|
Okta Authentication Failed During MFA Challenge
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
Multi-Factor Authentication
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta New API Token Created
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta New Device Enrolled on Account
|
Okta
|
Device Registration
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
Default Accounts
Modify Authentication Process
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Risk Threshold Exceeded
|
Okta
|
Valid Accounts
Brute Force
|
Correlation
|
Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity
|
2025-01-21
|
|
Okta Successful Single Factor Authentication
|
Okta
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
Anomaly
|
Okta Account Takeover
|
2025-02-10
|
|
Okta Suspicious Activity Reported
|
Okta
|
Default Accounts
|
TTP
|
Okta Account Takeover
|
2025-02-10
|
|
Okta ThreatInsight Threat Detected
|
Okta
|
Cloud Accounts
|
Anomaly
|
Okta Account Takeover
|
2025-02-10
|
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
Multi-Factor Authentication Request Generation
Valid Accounts
Brute Force
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID New MFA Method After Credential Reset
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
PingID New MFA Method Registered For User
|
PingID
|
Multi-Factor Authentication Request Generation
Multi-Factor Authentication
Device Registration
|
TTP
|
Compromised User Account
|
2025-01-21
|
|
Splunk User Enumeration Attempt
|
Splunk
|
Valid Accounts
|
TTP
|
Splunk Vulnerabilities
|
2024-12-16
|
|
Windows AD add Self to Group
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
|
Windows AD Privileged Group Modification
|
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
|
Windows AD Self DACL Assignment
|
Windows Event Log Security 5136
|
Domain or Tenant Policy Modification
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-02-17
|
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
Account Manipulation
Impair Defenses
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2025-01-21
|
|
Abnormally High Number Of Cloud Infrastructure API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Compromised User Account, Suspicious Cloud User Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Instances Destroyed
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Instances Launched
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining, Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Abnormally High Number Of Cloud Security Group API Calls
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2025-02-10
|
|
ASL AWS Create Access Key
|
ASL AWS CloudTrail
|
Cloud Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS Create Policy Version to allow all resources
|
ASL AWS CloudTrail
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS IAM Delete Policy
|
ASL AWS CloudTrail
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
ASL AWS IAM Failure Group Deletion
|
ASL AWS CloudTrail
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
ASL AWS IAM Successful Group Deletion
|
ASL AWS CloudTrail
|
Cloud Groups
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
ASL AWS Multi-Factor Authentication Disabled
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS New MFA Method Registered For User
|
ASL AWS CloudTrail
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
ASL AWS SAML Update identity provider
|
ASL AWS CloudTrail
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2025-01-09
|
|
ASL AWS UpdateLoginProfile
|
ASL AWS CloudTrail
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Create Policy Version to allow all resources
|
AWS CloudTrail CreatePolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS CreateAccessKey
|
AWS CloudTrail CreateAccessKey
|
Cloud Account
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS CreateLoginProfile
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
aws detect attach to role policy
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
|
aws detect permanent key creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
|
aws detect role creation
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
|
aws detect sts assume role abuse
|
|
Valid Accounts
|
Hunting
|
AWS Cross Account Activity
|
2024-11-14
|
|
AWS IAM Delete Policy
|
AWS CloudTrail DeletePolicy
|
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS IAM Failure Group Deletion
|
AWS CloudTrail DeleteGroup
|
Account Manipulation
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
Cloud Groups
Account Manipulation
|
Hunting
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
Multi-Factor Authentication
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
Multi-Factor Authentication
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
Valid Accounts
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-11-14
|
|
AWS SAML Update identity provider
|
AWS CloudTrail UpdateSAMLProvider
|
Valid Accounts
|
TTP
|
Cloud Federated Credential Abuse
|
2024-11-14
|
|
AWS SetDefaultPolicyVersion
|
AWS CloudTrail SetDefaultPolicyVersion
|
Cloud Accounts
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
AWS Successful Single-Factor Authentication
|
AWS CloudTrail ConsoleLogin
|
Cloud Accounts
Cloud Accounts
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2025-02-10
|
|
AWS UpdateLoginProfile
|
AWS CloudTrail UpdateLoginProfile
|
Cloud Account
|
TTP
|
AWS IAM Privilege Escalation
|
2025-02-10
|
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Authentication Failed During MFA Challenge
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD External Guest User Invited
|
Azure Active Directory Invite external user
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure AD FullAccessAsApp Permission Assigned
|
Azure Active Directory Update application
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-11-14
|
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multiple AppIDs and UserAgents Authentication Spike
|
Azure Active Directory Sign-in activity
|
Valid Accounts
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-11-14
|
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
Cloud Account
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD New MFA Method Registered
|
Azure Active Directory Update user
|
Device Registration
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
Multi-Factor Authentication
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2025-02-10
|
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD PIM Role Assignment Activated
|
Azure Active Directory
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal New Client Credentials
|
Azure Active Directory
|
Additional Cloud Credentials
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2025-02-10
|
|
Azure AD Service Principal Owner Added
|
Azure Active Directory Add owner to application
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-11-14
|
|
Azure AD Service Principal Privilege Escalation
|
Azure Active Directory Add app role assignment to service principal
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
Cloud Accounts
Cloud Accounts
|
TTP
|
Azure Active Directory Account Takeover
|
2025-02-10
|
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2025-02-10
|
|
Azure AD User Enabled And Password Reset
|
Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
Account Manipulation
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure Automation Runbook Created
|
Azure Audit Create or Update an Azure Automation Runbook
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
Cloud Accounts
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
Circle CI Disable Security Job
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-11-14
|
|
Circle CI Disable Security Step
|
CircleCI
|
Compromise Host Software Binary
|
Anomaly
|
Dev Sec Ops
|
2024-11-14
|
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-11-14
|
|
Cloud Compute Instance Created By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Cloud Cryptomining
|
2025-02-10
|
|
Cloud Instance Modified By Previously Unseen User
|
AWS CloudTrail
|
Cloud Accounts
|
Anomaly
|
Suspicious Cloud Instance Activities
|
2025-02-10
|
|
Cloud Provisioning Activity From Previously Unseen City
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen IP Address
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
Cloud Provisioning Activity From Previously Unseen Region
|
AWS CloudTrail
|
Valid Accounts
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-11-14
|
|
GCP Authentication Failed During MFA Challenge
|
Google Workspace login_failure
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Detect gcploit framework
|
|
Valid Accounts
|
TTP
|
GCP Cross Account Activity
|
2024-11-14
|
|
GCP Multi-Factor Authentication Disabled
|
|
Multi-Factor Authentication
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
Cloud Accounts
Cloud Accounts
Multi-Factor Authentication Request Generation
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
GCP Successful Single-Factor Authentication
|
Google Workspace login_success
|
Cloud Accounts
Cloud Accounts
|
TTP
|
GCP Account Takeover
|
2025-02-10
|
|
Kubernetes Cron Job Creation
|
Kubernetes Audit
|
Container Orchestration Job
|
Anomaly
|
Kubernetes Security
|
2024-11-14
|
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Added Service Principal
|
O365
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Admin Consent Bypassed by Service Principal
|
O365 Add app role assignment to service principal.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Application Available To Other Tenants
|
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration
|
2025-02-10
|
|
O365 Application Registration Owner Added
|
O365 Add owner to application.
|
Account Manipulation
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
Additional Email Delegate Permissions
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Disable MFA
|
O365 Disable Strong Authentication.
|
Modify Authentication Process
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Elevated Mailbox Permission Assigned
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Excessive SSO logon errors
|
O365 UserLoginFailed
|
Modify Authentication Process
|
Anomaly
|
Cloud Federated Credential Abuse, Office 365 Account Takeover
|
2024-11-14
|
|
O365 External Guest User Invited
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 External Identity Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 FullAccessAsApp Permission Assigned
|
O365 Update application.
|
Additional Email Delegate Permissions
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 High Privilege Role Granted
|
O365 Add member to role.
|
Additional Cloud Roles
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Mailbox Folder Read Permission Assigned
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Mailbox Folder Read Permission Granted
|
|
Additional Email Delegate Permissions
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
Additional Cloud Roles
Remote Email Collection
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Multiple AppIDs and UserAgents Authentication Spike
|
O365 UserLoggedIn, O365 UserLoginFailed
|
Valid Accounts
|
Anomaly
|
Office 365 Account Takeover
|
2024-11-14
|
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
Cloud Account
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-11-14
|
|
O365 New Federated Domain Added
|
O365
|
Cloud Account
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 New MFA Method Registered
|
O365 Update user.
|
Device Registration
|
TTP
|
Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Privileged Role Assigned
|
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Persistence
|
2025-02-10
|
|
O365 Privileged Role Assigned To Service Principal
|
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation
|
2025-02-10
|
|
O365 Security And Compliance Alert Triggered
|
|
Cloud Accounts
|
TTP
|
Office 365 Account Takeover
|
2025-02-10
|
|
O365 Service Principal New Client Credentials
|
O365
|
Additional Cloud Credentials
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
O365 Service Principal Privilege Escalation
|
O365 Add app role assignment grant to user.
|
Additional Cloud Roles
|
TTP
|
Azure Active Directory Privilege Escalation, Office 365 Account Takeover
|
2025-02-10
|
|
O365 SharePoint Allowed Domains Policy Changed
|
|
Cloud Account
|
TTP
|
Azure Active Directory Persistence
|
2024-11-14
|
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
Additional Cloud Roles
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2025-02-10
|
|
Abnormally High AWS Instances Launched by User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-11-14
|
|
Abnormally High AWS Instances Launched by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2024-11-14
|
|
Abnormally High AWS Instances Terminated by User
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-11-14
|
|
Abnormally High AWS Instances Terminated by User - MLTK
|
|
Cloud Accounts
|
Anomaly
|
Suspicious AWS EC2 Activities
|
2024-11-14
|
|
ASL AWS CreateAccessKey
|
|
Valid Accounts
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-11-14
|
|
Change Default File Association
|
Sysmon EventID 12, Sysmon EventID 13
|
Change Default File Association
|
TTP
|
Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Create local admin accounts using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
TTP
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2025-02-10
|
|
Detect AWS API Activities From Unapproved Accounts
|
|
Cloud Accounts
|
Hunting
|
AWS User Monitoring
|
2024-11-14
|
|
Detect new API calls from user roles
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-11-14
|
|
Detect new user AWS Console Login
|
|
Cloud Accounts
|
Hunting
|
Suspicious AWS Login Activities
|
2024-11-14
|
|
Detect Spike in AWS API Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-11-14
|
|
Detect Spike in Security Group Activity
|
|
Cloud Accounts
|
Anomaly
|
AWS User Monitoring
|
2024-11-14
|
|
Detect Webshell Exploit Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
EC2 Instance Modified With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
Unusual AWS EC2 Modifications
|
2024-11-14
|
|
EC2 Instance Started With Previously Unseen User
|
|
Cloud Accounts
|
Anomaly
|
AWS Cryptomining, Suspicious AWS EC2 Activities
|
2025-01-16
|
|
GCP Detect accounts with high risk roles by project
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-11-14
|
|
GCP Detect high risk permissions by resource and account
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-11-14
|
|
gcp detect oauth token abuse
|
|
Valid Accounts
|
Hunting
|
GCP Cross Account Activity
|
2024-11-14
|
|
Identify New User Accounts
|
|
Domain Accounts
|
Hunting
|
N/A
|
2024-11-14
|
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2025-02-10
|
|
O365 Suspicious Rights Delegation
|
|
Additional Email Delegate Permissions
Remote Email Collection
|
TTP
|
Office 365 Collection Techniques
|
2025-02-10
|
|
Okta Account Lockout Events
|
|
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2025-02-10
|
|
Okta Failed SSO Attempts
|
|
Default Accounts
|
Anomaly
|
Suspicious Okta Activity
|
2025-02-10
|
|
Okta ThreatInsight Login Failure with High Unknown users
|
|
Default Accounts
Credential Stuffing
|
TTP
|
Suspicious Okta Activity
|
2025-02-10
|
|
Okta ThreatInsight Suspected PasswordSpray Attack
|
|
Default Accounts
Password Spraying
|
TTP
|
Suspicious Okta Activity
|
2025-02-10
|
|
Scheduled tasks used in BadRabbit ransomware
|
Sysmon EventID 1
|
Scheduled Task
|
TTP
|
Ransomware
|
2024-11-14
|
|
Suspicious Changes to File Associations
|
Sysmon EventID 1
|
Change Default File Association
|
TTP
|
Suspicious Windows Registry Activities, Windows File Extension and Association Abuse
|
2024-11-14
|
|
Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2025-02-06
|
|
Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, Crypto Stealer, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2025-02-10
|
|
Web Fraud - Account Harvesting
|
|
Create Account
|
TTP
|
Web Fraud Detection
|
2024-11-14
|
|
Web Fraud - Anomalous User Clickspeed
|
|
Valid Accounts
|
Anomaly
|
Web Fraud Detection
|
2024-11-14
|
|
Windows DLL Search Order Hijacking Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
Hunting
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Active Setup Registry Autostart
|
Sysmon EventID 13
|
Active Setup
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-11-13
|
|
BITSAdmin Download File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
Ingress Tool Transfer
|
TTP
|
BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land
|
2024-11-13
|
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
|
TTP
|
Clop Ransomware, Compromised Windows Host
|
2024-12-10
|
|
CMD Echo Pipe - Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Command Shell
Windows Service
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Compromised Windows Host, Graceful Wipe Out Attack
|
2025-02-10
|
|
Detect Excessive Account Lockouts From Endpoint
|
|
Domain Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Detect Excessive User Account Lockouts
|
|
Local Accounts
|
Anomaly
|
Active Directory Password Spraying
|
2025-02-10
|
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, Compromised Windows Host, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2025-02-10
|
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
Local Account
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group
|
2025-02-10
|
|
Detect Path Interception By Creation Of program exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Path Interception by Unquoted Path
|
TTP
|
Windows Persistence Techniques
|
2025-02-10
|
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Suspicious WMI Use
|
2025-02-10
|
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
Modify Authentication Process
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-11-13
|
|
Exchange PowerShell Abuse via SSRF
|
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2025-02-19
|
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement smbexec CommandLine Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Impacket Lateral Movement WMIExec Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
SMB/Windows Admin Shares
Distributed Component Object Model
Windows Management Instrumentation
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2025-02-10
|
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-11-13
|
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
Cron
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Add User Account
|
Sysmon for Linux EventID 1
|
Local Account
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Adding Crontab Using List Parameter
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux At Allow Config File Creation
|
Sysmon for Linux EventID 11
|
Cron
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
At
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Auditd Add User Account
|
Linux Auditd Proctitle
|
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Add User Account Type
|
Linux Auditd Add User
|
Local Account
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd At Application Execution
|
Linux Auditd Syscall
|
At
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Auditd Edit Cron Table Parameter
|
Linux Auditd Syscall
|
Cron
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Auditd Insert Kernel Module Using Insmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2025-02-10
|
|
Linux Auditd Install Kernel Module Using Modprobe Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-10
|
|
Linux Auditd Kernel Module Using Rmmod Utility
|
Linux Auditd Syscall
|
Kernel Modules and Extensions
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Possible Access Or Modification Of Sshd Config File
|
Linux Auditd Path
|
SSH Authorized Keys
|
Anomaly
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
|
Linux Auditd Path
|
Cron
|
Hunting
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Auditd Preload Hijack Library Calls
|
Linux Auditd Execve
|
Dynamic Linker Hijacking
|
TTP
|
Compromised Linux Host, Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation, Nexus APT Threat Activity
|
2025-02-10
|
|
Linux Auditd Preload Hijack Via Preload File
|
Linux Auditd Path
|
Dynamic Linker Hijacking
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Service Restarted
|
Linux Auditd Proctitle
|
Systemd Timers
|
Anomaly
|
AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path
|
Unix Shell Configuration Modification
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
Kernel Modules and Extensions
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-10
|
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
RC Scripts
|
Anomaly
|
Backdoor Pingpong, Linux Persistence Techniques, Linux Privilege Escalation, Nexus APT Threat Activity, XorDDos
|
2025-02-10
|
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
Unix Shell Configuration Modification
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit, XorDDos
|
2025-02-10
|
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2025-02-10
|
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-11-13
|
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
Unix Shell Configuration Modification
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks, XorDDos
|
2025-02-10
|
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2025-02-10
|
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
|
TTP
|
Earth Estries, Linux Persistence Techniques, Linux Privilege Escalation, Nexus APT Threat Activity
|
2025-02-10
|
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2025-02-10
|
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land
|
2024-11-13
|
|
Living Off The Land Detection
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
Living Off The Land
|
2024-11-13
|
|
Log4Shell CVE-2021-44228 Exploitation
|
|
Ingress Tool Transfer
Exploit Public-Facing Application
Command and Scripting Interpreter
External Remote Services
|
Correlation
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-11-13
|
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
Logon Script (Windows)
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 13
|
Port Monitors
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-10
|
|
MS Exchange Mailbox Replication service writing Active Server Pages
|
Sysmon EventID 1, Sysmon EventID 11
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
BlackByte Ransomware, ProxyShell, Ransomware
|
2025-02-10
|
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
TTP
|
Ransomware, Revil Ransomware
|
2025-02-10
|
|
Outbound Network Connection from Java Using Default Ports
|
Sysmon EventID 1, Sysmon EventID 3
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Log4Shell CVE-2021-44228
|
2024-11-13
|
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
Accessibility Features
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2025-02-10
|
|
PaperCut NG Suspicious Behavior Debug Log
|
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-11-13
|
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
PowerShell
MMC
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2025-02-10
|
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-11-13
|
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
PowerShell
Component Object Model Hijacking
|
TTP
|
Malicious PowerShell
|
2025-02-10
|
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
PowerShell
Component Object Model Hijacking
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2025-02-10
|
|
PowerShell Start-BitsTransfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
BITS Jobs
|
TTP
|
BITS Jobs, Gozi Malware
|
2024-11-13
|
|
Print Processor Registry Autostart
|
Sysmon EventID 13
|
Print Processors
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2025-02-10
|
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
Print Processors
|
TTP
|
PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 808
|
Print Processors
|
TTP
|
PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2025-02-10
|
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
Windows Service
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2025-02-10
|
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2025-02-10
|
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 13
|
Application Shimming
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-10
|
|
Registry Keys Used For Persistence
|
Sysmon EventID 13
|
Registry Run Keys / Startup Folder
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Derusbi, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, Nexus APT Threat Activity, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, WinDealer RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2025-02-10
|
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 13
|
Image File Execution Options Injection
|
TTP
|
Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Azorult, Crypto Stealer, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2025-02-10
|
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-12-10
|
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Compromised Windows Host, IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-12-10
|
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, NOBELIUM Group, Nexus APT Threat Activity, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2025-02-10
|
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-11-13
|
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2025-02-10
|
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
|
Screensaver Event Trigger Execution
|
Sysmon EventID 13
|
Screensaver
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2025-02-10
|
|
Shim Database File Creation
|
Sysmon EventID 11
|
Application Shimming
|
TTP
|
Windows Persistence Techniques
|
2025-02-10
|
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Application Shimming
|
TTP
|
Compromised Windows Host, Windows Persistence Techniques
|
2025-02-10
|
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Scheduled Tasks
|
2024-12-10
|
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
Local Accounts
Local Account
|
TTP
|
Active Directory Lateral Movement
|
2025-02-10
|
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Print Processors
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
Print Processors
|
TTP
|
PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Spoolsv Writing a DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Print Processors
|
TTP
|
Compromised Windows Host, PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
Print Processors
|
TTP
|
PrintNightmare CVE-2021-34527
|
2025-02-10
|
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, Compromised Windows Host, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Launch Agent
|
TTP
|
Silver Sparrow
|
2025-02-10
|
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
|
TTP
|
Silver Sparrow
|
2025-02-10
|
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, Crypto Stealer, DarkCrystal RAT, Earth Estries, Living Off The Land, MoonPeak, Nexus APT Threat Activity, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2025-02-10
|
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2025-02-10
|
|
Time Provider Persistence Registry
|
Sysmon EventID 13
|
Time Providers
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Unusual Number of Remote Endpoint Authentication Events
|
Windows Event Log Security 4624
|
Valid Accounts
|
Hunting
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
W3WP Spawning Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
Event Triggered Execution
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD DSRM Account Changes
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-11-13
|
|
Windows AD DSRM Password Reset
|
Windows Event Log Security 4794
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows AD Short Lived Domain Account ServicePrincipalName
|
Windows Event Log Security 5136
|
Account Manipulation
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-11-13
|
|
Windows Audit Policy Auditing Option Modified - Registry
|
Sysmon EventID 13
|
Active Setup
|
Anomaly
|
Windows Audit Policy Tampering
|
2025-01-27
|
|
Windows Autostart Execution LSASS Driver Registry Modification
|
Sysmon EventID 13
|
LSASS Driver
|
TTP
|
Windows Registry Abuse
|
2024-11-13
|
|
Windows Boot or Logon Autostart Execution In Startup Folder
|
Sysmon EventID 11
|
Registry Run Keys / Startup Folder
|
Anomaly
|
Chaos Ransomware, Crypto Stealer, Gozi Malware, NjRAT, RedLine Stealer
|
2025-02-10
|
|
Windows BootLoader Inventory
|
|
System Firmware
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2025-02-10
|
|
Windows Change Default File Association For No File Ext
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Change Default File Association
|
TTP
|
Compromised Windows Host, Prestige Ransomware
|
2025-02-10
|
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Component Object Model Hijacking
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2025-02-10
|
|
Windows Compatibility Telemetry Suspicious Child Process
|
CrowdStrike ProcessRollup2
|
Event Triggered Execution
Scheduled Task
|
TTP
|
Windows Persistence Techniques
|
2025-02-13
|
|
Windows Compatibility Telemetry Tampering Through Registry
|
|
Event Triggered Execution
Scheduled Task
|
TTP
|
Windows Persistence Techniques
|
2025-02-13
|
|
Windows Create Local Account
|
|
Local Account
|
Anomaly
|
Active Directory Password Spraying, CISA AA24-241A
|
2025-02-10
|
|
Windows Create Local Administrator Account Via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Local Account
|
Anomaly
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2025-02-10
|
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
Disable Windows Event Logging
|
TTP
|
CISA AA23-347A, Compromised Windows Host, IIS Components, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows DLL Search Order Hijacking Hunt with Sysmon
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Hunting
|
Living Off The Land, Qakbot, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Search Order Hijacking
|
TTP
|
Compromised Windows Host, Living Off The Land, Windows Defense Evasion Tactics
|
2024-12-10
|
|
Windows DLL Side-Loading In Calc
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
Qakbot
|
2025-02-10
|
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
Anomaly
|
Qakbot
|
2025-02-10
|
|
Windows DnsAdmins New Member Added
|
Windows Event Log Security 4732
|
Account Manipulation
|
TTP
|
Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Enable Win32 ScheduledJob via Registry
|
Sysmon EventID 13
|
Scheduled Task
|
Anomaly
|
Active Directory Lateral Movement, Scheduled Tasks
|
2024-11-13
|
|
Windows ESX Admins Group Creation Security Event
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows ESX Admins Group Creation via Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2025-01-13
|
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
Domain Account
Local Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
Image File Execution Options Injection
|
Hunting
|
Windows Persistence Techniques
|
2024-11-13
|
|
Windows Group Policy Object Created
|
Windows Event Log Security 5136, Windows Event Log Security 5137
|
Domain Accounts
Group Policy Modification
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2025-02-10
|
|
Windows Hidden Schedule Task Settings
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Active Directory Discovery, CISA AA22-257A, Compromised Windows Host, Data Destruction, Industroyer2, Scheduled Tasks
|
2024-12-10
|
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
DLL Search Order Hijacking
|
Anomaly
|
Brute Ratel C4
|
2025-02-10
|
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows IIS Components Get-WebGlobalModule Module Query
|
Powershell Installed IIS Modules
|
IIS Components
|
Hunting
|
IIS Components, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows IIS Components New Module Added
|
Windows IIS 29
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Cleo File Transfer Software, Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-12-16
|
|
Windows Known Abused DLL Created
|
Sysmon EventID 1, Sysmon EventID 11
|
DLL Search Order Hijacking
DLL Side-Loading
|
Anomaly
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Known Abused DLL Loaded Suspiciously
|
Sysmon EventID 7
|
DLL Search Order Hijacking
DLL Side-Loading
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows Known GraphicalProton Loaded Modules
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
CISA AA23-347A
|
2025-02-10
|
|
Windows KrbRelayUp Service Creation
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Compromised Windows Host, Local Privilege Escalation With KrbRelayUp
|
2024-12-10
|
|
Windows Large Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Network Share Discovery
Valid Accounts
|
Anomaly
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-11-13
|
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
|
TTP
|
Compromised Windows Host, Qakbot
|
2025-02-10
|
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Compromised Windows Host, Living Off The Land
|
2024-12-10
|
|
Windows MOVEit Transfer Writing ASPX
|
Sysmon EventID 11
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
MOVEit Transfer Critical Vulnerability
|
2024-11-13
|
|
Windows Multiple Account Passwords Changed
|
Windows Event Log Security 4724
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows Multiple Accounts Disabled
|
Windows Event Log Security 4725
|
Account Manipulation
Valid Accounts
|
TTP
|
Azure Active Directory Persistence
|
2024-11-13
|
|
Windows New Default File Association Value Set
|
Sysmon EventID 13
|
Change Default File Association
|
Hunting
|
Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2025-02-10
|
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command and Scripting Interpreter
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Compromised Windows Host, PaperCut MF NG Vulnerability
|
2024-12-10
|
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows PowerShell Disable HTTP Logging
|
Powershell Script Block Logging 4104
|
IIS Components
Disable Windows Event Logging
|
TTP
|
IIS Components, Windows Defense Evasion Tactics
|
2025-02-10
|
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
IIS Components
|
Anomaly
|
IIS Components
|
2025-02-10
|
|
Windows PowerShell ScheduleTask
|
Powershell Script Block Logging 4104
|
Scheduled Task
PowerShell
|
Anomaly
|
Scheduled Tasks
|
2025-02-10
|
|
Windows PowerView AD Access Control List Enumeration
|
Powershell Script Block Logging 4104
|
Domain Accounts
Permission Groups Discovery
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware
|
2024-11-13
|
|
Windows Privileged Group Modification
|
|
Local Account
Domain Account
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-11-13
|
|
Windows Process Execution in Temp Dir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Match Legitimate Name or Location
|
Anomaly
|
AgentTesla, NjRAT, Qakbot, Ransomware, Remcos, Ryuk Ransomware, Trickbot
|
2025-01-27
|
|
Windows RDPClient Connection Sequence Events
|
Windows Event Log Microsoft Windows TerminalServices RDPClient 1024
|
External Remote Services
|
Anomaly
|
Spearphishing Attachments
|
2025-01-21
|
|
Windows Registry BootExecute Modification
|
Sysmon EventID 13
|
Pre-OS Boot
Registry Run Keys / Startup Folder
|
TTP
|
Windows BootKits
|
2024-12-16
|
|
Windows Registry Delete Task SD
|
Sysmon EventID 13
|
Scheduled Task
Impair Defenses
|
Anomaly
|
Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse
|
2025-01-21
|
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 13
|
Registry Run Keys / Startup Folder
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2025-02-10
|
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
Anomaly
|
Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A
|
2025-02-10
|
|
Windows Scheduled Task Created Via XML
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern
|
2025-02-10
|
|
Windows Scheduled Task DLL Module Loaded
|
Sysmon EventID 7
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2024-11-13
|
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1
|
Scheduled Task
Command and Scripting Interpreter
|
TTP
|
Windows Persistence Techniques
|
2025-02-19
|
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
AsyncRAT, CISA AA23-347A, Compromised Windows Host, RedLine Stealer, Scheduled Tasks
|
2025-02-10
|
|
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
ValleyRAT
|
2025-02-17
|
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2025-02-10
|
|
Windows Security Support Provider Reg Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Security Support Provider
|
Anomaly
|
Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation
|
2025-02-10
|
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
IIS Components
|
TTP
|
IIS Components
|
2025-02-10
|
|
Windows Service Create Kernel Mode Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exploitation for Privilege Escalation
Windows Service
|
TTP
|
CISA AA22-320A, Windows Drivers
|
2025-02-10
|
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
Windows Service
|
Anomaly
|
Active Directory Discovery
|
2025-02-10
|
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
RDP Hijacking
|
TTP
|
Active Directory Lateral Movement, Compromised Windows Host
|
2025-02-10
|
|
Windows Service Created Within Public Path
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, Snake Malware
|
2025-02-10
|
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2025-02-10
|
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 13
|
Services Registry Permissions Weakness
|
Anomaly
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Crypto Stealer, Derusbi, Earth Estries, Nexus APT Threat Activity, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2025-01-27
|
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2025-02-10
|
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
Kernel Modules and Extensions
|
TTP
|
Snake Malware
|
2024-11-13
|
|
Windows Snake Malware Service Create
|
Windows Event Log System 7045
|
Kernel Modules and Extensions
Service Execution
|
TTP
|
Compromised Windows Host, Snake Malware
|
2024-12-10
|
|
Windows SqlWriter SQLDumper DLL Sideload
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-11-13
|
|
Windows Suspicious Child Process Spawned From WebServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Web Shell
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Compromised Windows Host, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2025-02-10
|
|
Windows Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2025-02-03
|
|
Windows Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Match Legitimate Name or Location
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, Meduza Stealer, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2025-02-10
|
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
|
Anomaly
|
Derusbi, Earth Estries, Nexus APT Threat Activity, NjRAT, Warzone RAT
|
2025-01-27
|
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
DLL Side-Loading
|
TTP
|
DarkGate Malware, Derusbi, Earth Estries, Nexus APT Threat Activity, PlugX
|
2025-02-10
|
|
Windows Unsigned MS DLL Side-Loading
|
Sysmon EventID 7
|
DLL Side-Loading
Boot or Logon Autostart Execution
|
Anomaly
|
APT29 Diplomatic Deceptions with WINELOADER, Derusbi, Earth Estries, Nexus APT Threat Activity
|
2025-01-27
|
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
Windows Service
|
TTP
|
Windows Drivers
|
2024-11-13
|
|
Windows Vulnerable Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
Hunting
|
BlackByte Ransomware, Windows Drivers
|
2024-11-13
|
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
Bootkit
|
Hunting
|
BlackLotus Campaign
|
2024-11-13
|
|
WinEvent Scheduled Task Created to Spawn Shell
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
CISA AA22-257A, Compromised Windows Host, Earth Estries, Nexus APT Threat Activity, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern
|
2025-02-10
|
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Compromised Windows Host, Data Destruction, Earth Estries, IcedID, Industroyer2, Nexus APT Threat Activity, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2025-02-10
|
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200
|
Scheduled Task
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2024-11-13
|
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
Windows Management Instrumentation Event Subscription
|
TTP
|
Suspicious WMI Use
|
2025-02-10
|
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
Parent PID Spoofing
Create or Modify System Process
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2025-02-10
|
|
XMRIG Driver Loaded
|
Sysmon EventID 6
|
Windows Service
|
TTP
|
CISA AA22-320A, Crypto Stealer, XMRig
|
2025-02-10
|
|
Detect Software Download To Network Device
|
|
TFTP Boot
|
TTP
|
Router and Infrastructure Security
|
2025-02-10
|
|
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388
|
2024-11-15
|
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
Server Software Component
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-11-15
|
|
Detect attackers scanning for vulnerable JBoss servers
|
|
System Information Discovery
External Remote Services
|
TTP
|
JBoss Vulnerability, SamSam Ransomware
|
2024-11-15
|
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2025-02-10
|
|
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Fortinet FortiNAC CVE-2022-39952
|
2024-11-15
|
|
Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
2024-11-15
|
|
Hunting for Log4Shell
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-11-15
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-11-15
|
|
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Ivanti EPMM Remote Unauthenticated Access
|
2024-11-15
|
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-11-15
|
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-11-15
|
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-11-15
|
|
ProxyShell ProxyNotShell Behavior Detected
|
|
Exploit Public-Facing Application
External Remote Services
|
Correlation
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-11-15
|
|
Spring4Shell Payload URL Request
|
Nginx Access
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
Spring4Shell CVE-2022-22965
|
2025-02-10
|
|
Supernova Webshell
|
|
Web Shell
External Remote Services
|
TTP
|
NOBELIUM Group
|
2024-11-15
|
|
VMWare Aria Operations Exploit Attempt
|
Palo Alto Network Threat
|
External Remote Services
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Privilege Escalation
|
TTP
|
VMware Aria Operations vRealize CVE-2023-20887
|
2024-11-15
|
|
VMware Server Side Template Injection Hunt
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Hunting
|
VMware Server Side Injection and Privilege Escalation
|
2024-11-15
|
|
VMware Workspace ONE Freemarker Server-side Template Injection
|
Palo Alto Network Threat
|
Exploit Public-Facing Application
External Remote Services
|
Anomaly
|
VMware Server Side Injection and Privilege Escalation
|
2024-11-15
|
|
Web JSP Request via URL
|
Nginx Access
|
External Remote Services
Exploit Public-Facing Application
Web Shell
|
TTP
|
Spring4Shell CVE-2022-22965
|
2025-02-10
|
|
Web Spring4Shell HTTP Request Class Module
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-11-15
|
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-11-15
|
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
Exploit Public-Facing Application
External Remote Services
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2025-01-16
|