Meduza Stealer
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-11-28
|
PXA Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Discovery
Execution
Initial Access
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-11-18
|
Lumma Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-11-13
|
Braodo Stealer
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-10-24
|
CISA AA24-241A
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200, Windows IIS
|
Command And Control
Defense Evasion
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-10-07
|
Azure Active Directory Persistence
|
Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Add unverified domain, Azure Active Directory Consent to application, Azure Active Directory Enable account, Azure Active Directory Invite external user, Azure Active Directory Reset password (by admin), Azure Active Directory Set domain authentication, Azure Active Directory Update application, Azure Active Directory Update user, Azure Active Directory, Azure Audit Create or Update an Azure Automation Runbook, Azure Audit Create or Update an Azure Automation account, Azure Audit Create or Update an Azure Automation webhook, Windows Event Log Security 4724, Windows Event Log Security 4725, Windows Event Log Security 4726
|
Credential Access
Defense Evasion
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Emotet Malware DHS Report TA18-201A
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Windows Defense Evasion Tactics
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7040
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Lateral Movement
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Common Phishing Frameworks
|
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Ivanti EPM Vulnerabilities
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
Suspicious Regsvcs Regasm Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-24
|
ValleyRAT
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-09-11
|
BlackSuit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 5145, Windows Event Log System 7045, Windows Event Log TaskScheduler 200
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-08-26
|
MoonPeak
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-08-21
|
Ivanti Virtual Traffic Manager CVE-2024-7593
|
Ivanti VTM Audit
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-08-19
|
Handala Wiper
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 3, Windows Event Log Security 4688
|
Defense Evasion
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-07-31
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
Powershell Script Block Logging 4104, Sysmon EventID 1
|
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-07-30
|
Gozi Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Windows Event Log Security 4627, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-07-24
|
MOVEit Transfer Authentication Bypass
|
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-06-28
|
Compromised Linux Host
|
Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-06-25
|
Critical Alerts
|
AWS Security Hub, MS Defender ATP Alerts, MS365 Defender Incident Alerts, Windows Defender Alerts
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-06-21
|
ShrinkLocker
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 1102, Windows Event Log Security 4688
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-06-17
|
Gomir
|
Linux Auditd Proctitle, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-05-29
|
CrushFTP Vulnerabilities
|
CrushFTP
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-05-16
|
Compromised Windows Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 1102, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4742, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 4798, Windows Event Log Security 4887, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141, Windows Event Log Security 5145, Windows Event Log System 7036, Windows Event Log System 7040, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-04-18
|
AcidPour
|
Sysmon EventID 11, Sysmon for Linux EventID 11
|
Defense Evasion
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-04-01
|
APT29 Diplomatic Deceptions with WINELOADER
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-26
|
Windows AppLocker
|
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-21
|
Outlook RCE CVE-2024-21378
|
Sysmon EventID 11, Sysmon EventID 13
|
Defense Evasion
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-20
|
Cyclops Blink
|
Sysmon for Linux EventID 1
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-14
|
Sneaky Active Directory Persistence Tricks
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4719, Windows Event Log Security 4720, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log Security 4794, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5141
|
Credential Access
Defense Evasion
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-14
|
Okta Account Takeover
|
Okta
|
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-06
|
JetBrains TeamCity Vulnerabilities
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-03-04
|
WordPress Vulnerabilities
|
Nginx Access
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-02-22
|
ConnectWise ScreenConnect Vulnerabilities
|
Nginx Access, Suricata, Sysmon EventID 11, Windows Event Log Security 4663
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-02-21
|
Office 365 Collection Techniques
|
O365 MailItemsAccessed, O365
|
Collection
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-02-12
|
Snake Keylogger
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-02-12
|
Jenkins Server Vulnerabilities
|
Nginx Access
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-29
|
Phemedrone Stealer
|
CrowdStrike ProcessRollup2, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Discovery
Execution
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-24
|
Confluence Data Center and Confluence Server Vulnerabilities
|
Nginx Access, Palo Alto Network Threat, Suricata
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-22
|
Ivanti Connect Secure VPN Vulnerabilities
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2024-01-16
|
CISA AA23-347A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Suricata, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4703, Windows Event Log System 7040, Windows Event Log System 7045
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-12-14
|
Rhysida Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 5, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-12-12
|
SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Command And Control
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-11-09
|
DarkGate Malware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 4703
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-31
|
F5 Authentication Bypass with TMUI
|
Suricata
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-30
|
Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-24
|
Office 365 Account Takeover
|
O365 Consent to application., O365 Update authorization policy., O365 UserLoggedIn, O365 UserLoginFailed, O365
|
Collection
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-17
|
Office 365 Persistence Mechanisms
|
O365 Add app role assignment grant to user., O365 Add app role assignment to service principal., O365 Add member to role., O365 Add owner to application., O365 Add service principal., O365 Change user license., O365 Consent to application., O365 Disable Strong Authentication., O365 ModifyFolderPermissions, O365 Set Company Information., O365 Update application., O365 Update user., O365
|
Collection
Credential Access
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-17
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-17
|
PlugX
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-12
|
Subvert Trust Controls SIP and Trust Provider Hijacking
|
Sysmon EventID 12, Sysmon EventID 13, Windows Event Log CAPI2 81
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-10
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
Nginx Access, Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-04
|
JetBrains TeamCity Unauthenticated RCE
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-01
|
WS FTP Server Critical Vulnerabilities
|
CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-10-01
|
Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357
|
Suricata
|
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-09-27
|
Forest Blizzard
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-09-11
|
NjRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-09-07
|
Juniper JunOS Remote Code Execution
|
Suricata
|
Command And Control
Execution
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-29
|
WinRAR Spoofing Attack CVE-2023-38831
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command And Control
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-29
|
Flax Typhoon
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-25
|
Ivanti Sentry Authentication Bypass CVE-2023-38035
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-24
|
Windows Error Reporting Service Elevation of Privilege Vulnerability
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-24
|
Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360
|
Suricata
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-23
|
Ivanti EPMM Remote Unauthenticated Access
|
Suricata
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-08-08
|
Warzone RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-26
|
Citrix ShareFile RCE CVE-2023-24489
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-26
|
Citrix Netscaler ADC CVE-2023-3519
|
Palo Alto Network Threat
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-20
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-11
|
BlackByte Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 3, Sysmon EventID 5, Sysmon EventID 6, Sysmon EventID 9, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4688, Windows Event Log System 7045, Windows IIS
|
Collection
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-07-10
|
VMware Aria Operations vRealize CVE-2023-20887
|
Palo Alto Network Threat
|
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-21
|
Amadey
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200
|
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-16
|
Graceful Wipe Out Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 8, Sysmon EventID 9, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-15
|
Scheduled Tasks
|
CrowdStrike ProcessRollup2, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Syscall, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log TaskScheduler 200
|
Defense Evasion
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-12
|
MOVEit Transfer Critical Vulnerability
|
Sysmon EventID 11
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-06-01
|
Volt Typhoon
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-25
|
Data Exfiltration
|
AWS CloudTrail CreateSnapshot, AWS CloudTrail CreateTask, AWS CloudTrail DeleteSnapshot, AWS CloudTrail GetObject, AWS CloudTrail JobCreated, AWS CloudTrail ModifyImageAttribute, AWS CloudTrail ModifySnapshotAttribute, AWS CloudTrail PutBucketReplication, AWS CloudTrail PutBucketVersioning, CrowdStrike ProcessRollup2, Nginx Access, O365, Powershell Script Block Logging 4104, Splunk Stream HTTP, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Credential Access
Exfiltration
Impact
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-17
|
PaperCut MF NG Vulnerability
|
CrowdStrike ProcessRollup2, Suricata, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-15
|
Snake Malware
|
Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log System 7045
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-10
|
Windows BootKits
|
Sysmon EventID 12, Sysmon EventID 13
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-05-03
|
RedLine Stealer
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7040
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-24
|
BlackLotus Campaign
|
Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 3
|
Defense Evasion
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-14
|
Data Destruction
|
CrowdStrike ProcessRollup2, Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 5, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4769, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-04-06
|
3CX Supply Chain Attack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-03-30
|
Active Directory Privilege Escalation
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Active Directory Admon, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4627, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4732, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781, Windows Event Log Security 5136, Windows Event Log Security 5137, Windows Event Log Security 5140, Windows Event Log Security 5145
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-03-20
|
CVE-2023-23397 Outlook Elevation of Privilege
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Exfiltration
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-03-15
|
CVE-2023-21716 Word RTF Heap Corruption
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-03-10
|
Fortinet FortiNAC CVE-2022-39952
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-02-21
|
Winter Vivern
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log TaskScheduler 200
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Exfiltration
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-02-16
|
Swift Slicer
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Windows Event Log Security 4688
|
Defense Evasion
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-02-01
|
Windows Certificate Services
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log CAPI2 70, Windows Event Log CertificateServicesClient 1007, Windows Event Log Security 4688, Windows Event Log Security 4768, Windows Event Log Security 4876, Windows Event Log Security 4886, Windows Event Log Security 4887
|
Collection
Command And Control
Credential Access
Defense Evasion
Execution
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-02-01
|
AsyncRAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4703, Windows Event Log TaskScheduler 200
|
Defense Evasion
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-24
|
BishopFox Sliver Adversary Emulation Framework
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Defense Evasion
Execution
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-24
|
AwfulShred
|
Linux Auditd Execve, Linux Auditd Proctitle, Linux Auditd Service Stop, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Defense Evasion
Execution
Impact
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-24
|
Compromised User Account
|
AWS CloudTrail ConsoleLogin, AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail DescribeEventAggregates, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy, AWS CloudTrail, Azure Active Directory Sign-in activity, Azure Active Directory User registered security info, Azure Active Directory, PingID, Windows Event Log Security 4625
|
Collection
Credential Access
Defense Evasion
Discovery
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-19
|
LockBit Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 5, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Defense Evasion
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-16
|
Chaos Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2023-01-11
|
IIS Components
|
CrowdStrike ProcessRollup2, Powershell Installed IIS Modules, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Application 2282, Windows Event Log Security 4688, Windows IIS 29
|
Defense Evasion
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-12-19
|
Prestige Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-30
|
MetaSploit
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-21
|
Reverse Network Proxy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Command And Control
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-16
|
CISA AA22-320A
|
CrowdStrike ProcessRollup2, Nginx Access, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-16
|
Qakbot
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log System 7045, Windows Event Log TaskScheduler 200
|
Command And Control
Defense Evasion
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-14
|
OpenSSL CVE-2022-3602
|
|
Command And Control
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-11-02
|
CVE-2022-40684 Fortinet Appliance Auth bypass
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-10-14
|
GCP Account Takeover
|
Google Workspace login_failure, Google Workspace login_success
|
Credential Access
Defense Evasion
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-10-12
|
CISA AA22-277A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-10-05
|
ProxyNotShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows IIS
|
Command And Control
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-09-30
|
Okta MFA Exhaustion
|
Okta
|
Credential Access
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-09-27
|
CISA AA22-264A
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Windows Event Log Security 1102, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-09-22
|
CISA AA22-257A
|
CrowdStrike ProcessRollup2, Nginx Access, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4720, Windows Event Log Security 4732, Windows Event Log TaskScheduler 200
|
Command And Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-09-15
|
Brute Ratel C4
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4703, Windows Event Log System 7045
|
Collection
Command And Control
Credential Access
Defense Evasion
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-08-23
|
Linux Living Off The Land
|
CrowdStrike ProcessRollup2, Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon EventID 1, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-27
|
Linux Rootkit
|
Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Defense Evasion
Discovery
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-27
|
DarkCrystal RAT
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200
|
Command And Control
Defense Evasion
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-26
|
Azure Active Directory Account Takeover
|
Azure Active Directory Consent to application, Azure Active Directory Disable Strong Authentication, Azure Active Directory Sign-in activity, Azure Active Directory Update authorization policy, Azure Active Directory User registered security info, Azure Active Directory
|
Collection
Credential Access
Defense Evasion
Execution
Exfiltration
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-07-14
|
Windows System Binary Proxy Execution MSIExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-06-16
|
Azorult
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-06-09
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-05-31
|
VMware Server Side Injection and Privilege Escalation
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-05-19
|
Insider Threat
|
CrowdStrike ProcessRollup2, G Suite Drive, G Suite Gmail, Linux Secure, Palo Alto Network Threat, Palo Alto Network Traffic, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4688, Windows Event Log Security 5145
|
Command And Control
Credential Access
Defense Evasion
Exfiltration
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Behavioral Analytics
|
2022-05-19
|
F5 BIG-IP Vulnerability CVE-2022-1388
|
Palo Alto Network Threat
|
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-05-10
|
Local Privilege Escalation With KrbRelayUp
|
Windows Event Log Security 4624, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log System 7045
|
Credential Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-28
|
Industroyer2
|
CrowdStrike ProcessRollup2, Linux Auditd Proctitle, Linux Auditd Service Stop, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 5, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-21
|
AgentTesla
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 3, Sysmon EventID 6, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-12
|
AcidRain
|
Sysmon for Linux EventID 11
|
Defense Evasion
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-12
|
Sandworm Tools
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 7, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log TaskScheduler 200
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-04-05
|
Windows Drivers
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log System 7045
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-30
|
Double Zero Destructor
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-25
|
Caddy Wiper
|
Sysmon EventID 9
|
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-25
|
Windows Registry Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-17
|
Hermetic Wiper
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 9, Sysmon for Linux EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4769, Windows Event Log Security 5145
|
Command And Control
Credential Access
Defense Evasion
Execution
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-03-02
|
Network Discovery
|
AWS CloudWatchLogs VPCflow, Sysmon EventID 1, Sysmon for Linux EventID 1
|
Collection
Discovery
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-02-14
|
Active Directory Kerberos Attacks
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4624, Windows Event Log Security 4627, Windows Event Log Security 4688, Windows Event Log Security 4738, Windows Event Log Security 4741, Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4771, Windows Event Log Security 4781
|
Credential Access
Defense Evasion
Discovery
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-02-02
|
WhisperGate
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 23, Sysmon EventID 9, Windows Event Log Security 4688
|
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2022-01-19
|
sAMAccountName Spoofing and Domain Controller Impersonation
|
Windows Event Log Security 4768, Windows Event Log Security 4769, Windows Event Log Security 4781
|
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-20
|
Linux Privilege Escalation
|
Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-17
|
Linux Persistence Techniques
|
Linux Auditd Add User, Linux Auditd Execve, Linux Auditd Path, Linux Auditd Proctitle, Linux Auditd Service Stop, Linux Auditd Syscall, Sysmon for Linux EventID 11, Sysmon for Linux EventID 1
|
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-17
|
Active Directory Lateral Movement
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log RemoteConnectionManager 1149, Windows Event Log Security 4624, Windows Event Log Security 4625, Windows Event Log Security 4672, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4699, Windows Event Log Security 4769, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log System 4720, Windows Event Log System 4726, Windows Event Log System 7045
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-12-09
|
Signed Binary Proxy Execution InstallUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-11-12
|
Remcos
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Collection
Credential Access
Defense Evasion
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-09-23
|
FIN7
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-09-14
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Evasion
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-09-08
|
BlackMatter Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Credential Access
Discovery
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-09-06
|
PetitPotam NTLM Relay on Active Directory Certificate Services
|
Windows Event Log Security 4768, Windows Event Log Security 5145
|
Credential Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-08-31
|
ProxyShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688, Windows IIS
|
Execution
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-08-24
|
Active Directory Discovery
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4662, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7045
|
Collection
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-08-20
|
IcedID
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5140, Windows Event Log Security 5145, Windows Event Log TaskScheduler 200
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-07-29
|
PrintNightmare CVE-2021-34527
|
CrowdStrike ProcessRollup2, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Sysmon EventID 7, Windows Event Log Printservice 316, Windows Event Log Printservice 808, Windows Event Log Security 4688
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-07-01
|
Meterpreter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-06-08
|
Revil Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Defense Evasion
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-06-04
|
DarkSide Ransomware
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688
|
Command And Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-05-12
|
XMRig
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 15, Sysmon EventID 1, Sysmon EventID 6, Windows Event Log Security 4688, Windows Event Log Security 4798
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Impact
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-05-07
|
Masquerading - Rename System Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-04-26
|
Trickbot
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 5145
|
Defense Evasion
Discovery
Execution
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-04-20
|
Active Directory Password Spraying
|
Azure Active Directory Sign-in activity, Windows Event Log Security 4625, Windows Event Log Security 4648, Windows Event Log Security 4768, Windows Event Log Security 4771, Windows Event Log Security 4776
|
Credential Access
Defense Evasion
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-04-07
|
BITS Jobs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-26
|
Domain Trust Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Discovery
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-25
|
Deobfuscate-Decode Files or Information
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-24
|
Ingress Tool Transfer
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon for Linux EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Credential Access
Defense Evasion
Execution
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-24
|
Clop Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 23, Sysmon EventID 5, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log System 7045
|
Defense Evasion
Execution
Impact
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-17
|
Windows Discovery Techniques
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Discovery
|
Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-04
|
HAFNIUM Group
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Collection
Command And Control
Credential Access
Execution
Initial Access
Lateral Movement
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-03-03
|
Silver Sparrow
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Collection
Command And Control
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-02-24
|
Cobalt Strike
|
CrowdStrike ProcessRollup2, Sysmon EventID 17, Sysmon EventID 18, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Collection
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-02-16
|
Suspicious Compiled HTML Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-02-11
|
Suspicious Rundll32 Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 3, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-02-03
|
Suspicious Regsvr32 Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-29
|
Baron Samedit CVE-2021-3156
|
|
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-27
|
Trusted Developer Utilities Proxy Execution MSBuild
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-21
|
Suspicious MSHTA Activity
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-20
|
Trusted Developer Utilities Proxy Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2021-01-12
|
NOBELIUM Group
|
Azure Active Directory Add app role assignment to service principal, Azure Active Directory Add member to role, Azure Active Directory Add owner to application, Azure Active Directory Add service principal, Azure Active Directory Consent to application, Azure Active Directory Sign-in activity, Azure Active Directory Update application, Azure Active Directory, CrowdStrike ProcessRollup2, O365 Add owner to application., O365 Add service principal., O365 Consent to application., O365 MailItemsAccessed, O365 Update application., O365 UserLoginFailed, O365, Palo Alto Network Traffic, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log System 7036
|
Collection
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-12-14
|
Ryuk Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4698
|
Defense Evasion
Discovery
Execution
Impact
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-11-06
|
Ransomware Cloud
|
AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy, AWS CloudTrail
|
Execution
Impact
|
Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-10-27
|
Detect Zerologon Attack
|
Sysmon EventID 10, Sysmon EventID 7, Windows Event Log Security 4624, Windows Event Log Security 4742
|
Credential Access
Initial Access
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-09-18
|
F5 TMUI RCE CVE-2020-5902
|
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-08-02
|
Windows DNS SIGRed CVE-2020-1350
|
|
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-07-28
|
Suspicious Zoom Child Processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-04-13
|
Windows Privilege Escalation
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Windows Event Log Security 4688, Windows Event Log Security 4769
|
Credential Access
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
DNS Hijacking
|
Sysmon EventID 22
|
Command And Control
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Credential Dumping
|
CrowdStrike ProcessRollup2, Linux Secure, Powershell Script Block Logging 4104, Sysmon EventID 10, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 7, Sysmon EventID 8, Windows Event Log Security 4624, Windows Event Log Security 4662, Windows Event Log Security 4663, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Execution
Initial Access
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Ransomware
|
CrowdStrike ProcessRollup2, Palo Alto Network Threat, Palo Alto Network Traffic, Powershell Script Block Logging 4104, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Security 1100, Windows Event Log Security 1102, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log System 7036
|
Collection
Command And Control
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Unusual Processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Initial Access
Persistence
Privilege Escalation
Reconnaissance
Resource Development
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-04
|
Suspicious Command-Line Executions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Execution
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-02-03
|
Suspicious Emails
|
|
Collection
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-27
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688
|
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
Hidden Cobra Malware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command And Control
Defense Evasion
Execution
Exfiltration
Lateral Movement
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
DHS Report TA18-074A
|
CrowdStrike ProcessRollup2, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log Security 4720, Windows Event Log Security 4732
|
Command And Control
Defense Evasion
Execution
Lateral Movement
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
Orangeworm Attack Group
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2020-01-22
|
Spearphishing Attachments
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Sysmon EventID 22, Sysmon EventID 7, Windows Event Log Microsoft Windows TerminalServices RDPClient 1024, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Execution
Initial Access
Lateral Movement
Persistence
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2019-04-29
|
ColdRoot MacOS RAT
|
Sysmon EventID 1
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2019-01-09
|
SamSam Ransomware
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 1, Windows Event Log Security 4688
|
Credential Access
Defense Evasion
Discovery
Execution
Impact
Initial Access
Lateral Movement
Persistence
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-12-13
|
Apache Struts Vulnerability
|
Sysmon EventID 1
|
Discovery
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-12-06
|
Suspicious WMI Use
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 1, Sysmon EventID 20, Sysmon EventID 21, Windows Event Log Security 4688
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-10-23
|
Windows Persistence Techniques
|
CrowdStrike ProcessRollup2, Sysmon EventID 11, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Application 3000, Windows Event Log Security 4688, Windows Event Log Security 4698, Windows Event Log Security 4738, Windows Event Log Security 4742, Windows Event Log TaskScheduler 200
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-05-31
|
Suspicious Windows Registry Activities
|
Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-05-31
|
Windows File Extension and Association Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2018-01-26
|
Brand Monitoring
|
|
N/A
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-12-19
|
Windows Service Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7036
|
Defense Evasion
Execution
Persistence
Privilege Escalation
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-11-02
|
SQL Injection
|
|
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-19
|
Suspicious DNS Traffic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 22, Windows Event Log Security 4688
|
Command And Control
Exfiltration
Initial Access
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-18
|
JBoss Vulnerability
|
|
Discovery
Initial Access
Persistence
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-14
|
Host Redirection
|
Sysmon EventID 11
|
Command And Control
Exfiltration
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-09-14
|
Malicious PowerShell
|
CrowdStrike ProcessRollup2, Powershell Script Block Logging 4104, Sysmon EventID 12, Sysmon EventID 13, Sysmon EventID 1, Windows Event Log Security 4688, Windows Event Log System 7045
|
Command And Control
Credential Access
Defense Evasion
Discovery
Execution
Lateral Movement
Persistence
Privilege Escalation
Reconnaissance
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-08-23
|
Netsh Abuse
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
Defense Evasion
Discovery
Execution
Impact
|
Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
|
2017-01-05
|