Analytic Stories

| Name | Technique | Tactic |
|---|---|---|
| AWS Credential Access | Unused/Unsupported Cloud Regions | Defense Evasion |
| AWS Cross Account Activity | Use Alternate Authentication Material | Defense Evasion |
| AWS Defense Evasion | Impair Defenses, Disable Cloud Logs | Defense Evasion |
| AWS IAM Privilege Escalation | Cloud Account, Create Account | Persistence |
| AWS Network ACL Activity | Disable or Modify Cloud Firewall | Defense Evasion |
| AWS Security Hub Alerts | None | None |
| AWS User Monitoring | Cloud Accounts | Defense Evasion |
| AcidRain | Data Destruction, File Deletion, Indicator Removal on Host | Impact |
| Active Directory Discovery | Permission Groups Discovery, Local Groups | Discovery |
| Active Directory Kerberos Attacks | Remote System Discovery | Discovery |
| Active Directory Lateral Movement | Remote Services, Windows Remote Management | Lateral Movement |
| Active Directory Password Spraying | Password Spraying, Brute Force | Credential Access |
| AgentTesla | Spearphishing Attachment, Phishing | Initial Access |
| Apache Struts Vulnerability | System Information Discovery | Discovery |
| Asset Tracking | None | None |
| Atlassian Confluence Server and Data Center CVE-2022-26134 | Exploit Public-Facing Application | Initial Access |
| Azorult | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Azure Active Directory Account Takeover | Brute Force, Password Spraying | Credential Access |
| Azure Active Directory Persistence | Valid Accounts, Cloud Accounts | Defense Evasion |
| BITS Jobs | BITS Jobs, Ingress Tool Transfer | Defense Evasion |
| Baron Samedit CVE-2021-3156 | Exploitation for Privilege Escalation | Privilege Escalation |
| BlackMatter Ransomware | Data Encrypted for Impact | Impact |
| Brand Monitoring | None | None |
| Brute Ratel C4 | Service Stop | Impact |
| CISA AA22-257A | Protocol Tunneling, SSH | Command And Control |
| Caddy Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Clop Ransomware | System Services, Service Execution | Execution |
| Cloud Cryptomining | Unused/Unsupported Cloud Regions | Defense Evasion |
| Cloud Federated Credential Abuse | Image File Execution Options Injection, Event Triggered Execution | Privilege Escalation |
| Cobalt Strike | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Defense Evasion |
| ColdRoot MacOS RAT | None | None |
| Collection and Staging | Masquerading | Defense Evasion |
| Command and Control | Remote Access Software | Command And Control |
| Credential Dumping | NTDS, OS Credential Dumping | Credential Access |
| CyclopsBLink | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| DHS Report TA18-074A | Modify Registry | Defense Evasion |
| DNS Amplification Attacks | Network Denial of Service, Reflection Amplification | Impact |
| DNS Hijacking | Drive-by Compromise | Initial Access |
| DarkCrystal RAT | Phishing, Spearphishing Attachment | Initial Access |
| DarkSide Ransomware | LSASS Memory, OS Credential Dumping | Credential Access |
| Data Destruction | Disk Structure Wipe, Disk Wipe | Impact |
| Data Exfiltration | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Exfiltration |
| Data Protection | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| Deobfuscate-Decode Files or Information | Deobfuscate/Decode Files or Information | Defense Evasion |
| Detect Zerologon Attack | LSASS Memory, OS Credential Dumping | Credential Access |
| Dev Sec Ops | Cloud Service Discovery | Discovery |
| Disabling Security Tools | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Domain Trust Discovery | Remote System Discovery | Discovery |
| Double Zero Destructor | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Dynamic DNS | Exfiltration Over Alternative Protocol | Exfiltration |
| Emotet Malware DHS Report TA18-201A | Spearphishing Attachment, Phishing | Initial Access |
| F5 BIG-IP Vulnerability CVE-2022-1388 | Exploit Public-Facing Application | Initial Access |
| F5 TMUI RCE CVE-2020-5902 | Exploit Public-Facing Application | Initial Access |
| FIN7 | XSL Script Processing | Defense Evasion |
| GCP Cross Account Activity | Valid Accounts | Defense Evasion |
| HAFNIUM Group | Automated Exfiltration | Exfiltration |
| Hermetic Wiper | Disk Structure Wipe, Disk Wipe | Impact |
| Hidden Cobra Malware | SMB/Windows Admin Shares, Remote Services | Lateral Movement |
| IcedID | Disable or Modify Tools, Impair Defenses | Defense Evasion |
| Industroyer2 | Domain Account, Account Discovery | Discovery |
| Information Sabotage | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Ingress Tool Transfer | Automated Exfiltration | Exfiltration |
| Insider Threat | Password Spraying, Brute Force | Credential Access |
| JBoss Vulnerability | System Information Discovery | Discovery |
| Kubernetes Scanning Activity | Cloud Service Discovery | Discovery |
| Kubernetes Sensitive Object Access Activity | None | None |
| Linux Living Off The Land | Ingress Tool Transfer | Command And Control |
| Linux Persistence Techniques | Sudo and Sudo Caching, Abuse Elevation Control Mechanism | Privilege Escalation |
| Linux Post-Exploitation | Unix Shell | Execution |
| Linux Privilege Escalation | Exploitation for Privilege Escalation | Privilege Escalation |
| Linux Rootkit | System Information Discovery, Rootkit | Discovery |
| Living Off The Land | Bypass User Account Control, Abuse Elevation Control Mechanism | Privilege Escalation |
| Local Privilege Escalation With KrbRelayUp | Windows Service | Persistence |
| Log4Shell CVE-2021-44228 | Automated Exfiltration | Exfiltration |
| Malicious PowerShell | Automated Exfiltration | Exfiltration |
| Masquerading - Rename System Utilities | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Meterpreter | Command and Scripting Interpreter | Execution |
| Microsoft MSHTML Remote Code Execution CVE-2021-40444 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 | Phishing, Spearphishing Attachment | Initial Access |
| Monitor for Updates | None | None |
| NOBELIUM Group | System Binary Proxy Execution, Mshta | Defense Evasion |
| Netsh Abuse | Disable or Modify System Firewall, Impair Defenses | Defense Evasion |
| Network Discovery | System Network Configuration Discovery | Discovery |
| Office 365 Detections | Email Forwarding Rule, Email Collection | Collection |
| Orangeworm Attack Group | Windows Service, Create or Modify System Process | Persistence |
| PetitPotam NTLM Relay on Active Directory Certificate Services | OS Credential Dumping | Credential Access |
| Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | Automated Exfiltration | Exfiltration |
| PrintNightmare CVE-2021-34527 | System Binary Proxy Execution, Rundll32 | Defense Evasion |
| Prohibited Traffic Allowed or Protocol Mismatch | Application Layer Protocol, Web Protocols | Command And Control |
| ProxyShell | Server Software Component, Web Shell | Persistence |
| Ransomware | Remote Access Software | Command And Control |
| Ransomware Cloud | Data Encrypted for Impact | Impact |
| Remcos | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Revil Ransomware | System Binary Proxy Execution, CMSTP | Defense Evasion |
| Router and Infrastructure Security | Hardware Additions, Automated Exfiltration, Network Denial of Service, Traffic Duplication | Initial Access |
| Ryuk Ransomware | Windows Command Shell | Execution |
| SQL Injection | Exploit Public-Facing Application | Initial Access |
| SamSam Ransomware | Data Encrypted for Impact | Impact |
| Signed Binary Proxy Execution InstallUtil | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | Defense Evasion |
| Silver Sparrow | Data Staged | Collection |
| Spearphishing Attachments | Phishing, Spearphishing Attachment | Initial Access |
| Splunk Vulnerabilities | Digital Certificates | Resource Development |
| Spring4Shell CVE-2022-22965 | Exploit Public-Facing Application | Initial Access |
| Suspicious AWS Login Activities | Cloud Accounts | Defense Evasion |
| Suspicious AWS S3 Activities | Data from Cloud Storage Object | Collection |
| Suspicious AWS Traffic | None | None |
| Suspicious Cloud Authentication Activities | Unused/Unsupported Cloud Regions | Defense Evasion |
| Suspicious Cloud Instance Activities | Transfer Data to Cloud Account | Exfiltration |
| Suspicious Cloud Provisioning Activities | Valid Accounts | Defense Evasion |
| Suspicious Cloud User Activities | Valid Accounts | Defense Evasion |
| Suspicious Command-Line Executions | Masquerading, Rename System Utilities | Defense Evasion |
| Suspicious Compiled HTML Activity | Compiled HTML File, System Binary Proxy Execution | Defense Evasion |
| Suspicious DNS Traffic | Exfiltration Over Alternative Protocol | Exfiltration |
| Suspicious Emails | Spearphishing Attachment, Phishing | Initial Access |
| Suspicious GCP Storage Activities | Data from Cloud Storage Object | Collection |
| Suspicious MSHTA Activity | System Binary Proxy Execution, Mshta | Defense Evasion |
| Suspicious Okta Activity | Valid Accounts, Default Accounts | Defense Evasion |
| Suspicious Regsvcs Regasm Activity | System Binary Proxy Execution, Regsvcs/Regasm | Defense Evasion |
| Suspicious Regsvr32 Activity | System Binary Proxy Execution, Regsvr32 | Defense Evasion |
| Suspicious Rundll32 Activity | NTDS, OS Credential Dumping | Credential Access |
| Suspicious WMI Use | XSL Script Processing | Defense Evasion |
| Suspicious Windows Registry Activities | Services Registry Permissions Weakness | Persistence |
| Suspicious Zoom Child Processes | Exploitation for Privilege Escalation | Privilege Escalation |
| Trickbot | Command and Scripting Interpreter | Execution |
| Trusted Developer Utilities Proxy Execution | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| Trusted Developer Utilities Proxy Execution MSBuild | Trusted Developer Utilities Proxy Execution, MSBuild | Defense Evasion |
| Unusual Processes | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Use of Cleartext Protocols | None | None |
| VMware Server Side Injection and Privilege Escalation | Exploit Public-Facing Application | Initial Access |
| WhisperGate | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | Defense Evasion |
| Windows DNS SIGRed CVE-2020-1350 | Exploitation for Client Execution | Execution |
| Windows Defense Evasion Tactics | Bypass User Account Control, Abuse Elevation Control Mechanism | Privilege Escalation |
| Windows Discovery Techniques | Permission Groups Discovery, Local Groups | Discovery |
| Windows Drivers | Exploitation for Privilege Escalation | Privilege Escalation |
| Windows File Extension and Association Abuse | Change Default File Association | Privilege Escalation |
| Windows Log Manipulation | Indicator Removal on Host, Clear Windows Event Logs | Defense Evasion |
| Windows Persistence Techniques | Services Registry Permissions Weakness | Persistence |
| Windows Privilege Escalation | Malicious File | Execution |
| Windows Registry Abuse | Services Registry Permissions Weakness | Persistence |
| Windows Service Abuse | Windows Service, Create or Modify System Process | Persistence |
| Windows System Binary Proxy Execution MSIExec | Msiexec | Defense Evasion |
| XMRig | Windows Service, Create or Modify System Process | Persistence |
| sAMAccountName Spoofing and Domain Controller Impersonation | Valid Accounts, Domain Accounts | Defense Evasion |

AWS IAM Privilege Escalation

This analytic story contains detections that query your AWS CloudTrail logs for activities related to privilege escalation.
