Analytic Stories

| Name | Technique | Tactic |
| --- | --- | --- |
| 3CX Supply Chain Attack | Compromise Software Supply Chain | Initial Access |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Identity and Access Management Account Takeover | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| AcidRain | Data Destruction, File Deletion, Indicator Removal | Impact |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Kerberos Attacks | Password Spraying, Brute Force | Credential Access |
| Active Directory Lateral Movement | Remote Services, Windows Remote Management | Lateral Movement |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| Active Directory Privilege Escalation | Account Discovery, SMB/Windows Admin Shares, Network Share Discovery | Discovery |
| AgentTesla | Spearphishing Attachment, Phishing | Initial Access |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| AsyncRAT | Spearphishing Attachment, Phishing | Initial Access |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application | Initial Access |
| AwfulShred | Unix Shell, Command and Scripting Interpreter | Execution |
| Azorult | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Azure Active Directory Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying | Resource Development |
| Azure Active Directory Persistence | Valid Accounts, Cloud Accounts | Defense Evasion |
| Azure Active Directory Privilege Escalation | Account Manipulation | Persistence |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BishopFox Sliver Adversary Emulation Framework | System Services, Service Execution | Execution |
| BlackLotus Campaign | Bootkit | Persistence |
| BlackMatter Ransomware | Data Encrypted for Impact | Impact |
| Brand Monitoring | None | None |
| Brute Ratel C4 | Service Stop | Impact |
| CISA AA22-257A | Protocol Tunneling, SSH | Command And Control |
| CISA AA22-264A | Exploitation for Privilege Escalation | Privilege Escalation |
| CISA AA22-277A | System Network Configuration Discovery, Internet Connection Discovery | Discovery |
| CISA AA22-320A | Windows Service, Create or Modify System Process | Persistence |
| CVE-2022-40684 Fortinet Appliance Auth bypass | Exploit Public-Facing Application | Initial Access |
| CVE-2023-21716 Word RTF Heap Corruption | Phishing, Spearphishing Attachment | Initial Access |
| CVE-2023-23397 Outlook Elevation of Privilege | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Chaos Ransomware | Malicious File, User Execution | Execution |
| Clop Ransomware | System Services, Service Execution | Execution |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading | Defense Evasion |
| Command And Control | Remote Access Software | Command And Control |
| Compromised User Account | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Credential Dumping | NTDS, OS Credential Dumping | Credential Access |
| CyclopsBLink | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| DHS Report TA18-074A | Modify Registry | Defense Evasion |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Domain Generation Algorithms | Command And Control |
| DarkCrystal RAT | Phishing, Spearphishing Attachment | Initial Access |
| DarkSide Ransomware | LSASS Memory, OS Credential Dumping | Credential Access |
| Data Destruction | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Data Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Data Protection | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping | Credential Access |
| Dev Sec Ops | Cloud Service Discovery | Discovery |
| Disabling Security Tools | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Double Zero Destructor | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Dynamic DNS | Exfiltration Over Alternative Protocol | Exfiltration |
| Emotet Malware DHS Report TA18-201A | Spearphishing Attachment, Phishing | Initial Access |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | XSL Script Processing | Defense Evasion |
| Fortinet FortiNAC CVE-2022-39952 | Exploit Public-Facing Application | Initial Access |
| GCP Account Takeover | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Resource Development |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| HAFNIUM Group | Automated Exfiltration | Exfiltration |
| Hermetic Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Hidden Cobra Malware | SMB/Windows Admin Shares, Remote Services | Lateral Movement |
| IIS Components | Server Software Component, IIS Components | Persistence |
| IcedID | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Industroyer2 | Domain Account, Account Discovery | Discovery |
| Information Sabotage | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Ingress Tool Transfer | Automated Exfiltration | Exfiltration |
| Insider Threat | Password Spraying, Brute Force | Credential Access |
| JBoss Vulnerability | System Information Discovery | Discovery |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Sensitive Object Access Activity | None | None |
| Linux Living Off The Land | Ingress Tool Transfer | Command And Control |
| Linux Persistence Techniques | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Exploitation for Privilege Escalation | Privilege Escalation |
| Linux Rootkit | System Information Discovery, Rootkit | Discovery |
| Living Off The Land | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Local Privilege Escalation With KrbRelayUp | Windows Service | Persistence |
| LockBit Ransomware | Modify Registry | Defense Evasion |
| Log4Shell CVE-2021-44228 | Automated Exfiltration | Exfiltration |
| Malicious PowerShell | Automated Exfiltration | Exfiltration |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| MetaSploit | Command and Scripting Interpreter | Execution |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Phishing, Spearphishing Attachment | Initial Access |
| Monitor for Updates | None | None |
| NOBELIUM Group | System Binary Proxy Execution, Mshta | Defense Evasion |
| Netsh Abuse | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| Network Discovery | System Network Configuration Discovery | Discovery |
| Office 365 Detections | Email Forwarding Rule, Email Collection | Collection |
| Okta MFA Exhaustion | Brute Force | Credential Access |
| OpenSSL CVE-2022-3602 | Encrypted Channel | Command And Control |
| Orangeworm Attack Group | Windows Service, Create or Modify System Process | Persistence |
| PaperCut MF NG Vulnerability | Command and Scripting Interpreter, Exploit Public-Facing Application | Execution |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Automated Exfiltration | Exfiltration |
| Prestige Ransomware | Windows Management Instrumentation | Execution |
| PrintNightmare CVE-2021-34527 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Prohibited Traffic Allowed or Protocol Mismatch | Application Layer Protocol, Web Protocols | Command And Control |
| ProxyNotShell | Command and Scripting Interpreter, PowerShell | Execution |
| ProxyShell | Command and Scripting Interpreter, PowerShell | Execution |
| Qakbot | Windows Management Instrumentation | Execution |
| Ransomware | Remote Access Software | Command And Control |
| Ransomware Cloud | Data Encrypted for Impact | Impact |
| RedLine Stealer | Service Stop | Impact |
| Remcos | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Reverse Network Proxy | Protocol Tunneling, Proxy, Web Service | Command And Control |
| Revil Ransomware | System Binary Proxy Execution, CMSTP | Defense Evasion |
| Router and Infrastructure Security | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | Initial Access |
| Ryuk Ransomware | Windows Command Shell | Execution |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Data Encrypted for Impact | Impact |
| Sandworm Tools | Steal or Forge Authentication Certificates | Credential Access |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Data Staged | Collection |
| Snake Malware | Kernel Modules and Extensions, Service Execution | Persistence |
| Sneaky Active Directory Persistence Tricks | Security Support Provider, Boot or Logon Autostart Execution | Persistence |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Splunk Vulnerabilities | Drive-by Compromise | Initial Access |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application | Initial Access |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Compromise Accounts, Cloud Accounts, Unused/Unsupported Cloud Regions | Resource Development |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts | Defense Evasion |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Valid Accounts | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File, System Binary Proxy Execution | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage | Collection |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | NTDS, OS Credential Dumping | Credential Access |
| Suspicious WMI Use | XSL Script Processing | Defense Evasion |
| Suspicious Windows Registry Activities | Services Registry Permissions Weakness | Persistence |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Swift Slicer | Data Destruction | Impact |
| Text4Shell CVE-2022-42889 | Web Shell, Server Software Component, Exploit Public-Facing Application | Persistence |
| Trickbot | Command and Scripting Interpreter | Execution |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Unusual Processes | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Use of Cleartext Protocols | None | None |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application | Initial Access |
| Volt Typhoon | Windows Management Instrumentation | Execution |
| WhisperGate | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Windows BootKits | Pre-OS Boot, Registry Run Keys / Startup Folder | Defense Evasion |
| Windows Certificate Services | Steal or Forge Authentication Certificates | Credential Access |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection | Defense Evasion |
| Windows Discovery Techniques | Permission Groups Discovery, Local Groups | Discovery |
| Windows Drivers | Windows Service | Persistence |
| Windows File Extension and Association Abuse | Change Default File Association | Privilege Escalation |
| Windows Log Manipulation | Indicator Removal, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Services Registry Permissions Weakness | Persistence |
| Windows Post-Exploitation | Windows Management Instrumentation | Execution |
| Windows Privilege Escalation | Malicious File | Execution |
| Windows Registry Abuse | Services Registry Permissions Weakness | Persistence |
| Windows Service Abuse | Windows Service, Create or Modify System Process | Persistence |
| Windows System Binary Proxy Execution MSIExec | Msiexec | Defense Evasion |
| Winter Vivern | Screen Capture | Collection |
| XMRig | Windows Service, Create or Modify System Process | Persistence |
| sAMAccountName Spoofing and Domain Controller Impersonation | Valid Accounts, Domain Accounts | Defense Evasion |
