| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Okta Authentication Failed During MFA Challenge | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New API Token Created | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta New Device Enrolled on Account | Okta | Account Manipulation, Device Registration | TTP | Okta Account Takeover | 2024-09-30 |
| Okta Phishing Detection with FastPass Origin Check | Okta | Valid Accounts, Default Accounts, Modify Authentication Process | TTP | Okta Account Takeover | 2024-10-17 |
| Okta Risk Threshold Exceeded | Okta | Valid Accounts, Brute Force | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-09-30 |
| Okta Successful Single Factor Authentication | Okta | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | Anomaly | Okta Account Takeover | 2024-09-30 |
| Okta Suspicious Activity Reported | Okta | Valid Accounts, Default Accounts | TTP | Okta Account Takeover | 2024-09-30 |
| Okta ThreatInsight Threat Detected | Okta | Valid Accounts, Cloud Accounts | Anomaly | Okta Account Takeover | 2024-09-30 |
| PingID Mismatch Auth Source and Verification Response | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID Multiple Failed MFA Requests For User | PingID | Multi-Factor Authentication Request Generation, Valid Accounts, Brute Force | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method After Credential Reset | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| PingID New MFA Method Registered For User | PingID | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP | Compromised User Account | 2024-09-30 |
| Splunk Edit User Privilege Escalation | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Enterprise KV Store Incorrect Authorization | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Low-Priv Search as nobody SplunkDeploymentServerConfig App | Splunk | Exploitation for Privilege Escalation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Process Injection Forwarder Bundle Downloads | Splunk | Process Injection | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk RBAC Bypass On Indexing Preview REST Endpoint | Splunk | Access Token Manipulation | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk risky Command Abuse disclosed february 2023 | Splunk | Abuse Elevation Control Mechanism, Indirect Command Execution | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk Unauthorized Notification Input by User | Splunk | Abuse Elevation Control Mechanism | Hunting | Splunk Vulnerabilities | 2024-10-17 |
| Splunk User Enumeration Attempt | Splunk | Valid Accounts | TTP | Splunk Vulnerabilities | 2024-10-16 |
| Windows AD add Self to Group | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Deny ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous Group ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Dangerous User ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD DCShadow Privileges ACL Addition | | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Deletion | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Domain Root ACL Modification | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Deleted | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO Disabled | | Disable or Modify Tools, Group Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD GPO New CSE Addition | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Hidden OU Creation | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Object Owner Updated | | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Privileged Group Modification | | Account Manipulation | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows AD Self DACL Assignment | | Domain or Tenant Policy Modification, Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows AD Suspicious GPO Modification | | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-17 |
| Windows Increase in Group or Object Modification Activity | Windows Event Log Security 4663 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Windows Increase in User Modification Activity | Windows Event Log Security 4720 | Account Manipulation, Impair Defenses | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-10-17 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-10-22 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| ASL AWS IAM Delete Policy | | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| ASL AWS IAM Failure Group Deletion | | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| ASL AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| aws detect attach to role policy | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect permanent key creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect role creation | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| aws detect sts assume role abuse | | Valid Accounts | Hunting | AWS Cross Account Activity | 2024-10-17 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | Account Manipulation | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | Account Manipulation | Anomaly | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS IAM Successful Group Deletion | AWS CloudTrail DeleteGroup | Cloud Groups, Account Manipulation, Permission Groups Discovery | Hunting | AWS IAM Privilege Escalation | 2024-10-22 |
| AWS SAML Access by Provider User and Principal | AWS CloudTrail AssumeRoleWithSAML | Valid Accounts | Anomaly | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | Valid Accounts | TTP | Cloud Federated Credential Abuse | 2024-09-30 |
| AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | Cloud Accounts, Valid Accounts | TTP | AWS IAM Privilege Escalation | 2024-09-30 |
| AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | AWS Identity and Access Management Account Takeover | 2024-09-30 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-10-31 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | Domain or Tenant Policy Modification, Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | Domain or Tenant Policy Modification, Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | Account Manipulation, Device Registration | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD PIM Role Assigned | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-09-30 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | Account Manipulation, Additional Cloud Credentials | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | Account Manipulation | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-09-30 |
| Azure AD Successful PowerShell Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2024-09-30 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-09-30 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Valid Accounts, Cloud Accounts | TTP | Azure Active Directory Persistence | 2024-09-30 |
| Cloud API Calls From Previously Unseen User Roles | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud User Activities | 2024-10-17 |
| Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Cloud Cryptomining | 2024-10-17 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | Cloud Accounts, Valid Accounts | Anomaly | Suspicious Cloud Instance Activities | 2024-10-17 |
| Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Country | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | Valid Accounts | Anomaly | Suspicious Cloud Provisioning Activities | 2024-09-30 |
| GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Detect gcploit framework | | Valid Accounts | TTP | GCP Cross Account Activity | 2024-10-17 |
| GCP Multiple Failed MFA Requests For User | Google Workspace login_failure | Compromise Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | Compromise Accounts, Cloud Accounts, Valid Accounts, Cloud Accounts | TTP | GCP Account Takeover | 2024-09-30 |
| Kubernetes Cron Job Creation | Kubernetes Audit | Container Orchestration Job | Anomaly | Kubernetes Security | 2024-09-30 |
| O365 Admin Consent Bypassed by Service Principal | O365 Add app role assignment to service principal. | Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Application Available To Other Tenants | | Additional Cloud Roles, Account Manipulation | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration | 2024-09-30 |
| O365 Application Registration Owner Added | O365 Add owner to application. | Account Manipulation | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 ApplicationImpersonation Role Assigned | O365 | Account Manipulation, Additional Email Delegate Permissions | TTP | NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Cross-Tenant Access Change | | Trust Modification | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Elevated Mailbox Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 FullAccessAsApp Permission Assigned | O365 Update application. | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 High Privilege Role Granted | O365 Add member to role. | Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Mailbox Folder Read Permission Assigned | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Folder Read Permission Granted | | Account Manipulation, Additional Email Delegate Permissions | TTP | Office 365 Collection Techniques | 2024-09-30 |
| O365 Mailbox Read Access Granted to Application | O365 Update application. | Remote Email Collection, Email Collection, Account Manipulation, Additional Cloud Roles | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | Valid Accounts | Anomaly | Office 365 Account Takeover | 2024-09-30 |
| O365 New MFA Method Registered | O365 Update user. | Account Manipulation, Device Registration | TTP | Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Privileged Role Assigned | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Persistence | 2024-09-30 |
| O365 Privileged Role Assigned To Service Principal | | Account Manipulation, Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2024-09-30 |
| O365 Security And Compliance Alert Triggered | | Valid Accounts, Cloud Accounts | TTP | Office 365 Account Takeover | 2024-09-30 |
| O365 Service Principal New Client Credentials | O365 | Account Manipulation, Additional Cloud Credentials | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| O365 Tenant Wide Admin Consent Granted | O365 Consent to application. | Account Manipulation, Additional Cloud Roles | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-09-30 |
| Abnormally High AWS Instances Launched by User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Launched by User - MLTK | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| Abnormally High AWS Instances Terminated by User - MLTK | | Cloud Accounts | Anomaly | Suspicious AWS EC2 Activities | 2024-10-17 |
| ASL AWS CreateAccessKey | | Valid Accounts | Hunting | AWS IAM Privilege Escalation | 2024-10-17 |
| Detect AWS API Activities From Unapproved Accounts | | Cloud Accounts | Hunting | AWS User Monitoring | 2024-10-17 |
| Detect new API calls from user roles | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect new user AWS Console Login | | Cloud Accounts | Hunting | Suspicious AWS Login Activities | 2024-10-17 |
| Detect Spike in AWS API Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| Detect Spike in Security Group Activity | | Cloud Accounts | Anomaly | AWS User Monitoring | 2024-10-17 |
| EC2 Instance Modified With Previously Unseen User | | Cloud Accounts | Anomaly | Unusual AWS EC2 Modifications | 2024-10-17 |
| EC2 Instance Started With Previously Unseen User | | Cloud Accounts | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-10-17 |
| GCP Detect accounts with high risk roles by project | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| GCP Detect high risk permissions by resource and account | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| gcp detect oauth token abuse | | Valid Accounts | Hunting | GCP Cross Account Activity | 2024-10-17 |
| Identify New User Accounts | | Domain Accounts | Hunting | N/A | 2024-10-17 |
| Multiple Okta Users With Invalid Credentials From The Same IP | | Password Spraying, Valid Accounts, Default Accounts | TTP | Suspicious Okta Activity | 2024-10-17 |
| O365 Suspicious Rights Delegation | | Remote Email Collection, Email Collection, Additional Email Delegate Permissions, Account Manipulation | TTP | Office 365 Collection Techniques | 2024-10-17 |
| Okta Account Lockout Events | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta Failed SSO Attempts | | Valid Accounts, Default Accounts | Anomaly | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Login Failure with High Unknown users | | Valid Accounts, Default Accounts, Credential Stuffing | TTP | Suspicious Okta Activity | 2024-10-17 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | Valid Accounts, Default Accounts, Password Spraying | TTP | Suspicious Okta Activity | 2024-10-17 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | Scheduled Task | TTP | Ransomware | 2024-10-17 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | Change Default File Association | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-10-17 |
| Web Fraud - Anomalous User Clickspeed | | Valid Accounts | Anomaly | Web Fraud Detection | 2024-10-17 |
| Windows DLL Search Order Hijacking Hunt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking, Hijack Execution Flow | Hunting | Living Off The Land, Windows Defense Evasion Tactics | 2024-10-17 |
| Active Directory Privilege Escalation Identified | | Domain or Tenant Policy Modification | Correlation | Active Directory Privilege Escalation | 2024-09-30 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | Active Setup, Boot or Logon Autostart Execution | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-09-30 |
| Allow Operation with Consent Admin | Sysmon EventID 12, Sysmon EventID 13 | Abuse Elevation Control Mechanism | TTP | Azorult, MoonPeak, Ransomware, Windows Registry Abuse | 2024-09-30 |
| Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | Change Default File Association, Event Triggered Execution | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-09-30 |
| Child Processes of Spoolsv exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | TTP | Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2024-10-17 |
| Clop Ransomware Known Service Name | Windows Event Log System 7045 | Create or Modify System Process | TTP | Clop Ransomware | 2024-09-30 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Cobalt Strike Named Pipes | Sysmon EventID 17, Sysmon EventID 18 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot | 2024-09-30 |
| Create Remote Thread In Shell Application | Sysmon EventID 8 | Process Injection | TTP | IcedID, Qakbot, Warzone RAT | 2024-09-30 |
| Detect Baron Samedit CVE-2021-3156 | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Baron Samedit CVE-2021-3156 Segfault | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | | Exploitation for Privilege Escalation | TTP | Baron Samedit CVE-2021-3156 | 2024-10-17 |
| Detect Excessive Account Lockouts From Endpoint | | Valid Accounts, Domain Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Excessive User Account Lockouts | | Valid Accounts, Local Accounts | Anomaly | Active Directory Password Spraying | 2024-09-30 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Path Interception by Unquoted Path, Hijack Execution Flow | TTP | Windows Persistence Techniques | 2024-09-30 |
| Detect WMI Event Subscription Persistence | Sysmon EventID 20 | Windows Management Instrumentation Event Subscription, Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30 |
| Disable UAC Remote Restriction | Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| Disabling Remote User Account Control | Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| DLLHost with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-10-17 |
| Eventvwr UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | IcedID, Living Off The Land, ValleyRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30 |
| First Time Seen Child Process of Zoom | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation | Anomaly | Suspicious Zoom Child Processes | 2024-10-17 |
| FodHelper UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Modify Registry, Bypass User Account Control, Abuse Elevation Control Mechanism | TTP | IcedID, ValleyRAT, Windows Defense Evasion Tactics | 2024-09-30 |
| GPUpdate with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | Process Injection | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-09-30 |
| Impacket Lateral Movement Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-09-30 |
| Linux Add Files In Known Crontab Directories | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | Cron, Scheduled Task/Job | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux apt-get Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux APT Privilege Escalation | Sysmon for Linux EventID 1 | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Linux Living Off The Land, Linux Privilege Escalation | 2024-09-30 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | Cron, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux At Application Execution | Sysmon for Linux EventID 1 | At, Scheduled Task/Job | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | At, Scheduled Task/Job | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | Cron, Scheduled Task/Job | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-30 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | Kernel Modules and Extensions, Boot or Logon Autostart Execution | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | SSH Authorized Keys, Account Manipulation | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | Cron, Scheduled Task/Job | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-10-17 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | Dynamic Linker Hijacking, Hijack Execution Flow | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | Systemd Timers, Scheduled Task/Job | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-30 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | Setuid and Setgid, Abuse Elevation Control Mechanism | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-30 |
|
Linux Auditd Setuid Using Setcap Utility
|
Linux Auditd Execve
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
TTP
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Auditd Sudo Or Su Execution
|
Linux Auditd Proctitle
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Auditd Unix Shell Configuration Modification
|
Linux Auditd Path
|
Unix Shell Configuration Modification
Event Triggered Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Auditd Unload Module Via Modprobe
|
Linux Auditd Execve
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
TTP
|
Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Common Process For Elevation Control
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Doas Conf File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux File Created In Kernel Driver Directory
|
Sysmon for Linux EventID 11
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
RC Scripts
Boot or Logon Initialization Scripts
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux File Creation In Profile Directory
|
Sysmon for Linux EventID 11
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
Kernel Modules and Extensions
Boot or Logon Autostart Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-09-30
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux NOPASSWD Entry In Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
Abuse Elevation Control Mechanism
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
Exploitation for Privilege Escalation
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Possible Access To Sudoers File
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
At
Scheduled Task/Job
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
Unix Shell Configuration Modification
Event Triggered Execution
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Possible Cronjob Modification With Editor
|
Sysmon for Linux EventID 1
|
Cron
Scheduled Task/Job
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-10-17
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
SSH Authorized Keys
Account Manipulation
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
Dynamic Linker Hijacking
Hijack Execution Flow
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux Service File Created In Systemd Directory
|
Sysmon for Linux EventID 11
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Service Restarted
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Service Started Or Enabled
|
Sysmon for Linux EventID 1
|
Systemd Timers
Scheduled Task/Job
|
Anomaly
|
Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-09-30
|
Linux Setuid Using Chmod Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
Setuid and Setgid
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-09-30
|
Linux SSH Authorized Keys Modification
|
Sysmon for Linux EventID 1
|
SSH Authorized Keys
|
Anomaly
|
Linux Living Off The Land
|
2024-09-30
|
Linux Sudo OR Su Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-10-17
|
Linux Sudoers Tmp File Creation
|
Sysmon for Linux EventID 11
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Linux Visudo Utility Execution
|
Sysmon for Linux EventID 1
|
Sudo and Sudo Caching
Abuse Elevation Control Mechanism
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-09-30
|
Loading Of Dynwrapx Module
|
Sysmon EventID 7
|
Process Injection
Dynamic-link Library Injection
|
TTP
|
AsyncRAT, Remcos
|
2024-09-30
|
Logon Script Event Trigger Execution
|
Sysmon EventID 13
|
Boot or Logon Initialization Scripts
Logon Script (Windows)
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-09-30
|
Monitor Registry Keys for Print Monitors
|
Sysmon EventID 12, Sysmon EventID 13
|
Port Monitors
Boot or Logon Autostart Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
DLL Side-Loading
Hijack Execution Flow
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-17
|
Msmpeng Application DLL Side Loading
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
DLL Side-Loading
Hijack Execution Flow
|
TTP
|
Ransomware, Revil Ransomware
|
2024-09-30
|
NET Profiler UAC bypass
|
Sysmon EventID 12, Sysmon EventID 13
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-09-30
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
Event Triggered Execution
Accessibility Features
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2024-09-30
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Remote Services
Distributed Component Object Model
Windows Remote Management
Windows Management Instrumentation
Scheduled Task
Windows Service
PowerShell
MMC
|
TTP
|
Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-10-17
|
Potential password in username
|
Linux Secure
|
Local Accounts
Credentials In Files
|
Hunting
|
Credential Dumping, Insider Threat
|
2024-10-17
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Command and Scripting Interpreter
PowerShell
|
TTP
|
Malicious PowerShell
|
2024-09-30
|
Powershell Execute COM Object
|
Powershell Script Block Logging 4104
|
Component Object Model Hijacking
Event Triggered Execution
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-09-30
|
Powershell Fileless Process Injection via GetProcAddress
|
Powershell Script Block Logging 4104
|
Command and Scripting Interpreter
Process Injection
PowerShell
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-09-30
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
Trickbot
|
2024-09-30
|
Print Processor Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-10-17
|
Print Spooler Adding A Printer Driver
|
Windows Event Log Printservice 316
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Print Spooler Failed to Load a Plug-in
|
Windows Event Log Printservice 808
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Randomly Generated Scheduled Task Name
|
Windows Event Log Security 4698
|
Scheduled Task/Job
Scheduled Task
|
Hunting
|
Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks
|
2024-10-17
|
Randomly Generated Windows Service Name
|
Windows Event Log System 7045
|
Create or Modify System Process
Windows Service
|
Hunting
|
Active Directory Lateral Movement, BlackSuit Ransomware
|
2024-10-17
|
Reg exe Manipulating Windows Services Registry Keys
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Services Registry Permissions Weakness
Hijack Execution Flow
|
TTP
|
Living Off The Land, Windows Persistence Techniques, Windows Service Abuse
|
2024-09-30
|
Registry Keys for Creating SHIM Databases
|
Sysmon EventID 12, Sysmon EventID 13
|
Application Shimming
Event Triggered Execution
|
TTP
|
Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
Registry Keys Used For Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
Registry Run Keys / Startup Folder
Boot or Logon Autostart Execution
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, Braodo Stealer, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2024-09-30
|
Registry Keys Used For Privilege Escalation
|
Sysmon EventID 12, Sysmon EventID 13
|
Image File Execution Options Injection
Event Triggered Execution
|
TTP
|
Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Access Token Manipulation
Token Impersonation/Theft
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-10-17
|
Rundll32 Create Remote Thread To A Process
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
Rundll32 CreateRemoteThread In Browser
|
Sysmon EventID 8
|
Process Injection
|
TTP
|
IcedID, Living Off The Land
|
2024-09-30
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Windows Service
Create or Modify System Process
|
TTP
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2024-09-30
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
Scheduled Task/Job
|
TTP
|
IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-09-30
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
At
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
Scheduled Task Deleted Or Created via CMD
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern
|
2024-09-30
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
Schtasks Run Task On Demand
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
|
TTP
|
CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig
|
2024-09-30
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2024-09-30
|
Schtasks used for forcing a reboot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
TTP
|
Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
Screensaver Event Trigger Execution
|
Sysmon EventID 12, Sysmon EventID 13
|
Event Triggered Execution
Screensaver
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
Sdclt UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Abuse Elevation Control Mechanism
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
Windows Service
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2024-09-30
|
Shim Database File Creation
|
Sysmon EventID 11
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
Shim Database Installation With Suspicious Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Application Shimming
Event Triggered Execution
|
TTP
|
Windows Persistence Techniques
|
2024-09-30
|
Short Lived Scheduled Task
|
Windows Event Log Security 4698, Windows Event Log Security 4699
|
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks
|
2024-09-30
|
SilentCleanup UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-09-30
|
SLUI RunAs Elevated
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
SLUI Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Bypass User Account Control
Abuse Elevation Control Mechanism
|
TTP
|
DarkSide Ransomware, Windows Defense Evasion Tactics
|
2024-09-30
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
Exploitation for Privilege Escalation
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Spoolsv Writing a DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Spoolsv Writing a DLL - Sysmon
|
Sysmon EventID 11
|
Print Processors
Boot or Logon Autostart Execution
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-09-30
|
Suspicious Computer Account Name Change
|
Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-30
|
Suspicious DLLHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
Suspicious Driver Loaded Path
|
Sysmon EventID 6
|
Windows Service
Create or Modify System Process
|
TTP
|
AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig
|
2024-09-30
|
Suspicious GPUpdate no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
Suspicious Kerberos Service Ticket Request
|
Windows Event Log Security 4769
|
Valid Accounts
Domain Accounts
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-09-30
|
Suspicious PlistBuddy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-10-17
|
Suspicious PlistBuddy Usage via OSquery
|
|
Launch Agent
Create or Modify System Process
|
TTP
|
Silver Sparrow
|
2024-10-17
|
Suspicious Process File Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Create or Modify System Process
|
TTP
|
AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, ValleyRAT, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-09-30
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task
Scheduled Task/Job
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-09-30
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Process Injection
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-09-30
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
Valid Accounts
Domain Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-10-17
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Scheduled Task/Job
Scheduled Task
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-09-30
|
Time Provider Persistence Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
Time Providers
Boot or Logon Autostart Execution
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-09-30
|
Trickbot Named Pipe
|
Sysmon EventID 17, Sysmon EventID 18
|
Process Injection
|
TTP
|
Trickbot
|
2024-09-30
|
UAC Bypass MMC Load Unsigned Dll
|
Sysmon EventID 7
|
Bypass User Account Control
Abuse Elevation Control Mechanism
MMC
|
TTP
|
Windows Defense Evasion Tactics
|
2024-09-30
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
Valid Accounts
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-10-17
|
Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | Valid Accounts | Hunting | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-10-17
Windows Access Token Manipulation SeDebugPrivilege | Windows Event Log Security 4703 | Create Process with Token; Access Token Manipulation | Anomaly | AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX, ValleyRAT | 2024-09-30
Windows Access Token Manipulation Winlogon Duplicate Token Handle | Sysmon EventID 10 | Token Impersonation/Theft; Access Token Manipulation | Hunting | Brute Ratel C4 | 2024-10-17
Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Sysmon EventID 10 | Token Impersonation/Theft; Access Token Manipulation | Anomaly | Brute Ratel C4 | 2024-09-30
Windows AD AdminSDHolder ACL Modified | Windows Event Log Security 5136 | Event Triggered Execution | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD Cross Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | SID-History Injection; Access Token Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD Domain Replication ACL Addition |  | Domain or Tenant Policy Modification | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD DSRM Account Changes | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse | 2024-09-30
Windows AD DSRM Password Reset | Windows Event Log Security 4794 | Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD Privileged Account SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | SID-History Injection; Access Token Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD Same Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | SID-History Injection; Access Token Manipulation | TTP | Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques | 2024-09-30
Windows AD ServicePrincipalName Added To Domain Account | Windows Event Log Security 5136 | Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-10-16
Windows AD Short Lived Domain Account ServicePrincipalName | Windows Event Log Security 5136 | Account Manipulation | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | Access Token Manipulation; SID-History Injection | TTP | Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | Domain or Tenant Policy Modification; Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Admon Group Policy Object Created | Windows Active Directory Admon | Domain or Tenant Policy Modification; Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Autostart Execution LSASS Driver Registry Modification | Sysmon EventID 12, Sysmon EventID 13 | LSASS Driver | TTP | Windows Registry Abuse | 2024-09-30
Windows Boot or Logon Autostart Execution In Startup Folder | Sysmon EventID 11 | Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution | Anomaly | Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer | 2024-09-30
Windows Bypass UAC via Pkgmgr Tool | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | Anomaly | Warzone RAT | 2024-09-30
Windows Change Default File Association For No File Ext | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Change Default File Association; Event Triggered Execution | TTP | Prestige Ransomware | 2024-09-30
Windows COM Hijacking InprocServer32 Modification | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Component Object Model Hijacking; Event Triggered Execution | TTP | Living Off The Land | 2024-09-30
Windows Command Shell Fetch Env Variables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2024-09-30
Windows Default Group Policy Object Modified | Windows Event Log Security 5136 | Domain or Tenant Policy Modification; Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Default Group Policy Object Modified with GPME | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Domain or Tenant Policy Modification; Group Policy Modification | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows DISM Install PowerShell Web Access | Sysmon EventID 1, Windows Event Log Security 4688 | Bypass User Account Control | TTP | CISA AA24-241A | 2024-09-30
Windows DLL Search Order Hijacking Hunt with Sysmon | Sysmon EventID 7 | DLL Search Order Hijacking; Hijack Execution Flow | Hunting | Living Off The Land, Qakbot, Windows Defense Evasion Tactics | 2024-10-17
Windows DLL Search Order Hijacking with iscsicpl | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Search Order Hijacking | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows DLL Side-Loading In Calc | Sysmon EventID 7 | DLL Side-Loading; Hijack Execution Flow | TTP | Qakbot | 2024-09-30
Windows DLL Side-Loading Process Child Of Calc | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading; Hijack Execution Flow | Anomaly | Qakbot | 2024-09-30
Windows DnsAdmins New Member Added | Windows Event Log Security 4732 | Account Manipulation | TTP | Active Directory Privilege Escalation | 2024-09-30
Windows Driver Inventory |  | Exploitation for Privilege Escalation | Hunting | Windows Drivers | 2024-10-17
Windows Driver Load Non-Standard Path | Windows Event Log System 7045 | Rootkit; Exploitation for Privilege Escalation | TTP | AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers | 2024-10-17
Windows Drivers Loaded by Signature | Sysmon EventID 6 | Rootkit; Exploitation for Privilege Escalation | Hunting | AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers | 2024-10-17
Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2024-09-30
Windows Event Triggered Image File Execution Options Injection | Windows Event Log Application 3000 | Image File Execution Options Injection | Hunting | Windows Persistence Techniques | 2024-10-17
Windows Group Policy Object Created | Windows Event Log Security 5136, Windows Event Log Security 5137 | Domain or Tenant Policy Modification; Group Policy Modification; Domain Accounts | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-09-30
Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | Scheduled Task/Job | TTP | Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks | 2024-09-30
Windows Hijack Execution Flow Version Dll Side Load | Sysmon EventID 7 | DLL Search Order Hijacking; Hijack Execution Flow | Anomaly | Brute Ratel C4 | 2024-09-30
Windows Known Abused DLL Created | Sysmon EventID 1, Sysmon EventID 11 | DLL Search Order Hijacking; DLL Side-Loading; Hijack Execution Flow | Anomaly | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | DLL Search Order Hijacking; DLL Side-Loading; Hijack Execution Flow | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Known GraphicalProton Loaded Modules | Sysmon EventID 7 | DLL Side-Loading; Hijack Execution Flow | Anomaly | CISA AA23-347A | 2024-09-30
Windows KrbRelayUp Service Creation | Windows Event Log System 7045 | Windows Service | TTP | Local Privilege Escalation With KrbRelayUp | 2024-09-30
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | Network Share Discovery; Valid Accounts | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-09-30
Windows Masquerading Explorer As Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DLL Side-Loading; Hijack Execution Flow | TTP | Qakbot | 2024-09-30
Windows MOF Event Triggered Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Management Instrumentation Event Subscription | TTP | Living Off The Land | 2024-09-30
Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | Account Manipulation; Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Multiple Accounts Deleted | Windows Event Log Security 4726 | Account Manipulation; Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | Account Manipulation; Valid Accounts | TTP | Azure Active Directory Persistence | 2024-09-30
Windows Parent PID Spoofing with Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Parent PID Spoofing; Access Token Manipulation | TTP | Windows Defense Evasion Tactics | 2024-09-30
Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | Scheduled Task; PowerShell; Command and Scripting Interpreter | Anomaly | Scheduled Tasks | 2024-09-30
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | Domain Accounts; Permission Groups Discovery | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-09-30
Windows Privilege Escalation Suspicious Process Elevation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation; Abuse Elevation Control Mechanism; Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Privilege Escalation System Process Without System Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation; Abuse Elevation Control Mechanism; Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Privilege Escalation User Process Spawn System Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Exploitation for Privilege Escalation; Abuse Elevation Control Mechanism; Access Token Manipulation | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-09-30
Windows Process Injection In Non-Service SearchIndexer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Qakbot | 2024-09-30
Windows Process Injection into Notepad | Sysmon EventID 10 | Process Injection; Portable Executable Injection | Anomaly | BishopFox Sliver Adversary Emulation Framework | 2024-09-30
Windows Process Injection Of Wermgr to Known Browser | Sysmon EventID 8 | Dynamic-link Library Injection; Process Injection | TTP | Qakbot | 2024-09-30
Windows Process Injection Remote Thread | Sysmon EventID 8 | Process Injection; Portable Executable Injection | TTP | Graceful Wipe Out Attack, Qakbot, Warzone RAT | 2024-09-30
Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2024-09-30
Windows Process Injection With Public Source Path | Sysmon EventID 8 | Process Injection; Portable Executable Injection | Hunting | Brute Ratel C4 | 2024-10-17
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | Anomaly | Windows Defense Evasion Tactics | 2024-09-30
Windows Rasautou DLL Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Dynamic-link Library Injection; System Binary Proxy Execution; Process Injection | TTP | Windows Defense Evasion Tactics | 2024-09-30
Windows Registry BootExecute Modification | Sysmon EventID 12, Sysmon EventID 13 | Pre-OS Boot; Registry Run Keys / Startup Folder | TTP | Windows BootKits | 2024-09-30
Windows Registry Delete Task SD | Sysmon EventID 12, Sysmon EventID 13 | Scheduled Task; Impair Defenses | Anomaly | Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse | 2024-09-30
Windows Registry Modification for Safe Mode Persistence | Sysmon EventID 12, Sysmon EventID 13 | Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution | TTP | Ransomware, Windows Drivers, Windows Registry Abuse | 2024-09-30
Windows Remote Assistance Spawning Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Unusual Processes | 2024-09-30
Windows Remote Create Service | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process; Windows Service | Anomaly | Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A | 2024-09-30
Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task; Scheduled Task/Job | TTP | CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern | 2024-09-30
Windows Scheduled Task DLL Module Loaded | Sysmon EventID 7 | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Scheduled Task Service Spawned Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task; Command and Scripting Interpreter | TTP | Windows Persistence Techniques | 2024-09-30
Windows Scheduled Task with Highest Privileges | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task/Job; Scheduled Task | TTP | AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks | 2024-09-30
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr |  | Scheduled Task/Job | TTP | ValleyRAT | 2024-09-30
Windows Schtasks Create Run As System | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Scheduled Task; Scheduled Task/Job | TTP | Qakbot, Scheduled Tasks, Windows Persistence Techniques | 2024-09-30
Windows Security Support Provider Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Security Support Provider; Boot or Logon Autostart Execution | Anomaly | Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation | 2024-09-30
Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Windows Service; Create or Modify System Process; Exploitation for Privilege Escalation | TTP | CISA AA22-320A, Windows Drivers | 2024-09-30
Windows Service Create RemComSvc | Windows Event Log System 7045 | Windows Service; Create or Modify System Process | Anomaly | Active Directory Discovery | 2024-09-30
Windows Service Create with Tscon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | RDP Hijacking; Remote Service Session Hijacking; Windows Service | TTP | Active Directory Lateral Movement | 2024-09-30
Windows Service Created Within Public Path | Windows Event Log System 7045 | Create or Modify System Process; Windows Service | TTP | Active Directory Lateral Movement, Snake Malware | 2024-09-30
Windows Service Creation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process; Windows Service | TTP | Active Directory Lateral Movement, CISA AA23-347A | 2024-09-30
Windows Service Creation Using Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | Services Registry Permissions Weakness | TTP | Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2024-09-30
Windows Service Initiation on Remote Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Create or Modify System Process; Windows Service | TTP | Active Directory Lateral Movement, CISA AA23-347A | 2024-09-30
Windows Snake Malware Kernel Driver Comadmin | Sysmon EventID 11 | Kernel Modules and Extensions | TTP | Snake Malware | 2024-09-30
Windows Snake Malware Service Create | Windows Event Log System 7045 | Kernel Modules and Extensions; Service Execution | TTP | Snake Malware | 2024-09-30
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | DLL Side-Loading | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2024-09-30
Windows System File on Disk | Sysmon EventID 11 | Exploitation for Privilege Escalation | Hunting | CISA AA22-264A, Windows Drivers | 2024-10-17
Windows UAC Bypass Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Abuse Elevation Control Mechanism; Bypass User Account Control | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows UAC Bypass Suspicious Escalation Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Abuse Elevation Control Mechanism; Bypass User Account Control | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-09-30
Windows Unsigned DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading | Anomaly | NjRAT, Warzone RAT | 2024-09-30
Windows Unsigned DLL Side-Loading In Same Process Path | Sysmon EventID 7 | DLL Side-Loading; Hijack Execution Flow | TTP | DarkGate Malware, PlugX | 2024-09-30
Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | DLL Side-Loading; Boot or Logon Autostart Execution | Anomaly | APT29 Diplomatic Deceptions with WINELOADER | 2024-09-30
Windows Vulnerable Driver Installed | Windows Event Log System 7045 | Windows Service | TTP | Windows Drivers | 2024-09-30
Windows Vulnerable Driver Loaded | Sysmon EventID 6 | Windows Service | Hunting | BlackByte Ransomware, Windows Drivers | 2024-10-17
WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | Scheduled Task; Scheduled Task/Job | TTP | CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern | 2024-09-30
WinEvent Scheduled Task Created Within Public Path | Windows Event Log Security 4698 | Scheduled Task; Scheduled Task/Job | TTP | Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern | 2024-09-30
WinEvent Windows Task Scheduler Event Action Started | Windows Event Log TaskScheduler 200 | Scheduled Task | Hunting | Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, ValleyRAT, Windows Persistence Techniques, Winter Vivern | 2024-10-24
Winhlp32 Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection | TTP | Remcos | 2024-09-30
WMI Permanent Event Subscription - Sysmon | Sysmon EventID 21 | Windows Management Instrumentation Event Subscription; Event Triggered Execution | TTP | Suspicious WMI Use | 2024-09-30
Wscript Or Cscript Suspicious Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Process Injection; Create or Modify System Process; Parent PID Spoofing; Access Token Manipulation | TTP | Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate | 2024-09-30
WSReset UAC Bypass | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | Bypass User Account Control; Abuse Elevation Control Mechanism | TTP | Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-09-30
XMRIG Driver Loaded | Sysmon EventID 6 | Windows Service; Create or Modify System Process | TTP | CISA AA22-320A, XMRig | 2024-09-30
Microsoft SharePoint Server Elevation of Privilege | Suricata | Exploitation for Privilege Escalation | TTP | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | 2024-09-30
VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | External Remote Services; Exploit Public-Facing Application; Exploitation of Remote Services; Exploitation for Privilege Escalation | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2024-09-30