Execution Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Risky SPL using Pretrained ML Model | | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Command and Scripting Interpreter Delete Usage | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-16 |
| Splunk Command and Scripting Interpreter Risky Commands | Splunk | Command and Scripting Interpreter | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Command and Scripting Interpreter Risky SPL MLTK | Splunk | Command and Scripting Interpreter | Anomaly | Splunk Vulnerabilities | 2024-10-16 |
| ASL AWS ECR Container Upload Outside Business Hours | | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| ASL AWS ECR Container Upload Unknown User | | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | TTP | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Scanning Findings Low Informational Unknown | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Upload Outside Business Hours | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | Malicious Image, User Execution | Anomaly | Dev Sec Ops | 2024-09-30 |
| AWS Lambda UpdateFunctionCode | AWS CloudTrail | User Execution | Hunting | Suspicious Cloud User Activities | 2024-10-22 |
| Kubernetes Anomalous Inbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Inbound Outbound Network IO | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Outbound Network Activity from Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Anomalous Traffic on Network Edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes DaemonSet Deployed | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Falco Shell Spawned | Kubernetes Falco | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes newly seen TCP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes newly seen UDP edge | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Node Port Creation | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Pod Created in Default Namespace | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Pod With Host Network Attachment | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| Kubernetes Previously Unseen Container Image Name | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Previously Unseen Process | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process Running From New Path | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process with Anomalous Resource Utilisation | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Process with Resource Ratio Anomalies | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Shell Running on Worker Node | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Shell Running on Worker Node with CPU Activity | | User Execution | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-10-17 |
| Kubernetes Unauthorized Access | Kubernetes Audit | User Execution | Anomaly | Kubernetes Security | 2024-09-30 |
| O365 SharePoint Malware Detection | | Malicious File, User Execution | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2024-09-30 |
| O365 Threat Intelligence Suspicious File Detected | | Malicious File, User Execution | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2024-09-30 |
| Risk Rule for Dev Sec Ops by Repository | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-22 |
| Correlation by Repository and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| Correlation by User and Risk | | Malicious Image, User Execution | Correlation | Dev Sec Ops | 2024-10-17 |
| First time seen command line argument | Sysmon EventID 1 | PowerShell, Windows Command Shell | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | PowerShell | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-10-17 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | Malicious File | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-10-17 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | Windows Command Shell | TTP | Ryuk Ransomware | 2024-10-17 |
| Any Powershell DownloadFile | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Braodo Stealer, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer | 2024-09-30 |
| Any Powershell DownloadString | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer | TTP | Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern | 2024-09-30 |
| Batch File Write to System32 | Sysmon EventID 1, Sysmon EventID 11 | User Execution, Malicious File | TTP | SamSam Ransomware | 2024-09-30 |
| CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Azorult, Forest Blizzard, IcedID | 2024-09-30 |
| Clop Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Clop Ransomware | 2024-09-30 |
| CMD Carry Out String Command Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | Hunting | AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern | 2024-10-17 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Cmdline Tool Not Executed In CMD Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon | 2024-09-30 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware | 2024-09-30 |
| Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Steal or Forge Authentication Certificates, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell, Windows Certificate Services | 2024-09-30 |
| Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | OS Credential Dumping, PowerShell | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-09-30 |
| Detect Prohibited Applications Spawning cmd exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | Hunting | NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes | 2024-10-17 |
| Detect Rare Executables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | Anomaly | Rhysida Ransomware, Unusual Processes | 2024-09-30 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2024-10-17 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | Command and Scripting Interpreter | Anomaly | Suspicious Command-Line Executions | 2024-10-17 |
| Detect Use of cmd exe to Launch Script Interpreters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | TTP | Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions | 2024-09-30 |
| Detection of tools built by NirSoft | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Software Deployment Tools | TTP | Emotet Malware DHS Report TA18-201A | 2024-10-17 |
| Drop IcedID License dat | Sysmon EventID 11 | User Execution, Malicious File | Hunting | IcedID | 2024-10-17 |
| Excessive distinct processes from Windows Temp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-09-30 |
| Excessive number of taskhost processes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | Meterpreter | 2024-09-30 |
| Excessive Usage Of SC Service Utility | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | System Services, Service Execution | Anomaly | Azorult, Ransomware | 2024-09-30 |
| Exchange PowerShell Module Usage | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell | 2024-09-30 |
| Execute Javascript With Jscript COM CLSID | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Visual Basic | TTP | Ransomware | 2024-09-30 |
| First Time Seen Running Windows Service | Windows Event Log System 7036 | System Services, Service Execution | Anomaly | NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse | 2024-10-17 |
| Get-ForestTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | Domain Trust Discovery, PowerShell | TTP | Active Directory Discovery | 2024-09-30 |
| GetLocalUser with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell | 2024-10-17 |
| GetWmiObject User Account with PowerShell Script Block | Powershell Script Block Logging 4104 | Account Discovery, Local Account, PowerShell | Hunting | Active Directory Discovery, Malicious PowerShell, Winter Vivern | 2024-10-17 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Jscript Execution Using Cscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, JavaScript | TTP | FIN7, Remcos | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Service Started | Linux Auditd Proctitle | Service Execution, System Services | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Decode Base64 to Shell | Sysmon for Linux EventID 1 | Obfuscated Files or Information, Unix Shell | TTP | Linux Living Off The Land | 2024-09-30 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Restarted | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | Systemd Timers, Scheduled Task/Job | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | Unix Shell, Command and Scripting Interpreter | Anomaly | AwfulShred, Data Destruction | 2024-09-30 |
| Living Off The Land Detection | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | Living Off The Land | 2024-09-30 |
| Log4Shell CVE-2021-44228 Exploitation | | Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-09-30 |
| MacOS LOLbin | | Unix Shell, Command and Scripting Interpreter | TTP | Living Off The Land | 2024-09-30 |
| Malicious Powershell Executed As A Service | Windows Event Log System 7045 | System Services, Service Execution | TTP | Malicious PowerShell, Rhysida Ransomware | 2024-09-30 |
| Malicious PowerShell Process - Execution Policy Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | TTP | AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon | 2024-09-30 |
| Malicious PowerShell Process With Obfuscation Techniques | Sysmon EventID 1 | Command and Scripting Interpreter, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| MS Scripting Process Loading Ldap Module | Sysmon EventID 7 | Command and Scripting Interpreter, JavaScript | Anomaly | FIN7 | 2024-09-30 |
| MS Scripting Process Loading WMI Module | Sysmon EventID 7 | Command and Scripting Interpreter, JavaScript | Anomaly | FIN7 | 2024-09-30 |
| Nishang PowershellTCPOneLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | TTP | HAFNIUM Group | 2024-09-30 |
| Possible Lateral Movement PowerShell Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC | TTP | Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks | 2024-10-17 |
| Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell | Anomaly | Suspicious Command-Line Executions | 2024-09-30 |
| PowerShell 4104 Hunting | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | Hunting | Braodo Stealer, CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Malicious PowerShell, Rhysida Ransomware | 2024-10-17 |
| PowerShell - Connect To Internet With Hidden Window | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | PowerShell, Command and Scripting Interpreter | Hunting | AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | 2024-10-17 |
| Powershell COM Hijacking InprocServer32 Modification | Powershell Script Block Logging 4104 | Component Object Model Hijacking, Command and Scripting Interpreter, PowerShell | TTP | Malicious PowerShell | 2024-09-30 |
| Powershell Creating Thread Mutex | Powershell Script Block Logging 4104 | Obfuscated Files or Information, Indicator Removal from Tools, PowerShell | TTP | Malicious PowerShell | 2024-09-30 |
| PowerShell Domain Enumeration | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | Anomaly | Malicious PowerShell | 2024-09-30 |
| Powershell Execute COM Object | Powershell Script Block Logging 4104 | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2024-09-30 |
| Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, Process Injection, PowerShell | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Powershell Fileless Script Contains Base64 Encoded Content | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell | TTP | AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern | 2024-09-30 |
| PowerShell Invoke CIMMethod CIMSession | Powershell Script Block Logging 4104 | Windows Management Instrumentation | Anomaly | Active Directory Lateral Movement, Malicious PowerShell | 2024-09-30 |
| PowerShell Invoke WmiExec Usage | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-09-30 |
| Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | MetaSploit | 2024-09-30 |
| PowerShell Loading DotNET into Memory via Reflection | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern | 2024-09-30 |
| Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | Command and Scripting Interpreter, PowerShell | TTP | AsyncRAT, Braodo Stealer, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2024-09-30 |
| PowerShell Script Block With URL Chain | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer | TTP | Malicious PowerShell | 2024-09-30 |
| PowerShell Start or Stop Service | Powershell Script Block Logging 4104 | PowerShell | Anomaly | Active Directory Lateral Movement | 2024-09-30 |
| Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | PowerShell, Command and Scripting Interpreter | TTP | Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2024-09-30 |
| PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP | Malicious PowerShell, MoonPeak | 2024-09-30 |
| Process Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-09-30 |
| Process Writing DynamicWrapperX | Sysmon EventID 1, Sysmon EventID 11 | Command and Scripting Interpreter, Component Object Model | Hunting | Remcos | 2024-10-17 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | Scheduled Task/Job, Scheduled Task | Hunting | Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks | 2024-10-17 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | Gather Victim Host Information, PowerShell | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-09-30 |
| Remote Process Instantiation via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use | 2024-09-30 |
| Remote Process Instantiation via WMI and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2024-09-30 |
| Remote Process Instantiation via WMI and PowerShell Script Block | Powershell Script Block Logging 4104 | Windows Management Instrumentation | TTP | Active Directory Lateral Movement | 2024-09-30 |
| Remote WMI Command Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon | 2024-09-30 |
| Revil Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution | TTP | Ransomware, Revil Ransomware | 2024-09-30 |
| Ryuk Wake on LAN Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell | TTP | Ryuk Ransomware | 2024-09-30 |
| Schedule Task with HTTP Command Arguments | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-09-30 |
| Schedule Task with Rundll32 Command Trigger | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques | 2024-09-30 |
| Scheduled Task Creation on Remote Endpoint using At | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, At | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-09-30 |
| Scheduled Task Deleted Or Created via CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern | 2024-09-30 |
| Scheduled Task Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-09-30 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job | TTP | CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig | 2024-09-30 |
| Schtasks scheduling job on remote system | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks | 2024-09-30 |
| Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30 |
| Script Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation | TTP | Suspicious WMI Use | 2024-09-30 |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | Command and Scripting Interpreter, PowerShell | TTP | Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | Scheduled Task | TTP | Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks | 2024-09-30 |
| Single Letter Process On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | User Execution, Malicious File | TTP | DHS Report TA18-074A | 2024-09-30 |
| Sunburst Correlation DLL and Network Event | Sysmon EventID 22, Sysmon EventID 7 | Exploitation for Client Execution | TTP | NOBELIUM Group | 2024-10-17 |
| Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Unix Shell | TTP | Linux Post-Exploitation | 2024-09-30 |
| Suspicious Process DNS Query Known Abuse Web Services | Sysmon EventID 22 | Visual Basic, Command and Scripting Interpreter | TTP | Data Destruction, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate | 2024-09-30 |
| Suspicious Process Executed From Container File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Malicious File, Masquerade File Type | TTP | Amadey, Remcos, Snake Keylogger, Unusual Processes | 2024-09-30 |
| Suspicious Process With Discord DNS Query | Sysmon EventID 22 | Visual Basic, Command and Scripting Interpreter | Anomaly | Data Destruction, WhisperGate | 2024-09-30 |
| Suspicious Scheduled Task from Public Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | Anomaly | Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30 |
| Svchost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks | 2024-09-30 |
| Unloading AMSI via Reflection | Powershell Script Block Logging 4104 | Impair Defenses, PowerShell, Command and Scripting Interpreter | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Vbscript Execution Using Wscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Visual Basic, Command and Scripting Interpreter | TTP | AsyncRAT, FIN7, Remcos | 2024-09-30 |
| Wermgr Process Spawned CMD Or Powershell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Qakbot, Trickbot | 2024-09-30 |
| Windows Apache Benchmark Binary | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Anomaly | MetaSploit | 2024-09-30 |
| Windows AutoIt3 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | DarkGate Malware, Handala Wiper | 2024-09-30 |
| Windows Command and Scripting Interpreter Hunting Path Traversal | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Hunting | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2024-10-17 |
| Windows Command and Scripting Interpreter Path Traversal Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | TTP | Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics | 2024-09-30 |
| Windows Command Shell DCRat ForkBomb Payload | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Command Shell, Command and Scripting Interpreter | TTP | DarkCrystal RAT | 2024-09-30 |
| Windows Common Abused Cmd Shell Risk Behavior | | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-09-30 |
| Windows Defender ASR Audit Events | Windows Event Log Defender 1122 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-09-30 |
| Windows Defender ASR Block Events | Windows Event Log Defender 1121, Windows Event Log Defender 1129 | Command and Scripting Interpreter, Spearphishing Attachment, Spearphishing Link | Anomaly | Windows Attack Surface Reduction | 2024-09-30 |
| Windows Defender ASR Rules Stacking | Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007 | Spearphishing Attachment, Spearphishing Link, Command and Scripting Interpreter | Hunting | Windows Attack Surface Reduction | 2024-10-17 |
| Windows Enable PowerShell Web Access | Powershell Script Block Logging 4104 | PowerShell | TTP | CISA AA24-241A, Malicious PowerShell | 2024-09-30 |
| Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2024-09-30 |
| Windows Executable in Loaded Modules | Sysmon EventID 7 | Shared Modules | TTP | NjRAT | 2024-09-30 |
| Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks | 2024-09-30 |
| Windows Identify Protocol Handlers | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter | Hunting | Living Off The Land | 2024-10-17 |
| Windows ISO LNK File Creation | Sysmon EventID 11 | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting | AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT | 2024-10-17 |
Windows MSExchange Management Mailbox Cmdlet Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter PowerShell Anomaly BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-09-30
Windows Powershell Cryptography Namespace Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Anomaly AsyncRAT 2024-09-30
Windows PowerShell Get CIMInstance Remote Computer Powershell Script Block Logging 4104 PowerShell Anomaly Active Directory Lateral Movement 2024-09-30
Windows Powershell Import Applocker Policy Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter Disable or Modify Tools Impair Defenses TTP Azorult 2024-09-30
Windows Powershell RemoteSigned File CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 PowerShell Command and Scripting Interpreter Anomaly Amadey 2024-09-30
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 Scheduled Task PowerShell Command and Scripting Interpreter Anomaly Scheduled Tasks 2024-09-30
Windows PowerShell WMI Win32 ScheduledJob Powershell Script Block Logging 4104 PowerShell Command and Scripting Interpreter TTP Active Directory Lateral Movement 2024-09-30
Windows Registry Delete Task SD Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Impair Defenses Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows Scheduled Task Created Via XML CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern 2024-09-30
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Command and Scripting Interpreter TTP Windows Persistence Techniques 2024-09-30
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks 2024-09-30
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Qakbot, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Windows Service Create SliverC2 Windows Event Log System 7045 System Services Service Execution TTP BishopFox Sliver Adversary Emulation Framework 2024-09-30
Windows Service Created with Suspicious Service Path Windows Event Log System 7045 System Services Service Execution TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware 2024-09-30
Windows Snake Malware Service Create Windows Event Log System 7045 Kernel Modules and Extensions Service Execution TTP Snake Malware 2024-09-30
Windows Suspect Process With Authentication Traffic Sysmon EventID 3 Account Discovery Domain Account User Execution Malicious File Anomaly Active Directory Discovery 2024-09-30
Windows User Execution Malicious URL Shortcut File Sysmon EventID 11 Malicious File User Execution TTP Chaos Ransomware, NjRAT, Snake Keylogger 2024-09-30
Windows WinDBG Spawning AutoIt3 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter TTP DarkGate Malware 2024-09-30
Windows WMI Impersonate Token Sysmon EventID 10 Windows Management Instrumentation Anomaly Qakbot 2024-09-30
Windows WMI Process And Service List CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Anomaly Prestige Ransomware, Windows Post-Exploitation 2024-09-30
Windows WMI Process Call Create CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Hunting CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern 2024-09-30
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-09-30
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 200 Scheduled Task Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern 2024-10-24
WMI Permanent Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-10-17
WMI Temporary Event Subscription Windows Management Instrumentation TTP Suspicious WMI Use 2024-10-17
Wmiprsve LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation TTP Active Directory Lateral Movement 2024-09-30
Detect Outbound LDAP Traffic Bro Exploit Public-Facing Application Command and Scripting Interpreter Hunting Log4Shell CVE-2021-44228 2024-10-17
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution TTP Windows DNS SIGRed CVE-2020-1350 2024-10-17
Juniper Networks Remote Code Execution Exploit Detection Suricata Exploit Public-Facing Application Ingress Tool Transfer Command and Scripting Interpreter TTP Juniper JunOS Remote Code Execution 2024-09-30
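Several of the Security 4698 rows above (Windows Hidden Schedule Task Settings, Windows Scheduled Task with Highest Privileges, Windows Schtasks Create Run As System, WinEvent Scheduled Task Created to Spawn Shell, WinEvent Scheduled Task Created Within Public Path) all key on fields inside the TaskContent XML that event 4698 carries. The Python below is an added example of those checks run over constructed task definitions; it is not Splunk's SPL for any of these detections, the three sample tasks are made up for the demonstration, and the public-path list, interpreter set and SYSTEM identifiers are this example's own assumptions rather than the page's.

```python
"""Added example: scheduled-task checks from the table above, applied to the
TaskContent XML of Security event 4698. Not Splunk's own search logic; the
sample task definitions below are constructed for this demo."""
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by 4698 TaskContent documents.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed list of user-writable directories that the "Public Path" /
# "Public Directory" rows key on; tune to your environment.
PUBLIC_PATHS = re.compile(
    r"\\(users\\public|programdata|appdata|temp|perflogs|windows\\tasks)\\",
    re.IGNORECASE,
)
# Assumed set of interpreters whose use as a task action the "Spawn Shell" row flags.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Principal identifiers that mean the task runs as LocalSystem.
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}


def analyze_task(task_xml: str) -> set:
    """Return the set of findings for one decoded 4698 TaskContent document."""
    root = ET.fromstring(task_xml)
    findings = set()

    # Windows Hidden Schedule Task Settings: <Settings><Hidden>true</Hidden>
    hidden = root.findtext(".//t:Settings/t:Hidden", default="", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.add("hidden_task")

    # Windows Scheduled Task with Highest Privileges: RunLevel HighestAvailable
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS)
    if run_level.strip() == "HighestAvailable":
        findings.add("highest_privileges")

    # Windows Schtasks Create Run As System: principal is LocalSystem
    user_id = root.findtext(".//t:Principal/t:UserId", default="", namespaces=NS)
    if user_id.strip().upper() in SYSTEM_IDS:
        findings.add("run_as_system")

    # Spawn Shell / Public Path: inspect every <Exec> action's command and arguments
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        binary = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in SHELLS:
            findings.add("spawns_shell")
        if PUBLIC_PATHS.search(command) or PUBLIC_PATHS.search(args):
            findings.add("public_path")
    return findings


def triage(events) -> dict:
    """Map each (task name, TaskContent XML) pair to its sorted findings."""
    return {name: sorted(analyze_task(xml)) for name, xml in events}


# Constructed sample TaskContent documents (not captured events). Raw strings
# keep the Windows backslashes intact.
SAMPLE_EVENTS = [
    ("VendorAgent", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\agent.exe</Command><Arguments>--check</Arguments></Exec></Actions>
</Task>"""),
    ("OneDriveUpdater", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111-2222-3333-1001</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c start /min C:\Users\Public\Libraries\update.bat</Arguments></Exec></Actions>
</Task>"""),
    ("SystemHealthSvc", r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command><Arguments>-nop -w hidden -ep bypass -f C:\ProgramData\svc.ps1</Arguments></Exec></Actions>
</Task>"""),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EVENTS).items():
        print(f"{name:<16} {', '.join(hits) or 'no findings'}")
```

In a live 4698 event the TaskContent field is XML-escaped inside EventData, so unescape it before calling `analyze_task`. A single finding such as `highest_privileges` is common for legitimate administrative tasks; the TTP-grade rows above correspond to the combinations (a shell action pointed at a public path, or a hidden task running as SYSTEM), so score on the set rather than on any one flag.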