Advanced Threat Detection Analytic Stories

Name Data Sources Tactics Products Date
CISA AA24-241A windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-10-07
Common Phishing Frameworks Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Ivanti EPM Vulnerabilities Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Windows Defense Evasion Tactics windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040 Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Emotet Malware DHS Report TA18-201A windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Azure Active Directory Persistence windows icon Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726 Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Lateral Movement N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
Suspicious Regsvcs Regasm Activity windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-24
ValleyRAT windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-09-11
BlackSuit Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200 Collection Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-08-26
MoonPeak windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-08-21
Ivanti Virtual Traffic Manager CVE-2024-7593 Ivanti VTM Audit Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-08-19
Handala Wiper windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688 Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-07-31
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085 windows icon Powershell Script Block Logging 4104, Sysmon EventID 1 Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-07-30
Gozi Malware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-07-24
MOVEit Transfer Authentication Bypass Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-06-28
Compromised Linux Host linux icon Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall Collection Credential Access Defense Evasion Discovery Execution Exfiltration Impact Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-06-25
ShrinkLocker windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-06-17
Gomir linux icon Linux Auditd Proctitle, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-05-29
CrushFTP Vulnerabilities CrushFTP Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-05-16
Compromised Windows Host Credential Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-04-18
AcidPour linux icon Sysmon EventID 11, Sysmon for Linux EventID 11 Defense Evasion Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-04-01
APT29 Diplomatic Deceptions with WINELOADER windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-26
Windows AppLocker Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-21
Outlook RCE CVE-2024-21378 windows icon Sysmon EventID 11, Sysmon EventID 13 Defense Evasion Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-20
Cyclops Blink linux icon Sysmon for Linux EventID 1 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-14
Sneaky Active Directory Persistence Tricks windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141 Credential Access Defense Evasion Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-14
Okta Account Takeover Okta Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-06
JetBrains TeamCity Vulnerabilities Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-03-04
WordPress Vulnerabilities Nginx Access Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-22
ConnectWise ScreenConnect Vulnerabilities windows icon Nginx Access, Suricata, Sysmon EventID 11, Windows Event Log Security 4663 Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-21
Office 365 Collection Techniques O365 MailItemsAccessed, O365 Collection Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-12
Snake Keylogger windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-02-12
Jenkins Server Vulnerabilities Nginx Access Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-29
Phemedrone Stealer windows icon CrowdStrike ProcessRollup2, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Discovery Execution Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-24
Confluence Data Center and Confluence Server Vulnerabilities network icon Nginx Access, Palo Alto Network Threat, Suricata Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-22
Ivanti Connect Secure VPN Vulnerabilities Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2024-01-16
CISA AA23-347A windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045 Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-12-14
Rhysida Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045 Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-12-12
SysAid On-Prem Software CVE-2023-47246 Vulnerability windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-11-09
DarkGate Malware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703 Collection Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-31
F5 Authentication Bypass with TMUI Suricata N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-30
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-24
Office 365 Account Takeover O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365 Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-17
Cisco IOS XE Software Web Management User Interface vulnerability Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-17
Office 365 Persistence Mechanisms O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365 Collection Credential Access Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-17
PlugX windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045 Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-12
Subvert Trust Controls SIP and Trust Provider Hijacking windows icon Sysmon EventID 12, Sysmon EventID 13, Windows Event Log CAPI2 81 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-10
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server Nginx Access, Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-04
WS FTP Server Critical Vulnerabilities windows icon CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Suricata, Sysmon EventID 1, Windows Event Log Security 4688 Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-01
JetBrains TeamCity Unauthenticated RCE Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-10-01
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 Suricata Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-09-27
Forest Blizzard windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Defense Evasion Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-09-11
NjRAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-09-07
Juniper JunOS Remote Code Execution Suricata Command And Control Execution Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-29
WinRAR Spoofing Attack CVE-2023-38831 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-29
Flax Typhoon windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-25
Windows Error Reporting Service Elevation of Privilege Vulnerability windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-24
Ivanti Sentry Authentication Bypass CVE-2023-38035 Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-24
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 Suricata Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-23
Ivanti EPMM Remote Unauthenticated Access Suricata Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-08-08
Warzone RAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-07-26
Citrix ShareFile RCE CVE-2023-24489 windows icon CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688 Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-07-26
Citrix Netscaler ADC CVE-2023-3519 network icon Palo Alto Network Threat Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-07-20
CVE-2023-36884 Office and Windows HTML RCE Vulnerability windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-07-11
BlackByte Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS Collection Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-07-10
VMware Aria Operations vRealize CVE-2023-20887 network icon Palo Alto Network Threat Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-06-21
Amadey windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-06-16
Graceful Wipe Out Attack windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145 Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-06-15
Scheduled Tasks linux icon CrowdStrike ProcessRollup2, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log TaskScheduler 200 Defense Evasion Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-06-12
MOVEit Transfer Critical Vulnerability windows icon Sysmon EventID 11 Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-06-01
Volt Typhoon windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776 Command And Control Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-25
Data Exfiltration linux icon AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, CrowdStrike ProcessRollup2, Nginx Access, O365, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Exfiltration Impact Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-17
PaperCut MF NG Vulnerability windows icon CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688 Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-15
Snake Malware windows icon Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log System 7045 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-10
Windows BootKits windows icon Sysmon EventID 12, Sysmon EventID 13 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-05-03
RedLine Stealer windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040 Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-24
BlackLotus Campaign windows icon Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3 Defense Evasion Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-14
Data Destruction linux icon CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-04-06
3CX Supply Chain Attack windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688 Credential Access Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-03-30
Active Directory Privilege Escalation windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145 Collection Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-03-20
CVE-2023-23397 Outlook Elevation of Privilege windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Exfiltration Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-03-15
CVE-2023-21716 Word RTF Heap Corruption windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-03-10
Fortinet FortiNAC CVE-2022-39952 network icon Palo Alto Network Threat Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-21
Winter Vivern windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-16
Swift Slicer windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Windows Event Log Security 4688 Defense Evasion Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-01
Windows Certificate Services windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887 Collection Command And Control Credential Access Defense Evasion Execution Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-02-01
BishopFox Sliver Adversary Emulation Framework windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Defense Evasion Execution Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-24
AsyncRAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200 Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-24
AwfulShred linux icon Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-24
Compromised User Account windows icon AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625 Collection Credential Access Defense Evasion Discovery Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-19
LockBit Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036 Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-16
Chaos Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2023-01-11
IIS Components windows icon CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 2282, Windows Event Log Security 4688, Windows IIS 29 Defense Evasion Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-12-19
Prestige Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Collection Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-30
MetaSploit windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-21
Reverse Network Proxy linux icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Command And Control Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-16
CISA AA22-320A windows icon CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-16
Qakbot windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-14
OpenSSL CVE-2022-3602 Command And Control Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-11-02
CVE-2022-40684 Fortinet Appliance Auth bypass network icon Palo Alto Network Threat Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-10-14
GCP Account Takeover Google Workspace login_failure, Google Workspace login_success Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-10-12
CISA AA22-277A windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688 Collection Command And Control Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-10-05
ProxyNotShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows IIS Command And Control Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-30
Okta MFA Exhaustion Okta Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-27
CISA AA22-264A windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-22
CISA AA22-257A windows icon CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200 Command And Control Credential Access Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-09-15
Brute Ratel C4 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045 Collection Command And Control Credential Access Defense Evasion Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-08-23
Linux Living Off The Land linux icon CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Defense Evasion Discovery Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-27
Linux Rootkit linux icon Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 Defense Evasion Discovery Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-27
DarkCrystal RAT windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Command And Control Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-26
Azure Active Directory Account Takeover azure icon Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory Collection Credential Access Defense Evasion Execution Exfiltration Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-07-14
Windows System Binary Proxy Execution MSIExec windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-06-16
Azorult windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-06-09
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Execution Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-05-31
VMware Server Side Injection and Privilege Escalation network icon Palo Alto Network Threat Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-05-19
Insider Threat linux icon CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145 Command And Control Credential Access Defense Evasion Exfiltration Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics 2022-05-19
F5 BIG-IP Vulnerability CVE-2022-1388 network icon Palo Alto Network Threat Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-05-10
Local Privilege Escalation With KrbRelayUp windows icon Windows Event Log Security 4624, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log System 7045 Credential Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-28
Industroyer2 linux icon CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-21
AcidRain linux icon Sysmon for Linux EventID 11 Defense Evasion Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-12
AgentTesla windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-12
Sandworm Tools linux icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200 Credential Access Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-04-05
Windows Drivers windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-30
Double Zero Destructor windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-25
Caddy Wiper windows icon Sysmon EventID 9 Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-25
Windows Registry Abuse windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-17
Hermetic Wiper linux icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145 Command And Control Credential Access Defense Evasion Execution Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-03-02
Network Discovery linux icon AWS CloudWatchLogs VPCflow, Sysmon EventID 1, Sysmon for Linux EventID 1 Collection Discovery Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-02-14
Active Directory Kerberos Attacks windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781 Credential Access Defense Evasion Discovery Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-02-02
WhisperGate windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688 Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2022-01-19
sAMAccountName Spoofing and Domain Controller Impersonation windows icon Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781 Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-20
Linux Persistence Techniques linux icon Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-17
Linux Privilege Escalation linux icon Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1 Credential Access Defense Evasion Discovery Execution Exfiltration Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-17
Active Directory Lateral Movement windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045 Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-12-09
Signed Binary Proxy Execution InstallUtil windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-11-12
Remcos windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Collection Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-09-23
FIN7 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Impact Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-09-14
Microsoft MSHTML Remote Code Execution CVE-2021-40444 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Defense Evasion Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-09-08
BlackMatter Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036 Credential Access Discovery Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-09-06
PetitPotam NTLM Relay on Active Directory Certificate Services windows icon Windows Event Log Security 4768, Windows Event Log Security 5145 Credential Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-08-31
ProxyShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows IIS Execution Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-08-24
Active Directory Discovery windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045 Collection Credential Access Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-08-20
IcedID windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200 Collection Command And Control Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-07-29
PrintNightmare CVE-2021-34527 windows icon CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Printservice 316, Windows Event Log Printservice 808, Windows Event Log Security 4688 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-07-01
Meterpreter windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-06-08
Revil Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Defense Evasion Execution Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-06-04
DarkSide Ransomware windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688 Command And Control Credential Access Defense Evasion Execution Exfiltration Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-05-12
XMRig windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798 Command And Control Credential Access Defense Evasion Discovery Execution Impact Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-05-07
Masquerading - Rename System Utilities windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-04-26
Trickbot windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145 Defense Evasion Discovery Execution Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-04-20
Active Directory Password Spraying windows icon Azure Active Directory Sign-in activity, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776 Credential Access Defense Evasion Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-04-07
BITS Jobs windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Command And Control Defense Evasion Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-26
Domain Trust Discovery windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Discovery Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-25
Ingress Tool Transfer linux icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688 Collection Command And Control Credential Access Defense Evasion Execution Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-24
Deobfuscate-Decode Files or Information windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-24
Clop Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 7045 Defense Evasion Execution Impact Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-17
Windows Discovery Techniques windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 Discovery Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-04
HAFNIUM Group windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732 Collection Command And Control Credential Access Execution Initial Access Lateral Movement Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-03-03
Silver Sparrow windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Collection Command And Control Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-02-24
Cobalt Strike windows icon CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 Collection Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-02-16
Suspicious Compiled HTML Activity windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-02-11
Suspicious Rundll32 Activity windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688 Credential Access Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-02-03
Suspicious Regsvr32 Activity windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-29
Baron Samedit CVE-2021-3156 Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-27
Trusted Developer Utilities Proxy Execution MSBuild windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-21
Suspicious MSHTA Activity windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-20
Trusted Developer Utilities Proxy Execution windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2021-01-12
NOBELIUM Group windows icon Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036 Collection Command And Control Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-12-14
Ryuk Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698 Defense Evasion Discovery Execution Impact Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-11-06
Ransomware Cloud aws icon AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy, AWS CloudTrail Execution Impact Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-10-27
Detect Zerologon Attack windows icon Sysmon EventID 10, Sysmon EventID 7, Windows Event Log Security 4624, Windows Event Log Security 4742 Credential Access Initial Access Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-09-18
F5 TMUI RCE CVE-2020-5902 Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-08-02
Windows DNS SIGRed CVE-2020-1350 Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-07-28
Suspicious Zoom Child Processes windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Execution Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-04-13
Unusual Processes windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Initial Access Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
DNS Hijacking windows icon Sysmon EventID 22 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Windows Privilege Escalation windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769 Credential Access Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Credential Dumping linux icon CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Initial Access Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Ransomware windows icon CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036 Collection Command And Control Defense Evasion Discovery Execution Exfiltration Impact Initial Access Lateral Movement Persistence Privilege Escalation Reconnaissance Resource Development Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-04
Suspicious Command-Line Executions windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Execution Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-02-03
Suspicious Emails Collection Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-27
Hidden Cobra Malware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Defense Evasion Execution Exfiltration Lateral Movement Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
Orangeworm Attack Group windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036 Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
DHS Report TA18-074A windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732 Command And Control Defense Evasion Execution Lateral Movement Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns windows icon CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688 Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2020-01-22
Spearphishing Attachments windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688 Credential Access Defense Evasion Execution Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2019-04-29
ColdRoot MacOS RAT windows icon Sysmon EventID 1 N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2019-01-09
SamSam Ransomware windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688 Credential Access Defense Evasion Discovery Execution Impact Initial Access Lateral Movement Persistence Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-12-13
Apache Struts Vulnerability windows icon Sysmon EventID 1 Discovery Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-12-06
Suspicious WMI Use windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-10-23
Suspicious Windows Registry Activities windows icon Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-05-31
Windows Persistence Techniques windows icon CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-05-31
Windows File Extension and Association Abuse windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2018-01-26
Brand Monitoring N/A Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-12-19
Windows Service Abuse windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036 Defense Evasion Execution Persistence Privilege Escalation Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-11-02
SQL Injection Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-19
Suspicious DNS Traffic windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688 Command And Control Exfiltration Initial Access Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-18
Host Redirection windows icon Sysmon EventID 11 Command And Control Exfiltration Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-14
JBoss Vulnerability Discovery Initial Access Persistence Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-09-14
Malicious PowerShell windows icon CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045 Command And Control Credential Access Defense Evasion Discovery Execution Lateral Movement Persistence Privilege Escalation Reconnaissance Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-08-23
Netsh Abuse windows icon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Defense Evasion Discovery Execution Impact Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud 2017-01-05