Privilege Escalation Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New API Token Created | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New Device Enrolled on Account | Okta | Account Manipulation, Device Registration | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Valid Accounts, Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2024-10-17 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-09-30 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Suspicious Activity Reported | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta ThreatInsight Threat Detected | Okta | Valid Accounts, Cloud Accounts | Anomaly | Okta Account Takeover | 2024-09-30 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| Splunk Edit User Privilege Escalation | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App | Splunk | Exploitation for Privilege Escalation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Process Injection Forwarder Bundle Downloads | Splunk | Process Injection | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RBAC Bypass On Indexing Preview REST Endpoint | Splunk | Access Token Manipulation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk risky Command Abuse disclosed february 2023 | Splunk | Abuse Elevation Control Mechanism, Indirect Command Execution | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthorized Notification Input by User | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Deny ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Group ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous User ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD DCShadow Privileges ACL Addition | | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Deletion | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Deleted | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Disabled | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO New CSE Addition | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Hidden OU Creation | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Object Owner Updated | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious GPO Modification | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-10-17 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| ASL AWS IAM Delete Policy | | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS IAM Failure Group Deletion | | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-10-31 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | Domain or Tenant Policy Modification, Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | Domain or Tenant Policy Modification, Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | Account Manipulation, Device Registration | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD PIM Role Assigned | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | Account Manipulation, Additional Cloud Credentials | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | Account Manipulation | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-17 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2024-10-17 |
| GCP Multiple Failed MFA Requests For User | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-09-30 |
| O365 Admin Consent Bypassed by Service Principal | O365 Add app role assignment to service principal. | Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Application Available To Other Tenants | | Additional Cloud Roles, Account Manipulation | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration | 2024-09-30 |
| O365 Application Registration Owner Added | O365 Add owner to application. | Account Manipulation | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 ApplicationImpersonation Role Assigned | O365 | Account Manipulation, Additional Email Delegate Permissions | TTP | NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Cross-Tenant Access Change | | Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Elevated Mailbox Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 FullAccessAsApp Permission Assigned | O365 Update application. | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 High Privilege Role Granted | O365 Add member to role. | Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Mailbox Folder Read Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Folder Read Permission Granted | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2024-09-30 |
| O365 New MFA Method Registered | O365 Update user. | Account Manipulation, Device Registration | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Privileged Role Assigned | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Privileged Role Assigned To Service Principal | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| O365 Security And Compliance Alert Triggered | | Valid Accounts, Cloud Accounts | TTP | Office 365 Account Takeover | 2024-09-30 |
| O365 Service Principal New Client Credentials | O365 | Account Manipulation, Additional Cloud Credentials | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Tenant Wide Admin Consent Granted | O365 Consent to application. | Account Manipulation, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-10-17 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-10-17 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-10-17 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-10-17 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Active Directory Privilege Escalation Identified | | Domain or Tenant Policy Modification | Correlation | Active Directory Privilege Escalation | 2024-09-30 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | Active Setup, Boot or Logon Autostart Execution | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-09-30 |
| Allow Operation with Consent Admin | Sysmon EventID 12, Sysmon EventID 13 | Abuse Elevation Control Mechanism | TTP | Azorult, MoonPeak, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-09-30 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | TTP | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2024-10-17 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | Create or Modify System Process | TTP | Clop Ransomware | 2024-09-30 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Cobalt Strike Named Pipes | Sysmon EventID 17, Sysmon EventID 18 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot | 2024-09-30 |
| Create Remote Thread In Shell Application | Sysmon EventID 8 | Process Injection | TTP | IcedID, Qakbot, Warzone RAT | 2024-09-30 |
| Detect Baron Samedit CVE-2021-3156 | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Baron Samedit CVE-2021-3156 Segfault | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Excessive Account Lockouts From Endpoint | | Valid Accounts, Domain Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Excessive User Account Lockouts | | Valid Accounts, Local Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path, Hijack Execution Flow | TTP | Windows Persistence Techniques | 2024-09-30 |
| Detect WMI Event Subscription Persistence | Sysmon EventID 20 | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30 |
| Disable UAC Remote Restriction | Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| Disabling Remote User Account Control | Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| DLLHost with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-10-17 |
| Eventvwr UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| First Time Seen Child Process of Zoom | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | Anomaly | Suspicious Zoom Child Processes | 2024-10-17 |
| FodHelper UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | IcedID, ValleyRAT, Windows Defense Evasion Tactics | 2024-09-30 |
| GPUpdate with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux apt-get Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux APT Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | SSH Authorized Keys, Account Manipulation | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | Setuid and Setgid, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Path | Unix Shell Configuration Modification, Event Triggered Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux AWK Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Busybox Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c89 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux c99 Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | Setuid and Setgid, Abuse Elevation Control Mechanism | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-10-17 |
| Linux Composer Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux Cpulimit Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
Linux Csvtool Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Doas Conf File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Doas Tool Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Docker Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Edit Cron Table Parameter Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Emacs Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux File Created In Kernel Driver Directory Sysmon for Linux EventID 11 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux File Creation In Init Boot Directory Sysmon for Linux EventID 11 RC Scripts Boot or Logon Initialization Scripts Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux File Creation In Profile Directory Sysmon for Linux EventID 11 Unix Shell Configuration Modification Event Triggered Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Find Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GDB Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Gem Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux GNU Awk Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Insert Kernel Module Using Insmod Utility Sysmon for Linux EventID 1 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Install Kernel Module Using Modprobe Utility Sysmon for Linux EventID 1 Kernel Modules and Extensions Boot or Logon Autostart Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit 2024-09-30
Linux Make Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux MySQL Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Node Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux NOPASSWD Entry In Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Octave Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux OpenVPN Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Persistence and Privilege Escalation Risk Behavior Abuse Elevation Control Mechanism Correlation Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux PHP Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux pkexec Privilege Escalation Sysmon for Linux EventID 1 Exploitation for Privilege Escalation TTP Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Possible Access Or Modification Of sshd Config File Sysmon for Linux EventID 1 SSH Authorized Keys Account Manipulation Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Access To Sudoers File Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Append Command To At Allow Config File Sysmon for Linux EventID 1 At Scheduled Task/Job Anomaly Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Possible Append Command To Profile Config File Sysmon for Linux EventID 1 Unix Shell Configuration Modification Event Triggered Execution Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Possible Append Cronjob Entry on Existing Cronjob File Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Cronjob Modification With Editor Sysmon for Linux EventID 1 Cron Scheduled Task/Job Hunting Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-10-17
Linux Possible Ssh Key File Creation Sysmon for Linux EventID 11 SSH Authorized Keys Account Manipulation Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Preload Hijack Library Calls Sysmon for Linux EventID 1 Dynamic Linker Hijacking Hijack Execution Flow TTP Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Puppet Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux RPM Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Ruby Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux Service File Created In Systemd Directory Sysmon for Linux EventID 11 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Restarted Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Service Started Or Enabled Sysmon for Linux EventID 1 Systemd Timers Scheduled Task/Job Anomaly Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks 2024-09-30
Linux Setuid Using Chmod Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Setuid Using Setcap Utility Sysmon for Linux EventID 1 Setuid and Setgid Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Sqlite3 Privilege Escalation Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Living Off The Land, Linux Privilege Escalation 2024-09-30
Linux SSH Authorized Keys Modification Sysmon for Linux EventID 1 SSH Authorized Keys Anomaly Linux Living Off The Land 2024-09-30
Linux Sudo OR Su Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Hunting Linux Persistence Techniques, Linux Privilege Escalation 2024-10-17
Linux Sudoers Tmp File Creation Sysmon for Linux EventID 11 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Linux Visudo Utility Execution Sysmon for Linux EventID 1 Sudo and Sudo Caching Abuse Elevation Control Mechanism Anomaly Linux Persistence Techniques, Linux Privilege Escalation 2024-09-30
Loading Of Dynwrapx Module Sysmon EventID 7 Process Injection Dynamic-link Library Injection TTP AsyncRAT, Remcos 2024-09-30
Logon Script Event Trigger Execution Sysmon EventID 13 Boot or Logon Initialization Scripts Logon Script (Windows) TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-09-30
Monitor Registry Keys for Print Monitors Sysmon EventID 12, Sysmon EventID 13 Port Monitors Boot or Logon Autostart Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
MSI Module Loaded by Non-System Binary Sysmon EventID 7 DLL Side-Loading Hijack Execution Flow Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Msmpeng Application DLL Side Loading CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 DLL Side-Loading Hijack Execution Flow TTP Ransomware, Revil Ransomware 2024-09-30
NET Profiler UAC bypass Sysmon EventID 12, Sysmon EventID 13 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics 2024-09-30
Notepad with no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BishopFox Sliver Adversary Emulation Framework 2024-09-30
Overwriting Accessibility Binaries Sysmon EventID 11 Event Triggered Execution Accessibility Features TTP Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation 2024-09-30
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task Windows Service PowerShell MMC TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Potential password in username Linux Secure Local Accounts Credentials In Files Hunting Credential Dumping, Insider Threat 2024-10-17
Powershell COM Hijacking InprocServer32 Modification Powershell Script Block Logging 4104 Component Object Model Hijacking Command and Scripting Interpreter PowerShell TTP Malicious PowerShell 2024-09-30
Powershell Execute COM Object Powershell Script Block Logging 4104 Component Object Model Hijacking Event Triggered Execution PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware 2024-09-30
Powershell Fileless Process Injection via GetProcAddress Powershell Script Block Logging 4104 Command and Scripting Interpreter Process Injection PowerShell TTP Data Destruction, Hermetic Wiper, Malicious PowerShell 2024-09-30
Powershell Remote Thread To Known Windows Process Sysmon EventID 8 Process Injection TTP Trickbot 2024-09-30
Print Processor Registry Autostart Sysmon EventID 12, Sysmon EventID 13 Print Processors Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation 2024-10-17
Print Spooler Adding A Printer Driver Windows Event Log Printservice 316 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Print Spooler Failed to Load a Plug-in Windows Event Log Printservice 808 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Randomly Generated Scheduled Task Name Windows Event Log Security 4698 Scheduled Task/Job Scheduled Task Hunting Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks 2024-10-17
Randomly Generated Windows Service Name Windows Event Log System 7045 Create or Modify System Process Windows Service Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Reg exe Manipulating Windows Services Registry Keys CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Services Registry Permissions Weakness Hijack Execution Flow TTP Living Off The Land, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Registry Keys for Creating SHIM Databases Sysmon EventID 12, Sysmon EventID 13 Application Shimming Event Triggered Execution TTP Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Registry Keys Used For Persistence Sysmon EventID 12, Sysmon EventID 13 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution TTP Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Registry Keys Used For Privilege Escalation Sysmon EventID 12, Sysmon EventID 13 Image File Execution Options Injection Event Triggered Execution TTP Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Runas Execution in CommandLine CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Access Token Manipulation Token Impersonation/Theft Hunting Data Destruction, Hermetic Wiper, Windows Privilege Escalation 2024-10-17
Rundll32 Create Remote Thread To A Process Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Rundll32 CreateRemoteThread In Browser Sysmon EventID 8 Process Injection TTP IcedID, Living Off The Land 2024-09-30
Sc exe Manipulating Windows Services CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Windows Service Create or Modify System Process TTP Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse 2024-09-30
Schedule Task with HTTP Command Arguments Windows Event Log Security 4698 Scheduled Task/Job TTP Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern 2024-09-30
Schedule Task with Rundll32 Command Trigger Windows Event Log Security 4698 Scheduled Task/Job TTP IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques 2024-09-30
Scheduled Task Creation on Remote Endpoint using At CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job At TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Scheduled Task Deleted Or Created via CMD CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern 2024-09-30
Scheduled Task Initiation on Remote Endpoint CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Schtasks Run Task On Demand CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job TTP CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig 2024-09-30
Schtasks scheduling job on remote system CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks 2024-09-30
Schtasks used for forcing a reboot CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job TTP Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Screensaver Event Trigger Execution Sysmon EventID 12, Sysmon EventID 13 Event Triggered Execution Screensaver TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Sdclt UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
SearchProtocolHost with no Command Line with Network Sysmon EventID 1, Sysmon EventID 3 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Services Escalate Exe CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Abuse Elevation Control Mechanism TTP BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Services LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process Windows Service TTP Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot 2024-09-30
Shim Database File Creation Sysmon EventID 11 Application Shimming Event Triggered Execution TTP Windows Persistence Techniques 2024-09-30
Shim Database Installation With Suspicious Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Application Shimming Event Triggered Execution TTP Windows Persistence Techniques 2024-09-30
Short Lived Scheduled Task Windows Event Log Security 4698, Windows Event Log Security 4699 Scheduled Task TTP Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks 2024-09-30
SilentCleanup UAC Bypass CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse 2024-09-30
SLUI RunAs Elevated CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP DarkSide Ransomware, Windows Defense Evasion Tactics 2024-09-30
SLUI Spawning a Process CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Abuse Elevation Control Mechanism TTP DarkSide Ransomware, Windows Defense Evasion Tactics 2024-09-30
Spoolsv Spawning Rundll32 CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Suspicious Loaded Modules Sysmon EventID 7 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Suspicious Process Access Sysmon EventID 10 Exploitation for Privilege Escalation TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Spoolsv Writing a DLL - Sysmon Sysmon EventID 11 Print Processors Boot or Logon Autostart Execution TTP PrintNightmare CVE-2021-34527 2024-09-30
Suspicious Computer Account Name Change Windows Event Log Security 4781 Valid Accounts Domain Accounts TTP Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious DLLHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Driver Loaded Path Sysmon EventID 6 Windows Service Create or Modify System Process TTP AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig 2024-09-30
Suspicious GPUpdate no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Kerberos Service Ticket Request Windows Event Log Security 4769 Valid Accounts Domain Accounts TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-09-30
Suspicious PlistBuddy Usage CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
Suspicious PlistBuddy Usage via OSquery Launch Agent Create or Modify System Process TTP Silver Sparrow 2024-10-17
Suspicious Process File Path CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Create or Modify System Process TTP AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig 2024-09-30
Suspicious Scheduled Task from Public Directory CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task Scheduled Task/Job Anomaly Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques 2024-09-30
Suspicious SearchProtocolHost no Command Line Arguments CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Process Injection TTP BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack 2024-09-30
Suspicious Ticket Granting Ticket Request Windows Event Log Security 4768, Windows Event Log Security 4781 Valid Accounts Domain Accounts Hunting Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation 2024-10-17
Svchost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Scheduled Task/Job Scheduled Task TTP Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks 2024-09-30
Time Provider Persistence Registry Sysmon EventID 12, Sysmon EventID 13 Time Providers Boot or Logon Autostart Execution TTP Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse 2024-09-30
Trickbot Named Pipe Sysmon EventID 17, Sysmon EventID 18 Process Injection TTP Trickbot 2024-09-30
UAC Bypass MMC Load Unsigned Dll Sysmon EventID 7 Bypass User Account Control Abuse Elevation Control Mechanism MMC TTP Windows Defense Evasion Tactics 2024-09-30
Unusual Number of Computer Service Tickets Requested Windows Event Log Security 4769 Valid Accounts Hunting Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Unusual Number of Remote Endpoint Authentication Events Windows Event Log Security 4624 Valid Accounts Hunting Active Directory Lateral Movement, Active Directory Privilege Escalation 2024-10-17
Windows Access Token Manipulation SeDebugPrivilege Windows Event Log Security 4703 Create Process with Token Access Token Manipulation Anomaly AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX, ValleyRAT 2024-09-30
Windows Access Token Manipulation Winlogon Duplicate Token Handle Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Hunting Brute Ratel C4 2024-10-17
Windows Access Token Winlogon Duplicate Handle In Uncommon Path Sysmon EventID 10 Token Impersonation/Theft Access Token Manipulation Anomaly Brute Ratel C4 2024-09-30
Windows AD AdminSDHolder ACL Modified Windows Event Log Security 5136 Event Triggered Execution TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Cross Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Domain Replication ACL Addition Domain or Tenant Policy Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD DSRM Account Changes Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 Account Manipulation TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse 2024-09-30
Windows AD DSRM Password Reset Windows Event Log Security 4794 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Privileged Account SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD Same Domain SID History Addition Windows Event Log Security 4738, Windows Event Log Security 4742 SID-History Injection Access Token Manipulation TTP Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques 2024-09-30
Windows AD ServicePrincipalName Added To Domain Account Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-10-16
Windows AD Short Lived Domain Account ServicePrincipalName Windows Event Log Security 5136 Account Manipulation TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows AD SID History Attribute Modified Windows Event Log Security 5136 Access Token Manipulation SID-History Injection TTP Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Default Group Policy Object Modified Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Admon Group Policy Object Created Windows Active Directory Admon Domain or Tenant Policy Modification Group Policy Modification TTP Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks 2024-09-30
Windows Autostart Execution LSASS Driver Registry Modification Sysmon EventID 12, Sysmon EventID 13 LSASS Driver TTP Windows Registry Abuse 2024-09-30
Windows Boot or Logon Autostart Execution In Startup Folder Sysmon EventID 11 Registry Run Keys / Startup Folder Boot or Logon Autostart Execution Anomaly Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer 2024-09-30
Windows Bypass UAC via Pkgmgr Tool CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Bypass User Account Control Anomaly Warzone RAT 2024-09-30
Windows Change Default File Association For No File Ext | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Change Default File Association, Event Triggered Execution | TTP | Prestige Ransomware | 2024-09-30
Windows COM Hijacking InprocServer32 Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Component Object Model Hijacking, Event Triggered Execution | TTP | Living Off The Land | 2024-09-30
Windows Command Shell Fetch Env Variables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2024-09-30
Windows Default Group Policy Object Modified | Windows Event Log Security 5136 | Domain or Tenant Policy Modification, Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Default Group Policy Object Modified with GPME | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain or Tenant Policy Modification, Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows DISM Install PowerShell Web Access | Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | TTP | CISA AA24-241A | 2024-09-30
Windows DLL Search Order Hijacking Hunt with Sysmon | Sysmon EventID 7 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Qakbot, Windows Defense Evasion Tactics | 2024-10-17
Windows DLL Search Order Hijacking with iscsicpl | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows DLL Side-Loading In Calc | Sysmon EventID 7 | DLL Side-Loading, Hijack Execution Flow | TTP | Qakbot | 2024-09-30
Windows DLL Side-Loading Process Child Of Calc | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading, Hijack Execution Flow | Anomaly | Qakbot | 2024-09-30
Windows DnsAdmins New Member Added | Windows Event Log Security 4732 | Account Manipulation | TTP | Active Directory Privilege Escalation | 2024-09-30
Windows Driver Inventory |  | Exploitation for Privilege Escalation | Hunting | Windows Drivers | 2024-10-17
Windows Driver Load Non-Standard Path | Windows Event Log System 7045 | Rootkit, Exploitation for Privilege Escalation | TTP | AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers | 2024-10-17
Windows Drivers Loaded by Signature | Sysmon EventID 6 | Rootkit, Exploitation for Privilege Escalation | Hunting | AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers | 2024-10-17
Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2024-09-30
Windows Event Triggered Image File Execution Options Injection | Windows Event Log Application 3000 | Image File Execution Options Injection | Hunting | Windows Persistence Techniques | 2024-10-17
Windows Group Policy Object Created | Windows Event Log Security 5136, Windows Event Log Security 5137 | Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks | 2024-09-30
Windows Hijack Execution Flow Version Dll Side Load | Sysmon EventID 7 | DLL Search Order Hijacking, Hijack Execution Flow | Anomaly | Brute Ratel C4 | 2024-09-30
Windows Known Abused DLL Created | Sysmon EventID 1, Sysmon EventID 11 | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | Anomaly | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Known GraphicalProton Loaded Modules | Sysmon EventID 7 | DLL Side-Loading, Hijack Execution Flow | Anomaly | CISA AA23-347A | 2024-09-30
Windows KrbRelayUp Service Creation | Windows Event Log System 7045 | Windows Service | TTP | Local Privilege Escalation With KrbRelayUp | 2024-09-30
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery, Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-30
Windows Masquerading Explorer As Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading, Hijack Execution Flow | TTP | Qakbot | 2024-09-30
Windows MOF Event Triggered Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation Event Subscription | TTP | Living Off The Land | 2024-09-30
Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation, Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Parent PID Spoofing with Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Parent PID Spoofing, Access Token Manipulation | TTP | Windows Defense Evasion Tactics | 2024-09-30
Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | Scheduled Task, PowerShell, Command and Scripting Interpreter | Anomaly | Scheduled Tasks | 2024-09-30
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts, Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-09-30
Windows Privilege Escalation Suspicious Process Elevation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Privilege Escalation System Process Without System Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Privilege Escalation User Process Spawn System Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Process Injection In Non-Service SearchIndexer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2024-09-30
Windows Process Injection into Notepad | Sysmon EventID 10 | Process Injection, Portable Executable Injection | Anomaly | BishopFox Sliver Adversary Emulation Framework | 2024-09-30
Windows Process Injection Of Wermgr to Known Browser | Sysmon EventID 8 | Dynamic-link Library Injection, Process Injection | TTP | Qakbot | 2024-09-30
Windows Process Injection Remote Thread | Sysmon EventID 8 | Process Injection, Portable Executable Injection | TTP | Graceful Wipe Out Attack, Qakbot, Warzone RAT | 2024-09-30
Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2024-09-30
Windows Process Injection With Public Source Path | Sysmon EventID 8 | Process Injection, Portable Executable Injection | Hunting | Brute Ratel C4 | 2024-10-17
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Windows Defense Evasion Tactics | 2024-09-30
Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | TTP | Windows Defense Evasion Tactics | 2024-09-30
Windows Registry BootExecute Modification | Sysmon EventID 12, Sysmon EventID 13 | Pre-OS Boot, Registry Run Keys / Startup Folder | TTP | Windows BootKits | 2024-09-30
Windows Registry Delete Task SD | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task, Impair Defenses | Anomaly | Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse | 2024-09-30
Windows Registry Modification for Safe Mode Persistence | Sysmon EventID 12, Sysmon EventID 13 | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP | Ransomware, Windows Drivers, Windows Registry Abuse | 2024-09-30
Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Unusual Processes | 2024-09-30
Windows Remote Create Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Windows Service | Anomaly | Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A | 2024-09-30
Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern | 2024-09-30
Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Scheduled Task Service Spawned Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Command and Scripting Interpreter | TTP | Windows Persistence Techniques | 2024-09-30
Windows Scheduled Task with Highest Privileges | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job, Scheduled Task | TTP | AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks | 2024-09-30
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr |  | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Schtasks Create Run As System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task, Scheduled Task/Job | TTP | Qakbot, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30
Windows Security Support Provider Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Support Provider, Boot or Logon Autostart Execution | Anomaly | Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation | 2024-09-30
Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation | TTP | CISA AA22-320A, Windows Drivers | 2024-09-30
Windows Service Create RemComSvc | Windows Event Log System 7045 | Windows Service, Create or Modify System Process | Anomaly | Active Directory Discovery | 2024-09-30
Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | RDP Hijacking, Remote Service Session Hijacking, Windows Service | TTP | Active Directory Lateral Movement | 2024-09-30
Windows Service Created Within Public Path | Windows Event Log System 7045 | Create or Modify System Process, Windows Service | TTP | Active Directory Lateral Movement, Snake Malware | 2024-09-30
Windows Service Creation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Windows Service | TTP | Active Directory Lateral Movement, CISA AA23-347A | 2024-09-30
Windows Service Creation Using Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | Services Registry Permissions Weakness | TTP | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2024-09-30
Windows Service Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process, Windows Service | TTP | Active Directory Lateral Movement, CISA AA23-347A | 2024-09-30
Windows Snake Malware Kernel Driver Comadmin | Sysmon EventID 11 | Kernel Modules and Extensions | TTP | Snake Malware | 2024-09-30
Windows Snake Malware Service Create | Windows Event Log System 7045 | Kernel Modules and Extensions, Service Execution | TTP | Snake Malware | 2024-09-30
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | DLL Side-Loading | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2024-09-30
Windows System File on Disk | Sysmon EventID 11 | Exploitation for Privilege Escalation | Hunting | CISA AA22-264A, Windows Drivers | 2024-10-17
Windows UAC Bypass Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows UAC Bypass Suspicious Escalation Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Abuse Elevation Control Mechanism, Bypass User Account Control | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Unsigned DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading | Anomaly | NjRAT, Warzone RAT | 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | DLL Side-Loading, Hijack Execution Flow | TTP | DarkGate Malware, PlugX | 2024-09-30
Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading, Boot or Logon Autostart Execution | Anomaly | APT29 Diplomatic Deceptions with WINELOADER | 2024-09-30
Windows Vulnerable Driver Installed | Windows Event Log System 7045 | Windows Service | TTP | Windows Drivers | 2024-09-30
Windows Vulnerable Driver Loaded | Sysmon EventID 6 | Windows Service | Hunting | BlackByte Ransomware, Windows Drivers | 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | Scheduled Task, Scheduled Task/Job | TTP | CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern | 2024-09-30
WinEvent Scheduled Task Created Within Public Path | Windows Event Log Security 4698 | Scheduled Task, Scheduled Task/Job | TTP | Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-09-30
WinEvent Windows Task Scheduler Event Action Started | Windows Event Log TaskScheduler 200 | Scheduled Task | Hunting | Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern | 2024-10-24
Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Remcos | 2024-09-30
WMI Permanent Event Subscription - Sysmon | Sysmon EventID 21 | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30
Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP | Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate | 2024-09-30
WSReset UAC Bypass | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30
XMRIG Driver Loaded | Sysmon EventID 6 | Windows Service, Create or Modify System Process | TTP | CISA AA22-320A, XMRig | 2024-09-30
Microsoft SharePoint Server Elevation of Privilege | Suricata | Exploitation for Privilege Escalation | TTP | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | 2024-09-30
VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | External Remote Services, Exploit Public-Facing Application, Exploitation of Remote Services, Exploitation for Privilege Escalation | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2024-09-30
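The process-creation rows above (Windows UAC Bypass Suspicious Child Process, Windows Privilege Escalation User Process Spawn System Process, Wscript Or Cscript Suspicious Child Process, WSReset UAC Bypass) all reduce to parent/child and user-context comparisons on Sysmon EventID 1 or Security 4688 records. The following is an added Python example, not detection content from the page or its vendor, that evaluates that logic over constructed sample records. The binary lists are assumptions; the auto-elevate set is deliberately limited to the three binaries the table names (WSReset, Eventvwr, CompMgmtLauncher).

```python
"""Parent/child and user-context checks over Sysmon EventID 1 process-creation records.

Added example, not detection content from the page. Sample records are constructed;
the binary lists are assumptions.
"""
import ntpath
from typing import Dict, List

# Auto-elevating binaries named in the table; a production list is longer.
AUTO_ELEVATE = {"wsreset.exe", "eventvwr.exe", "compmgmtlauncher.exe"}
# Interpreters and proxy-execution binaries a bypass or dropper typically launches (assumed).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
                "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "nt authority\\local service",
                   "nt authority\\network service"}
# Parents that legitimately start SYSTEM processes (assumed allowlist).
SYSTEM_SPAWNERS = {"services.exe", "wininit.exe", "smss.exe", "csrss.exe",
                   "winlogon.exe", "svchost.exe", "msiexec.exe", "taskhostw.exe"}


def _base(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return ntpath.basename(path.lower())


def check_process_creation(ev: Dict[str, str]) -> List[str]:
    """Return the rule names one Sysmon EventID 1 record matches.

    Expected keys: Image, ParentImage, User, ParentUser, IntegrityLevel.
    ParentUser only exists on Sysmon builds that emit it; rule 2 is skipped when it is absent.
    """
    image, parent = _base(ev["Image"]), _base(ev["ParentImage"])
    user = ev.get("User", "").lower()
    parent_user = ev.get("ParentUser", "").lower()
    integrity = ev.get("IntegrityLevel", "").lower()
    hits: List[str] = []
    # Rule 1 (UAC bypass): an auto-elevating binary never needs a shell or LOLBin child;
    # at High integrity that child is the bypass payload.
    if parent in AUTO_ELEVATE and image in INTERPRETERS and integrity in ("high", "system"):
        hits.append("auto-elevate parent spawned interpreter at high integrity")
    # Rule 2 (user -> SYSTEM): a non-service parent running as a user account produced a
    # SYSTEM child, which is what a successful local privilege escalation looks like.
    if (user in SYSTEM_ACCOUNTS and parent_user and parent_user not in SYSTEM_ACCOUNTS
            and parent not in SYSTEM_SPAWNERS):
        hits.append("user-context parent spawned SYSTEM process")
    # Rule 3 (script host abuse): wscript/cscript launching another interpreter or LOLBin.
    if parent in SCRIPT_HOSTS and image in INTERPRETERS - SCRIPT_HOSTS:
        hits.append("script host spawned interpreter or LOLBin")
    return hits


# Constructed sample records; user names, paths and process names are hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\jdoe", "ParentUser": r"CORP\jdoe", "IntegrityLevel": "High"},
    {"ParentImage": r"C:\Users\jdoe\Downloads\poc.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"CORP\jdoe", "IntegrityLevel": "System"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM", "ParentUser": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\jdoe", "ParentUser": r"CORP\jdoe", "IntegrityLevel": "Medium"},
    {"ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": r"C:\Windows\System32\mmc.exe",
     "User": r"CORP\jdoe", "ParentUser": r"CORP\jdoe", "IntegrityLevel": "High"},
]


def run_samples() -> List[List[str]]:
    """Evaluate every sample record; returns one hit list per record."""
    return [check_process_creation(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{_base(ev['ParentImage'])} -> {_base(ev['Image'])}: {hits or 'clean'}")
```

The last sample (eventvwr.exe launching mmc.exe at High integrity) is the benign case the first rule has to tolerate: auto-elevating binaries do spawn elevated children, so the rule keys on which child, not on elevation alone. With Security 4688 instead of Sysmon, the equivalent of the User/ParentUser comparison is Creator Subject against Target Subject.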
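Several rows (Windows Unsigned DLL Side-Loading In Same Process Path, Windows Known Abused DLL Loaded Suspiciously, Windows Unsigned MS DLL Side-Loading, Windows Hijack Execution Flow Version Dll Side Load) work from the same Sysmon EventID 7 fields: the loading process, the loaded image, its directory and its signature state. The following is an added Python example, not detection content from the page or its vendor, that evaluates those checks over constructed image-load records. The abused-DLL list and the directory allowlists are assumptions; version.dll is the only name the table itself mentions.

```python
"""DLL side-loading checks over Sysmon EventID 7 (image loaded) records.

Added example, not detection content from the page. Sample records are constructed;
the abused-DLL list and directory allowlists are assumptions.
"""
import ntpath
from typing import Dict, List

# Illustrative hunting list of DLL names commonly hijacked via search-order abuse (assumed).
KNOWN_ABUSED_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll",
                     "cryptbase.dll", "msimg32.dll", "dwmapi.dll", "uxtheme.dll"}
# Where Windows itself resolves those DLLs from.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Trees where an unsigned vendor DLL next to its signed EXE is the norm, not a finding.
TRUSTED_APP_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _is_signed(ev: Dict[str, str]) -> bool:
    """Treat a module as signed only when Sysmon also reports SignatureStatus=Valid."""
    return (ev.get("Signed", "").lower() == "true"
            and ev.get("SignatureStatus", "").lower() == "valid")


def check_image_load(ev: Dict[str, str]) -> List[str]:
    """Return the rule names one ImageLoaded record matches.

    Expected keys: Image (loading process), ImageLoaded, Signed, SignatureStatus, Company.
    """
    loaded = ev["ImageLoaded"].lower()
    if not loaded.endswith(".dll"):
        return []
    loaded_dir = ntpath.dirname(loaded)
    host_dir = ntpath.dirname(ev["Image"].lower())
    name = ntpath.basename(loaded)
    hits: List[str] = []
    # Rule 1: unsigned DLL sitting beside the process that loaded it, outside OS/vendor trees.
    # This is the dropped pair: legitimate signed EXE plus attacker DLL in a temp directory.
    if (not _is_signed(ev) and loaded_dir == host_dir
            and not host_dir.startswith(TRUSTED_APP_ROOTS)):
        hits.append("unsigned DLL side-loaded from process directory")
    # Rule 2: a frequently hijacked DLL name resolved from somewhere other than the system directories.
    if name in KNOWN_ABUSED_DLLS and not loaded_dir.startswith(SYSTEM_DLL_DIRS):
        hits.append("known abused DLL loaded from non-system path")
    # Rule 3: PE version info claims Microsoft but there is no valid Authenticode signature.
    if "microsoft" in ev.get("Company", "").lower() and not _is_signed(ev):
        hits.append("unsigned DLL carrying Microsoft company metadata")
    return hits


# Constructed sample records; paths and product names are hypothetical.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\setup\Installer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\setup\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Company": ""},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Company": "Microsoft Corporation"},
    {"Image": r"C:\Program Files\Acme\agent.exe",
     "ImageLoaded": r"C:\Program Files\Acme\acmecore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Company": "Acme"},
    {"Image": r"C:\Users\Public\Music\calc.exe",
     "ImageLoaded": r"C:\Users\Public\Music\WindowsCodecs.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Company": "Microsoft Corporation"},
]


def run_samples() -> List[List[str]]:
    """Evaluate every sample record; returns one hit list per record."""
    return [check_image_load(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{ntpath.basename(ev['Image'])} loaded {ntpath.basename(ev['ImageLoaded'])}: {hits or 'clean'}")
```

The third sample (an unsigned vendor DLL under Program Files) is the false positive the same-directory rule must absorb; the fourth is the copied-system-binary pattern the Calc rows describe, where the host EXE is legitimate and signed but runs from a user-writable directory. Sysmon reports Signed and SignatureStatus separately; only SignatureStatus=Valid is accepted as signed here, so an expired or revoked chain is treated as unsigned.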
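The Windows Event Log System 7045 rows (Windows Driver Load Non-Standard Path, Windows Service Created Within Public Path, Windows Vulnerable Driver Installed, Windows KrbRelayUp Service Creation) all begin by parsing the rendered 7045 message and normalising its Service File Name field, which arrives in several shapes (\SystemRoot\..., \??\C:\..., quoted paths followed by arguments, unquoted paths containing spaces). The following is an added Python example, not detection content from the page or its vendor, showing that normalisation and the two path rules over constructed messages; service names are hypothetical and the public-directory list is an assumption.

```python
"""Triage of Windows System log EventID 7045 (service installed) messages.

Added example, not detection content from the page. Messages are constructed,
service names hypothetical, and the public-directory list an assumption.
"""
import re
from typing import Dict, List, Tuple

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.MULTILINE,
)
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Directories a standard user can write to; a service or driver binary there is suspect.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\",
               "\\appdata\\", "\\temp\\", "\\downloads\\", "c:\\perflogs\\")


def parse_7045(message: str) -> Dict[str, str]:
    """Extract the 'Field:  value' lines of a rendered 7045 message."""
    return {key: value.strip() for key, value in FIELD_RE.findall(message)}


def normalize_image_path(service_file_name: str) -> str:
    """Reduce 'Service File Name' to the lower-case absolute path of the binary.

    Handles NT-style prefixes (\\SystemRoot\\, \\??\\), quoted paths with arguments,
    unquoted paths containing spaces, and system32-relative paths.
    """
    s = service_file_name.strip()
    if s.startswith('"'):
        s = s[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.(?:exe|sys|dll))(?:\s|$)", s, re.IGNORECASE)
        s = m.group(1) if m else s.split(" ", 1)[0]
    s = s.lower().replace("%systemroot%", "c:\\windows")
    if s.startswith("\\??\\"):
        s = s[4:]
    if s.startswith("\\systemroot\\"):
        s = "c:\\windows\\" + s[len("\\systemroot\\"):]
    if s.startswith("system32\\"):
        s = "c:\\windows\\" + s
    return s


def triage_7045(message: str) -> List[Tuple[str, str]]:
    """Return (service name, rule) findings for one 7045 message."""
    ev = parse_7045(message)
    name = ev.get("Service Name", "?")
    path = normalize_image_path(ev.get("Service File Name", ""))
    findings: List[Tuple[str, str]] = []
    # Kernel drivers are normally installed under System32\drivers; anything else
    # (user profile, ProgramData, a \??\ path into temp) is the non-standard-path case.
    if "kernel mode driver" in ev.get("Service Type", "").lower() and not path.startswith(DRIVER_DIR):
        findings.append((name, "kernel driver loaded from non-standard path"))
    # Any service binary in a user-writable location is a lateral-movement or persistence tell.
    if any(marker in path for marker in PUBLIC_DIRS):
        findings.append((name, "service binary in public/user-writable path"))
    return findings


# Constructed 7045 messages in the layout the System log renders them.
SAMPLE_MESSAGES = [
    r"""A service was installed in the system.

Service Name:  acmeflt
Service File Name:  \SystemRoot\System32\drivers\acmeflt.sys
Service Type:  kernel mode driver
Service Start Type:  auto start
Service Account:
""",
    r"""A service was installed in the system.

Service Name:  ntfsx
Service File Name:  \??\C:\Users\Public\ntfsx.sys
Service Type:  kernel mode driver
Service Start Type:  demand start
Service Account:
""",
    r"""A service was installed in the system.

Service Name:  UpdaterSvc
Service File Name:  "C:\ProgramData\Updater\svc.exe" -run
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
""",
    r"""A service was installed in the system.

Service Name:  AcmeAgent
Service File Name:  C:\Program Files\Acme\agent.exe --service
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
""",
]


def run_samples() -> List[List[Tuple[str, str]]]:
    """Triage every sample message; returns one findings list per message."""
    return [triage_7045(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, run_samples()):
        print(parse_7045(msg)["Service Name"], "->", findings or "clean")
```

The normalisation step is where these detections usually break in practice: a driver registered as \??\C:\Users\Public\x.sys is not under System32\drivers, but a naive prefix match on the raw field misses it because the path does not start with C:\. Matching on the hashed driver (Windows Vulnerable Driver Installed) needs Sysmon EventID 6 rather than 7045, since 7045 carries no hash.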
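The Security 4698 rows (Windows Hidden Schedule Task Settings, WinEvent Scheduled Task Created to Spawn Shell, WinEvent Scheduled Task Created Within Public Path) and the schtasks command-line rows that look for /RL HIGHEST and /RU SYSTEM (Windows Scheduled Task with Highest Privileges, Windows Schtasks Create Run As System) all key on settings that 4698 carries verbatim inside its TaskContent XML, whichever tool registered the task. The following is an added Python example, not detection content from the page or its vendor, that parses that XML and applies the five checks to two constructed events; the shell and public-directory lists are assumptions.

```python
"""Parsing the TaskContent XML carried by Security EventID 4698 (scheduled task created).

Added example, not detection content from the page. Both events are constructed;
the shell and public-directory lists are assumptions.
"""
import ntpath
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\",
               "\\appdata\\", "\\temp\\", "c:\\perflogs\\")
SYSTEM_SIDS = {"s-1-5-18", "s-1-5-19", "s-1-5-20"}
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _text(node: ET.Element, path: str) -> str:
    found = node.find(path, NS)
    return (found.text or "").strip() if found is not None else ""


def analyze_task(event: Dict[str, str]) -> List[str]:
    """Return the rule names one 4698 event matches (keys: SubjectUserName, TaskName, TaskContent)."""
    # As logged, TaskContent starts with an encoding="UTF-16" declaration even though the
    # event delivers it as text; strip the declaration before handing it to the parser.
    root = ET.fromstring(XML_DECL.sub("", event["TaskContent"], count=1))
    hits: List[str] = []
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        hits.append("task marked hidden")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        hits.append("task requests highest privileges")
    user_id = _text(root, "t:Principals/t:Principal/t:UserId").lower()
    if user_id in SYSTEM_SIDS or user_id.endswith("system"):
        hits.append("task runs as SYSTEM")
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = _text(exec_node, "t:Command").strip('"')
        full = f"{command} {_text(exec_node, 't:Arguments')}".lower()
        if ntpath.basename(command.lower()) in SHELLS:
            hits.append("task action spawns a shell or interpreter")
        if any(marker in full for marker in PUBLIC_DIRS):
            hits.append("task action references a public/user-writable path")
    return hits


# Constructed: a user-registered task masquerading as a Windows maintenance task.
SUSPICIOUS_EVENT = {
    "SubjectUserName": "jdoe",
    "TaskName": r"\Microsoft\Windows\Maintenance\SyncHelper",
    "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -f C:\ProgramData\SyncHelper\s.ps1</Arguments>
  </Exec></Actions>
</Task>""",
}
# Constructed: a vendor backup job registered under the installing user.
BENIGN_EVENT = {
    "SubjectUserName": "jdoe",
    "TaskName": r"\Acme\NightlyBackup",
    "TaskContent": r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author">
    <UserId>CORP\jdoe</UserId><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\Acme\backup.exe"</Command><Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>""",
}


if __name__ == "__main__":
    for ev in (SUSPICIOUS_EVENT, BENIGN_EVENT):
        print(ev["TaskName"], "->", analyze_task(ev) or "clean")
```

Working from TaskContent rather than the schtasks.exe command line catches tasks registered through the COM API, PowerShell Register-ScheduledTask or an imported XML file, none of which leave a /RL HIGHEST string in 4688. The UserId check accepts both the SYSTEM SID and the rendered account name because the Task Scheduler stores whichever form the caller supplied.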