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes newly seen UDP edge
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Node Port Creation
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes Pod Created in Default Namespace
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
Kubernetes Previously Unseen Container Image Name
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Previously Unseen Process
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Process Running From New Path
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Process with Anomalous Resource Utilisation
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Process with Resource Ratio Anomalies
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Shell Running on Worker Node
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Shell Running on Worker Node with CPU Activity
|
|
User Execution
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-10-17
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
User Execution
|
Anomaly
|
Kubernetes Security
|
2024-09-30
|
O365 SharePoint Malware Detection
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud
|
2024-09-30
|
O365 Threat Intelligence Suspicious File Detected
|
|
Malicious File
User Execution
|
TTP
|
Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud
|
2024-09-30
|
Risk Rule for Dev Sec Ops by Repository
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2024-10-22
|
Correlation by Repository and Risk
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2024-10-17
|
Correlation by User and Risk
|
|
Malicious Image
User Execution
|
Correlation
|
Dev Sec Ops
|
2024-10-17
|
First time seen command line argument
|
Sysmon EventID 1
|
PowerShell
Windows Command Shell
|
Hunting
|
DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions
|
2024-10-17
|
Scheduled tasks used in BadRabbit ransomware
|
Sysmon EventID 1
|
Scheduled Task
|
TTP
|
Ransomware
|
2024-10-17
|
Suspicious Powershell Command-Line Arguments
|
Sysmon EventID 1
|
PowerShell
|
TTP
|
CISA AA22-320A, Hermetic Wiper, Malicious PowerShell
|
2024-10-17
|
Uncommon Processes On Endpoint
|
Sysmon EventID 1
|
Malicious File
|
Hunting
|
Hermetic Wiper, Unusual Processes, Windows Privilege Escalation
|
2024-10-17
|
Windows connhost exe started forcefully
|
Sysmon EventID 1
|
Windows Command Shell
|
TTP
|
Ryuk Ransomware
|
2024-10-17
|
Any Powershell DownloadFile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
Ingress Tool Transfer
|
TTP
|
Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, PXA Stealer, Phemedrone Stealer
|
2024-09-30
|
Any Powershell DownloadString
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
Ingress Tool Transfer
|
TTP
|
Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern
|
2024-09-30
|
Batch File Write to System32
|
Sysmon EventID 1, Sysmon EventID 11
|
User Execution
Malicious File
|
TTP
|
Compromised Windows Host, SamSam Ransomware
|
2024-11-28
|
CHCP Command Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Azorult, Forest Blizzard, IcedID
|
2024-09-30
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2024-11-28
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Command and Scripting Interpreter
|
Hunting
|
AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern
|
2024-10-17
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
Windows Service
Create or Modify System Process
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2024-11-28
|
Cmdline Tool Not Executed In CMD Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
JavaScript
|
TTP
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon
|
2024-09-30
|
Conti Common Exec parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Compromised Windows Host, Ransomware
|
2024-11-28
|
Detect Certify With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
Steal or Forge Authentication Certificates
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell, Windows Certificate Services
|
2024-09-30
|
Detect Empire with PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
Detect Mimikatz With PowerShell Script Block Logging
|
Powershell Script Block Logging 4104
|
OS Credential Dumping
PowerShell
|
TTP
|
CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools
|
2024-09-30
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2024-10-17
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
Anomaly
|
Rhysida Ransomware, Unusual Processes
|
2024-09-30
|
Detect Renamed PSExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Services
Service Execution
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools
|
2024-10-17
|
Detect suspicious processnames using pretrained model in DSDL
|
Sysmon EventID 1
|
Command and Scripting Interpreter
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-10-17
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2024-09-30
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Software Deployment Tools
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-10-17
|
Drop IcedID License dat
|
Sysmon EventID 11
|
User Execution
Malicious File
|
Hunting
|
IcedID
|
2024-10-17
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-09-30
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
Meterpreter
|
2024-09-30
|
Excessive Usage Of SC Service Utility
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
System Services
Service Execution
|
Anomaly
|
Azorult, Ransomware
|
2024-09-30
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2024-09-30
|
Execute Javascript With Jscript COM CLSID
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Visual Basic
|
TTP
|
Ransomware
|
2024-09-30
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
System Services
Service Execution
|
Anomaly
|
NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse
|
2024-10-17
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Domain Trust Discovery
PowerShell
|
TTP
|
Active Directory Discovery
|
2024-09-30
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Account Discovery
Local Account
PowerShell
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2024-10-17
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Account Discovery
Local Account
PowerShell
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2024-10-17
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-11-28
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-11-28
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-11-28
|
Jscript Execution Using Cscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
JavaScript
|
TTP
|
FIN7, Remcos
|
2024-09-30
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
Cron
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
At
Scheduled Task/Job
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
Cron
Scheduled Task/Job
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path
|
Cron
Scheduled Task/Job
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Auditd Service Started
|
Linux Auditd Proctitle
|
Service Execution
System Services
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1
|
Obfuscated Files or Information
Unix Shell
|
TTP
|
Linux Living Off The Land
|
2024-09-30
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Unix Shell Enable All SysRq Functions
|
Sysmon for Linux EventID 1
|
Unix Shell
Command and Scripting Interpreter
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-09-30
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-09-30
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-09-30
|
MacOS LOLbin
|
|
Unix Shell
Command and Scripting Interpreter
|
TTP
|
Living Off The Land
|
2024-09-30
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware
|
2024-11-28
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon
|
2024-09-30
|
Malicious PowerShell Process With Obfuscation Techniques
|
Sysmon EventID 1
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
MS Scripting Process Loading Ldap Module
|
Sysmon EventID 7
|
Command and Scripting Interpreter
JavaScript
|
Anomaly
|
FIN7
|
2024-09-30
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
Command and Scripting Interpreter
JavaScript
|
Anomaly
|
FIN7
|
2024-09-30
|
Nishang PowershellTCPOneLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
HAFNIUM Group
|
2024-09-30
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-17
|
Potentially malicious code on commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
|
Anomaly
|
Suspicious Command-Line Executions
|
2024-09-30
|
PowerShell 4104 Hunting
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
Hunting
|
Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Rhysida Ransomware
|
2024-10-17
|
PowerShell - Connect To Internet With Hidden Window
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Command and Scripting Interpreter
|
Hunting
|
AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
2024-10-17
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
Obfuscated Files or Information
Indicator Removal from Tools
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
PowerShell Enable PowerShell Remoting
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Malicious PowerShell
|
2024-09-30
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Event Triggered Execution
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-09-30
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Process Injection
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Obfuscated Files or Information
PowerShell
|
TTP
|
AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern
|
2024-09-30
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
Anomaly
|
Active Directory Lateral Movement, Malicious PowerShell
|
2024-09-30
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
Powershell Load Module in Meterpreter
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
MetaSploit
|
2024-09-30
|
PowerShell Loading DotNET into Memory via Reflection
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern
|
2024-09-30
|
Powershell Processing Stream Of Data
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer
|
2024-09-30
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
PowerShell Start or Stop Service
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-09-30
|
Powershell Using memory As Backing Store
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak
|
2024-09-30
|
PowerShell WebRequest Using Memory Stream
|
Powershell Script Block Logging 4104
|
PowerShell
Ingress Tool Transfer
Fileless Storage
|
TTP
|
Malicious PowerShell, MoonPeak
|
2024-09-30
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
Process Writing DynamicWrapperX
|
Sysmon EventID 1, Sysmon EventID 11
|
Command and Scripting Interpreter
Component Object Model
|
Hunting
|
Remcos
|
2024-10-17
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task/Job
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2024-10-17
|
Recon Using WMI Class
|
Powershell Script Block Logging 4104
|
Gather Victim Host Information
PowerShell
|
Anomaly
|
AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot
|
2024-09-30
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use
|
2024-09-30
|
Remote Process Instantiation via WMI and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2024-11-28
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-09-30
|
Remote WMI Command Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon
|
2024-09-30
|
Revil Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
|
TTP
|
Ransomware, Revil Ransomware
|
2024-09-30
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Windows Command Shell
|
TTP
|
Compromised Windows Host, Ryuk Ransomware
|
2024-11-28
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-11-28
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-11-28
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-09-30
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2024-11-28
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
Script Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-09-30
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
TTP
|
Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks
|
2024-11-28
|
Single Letter Process On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
User Execution
Malicious File
|
TTP
|
Compromised Windows Host, DHS Report TA18-074A
|
2024-11-28
|
Sunburst Correlation DLL and Network Event
|
Sysmon EventID 22, Sysmon EventID 7
|
Exploitation for Client Execution
|
TTP
|
NOBELIUM Group
|
2024-10-17
|
Suspicious Linux Discovery Commands
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Unix Shell
|
TTP
|
Linux Post-Exploitation
|
2024-09-30
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
Visual Basic
Command and Scripting Interpreter
|
TTP
|
Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate
|
2024-11-28
|
Suspicious Process Executed From Container File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Malicious File
Masquerade File Type
|
TTP
|
Amadey, Remcos, Snake Keylogger, Unusual Processes
|
2024-09-30
|
Suspicious Process With Discord DNS Query
|
Sysmon EventID 22
|
Visual Basic
Command and Scripting Interpreter
|
Anomaly
|
Data Destruction, PXA Stealer, WhisperGate
|
2024-09-30
|
Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | Anomaly | Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30
Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-09-30
Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | Impair Defenses, PowerShell, Command and Scripting Interpreter | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30
Vbscript Execution Using Wscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Visual Basic, Command and Scripting Interpreter | TTP | AsyncRAT, FIN7, Remcos | 2024-09-30
Wermgr Process Spawned CMD Or Powershell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Qakbot, Trickbot | 2024-09-30
Windows Apache Benchmark Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | MetaSploit | 2024-09-30
Windows AutoIt3 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | DarkGate Malware, Handala Wiper | 2024-09-30
Windows Command and Scripting Interpreter Hunting Path Traversal | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Hunting | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2024-10-17
Windows Command and Scripting Interpreter Path Traversal Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2024-11-28
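Several of the process-creation rows above (Single Letter Process On Endpoint, Suspicious Process Executed From Container File, Svchost LOLBAS Execution Process Spawn, Wermgr Process Spawned CMD Or Powershell Process, and the two Path Traversal entries) reduce to parent/child and command-line checks over the fields that Sysmon EventID 1 and Security 4688 provide. The Python below is an added illustration of that logic written for this page; it is not Splunk's own SPL, the sample events, rule names and the short LOLBAS subset are constructed for the example, and the traversal rule additionally resolves the `..\` segments with ntpath so the analyst sees which binary actually runs rather than eyeballing the climb.

```python
"""Process-creation rules in the spirit of the Sysmon EventID 1 / Security 4688 rows above.
Illustrative re-implementation, not Splunk's SPL; field names follow Sysmon EventID 1."""
import ntpath
import re
from typing import Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Small LOLBAS subset for the demo (assumption: a production list is much longer).
LOLBAS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
          "wscript.exe", "cscript.exe", "msiexec.exe", "bitsadmin.exe"}
# A drive-rooted path that climbs with one or more "..\" segments.
TRAVERSAL = re.compile(r'(?i)([a-z]:\\(?:\.\.\\)+[^\s"]+)')
# Explorer runs a file opened from inside an archive via a path that still names the container.
CONTAINER = re.compile(r"(?i)\.(?:zip|iso|img|cab|7z|rar)\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\System32\wermgr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\Public\run.bat"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\x.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\a.exe",
     "CommandLine": "a.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c c:\..\..\windows\system32\calc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event trips, in a fixed order."""
    parent = basename(ev.get("ParentImage", ""))
    child = basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")
    hits: List[str] = []
    if parent == "wermgr.exe" and child in SHELLS:
        hits.append("wermgr_spawned_shell")
    if parent == "svchost.exe" and child in LOLBAS:
        hits.append("svchost_lolbas_spawn")
    stem, _ = ntpath.splitext(child)
    if len(stem) == 1 and stem.isalpha():
        hits.append("single_letter_process")
    if CONTAINER.search(ev.get("Image", "")):
        hits.append("process_from_container_file")
    m = TRAVERSAL.search(cmdline)
    if m:
        # Report what executes once the "..\" segments are resolved.
        hits.append("path_traversal:" + ntpath.normpath(m.group(1)).lower())
    return hits


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(image basename, rule hits) for each event that tripped at least one rule."""
    out: List[Tuple[str, List[str]]] = []
    for ev in events:
        hits = check_event(ev)
        if hits:
            out.append((basename(ev["Image"]), hits))
    return out


if __name__ == "__main__":
    for image, hits in evaluate(SAMPLE_EVENTS):
        print(f"{image:14} {', '.join(hits)}")
```

Two practical caveats: the Task Scheduler service runs inside svchost.exe, so task actions appear as svchost.exe children and the svchost rule needs tuning against known scheduled tasks before it is alert-worthy; and Security 4688 only carries the command line when "Include command line in process creation events" is enabled by policy, without which the traversal rule has nothing to match.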
Windows Command Shell DCRat ForkBomb Payload | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | TTP | Compromised Windows Host, DarkCrystal RAT | 2024-11-28
Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-09-30
Windows Defender ASR Audit Events | Windows Event Log Defender 1122 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-09-30
Windows Defender ASR Block Events | Windows Event Log Defender 1121, Windows Event Log Defender 1129 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-09-30
Windows Defender ASR Rules Stacking | Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Hunting | Windows Attack Surface Reduction | 2024-10-17
Windows Enable PowerShell Web Access | Powershell Script Block Logging 4104 | PowerShell | TTP | CISA AA24-241A, Malicious PowerShell | 2024-09-30
Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2024-09-30
Windows Executable in Loaded Modules | Sysmon EventID 7 | Shared Modules | TTP | NjRAT | 2024-09-30
Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks | 2024-11-28
Windows Identify Protocol Handlers | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Hunting | Living Off The Land | 2024-10-17
Windows ISO LNK File Creation | Sysmon EventID 11 | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting | AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT | 2024-10-17
Windows MSExchange Management Mailbox Cmdlet Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | Anomaly | BlackByte Ransomware, ProxyNotShell, ProxyShell | 2024-09-30
Windows PaperCut NG Spawn Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services | TTP | Compromised Windows Host, PaperCut MF NG Vulnerability | 2024-11-28
Windows Powershell Cryptography Namespace | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | Anomaly | AsyncRAT | 2024-09-30
Windows PowerShell Get CIMInstance Remote Computer | Powershell Script Block Logging 4104 | PowerShell | Anomaly | Active Directory Lateral Movement | 2024-09-30
Windows Powershell Import Applocker Policy | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses | TTP | Azorult | 2024-09-30
Windows Powershell RemoteSigned File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Command and Scripting Interpreter | Anomaly | Amadey | 2024-09-30
Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | Scheduled Task, PowerShell, Command and Scripting Interpreter | Anomaly | Scheduled Tasks | 2024-09-30
Windows PowerShell WMI Win32 ScheduledJob | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | TTP | Active Directory Lateral Movement | 2024-09-30
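The Script Block Logging rows above (Unloading AMSI via Reflection, Windows Enable PowerShell Web Access, Windows PowerShell Get CIMInstance Remote Computer, Windows PowerShell WMI Win32 ScheduledJob) are all pattern matches against the ScriptBlockText field of EventID 4104. The Python below is an added example for this page, not Splunk's SPL or its search logic; the records, rule names and regexes are constructed here. The point it demonstrates is reassembly: 4104 splits a long script block into numbered fragments (MessageNumber of MessageTotal) that share one ScriptBlockId, and a keyword such as `amsiInitFailed` can land across the split, so rules that run per fragment miss it while rules that run over the rejoined block catch it.

```python
"""Scanner for PowerShell Script Block Logging (EventID 4104) records.
Added illustration of the pattern matching behind the 4104 rows above; not Splunk's SPL."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records carrying the fields 4104 emits. The first script block is
# logged as two fragments, and the split lands inside "amsiInitFailed".
SAMPLE_4104: List[Dict[str, object]] = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                        ".GetField('amsiInit"},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Failed','NonPublic,Static').SetValue($null,$true)"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Install-WindowsFeature -Name WindowsPowerShellWebAccess; "
                        "Install-PswaWebApplication -UseTestCertificate"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName srv01"},
    {"ScriptBlockId": "d4", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-CimInstance -ClassName Win32_OperatingSystem"},
    {"ScriptBlockId": "e5", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-CimMethod -ClassName Win32_ScheduledJob -MethodName Create "
                        "-Arguments @{Command='cmd /c whoami'; StartTime='********123000.000000+000'}"},
]

# Rule names are this example's own. Each is a literal, case-insensitive match,
# so obfuscated script text (string splitting, -join, encoded commands) will not match.
RULES: Dict[str, re.Pattern] = {
    "amsi_unload_via_reflection": re.compile(r"(?is)AmsiUtils.*?amsiInitFailed"),
    "enable_powershell_web_access": re.compile(
        r"(?i)Install-WindowsFeature\s+(?:-Name\s+)?WindowsPowerShellWebAccess|Install-PswaWebApplication"),
    "get_ciminstance_remote": re.compile(r"(?i)Get-CimInstance\b[^\n]*-ComputerName"),
    "wmi_win32_scheduledjob": re.compile(r"(?i)Win32_ScheduledJob"),
}


def reassemble(records: List[Dict[str, object]]) -> Dict[str, str]:
    """Join fragments per ScriptBlockId in MessageNumber order.
    A block whose fragments are not all present is still returned, partially,
    so nothing is silently dropped when the log was truncated."""
    parts: Dict[str, Dict[int, str]] = defaultdict(dict)
    for r in records:
        parts[str(r["ScriptBlockId"])][int(r["MessageNumber"])] = str(r["ScriptBlockText"])
    return {sbid: "".join(frags[n] for n in sorted(frags)) for sbid, frags in parts.items()}


def scan(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(ScriptBlockId, rule) for every rule that matches the reassembled block."""
    hits: List[Tuple[str, str]] = []
    for sbid, text in reassemble(records).items():
        hits.extend((sbid, name) for name, pat in RULES.items() if pat.search(text))
    return hits


def scan_fragments_only(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Same rules applied to each fragment on its own, for comparison."""
    hits: List[Tuple[str, str]] = []
    for r in records:
        text = str(r["ScriptBlockText"])
        hits.extend((str(r["ScriptBlockId"]), name) for name, pat in RULES.items() if pat.search(text))
    return hits


if __name__ == "__main__":
    print("reassembled :", scan(SAMPLE_4104))
    print("per-fragment:", scan_fragments_only(SAMPLE_4104))
```

Running it shows the AMSI block only in the reassembled result. Note also that `Get-CimInstance` without `-ComputerName` (record d4) is deliberately not flagged, since local CIM queries are routine; it is the remote form that the lateral-movement story cares about.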
Windows Registry Delete Task SD | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task, Impair Defenses | Anomaly | Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse | 2024-11-14
Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern | 2024-09-30
Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Scheduled Task Service Spawned Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Command and Scripting Interpreter | TTP | Windows Persistence Techniques | 2024-09-30
Windows Scheduled Task with Highest Privileges | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks | 2024-11-28
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr | | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Schtasks Create Run As System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Qakbot, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30
Windows Service Create SliverC2 | Windows Event Log System 7045 | System Services, Service Execution | TTP | BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host | 2024-11-28
Windows Service Created with Suspicious Service Path | Windows Event Log System 7045 | System Services, Service Execution | TTP | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware | 2024-09-30
Windows Snake Malware Service Create | Windows Event Log System 7045 | Kernel Modules and Extensions, Service Execution | TTP | Compromised Windows Host, Snake Malware | 2024-11-28
Windows Suspect Process With Authentication Traffic | Sysmon EventID 3 | Account Discovery, Domain Account, User Execution, Malicious File | Anomaly | Active Directory Discovery | 2024-09-30
Windows User Execution Malicious URL Shortcut File | Sysmon EventID 11 | Malicious File, User Execution | TTP | Chaos Ransomware, NjRAT, Snake Keylogger | 2024-09-30
Windows WinDBG Spawning AutoIt3 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Compromised Windows Host, DarkGate Malware | 2024-11-28
Windows WMI Impersonate Token | Sysmon EventID 10 | Windows Management Instrumentation | Anomaly | Qakbot | 2024-09-30
Windows WMI Process And Service List | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-09-30
Windows WMI Process Call Create | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | Hunting | CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon | 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | Scheduled Task, Scheduled Task/Job | TTP | CISA AA22-257A, Compromised Windows Host, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern | 2024-11-28
WinEvent Scheduled Task Created Within Public Path | Windows Event Log Security 4698 | Scheduled Task, Scheduled Task/Job | TTP | Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-11-28
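The Security 4698/4699 rows above (Short Lived Scheduled Task, Windows Hidden Schedule Task Settings, WinEvent Scheduled Task Created to Spawn Shell, WinEvent Scheduled Task Created Within Public Path) all read the task definition that 4698 embeds as XML in its TaskContent field, and the first one additionally pairs a 4698 with the 4699 that deletes the same task shortly after. The Python below is an added example written for this page, not Splunk's SPL; the two task definitions, the event records, the rule names and the public-path list are constructed, and the RunLevel check is the XML form of the setting that Windows Scheduled Task with Highest Privileges looks for on the schtasks command line. One parsing detail is handled explicitly: 4698 carries the task XML with a UTF-16 declaration, and once the event has already been decoded to a string that declaration can make an XML parser refuse the input, so it is stripped first.

```python
"""Scheduled-task checks over Security 4698/4699 records (illustrative, not Splunk's SPL)."""
import ntpath
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Tuple

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# World-writable or user-writable locations a service-level task has no business running from.
PUBLIC_PATH = re.compile(r"(?i)\\(?:users\\public|programdata|windows\\temp|appdata\\local\\temp)\\")
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Constructed TaskContent bodies in the schema 4698 carries (not captured from a real host).
TASK_HIDDEN_SHELL = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>cmd.exe</Command>
    <Arguments>/c C:\Users\Public\update.bat</Arguments></Exec></Actions>
</Task>"""

TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>--nightly</Arguments></Exec></Actions>
</Task>"""

# Constructed 4698 (created) and 4699 (deleted) records; times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"EventCode": 4698, "TimeCreated": "2024-11-28T10:00:00",
     "TaskName": r"\Microsoft\Windows\Update\Refresh", "TaskContent": TASK_HIDDEN_SHELL},
    {"EventCode": 4699, "TimeCreated": "2024-11-28T10:00:04",
     "TaskName": r"\Microsoft\Windows\Update\Refresh"},
    {"EventCode": 4698, "TimeCreated": "2024-11-28T11:30:00",
     "TaskName": r"\Backup\Nightly", "TaskContent": TASK_BENIGN},
]


def parse_task(xml_text: str) -> Dict[str, str]:
    """Pull the fields the checks need, ignoring the schema namespace."""
    # Drop the UTF-16 XML declaration before handing an already-decoded str to the parser.
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    fields = {"hidden": "false", "run_level": "", "command": "", "arguments": ""}
    for el in root.iter():
        name = el.tag.rsplit("}", 1)[-1]
        text = (el.text or "").strip()
        if name == "Hidden":
            fields["hidden"] = text.lower()
        elif name == "RunLevel":
            fields["run_level"] = text
        elif name == "Command":
            fields["command"] = text
        elif name == "Arguments":
            fields["arguments"] = text
    return fields


def check_task_content(xml_text: str) -> List[str]:
    """Rule names tripped by one task definition, in a fixed order."""
    t = parse_task(xml_text)
    hits: List[str] = []
    if t["hidden"] == "true":
        hits.append("hidden_task_setting")
    if t["run_level"] == "HighestAvailable":
        hits.append("runlevel_highest_available")
    if ntpath.basename(t["command"]).lower() in SHELLS:
        hits.append("task_action_spawns_shell")
    if PUBLIC_PATH.search(t["command"] + " " + t["arguments"]):
        hits.append("task_action_in_public_path")
    return hits


def find_short_lived(events, window_seconds: float = 60.0) -> List[Tuple[str, float]]:
    """Pair each 4698 with the next 4699 for the same TaskName; report pairs inside the window."""
    pending: Dict[str, datetime] = {}
    found: List[Tuple[str, float]] = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventCode"] == 4698:
            pending[ev["TaskName"]] = ts
        elif ev["EventCode"] == 4699 and ev["TaskName"] in pending:
            delta = (ts - pending.pop(ev["TaskName"])).total_seconds()
            if delta <= window_seconds:
                found.append((ev["TaskName"], delta))
    return found


def analyze(events) -> Dict[str, List[str]]:
    """Per task name: content rules from its 4698, plus short_lived_task when a 4699 follows quickly."""
    results: Dict[str, List[str]] = {}
    for ev in events:
        if ev["EventCode"] == 4698:
            results[ev["TaskName"]] = check_task_content(ev["TaskContent"])
    for name, _ in find_short_lived(events):
        results.setdefault(name, []).append("short_lived_task")
    return results


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_EVENTS).items():
        print(name, "->", hits or "clean")
```

The create/delete pairing is keyed on TaskName only, which is what both events expose; a task re-created under the same name after deletion simply starts a new pending entry. Both 4698 and 4699 require the "Audit Other Object Access Events" subcategory to be enabled, otherwise neither event is written and the whole row family has no data.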
WinEvent Windows Task Scheduler Event Action Started | Windows Event Log TaskScheduler 200 | Scheduled Task | Hunting | Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern | 2024-10-24
WMI Permanent Event Subscription | | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-10-17
WMI Temporary Event Subscription | | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-10-17
Wmiprsve LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2024-09-30
Detect Outbound LDAP Traffic | Bro | Exploit Public-Facing Application, Command and Scripting Interpreter | Hunting | Log4Shell CVE-2021-44228 | 2024-10-17
Detect Windows DNS SIGRed via Splunk Stream | | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2024-10-17
Detect Windows DNS SIGRed via Zeek | | Exploitation for Client Execution | TTP | Windows DNS SIGRed CVE-2020-1350 | 2024-10-17
Juniper Networks Remote Code Execution Exploit Detection | Suricata | Exploit Public-Facing Application, Ingress Tool Transfer, Command and Scripting Interpreter | TTP | Juniper JunOS Remote Code Execution | 2024-09-30