Reconnaissance Analytic Stories

Name Data Sources Tactics Products Date
Meduza Stealer windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703 Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-11-28
PXA Stealer windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Defense Evasion Discovery Execution Initial Access Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-11-18
MoonPeak windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-08-21
Handala Wiper windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688 Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-07-31
Compromised Windows Host windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-04-18
Snake Keylogger windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-12
Volt Typhoon windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776 Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-25
Data Destruction linux icon CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-06
AsyncRAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200 Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-24
LockBit Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036 Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-16
Prestige Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-30
Windows Post-Exploitation windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 Collection Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-30
Qakbot windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-14
CISA AA22-264A windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-22
Brute Ratel C4 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045 Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-08-23
DarkCrystal RAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-26
Azorult windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-06-09
Industroyer2 linux icon CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-21
Sandworm Tools linux icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-05
Hermetic Wiper linux icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145 Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-02
Active Directory Kerberos Attacks windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781 Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-02-02
Remcos windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-09-23
XMRig windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798 Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-05-07
Trickbot windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145 Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-04-20
Ransomware windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Unusual Processes windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Spearphishing Attachments windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Initial Access Lateral Movement Persistence Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2019-04-29
SamSam Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-12-13
Malicious PowerShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-08-23