| Detection | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Attacker Tools On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP | CISA AA22-264A, Compromised Windows Host, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig | 2024-11-28 |
| Kerberos User Enumeration | Windows Event Log Security 4768 | Gather Victim Identity Information, Email Addresses | Anomaly | Active Directory Kerberos Attacks | 2024-09-30 |
| Recon AVProduct Through Pwh or WMI | Powershell Script Block Logging 4104 | Gather Victim Host Information | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation | 2024-09-30 |
| Recon Using WMI Class | Powershell Script Block Logging 4104 | Gather Victim Host Information, PowerShell | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-09-30 |
| System Info Gathering Using Dxdiag Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Gather Victim Host Information | Hunting | Remcos | 2024-10-17 |
| Wermgr Process Connecting To IP Check Web Services | Sysmon EventID 22 | Gather Victim Network Information, IP Addresses | TTP | Trickbot | 2024-09-30 |
| Windows DNS Gather Network Info | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | DNS | Anomaly | Sandworm Tools, Volt Typhoon | 2024-09-30 |
| Windows Gather Victim Host Information Camera | Powershell Script Block Logging 4104 | Hardware, Gather Victim Host Information | Anomaly | DarkCrystal RAT | 2024-09-30 |
| Windows Gather Victim Identity SAM Info | Sysmon EventID 7 | Credentials, Gather Victim Identity Information | Hunting | Brute Ratel C4 | 2024-10-17 |
| Windows Gather Victim Network Info Through Ip Check Web Services | Sysmon EventID 22 | IP Addresses, Gather Victim Network Information | Hunting | Azorult, DarkCrystal RAT, Handala Wiper, Meduza Stealer, PXA Stealer, Phemedrone Stealer, Snake Keylogger | 2024-11-28 |
| Windows RDP File Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | Spearphishing Attachment, Remote Desktop Protocol | TTP | Spearphishing Attachments | 2024-11-21 |
| WMI Recon Running Process Or Services | Powershell Script Block Logging 4104 | Gather Victim Host Information | Anomaly | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-09-30 |
| Internal Vulnerability Scan | | Vulnerability Scanning, Network Service Discovery | TTP | Network Discovery | 2024-10-17 |