Analytic Stories

| Name | Technique | Tactic |
| --- | --- | --- |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall, Impair Defenses | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Service Discovery | Discovery |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| BITS Jobs | BITS Jobs | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BlackMatter Ransomware | Data Encrypted for Impact | Impact |
| Brand Monitoring | None | None |
| Clop Ransomware | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading | Defense Evasion |
| Command and Control | Application Layer Protocol, Web Protocols | Command And Control |
| Container Implantation Monitoring and Investigation | Implant Internal Image | Persistence |
| Credential Dumping | Command and Scripting Interpreter, PowerShell | Execution |
| DHS Report TA18-074A | Modify Registry | Defense Evasion |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Drive-by Compromise | Initial Access |
| DarkSide Ransomware | Bypass User Account Control, Abuse Elevation Control Mechanism | Privilege Escalation |
| Data Exfiltration | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Data Protection | Drive-by Compromise | Initial Access |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | Exploit Public-Facing Application | Initial Access |
| Dev Sec Ops | Cloud Service Discovery | Discovery |
| Disabling Security Tools | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Dynamic DNS | Exfiltration Over Alternative Protocol | Exfiltration |
| Emotet Malware DHS Report TA18-201A | Spearphishing Attachment, Phishing | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | XSL Script Processing | Defense Evasion |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| HAFNIUM Group | Server Software Component, Web Shell | Persistence |
| Hidden Cobra Malware | SMB/Windows Admin Shares, Remote Services | Lateral Movement |
| IcedID | Scheduled Task | Execution |
| Ingress Tool Transfer | Ingress Tool Transfer | Command And Control |
| JBoss Vulnerability | System Information Discovery | Discovery |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Sensitive Object Access Activity | None | None |
| Lateral Movement | Kerberoasting | Credential Access |
| Malicious PowerShell | Gather Victim Host Information | Reconnaissance |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities | Defense Evasion |
| Meterpreter | System Owner/User Discovery | Discovery |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | Signed Binary Proxy Execution, Rundll32 | Defense Evasion |
| Monitor for Updates | None | None |
| NOBELIUM Group | Remote System Discovery | Discovery |
| Netsh Abuse | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| Office 365 Detections | Email Forwarding Rule, Email Collection | Collection |
| Orangeworm Attack Group | Windows Service, Create or Modify System Process | Persistence |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Persistence |
| PrintNightmare CVE-2021-34527 | Signed Binary Proxy Execution, Rundll32 | Defense Evasion |
| Prohibited Traffic Allowed or Protocol Mismatch | Application Layer Protocol, Web Protocols | Command And Control |
| ProxyShell | Server Software Component, Web Shell | Persistence |
| Ransomware | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Ransomware Cloud | Data Encrypted for Impact | Impact |
| Remcos | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Revil Ransomware | Signed Binary Proxy Execution, CMSTP | Defense Evasion |
| Router and Infrastructure Security | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | Initial Access |
| Ryuk Ransomware | Service Stop | Impact |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Data Encrypted for Impact | Impact |
| Silver Sparrow | Data Staged | Collection |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Suspicious AWS Login Activities | Unused/Unsupported Cloud Regions | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage Object | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Unused/Unsupported Cloud Regions | Defense Evasion |
| Suspicious Cloud Instance Activities | Transfer Data to Cloud Account | Exfiltration |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Valid Accounts | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Signed Binary Proxy Execution, Compiled HTML File | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage Object | Collection |
| Suspicious MSHTA Activity | Signed Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | Signed Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | Signed Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | Signed Binary Proxy Execution, Rundll32 | Defense Evasion |
| Suspicious WMI Use | Windows Management Instrumentation | Execution |
| Suspicious Windows Registry Activities | Application Shimming, Event Triggered Execution | Privilege Escalation |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Trickbot | Remote Services, SMB/Windows Admin Shares | Lateral Movement |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| Unusual Processes | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Use of Cleartext Protocols | None | None |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Windows Discovery Techniques | Create or Modify System Process, Process Injection, Hijack Execution Flow | Persistence |
| Windows File Extension and Association Abuse | Masquerading, Rename System Utilities | Defense Evasion |
| Windows Log Manipulation | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Scheduled Task | Execution |
| Windows Privilege Escalation | Time Providers, Boot or Logon Autostart Execution | Persistence |
| Windows Service Abuse | Windows Service, Create or Modify System Process | Persistence |
| XMRig | Windows Service, Create or Modify System Process | Persistence |

AWS IAM Privilege Escalation

This analytic story contains detections that query your AWS CloudTrail logs for IAM API activity associated with privilege escalation, such as creating new identities or granting additional permissions (the story is mapped to the Cloud Account and Create Account techniques under the Persistence tactic).
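To show what "querying CloudTrail for privilege-escalation activity" looks like in practice, the following is an added example written for this page; it is not one of the story's own detections and it is Python rather than the SPL the story ships. It walks a set of constructed CloudTrail records in JSON-lines form, flags the IAM API calls that are widely documented as privilege-escalation primitives (the `PRIV_ESC_APIS` list is an assumption of this example, not the story's detection logic), and enriches each hit with the two signals an analyst wants first: whether the caller is modifying its own identity, and whether the call was denied (a failed attempt is still worth a look). Field names follow the CloudTrail record format; the records, principals, IPs and account ID are made up.

```python
"""Flag CloudTrail IAM calls commonly used for AWS privilege escalation.

Added example for this page; not Splunk detection content. The API list and the
sample records below are assumptions constructed for illustration.
"""
import json
from collections import Counter

# IAM API calls that can give a principal more access than it currently has.
# The value names the requestParameters field that identifies what is being changed.
PRIV_ESC_APIS = {
    "CreateUser": "userName",
    "CreateLoginProfile": "userName",
    "UpdateLoginProfile": "userName",
    "CreateAccessKey": "userName",
    "AttachUserPolicy": "userName",
    "PutUserPolicy": "userName",
    "AddUserToGroup": "userName",
    "AttachGroupPolicy": "groupName",
    "PutGroupPolicy": "groupName",
    "AttachRolePolicy": "roleName",
    "PutRolePolicy": "roleName",
    "UpdateAssumeRolePolicy": "roleName",
    "CreatePolicyVersion": "policyArn",
    "SetDefaultPolicyVersion": "policyArn",
}

# Constructed CloudTrail records (JSON lines), not real logs.
SAMPLE_CLOUDTRAIL = """
{"eventTime":"2021-10-01T10:00:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2021-10-01T10:01:30Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"svc-backup","arn":"arn:aws:iam::123456789012:user/svc-backup"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"svc-backup","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2021-10-01T10:02:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"bob","arn":"arn:aws:iam::123456789012:user/bob"},"sourceIPAddress":"198.51.100.7","requestParameters":null}
{"eventTime":"2021-10-01T10:03:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::123456789012:user/alice"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"admin-ops"},"errorCode":"AccessDenied","errorMessage":"User: arn:aws:iam::123456789012:user/alice is not authorized to perform: iam:CreateAccessKey"}
{"eventTime":"2021-10-01T10:04:00Z","eventSource":"iam.amazonaws.com","eventName":"UpdateAssumeRolePolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/DeployRole/ci-runner"},"sourceIPAddress":"203.0.113.10","requestParameters":{"roleName":"DeployRole"}}
{"eventTime":"2021-10-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"GetUser","userIdentity":{"type":"IAMUser","userName":"svc-backup","arn":"arn:aws:iam::123456789012:user/svc-backup"},"sourceIPAddress":"203.0.113.10","requestParameters":{"userName":"svc-backup"}}
"""


def parse_cloudtrail(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_of(identity):
    """Best-effort caller name: the IAM user name, else the last ARN segment
    (for AssumedRole sessions that is 'assumed-role/<role>/<session>')."""
    if identity.get("userName"):
        return identity["userName"]
    return identity.get("arn", "").rsplit(":", 1)[-1] or "unknown"


def targets_self(identity, param, target):
    """True when the caller is changing its own user or its own role."""
    if not target:
        return False
    if identity.get("type") == "IAMUser":
        return param == "userName" and target == identity.get("userName")
    if identity.get("type") == "AssumedRole":
        return param == "roleName" and f"assumed-role/{target}/" in identity.get("arn", "")
    return False


def find_priv_esc(events):
    """Return one finding per IAM event whose API is in PRIV_ESC_APIS."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        param = PRIV_ESC_APIS.get(ev.get("eventName"))
        if param is None:
            continue
        identity = ev.get("userIdentity", {})
        params = ev.get("requestParameters") or {}  # null when the call has no parameters
        target = params.get(param)
        findings.append({
            "time": ev.get("eventTime"),
            "api": ev["eventName"],
            "principal": principal_of(identity),
            "source_ip": ev.get("sourceIPAddress"),
            "target": target,
            "policy_arn": params.get("policyArn"),
            "self_targeting": targets_self(identity, param, target),
            "denied": ev.get("errorCode") is not None,  # failed attempts still count
        })
    return findings


def by_principal(findings):
    """Hit count per caller, the first pivot for triage."""
    return Counter(f["principal"] for f in findings)


if __name__ == "__main__":
    hits = find_priv_esc(parse_cloudtrail(SAMPLE_CLOUDTRAIL))
    for f in hits:
        flags = [k for k in ("self_targeting", "denied") if f[k]]
        print(f"{f['time']} {f['principal']} {f['api']} -> {f['target']} {f['policy_arn'] or ''} {flags}")
    print(dict(by_principal(hits)))
```

Every API on the list is also routine administration, so a production version of this should baseline per principal and source IP rather than alert on every hit; the `self_targeting` and `denied` flags, and a new user attaching `AdministratorAccess` to itself a minute after being created, are the combinations that separate the constructed sequence above from ordinary IAM housekeeping.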
