Persistence Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Multi-Factor Authentication Disabled | Okta | Modify Authentication Process, Multi-Factor Authentication | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New API Token Created | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New Device Enrolled on Account | Okta | Account Manipulation, Device Registration | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Valid Accounts, Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2024-10-17 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-09-30 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Suspicious Activity Reported | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta ThreatInsight Threat Detected | Okta | Valid Accounts, Cloud Accounts | Anomaly | Okta Account Takeover | 2024-09-30 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-10-17 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| ASL AWS IAM Delete Policy | | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS IAM Failure Group Deletion | | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS Multi-Factor Authentication Disabled | | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| ASL AWS New MFA Method Registered For User | | Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-10-17 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS CreateAccessKey | AWS CloudTrail CreateAccessKey | Cloud Account, Create Account | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS CreateLoginProfile | AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile | Cloud Account, Create Account | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS Multi-Factor Authentication Disabled | AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS New MFA Method Registered For User | AWS CloudTrail CreateVirtualMFADevice | Modify Authentication Process, Multi-Factor Authentication | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| AWS UpdateLoginProfile | AWS CloudTrail UpdateLoginProfile | Cloud Account, Create Account | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-10-31 |
| Azure AD External Guest User Invited | Azure Active Directory Invite external user | Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Multiple Service Principals Created by SP | Azure Active Directory Add service principal | Cloud Account | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Multiple Service Principals Created by User | Azure Active Directory Add service principal | Cloud Account | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | Account Manipulation, Device Registration | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | Modify Authentication Process, Multi-Factor Authentication | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2024-09-30 |
| Azure AD PIM Role Assigned | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Created | Azure Active Directory Add service principal | Cloud Account | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | Account Manipulation, Additional Cloud Credentials | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | Account Manipulation | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure Automation Account Created | Azure Audit Create or Update an Azure Automation account | Create Account, Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | Create Account, Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Circle CI Disable Security Job | CircleCI | Compromise Host Software Binary | Anomaly | Dev Sec Ops | 2024-09-30 |
| Circle CI Disable Security Step | CircleCI | Compromise Host Software Binary | Anomaly | Dev Sec Ops | 2024-10-17 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-17 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2024-10-17 |
| GCP Multi-Factor Authentication Disabled | | Compromise Accounts, Cloud Accounts, Modify Authentication Process, Multi-Factor Authentication | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Multiple Failed MFA Requests For User | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-09-30 |
| O365 Add App Role Assignment Grant User | O365 Add app role assignment grant to user. | Cloud Account, Create Account | TTP | Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Added Service Principal | O365 | Cloud Account, Create Account | TTP | Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Admin Consent Bypassed by Service Principal | O365 Add app role assignment to service principal. | Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Application Available To Other Tenants | | Additional Cloud Roles, Account Manipulation | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration | 2024-09-30 |
| O365 Application Registration Owner Added | O365 Add owner to application. | Account Manipulation | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 ApplicationImpersonation Role Assigned | O365 | Account Manipulation, Additional Email Delegate Permissions | TTP | NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Disable MFA | O365 Disable Strong Authentication. | Modify Authentication Process | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Elevated Mailbox Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Excessive SSO logon errors | O365 UserLoginFailed | Modify Authentication Process | Anomaly | Cloud Federated Credential Abuse, Office 365 Account Takeover | 2024-09-30 |
| O365 External Guest User Invited | | Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 External Identity Policy Changed | | Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 FullAccessAsApp Permission Assigned | O365 Update application. | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 High Privilege Role Granted | O365 Add member to role. | Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Mailbox Folder Read Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Folder Read Permission Granted | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2024-09-30 |
| O365 Multiple Service Principals Created by SP | O365 Add service principal. | Cloud Account | Anomaly | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Multiple Service Principals Created by User | O365 Add service principal. | Cloud Account | Anomaly | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 New Federated Domain Added | O365 | Cloud Account, Create Account | TTP | Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 New MFA Method Registered | O365 Update user. | Account Manipulation, Device Registration | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Privileged Role Assigned | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Privileged Role Assigned To Service Principal | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| O365 Security And Compliance Alert Triggered | | Valid Accounts, Cloud Accounts | TTP | Office 365 Account Takeover | 2024-09-30 |
| O365 Service Principal New Client Credentials | O365 | Account Manipulation, Additional Cloud Credentials | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 SharePoint Allowed Domains Policy Changed | | Cloud Account | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Tenant Wide Admin Consent Granted | O365 Consent to application. | Account Manipulation, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-10-17 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-10-17 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-10-17 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-10-17 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Web Fraud - Account Harvesting | | Create Account | TTP | Web Fraud Detection | 2024-10-17 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | Active Setup, Boot or Logon Autostart Execution | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-09-30 |
| BITS Job Persistence | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs | TTP | BITS Jobs, Living Off The Land | 2024-09-30 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | BITS Jobs, Ingress Tool Transfer | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-09-30 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-09-30 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | Create or Modify System Process | TTP | Clop Ransomware | 2024-09-30 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Create local admin accounts using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Local Account, Create Account | TTP | Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware | 2024-09-30 |
| Detect Excessive Account Lockouts From Endpoint | | Valid Accounts, Domain Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Excessive User Account Lockouts | | Valid Accounts, Local Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Exchange Web Shell | Sysmon EventID 1, Sysmon EventID 11 | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell | 2024-09-30 |
| Detect New Local Admin account | Windows Event Log Security 4720, Windows Event Log Security 4732 | Local Account, Create Account | TTP | CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group | 2024-09-30 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path, Hijack Execution Flow | TTP | Windows Persistence Techniques | 2024-09-30 |
| Detect Webshell Exploit Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Server Software Component, Web Shell | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities | 2024-09-30 |
| Detect WMI Event Subscription Persistence | Sysmon EventID 20 | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30 |
| Disabling Windows Local Security Authority Defences via Registry | Sysmon EventID 1, Sysmon EventID 13 | Modify Authentication Process | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| Exchange PowerShell Abuse via SSRF | | Exploit Public-Facing Application, External Remote Services | TTP | BlackByte Ransomware, ProxyNotShell, ProxyShell | 2024-10-17 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Java Writing JSP File | Sysmon EventID 1, Sysmon EventID 11 | Exploit Public-Facing Application, External Remote Services | TTP | Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Add User Account | Sysmon for Linux EventID 1 | Local Account, Create Account | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Add User Account | Linux Auditd Proctitle | Local Account, Create Account | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Add User Account Type | Linux Auditd Add User | Create Account, Local Account | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | SSH Authorized Keys, Account Manipulation | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Path | Unix Shell Configuration Modification, Event Triggered Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Edit Cron Table Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux File Created In Kernel Driver Directory | Sysmon for Linux EventID 11 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux File Creation In Init Boot Directory | Sysmon for Linux EventID 11 | RC Scripts, Boot or Logon Initialization Scripts | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux File Creation In Profile Directory | Sysmon for Linux EventID 11 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Insert Kernel Module Using Insmod Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Install Kernel Module Using Modprobe Utility | Sysmon for Linux EventID 1 | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Java Spawning Shell | Sysmon for Linux EventID 1 | Exploit Public-Facing Application, External Remote Services | TTP | Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965 | 2024-09-30 |
| Linux Possible Access Or Modification Of sshd Config File | Sysmon for Linux EventID 1 | SSH Authorized Keys, Account Manipulation | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Command To At Allow Config File | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Possible Append Command To Profile Config File | Sysmon for Linux EventID 1 | Unix Shell Configuration Modification, Event Triggered Execution | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Possible Append Cronjob Entry on Existing Cronjob File | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 SSH Authorized Keys Account Manipulation Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 Dynamic Linker Hijacking Hijack Execution Flow TTP Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Restarted Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Started Or Enabled Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 SSH Authorized Keys Anomaly Linux Living Off The Land 2024-09-30
Living Off The Land Detection Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation Living Off The Land 2024-09-30
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer Exploit Public-Facing Application Command and Scripting Interpreter External Remote Services Correlation CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Logon Script Event Trigger Execution Sysmon EventID 13 Boot or Logon Initialization Scripts Logon Script (Windows) TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-09-30
Monitor Registry Keys for Print Monitors Sysmon EventID 12, Sysmon EventID 13 Port Monitors Boot or Logon Autostart Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
MS Exchange Mailbox Replication service writing Active Server Pages Sysmon EventID 1, Sysmon EventID 11 Server Software Component Web Shell Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyShell, Ransomware 2024-10-17
MSI Module Loaded by Non-System Binary Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Msmpeng Application DLL Side Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Ransomware, Revil Ransomware 2024-09-30
Outbound Network Connection from Java Using Default Ports Sysmon EventID 1, Sysmon EventID 3 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228 2024-09-30
Overwriting Accessibility Binaries Sysmon EventID 11 Event Triggered Execution Accessibility Features TTP Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation 2024-09-30
PaperCut NG Suspicious Behavior Debug Log Exploit Public-Facing Application External Remote Services Hunting PaperCut MF NG Vulnerability 2024-10-17
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task Windows Service PowerShell MMC TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 Component Object Model Hijacking Command and Scripting Interpreter PowerShell TTP Malicious PowerShell 2024-09-30
Powershell Execute COM Object Powershell Script Block Logging 4104 Component Object Model Hijacking Event Triggered Execution PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
PowerShell Start-BitsTransfer CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 BITS Jobs TTP BITS Jobs, Gozi Malware 2024-09-30
Print Processor Registry Autostart Sysmon EventID 12, Sysmon EventID 13 Print Processors Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-10-17
Print Spooler Adding A Printer Driver Windows Event Log Printservice 316 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Print Spooler Failed to Load a Plug-in Windows Event Log Printservice 808 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 Scheduled Task/Job Scheduled Task Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-10-17
Randomly Generated Windows Service Name Windows Event Log System 7045 Create or Modify System Process Windows Service Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Services Registry Permissions Weakness Hijack Execution Flow TTP Living Off The Land, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Registry Keys for Creating SHIM Databases Sysmon EventID 12, Sysmon EventID 13 Application Shimming Event Triggered Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Registry Keys Used For Persistence Sysmon EventID 12, Sysmon EventID 13 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution TTP Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Registry Keys Used For Privilege Escalation Sysmon EventID 12, Sysmon EventID 13 Image File Execution Options Injection Event Triggered Execution TTP Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Sc exe Manipulating Windows Services CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Service Create or Modify System Process TTP Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 Scheduled Task/Job TTP Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-09-30
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 Scheduled Task/Job TTP IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques 2024-09-30
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job At TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern 2024-09-30
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job TTP CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig 2024-09-30
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-09-30
Schtasks used for forcing a reboot CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Screensaver Event Trigger Execution Sysmon EventID 12, Sysmon EventID 13 Event Triggered Execution Screensaver TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Services LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot 2024-09-30
Shim Database File Creation Sysmon EventID 11 Application Shimming Event Triggered Execution TTP Windows Persistence Techniques 2024-09-30
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Application Shimming Event Triggered Execution TTP Windows Persistence Techniques 2024-09-30
Short Lived Scheduled Task Windows Event Log Security 4698, Windows Event Log Security 4699 Scheduled Task TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks 2024-09-30
Short Lived Windows Accounts Windows Event Log System 4720, Windows Event Log System 4726 Local Account Create Account TTP Active Directory Lateral Movement 2024-09-30
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL - Sysmon Sysmon EventID 11 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Suspicious Computer Account Name Change Windows Event Log Security 4781 Valid Accounts Domain Accounts TTP Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious Driver Loaded Path Sysmon EventID 6 Windows Service Create or Modify System Process TTP AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig 2024-09-30
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 Valid Accounts Domain Accounts TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
Suspicious PlistBuddy Usage via OSquery Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
Suspicious Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-09-30
Suspicious Scheduled Task from Public Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job Anomaly Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 Valid Accounts Domain Accounts Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
Svchost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Time Provider Persistence Registry Sysmon EventID 12, Sysmon EventID 13 Time Providers Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 Valid Accounts Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 Valid Accounts Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
W3WP Spawning Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component Web Shell TTP BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities 2024-09-30
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 Event Triggered Execution TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DSRM Account Changes Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Account Manipulation TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows AD DSRM Password Reset Windows Event Log Security 4794 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-10-16
Windows AD Short Lived Domain Account ServicePrincipalName Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 12, Sysmon EventID 13 LSASS Driver TTP Windows Registry Abuse 2024-09-30
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution Anomaly Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer 2024-09-30
Windows BootLoader Inventory System Firmware Pre-OS Boot Hunting BlackLotus Campaign, Windows BootKits 2024-10-17
Windows Change Default File Association For No File Ext CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Change Default File Association Event Triggered Execution TTP Prestige Ransomware 2024-09-30
Windows COM Hijacking InprocServer32 Modification CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Component Object Model Hijacking Event Triggered Execution TTP Living Off The Land 2024-09-30
Windows Create Local Account Local Account Create Account Anomaly Active Directory Password Spraying, CISA AA24-241A 2024-09-30
Windows Disable Windows Event Logging Disable HTTP Logging CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Disable Windows Event Logging Impair Defenses Server Software Component IIS Components TTP CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics 2024-09-30
Windows DLL Search Order Hijacking Hunt with Sysmon Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Hunting Living Off The Land, Qakbot, Windows Defense Evasion Tactics 2024-10-17
Windows DLL Search Order Hijacking with iscsicpl CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Search Order Hijacking TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows DLL Side-Loading In Calc Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP Qakbot 2024-09-30
Windows DLL Side-Loading Process Child Of Calc CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow Anomaly Qakbot 2024-09-30
Windows DnsAdmins New Member Added Windows Event Log Security 4732 Account Manipulation TTP Active Directory Privilege Escalation 2024-09-30
Windows Enable Win32 ScheduledJob via Registry Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Anomaly Active Directory Lateral Movement, Scheduled Tasks 2024-09-30
Windows ESX Admins Group Creation Security Event Local Account Domain Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows ESX Admins Group Creation via Net Sysmon EventID 1 Domain Account Local Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows ESX Admins Group Creation via PowerShell Powershell Script Block Logging 4104 Domain Account Local Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Event Triggered Image File Execution Options Injection Windows Event Log Application 3000 Image File Execution Options Injection Hunting Windows Persistence Techniques 2024-10-17
Windows Group Policy Object Created Windows Event Log Security 5136, Windows Event Log Security 5137 Domain or Tenant Policy Modification Group Policy Modification Domain Accounts TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Hidden Schedule Task Settings Windows Event Log Security 4698 Scheduled Task/Job TTP Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks 2024-09-30
Windows Hijack Execution Flow Version Dll Side Load Sysmon EventID 7 DLL Search Order Hijacking Hijack Execution Flow Anomaly Brute Ratel C4 2024-09-30
Windows IIS Components Add New Module CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows IIS Components Get-WebGlobalModule Module Query Powershell Installed IIS Modules IIS Components Server Software Component Hunting IIS Components, WS FTP Server Critical Vulnerabilities 2024-10-17
Windows IIS Components Module Failed to Load Windows Event Log Application 2282 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows IIS Components New Module Added Windows IIS 29 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows Java Spawning Shells CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exploit Public-Facing Application External Remote Services TTP Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability 2024-10-17
Windows Known Abused DLL Created Sysmon EventID 1, Sysmon EventID 11 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow Anomaly Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known Abused DLL Loaded Suspiciously Sysmon EventID 7 DLL Search Order Hijacking DLL Side-Loading Hijack Execution Flow TTP Living Off The Land, Windows Defense Evasion Tactics 2024-09-30
Windows Known GraphicalProton Loaded Modules Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Anomaly CISA AA23-347A 2024-09-30
Windows KrbRelayUp Service Creation Windows Event Log System 7045 Windows Service TTP Local Privilege Escalation With KrbRelayUp 2024-09-30
Windows Large Number of Computer Service Tickets Requested Windows Event Log Security 4769 Network Share Discovery Valid Accounts Anomaly Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-09-30
Windows Masquerading Explorer As Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Qakbot 2024-09-30
Windows MOF Event Triggered Execution via WMI CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Management Instrumentation Event Subscription TTP Living Off The Land 2024-09-30
Windows MOVEit Transfer Writing ASPX Sysmon EventID 11 Exploit Public-Facing Application External Remote Services TTP MOVEit Transfer Critical Vulnerability 2024-10-17
Windows Multiple Account Passwords Changed Windows Event Log Security 4724 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Deleted Windows Event Log Security 4726 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows Multiple Accounts Disabled Windows Event Log Security 4725 Account Manipulation Valid Accounts TTP Azure Active Directory Persistence 2024-09-30
Windows PaperCut NG Spawn Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command and Scripting Interpreter Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-09-30
Windows PowerShell Add Module to Global Assembly Cache Powershell Script Block Logging 4104 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows PowerShell Disable HTTP Logging Powershell Script Block Logging 4104 Impair Defenses Disable Windows Event Logging Server Software Component IIS Components TTP IIS Components, Windows Defense Evasion Tactics 2024-09-30
Windows PowerShell IIS Components WebGlobalModule Usage Powershell Script Block Logging 4104 Server Software Component IIS Components Anomaly IIS Components 2024-09-30
Windows PowerShell ScheduleTask Powershell Script Block Logging 4104 Scheduled Task PowerShell Command and Scripting Interpreter Anomaly Scheduled Tasks 2024-09-30
Windows PowerView AD Access Control List Enumeration Powershell Script Block Logging 4104 Domain Accounts Permission Groups Discovery TTP Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware 2024-09-30
Windows Privileged Group Modification Local Account Domain Account TTP VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 2024-09-30
Windows Registry BootExecute Modification Sysmon EventID 12, Sysmon EventID 13 Pre-OS Boot Registry Run Keys / Startup Folder TTP Windows BootKits 2024-09-30
Windows Registry Delete Task SD Sysmon EventID 12, Sysmon EventID 13 Scheduled Task Impair Defenses Anomaly Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows Registry Modification for Safe Mode Persistence Sysmon EventID 12, Sysmon EventID 13 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution TTP Ransomware, Windows Drivers, Windows Registry Abuse 2024-09-30
Windows Remote Create Service CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service Anomaly Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Windows Scheduled Task Created Via XML CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern 2024-09-30
Windows Scheduled Task DLL Module Loaded Sysmon EventID 7 Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Scheduled Task Service Spawned Shell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Command and Scripting Interpreter TTP Windows Persistence Techniques 2024-09-30
Windows Scheduled Task with Highest Privileges CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks 2024-09-30
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr Scheduled Task/Job TTP ValleyRAT 2024-09-30
Windows Schtasks Create Run As System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Qakbot, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Windows Security Support Provider Reg Query CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Security Support Provider Boot or Logon Autostart Execution Anomaly Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation 2024-09-30
Windows Server Software Component GACUtil Install to GAC CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Server Software Component IIS Components TTP IIS Components 2024-09-30
Windows Service Create Kernel Mode Driver CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Service Create or Modify System Process Exploitation for Privilege Escalation TTP CISA AA22-320A, Windows Drivers 2024-09-30
Windows Service Create RemComSvc Windows Event Log System 7045 Windows Service Create or Modify System Process Anomaly Active Directory Discovery 2024-09-30
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 RDP Hijacking Remote Service Session Hijacking Windows Service TTP Active Directory Lateral Movement 2024-09-30
Windows Service Created Within Public Path Windows Event Log System 7045 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, Snake Malware 2024-09-30
Windows Service Creation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Service Creation Using Registry Entry Sysmon EventID 12, Sysmon EventID 13 Services Registry Permissions Weakness TTP Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows Service Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A 2024-09-30
Windows Snake Malware Kernel Driver Comadmin Sysmon EventID 11 Kernel Modules and Extensions TTP Snake Malware 2024-09-30
Windows Snake Malware Service Create Windows Event Log System 7045 Kernel Modules and Extensions Service Execution TTP Snake Malware 2024-09-30
Windows SqlWriter SQLDumper DLL Sideload Sysmon EventID 7 DLL Side-Loading TTP APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Unsigned DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Anomaly NjRAT, Warzone RAT 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow TTP DarkGate Malware, PlugX 2024-09-30
Windows Unsigned MS DLL Side-Loading Sysmon EventID 7 DLL Side-Loading Boot or Logon Autostart Execution Anomaly APT29 Diplomatic Deceptions with WINELOADER 2024-09-30
Windows Vulnerable Driver Installed Windows Event Log System 7045 Windows Service TTP Windows Drivers 2024-09-30
Windows Vulnerable Driver Loaded Sysmon EventID 6 Windows Service Hunting BlackByte Ransomware, Windows Drivers 2024-10-17
Windows WinLogon with Public Network Connection Sysmon EventID 1, Sysmon EventID 3 Bootkit Hunting BlackLotus Campaign 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern 2024-09-30
WinEvent Scheduled Task Created Within Public Path Windows Event Log Security 4698 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-09-30
WinEvent Windows Task Scheduler Event Action Started Windows Event Log TaskScheduler 200 Scheduled Task Hunting Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern 2024-10-24
WMI Permanent Event Subscription - Sysmon Sysmon EventID 21 Windows Management Instrumentation Event Subscription Event Triggered Execution TTP Suspicious WMI Use 2024-09-30
Wscript Or Cscript Suspicious Child Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection Create or Modify System Process Parent PID Spoofing Access Token Manipulation TTP Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate 2024-09-30
XMRIG Driver Loaded Sysmon EventID 6 Windows Service Create or Modify System Process TTP CISA AA22-320A, XMRig 2024-09-30
Detect Software Download To Network Device TFTP Boot Pre-OS Boot TTP Router and Infrastructure Security 2024-10-17
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 2024-09-30
Confluence Unauthenticated Remote Code Execution CVE-2022-26134 Palo Alto Network Threat Server Software Component Exploit Public-Facing Application External Remote Services TTP Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities 2024-09-30
Detect attackers scanning for vulnerable JBoss servers System Information Discovery External Remote Services TTP JBoss Vulnerability, SamSam Ransomware 2024-10-17
Exploit Public Facing Application via Apache Commons Text Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services Anomaly Text4Shell CVE-2022-42889 2024-09-30
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP Fortinet FortiNAC CVE-2022-39952 2024-09-30
Fortinet Appliance Auth bypass Palo Alto Network Threat Exploit Public-Facing Application External Remote Services TTP CVE-2022-40684 Fortinet Appliance Auth bypass 2024-09-30
Hunting for Log4Shell Nginx Access Exploit Public-Facing Application External Remote Services Hunting CISA AA22-320A, Log4Shell CVE-2021-44228 2024-10-17
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 Suricata Exploit Public-Facing Application External Remote Services TTP Ivanti EPMM Remote Unauthenticated Access 2024-09-30
Log4Shell JNDI Payload Injection Attempt Nginx Access Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application External Remote Services Anomaly CISA AA22-320A, Log4Shell CVE-2021-44228 2024-09-30
PaperCut NG Remote Web Access Attempt Suricata Exploit Public-Facing Application External Remote Services TTP PaperCut MF NG Vulnerability 2024-09-30
ProxyShell ProxyNotShell Behavior Detected Exploit Public-Facing Application External Remote Services Correlation BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30
Spring4Shell Payload URL Request Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Supernova Webshell Web Shell External Remote Services TTP NOBELIUM Group 2024-10-17
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation TTP VMware Aria Operations vRealize CVE-2023-20887 2024-09-30
VMware Server Side Template Injection Hunt Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Hunting VMware Server Side Injection and Privilege Escalation 2024-10-17
VMware Workspace ONE Freemarker Server-side Template Injection Palo Alto Network Threat Exploit Public-Facing Application External Remote Services Anomaly VMware Server Side Injection and Privilege Escalation 2024-09-30
Web JSP Request via URL Nginx Access Web Shell Server Software Component Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Spring4Shell HTTP Request Class Module Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Web Spring Cloud Function FunctionRouter Splunk Stream HTTP Exploit Public-Facing Application External Remote Services TTP Spring4Shell CVE-2022-22965 2024-09-30
Windows Exchange Autodiscover SSRF Abuse Windows IIS Exploit Public-Facing Application External Remote Services TTP BlackByte Ransomware, ProxyNotShell, ProxyShell 2024-09-30