| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Risky SPL using Pretrained ML Model | | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Command and Scripting Interpreter Delete Usage | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2025-01-21 |
| Splunk Command and Scripting Interpreter Risky Commands | Splunk | Command and Scripting Interpreter | Hunting | Splunk Vulnerabilities | 2024-12-17 |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-12-16 |
| ASL AWS ECR Container Upload Outside Business Hours | ASL AWS CloudTrail | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| ASL AWS ECR Container Upload Unknown User | ASL AWS CloudTrail | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | TTP | Dev Sec Ops | 2024-11-14 |
| AWS ECR Container Scanning Findings Low Informational Unknown | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| AWS ECR Container Upload Outside Business Hours | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-11-14 |
| AWS Lambda UpdateFunctionCode | AWS CloudTrail | User Execution | Hunting | Suspicious Cloud User Activities | 2024-11-14 |
| Kubernetes Anomalous Inbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Inbound Outbound Network IO | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Outbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Anomalous Traffic on Network Edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes newly seen TCP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes newly seen UDP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Node Port Creation | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Kubernetes Previously Unseen Container Image Name | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Previously Unseen Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process Running From New Path | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process with Anomalous Resource Utilisation | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Process with Resource Ratio Anomalies | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Shell Running on Worker Node | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Shell Running on Worker Node with CPU Activity | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-11-14 |
| Kubernetes Unauthorized Access | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-11-14 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-06 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| O365 SharePoint Malware Detection | | Malicious File, User Execution | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2024-11-14 |
| O365 Threat Intelligence Suspicious File Detected | | Malicious File, User Execution | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2024-11-14 |
| Risk Rule for Dev Sec Ops by Repository | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-11-14 |
| Cmdline Tool Not Executed In CMD Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2025-01-24 |
| Correlation by Repository and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-11-14 |
| Correlation by User and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-11-14 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-11-14 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-11-14 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-11-14 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-11-14 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-11-14 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, Crypto Stealer, DarkCrystal RAT, Data Destruction, Earth Estries, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Nexus APT Threat Activity, PXA Stealer, Phemedrone Stealer | 2025-01-27 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-11-13 |
| Batch File Write to System32 | Sysmon EventID 1, Sysmon EventID 11 | User Execution, Malicious File | TTP | Compromised Windows Host, SamSam Ransomware | 2024-12-10 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Azorult, Crypto Stealer, Forest Blizzard, IcedID | 2024-11-13 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Clop Ransomware, Compromised Windows Host | 2024-12-10 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | Hunting | AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern | 2024-11-13 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack | 2024-12-10 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Compromised Windows Host, Ransomware | 2024-12-10 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell, Windows Certificate Services | 2024-11-13 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-11-13 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | OS Credential Dumping, PowerShell | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-11-13 |
| Detect Prohibited Applications Spawning cmd exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | Hunting | NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes | 2024-11-13 |
| Detect Rare Executables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | Anomaly | Crypto Stealer, Rhysida Ransomware, Unusual Processes | 2024-11-13 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, Earth Estries, HAFNIUM Group, Nexus APT Threat Activity, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2025-01-27 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Suspicious Command-Line Executions | 2024-11-13 |
| Detect Use of cmd exe to Launch Script Interpreters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | TTP | Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions | 2024-11-13 |
| Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Software Deployment Tools | TTP | Emotet Malware DHS Report TA18-201A | 2024-11-13 |
| Drop IcedID License dat | Sysmon EventID 11 | User Execution, Malicious File | Hunting | IcedID | 2024-11-13 |
| Excessive distinct processes from Windows Temp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-11-13 |
| Excessive number of taskhost processes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-11-13 |
| Excessive Usage Of SC Service Utility | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Anomaly | Azorult, Crypto Stealer, Ransomware | 2024-11-13 |
| Exchange PowerShell Module Usage | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell | 2024-11-13 |
| Execute Javascript With Jscript COM CLSID | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Visual Basic | TTP | Ransomware | 2024-11-13 |
| First Time Seen Running Windows Service | Windows Event Log System 7036 | System Services, Service Execution | Anomaly | NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse | 2024-11-13 |
| Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery, PowerShell | TTP | Active Directory Discovery | 2024-11-13 |
| GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell | 2024-11-13 |
| GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell, Winter Vivern | 2024-11-13 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-12-10 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-12-10 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-12-10 |
| Jscript Execution Using Cscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | FIN7, Remcos | 2024-11-13 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2024-12-19 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2025-01-20 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Auditd Service Started | Linux Auditd Proctitle | Service Execution, System Services | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-11-13 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-11-13 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2024-12-19 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos | 2024-12-19 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-11-13 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | Unix Shell, Command and Scripting Interpreter | Anomaly | AwfulShred, Data Destruction | 2024-11-13 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-11-13 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-11-13 |
| MacOS LOLbin | | Unix Shell, Command and Scripting Interpreter | TTP | Living Off The Land | 2024-11-13 |
| Malicious Powershell Executed As A Service | Windows Event Log System 7045 | System Services, Service Execution | TTP | Compromised Windows Host, Malicious PowerShell, Rhysida Ransomware | 2024-12-10 |
| Malicious PowerShell Process - Execution Policy Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | Anomaly | AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, HAFNIUM Group, Nexus APT Threat Activity, Volt Typhoon | 2025-01-27 |
| Malicious PowerShell Process With Obfuscation Techniques | Sysmon EventID 1 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-11-13 |
| MS Scripting Process Loading Ldap Module | Sysmon EventID 7 | Command and Scripting Interpreter, JavaScript | Anomaly | FIN7 | 2024-11-13 |
| MS Scripting Process Loading WMI Module | Sysmon EventID 7 | Command and Scripting Interpreter, JavaScript | Anomaly | FIN7 | 2024-11-13 |
| Nishang PowershellTCPOneLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | TTP | Cleo File Transfer Software, HAFNIUM Group | 2024-12-16 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks | 2024-11-13 |
| Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Anomaly | Suspicious Command-Line Executions | 2024-11-13 |
| PowerShell 4104 Hunting | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | Hunting | Braodo Stealer, CISA AA23-347A, CISA AA24-241A, Cleo File Transfer Software, DarkGate Malware, Data Destruction, Earth Estries, Flax Typhoon, Hermetic Wiper, Lumma Stealer, Malicious PowerShell, Nexus APT Threat Activity, Rhysida Ransomware | 2025-01-27 |
| PowerShell - Connect To Internet With Hidden Window | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Command and Scripting Interpreter | Hunting | AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | 2024-11-13 |
| Powershell COM Hijacking InprocServer32 Modification | Powershell Script Block Logging 4104 | Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell | 2024-11-13 |
| Powershell Creating Thread Mutex | Powershell Script Block Logging 4104 | Obfuscated Files or Information, Indicator Removal from Tools, PowerShell | TTP | Malicious PowerShell | 2024-11-13 |
| PowerShell Domain Enumeration | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-11-13 |
| PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | Anomaly | Malicious PowerShell | 2024-11-13 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2024-11-13 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, Process Injection, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-11-13 |
| Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP | AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern | 2024-11-13 |
| PowerShell Invoke CIMMethod CIMSession | Powershell Script Block Logging 4104 | Windows Management Instrumentation | Anomaly | Active Directory Lateral Movement, Malicious PowerShell | 2024-11-13 |
| PowerShell Invoke WmiExec Usage | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | MetaSploit | 2024-11-13 |
| PowerShell Loading DotNET into Memory via Reflection | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | Anomaly | AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern | 2025-01-16 |
| Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak, PXA Stealer | 2024-11-22 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-11-13 |
| PowerShell Start or Stop Service | Powershell Script Block Logging 4104 | PowerShell | Anomaly | Active Directory Lateral Movement | 2024-11-13 |
| Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | TTP | Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2024-11-13 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-11-13 |
| Process Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Process Writing DynamicWrapperX | Sysmon EventID 1, Sysmon EventID 11 | Command and Scripting Interpreter, Component Object Model | Hunting | Remcos | 2024-11-13 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | Scheduled Task/Job, Scheduled Task | Hunting | Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks | 2024-11-13 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | Gather Victim Host Information, PowerShell | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-11-13 |
| Remote Process Instantiation via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement, CISA AA23-347A, Earth Estries, Nexus APT Threat Activity, Ransomware, Suspicious WMI Use | 2025-01-27 |
| Remote Process Instantiation via WMI and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement, Compromised Windows Host | 2024-12-10 |
| Remote Process Instantiation via WMI and PowerShell Script Block | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2024-11-13 |
| Remote WMI Command Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon | 2024-11-13 |
| Revil Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware, Revil Ransomware | 2024-11-13 |
| Ryuk Wake on LAN Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | TTP | Compromised Windows Host, Ryuk Ransomware | 2024-12-10 |
| Schedule Task with HTTP Command Arguments | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-12-10 |
| Schedule Task with Rundll32 Command Trigger | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques | 2024-12-10 |
| Scheduled Task Creation on Remote Endpoint using At | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, At | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-11-13 |
| Scheduled Task Deleted Or Created via CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, NOBELIUM Group, Nexus APT Threat Activity, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern | 2025-01-27 |
| Scheduled Task Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-11-13 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job | TTP | CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig | 2024-11-13 |
| Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks | 2024-12-10 |
| Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2024-11-13 |
| Script Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-11-13 |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | TTP | Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell | 2024-11-13 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | Scheduled Task | TTP | Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks | 2024-12-10 |
| Single Letter Process On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution, Malicious File | TTP | Compromised Windows Host, DHS Report TA18-074A | 2024-12-10 |
| Sunburst Correlation DLL and Network Event | Sysmon EventID 22, Sysmon EventID 7 | Exploitation for Client Execution | TTP | NOBELIUM Group | 2024-11-13 |
| Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Unix Shell | TTP | Linux Post-Exploitation | 2024-11-13 |
| Suspicious Process DNS Query Known Abuse Web Services | Sysmon EventID 22 | Visual Basic, Command and Scripting Interpreter | TTP | Data Destruction, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate | 2024-12-10 |
| Suspicious Process Executed From Container File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Malicious File, Masquerade File Type | TTP | Amadey, Remcos, Snake Keylogger, Unusual Processes | 2024-11-13 |
| Suspicious Process With Discord DNS Query | Sysmon EventID 22 | Visual Basic, Command and Scripting Interpreter | Anomaly | Data Destruction, PXA Stealer, WhisperGate | 2024-11-22 |
| Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | Anomaly | Azorult, CISA AA23-347A, CISA AA24-241A, Crypto Stealer, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, Nexus APT Threat Activity, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2025-01-27 |
| Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-11-13 |
| Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | Impair Defenses, PowerShell, Command and Scripting Interpreter | | | |
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-11-13
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Visual Basic
Command and Scripting Interpreter
|
TTP
|
AsyncRAT, FIN7, Remcos
|
2024-11-13
|
Wermgr Process Spawned CMD Or Powershell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Qakbot, Trickbot
|
2024-11-13
|
Windows Account Access Removal via Logoff Exec
|
Sysmon EventID 1
|
Account Access Removal
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Crypto Stealer
|
2024-12-17
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Anomaly
|
MetaSploit
|
2024-11-13
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Crypto Stealer, DarkGate Malware, Handala Wiper
|
2024-11-13
|
Windows Cmdline Tool Execution From Non-Shell Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
JavaScript
|
Anomaly
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon
|
2025-01-13
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-11-13
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-12-10
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, DarkCrystal RAT
|
2024-12-10
|
Windows Common Abused Cmd Shell Risk Behavior
|
|
File and Directory Permissions Modification
System Network Connections Discovery
System Owner/User Discovery
System Shutdown/Reboot
System Network Configuration Discovery
Command and Scripting Interpreter
|
Correlation
|
Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation
|
2025-01-20
|
Windows Defender ASR Audit Events
|
Windows Event Log Defender 1122
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1129
|
Command and Scripting Interpreter
Spearphishing Attachment
Spearphishing Link
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007
|
Spearphishing Attachment
Spearphishing Link
Command and Scripting Interpreter
|
Hunting
|
Windows Attack Surface Reduction
|
2024-11-13
|
Windows Enable PowerShell Web Access
|
Powershell Script Block Logging 4104
|
PowerShell
|
TTP
|
CISA AA24-241A, Malicious PowerShell
|
2024-11-13
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-11-13
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
Shared Modules
|
TTP
|
NjRAT
|
2024-11-13
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-12-10
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
Hunting
|
Living Off The Land
|
2024-11-13
|
Windows ISO LNK File Creation
|
Sysmon EventID 11
|
Spearphishing Attachment
Phishing
Malicious Link
User Execution
|
Hunting
|
AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT
|
2024-11-13
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
PowerShell
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-11-13
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2024-12-10
|
Windows Powershell Cryptography Namespace
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
AsyncRAT
|
2024-11-13
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
PowerShell
|
Anomaly
|
Active Directory Lateral Movement
|
2024-11-13
|
Windows Powershell Import Applocker Policy
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
Disable or Modify Tools
Impair Defenses
|
TTP
|
Azorult
|
2024-11-13
|
Windows Powershell Logoff User via Quser
|
Powershell Script Block Logging 4104
|
Account Access Removal
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Crypto Stealer
|
2024-12-12
|
Windows Powershell RemoteSigned File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Amadey
|
2024-11-13
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
Command and Scripting Interpreter
|
Anomaly
|
Scheduled Tasks
|
2024-11-13
|
Windows PowerShell WMI Win32 ScheduledJob
|
Powershell Script Block Logging 4104
|
PowerShell
Command and Scripting Interpreter
|
TTP
|
Active Directory Lateral Movement
|
2024-11-13
|
Windows Registry Delete Task SD
|
Sysmon EventID 12, Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2025-01-21
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2024-11-13
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-11-13
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2024-11-13
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks
|
2024-12-10
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-11-13
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2024-11-13
|
Windows ScManager Security Descriptor Tampering Via Sc.EXE
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Defense Evasion or Unauthorized Access Via SDDL Tampering
|
2025-01-07
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
BishopFox Sliver Adversary Emulation Framework, Compromised Windows Host
|
2024-12-10
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
System Services
Service Execution
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Crypto Stealer, Derusbi, Earth Estries, Flax Typhoon, Nexus APT Threat Activity, PlugX, Qakbot, Snake Malware
|
2025-01-27
|
Windows Service Execution RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Service Execution
|
TTP
|
Active Directory Discovery
|
2025-01-07
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Compromised Windows Host, Snake Malware
|
2024-12-10
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
Account Discovery
Domain Account
User Execution
Malicious File
|
Anomaly
|
Active Directory Discovery
|
2024-11-13
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
Malicious File
User Execution
|
TTP
|
Chaos Ransomware, NjRAT, Snake Keylogger
|
2024-11-13
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
|
TTP
|
Compromised Windows Host, DarkGate Malware
|
2024-12-10
|
Windows WMI Impersonate Token
|
Sysmon EventID 10
|
Windows Management Instrumentation
|
Anomaly
|
Qakbot
|
2024-11-13
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-11-13
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon
|
2024-11-13
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Compromised Windows Host, Earth Estries, Nexus APT Threat Activity, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2025-01-27
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, Earth Estries, IcedID, Industroyer2, Nexus APT Threat Activity, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2025-01-27
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2024-11-13
|
WMI Permanent Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
WMI Temporary Event Subscription
|
|
Windows Management Instrumentation
|
TTP
|
Suspicious WMI Use
|
2024-11-13
|
Wmiprsve LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation
|
TTP
|
Active Directory Lateral Movement
|
2024-11-13
|
Detect Outbound LDAP Traffic
|
Bro
|
Exploit Public-Facing Application
Command and Scripting Interpreter
|
Hunting
|
Log4Shell CVE-2021-44228
|
2024-11-15
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-11-15
|
Detect Windows DNS SIGRed via Zeek
|
|
Exploitation for Client Execution
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-11-15
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
Exploit Public-Facing Application
Ingress Tool Transfer
Command and Scripting Interpreter
|
TTP
|
Juniper JunOS Remote Code Execution
|
2024-11-15
|
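Several of the scheduled-task detections listed above (Schtasks scheduling job on remote system, Windows Schtasks Create Run As System, Windows Scheduled Task with Highest Privileges, Windows Scheduled Task Created Via XML, Suspicious Scheduled Task from Public Directory, Schtasks used for forcing a reboot, Schtasks Run Task On Demand) all read the same field: the schtasks.exe command line from process-creation telemetry (Sysmon EventID 1, Security 4688, CrowdStrike ProcessRollup2). The classifier below is an added example, not the ESCU searches themselves; which switch each detection keys on (/s, /ru, /rl, /xml, /tr, /run), the list of public directories and the sample events are all assumptions made for the illustration.

```python
# Added example (not ESCU's own SPL): classify schtasks.exe command lines from
# process-creation telemetry into the scheduled-task detections named above.
# The switches each detection keys on are assumptions about those analytics;
# the sample events below are constructed.
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Assumed list of world-writable / staging directories for the public-directory check.
PUBLIC_DIRS = ("\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
               "\\appdata\\local\\temp\\", "\\perflogs\\")


@dataclass
class ProcessEvent:
    host: str           # endpoint that logged the event (Computer / ComputerName)
    image: str          # full path of the created process (Image / NewProcessName)
    command_line: str   # raw command line as logged


def schtasks_args(command_line: str) -> List[str]:
    """Tokenise a schtasks command line. posix=False keeps quoted values whole and
    backslashes literal; switches are normalised to a lowercase '/name' form."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:                      # unbalanced quotes: fall back to whitespace split
        tokens = command_line.split()
    out = []
    for tok in tokens:
        tok = tok.strip('"')
        if len(tok) > 1 and tok[0] in "/-":
            tok = "/" + tok[1:].lower()
        out.append(tok)
    return out


def switch_value(args: List[str], switch: str) -> Optional[str]:
    """Value following a switch such as '/tr', or None when the switch is absent."""
    for i, arg in enumerate(args):
        if arg == switch and i + 1 < len(args):
            return args[i + 1]
    return None


def classify_schtasks(ev: ProcessEvent) -> List[str]:
    """Names of the listed detections this single process event would satisfy."""
    findings: List[str] = []
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return findings
    args = schtasks_args(ev.command_line)
    if "/run" in args:
        findings.append("Schtasks Run Task On Demand")
    if "/create" not in args:
        return findings
    target = switch_value(args, "/s")
    if target and target.strip("\\").lower() not in ("localhost", "127.0.0.1", ev.host.lower()):
        findings.append("Schtasks scheduling job on remote system")
    if (switch_value(args, "/ru") or "").lower() in ("system", "nt authority\\system"):
        findings.append("Windows Schtasks Create Run As System")
    if (switch_value(args, "/rl") or "").lower() == "highest":
        findings.append("Windows Scheduled Task with Highest Privileges")
    if "/xml" in args:
        findings.append("Windows Scheduled Task Created Via XML")
    action = (switch_value(args, "/tr") or "").lower()
    if any(d in action for d in PUBLIC_DIRS):
        findings.append("Suspicious Scheduled Task from Public Directory")
    if action.startswith("shutdown") or "\\shutdown.exe" in action:
        findings.append("Schtasks used for forcing a reboot")
    return findings


# Constructed sample events (hostnames, paths and task names are made up).
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [
    ProcessEvent("WS01", SCHTASKS, r'schtasks.exe /create /s FILESRV01 /u CORP\svc_admin /p Pa55w0rd '
                 r'/tn "\Microsoft\Windows\Update" /tr "cmd.exe /c whoami > C:\temp\o.txt" /sc once /st 00:00'),
    ProcessEvent("WS02", SCHTASKS, r"schtasks.exe /Create /RU SYSTEM /RL HIGHEST /SC MINUTE /MO 5 "
                 r"/TN WindowsUpdateSvc /TR C:\Users\Public\Libraries\update.exe /F"),
    ProcessEvent("WS03", SCHTASKS, r"schtasks /create /tn Maint /xml C:\ProgramData\maint.xml"),
    ProcessEvent("WS04", SCHTASKS, r'schtasks.exe /run /tn "\Microsoft\Windows\Update"'),
    ProcessEvent("WS05", SCHTASKS, r'schtasks.exe /create /tn Reboot /tr "shutdown /r /f /t 0" /sc once /st 23:59 /ru SYSTEM'),
    ProcessEvent("WS06", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c schtasks /query"),
    ProcessEvent("WS07", SCHTASKS, r"schtasks.exe /create /s localhost /tn Sync /tr C:\Tools\sync.exe /sc daily"),
]


def run_samples():
    """Map each sample host to the detections it triggers (benign ones map to [])."""
    return {ev.host: classify_schtasks(ev) for ev in SAMPLE_EVENTS}


if __name__ == "__main__":
    for host, hits in run_samples().items():
        print(host, hits)
```

Local-target exclusion in the remote-system check matters: schtasks accepts /s for the local machine too, and without it every scripted local task creation would fire the lateral-movement analytic.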
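The 4698-based rows (Short Lived Scheduled Task, WinEvent Scheduled Task Created Within Public Path) work from the Security event log rather than process creation: 4698 carries the full task definition as XML in TaskContent, and 4699 records the deletion. The code below is an added example, not ESCU's searches; it pairs each 4699 with the preceding 4698 for the same host and task name and flags lifetimes inside an assumed 30-second window, and it parses the Exec action out of TaskContent to spot commands under public paths. The sample events, the threshold and the directory list are constructed for the illustration.

```python
# Added example (not ESCU's own SPL): correlate Security 4698 (task created) with
# 4699 (task deleted) per host and task name, and inspect 4698 TaskContent XML for
# actions that run from public directories. Threshold, directory list and the
# events below are assumptions / constructed data.
from collections import defaultdict
from datetime import datetime
import xml.etree.ElementTree as ET

SHORT_LIVED_SECONDS = 30    # assumed: created and deleted within half a minute
PUBLIC_DIRS = ("\\users\\public\\", "\\programdata\\", "\\windows\\temp\\",
               "\\appdata\\local\\temp\\", "\\perflogs\\")


def task_actions(task_content: str):
    """Return 'Command Arguments' strings for every <Exec> action in a 4698 TaskContent
    blob. Tags are matched by local name, so the Task Scheduler XML namespace on the
    root element does not need to be spelled out."""
    actions = []
    for el in ET.fromstring(task_content).iter():
        if el.tag.rsplit("}", 1)[-1] != "Exec":
            continue
        cmd = args = ""
        for child in el:
            name = child.tag.rsplit("}", 1)[-1]
            if name == "Command":
                cmd = (child.text or "").strip()
            elif name == "Arguments":
                args = (child.text or "").strip()
        actions.append(f"{cmd} {args}".strip())
    return actions


def short_lived_tasks(events, threshold=SHORT_LIVED_SECONDS):
    """For each 4699, find the latest earlier 4698 with the same host and task name;
    return (host, task, lifetime_seconds) where the lifetime is within the threshold."""
    created = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 4698:
            created[(ev["host"], ev["TaskName"].lower())].append(ev["time"])
    hits = []
    for ev in events:
        if ev["EventCode"] != 4699:
            continue
        earlier = [t for t in created[(ev["host"], ev["TaskName"].lower())] if t <= ev["time"]]
        if not earlier:                       # deletion with no observed creation: ignore
            continue
        lifetime = (ev["time"] - max(earlier)).total_seconds()
        if lifetime <= threshold:
            hits.append((ev["host"], ev["TaskName"], lifetime))
    return hits


def public_path_tasks(events):
    """(host, task, action) for every 4698 whose action runs from a public directory."""
    hits = []
    for ev in events:
        if ev["EventCode"] != 4698:
            continue
        for action in task_actions(ev["TaskContent"]):
            if any(d in action.lower() for d in PUBLIC_DIRS):
                hits.append((ev["host"], ev["TaskName"], action))
    return hits


def _task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal TaskContent document in the shape 4698 logs (constructed helper)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


def _ev(code, host, when, task, content=""):
    return {"EventCode": code, "host": host, "time": datetime.fromisoformat(when),
            "TaskName": task, "TaskContent": content}


# Constructed sample events: one short-lived task, one task in a public path,
# one long-lived legitimate task and one orphan deletion.
SAMPLE_EVENTS = [
    _ev(4698, "WS01", "2025-01-27T10:00:00", r"\Cleanup", _task_xml(r"C:\Windows\System32\cmd.exe", "/c whoami")),
    _ev(4699, "WS01", "2025-01-27T10:00:04", r"\Cleanup"),
    _ev(4698, "WS01", "2025-01-27T10:01:00", r"\OneDriveUpdate", _task_xml(r"C:\Users\Public\Libraries\update.exe")),
    _ev(4698, "WS02", "2025-01-27T09:00:00", r"\Backup", _task_xml(r"C:\Program Files\Backup\backup.exe", "--full")),
    _ev(4699, "WS02", "2025-01-27T11:00:00", r"\Backup"),
    _ev(4699, "WS03", "2025-01-27T12:00:00", r"\Orphan"),
]

if __name__ == "__main__":
    print("short-lived:", short_lived_tasks(SAMPLE_EVENTS))
    print("public path:", public_path_tasks(SAMPLE_EVENTS))
```

Keying the pair on host and task name rather than on task name alone avoids joining a creation on one machine with a deletion on another; the ESCU row lists both 4698 and 4699 as data sources for exactly this reason.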