Analytic Stories

| Name | Technique | Tactic |
| --- | --- | --- |
| AWS Cross Account Activity | Valid Accounts, Use Alternate Authentication Material | Defense Evasion, Initial Access, Lateral Movement, Persistence, Privilege Escalation |
| AWS Cryptomining | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| AWS IAM Privilege Escalation | Cloud Accounts, Valid Accounts, Cloud Account, Create Account, Cloud Infrastructure Discovery, Brute Force, Account Manipulation, Cloud Groups, Permission Groups Discovery | Credential Access, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall, Impair Defenses | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS Suspicious Provisioning Activities | Unused/Unsupported Cloud Regions | Defense Evasion |
| AWS User Monitoring | Cloud Service Discovery, Cloud Accounts | Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation |
| AcidRain | Data Destruction, File Deletion, Indicator Removal on Host | Defense Evasion, Impact |
| Active Directory Discovery | Domain Account, Account Discovery, Remote System Discovery, Permission Groups Discovery, Domain Groups, Domain Trust Discovery, Password Policy Discovery, Local Groups, System Owner/User Discovery, Local Account, System Network Connections Discovery, System Network Configuration Discovery, Internet Connection Discovery, Kerberoasting, Scheduled Task/Job | Credential Access, Discovery, Execution, Persistence, Privilege Escalation |
| Active Directory Kerberos Attacks | Steal or Forge Kerberos Tickets, AS-REP Roasting, Kerberoasting, Golden Ticket, Use Alternate Authentication Material, Gather Victim Identity Information, Email Addresses, Pass the Ticket, Password Spraying, Brute Force, OS Credential Dumping, Valid Accounts, Domain Accounts, Remote System Discovery | Credential Access, Defense Evasion, Discovery, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance |
| Active Directory Lateral Movement | Use Alternate Authentication Material, Pass the Hash, Remote Services, SMB/Windows Admin Shares, System Services, Service Execution, Distributed Component Object Model, Windows Management Instrumentation, Windows Service, Windows Remote Management, Scheduled Task, PowerShell, Scheduled Task/Job, At, Create or Modify System Process, Services Registry Permissions Weakness, Remote Desktop Protocol, Valid Accounts | Defense Evasion, Execution, Initial Access, Lateral Movement, Persistence, Privilege Escalation |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application, Server Software Component | Initial Access, Persistence |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Command And Control, Defense Evasion, Persistence |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BlackMatter Ransomware | Credentials in Registry, Unsecured Credentials, Inhibit System Recovery, Defacement, Data Encrypted for Impact | Credential Access, Impact |
| Brand Monitoring | None | None |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Clop Ransomware | User Execution, Create or Modify System Process, Data Destruction, Inhibit System Recovery, Data Encrypted for Impact, Indicator Removal on Host, Clear Windows Event Logs, System Services, Service Execution | Defense Evasion, Execution, Impact, Persistence, Privilege Escalation |
| Cloud Cryptomining | Cloud Accounts, Valid Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Cloud Federated Credential Abuse | Valid Accounts, Cloud Account, Create Account, Modify Authentication Process, LSASS Memory, OS Credential Dumping, Image File Execution Options Injection, Event Triggered Execution | Credential Access, Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Cobalt Strike | Archive via Utility, Archive Collected Data, Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process, Process Injection, System Binary Proxy Execution, Regsvr32, Rundll32, Abuse Elevation Control Mechanism, Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Collection, Defense Evasion, Execution, Persistence, Privilege Escalation |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading, Archive via Utility, Archive Collected Data, Email Collection, Local Email Collection, Remote Email Collection | Collection, Defense Evasion |
| Command and Control | Exfiltration Over Unencrypted Non-C2 Protocol, DNS, Exfiltration Over Alternative Protocol, Non-Application Layer Protocol, Application Layer Protocol, Web Protocols, Drive-by Compromise | Command And Control, Exfiltration, Initial Access |
| Common Phishing Frameworks | Spearphishing via Service | Initial Access |
| Container Implantation Monitoring and Investigation | Implant Internal Image | Persistence |
| Credential Dumping | LSASS Memory, OS Credential Dumping, Security Account Manager, NTDS, Modify Registry, Local Accounts, Credentials In Files, Command and Scripting Interpreter, PowerShell | Credential Access, Defense Evasion, Execution, Initial Access, Persistence, Privilege Escalation |
| CyclopsBLink | Disable or Modify System Firewall, Impair Defenses, Masquerade Task or Service, Masquerading | Defense Evasion |
| DHS Report TA18-074A | PowerShell, Windows Command Shell, Local Account, Create Account, Remote Services, SMB/Windows Admin Shares, System Services, Service Execution, Command and Scripting Interpreter, Disable or Modify System Firewall, Impair Defenses, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Windows Service, Create or Modify System Process, Scheduled Task, Scheduled Task/Job, User Execution, Malicious File, Modify Registry, File Transfer Protocols, Application Layer Protocol | Command And Control, Defense Evasion, Execution, Lateral Movement, Persistence, Privilege Escalation |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Exfiltration Over Unencrypted Non-C2 Protocol, DNS, Drive-by Compromise | Command And Control, Exfiltration, Initial Access |
| DarkSide Ransomware | Security Account Manager, OS Credential Dumping, BITS Jobs, Ingress Tool Transfer, System Binary Proxy Execution, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, Remote Services, SMB/Windows Admin Shares, Automated Exfiltration, System Services, Service Execution, Data Encrypted for Impact, Bypass User Account Control, Abuse Elevation Control Mechanism | Command And Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Lateral Movement, Persistence, Privilege Escalation |
| Data Destruction | Windows Command Shell, Command and Scripting Interpreter, Remote Services, SMB/Windows Admin Shares, Masquerading, Data Destruction, File Deletion, Indicator Removal on Host, System Binary Proxy Execution, Regsvr32, Create or Modify System Process, Modify Registry, Disk Structure Wipe, Disk Wipe | Defense Evasion, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation |
| Data Exfiltration | Transfer Data to Cloud Account, Email Collection, Email Forwarding Rule, Exfiltration Over Alternative Protocol, Local Email Collection, Phishing, Exfiltration Over C2 Channel, Exfiltration Over Unencrypted Non-C2 Protocol | Collection, Exfiltration, Initial Access |
| Data Protection | Exfiltration Over Unencrypted Non-C2 Protocol, Drive-by Compromise | Exfiltration, Initial Access |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping, Exploitation of Remote Services, Exploit Public-Facing Application | Credential Access, Initial Access, Lateral Movement |
| Dev Sec Ops | Malicious Image, User Execution, Compromise Client Software Binary, Compromise Software Supply Chain, Supply Chain Compromise, Trusted Relationship, Compromise Software Dependencies and Development Tools, Exfiltration to Cloud Storage, Exfiltration Over Web Service, Spearphishing Attachment, Phishing, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol, Exploitation for Credential Access, Cloud Service Discovery | Credential Access, Discovery, Execution, Exfiltration, Initial Access, Persistence |
| Disabling Security Tools | Install Root Certificate, Subvert Trust Controls, Disable or Modify Tools, Impair Defenses, Disable or Modify System Firewall, Windows Service, Create or Modify System Process, Modify Registry | Defense Evasion, Persistence, Privilege Escalation |
| Domain Trust Discovery | Domain Trust Discovery, Remote System Discovery | Discovery |
| Double Zero Destructor | Masquerading, Create or Modify System Process, Modify Registry, Disable or Modify Tools, Impair Defenses | Defense Evasion, Persistence, Privilege Escalation |
| Dynamic DNS | Web Protocols, Exfiltration Over Alternative Protocol, Drive-by Compromise | Command And Control, Exfiltration, Initial Access |
| Emotet Malware DHS Report TA18-201A | Command and Scripting Interpreter, Windows Command Shell, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Spearphishing Attachment, Phishing, Software Deployment Tools, SMB/Windows Admin Shares, Remote Services | Execution, Initial Access, Lateral Movement, Persistence, Privilege Escalation |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | System Owner/User Discovery, Command and Scripting Interpreter, JavaScript, Credentials from Password Stores, Credentials from Web Browsers, Phishing, Spearphishing Attachment, Visual Basic, Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation, XSL Script Processing | Credential Access, Defense Evasion, Discovery, Execution, Initial Access, Persistence, Privilege Escalation |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| HAFNIUM Group | LSASS Memory, Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer, Server Software Component, Web Shell, Exploit Public-Facing Application, Local Account, Create Account, Remote Services, SMB/Windows Admin Shares, System Services, Service Execution, OS Credential Dumping, NTDS, Email Collection, Remote Email Collection | Collection, Command And Control, Credential Access, Execution, Initial Access, Lateral Movement, Persistence |
| Hermetic Wiper | PowerShell, Malicious File, Active Setup, Boot or Logon Autostart Execution, Command and Scripting Interpreter, Ingress Tool Transfer, Change Default File Association, Event Triggered Execution, Windows Command Shell, OS Credential Dumping, Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses, Remote Services, SMB/Windows Admin Shares, Masquerading, Steal or Forge Kerberos Tickets, Kerberoasting, Exploit Public-Facing Application, Boot or Logon Initialization Scripts, Logon Script (Windows), Obfuscated Files or Information, DLL Side-Loading, Hijack Execution Flow, Accessibility Features, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, Indicator Removal from Tools, Component Object Model Hijacking, Process Injection, Gather Victim Host Information, Image File Execution Options Injection, System Binary Proxy Execution, Regsvr32, Access Token Manipulation, Token Impersonation/Theft, Screensaver, Create or Modify System Process, Time Providers, Server Software Component, Web Shell, Data Destruction, Modify Registry, Disk Structure Wipe, Disk Wipe, Spearphishing Attachment, Phishing, Exploitation for Privilege Escalation, Print Processors | Command And Control, Credential Access, Defense Evasion, Execution, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance |
| Hidden Cobra Malware | PowerShell, Windows Command Shell, Indicator Removal on Host, Network Share Connection Removal, Remote Desktop Protocol, Remote Services, File Transfer Protocols, Application Layer Protocol, DNS, SMB/Windows Admin Shares, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Command And Control, Defense Evasion, Execution, Exfiltration, Lateral Movement |
| Host Redirection | Exfiltration Over Unencrypted Non-C2 Protocol, DNS | Command And Control, Exfiltration |
| IcedID | Domain Account, Account Discovery, Command and Scripting Interpreter, Windows Command Shell, Process Injection, Disable or Modify Tools, Impair Defenses, User Execution, Malicious File, Bypass User Account Control, Abuse Elevation Control Mechanism, Modify Registry, Archive via Utility, Archive Collected Data, System Binary Proxy Execution, Mshta, Domain Trust Discovery, Phishing, Spearphishing Attachment, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Regsvr32, Rundll32, Scheduled Task/Job, Data from Local System, Scheduled Task | Collection, Defense Evasion, Discovery, Execution, Initial Access, Persistence, Privilege Escalation |
| Industroyer2 | Domain Account, Account Discovery, Security Account Manager, OS Credential Dumping, LSASS Memory, Remote Services, SMB/Windows Admin Shares, Masquerading, Distributed Component Object Model, Windows Management Instrumentation, Windows Service, Cron, Scheduled Task/Job, Data Destruction, Service Stop, File Deletion, Indicator Removal on Host, System Network Configuration Discovery, Gather Victim Host Information, Create or Modify System Process, Scheduled Task, Disable or Modify System Firewall, Impair Defenses | Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance |
| Information Sabotage | Transfer Data to Cloud Account | Exfiltration |
| Ingress Tool Transfer | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer, BITS Jobs | Command And Control, Defense Evasion, Execution, Persistence |
| Insider Threat | Exfiltration to Cloud Storage, Exfiltration Over Web Service, Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol, Transfer Data to Cloud Account, Password Spraying, Brute Force, Local Accounts, Credentials In Files | Credential Access, Defense Evasion, Exfiltration, Initial Access, Persistence, Privilege Escalation |
| JBoss Vulnerability | System Information Discovery | Discovery |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Sensitive Object Access Activity | None | None |
| Kubernetes Sensitive Role Activity | None | None |
| Linux Persistence Techniques | Cron, Scheduled Task/Job, Local Account, Create Account, At, Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification, Setuid and Setgid, Abuse Elevation Control Mechanism, Sudo and Sudo Caching, Kernel Modules and Extensions, Boot or Logon Autostart Execution, RC Scripts, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, Event Triggered Execution, SSH Authorized Keys, Account Manipulation, /etc/passwd and /etc/shadow, OS Credential Dumping, Dynamic Linker Hijacking, Hijack Execution Flow, Systemd Timers, Data Destruction | Credential Access, Defense Evasion, Execution, Impact, Persistence, Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Cron, Scheduled Task/Job, Local Account, Create Account, At, Linux and Mac File and Directory Permissions Modification, File and Directory Permissions Modification, Setuid and Setgid, Abuse Elevation Control Mechanism, Sudo and Sudo Caching, Kernel Modules and Extensions, Boot or Logon Autostart Execution, RC Scripts, Boot or Logon Initialization Scripts, Unix Shell Configuration Modification, Event Triggered Execution, Exploitation for Privilege Escalation, SSH Authorized Keys, Account Manipulation, /etc/passwd and /etc/shadow, OS Credential Dumping, Dynamic Linker Hijacking, Hijack Execution Flow, Systemd Timers, Data Destruction | Credential Access, Defense Evasion, Execution, Impact, Persistence, Privilege Escalation |
| Living Off The Land | BITS Jobs, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Windows Command Shell, Command and Scripting Interpreter, System Binary Proxy Execution, Control Panel, NTDS, OS Credential Dumping, Compiled HTML File, Mshta, Regsvcs/Regasm, Regsvr32, Rundll32, Disable or Modify Tools, Impair Defenses, LSASS Memory, Security Account Manager, Bypass User Account Control, Abuse Elevation Control Mechanism, Unix Shell, Plist File Modification, Remote Services, Distributed Component Object Model, Services Registry Permissions Weakness, Hijack Execution Flow, Windows Management Instrumentation, Process Injection, Modify Registry, Scheduled Task/Job, At, Scheduled Task, Create or Modify System Process, Windows Service, Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild, Indirect Command Execution, InstallUtil | Command And Control, Credential Access, Defense Evasion, Execution, Lateral Movement, Persistence, Privilege Escalation |
| Local Privilege Escalation With KrbRelayUp | Steal or Forge Kerberos Tickets, Windows Service | Credential Access, Persistence, Privilege Escalation |
| Log4Shell CVE-2021-44228 | Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer, Windows Command Shell, Exploit Public-Facing Application | Command And Control, Execution, Initial Access |
| Malicious PowerShell | PowerShell, Command and Scripting Interpreter, Ingress Tool Transfer, OS Credential Dumping, Obfuscated Files or Information, Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, Indicator Removal from Tools, Component Object Model Hijacking, Event Triggered Execution, Process Injection, Gather Victim Host Information, Impair Defenses | Command And Control, Credential Access, Defense Evasion, Execution, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance |
| Masquerading - Rename System Utilities | Rename System Utilities, System Binary Proxy Execution, Masquerading, Rundll32, Data Destruction, File Deletion, Indicator Removal on Host, Trusted Developer Utilities Proxy Execution, MSBuild, InstallUtil | Defense Evasion, Impact |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Control Panel, Phishing, Spearphishing Attachment, Rundll32 | Defense Evasion, Initial Access |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Command and Scripting Interpreter, System Binary Proxy Execution, Phishing, Spearphishing Attachment | Defense Evasion, Execution, Initial Access |
| Monitor Backup Solution | None | None |
| Monitor for Unauthorized Software | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | Credential Access, Defense Evasion, Reconnaissance |
| Monitor for Updates | None | None |
| NOBELIUM Group | Archive via Utility, Archive Collected Data, Command and Scripting Interpreter, Windows Command Shell, System Binary Proxy Execution, Mshta, Obfuscated Files or Information, Windows Service, Create or Modify System Process, Scheduled Task, Scheduled Task/Job, Remote System Discovery, System Services, Service Execution, Exploitation for Client Execution, File Transfer Protocols, Application Layer Protocol, Web Protocols, Web Shell | Collection, Command And Control, Defense Evasion, Discovery, Execution, Persistence, Privilege Escalation |
| Netsh Abuse | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| Network Discovery | System Network Configuration Discovery | Discovery |
| Office 365 Detections | Cloud Account, Create Account, Disable or Modify Cloud Firewall, Impair Defenses, Modify Authentication Process, Brute Force, Email Collection, Email Forwarding Rule, Remote Email Collection, Password Guessing | Collection, Credential Access, Defense Evasion, Persistence |
| Orangeworm Attack Group | PowerShell, Windows Command Shell, Windows Service, Create or Modify System Process, System Services, Service Execution | Execution, Persistence, Privilege Escalation |
| PetitPotam NTLM Relay on Active Directory Certificate Services | Forced Authentication, OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | PowerShell, Windows Command Shell, Command and Scripting Interpreter, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Execution, Persistence, Privilege Escalation |
| PrintNightmare CVE-2021-34527 | Print Processors, Boot or Logon Autostart Execution, System Binary Proxy Execution, Rundll32, Exploitation for Privilege Escalation | Defense Evasion, Persistence, Privilege Escalation |
| Prohibited Traffic Allowed or Protocol Mismatch | Remote Desktop Protocol, Remote Services, Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted Non-C2 Protocol, Application Layer Protocol, Web Protocols, Drive-by Compromise | Command And Control, Exfiltration, Initial Access, Lateral Movement |
| ProxyShell | Server Software Component, Web Shell, Exploit Public-Facing Application, Command and Scripting Interpreter, PowerShell | Execution, Initial Access, Persistence |
| Ransomware | Scheduled Task, Archive via Utility, Archive Collected Data, Disable or Modify Cloud Firewall, Impair Defenses, Abuse Elevation Control Mechanism, Inhibit System Recovery, File Deletion, Indicator Removal on Host, System Binary Proxy Execution, CMSTP, Data Destruction, User Execution, Automated Exfiltration, Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery, Disable or Modify Tools, Clear Windows Event Logs, Service Stop, Account Access Removal, System Services, Service Execution, Command and Scripting Interpreter, Visual Basic, File and Directory Permissions Modification, Defacement, DLL Side-Loading, Hijack Execution Flow, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Event Triggered Execution, Gather Victim Host Information, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Windows Management Instrumentation, Modify Registry, Rundll32, Scheduled Task/Job, Masquerading, Rename System Utilities, Msiexec, Data Encrypted for Impact, InstallUtil, Tool, Server Software Component, Web Shell, Exploit Public-Facing Application, Exfiltration Over Alternative Protocol, SMB/Windows Admin Shares, Remote Services, Application Layer Protocol, Web Protocols | Collection, Command And Control, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development |
| Ransomware Cloud | Data Encrypted for Impact | Impact |
| Remcos | Disable or Modify Tools, Impair Defenses, Bypass User Account Control, Abuse Elevation Control Mechanism, Masquerading, Command and Scripting Interpreter, JavaScript, Process Injection, Dynamic-link Library Injection, Regsvr32, Modify Registry, Credentials from Password Stores, Credentials from Web Browsers, Indicator Removal on Host, Component Object Model, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, System Binary Proxy Execution, Screen Capture, Visual Basic, Create or Modify System Process, Gather Victim Host Information, Parent PID Spoofing, Access Token Manipulation | Collection, Credential Access, Defense Evasion, Execution, Persistence, Privilege Escalation, Reconnaissance |
| Revil Ransomware | Disable or Modify Cloud Firewall, Impair Defenses, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, Hijack Execution Flow, User Execution, Modify Registry, System Binary Proxy Execution, CMSTP | Defense Evasion, Execution, Impact, Persistence, Privilege Escalation |
| Router and Infrastructure Security | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle, ARP Cache Poisoning, TFTP Boot, Pre-OS Boot, Automated Exfiltration, Traffic Duplication | Collection, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Persistence |
| Ryuk Ransomware | Windows Command Shell, Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Data Encrypted for Impact, Command and Scripting Interpreter, Scheduled Task, Scheduled Task/Job, Disable or Modify Tools, Impair Defenses, Service Stop, Remote Desktop Protocol, Remote Services | Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning, User Execution, Malicious File, Data Destruction, Inhibit System Recovery, Remote Services, SMB/Windows Admin Shares, System Services, Service Execution, Data Encrypted for Impact, Remote Desktop Protocol, System Information Discovery | Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Reconnaissance |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Ingress Tool Transfer, Launch Agent, Create or Modify System Process, Data Staged | Collection, Command And Control, Persistence, Privilege Escalation |
| Spearphishing Attachments | Security Account Manager, OS Credential Dumping, Phishing, Spearphishing Attachment, Spearphishing Link, Malicious Link, User Execution | Credential Access, Execution, Initial Access |
| Spectre And Meltdown Vulnerabilities | None | None |
| Splunk Vulnerabilities | File and Directory Discovery, Command and Scripting Interpreter, Digital Certificates, Network Denial of Service, Process Injection, Protocol Impersonation, Digital Certificates, Valid Accounts, Drive-by Compromise, Network Sniffing | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Initial Access, Persistence, Privilege Escalation, Resource Development |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application, Web Shell, Server Software Component | Initial Access, Persistence |
| Suspicious AWS EC2 Activities | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Suspicious AWS Login Activities | Unused/Unsupported Cloud Regions, Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Suspicious AWS S3 Activities | Data from Cloud Storage Object | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Unused/Unsupported Cloud Regions | Defense Evasion |
| Suspicious Cloud Instance Activities | Cloud Accounts, Valid Accounts, Transfer Data to Cloud Account | Defense Evasion, Exfiltration, Initial Access, Persistence, Privilege Escalation |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Suspicious Cloud User Activities | Cloud Accounts, Valid Accounts, Cloud Infrastructure Discovery, User Execution | Defense Evasion, Discovery, Execution, Initial Access, Persistence, Privilege Escalation |
| Suspicious Command-Line Executions | PowerShell, Windows Command Shell, Command and Scripting Interpreter, Masquerading, Rename System Utilities | Defense Evasion, Execution |
| Suspicious Compiled HTML Activity | System Binary Proxy Execution, Compiled HTML File | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Unencrypted Non-C2 Protocol, DNS, Exfiltration Over Alternative Protocol, Application Layer Protocol, Drive-by Compromise | Command And Control, Exfiltration, Initial Access |
| Suspicious Emails | Phishing, Spearphishing Attachment | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage Object | Collection |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta, Command and Scripting Interpreter, Windows Command Shell, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Defense Evasion, Execution, Persistence, Privilege Escalation |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32, Modify Registry | Defense Evasion |
| Suspicious Rundll32 Activity | System Binary Proxy Execution, Masquerading, Rundll32, Rename System Utilities, LSASS Memory, OS Credential Dumping | Credential Access, Defense Evasion |
| Suspicious WMI Use | Windows Management Instrumentation Event Subscription, Event Triggered Execution, Windows Management Instrumentation, XSL Script Processing | Defense Evasion, Execution, Persistence, Privilege Escalation |
| Suspicious Windows Registry Activities | Hidden Files and Directories, Change Default File Association, Bypass User Account Control, Abuse Elevation Control Mechanism, Port Monitors, Boot or Logon Autostart Execution, Application Shimming, Event Triggered Execution, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Services Registry Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| Suspicious Zoom Child Processes | Command and Scripting Interpreter, Windows Command Shell, Exploitation for Privilege Escalation | Execution, Privilege Escalation |
| Trickbot | Domain Account, Account Discovery, Disable or Modify Tools, Impair Defenses, Process Injection, Remote Services, SMB/Windows Admin Shares, System Binary Proxy Execution, Mshta, Phishing, Spearphishing Attachment, Scheduled Task/Job, Rundll32, Gather Victim Network Information, IP Addresses, Obfuscated Files or Information, Command and Scripting Interpreter | Defense Evasion, Discovery, Execution, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance |
| Trusted Developer Utilities Proxy Execution | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | MSBuild, Trusted Developer Utilities Proxy Execution, Masquerading, Rename System Utilities | Defense Evasion |
| Unusual AWS EC2 Modifications | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| Unusual Processes | Malicious File, Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning, System Network Configuration Discovery, Modify Registry, System Binary Proxy Execution, Rundll32, Rename System Utilities, Verclsid, InstallUtil, Tool, Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation, Exploit Public-Facing Application | Credential Access, Defense Evasion, Discovery, Execution, Initial Access, Persistence, Privilege Escalation, Reconnaissance, Resource Development |
| Use of Cleartext Protocols | None | None |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application | Initial Access |
| Web Fraud Detection | Create Account, Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| WhisperGate | Disable or Modify Tools, Impair Defenses, Windows Command Shell, Command and Scripting Interpreter, Data Destruction, Masquerading, Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service, Obfuscated Files or Information, Virtualization/Sandbox Evasion, Time Based Evasion, Indicator Removal on Host, Visual Basic, Create or Modify System Process, Rename System Utilities, System Binary Proxy Execution, InstallUtil, Tool, Disk Structure Wipe, Disk Wipe, Process Injection, Parent PID Spoofing, Access Token Manipulation | Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Resource Development |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Hidden Files and Directories, Disable or Modify Tools, Impair Defenses, Compile After Delivery, Obfuscated Files or Information, Modify Registry, Hide Artifacts, Bypass User Account Control, Abuse Elevation Control Mechanism, Inhibit System Recovery, Disable or Modify System Firewall, File and Directory Permissions Modification, Windows File and Directory Permissions Modification, Command and Scripting Interpreter, Process Injection, Dynamic-link Library Injection, System Binary Proxy Execution | Defense Evasion, Execution, Impact, Privilege Escalation |
| Windows Discovery Techniques | Permission Groups Discovery, Local Groups | Discovery |
| Windows Drivers | Rootkit, Exploitation for Privilege Escalation, Install Root Certificate, Subvert Trust Controls, Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution, Windows Service, Create or Modify System Process | Defense Evasion, Persistence, Privilege Escalation |
| Windows File Extension and Association Abuse | Rename System Utilities, Change Default File Association, Masquerading | Defense Evasion, Persistence, Privilege Escalation |
| Windows Log Manipulation | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion, Impact |
| Windows Persistence Techniques | Hidden Files and Directories, Active Setup, Boot or Logon Autostart Execution, Change Default File Association, Event Triggered Execution, Path Interception by Unquoted Path, Hijack Execution Flow, Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses, File and Directory Permissions Modification, Windows File and Directory Permissions Modification, Boot or Logon Initialization Scripts, Logon Script (Windows), Port Monitors, Services Registry Permissions Weakness, Application Shimming, Registry Run Keys / Startup Folder, Windows Service, Create or Modify System Process, Scheduled Task/Job, Scheduled Task, Screensaver, Time Providers, Print Processors | Defense Evasion, Execution, Persistence, Privilege Escalation |
Windows Privilege Escalation Malicious File, Active Setup, Boot or Logon Autostart Execution, Change Default File Association, Event Triggered Execution, Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses, Steal or Forge Kerberos Tickets, Kerberoasting, Boot or Logon Initialization Scripts, Logon Script (Windows), DLL Side-Loading, Hijack Execution Flow, Accessibility Features, Image File Execution Options Injection, Access Token Manipulation, Token Impersonation/Theft, Screensaver, Time Providers, Exploitation for Privilege Escalation, Print Processors Credential Access, Defense Evasion, Execution, Persistence, Privilege Escalation
Windows Registry Abuse Remote Desktop Protocol, Remote Services, Abuse Elevation Control Mechanism, Security Account Manager, OS Credential Dumping, Credentials in Registry, Unsecured Credentials, Change Default File Association, Event Triggered Execution, Disable or Modify Tools, Impair Defenses, Modify Registry, Hidden Files and Directories, Hide Artifacts, Bypass User Account Control, Inhibit System Recovery, Indicator Blocking, Trusted Developer Utilities Proxy Execution, Defacement, Port Monitors, Boot or Logon Autostart Execution, Application Shimming, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Screensaver, Time Providers, Data Destruction, Install Root Certificate, Subvert Trust Controls, Scheduled Task, Services Registry Permissions Weakness Credential Access, Defense Evasion, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation
Windows Service Abuse Services Registry Permissions Weakness, Hijack Execution Flow, Windows Service, Create or Modify System Process, System Services, Service Execution Defense Evasion, Execution, Persistence, Privilege Escalation
XMRig Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning, Account Access Removal, Disable or Modify Tools, Impair Defenses, Ingress Tool Transfer, Account Discovery, Service Stop, File and Directory Permissions Modification, Scheduled Task/Job, Windows Service, Create or Modify System Process Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance
sAMAccountName Spoofing and Domain Controller Impersonation Valid Accounts, Domain Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation

AWS IAM Privilege Escalation

This analytic story contains detections that query your AWS CloudTrail logs for activity related to privilege escalation.

FIN7

IcedID

Remcos

XMRig
