CISA AA24-241A
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows IIS
|
Command And Control
Defense Evasion
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-10-07
|
Emotet Malware DHS Report TA18-201A
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
BlackSuit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-08-26
|
Gozi Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-07-24
|
Sneaky Active Directory Persistence Tricks
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141
|
Credential Access
Defense Evasion
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-14
|
Okta Account Takeover
|
Okta
|
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-06
|
Splunk Vulnerabilities
|
Splunk Stream TCP, Splunk
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-22
|
CISA AA23-347A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-12-14
|
Rhysida Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-12-12
|
DarkGate Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-31
|
PlugX
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-12
|
NjRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-09-07
|
BlackByte Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS
|
Collection
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-10
|
Graceful Wipe Out Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-15
|
Scheduled Tasks
|
CrowdStrike ProcessRollup2, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log TaskScheduler 200
|
Defense Evasion
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-12
|
Volt Typhoon
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-25
|
Data Destruction
|
CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-06
|
Active Directory Privilege Escalation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-03-20
|
Windows Certificate Services
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887
|
Collection
Command And Control
Credential Access
Defense Evasion
Execution
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-02-01
|
Chaos Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-11
|
Prestige Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-30
|
CISA AA22-320A
|
CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-16
|
CISA AA22-277A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-10-05
|
CISA AA22-257A
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200
|
Command And Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-09-15
|
Linux Living Off The Land
|
CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-27
|
Azorult
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-06-09
|
Industroyer2
|
CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-21
|
Sandworm Tools
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-05
|
Windows Registry Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-17
|
Living Off The Land
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, osquery
|
Command And Control
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-16
|
Hermetic Wiper
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145
|
Command And Control
Credential Access
Defense Evasion
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-02
|
Active Directory Kerberos Attacks
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781
|
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-02-02
|
WhisperGate
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688
|
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-01-19
|
Active Directory Lateral Movement
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-09
|
Active Directory Discovery
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-08-20
|
IcedID
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-07-29
|
DarkSide Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-05-12
|
Trickbot
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-04-20
|
HAFNIUM Group
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Collection
Command And Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-03
|
Ryuk Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-11-06
|
Detect Zerologon Attack
|
Sysmon EventID 10, Sysmon EventID 7, Windows Event Log Security 4624, Windows Event Log Security 4742
|
Credential Access
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-09-18
|
Ransomware
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Hidden Cobra Malware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Execution
Exfiltration
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
DHS Report TA18-074A
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Command And Control
Defense Evasion
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
SamSam Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-12-13
|
Prohibited Traffic Allowed or Protocol Mismatch
|
Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22
|
Command And Control
Exfiltration
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-11
|
Malicious PowerShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-08-23
|