Reconnaissance Analytic Stories

| Name | Data Sources | Tactics | Products | Date |
|---|---|---|---|---|
| Scattered Lapsus$ Hunters | AWS CloudTrail, AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail ModifyDBInstance, AWS CloudWatchLogs VPCflow, Azure Active Directory, Azure Active Directory Add member to role, Azure Active Directory Disable Strong Authentication, Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update user, Azure Active Directory User registered security info, Cisco IOS Logs, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, G Suite Drive, Google Workspace, Google Workspace login_failure, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, O365 UserLoggedIn, O365 UserLoginFailed, Office 365 Universal Audit Log, Okta, Palo Alto Network Threat, Palo Alto Network Traffic, PingID, Powershell Script Block Logging 4104, Splunk Stream TCP, Suricata, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 22, Sysmon for Linux EventID 1, Windows Event Log Security 1100, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log Security 4720, Windows Event Log Security 4727, Windows Event Log Security 4731, Windows Event Log Security 4732, Windows Event Log Security 4744, Windows Event Log Security 4749, Windows Event Log Security 4754, Windows Event Log Security 4759, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4783, Windows Event Log Security 4790, Windows Event Log Security 4794, Windows Event Log System 7036 | Collection, Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-10-14 |
| Hellcat Ransomware | AWS CloudTrail CreateTask, Azure Active Directory Set domain authentication, Azure Active Directory Update user, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense File Event, CrowdStrike ProcessRollup2, CrushFTP, Ivanti VTM Audit, Linux Auditd Execve, Nginx Access, Palo Alto Network Threat, Powershell Script Block Logging 4104, Splunk Stream HTTP, Suricata, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 20, Sysmon EventID 22, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11, VMWare ESXi Syslog, Windows Event Log Application 17135, Windows Event Log CAPI2 70, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7045, osquery | Collection, Command And Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-10-14 |
| HTTP Request Smuggling | Nginx Access, Suricata | Command And Control, Initial Access, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-10-09 |
| Suspicious Ollama Activities | Ollama Server | Command And Control, Execution, Exfiltration, Impact, Initial Access, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-10-05 |
| China-Nexus Threat Activity | AWS CloudWatchLogs VPCflow, Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11, VMWare ESXi Syslog, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log System 7045 | Collection, Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-08-18 |
| Windows RDP Artifacts and Defense Evasion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4688, Zeek Conn | Credential Access, Defense Evasion, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-07-30 |
| Scattered Spider | Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-07-29 |
| Interlock Ransomware | Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log Security 5136 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-07-28 |
| Quasar RAT | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 22, Sysmon EventID 23, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702 | Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-07-16 |
| Cisco Network Visibility Module Analytics | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-07-01 |
| Malicious Inno Setup Loader | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Collection, Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-05-25 |
| XWorm | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4688, Windows Event Log Security 4698 | Command And Control, Defense Evasion, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-05-06 |
| Cisco Secure Firewall Threat Defense Analytics | AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event, Cisco Secure Firewall Threat Defense File Event, Cisco Secure Firewall Threat Defense Intrusion Event, Palo Alto Network Traffic | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-04-03 |
| PHP-CGI RCE Attack on Japanese Organizations | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Initial Access, Persistence, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2025-03-17 |
| MoonPeak | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4663, Windows Event Log Security 4688 | Command And Control, Defense Evasion, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2024-08-21 |
| Compromised Windows Host | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Sysmon EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 104, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2024-04-18 |
| Volt Typhoon | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2023-05-25 |
| Data Destruction | AWS Cloudfront, Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Office 365 Reporting Message Trace, Office 365 Universal Audit Log, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Collection, Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2023-04-06 |
| AsyncRAT | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Defense Evasion, Execution, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2023-01-24 |
| LockBit Ransomware | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Windows Event Log Security 4688, Windows Event Log System 7036 | Defense Evasion, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2023-01-16 |
| Prestige Ransomware | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-11-30 |
| Windows Post-Exploitation | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 | Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-11-30 |
| Qakbot | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Command And Control, Defense Evasion, Discovery, Execution, Impact, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-11-14 |
| CISA AA22-264A | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 9, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Sysmon for Linux EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 104 | Credential Access, Defense Evasion, Execution, Impact, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-09-22 |
| Brute Ratel C4 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045 | Collection, Command And Control, Credential Access, Defense Evasion, Execution, Impact, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-08-23 |
| DarkCrystal RAT | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 26, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Command And Control, Defense Evasion, Discovery, Execution, Impact, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-07-26 |
| Industroyer2 | CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 11, Sysmon for Linux EventID 1, Sysmon for Linux EventID 11, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-04-21 |
| Sandworm Tools | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 23, Sysmon EventID 26, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200, Windows Event Log TaskScheduler 201 | Credential Access, Defense Evasion, Discovery, Execution, Impact, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-04-05 |
| Hermetic Wiper | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon EventID 11, Sysmon EventID 13, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145 | Command And Control, Credential Access, Defense Evasion, Execution, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-03-02 |
| Network Discovery | AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon for Linux EventID 1, Windows Event Log Security 4688 | Collection, Discovery, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-02-14 |
| Active Directory Kerberos Attacks | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 10, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781 | Credential Access, Defense Evasion, Discovery, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2022-02-02 |
| Remcos | CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 | Collection, Credential Access, Defense Evasion, Execution, Initial Access, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2021-09-23 |
| XMRig | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 6, Sysmon EventID 11, Sysmon EventID 13, Sysmon EventID 15, Windows Event Log Security 4688, Windows Event Log Security 4798 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2021-05-07 |
| Windows Discovery Techniques | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 11, Windows Event Log Security 4688 | Discovery, Reconnaissance | Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2021-03-04 |
| Unusual Processes | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Sysmon EventID 13, Windows Event Log Security 4688 | Credential Access, Defense Evasion, Discovery, Execution, Initial Access, Persistence, Privilege Escalation, Reconnaissance, Resource Development | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2020-02-04 |
| Ransomware | Cisco Network Visibility Module Flow Data, Cisco Secure Firewall Threat Defense Connection Event, CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 22, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4700, Windows Event Log Security 4702, Windows Event Log System 104, Windows Event Log System 7036 | Collection, Command And Control, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance, Resource Development | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2020-02-04 |
| Spearphishing Attachments | CrowdStrike ProcessRollup2, Office 365 Universal Audit Log, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 11, Sysmon EventID 22, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688 | Defense Evasion, Execution, Initial Access, Lateral Movement, Persistence, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2019-04-29 |
| SamSam Ransomware | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 11, Windows Event Log Security 4688, Zeek Conn | Credential Access, Defense Evasion, Discovery, Execution, Impact, Initial Access, Lateral Movement, Persistence, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2018-12-13 |
| Malicious PowerShell | Cisco Network Visibility Module Flow Data, CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 13, Windows Event Log Security 4688, Windows Event Log System 7045 | Command And Control, Credential Access, Defense Evasion, Discovery, Execution, Lateral Movement, Persistence, Privilege Escalation, Reconnaissance | Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud | 2017-08-23 |