| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Linux Auditd Add User Account | Linux Auditd Proctitle | T1136.001, T1136 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Add User Account Type | Linux Auditd Add User | T1136, T1136.001 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd At Application Execution | Linux Auditd Syscall | T1053.002, T1053 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-04 |
| Linux Auditd Auditd Service Stop | Linux Auditd Service Stop | T1489 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Base64 Decode Files | Linux Auditd Execve | T1140 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Change File Owner To Root | Linux Auditd Proctitle | T1222.002, T1222 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Clipboard Data Copy | Linux Auditd Execve | T1115 | Anomaly | Compromised Linux Host, Linux Living Off The Land | 2024-09-04 |
| Linux Auditd Data Destruction Command | Linux Auditd Execve | T1485 | TTP | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-04 |
| Linux Auditd Data Transfer Size Limits Via Split | Linux Auditd Execve | T1030 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Data Transfer Size Limits Via Split Syscall | Linux Auditd Syscall | T1030 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Database File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Dd File Overwrite | Linux Auditd Proctitle | T1485 | TTP | Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-04 |
| Linux Auditd Disable Or Modify System Firewall | Linux Auditd Service Stop | T1562.004, T1562 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Doas Conf File Creation | Linux Auditd Path | T1548.003, T1548 | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Doas Tool Execution | Linux Auditd Syscall | T1548.003, T1548 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Edit Cron Table Parameter | Linux Auditd Syscall | T1053.003, T1053 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-04 |
| Linux Auditd File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd File Permission Modification Via Chmod | Linux Auditd Proctitle | T1222.002, T1222 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd File Permissions Modification Via Chattr | Linux Auditd Execve | T1222.002, T1222 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Find Credentials From Password Managers | Linux Auditd Execve | T1555.005, T1555 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Find Credentials From Password Stores | Linux Auditd Execve | T1555.005, T1555 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Find Private Keys | Linux Auditd Execve | T1552.004, T1552 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Find Ssh Private Keys | Linux Auditd Execve | T1552.004, T1552 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Hardware Addition Swapoff | Linux Auditd Execve | T1200 | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction | 2024-09-04 |
| Linux Auditd Hidden Files And Directories Creation | Linux Auditd Execve | T1083 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Insert Kernel Module Using Insmod Utility | Linux Auditd Syscall | T1547.006, T1547 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-04 |
| Linux Auditd Install Kernel Module Using Modprobe Utility | Linux Auditd Syscall | T1547.006, T1547 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-09-04 |
| Linux Auditd Kernel Module Enumeration | Linux Auditd Syscall | T1082, T1014 | Anomaly | Compromised Linux Host, Linux Rootkit | 2024-09-04 |
| Linux Auditd Kernel Module Using Rmmod Utility | Linux Auditd Syscall | T1547.006, T1547 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Nopasswd Entry In Sudoers File | Linux Auditd Proctitle | T1548.003, T1548 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Osquery Service Stop | Linux Auditd Service Stop | T1489 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Possible Access Or Modification Of Sshd Config File | Linux Auditd Path | T1098.004, T1098 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Possible Access To Credential Files | Linux Auditd Proctitle | T1003.008, T1003 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Possible Access To Sudoers File | Linux Auditd Path | T1548.003, T1548 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File | Linux Auditd Path | T1053.003, T1053 | Hunting | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-04 |
| Linux Auditd Preload Hijack Library Calls | Linux Auditd Execve | T1574.006, T1574 | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Preload Hijack Via Preload File | Linux Auditd Path | T1574.006, T1574 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Service Restarted | Linux Auditd Proctitle | T1053.006, T1053 | Anomaly | AwfulShred, Compromised Linux Host, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-09-04 |
| Linux Auditd Service Started | Linux Auditd Proctitle | T1569.002, T1569 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Setuid Using Chmod Utility | Linux Auditd Proctitle | T1548.001, T1548 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Setuid Using Setcap Utility | Linux Auditd Execve | T1548.001, T1548 | TTP | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Shred Overwrite Command | Linux Auditd Proctitle | T1485 | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Stop Services | Linux Auditd Service Stop | T1489 | TTP | AwfulShred, Compromised Linux Host, Data Destruction, Industroyer2 | 2024-09-04 |
| Linux Auditd Sudo Or Su Execution | Linux Auditd Proctitle | T1548.003, T1548 | Anomaly | Compromised Linux Host, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Sysmon Service Stop | Linux Auditd Service Stop | T1489 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd System Network Configuration Discovery | Linux Auditd Syscall | T1016 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Unix Shell Configuration Modification | Linux Auditd Path | T1546.004, T1546 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Unload Module Via Modprobe | Linux Auditd Execve | T1547.006, T1547 | TTP | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Virtual Disk File And Directory Discovery | Linux Auditd Execve | T1083 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Linux Auditd Whoami User Discovery | Linux Auditd Syscall | T1033 | Anomaly | Compromised Linux Host, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-09-04 |
| Windows DISM Install PowerShell Web Access | | T1548.002 | TTP | CISA AA24-241A | 2024-09-03 |
| Windows Enable PowerShell Web Access | | T1059.001 | TTP | CISA AA24-241A, Malicious PowerShell | 2024-09-03 |
| Ivanti VTM New Account Creation | Ivanti VTM Audit | T1190 | TTP | Ivanti Virtual Traffic Manager CVE-2024-7593 | 2024-08-19 |
| AWS SAML Update identity provider | AWS CloudTrail UpdateSAMLProvider | T1078 | TTP | Cloud Federated Credential Abuse | 2024-08-19 |
| Detect new API calls from user roles | | T1078.004 | Anomaly | AWS User Monitoring | 2024-08-19 |
| Dump LSASS via procdump Rename | Sysmon EventID 1 | T1003.001 | Hunting | CISA AA22-257A, Credential Dumping, HAFNIUM Group | 2024-08-19 |
| GCP Detect accounts with high risk roles by project | | T1078 | Hunting | GCP Cross Account Activity | 2024-08-19 |
| Cobalt Strike Named Pipes | Sysmon EventID 17, Sysmon EventID 18 | T1055 | TTP | BlackByte Ransomware, Cobalt Strike, DarkSide Ransomware, Gozi Malware, Graceful Wipe Out Attack, LockBit Ransomware, Trickbot | 2024-08-19 |
| Detect mshta renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.005 | Hunting | Living Off The Land, Suspicious MSHTA Activity | 2024-08-19 |
| Detect Renamed 7-Zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001, T1560 | Hunting | Collection and Staging | 2024-08-19 |
| Detect Renamed PSExec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1569, T1569.002 | Hunting | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools | 2024-08-19 |
| Detect Renamed RClone | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 | Hunting | DarkSide Ransomware, Ransomware | 2024-08-19 |
| Detect Renamed WinRAR | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001, T1560 | Hunting | CISA AA22-277A, Collection and Staging | 2024-08-19 |
| First Time Seen Child Process of Zoom | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068 | Anomaly | Suspicious Zoom Child Processes | 2024-08-19 |
| Randomly Generated Windows Service Name | Windows Event Log System 7045 | T1543, T1543.003 | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-08-19 |
| ServicePrincipalNames Discovery with SetSPN | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558.003 | TTP | Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2024-08-19 |
| Windows Default Group Policy Object Modified with GPME | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1484, T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-08-19 |
| Windows Ingress Tool Transfer Using Explorer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | Anomaly | DarkCrystal RAT | 2024-08-19 |
| Detect Windows DNS SIGRed via Zeek | | T1203 | TTP | Windows DNS SIGRed CVE-2020-1350 | 2024-08-19 |
| Abnormally High Number Of Cloud Infrastructure API Calls | AWS CloudTrail | T1078.004, T1078 | Anomaly | Compromised User Account, Suspicious Cloud User Activities | 2024-08-16 |
| Abnormally High Number Of Cloud Security Group API Calls | AWS CloudTrail | T1078.004, T1078 | Anomaly | Suspicious Cloud User Activities | 2024-08-16 |
| Cloud Instance Modified By Previously Unseen User | AWS CloudTrail | T1078.004, T1078 | Anomaly | Suspicious Cloud Instance Activities | 2024-08-16 |
| ASL AWS Excessive Security Scanning | | T1526 | Anomaly | AWS User Monitoring | 2024-08-16 |
| AWS Cloud Provisioning From Previously Unseen City | | T1535 | Anomaly | AWS Suspicious Provisioning Activities | 2024-08-16 |
| Detect DNS requests to Phishing Sites leveraging EvilGinx2 | | T1566.003 | TTP | Common Phishing Frameworks | 2024-08-16 |
| Detect Spike in Security Group Activity | | T1078.004 | Anomaly | AWS User Monitoring | 2024-08-16 |
| DNS Query Requests Resolved by Unauthorized DNS Servers | | T1071.004 | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-08-16 |
| EC2 Instance Modified With Previously Unseen User | | T1078.004 | Anomaly | Unusual AWS EC2 Modifications | 2024-08-16 |
| EC2 Instance Started In Previously Unseen Region | | T1535 | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-16 |
| EC2 Instance Started With Previously Unseen Instance Type | | | Anomaly | AWS Cryptomining | 2024-08-16 |
| EC2 Instance Started With Previously Unseen User | | T1078.004 | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-16 |
| Execution of File With Spaces Before Extension | Sysmon EventID 1 | T1036.003 | TTP | Masquerading - Rename System Utilities, Windows File Extension and Association Abuse | 2024-08-16 |
| GCP Detect high risk permissions by resource and account | | T1078 | Hunting | GCP Cross Account Activity | 2024-08-16 |
| Identify New User Accounts | | T1078.002 | Hunting | N/A | 2024-08-16 |
| Kubernetes AWS detect most active service accounts by pod | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-16 |
| Kubernetes AWS detect service accounts forbidden failure access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-16 |
| Kubernetes GCP detect most active service accounts by pod | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-16 |
| Kubernetes GCP detect service accounts forbidden failure access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-16 |
| Kubernetes GCP detect suspicious kubectl calls | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-16 |
| Monitor DNS For Brand Abuse | | | TTP | Brand Monitoring | 2024-08-16 |
| Okta ThreatInsight Login Failure with High Unknown users | | T1078, T1078.001, T1110.004 | TTP | Suspicious Okta Activity | 2024-08-16 |
| Okta ThreatInsight Suspected PasswordSpray Attack | | T1078, T1078.001, T1110.003 | TTP | Suspicious Okta Activity | 2024-08-16 |
| Okta Two or More Rejected Okta Pushes | | T1110 | TTP | Okta MFA Exhaustion, Suspicious Okta Activity | 2024-08-16 |
| Suspicious Changes to File Associations | Sysmon EventID 1 | T1546.001 | TTP | Suspicious Windows Registry Activities, Windows File Extension and Association Abuse | 2024-08-16 |
| Suspicious Email - UBA Anomaly | | T1566 | Anomaly | Suspicious Emails | 2024-08-16 |
| Suspicious File Write | Sysmon EventID 11 | | Hunting | Hidden Cobra Malware | 2024-08-16 |
| Web Fraud - Account Harvesting | | T1136 | TTP | Web Fraud Detection | 2024-08-16 |
| Web Fraud - Anomalous User Clickspeed | | T1078 | Anomaly | Web Fraud Detection | 2024-08-16 |
| Windows hosts file modification | Sysmon EventID 11 | | TTP | Host Redirection | 2024-08-16 |
| Detect Baron Samedit CVE-2021-3156 | | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2024-08-16 |
| Detect Baron Samedit CVE-2021-3156 Segfault | | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2024-08-16 |
| Detect Baron Samedit CVE-2021-3156 via OSQuery | | T1068 | TTP | Baron Samedit CVE-2021-3156 | 2024-08-16 |
| Known Services Killed by Ransomware | Windows Event Log System 7036 | T1490 | TTP | BlackMatter Ransomware, LockBit Ransomware, Ransomware | 2024-08-16 |
| Linux SSH Authorized Keys Modification | Sysmon for Linux EventID 1 | T1098.004 | Anomaly | Linux Living Off The Land | 2024-08-16 |
| Linux SSH Remote Services Script Execute | Sysmon for Linux EventID 1 | T1021.004 | TTP | Linux Living Off The Land | 2024-08-16 |
| Windows Curl Upload to Remote Destination | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Ingress Tool Transfer | 2024-08-16 |
| Windows Service Created Within Public Path | Windows Event Log System 7045 | T1543, T1543.003 | TTP | Active Directory Lateral Movement, Snake Malware | 2024-08-16 |
| Detect Port Security Violation | | T1200, T1498, T1557, T1557.002 | TTP | Router and Infrastructure Security | 2024-08-16 |
| Detect F5 TMUI RCE CVE-2020-5902 | | T1190 | TTP | F5 TMUI RCE CVE-2020-5902 | 2024-08-16 |
| JetBrains TeamCity RCE Attempt | Suricata | T1190 | TTP | CISA AA23-347A, JetBrains TeamCity Unauthenticated RCE, JetBrains TeamCity Vulnerabilities | 2024-08-16 |
| WS FTP Remote Code Execution | Suricata | T1190 | TTP | WS FTP Server Critical Vulnerabilities | 2024-08-16 |
| Abnormally High AWS Instances Launched by User | | T1078.004 | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Launched by User - MLTK | | T1078.004 | Anomaly | AWS Cryptomining, Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Terminated by User | | T1078.004 | Anomaly | Suspicious AWS EC2 Activities | 2024-08-15 |
| Abnormally High AWS Instances Terminated by User - MLTK | | T1078.004 | Anomaly | Suspicious AWS EC2 Activities | 2024-08-15 |
| AWS Cloud Provisioning From Previously Unseen Country | | T1535 | Anomaly | AWS Suspicious Provisioning Activities | 2024-08-15 |
| AWS Cloud Provisioning From Previously Unseen IP Address | | | Anomaly | AWS Suspicious Provisioning Activities | 2024-08-15 |
| AWS Cloud Provisioning From Previously Unseen Region | | T1535 | Anomaly | AWS Suspicious Provisioning Activities | 2024-08-15 |
| AWS EKS Kubernetes cluster sensitive object access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-15 |
| Clients Connecting to Multiple DNS Servers | | T1048.003 | TTP | Command And Control, DNS Hijacking, Host Redirection, Suspicious DNS Traffic | 2024-08-15 |
| Cloud Network Access Control List Deleted | | | Anomaly | AWS Network ACL Activity | 2024-08-15 |
| Detect Activity Related to Pass the Hash Attacks | Windows Event Log Security 4624 | T1550, T1550.002 | Hunting | Active Directory Lateral Movement, BlackSuit Ransomware | 2024-08-15 |
| Detect API activity from users without MFA | | | Hunting | AWS User Monitoring | 2024-08-15 |
| Detect AWS API Activities From Unapproved Accounts | | T1078.004 | Hunting | AWS User Monitoring | 2024-08-15 |
| Detect Long DNS TXT Record Response | | T1048.003 | TTP | Command And Control, Suspicious DNS Traffic | 2024-08-15 |
| Detect Mimikatz Via PowerShell And EventCode 4703 | | T1003.001 | TTP | Cloud Federated Credential Abuse | 2024-08-15 |
| Detect new user AWS Console Login | | T1078.004 | Hunting | Suspicious AWS Login Activities | 2024-08-15 |
| Detect Spike in AWS API Activity | | T1078.004 | Anomaly | AWS User Monitoring | 2024-08-15 |
| Detect Spike in Network ACL Activity | | T1562.007 | Anomaly | AWS Network ACL Activity | 2024-08-15 |
| Detect USB device insertion | | | TTP | Data Protection | 2024-08-15 |
| Detect web traffic to dynamic domain providers | | T1071.001 | TTP | Dynamic DNS | 2024-08-15 |
| Detection of DNS Tunnels | | T1048.003 | TTP | Command And Control, Data Protection, Suspicious DNS Traffic | 2024-08-15 |
| DNS record changed | | T1071.004 | TTP | DNS Hijacking | 2024-08-15 |
| EC2 Instance Started With Previously Unseen AMI | | | Anomaly | AWS Cryptomining | 2024-08-15 |
| Extended Period Without Successful Netbackup Backups | | | Hunting | Monitor Backup Solution | 2024-08-15 |
| First time seen command line argument | Sysmon EventID 1 | T1059.001, T1059.003 | Hunting | DHS Report TA18-074A, Hidden Cobra Malware, Orangeworm Attack Group, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Suspicious Command-Line Executions | 2024-08-15 |
| gcp detect oauth token abuse | | T1078 | Hunting | GCP Cross Account Activity | 2024-08-15 |
| GCP Kubernetes cluster scan detection | | T1526 | TTP | Kubernetes Scanning Activity | 2024-08-15 |
| Kubernetes AWS detect RBAC authorization by account | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes AWS detect sensitive role access | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes Azure active service accounts by pod namespace | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes Azure detect RBAC authorization by account | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes Azure detect sensitive object access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-15 |
| Kubernetes Azure detect sensitive role access | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes Azure detect service accounts forbidden failure access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-15 |
| Kubernetes Azure detect suspicious kubectl calls | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-15 |
| Kubernetes Azure pod scan fingerprint | | | Hunting | Kubernetes Scanning Activity | 2024-08-15 |
| Kubernetes Azure scan fingerprint | | T1526 | Hunting | Kubernetes Scanning Activity | 2024-08-15 |
| Kubernetes GCP detect RBAC authorizations by account | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| Kubernetes GCP detect sensitive object access | | | Hunting | Kubernetes Sensitive Object Access Activity | 2024-08-15 |
| Kubernetes GCP detect sensitive role access | | | Hunting | Kubernetes Sensitive Role Activity | 2024-08-15 |
| O365 Suspicious User Email Forwarding | | T1114.003, T1114 | Anomaly | Data Exfiltration, Office 365 Collection Techniques | 2024-08-15 |
| Osquery pack - ColdRoot detection | | | TTP | ColdRoot MacOS RAT | 2024-08-15 |
| Processes created by netsh | Sysmon EventID 1 | T1562.004 | TTP | Netsh Abuse | 2024-08-15 |
| Prohibited Software On Endpoint | Sysmon EventID 1 | | Hunting | Emotet Malware DHS Report TA18-201A, Monitor for Unauthorized Software, SamSam Ransomware | 2024-08-15 |
| Reg exe used to hide files directories via registry keys | Sysmon EventID 1 | T1564.001 | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-08-15 |
| Remote Registry Key modifications | Sysmon EventID 13 | | TTP | Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Persistence Techniques | 2024-08-15 |
| Scheduled tasks used in BadRabbit ransomware | Sysmon EventID 1 | T1053.005 | TTP | Ransomware | 2024-08-15 |
| Spectre and Meltdown Vulnerable Systems | | | TTP | Spectre And Meltdown Vulnerabilities | 2024-08-15 |
| Suspicious Powershell Command-Line Arguments | Sysmon EventID 1 | T1059.001 | TTP | CISA AA22-320A, Hermetic Wiper, Malicious PowerShell | 2024-08-15 |
| Suspicious writes to System Volume Information | Sysmon EventID 1 | T1036 | Hunting | Collection and Staging | 2024-08-15 |
| Uncommon Processes On Endpoint | Sysmon EventID 1 | T1204.002 | Hunting | Hermetic Wiper, Unusual Processes, Windows Privilege Escalation | 2024-08-15 |
| Unsigned Image Loaded by LSASS | Sysmon EventID 7 | T1003.001 | TTP | Credential Dumping | 2024-08-15 |
| Unsuccessful Netbackup backups | | | Hunting | Monitor Backup Solution | 2024-08-15 |
| Web Fraud - Password Sharing Across Accounts | | | Anomaly | Web Fraud Detection | 2024-08-15 |
| Windows connhost exe started forcefully | Sysmon EventID 1 | T1059.003 | TTP | Ryuk Ransomware | 2024-08-15 |
| Account Discovery With Net App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087.002, T1087 | TTP | IcedID, Trickbot | 2024-08-15 |
| Anomalous usage of 7zip | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001, T1560 | Anomaly | BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, NOBELIUM Group | 2024-08-15 |
| Attempt To Add Certificate To Untrusted Store | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1553.004, T1553 | TTP | Disabling Security Tools | 2024-08-15 |
| BITSAdmin Download File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1197, T1105 | TTP | BITS Jobs, DarkSide Ransomware, Flax Typhoon, Gozi Malware, Ingress Tool Transfer, Living Off The Land | 2024-08-15 |
| CertUtil Download With VerifyCtl and Split Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | DarkSide Ransomware, Ingress Tool Transfer, Living Off The Land | 2024-08-15 |
| CertUtil With Decode Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1140 | TTP | APT29 Diplomatic Deceptions with WINELOADER, Deobfuscate-Decode Files or Information, Forest Blizzard, Living Off The Land | 2024-08-15 |
| Clear Unallocated Sector Using Cipher App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1070 | TTP | Ransomware | 2024-08-15 |
| CMD Echo Pipe - Escalation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059, T1059.003, T1543.003, T1543 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-08-15 |
| Conti Common Exec parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204 | TTP | Ransomware | 2024-08-15 |
| Control Loading from World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.002 | TTP | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444 | 2024-08-15 |
| Create or delete windows shares using net exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070, T1070.005 | TTP | CISA AA22-277A, DarkGate Malware, Hidden Cobra Malware, Prestige Ransomware, Windows Post-Exploitation | 2024-08-15 |
| Deleting Of Net Users | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | TTP | DarkGate Malware, Graceful Wipe Out Attack, XMRig | 2024-08-15 |
| Deleting Shadow Copies | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | CISA AA22-264A, Chaos Ransomware, Clop Ransomware, DarkGate Malware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, SamSam Ransomware, Windows Log Manipulation | 2024-08-15 |
| Detect HTML Help Renamed | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.001 | Hunting | Living Off The Land, Suspicious Compiled HTML Activity | 2024-08-15 |
| Detect HTML Help Spawn Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.001 | TTP | AgentTesla, Living Off The Land, Suspicious Compiled HTML Activity | 2024-08-15 |
| Detect HTML Help URL in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.001 | TTP | Living Off The Land, Suspicious Compiled HTML Activity | 2024-08-15 |
| Detect mshta inline hta execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.005 | TTP | Gozi Malware, Living Off The Land, Suspicious MSHTA Activity | 2024-08-15 |
| Detect MSHTA Url in Command Line | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.005 | TTP | Living Off The Land, Suspicious MSHTA Activity | 2024-08-15 |
| Detect Path Interception By Creation Of program exe | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1574.009, T1574 | TTP | Windows Persistence Techniques | 2024-08-15 |
| Detect PsExec With accepteula Flag | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021, T1021.002 | TTP | Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon | 2024-08-15 |
| Detect RClone Command-Line Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1020 | TTP | DarkSide Ransomware, Ransomware | 2024-08-15 |
| Disabling Net User Account | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1531 | TTP | XMRig | 2024-08-15 |
| DNS Exfiltration Using Nslookup App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1048 | TTP | Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-08-15 |
| DSQuery Domain Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1482 | TTP | Active Directory Discovery, Domain Trust Discovery | 2024-08-15 |
| Excessive number of service control start as disabled | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001, T1562 | Anomaly | Windows Defense Evasion Tactics | 2024-08-15 |
| GPUpdate with no Command Line Arguments with Network | Sysmon EventID 1, Sysmon EventID 3 | T1055 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-08-15 |
| Hunting 3CXDesktopApp Software | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1195.002 | Hunting | 3CX Supply Chain Attack | 2024-08-15 |
| Java Class File download by Java User Agent | Splunk Stream HTTP | T1190 | TTP | Log4Shell CVE-2021-44228 | 2024-08-15 |
| Malicious InProcServer32 Modification | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | T1218.010, T1112 | TTP | Remcos, Suspicious Regsvr32 Activity | 2024-08-15 |
| Mimikatz PassTheTicket CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550, T1550.003 | TTP | Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools | 2024-08-15 |
| Office Spawning Control | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments | 2024-08-15 |
| Password Policy Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1201 | Hunting | Active Directory Discovery | 2024-08-15 |
| Process Writing DynamicWrapperX | Sysmon EventID 1, Sysmon EventID 11 | T1059, T1559.001 | Hunting | Remcos | 2024-08-15 |
| Regsvr32 Silent and Install Param Dll Loading | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.010 | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Living Off The Land, Remcos, Suspicious Regsvr32 Activity | 2024-08-15 |
| Rubeus Command Line Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1550, T1550.003, T1558, T1558.003, T1558.004 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A | 2024-08-15 |
| Rundll32 Control RunDLL World Writable Directory | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.011 | TTP | Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity | 2024-08-15 |
| Suspicious Reg exe Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1112 | Anomaly | DHS Report TA18-074A, Disabling Security Tools, Windows Defense Evasion Tactics | 2024-08-15 |
| Wget Download and Bash Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Ingress Tool Transfer, Log4Shell CVE-2021-44228 | 2024-08-15 |
| Windows Access Token Manipulation Winlogon Duplicate Token Handle | Sysmon EventID 10 | T1134.001, T1134 | Hunting | Brute Ratel C4 | 2024-08-15 |
| Windows Access Token Winlogon Duplicate Handle In Uncommon Path | Sysmon EventID 10 | T1134.001, T1134 | Anomaly | Brute Ratel C4 | 2024-08-15 |
| Windows Binary Proxy Execution Mavinject DLL Injection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.013 | | | |
T1218
|
TTP
|
Living Off The Land
|
2024-08-15
|
Windows COM Hijacking InprocServer32 Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.015
T1546
|
TTP
|
Living Off The Land
|
2024-08-15
|
Windows Curl Download to Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Forest Blizzard, IcedID, Ingress Tool Transfer
|
2024-08-15
|
Windows Defender ASR Block Events
|
Windows Event Log Defender 1121, Windows Event Log Defender 1129
|
T1059
T1566.001
T1566.002
|
Anomaly
|
Windows Attack Surface Reduction
|
2024-08-15
|
Windows Defender ASR Rule Disabled
|
Windows Event Log Defender 5007
|
T1112
|
TTP
|
Windows Attack Surface Reduction
|
2024-08-15
|
Windows Defender ASR Rules Stacking
|
Windows Event Log Defender 1121, Windows Event Log Defender 1122, Windows Event Log Defender 1129, Windows Event Log Defender 5007
|
T1566.001
T1566.002
T1059
|
Hunting
|
Windows Attack Surface Reduction
|
2024-08-15
|
Windows DiskCryptor Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1486
|
Hunting
|
Ransomware
|
2024-08-15
|
Windows DLL Search Order Hijacking with iscsicpl
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-08-15
|
Windows Execute Arbitrary Commands with MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
|
2024-08-15
|
Windows Java Spawning Shells
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
T1133
|
TTP
|
Log4Shell CVE-2021-44228, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-15
|
Windows Lateral Tool Transfer RemCom
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1570
|
TTP
|
Active Directory Discovery
|
2024-08-15
|
Windows Ldifde Directory Object Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
T1069.002
|
TTP
|
Volt Typhoon
|
2024-08-15
|
Windows Mimikatz Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003
|
TTP
|
CISA AA22-320A, CISA AA23-347A, Credential Dumping, Flax Typhoon, Sandworm Tools, Volt Typhoon
|
2024-08-15
|
Windows MOF Event Triggered Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.003
|
TTP
|
Living Off The Land
|
2024-08-15
|
Windows Ngrok Reverse Proxy Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1572
T1090
T1102
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2024-08-15
|
Windows NirSoft AdvancedRun
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1588.002
|
TTP
|
Data Destruction, Ransomware, Unusual Processes, WhisperGate
|
2024-08-15
|
Windows NirSoft Utilities
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1588.002
|
Hunting
|
Data Destruction, WhisperGate
|
2024-08-15
|
Windows Non-System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
T1003
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2024-08-15
|
Windows Odbcconf Load Response File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2024-08-15
|
Windows PaperCut NG Spawn Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1190
T1133
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-08-15
|
Windows Privileged Group Modification
|
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-08-15
|
Windows Raccine Scheduled Task Deletion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
|
TTP
|
Ransomware
|
2024-08-15
|
Windows Rasautou DLL Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055.001
T1218
T1055
|
TTP
|
Windows Defense Evasion Tactics
|
2024-08-15
|
Windows Remote Create Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1543.003
|
Anomaly
|
Active Directory Lateral Movement, BlackSuit Ransomware, CISA AA23-347A
|
2024-08-15
|
Windows Rundll32 WebDAV Request
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-08-15
|
Windows Rundll32 WebDav With Network Connection
|
|
T1048.003
|
TTP
|
CVE-2023-23397 Outlook Elevation of Privilege
|
2024-08-15
|
Windows Schtasks Create Run As System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1053
|
TTP
|
Qakbot, Scheduled Tasks, Windows Persistence Techniques
|
2024-08-15
|
Windows System Script Proxy Execution Syncappvpublishingserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1216
T1218
|
TTP
|
Living Off The Land
|
2024-08-15
|
Windows Terminating Lsass Process
|
Sysmon EventID 10
|
T1562.001
T1562
|
Anomaly
|
Data Destruction, Double Zero Destructor
|
2024-08-15
|
Windows Vulnerable 3CX Software
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2024-08-15
|
Winhlp32 Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Remcos
|
2024-08-15
|
Winword Spawning Cmd
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-08-15
|
WMI Temporary Event Subscription
|
|
T1047
|
TTP
|
Suspicious WMI Use
|
2024-08-15
|
Wmic NonInteractive App Uninstallation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
Hunting
|
Azorult, IcedID
|
2024-08-15
|
Access LSASS Memory for Dump Creation
|
Sysmon EventID 10
|
T1003.001
T1003
|
TTP
|
CISA AA23-347A, Credential Dumping
|
2024-08-14
|
Any Powershell DownloadFile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.001
T1105
|
TTP
|
DarkCrystal RAT, Data Destruction, Hermetic Wiper, Ingress Tool Transfer, Log4Shell CVE-2021-44228, Malicious PowerShell, Phemedrone Stealer
|
2024-08-14
|
Any Powershell DownloadString
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.001
T1105
|
TTP
|
Data Destruction, HAFNIUM Group, Hermetic Wiper, IcedID, Ingress Tool Transfer, Malicious PowerShell, Phemedrone Stealer, SysAid On-Prem Software CVE-2023-47246 Vulnerability, Winter Vivern
|
2024-08-14
|
Attempt To Stop Security Service
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
TTP
|
Azorult, Data Destruction, Disabling Security Tools, Graceful Wipe Out Attack, Trickbot, WhisperGate
|
2024-08-14
|
Attempted Credential Dump From Registry via Reg exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
T1003
|
TTP
|
CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Data Destruction, Industroyer2, Windows Registry Abuse
|
2024-08-14
|
BCDEdit Failure Recovery Modification
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Ransomware, Ryuk Ransomware
|
2024-08-14
|
BITS Job Persistence
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1197
|
TTP
|
BITS Jobs, Living Off The Land
|
2024-08-14
|
CertUtil Download With URLCache and Split Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
CISA AA22-277A, DarkSide Ransomware, Flax Typhoon, Forest Blizzard, Ingress Tool Transfer, Living Off The Land, ProxyNotShell
|
2024-08-14
|
Certutil exe certificate extraction
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
|
TTP
|
Cloud Federated Credential Abuse, Living Off The Land, Windows Certificate Services, Windows Persistence Techniques
|
2024-08-14
|
Clop Common Exec Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
TTP
|
Clop Ransomware
|
2024-08-14
|
Cmdline Tool Not Executed In CMD Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.007
|
TTP
|
CISA AA22-277A, CISA AA23-347A, DarkGate Malware, FIN7, Gozi Malware, Qakbot, Rhysida Ransomware, Volt Typhoon
|
2024-08-14
|
Create local admin accounts using net exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1136.001
T1136
|
TTP
|
Azorult, CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, DarkGate Malware
|
2024-08-14
|
Create Remote Thread into LSASS
|
Sysmon EventID 8
|
T1003.001
T1003
|
TTP
|
BlackSuit Ransomware, Credential Dumping
|
2024-08-14
|
Curl Download and Bash Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land, Log4Shell CVE-2021-44228
|
2024-08-14
|
Detect AzureHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1069.001
T1482
T1087.001
T1087
T1069.002
T1069
|
TTP
|
Windows Discovery Techniques
|
2024-08-14
|
Detect Computer Changed with Anonymous Account
|
Windows Event Log Security 4624, Windows Event Log Security 4742
|
T1210
|
Hunting
|
Detect Zerologon Attack
|
2024-08-14
|
Detect HTML Help Using InfoTech Storage Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.001
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-14
|
Detect processes used for System Network Configuration Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1016
|
TTP
|
Unusual Processes
|
2024-08-14
|
Detect Prohibited Applications Spawning cmd exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.003
|
Hunting
|
NOBELIUM Group, Suspicious Command-Line Executions, Suspicious MSHTA Activity, Suspicious Zoom Child Processes
|
2024-08-14
|
Detect Regasm Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.009
|
TTP
|
DarkGate Malware, Handala Wiper, Living Off The Land, Snake Keylogger, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regasm with Network Connection
|
Sysmon EventID 3
|
T1218
T1218.009
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regasm with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.009
|
TTP
|
Handala Wiper, Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regsvcs Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regsvcs with Network Connection
|
Sysmon EventID 3
|
T1218
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regsvcs with No Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.009
|
TTP
|
Living Off The Land, Suspicious Regsvcs Regasm Activity
|
2024-08-14
|
Detect Regsvr32 Application Control Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.010
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Suspicious Regsvr32 Activity
|
2024-08-14
|
Detect Rundll32 Application Control Bypass - advpack
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
Detect Rundll32 Application Control Bypass - setupapi
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
Detect Rundll32 Application Control Bypass - syssetup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
DLLHost with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-08-14
|
Domain Account Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
Hunting
|
Active Directory Discovery
|
2024-08-14
|
Domain Account Discovery With Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
TTP
|
Active Directory Discovery, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-08-14
|
Domain Account Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
TTP
|
Active Directory Discovery
|
2024-08-14
|
Dump LSASS via comsvcs DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
T1003
|
TTP
|
CISA AA22-257A, CISA AA22-264A, Credential Dumping, Data Destruction, Flax Typhoon, HAFNIUM Group, Industroyer2, Living Off The Land, Prestige Ransomware, Suspicious Rundll32 Activity, Volt Typhoon
|
2024-08-14
|
Dump LSASS via procdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
T1003
|
TTP
|
CISA AA22-257A, Credential Dumping, HAFNIUM Group
|
2024-08-14
|
Esentutl SAM Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
T1003
|
Hunting
|
Credential Dumping, Living Off The Land
|
2024-08-14
|
Excel Spawning PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
T1003
|
TTP
|
Spearphishing Attachments
|
2024-08-14
|
Excel Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
T1003
|
TTP
|
Spearphishing Attachments
|
2024-08-14
|
Excessive Attempt To Disable Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Anomaly
|
Azorult, XMRig
|
2024-08-14
|
Excessive Service Stop Attempt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
Anomaly
|
BlackByte Ransomware, Ransomware, XMRig
|
2024-08-14
|
Excessive Usage Of Cacls App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
Anomaly
|
Azorult, Prestige Ransomware, Windows Post-Exploitation, XMRig
|
2024-08-14
|
Excessive Usage Of Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
Anomaly
|
AgentTesla, Azorult, CISA AA22-264A, CISA AA22-277A, NjRAT, XMRig
|
2024-08-14
|
Execution of File with Multiple Extensions
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1036.003
|
TTP
|
AsyncRAT, DarkGate Malware, Masquerading - Rename System Utilities, Windows File Extension and Association Abuse
|
2024-08-14
|
File with Samsam Extension
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
|
TTP
|
SamSam Ransomware
|
2024-08-14
|
Get ADDefaultDomainPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
Hunting
|
Active Directory Discovery
|
2024-08-14
|
Get ADUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2024-08-14
|
Get ADUserResultantPasswordPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-08-14
|
Get DomainPolicy with Powershell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1201
|
TTP
|
Active Directory Discovery
|
2024-08-14
|
Get DomainUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
TTP
|
Active Directory Discovery, CISA AA23-347A
|
2024-08-14
|
GetWmiObject DS User with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1087
|
TTP
|
Active Directory Discovery
|
2024-08-14
|
High Process Termination Frequency
|
Sysmon EventID 5
|
T1486
|
Anomaly
|
BlackByte Ransomware, Clop Ransomware, LockBit Ransomware, Rhysida Ransomware, Snake Keylogger
|
2024-08-14
|
Java Writing JSP File
|
Sysmon EventID 1, Sysmon EventID 11
|
T1190
T1133
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Spring4Shell CVE-2022-22965, SysAid On-Prem Software CVE-2023-47246 Vulnerability
|
2024-08-14
|
Linux apt-get Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux APT Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux AWK Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Busybox Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux c89 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux c99 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Clipboard Data Copy
|
Sysmon for Linux EventID 1
|
T1115
|
Anomaly
|
Linux Living Off The Land
|
2024-08-14
|
Linux Composer Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Cpulimit Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Csvtool Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Curl Upload File
|
Sysmon for Linux EventID 1
|
T1105
|
TTP
|
Data Exfiltration, Ingress Tool Transfer, Linux Living Off The Land
|
2024-08-14
|
Linux Decode Base64 to Shell
|
Sysmon for Linux EventID 1
|
T1027
T1059.004
|
TTP
|
Linux Living Off The Land
|
2024-08-14
|
Linux Docker Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Emacs Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Find Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux GDB Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Gem Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux GNU Awk Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Ingress Tool Transfer Hunting
|
Sysmon for Linux EventID 1
|
T1105
|
Hunting
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-08-14
|
Linux Ingress Tool Transfer with Curl
|
Sysmon for Linux EventID 1
|
T1105
|
Anomaly
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-08-14
|
Linux Java Spawning Shell
|
Sysmon for Linux EventID 1
|
T1190
T1133
|
TTP
|
Data Destruction, Hermetic Wiper, Log4Shell CVE-2021-44228, Spring4Shell CVE-2022-22965
|
2024-08-14
|
Linux Kernel Module Enumeration
|
Sysmon for Linux EventID 1
|
T1082
T1014
|
Anomaly
|
Linux Rootkit
|
2024-08-14
|
Linux Make Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux MySQL Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Ngrok Reverse Proxy Usage
|
Sysmon for Linux EventID 1
|
T1572
T1090
T1102
|
Anomaly
|
Reverse Network Proxy
|
2024-08-14
|
Linux Node Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Obfuscated Files or Information Base64 Decode
|
Sysmon for Linux EventID 1
|
T1027
|
Anomaly
|
Linux Living Off The Land
|
2024-08-14
|
Linux Octave Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux OpenVPN Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux PHP Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux pkexec Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1068
|
TTP
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Proxy Socks Curl
|
Sysmon for Linux EventID 1
|
T1090
T1095
|
TTP
|
Ingress Tool Transfer, Linux Living Off The Land
|
2024-08-14
|
Linux Puppet Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux RPM Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Ruby Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
Linux Sqlite3 Privilege Escalation
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Living Off The Land, Linux Privilege Escalation
|
2024-08-14
|
MSI Module Loaded by Non-System Binary
|
Sysmon EventID 7
|
T1574.002
T1574
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-08-14
|
Notepad with no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-08-14
|
Office Product Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Remcos, Spearphishing Attachments
|
2024-08-14
|
Office Product Writing cab or inf
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-08-14
|
Processes Tapping Keyboard Events
|
|
|
TTP
|
ColdRoot MacOS RAT
|
2024-08-14
|
Regsvr32 with Known Silent Switch Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.010
|
Anomaly
|
AsyncRAT, IcedID, Living Off The Land, Qakbot, Remcos, Suspicious Regsvr32 Activity
|
2024-08-14
|
Rubeus Kerberos Ticket Exports Through Winlogon Access
|
Sysmon EventID 10
|
T1550
T1550.003
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-08-14
|
Rundll32 Control RunDLL Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
Hunting
|
Living Off The Land, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Suspicious Rundll32 Activity
|
2024-08-14
|
Schtasks scheduling job on remote system
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1053
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, NOBELIUM Group, Phemedrone Stealer, Prestige Ransomware, RedLine Stealer, Scheduled Tasks
|
2024-08-14
|
Set Default PowerShell Execution Policy To Unrestricted or Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
T1059
T1059.001
|
TTP
|
Credential Dumping, DarkGate Malware, Data Destruction, HAFNIUM Group, Hermetic Wiper, Malicious PowerShell
|
2024-08-14
|
Shim Database File Creation
|
Sysmon EventID 11
|
T1546.011
T1546
|
TTP
|
Windows Persistence Techniques
|
2024-08-14
|
Spoolsv Suspicious Process Access
|
Sysmon EventID 10
|
T1068
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-08-14
|
Suspicious PlistBuddy Usage via OSquery
|
|
T1543.001
T1543
|
TTP
|
Silver Sparrow
|
2024-08-14
|
Suspicious Regsvr32 Register Suspicious Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.010
|
TTP
|
IcedID, Living Off The Land, Qakbot, Suspicious Regsvr32 Activity
|
2024-08-14
|
Suspicious Rundll32 dllregisterserver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity
|
2024-08-14
|
UAC Bypass With Colorui COM Object
|
Sysmon EventID 7
|
T1218
T1218.003
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-08-14
|
Windows Apache Benchmark Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
MetaSploit
|
2024-08-14
|
Windows AutoIt3 Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
DarkGate Malware, Handala Wiper
|
2024-08-14
|
Windows Credential Dumping LSASS Memory Createdump
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.001
|
TTP
|
Credential Dumping
|
2024-08-14
|
Windows Defender ASR Registry Modification
|
Windows Event Log Defender 5007
|
T1112
|
Hunting
|
Windows Attack Surface Reduction
|
2024-08-14
|
Windows Disable or Modify Tools Via Taskkill
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562
T1562.001
|
Anomaly
|
NjRAT
|
2024-08-14
|
Windows Disable Windows Event Logging Disable HTTP Logging
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.002
T1562
T1505
T1505.004
|
TTP
|
CISA AA23-347A, IIS Components, Windows Defense Evasion Tactics
|
2024-08-14
|
Windows DISM Remove Defender
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics
|
2024-08-14
|
Windows DotNet Binary in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1036.003
T1218
T1218.004
|
TTP
|
Data Destruction, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-08-14
|
Windows Hunting System Account Targeting Lsass
|
Sysmon EventID 10
|
T1003.001
T1003
|
Hunting
|
CISA AA23-347A, Credential Dumping
|
2024-08-14
|
Windows Identify Protocol Handlers
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Living Off The Land
|
2024-08-14
|
Windows IIS Components Add New Module
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505
T1505.004
|
Anomaly
|
IIS Components
|
2024-08-14
|
Windows InstallUtil in Non Standard Path
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1036.003
T1218
T1218.004
|
TTP
|
Data Destruction, Living Off The Land, Masquerading - Rename System Utilities, Ransomware, Signed Binary Proxy Execution InstallUtil, Unusual Processes, WhisperGate
|
2024-08-14
|
Windows InstallUtil Remote Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.004
T1218
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
Windows InstallUtil Uninstall Option
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.004
T1218
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
Windows InstallUtil Uninstall Option with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.004
T1218
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
Windows InstallUtil URL in Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.004
T1218
|
TTP
|
Living Off The Land, Signed Binary Proxy Execution InstallUtil
|
2024-08-14
|
Windows MSIExec DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
Windows MSIExec Remote Download
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
Windows MSIExec Spawn Discovery Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
Windows MSIExec Spawn WinDBG
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
DarkGate Malware
|
2024-08-14
|
Windows MSIExec Unregister DLLRegisterServer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
Windows MSIExec With Network Connections
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218.007
|
TTP
|
Windows System Binary Proxy Execution MSIExec
|
2024-08-14
|
Windows Odbcconf Hunting
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
Hunting
|
Living Off The Land
|
2024-08-14
|
Windows Odbcconf Load DLL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.008
|
TTP
|
Living Off The Land
|
2024-08-14
|
Windows Office Product Spawning MSDT
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Spearphishing Attachments
|
2024-08-14
|
Windows Possible Credential Dumping
|
Sysmon EventID 10
|
T1003.001
T1003
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack
|
2024-08-14
|
Windows Process Injection into Notepad
|
Sysmon EventID 10
|
T1055
T1055.002
|
Anomaly
|
BishopFox Sliver Adversary Emulation Framework
|
2024-08-14
|
Windows Process Injection With Public Source Path
|
Sysmon EventID 8
|
T1055
T1055.002
|
Hunting
|
Brute Ratel C4
|
2024-08-14
|
Windows Protocol Tunneling with Plink
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1572
T1021.004
|
TTP
|
CISA AA22-257A
|
2024-08-14
|
Windows Remote Access Software Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Hunting
|
Command And Control, Insider Threat, Ransomware
|
2024-08-14
|
Windows Remote Assistance Spawning Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Unusual Processes
|
2024-08-14
|
Windows Server Software Component GACUtil Install to GAC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505
T1505.004
|
TTP
|
IIS Components
|
2024-08-14
|
Windows Service Create with Tscon
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1563.002
T1563
T1543.003
|
TTP
|
Active Directory Lateral Movement
|
2024-08-14
|
Windows SQL Spawning CertUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
Flax Typhoon
|
2024-08-14
|
Windows Steal Authentication Certificates CertUtil Backup
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-08-14
|
Windows Steal Authentication Certificates Export Certificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-08-14
|
Windows Steal Authentication Certificates Export PfxCertificate
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-08-14
|
Windows System Binary Proxy Execution Compiled HTML File Decompile
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.001
T1218
|
TTP
|
Living Off The Land, Suspicious Compiled HTML Activity
|
2024-08-14
|
Windows WinDBG Spawning AutoIt3
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
DarkGate Malware
|
2024-08-14
|
WinRAR Spawning Shell Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1105
|
TTP
|
WinRAR Spoofing Attack CVE-2023-38831
|
2024-08-14
|
Winword Spawning PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, DarkCrystal RAT, Spearphishing Attachments
|
2024-08-14
|
Winword Spawning Windows Script Host
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
CVE-2023-21716 Word RTF Heap Corruption, Spearphishing Attachments
|
2024-08-14
|
WMIC XSL Execution via URL
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
Suspicious WMI Use
|
2024-08-14
|
XSL Script Execution With WMIC
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1220
|
TTP
|
FIN7, Suspicious WMI Use
|
2024-08-14
|
Detect ARP Poisoning
|
|
T1200
T1498
T1557
T1557.002
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Rogue DHCP Server
|
|
T1200
T1498
T1557
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Traffic Mirroring
|
|
T1200
T1020
T1498
T1020.001
|
TTP
|
Router and Infrastructure Security
|
2024-08-14
|
Detect Windows DNS SIGRed via Splunk Stream
|
|
T1203
|
TTP
|
Windows DNS SIGRed CVE-2020-1350
|
2024-08-14
|
Hunting for Log4Shell
|
Nginx Access
|
T1190
T1133
|
Hunting
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-08-14
|
Windows AD Domain Replication ACL Addition
|
|
T1484
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-08-08
|
Powershell Windows Defender Exclusion Commands
|
Powershell Script Block Logging 4104
|
T1562.001
T1562
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, Warzone RAT, WhisperGate, Windows Defense Evasion Tactics
|
2024-08-07
|
Windows Vulnerable Driver Installed
|
Windows Event Log System 7045
|
T1543.003
|
TTP
|
Windows Drivers
|
2024-08-07
|
Internal Horizontal Port Scan
|
AWS CloudWatchLogs VPCflow
|
T1046
|
TTP
|
Network Discovery
|
2024-08-07
|
Azure AD Concurrent Sessions From Different Ips
|
Azure Active Directory
|
T1185
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-08-05
|
Azure AD High Number Of Failed Authentications From Ip
|
Azure Active Directory
|
T1110
T1110.001
T1110.003
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group
|
2024-08-05
|
Windows Gather Victim Network Info Through Ip Check Web Services
|
Sysmon EventID 22
|
T1590.005
T1590
|
Hunting
|
Azorult, DarkCrystal RAT, Handala Wiper, Phemedrone Stealer, Snake Keylogger
|
2024-07-31
|
Windows ESX Admins Group Creation Security Event
|
|
T1136.001
T1136.002
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-07-30
|
Windows ESX Admins Group Creation via Net
|
Sysmon EventID 1
|
T1136.002
T1136.001
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-07-30
|
Windows ESX Admins Group Creation via PowerShell
|
Powershell Script Block Logging 4104
|
T1136.002
T1136.001
|
TTP
|
VMware ESXi AD Integration Authentication Bypass CVE-2024-37085
|
2024-07-30
|
Windows Outlook WebView Registry Modification
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
Suspicious Windows Registry Activities
|
2024-07-30
|
Malicious PowerShell Process - Encoded Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027
|
Hunting
|
CISA AA22-320A, DarkCrystal RAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, NOBELIUM Group, Qakbot, Sandworm Tools, Volt Typhoon, WhisperGate
|
2024-07-26
|
MOVEit Certificate Store Access Failure
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
MOVEit Empty Key Fingerprint Authentication Attempt
|
|
T1190
|
Hunting
|
MOVEit Transfer Authentication Bypass
|
2024-07-24
|
Windows Event Log Cleared
|
Windows Event Log Security 1102
|
T1070
T1070.001
|
TTP
|
CISA AA22-264A, Clop Ransomware, Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-07-24
|
Splunk risky Command Abuse disclosed february 2023
|
Splunk
|
T1548
T1202
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-23
|
Disable Logs Using WevtUtil
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
T1070.001
|
TTP
|
CISA AA23-347A, Ransomware, Rhysida Ransomware
|
2024-07-23
|
Disable Windows Behavior Monitoring
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Azorult, CISA AA23-347A, Ransomware, RedLine Stealer, Revil Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-07-23
|
Remote Process Instantiation via DCOM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021
T1021.003
|
TTP
|
Active Directory Lateral Movement
|
2024-07-23
|
Remote Process Instantiation via WinRM and PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2024-07-23
|
Remote Process Instantiation via WinRM and Winrs
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2024-07-23
|
Scheduled Task Creation on Remote Endpoint using At
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
T1053.002
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-07-23
|
Scheduled Task Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
T1053.005
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-07-23
|
Windows New InProcServer32 Added
|
Sysmon EventID 13
|
T1112
|
Hunting
|
Outlook RCE CVE-2024-21378
|
2024-07-23
|
Windows Service Creation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-07-23
|
Windows Service Initiation on Remote Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A
|
2024-07-23
|
Crowdstrike High Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2024-07-17
|
Crowdstrike Multiple LOW Severity Alerts
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2024-07-17
|
Crowdstrike Admin Weak Password Policy
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Admin With Duplicate Password
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Medium Identity Risk Severity
|
|
T1110
|
TTP
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Medium Severity Alert
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike Privilege Escalation For Non-Admin User
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike User Weak Password Policy
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Crowdstrike User with Duplicate Password
|
|
T1110
|
Anomaly
|
Compromised Windows Host
|
2024-07-15
|
Windows Delete or Modify System Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562
T1562.004
|
Anomaly
|
NjRAT, ShrinkLocker
|
2024-07-11
|
Wscript Or Cscript Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
T1543
T1134.004
T1134
|
TTP
|
Data Destruction, FIN7, NjRAT, Remcos, ShrinkLocker, Unusual Processes, WhisperGate
|
2024-07-11
|
Detect Remote Access Software Usage File
|
Sysmon EventID 11
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-07-09
|
Detect Remote Access Software Usage FileInfo
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Anomaly
|
Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-07-09
|
Detect Remote Access Software Usage Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Gozi Malware, Insider Threat, Ransomware
|
2024-07-09
|
Detect Remote Access Software Usage DNS
|
Sysmon EventID 22
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Ransomware
|
2024-07-09
|
Detect Remote Access Software Usage Traffic
|
Palo Alto Network Traffic
|
T1219
|
Anomaly
|
Command And Control, Insider Threat, Ransomware
|
2024-07-09
|
Detect Remote Access Software Usage URL
|
Palo Alto Network Threat
|
T1219
|
Anomaly
|
CISA AA24-241A, Command And Control, Insider Threat, Ransomware
|
2024-07-09
|
Azure AD Admin Consent Bypassed by Service Principal
|
Azure Active Directory Add app role assignment to service principal
|
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-07-02
|
Windows AD AdminSDHolder ACL Modified
|
Windows Event Log Security 5136
|
T1546
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-07-02
|
Splunk CSRF in the SSG kvstore Client Endpoint
|
Splunk
|
T1189
|
TTP
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk DoS via POST Request Datamodel Endpoint
|
|
T1499
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Enterprise Windows Deserialization File Partition
|
Splunk
|
T1190
|
TTP
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Information Disclosure on Account Login
|
Splunk
|
T1087
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk RCE PDFgen Render
|
Splunk
|
T1210
|
TTP
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk RCE via External Lookup Copybuckets
|
Splunk
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Stored XSS conf-web Settings on Premises
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Stored XSS via Data Model objectName Field
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Stored XSS via Specially Crafted Bulletin Message
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Unauthenticated DoS via Null Pointer References
|
Splunk
|
T1499
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Unauthenticated Path Traversal Modules Messaging
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Unauthorized Experimental Items Creation
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk Unauthorized Notification Input by User
|
Splunk
|
T1548
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS in Highlighted JSON Events
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS in Save table dialog header in search page
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS Privilege Escalation via Custom Urls in Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Splunk XSS Via External Urls in Dashboards SSRF
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-07-01
|
Windows Modify Registry Delete Firewall Rules
|
Sysmon EventID 12
|
T1112
|
TTP
|
CISA AA24-241A, ShrinkLocker
|
2024-06-21
|
Windows Modify Registry to Add or Modify Firewall Rule
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA24-241A, ShrinkLocker
|
2024-06-21
|
Suspicious wevtutil Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070.001
T1070
|
TTP
|
CISA AA23-347A, Clop Ransomware, Ransomware, Rhysida Ransomware, ShrinkLocker, Windows Log Manipulation
|
2024-06-19
|
Windows Modify Registry Configure BitLocker
|
Sysmon EventID 13
|
T1112
|
TTP
|
ShrinkLocker
|
2024-06-19
|
Windows Modify Registry Disable RDP
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2024-06-19
|
Windows Modify Registry on Smart Card Group Policy
|
Sysmon EventID 13
|
T1112
|
Anomaly
|
ShrinkLocker
|
2024-06-19
|
Possible Lateral Movement PowerShell Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021
T1021.003
T1021.006
T1047
T1053.005
T1543.003
T1059.001
T1218.014
|
TTP
|
Active Directory Lateral Movement, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks
|
2024-06-18
|
Ivanti EPM SQL Injection Remote Code Execution
|
Suricata
|
T1190
|
TTP
|
Ivanti EPM Vulnerabilities
|
2024-06-18
|
Elevated Group Discovery with PowerView
|
Powershell Script Block Logging 4104
|
T1069
T1069.002
|
Hunting
|
Active Directory Discovery
|
2024-06-10
|
Windows Debugger Tool Execution
|
|
T1036
|
Hunting
|
DarkGate Malware, PlugX
|
2024-06-07
|
Windows Unsigned DLL Side-Loading In Same Process Path
|
Sysmon EventID 7
|
T1574.002
T1574
|
TTP
|
DarkGate Malware, PlugX
|
2024-06-07
|
AWS Multiple Failed MFA Requests For User
|
AWS CloudTrail ConsoleLogin
|
T1586
T1586.003
T1621
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-31
|
Azure AD Privileged Role Assigned to Service Principal
|
Azure Active Directory Add member to role
|
T1098
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation, NOBELIUM Group
|
2024-05-31
|
O365 Multi-Source Failed Authentications Spike
|
O365 UserLoginFailed
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Hunting
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-05-31
|
Detect Copy of ShadowCopy with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1003.002
T1003
|
TTP
|
Credential Dumping
|
2024-05-31
|
Exchange PowerShell Module Usage
|
Powershell Script Block Logging 4104
|
T1059
T1059.001
|
TTP
|
BlackByte Ransomware, CISA AA22-264A, CISA AA22-277A, ProxyNotShell, ProxyShell
|
2024-05-31
|
PowerShell Invoke CIMMethod CIMSession
|
Powershell Script Block Logging 4104
|
T1047
|
Anomaly
|
Active Directory Lateral Movement, Malicious PowerShell
|
2024-05-31
|
Services Escalate Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548
|
TTP
|
BlackByte Ransomware, CISA AA23-347A, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-31
|
Windows Event Triggered Image File Execution Options Injection
|
Windows Event Log Application 3000
|
T1546.012
|
Hunting
|
Windows Persistence Techniques
|
2024-05-31
|
Windows Impair Defense Define Win Defender Threat Action
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
Windows Impair Defense Disable Win Defender Signature Retirement
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
Windows Impair Defense Override SmartScreen Prompt
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-31
|
Windows Modify Registry Disable Restricted Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A
|
2024-05-31
|
Windows Modify Registry wuStatusServer
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2024-05-31
|
Windows Post Exploitation Risk Behavior
|
|
T1012
T1049
T1069
T1016
T1003
T1082
T1115
T1552
|
Correlation
|
Windows Post-Exploitation
|
2024-05-31
|
Windows PowerView Kerberos Service Ticket Request
|
Powershell Script Block Logging 4104
|
T1558
T1558.003
|
TTP
|
Active Directory Kerberos Attacks, Rhysida Ransomware
|
2024-05-31
|
Windows Query Registry UnInstall Program List
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
RedLine Stealer
|
2024-05-31
|
Windows Remote Services Allow Rdp In Firewall
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1021
|
Anomaly
|
Azorult
|
2024-05-31
|
Windows Unsigned DLL Side-Loading
|
Sysmon EventID 7
|
T1574.002
|
Anomaly
|
NjRAT, Warzone RAT
|
2024-05-31
|
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
T1110
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-05-31
|
Okta Multiple Failed Requests to Access Applications
|
Okta
|
T1550.004
T1538
|
Hunting
|
Okta Account Takeover
|
2024-05-30
|
Azure AD Service Principal Created
|
Azure Active Directory Add service principal
|
T1136.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-30
|
Azure AD User Consent Blocked for Risky Application
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-30
|
Cloud Compute Instance Created With Previously Unseen Image
|
AWS CloudTrail
|
|
Anomaly
|
Cloud Cryptomining
|
2024-05-30
|
Kubernetes Process with Resource Ratio Anomalies
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-30
|
Credential Dumping via Copy Command from Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
T1003
|
TTP
|
Credential Dumping
|
2024-05-30
|
Impacket Lateral Movement Commandline Parameters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021
T1021.002
T1021.003
T1047
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate
|
2024-05-30
|
Linux DD File Overwrite
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
Data Destruction, Industroyer2
|
2024-05-30
|
Linux File Creation In Init Boot Directory
|
Sysmon for Linux EventID 11
|
T1037.004
T1037
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-30
|
Linux Indicator Removal Clear Cache
|
Sysmon for Linux EventID 1
|
T1070
|
TTP
|
AwfulShred, Data Destruction
|
2024-05-30
|
Linux Possible Append Command To Profile Config File
|
Sysmon for Linux EventID 1
|
T1546.004
T1546
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-30
|
Ntdsutil Export NTDS
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
T1003
|
TTP
|
Credential Dumping, HAFNIUM Group, Living Off The Land, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon
|
2024-05-30
|
PaperCut NG Suspicious Behavior Debug Log
|
|
T1190
T1133
|
Hunting
|
PaperCut MF NG Vulnerability
|
2024-05-30
|
PetitPotam Suspicious Kerberos TGT Request
|
Windows Event Log Security 4768
|
T1003
|
TTP
|
Active Directory Kerberos Attacks, PetitPotam NTLM Relay on Active Directory Certificate Services
|
2024-05-30
|
Ping Sleep Batch Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1497.003
|
Anomaly
|
BlackByte Ransomware, Data Destruction, Warzone RAT, WhisperGate
|
2024-05-30
|
PowerShell Script Block With URL Chain
|
Powershell Script Block Logging 4104
|
T1059.001
T1105
|
TTP
|
Malicious PowerShell
|
2024-05-30
|
Runas Execution in CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134
T1134.001
|
Hunting
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-05-30
|
Suspicious MSBuild Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127
T1127.001
|
TTP
|
Living Off The Land, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-30
|
Suspicious Rundll32 StartW
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Suspicious Rundll32 Activity, Trickbot
|
2024-05-30
|
Windows Account Discovery for Sam Account Name
|
Powershell Script Block Logging 4104
|
T1087
|
Anomaly
|
CISA AA23-347A
|
2024-05-30
|
Windows Admin Permission Discovery
|
Sysmon EventID 11
|
T1069.001
|
Anomaly
|
NjRAT
|
2024-05-30
|
Windows Alternate DataStream - Executable Content
|
Sysmon EventID 15
|
T1564
T1564.004
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-30
|
Windows AppLocker Rare Application Launch Detection
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2024-05-30
|
Windows Disable LogOff Button Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Registry Abuse
|
2024-05-30
|
Windows DNS Gather Network Info
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1590.002
|
Anomaly
|
Sandworm Tools, Volt Typhoon
|
2024-05-30
|
Windows Domain Account Discovery Via Get-NetComputer
|
Powershell Script Block Logging 4104
|
T1087
T1087.002
|
Anomaly
|
CISA AA23-347A
|
2024-05-30
|
Windows Modify Registry NoChangingWallPaper
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Rhysida Ransomware
|
2024-05-30
|
Windows Phishing Recent ISO Exec Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1566.001
T1566
|
Hunting
|
AgentTesla, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Warzone RAT
|
2024-05-30
|
Windows Private Keys Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1552.004
T1552
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-05-30
|
Windows Service Creation Using Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1574.011
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, PlugX, Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-30
|
Zeek x509 Certificate with Punycode
|
|
T1573
|
Hunting
|
OpenSSL CVE-2022-3602
|
2024-05-30
|
Confluence Unauthenticated Remote Code Execution CVE-2022-26134
|
Palo Alto Network Threat
|
T1505
T1190
T1133
|
TTP
|
Atlassian Confluence Server and Data Center CVE-2022-26134, Confluence Data Center and Confluence Server Vulnerabilities
|
2024-05-30
|
Okta Authentication Failed During MFA Challenge
|
Okta
|
T1586
T1586.003
T1078
T1078.004
T1621
|
TTP
|
Okta Account Takeover
|
2024-05-29
|
Okta Suspicious Use of a Session Cookie
|
Okta
|
T1539
|
Anomaly
|
Okta Account Takeover, Suspicious Okta Activity
|
2024-05-29
|
PingID Multiple Failed MFA Requests For User
|
PingID
|
T1621
T1078
T1110
|
TTP
|
Compromised User Account
|
2024-05-29
|
Splunk DoS Using Malformed SAML Request
|
Splunk
|
T1498
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-29
|
Splunk ES DoS Through Investigation Attachments
|
Splunk
|
T1499
|
TTP
|
Splunk Vulnerabilities
|
2024-05-29
|
Splunk Low Privilege User Can View Hashed Splunk Password
|
Splunk
|
T1212
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-29
|
Suspicious Email Attachment Extensions
|
|
T1566.001
T1566
|
Anomaly
|
Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails
|
2024-05-29
|
Amazon EKS Kubernetes Pod scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2024-05-29
|
ASL AWS Defense Evasion Delete Cloudtrail
|
|
T1562.008
T1562
|
TTP
|
AWS Defense Evasion
|
2024-05-29
|
AWS Console Login Failed During MFA Challenge
|
AWS CloudTrail ConsoleLogin
|
T1586
T1586.003
T1621
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-29
|
AWS IAM Successful Group Deletion
|
AWS CloudTrail DeleteGroup
|
T1069.003
T1098
T1069
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-29
|
Azure AD Global Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-29
|
Azure AD High Number Of Failed Authentications For User
|
Azure Active Directory
|
T1110
T1110.001
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-05-29
|
Azure AD New MFA Method Registered For User
|
Azure Active Directory User registered security info
|
T1556
T1556.006
|
TTP
|
Azure Active Directory Account Takeover, Compromised User Account
|
2024-05-29
|
Azure AD Privileged Role Assigned
|
Azure Active Directory Add member to role
|
T1098
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-29
|
O365 Multiple Service Principals Created by SP
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
O365 New Email Forwarding Rule Created
|
|
T1114
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 New Forwarding Mailflow Rule Created
|
|
T1114
|
TTP
|
Office 365 Collection Techniques
|
2024-05-29
|
O365 Tenant Wide Admin Consent Granted
|
O365 Consent to application.
|
T1098
T1098.003
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-29
|
Add or Set Windows Defender Exclusion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
TTP
|
AgentTesla, CISA AA22-320A, Data Destruction, Remcos, WhisperGate, Windows Defense Evasion Tactics
|
2024-05-29
|
Attacker Tools On Endpoint
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.005
T1036
T1003
T1595
|
TTP
|
CISA AA22-264A, Monitor for Unauthorized Software, SamSam Ransomware, Unusual Processes, XMRig
|
2024-05-29
|
Detect RTLO In Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036.002
T1036
|
TTP
|
Spearphishing Attachments
|
2024-05-29
|
Disable AMSI Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-05-29
|
Disable Security Logs Using MiniNt Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-29
|
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
|
Powershell Script Block Logging 4104
|
T1558
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A
|
2024-05-29
|
Enable RDP In Other Port Number
|
Sysmon EventID 12, Sysmon EventID 13
|
T1021
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-05-29
|
Excessive distinct processes from Windows Temp
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2024-05-29
|
Get ADUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087.002
T1087
|
Hunting
|
Active Directory Discovery, CISA AA23-347A
|
2024-05-29
|
GetWmiObject Ds Computer with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2024-05-29
|
| Detection | Data Source | ATT&CK Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Headless Browser Mockbin or Mocky Request | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1564.003 | TTP | Forest Blizzard | 2024-05-29 |
| Linux Common Process For Elevation Control | Sysmon for Linux EventID 1 | T1548.001, T1548 | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-29 |
| Linux Possible Access To Sudoers File | Sysmon for Linux EventID 1 | T1548.003, T1548 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-29 |
| Linux Service Started Or Enabled | Sysmon for Linux EventID 1 | T1053.006, T1053 | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-29 |
| Local Account Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1087, T1087.001 | Hunting | Active Directory Discovery, Sandworm Tools | 2024-05-29 |
| Monitor Registry Keys for Print Monitors | Sysmon EventID 12, Sysmon EventID 13 | T1547.010, T1547 | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2024-05-29 |
| Rundll32 Create Remote Thread To A Process | Sysmon EventID 8 | T1055 | TTP | IcedID, Living Off The Land | 2024-05-29 |
| Suspicious Curl Network Connection | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1105 | TTP | Ingress Tool Transfer, Linux Living Off The Land, Silver Sparrow | 2024-05-29 |
| Windows Credential Access From Browser Password Store | Windows Event Log Security 4663 | T1012 | Anomaly | MoonPeak, Snake Keylogger | 2024-05-29 |
| Windows DnsAdmins New Member Added | Windows Event Log Security 4732 | T1098 | TTP | Active Directory Privilege Escalation | 2024-05-29 |
| Windows Findstr GPP Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552, T1552.006 | TTP | Active Directory Privilege Escalation | 2024-05-29 |
| Windows Impair Defense Disable Controlled Folder Access | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-29 |
| Windows Impair Defense Disable Win Defender Network Protection | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-29 |
| Windows Information Discovery Fsutil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1082 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-29 |
| Windows MsiExec HideWindow Rundll32 Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218.007, T1218 | TTP | Qakbot | 2024-05-29 |
| Windows Powershell Import Applocker Policy | Powershell Script Block Logging 4104 | T1059.001, T1059, T1562.001, T1562 | TTP | Azorult | 2024-05-29 |
| Windows Registry BootExecute Modification | Sysmon EventID 12, Sysmon EventID 13 | T1542, T1547.001 | TTP | Windows BootKits | 2024-05-29 |
| Windows Registry Certificate Added | Sysmon EventID 12, Sysmon EventID 13 | T1553.004, T1553 | Anomaly | Windows Drivers, Windows Registry Abuse | 2024-05-29 |
| Windows Rundll32 Apply User Settings Changes | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.011 | TTP | Rhysida Ransomware | 2024-05-29 |
| Windows Screen Capture Via Powershell | Powershell Script Block Logging 4104 | T1113 | TTP | Winter Vivern | 2024-05-29 |
| Windows WMI Impersonate Token | Sysmon EventID 10 | T1047 | Anomaly | Qakbot | 2024-05-29 |
| Detect DGA domains using pretrained model in DSDL | | T1568.002 | Anomaly | Command And Control, DNS Hijacking, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic | 2024-05-29 |
| Protocol or Port Mismatch | | T1048.003, T1048 | Anomaly | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch | 2024-05-29 |
| Protocols passing authentication in cleartext | | | TTP | Use of Cleartext Protocols | 2024-05-29 |
| Remote Desktop Network Traffic | | T1021.001, T1021 | Anomaly | Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware | 2024-05-29 |
| SSL Certificates with Punycode | | T1573 | Hunting | OpenSSL CVE-2022-3602 | 2024-05-29 |
| TOR Traffic | Palo Alto Network Traffic | T1090, T1090.003 | TTP | Command And Control, NOBELIUM Group, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-05-29 |
| Adobe ColdFusion Access Control Bypass | Suricata | T1190 | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-05-29 |
| Citrix ShareFile Exploitation CVE-2023-24489 | Suricata | T1190 | Hunting | Citrix ShareFile RCE CVE-2023-24489 | 2024-05-29 |
| Ivanti Connect Secure SSRF in SAML Component | Suricata | T1190 | TTP | Ivanti Connect Secure VPN Vulnerabilities | 2024-05-29 |
| Okta IDP Lifecycle Modifications | Okta | T1087.004 | Anomaly | Suspicious Okta Activity | 2024-05-28 |
| Okta Multiple Users Failing To Authenticate From Ip | Okta | T1110.003 | Anomaly | Okta Account Takeover | 2024-05-28 |
| Okta Risk Threshold Exceeded | Okta | T1078, T1110 | Correlation | Okta Account Takeover, Okta MFA Exhaustion, Suspicious Okta Activity | 2024-05-28 |
| Splunk Protocol Impersonation Weak Encryption Configuration | Splunk | T1001.003 | Hunting | Splunk Vulnerabilities | 2024-05-28 |
| Splunk unnecessary file extensions allowed by lookup table uploads | Splunk | T1189 | TTP | Splunk Vulnerabilities | 2024-05-28 |
| AWS Defense Evasion PutBucketLifecycle | AWS CloudTrail PutBucketLifecycle | T1562.008, T1562 | Hunting | AWS Defense Evasion | 2024-05-28 |
| AWS Detect Users creating keys with encrypt policy without MFA | AWS CloudTrail CreateKey, AWS CloudTrail PutKeyPolicy | T1486 | TTP | Ransomware Cloud | 2024-05-28 |
| AWS ECR Container Upload Unknown User | AWS CloudTrail PutImage | T1204.003, T1204 | Anomaly | Dev Sec Ops | 2024-05-28 |
| AWS Exfiltration via DataSync Task | AWS CloudTrail CreateTask | T1119 | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-05-28 |
| Azure AD Device Code Authentication | Azure Active Directory | T1528, T1566, T1566.002 | TTP | Azure Active Directory Account Takeover | 2024-05-28 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | T1484, T1484.002 | TTP | Azure Active Directory Persistence | 2024-05-28 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | T1098 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-05-28 |
| Detect AWS Console Login by New User | AWS CloudTrail | T1586, T1586.003, T1552 | Hunting | AWS Identity and Access Management Account Takeover, Suspicious Cloud Authentication Activities | 2024-05-28 |
| Kubernetes Create or Update Privileged Pod | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2024-05-28 |
| Kubernetes Cron Job Creation | Kubernetes Audit | T1053.007 | Anomaly | Kubernetes Security | 2024-05-28 |
| O365 New Federated Domain Added | O365 | T1136.003, T1136 | TTP | Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms | 2024-05-28 |
| Add DefaultUser And Password In Registry | Sysmon EventID 13 | T1552.002, T1552 | Anomaly | BlackMatter Ransomware | 2024-05-28 |
| Detect Credential Dumping through LSASS access | Sysmon EventID 10 | T1003.001, T1003 | TTP | BlackSuit Ransomware, CISA AA23-347A, Credential Dumping, Detect Zerologon Attack | 2024-05-28 |
| Disable Defender AntiVirus Registry | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | CISA AA24-241A, IcedID, Windows Registry Abuse | 2024-05-28 |
| Domain Group Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069, T1069.002 | Hunting | Active Directory Discovery, Graceful Wipe Out Attack, Prestige Ransomware, Rhysida Ransomware, Windows Post-Exploitation | 2024-05-28 |
| GetAdComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | Hunting | Active Directory Discovery, CISA AA22-320A, Gozi Malware | 2024-05-28 |
| GetWmiObject Ds Group with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069, T1069.002 | TTP | Active Directory Discovery | 2024-05-28 |
| Linux Iptables Firewall Modification | Sysmon for Linux EventID 1 | T1562.004, T1562 | Anomaly | Cyclops Blink, Sandworm Tools | 2024-05-28 |
| Linux Unix Shell Enable All SysRq Functions | Sysmon for Linux EventID 1 | T1059.004, T1059 | Anomaly | AwfulShred, Data Destruction | 2024-05-28 |
| Modification Of Wallpaper | Sysmon EventID 13 | T1491 | TTP | BlackMatter Ransomware, Brute Ratel C4, LockBit Ransomware, Ransomware, Revil Ransomware, Rhysida Ransomware, Windows Registry Abuse | 2024-05-28 |
| Network Connection Discovery With Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1049 | Hunting | Active Directory Discovery, Azorult, Prestige Ransomware, Windows Post-Exploitation | 2024-05-28 |
| Print Spooler Failed to Load a Plug-in | Windows Event Log Printservice 808 | T1547.012, T1547 | TTP | PrintNightmare CVE-2021-34527 | 2024-05-28 |
| Randomly Generated Scheduled Task Name | Windows Event Log Security 4698 | T1053, T1053.005 | Hunting | Active Directory Lateral Movement, CISA AA22-257A, Scheduled Tasks | 2024-05-28 |
| Remcos client registry install entry | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | T1112 | TTP | Remcos, Windows Registry Abuse | 2024-05-28 |
| Schtasks Run Task On Demand | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053 | TTP | CISA AA22-257A, Data Destruction, Industroyer2, Qakbot, Scheduled Tasks, XMRig | 2024-05-28 |
| Suspicious SQLite3 LSQuarantine Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1074 | TTP | Silver Sparrow | 2024-05-28 |
| Windows Admon Default Group Policy Object Modified | Windows Active Directory Admon | T1484, T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-05-28 |
| Windows Alternate DataStream - Base64 Content | Sysmon EventID 15 | T1564, T1564.004 | TTP | Windows Defense Evasion Tactics | 2024-05-28 |
| Windows CAB File on Disk | Sysmon EventID 11 | T1566.001 | Anomaly | DarkGate Malware | 2024-05-28 |
| Windows Command Shell Fetch Env Variables | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | Qakbot | 2024-05-28 |
| Windows Disable Notification Center | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-28 |
| Windows DisableAntiSpyware Registry | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Azorult, CISA AA22-264A, CISA AA23-347A, RedLine Stealer, Ryuk Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-28 |
| Windows Find Interesting ACL with FindInterestingDomainAcl | Powershell Script Block Logging 4104 | T1087, T1087.002 | TTP | Active Directory Discovery | 2024-05-28 |
| Windows Hidden Schedule Task Settings | Windows Event Log Security 4698 | T1053 | TTP | Active Directory Discovery, CISA AA22-257A, Data Destruction, Industroyer2, Scheduled Tasks | 2024-05-28 |
| Windows Impair Defense Disable Win Defender App Guard | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-28 |
| Windows Impair Defense Disable Win Defender Scan On Update | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-28 |
| Windows Indirect Command Execution Via forfiles | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1202 | TTP | Living Off The Land, Windows Post-Exploitation | 2024-05-28 |
| Windows Mail Protocol In Non-Common Process Path | Sysmon EventID 3 | T1071.003, T1071 | Anomaly | AgentTesla | 2024-05-28 |
| Windows Modify Registry AuthenticationLevelOverride | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | DarkGate Malware | 2024-05-28 |
| Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos | Windows Event Log Security 4768 | T1110.003, T1110 | TTP | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2024-05-28 |
| Windows Multiple Users Remotely Failed To Authenticate From Host | Windows Event Log Security 4625 | T1110.003, T1110 | TTP | Active Directory Password Spraying, Volt Typhoon | 2024-05-28 |
| Windows Password Managers Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555.005 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-28 |
| Windows Privilege Escalation System Process Without System Parent | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068, T1548, T1134 | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-05-28 |
| Windows Process Injection Wermgr Child Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Qakbot, Windows Error Reporting Service Elevation of Privilege Vulnerability | 2024-05-28 |
| Windows Query Registry Browser List Application | Windows Event Log Security 4663 | T1012 | Anomaly | RedLine Stealer | 2024-05-28 |
| Windows Raw Access To Disk Volume Partition | Sysmon EventID 9 | T1561.002, T1561 | Anomaly | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT | 2024-05-28 |
| Windows Registry SIP Provider Modification | Sysmon EventID 12, Sysmon EventID 13 | T1553.003 | TTP | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-05-28 |
| Windows Security Support Provider Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1547.005, T1547 | Anomaly | Prestige Ransomware, Sneaky Active Directory Persistence Tricks, Windows Post-Exploitation | 2024-05-28 |
| Windows Spearphishing Attachment Onenote Spawn Mshta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566.001, T1566 | TTP | AsyncRAT, Spearphishing Attachments | 2024-05-28 |
| Windows System Discovery Using ldap Nslookup | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Anomaly | Qakbot | 2024-05-28 |
| Windows System Reboot CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1529 | Anomaly | DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT | 2024-05-28 |
| Windows Time Based Evasion via Choice Exec | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1497.003, T1497 | Anomaly | Snake Keylogger | 2024-05-28 |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos | Windows Event Log Security 4771 | T1110.003, T1110 | Anomaly | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2024-05-28 |
| Windows Valid Account With Never Expires Password | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Azorult | 2024-05-28 |
| Detect Zerologon via Zeek | | T1190 | TTP | Detect Zerologon Attack, Rhysida Ransomware | 2024-05-28 |
| F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 | Palo Alto Network Threat | T1190, T1133 | TTP | CISA AA24-241A, F5 BIG-IP Vulnerability CVE-2022-1388 | 2024-05-28 |
| Confluence Data Center and Server Privilege Escalation | Nginx Access | T1190 | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server, Confluence Data Center and Confluence Server Vulnerabilities | 2024-05-28 |
| Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527 | Suricata | T1190 | TTP | Confluence Data Center and Confluence Server Vulnerabilities | 2024-05-28 |
| Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082 | Suricata | T1190, T1133 | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-05-28 |
| Web Spring4Shell HTTP Request Class Module | Splunk Stream HTTP | T1190, T1133 | TTP | Spring4Shell CVE-2022-22965 | 2024-05-28 |
| Splunk Digital Certificates Infrastructure Version | Splunk | T1587.003 | Hunting | Splunk Vulnerabilities | 2024-05-27 |
| Splunk DoS via Malformed S2S Request | Splunk | T1498 | TTP | Splunk Vulnerabilities | 2024-05-27 |
| Splunk Endpoint Denial of Service DoS Zip Bomb | Splunk | T1499 | TTP | Splunk Vulnerabilities | 2024-05-27 |
| Splunk HTTP Response Splitting Via Rest SPL Command | Splunk | T1027.006 | Hunting | Splunk Vulnerabilities | 2024-05-27 |
| Abnormally High Number Of Cloud Instances Destroyed | AWS CloudTrail | T1078.004, T1078 | Anomaly | Suspicious Cloud Instance Activities | 2024-05-27 |
| AWS IAM Delete Policy | AWS CloudTrail DeletePolicy | T1098 | Hunting | AWS IAM Privilege Escalation | 2024-05-27 |
| GitHub Dependabot Alert | GitHub | T1195.001, T1195 | Anomaly | Dev Sec Ops | 2024-05-27 |
| Kubernetes Abuse of Secret by Unusual User Name | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2024-05-27 |
| Kubernetes newly seen UDP edge | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-27 |
| Kubernetes Previously Unseen Container Image Name | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-27 |
| Kubernetes Process Running From New Path | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-27 |
| Kubernetes Process with Anomalous Resource Utilisation | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-27 |
| O365 Added Service Principal | O365 | T1136.003, T1136 | TTP | Cloud Federated Credential Abuse, NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-05-27 |
| O365 Concurrent Sessions From Different Ips | O365 UserLoggedIn | T1185 | TTP | Office 365 Account Takeover | 2024-05-27 |
| O365 File Permissioned Application Consent Granted by User | O365 Consent to application. | T1528 | TTP | Office 365 Account Takeover | 2024-05-27 |
| Active Setup Registry Autostart | Sysmon EventID 12, Sysmon EventID 13 | T1547.014, T1547 | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-05-27 |
| Allow Network Discovery In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.007, T1562 | TTP | BlackByte Ransomware, NjRAT, Ransomware, Revil Ransomware | 2024-05-27 |
| Detect Certipy File Modifications | Sysmon EventID 1, Sysmon EventID 11 | T1649, T1560 | TTP | Data Exfiltration, Ingress Tool Transfer, Windows Certificate Services | 2024-05-27 |
| Detect suspicious processnames using pretrained model in DSDL | Sysmon EventID 1 | T1059 | Anomaly | Suspicious Command-Line Executions | 2024-05-27 |
| Disable Show Hidden Files | Sysmon EventID 12, Sysmon EventID 13 | T1564.001, T1562.001, T1564, T1562, T1112 | Anomaly | Azorult, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | Hunting | Active Directory Discovery | 2024-05-27 |
| Get-DomainTrust with PowerShell Script Block | Powershell Script Block Logging 4104 | T1482 | TTP | Active Directory Discovery | 2024-05-27 |
| GetWmiObject Ds Computer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | TTP | Active Directory Discovery | 2024-05-27 |
| Icacls Deny Command | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1222 | TTP | Azorult, Sandworm Tools, XMRig | 2024-05-27 |
| Kerberos Service Ticket Request Using RC4 Encryption | Windows Event Log Security 4769 | T1558, T1558.001 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation | 2024-05-27 |
| Kerberos TGT Request Using RC4 Encryption | Windows Event Log Security 4768 | T1550 | TTP | Active Directory Kerberos Attacks | 2024-05-27 |
| Linux Adding Crontab Using List Parameter | Sysmon for Linux EventID 1 | T1053.003, T1053 | Hunting | Data Destruction, Gomir, Industroyer2, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-27 |
| Linux Data Destruction Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction | 2024-05-27 |
| Linux Service File Created In Systemd Directory | Sysmon for Linux EventID 11 | T1053.006, T1053 | Anomaly | Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-27 |
| Linux Visudo Utility Execution | Sysmon for Linux EventID 1 | T1548.003, T1548 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-27 |
| MS Exchange Mailbox Replication service writing Active Server Pages | Sysmon EventID 1, Sysmon EventID 11 | T1505, T1505.003, T1190, T1133 | TTP | BlackByte Ransomware, ProxyShell, Ransomware | 2024-05-27 |
| Office Product Spawning MSHTA | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | Azorult, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, IcedID, NjRAT, Spearphishing Attachments | 2024-05-27 |
| Possible Browser Pass View Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555.003, T1555 | Hunting | Remcos | 2024-05-27 |
| Process Deleting Its Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070 | TTP | Clop Ransomware, Data Destruction, Remcos, WhisperGate | 2024-05-27 |
| Single Letter Process On Endpoint | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204, T1204.002 | TTP | DHS Report TA18-074A | 2024-05-27 |
| Spoolsv Writing a DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688 | T1547.012, T1547 | TTP | PrintNightmare CVE-2021-34527 | 2024-05-27 |
| Suspicious Rundll32 no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.011 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity | 2024-05-27 |
| UAC Bypass MMC Load Unsigned Dll | Sysmon EventID 7 | T1548.002, T1548, T1218.014 | TTP | Windows Defense Evasion Tactics | 2024-05-27 |
| Wermgr Process Connecting To IP Check Web Services | Sysmon EventID 22 | T1590, T1590.005 | TTP | Trickbot | 2024-05-27 |
| Windows Account Discovery With NetUser PreauthNotRequire | Powershell Script Block Logging 4104 | T1087 | Hunting | CISA AA23-347A | 2024-05-27 |
| Windows Archive Collected Data via Powershell | Powershell Script Block Logging 4104 | T1560 | Anomaly | CISA AA23-347A | 2024-05-27 |
| Windows Credentials from Password Stores Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | Anomaly | DarkGate Malware, Prestige Ransomware, Windows Post-Exploitation | 2024-05-27 |
| Windows Disable Windows Group Policy Features Through Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | CISA AA23-347A, Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Windows Exfiltration Over C2 Via Powershell UploadString | Powershell Script Block Logging 4104 | T1041 | TTP | Winter Vivern | 2024-05-27 |
| Windows Impair Defense Change Win Defender Quick Scan Interval | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Windows Impair Defense Change Win Defender Throttle Rate | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Windows Impair Defense Disable Web Evaluation | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Windows Modify Show Compress Color And Info Tip Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | Data Destruction, Hermetic Wiper, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-27 |
| Windows Non Discord App Access Discord LevelDB | Windows Event Log Security 4663 | T1012 | Anomaly | Snake Keylogger | 2024-05-27 |
| Windows Powershell Cryptography Namespace | Powershell Script Block Logging 4104 | T1059.001, T1059 | Anomaly | AsyncRAT | 2024-05-27 |
| Windows Proxy Via Registry | Sysmon EventID 12, Sysmon EventID 13 | T1090.001, T1090 | Anomaly | Volt Typhoon | 2024-05-27 |
| Windows UAC Bypass Suspicious Escalation Behavior | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548, T1548.002 | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-05-27 |
| Windows Unsigned MS DLL Side-Loading | Sysmon EventID 7 | T1574.002, T1547 | Anomaly | APT29 Diplomatic Deceptions with WINELOADER | 2024-05-27 |
| SMB Traffic Spike | | T1021.002, T1021 | Anomaly | DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware | 2024-05-27 |
| Zscaler Scam Destinations Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-27 |
| Detect Risky SPL using Pretrained ML Model | | T1059 | Anomaly | Splunk Vulnerabilities | 2024-05-26 |
| Okta Successful Single Factor Authentication | Okta | T1586, T1586.003, T1078, T1078.004, T1621 | Anomaly | Okta Account Takeover | 2024-05-26 |
| Path traversal SPL injection | Splunk | T1083 | TTP | Splunk Vulnerabilities | 2024-05-26 |
| Splunk RCE via Serialized Session Payload | Splunk | T1190 | Hunting | Splunk Vulnerabilities | 2024-05-26 |
| AWS Defense Evasion Delete CloudWatch Log Group | AWS CloudTrail DeleteLogGroup | T1562, T1562.008 | TTP | AWS Defense Evasion | 2024-05-26 |
| AWS Defense Evasion Impair Security Services | AWS CloudTrail DeleteAlarms, AWS CloudTrail DeleteDetector, AWS CloudTrail DeleteIPSet, AWS CloudTrail DeleteLogStream, AWS CloudTrail DeleteRule, AWS CloudTrail DeleteWebACL | T1562.008, T1562 | Hunting | AWS Defense Evasion | 2024-05-26 |
| AWS Successful Console Authentication From Multiple IPs | AWS CloudTrail ConsoleLogin | T1586, T1535 | Anomaly | Compromised User Account, Suspicious AWS Login Activities | 2024-05-26 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | T1078 | Anomaly | Azure Active Directory Account Takeover | 2024-05-26 |
| Azure AD Successful Authentication From Different Ips | Azure Active Directory | T1110, T1110.001, T1110.003 | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2024-05-26 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user | T1098 | TTP | Azure Active Directory Persistence | 2024-05-26 |
| Kubernetes Anomalous Inbound to Outbound Network IO Ratio | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-26 |
| O365 Block User Consent For Risky Apps Disabled | O365 Update authorization policy. | T1562 | TTP | Office 365 Account Takeover | 2024-05-26 |
| O365 Multiple Failed MFA Requests For User | O365 UserLoginFailed | T1621 | TTP | Office 365 Account Takeover | 2024-05-26 |
| O365 User Consent Blocked for Risky Application | O365 Consent to application. | T1528 | TTP | Office 365 Account Takeover | 2024-05-26 |
| Active Directory Privilege Escalation Identified | | T1484 | Correlation | Active Directory Privilege Escalation | 2024-05-26 |
| Change To Safe Mode With Network Config | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | BlackMatter Ransomware | 2024-05-26 |
| Common Ransomware Extensions | Sysmon EventID 11 | T1485 | Hunting | Clop Ransomware, LockBit Ransomware, Prestige Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-05-26 |
| Detect Mimikatz With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1003, T1059.001 | TTP | CISA AA22-264A, CISA AA22-320A, CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Sandworm Tools | 2024-05-26 |
| Disable Schedule Task | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001, T1562 | TTP | IcedID, Living Off The Land | 2024-05-26 |
| Disable Windows SmartScreen Protection | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-26 |
| Eventvwr UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002, T1548 | TTP | IcedID, Living Off The Land, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-26 |
| Headless Browser Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1564.003 | Hunting | Forest Blizzard | 2024-05-26 |
| High Frequency Copy Of Files In Network Share | Windows Event Log Security 5145 | T1537 | Anomaly | Information Sabotage, Insider Threat | 2024-05-26 |
| Impacket Lateral Movement WMIExec Commandline Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021, T1021.002, T1021.003, T1047, T1543.003 | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-05-26 |
| Linux At Allow Config File Creation | Sysmon for Linux EventID 11 | T1053.003, T1053 | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-26 |
| Loading Of Dynwrapx Module | Sysmon EventID 7 | T1055, T1055.001 | TTP | AsyncRAT, Remcos | 2024-05-26 |
| Log4Shell CVE-2021-44228 Exploitation | | T1105, T1190, T1059, T1133 | Correlation | CISA AA22-320A, Log4Shell CVE-2021-44228 | 2024-05-26 |
| Outbound Network Connection from Java Using Default Ports | Sysmon EventID 1, Sysmon EventID 3 | T1190, T1133 | TTP | Log4Shell CVE-2021-44228 | 2024-05-26 |
| PetitPotam Network Share Access Request | Windows Event Log Security 5145 | T1187 | TTP | PetitPotam NTLM Relay on Active Directory Certificate Services | 2024-05-26 |
| Powershell Using memory As Backing Store | Powershell Script Block Logging 4104 | T1059.001, T1059 | TTP | Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2024-05-26 |
| SLUI RunAs Elevated | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002, T1548 | TTP | DarkSide Ransomware, Windows Defense Evasion Tactics | 2024-05-26 |
| Steal or Forge Authentication Certificates Behavior Identified | | T1649 | Correlation | Windows Certificate Services | 2024-05-26 |
| Unusually Long Command Line - MLTK | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | | Anomaly | Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes | 2024-05-26 |
| Wermgr Process Spawned CMD Or Powershell Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Qakbot, Trickbot | 2024-05-26 |
| Windows Account Discovery for None Disable User Account | Powershell Script Block Logging 4104 | T1087, T1087.001 | Hunting | CISA AA23-347A | 2024-05-26 |
| Windows AD Privileged Account SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005, T1134 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-26 |
| Windows Default Group Policy Object Modified | Windows Event Log Security 5136 | T1484, T1484.001 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-05-26 |
| Windows Hide Notification Features Through Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-26 |
| Windows Modify Registry No Auto Reboot With Logon User | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | RedLine Stealer | 2024-05-26 |
| Windows MSHTA Writing to World Writable Path | Sysmon EventID 11 | T1218.005 | TTP | APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity | 2024-05-26 |
| Windows Multiple Users Failed To Authenticate From Host Using NTLM | Windows Event Log Security 4776 | T1110.003, T1110 | TTP | Active Directory Password Spraying, Volt Typhoon | 2024-05-26 |
| Windows Powershell RemoteSigned File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1059 | Anomaly | Amadey | 2024-05-26 |
| Windows Query Registry Reg Save | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1012 | Hunting | CISA AA23-347A, Prestige Ransomware, Windows Post-Exploitation | 2024-05-26 |
| Windows Root Domain linked policies Discovery | Powershell Script Block Logging 4104 | T1087.002, T1087 | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2024-05-26 |
| WMI Permanent Event Subscription | | T1047 | TTP | Suspicious WMI Use | 2024-05-26 |
| Plain HTTP POST Exfiltrated Data | Splunk Stream HTTP | T1048.003, T1048 | TTP | Command And Control, Data Exfiltration | 2024-05-26 |
| JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199 | Suricata | T1190 | TTP | JetBrains TeamCity Vulnerabilities | 2024-05-26 |
| Spring4Shell Payload URL Request | Nginx Access | T1505.003, T1505, T1190, T1133 | TTP | Spring4Shell CVE-2022-22965 | 2024-05-26 |
| Supernova Webshell | | T1505.003, T1133 | TTP | NOBELIUM Group | 2024-05-26 |
| Splunk Authentication Token Exposure in Debug Log | | T1654 | TTP | Splunk Vulnerabilities | 2024-05-25 |
| Splunk Data exfiltration from Analytics Workspace using sid query | Splunk | T1567 | Hunting | Splunk Vulnerabilities | 2024-05-25 |
| Splunk DOS via printf search function | Splunk | T1499.004 | Hunting | Splunk Vulnerabilities | 2024-05-25 |
| Splunk ES DoS Investigations Manager via Investigation Creation | Splunk | T1499 | TTP | Splunk Vulnerabilities | 2024-05-25 |
| ASL AWS Defense Evasion Delete CloudWatch Log Group | | T1562, T1562.008 | TTP | AWS Defense Evasion | 2024-05-25 |
| AWS ECR Container Upload Outside Business Hours | AWS CloudTrail PutImage | T1204.003, T1204 | Anomaly | Dev Sec Ops | 2024-05-25 |
| AWS High Number Of Failed Authentications For User | AWS CloudTrail ConsoleLogin | T1201 | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-05-25 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | T1098, T1098.003 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-05-25 |
| Circle CI Disable Security Step | CircleCI | T1554 | Anomaly | Dev Sec Ops | 2024-05-25 |
| Detect AWS Console Login by User from New City | AWS CloudTrail | T1586, T1586.003, T1535 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-25 |
| GCP Multi-Factor Authentication Disabled | | T1586, T1586.003, T1556, T1556.006 | TTP | GCP Account Takeover | 2024-05-25 |
| GCP Successful Single-Factor Authentication | Google Workspace login_success | T1586, T1586.003, T1078, T1078.004 | TTP | GCP Account Takeover | 2024-05-25 |
| High Number of Login Failures from a single source | O365 UserLoginFailed | T1110.001, T1110 | Anomaly | Office 365 Account Takeover | 2024-05-25 |
| Kubernetes Abuse of Secret by Unusual User Group | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2024-05-25 |
| Kubernetes Anomalous Outbound Network Activity from Process | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-25 |
Kubernetes Falco Shell Spawned
|
Kubernetes Falco
|
T1204
|
Anomaly
|
Kubernetes Security
|
2024-05-25
|
Kubernetes Shell Running on Worker Node
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-25
|
O365 Mailbox Folder Read Permission Granted
|
|
T1098
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2024-05-25
|
Detect Certify Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1649
T1105
|
TTP
|
Ingress Tool Transfer, Windows Certificate Services
|
2024-05-25
|
Domain Controller Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2024-05-25
|
Drop IcedID License dat
|
Sysmon EventID 11
|
T1204
T1204.002
|
Hunting
|
IcedID
|
2024-05-25
|
GetDomainController with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2024-05-25
|
Kerberos User Enumeration
|
Windows Event Log Security 4768
|
T1589
T1589.002
|
Anomaly
|
Active Directory Kerberos Attacks
|
2024-05-25
|
Linux Edit Cron Table Parameter
|
Sysmon for Linux EventID 1
|
T1053.003
T1053
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-25
|
Linux Hardware Addition SwapOff
|
Sysmon for Linux EventID 1
|
T1200
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-05-25
|
Linux Possible Access To Credential Files
|
Sysmon for Linux EventID 1
|
T1003.008
T1003
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-25
|
Linux Possible Append Command To At Allow Config File
|
Sysmon for Linux EventID 1
|
T1053.002
T1053
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-25
|
Local Account Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087
T1087.001
|
Hunting
|
Active Directory Discovery
|
2024-05-25
|
Non Chrome Process Accessing Chrome Default Dir
|
Windows Event Log Security 4663
|
T1555
T1555.003
|
Anomaly
|
3CX Supply Chain Attack, AgentTesla, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT
|
2024-05-25
|
Office Application Spawn rundll32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
AgentTesla, IcedID, NjRAT, Spearphishing Attachments, Trickbot
|
2024-05-25
|
Overwriting Accessibility Binaries
|
Sysmon EventID 11
|
T1546
T1546.008
|
TTP
|
Data Destruction, Flax Typhoon, Hermetic Wiper, Windows Privilege Escalation
|
2024-05-25
|
Print Processor Registry Autostart
|
Sysmon EventID 12, Sysmon EventID 13
|
T1547.012
T1547
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation
|
2024-05-25
|
Ransomware Notes bulk creation
|
Sysmon EventID 11
|
T1486
|
Anomaly
|
BlackMatter Ransomware, Chaos Ransomware, Clop Ransomware, DarkSide Ransomware, LockBit Ransomware, Rhysida Ransomware
|
2024-05-25
|
Registry Keys Used For Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
T1547.001
T1547
|
TTP
|
Amadey, AsyncRAT, Azorult, BlackByte Ransomware, BlackSuit Ransomware, CISA AA23-347A, Chaos Ransomware, DHS Report TA18-074A, DarkGate Malware, Emotet Malware DHS Report TA18-201A, IcedID, MoonPeak, NjRAT, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Qakbot, Ransomware, RedLine Stealer, Remcos, Snake Keylogger, Sneaky Active Directory Persistence Tricks, Suspicious MSHTA Activity, Suspicious Windows Registry Activities, Warzone RAT, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-25
|
Remote Process Instantiation via WinRM and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1021
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2024-05-25
|
Suspicious SearchProtocolHost no Command Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-25
|
Suspicious Ticket Granting Ticket Request
|
Windows Event Log Security 4768, Windows Event Log Security 4781
|
T1078
T1078.002
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation
|
2024-05-25
|
System Processes Run From Unexpected Locations
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1036.003
|
Anomaly
|
DarkGate Malware, Masquerading - Rename System Utilities, Qakbot, Ransomware, Suspicious Command-Line Executions, Unusual Processes, Windows Error Reporting Service Elevation of Privilege Vulnerability
|
2024-05-25
|
Unusual Number of Computer Service Tickets Requested
|
Windows Event Log Security 4769
|
T1078
|
Hunting
|
Active Directory Kerberos Attacks, Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-05-25
|
Windows AppLocker Execution from Uncommon Locations
|
|
T1218
|
Hunting
|
Windows AppLocker
|
2024-05-25
|
Windows Disable Lock Workstation Feature Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
Ransomware, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-25
|
Windows InProcServer32 New Outlook Form
|
Sysmon EventID 13
|
T1566
T1112
|
Anomaly
|
Outlook RCE CVE-2024-21378
|
2024-05-25
|
Windows Modify Registry With MD5 Reg Key Name
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
NjRAT
|
2024-05-25
|
Windows Multiple Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
T1110
|
TTP
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-05-25
|
Windows Parent PID Spoofing with Explorer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1134.004
T1134
|
TTP
|
Windows Defense Evasion Tactics
|
2024-05-25
|
Windows Service Create SliverC2
|
Windows Event Log System 7045
|
T1569
T1569.002
|
TTP
|
BishopFox Sliver Adversary Emulation Framework
|
2024-05-25
|
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
T1110
|
Anomaly
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-05-25
|
Detect Outbound SMB Traffic
|
|
T1071.002
T1071
|
TTP
|
DHS Report TA18-074A, Hidden Cobra Malware, NOBELIUM Group
|
2024-05-25
|
Citrix ADC Exploitation CVE-2023-3519
|
Palo Alto Network Threat
|
T1190
|
Hunting
|
CISA AA24-241A, Citrix Netscaler ADC CVE-2023-3519
|
2024-05-25
|
Log4Shell JNDI Payload Injection Attempt
|
Nginx Access
|
T1190
T1133
|
Anomaly
|
CISA AA22-257A, CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-25
|
Okta New Device Enrolled on Account
|
Okta
|
T1098
T1098.005
|
TTP
|
Okta Account Takeover
|
2024-05-24
|
Persistent XSS in RapidDiag through User Interface Views
|
Splunk
|
T1189
|
TTP
|
Splunk Vulnerabilities
|
2024-05-24
|
Splunk Code Injection via custom dashboard leading to RCE
|
|
T1210
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-24
|
ASL AWS Concurrent Sessions From Different Ips
|
|
T1185
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-24
|
AWS Disable Bucket Versioning
|
AWS CloudTrail PutBucketVersioning
|
T1490
|
Anomaly
|
Data Exfiltration, Suspicious AWS S3 Activities
|
2024-05-24
|
AWS Unusual Number of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-24
|
Azure AD OAuth Application Consent Granted By User
|
Azure Active Directory Consent to application
|
T1528
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-24
|
Azure AD Successful PowerShell Authentication
|
Azure Active Directory
|
T1586
T1586.003
T1078
T1078.004
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-24
|
Azure AD User ImmutableId Attribute Updated
|
Azure Active Directory Update user
|
T1098
|
TTP
|
Azure Active Directory Persistence
|
2024-05-24
|
Azure Automation Account Created
|
Azure Audit Create or Update an Azure Automation account
|
T1136
T1136.003
|
TTP
|
Azure Active Directory Persistence
|
2024-05-24
|
GCP Unusual Number of Failed Authentications From Ip
|
Google Workspace login_failure
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Anomaly
|
GCP Account Takeover
|
2024-05-24
|
Github Commit In Develop
|
GitHub
|
T1199
|
Anomaly
|
Dev Sec Ops
|
2024-05-24
|
Kubernetes Anomalous Traffic on Network Edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-24
|
O365 Compliance Content Search Exported
|
|
T1114
T1114.002
|
TTP
|
Office 365 Collection Techniques
|
2024-05-24
|
O365 Mailbox Email Forwarding Enabled
|
|
T1114
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2024-05-24
|
Risk Rule for Dev Sec Ops by Repository
|
|
T1204.003
T1204
|
Correlation
|
Dev Sec Ops
|
2024-05-24
|
AdsiSearcher Account Discovery
|
Powershell Script Block Logging 4104
|
T1087.002
T1087
|
TTP
|
Active Directory Discovery, CISA AA23-347A, Data Destruction, Industroyer2
|
2024-05-24
|
Detect RTLO In File Name
|
Sysmon EventID 11
|
T1036.002
T1036
|
TTP
|
Spearphishing Attachments
|
2024-05-24
|
Disable Defender Enhanced Notification
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-24
|
Disable ETW Through Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
CISA AA23-347A, Ransomware, Windows Registry Abuse
|
2024-05-24
|
Disable UAC Remote Restriction
|
Sysmon EventID 12, Sysmon EventID 13
|
T1548.002
T1548
|
TTP
|
CISA AA23-347A, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
Elevated Group Discovery With Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.002
|
TTP
|
Active Directory Discovery
|
2024-05-24
|
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
|
Windows Event Log Security 4738
|
T1558
T1558.004
|
TTP
|
Active Directory Kerberos Attacks, BlackSuit Ransomware
|
2024-05-24
|
Linux Disable Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-05-24
|
Linux Persistence and Privilege Escalation Risk Behavior
|
|
T1548
|
Correlation
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
Linux Possible Access Or Modification Of sshd Config File
|
Sysmon for Linux EventID 1
|
T1098.004
T1098
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
Linux Setuid Using Setcap Utility
|
Sysmon for Linux EventID 1
|
T1548.001
T1548
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-24
|
Linux System Network Discovery
|
Sysmon for Linux EventID 1
|
T1016
|
Anomaly
|
Data Destruction, Industroyer2, Network Discovery
|
2024-05-24
|
Office Product Spawn CMD Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
AgentTesla, Azorult, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, NjRAT, PlugX, Qakbot, Remcos, Trickbot, Warzone RAT
|
2024-05-24
|
Powershell Fileless Script Contains Base64 Encoded Content
|
Powershell Script Block Logging 4104
|
T1059
T1027
T1059.001
|
TTP
|
AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, NjRAT, Winter Vivern
|
2024-05-24
|
Powershell Get LocalGroup Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery
|
2024-05-24
|
Processes launching netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.004
T1562
|
Anomaly
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, Netsh Abuse, ShrinkLocker, Snake Keylogger, Volt Typhoon
|
2024-05-24
|
Remcos RAT File Creation in Remcos Folder
|
Sysmon EventID 11
|
T1113
|
TTP
|
Remcos
|
2024-05-24
|
Remote Desktop Process Running On System
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1021
|
Hunting
|
Active Directory Lateral Movement, Hidden Cobra Malware
|
2024-05-24
|
Remote System Discovery with Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery
|
2024-05-24
|
Revil Registry Entry
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688
|
T1112
|
TTP
|
Ransomware, Revil Ransomware, Windows Registry Abuse
|
2024-05-24
|
Suspicious mshta child process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.005
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-05-24
|
Unloading AMSI via Reflection
|
Powershell Script Block Logging 4104
|
T1562
T1059.001
T1059
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-05-24
|
Windows AD DSRM Account Changes
|
Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques, Windows Registry Abuse
|
2024-05-24
|
Windows App Layer Protocol Wermgr Connect To NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2024-05-24
|
Windows Command Shell DCRat ForkBomb Payload
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
T1059
|
TTP
|
DarkCrystal RAT
|
2024-05-24
|
Windows Data Destruction Recursive Exec Files Deletion
|
Sysmon EventID 23
|
T1485
|
TTP
|
Data Destruction, Handala Wiper, Swift Slicer
|
2024-05-24
|
Windows Impair Defense Disable Defender Protocol Recognition
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
Windows Impair Defense Disable PUA Protection
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
Windows Impair Defenses Disable HVCI
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
BlackLotus Campaign, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-24
|
Windows LSA Secrets NoLMhash Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1003.004
|
TTP
|
CISA AA23-347A
|
2024-05-24
|
Windows Masquerading Explorer As Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.002
T1574
|
TTP
|
Qakbot
|
2024-05-24
|
Windows Process Injection Remote Thread
|
Sysmon EventID 8
|
T1055
T1055.002
|
TTP
|
Graceful Wipe Out Attack, Qakbot, Warzone RAT
|
2024-05-24
|
Windows Special Privileged Logon On Multiple Hosts
|
Windows Event Log Security 4672
|
T1087
T1021.002
T1135
|
TTP
|
Active Directory Lateral Movement, Active Directory Privilege Escalation
|
2024-05-24
|
Windows Steal Authentication Certificates - ESC1 Authentication
|
Windows Event Log Security 4768, Windows Event Log Security 4887
|
T1649
T1550
|
TTP
|
Windows Certificate Services
|
2024-05-24
|
Windows Steal Authentication Certificates Certificate Request
|
Windows Event Log Security 4886
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-05-24
|
Windows System File on Disk
|
Sysmon EventID 11
|
T1068
|
Hunting
|
CISA AA22-264A, Windows Drivers
|
2024-05-24
|
Windows Time Based Evasion
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1497
T1497.003
|
TTP
|
NjRAT
|
2024-05-24
|
Detect Large Outbound ICMP Packets
|
|
T1095
|
TTP
|
Command And Control
|
2024-05-24
|
High Volume of Bytes Out to Url
|
Nginx Access
|
T1567
|
Anomaly
|
Data Exfiltration
|
2024-05-24
|
Ngrok Reverse Proxy on Network
|
Sysmon EventID 22
|
T1572
T1090
T1102
|
Anomaly
|
CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy
|
2024-05-24
|
ConnectWise ScreenConnect Authentication Bypass
|
Suricata
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-24
|
F5 TMUI Authentication Bypass
|
Suricata
|
|
TTP
|
F5 Authentication Bypass with TMUI
|
2024-05-24
|
Jenkins Arbitrary File Read CVE-2024-23897
|
Nginx Access
|
T1190
|
TTP
|
Jenkins Server Vulnerabilities
|
2024-05-24
|
Zscaler Privacy Risk Destinations Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-24
|
Splunk Process Injection Forwarder Bundle Downloads
|
Splunk
|
T1055
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
Splunk protocol impersonation weak encryption simplerequest
|
Splunk
|
T1588.004
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
Splunk Reflected XSS in the templates lists radio
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
Splunk Reflected XSS on App Search Table Endpoint
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
aws detect permanent key creation
|
|
T1078
|
Hunting
|
AWS Cross Account Activity
|
2024-05-23
|
AWS Exfiltration via Batch Service
|
AWS CloudTrail JobCreated
|
T1119
|
TTP
|
Data Exfiltration
|
2024-05-23
|
AWS High Number Of Failed Authentications From Ip
|
AWS CloudTrail ConsoleLogin
|
T1110
T1110.003
T1110.004
|
Anomaly
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-23
|
AWS IAM Assume Role Policy Brute Force
|
AWS CloudTrail
|
T1580
T1110
|
TTP
|
AWS IAM Privilege Escalation
|
2024-05-23
|
AWS SAML Access by Provider User and Principal
|
AWS CloudTrail AssumeRoleWithSAML
|
T1078
|
Anomaly
|
Cloud Federated Credential Abuse
|
2024-05-23
|
Azure AD Block User Consent For Risky Apps Disabled
|
Azure Active Directory Update authorization policy
|
T1562
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
Azure AD Multi-Factor Authentication Disabled
|
Azure Active Directory Disable Strong Authentication
|
T1586
T1586.003
T1556
T1556.006
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
Azure AD Successful Single-Factor Authentication
|
Azure Active Directory
|
T1586
T1586.003
T1078
T1078.004
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-23
|
Azure AD Tenant Wide Admin Consent Granted
|
Azure Active Directory Consent to application
|
T1098
T1098.003
|
TTP
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-23
|
Azure Runbook Webhook Created
|
Azure Audit Create or Update an Azure Automation webhook
|
T1078
T1078.004
|
TTP
|
Azure Active Directory Persistence
|
2024-05-23
|
GCP Multiple Failed MFA Requests For User
|
Google Workspace login_failure
|
T1586
T1586.003
T1621
T1078
T1078.004
|
TTP
|
GCP Account Takeover
|
2024-05-23
|
O365 ApplicationImpersonation Role Assigned
|
O365
|
T1098
T1098.002
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques, Office 365 Persistence Mechanisms
|
2024-05-23
|
O365 Multiple Users Failing To Authenticate From Ip
|
O365 UserLoginFailed
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
TTP
|
NOBELIUM Group, Office 365 Account Takeover
|
2024-05-23
|
O365 New Email Forwarding Rule Enabled
|
|
T1114
T1114.003
|
TTP
|
Office 365 Collection Techniques
|
2024-05-23
|
Allow Inbound Traffic In Firewall Rule
|
Powershell Script Block Logging 4104
|
T1021.001
T1021
|
TTP
|
Prohibited Traffic Allowed or Protocol Mismatch
|
2024-05-23
|
Delete ShadowCopy With PowerShell
|
Powershell Script Block Logging 4104
|
T1490
|
TTP
|
DarkGate Malware, DarkSide Ransomware, Ransomware, Revil Ransomware
|
2024-05-23
|
Download Files Using Telegram
|
Sysmon EventID 15
|
T1105
|
TTP
|
Phemedrone Stealer, Snake Keylogger, XMRig
|
2024-05-23
|
Excessive Usage Of Net App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1531
|
Anomaly
|
Azorult, Graceful Wipe Out Attack, Prestige Ransomware, Ransomware, Rhysida Ransomware, Windows Post-Exploitation, XMRig
|
2024-05-23
|
Extraction of Registry Hives
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.002
T1003
|
TTP
|
CISA AA22-257A, CISA AA23-347A, Credential Dumping, DarkSide Ransomware, Volt Typhoon
|
2024-05-23
|
Get WMIObject Group Discovery with Script Block Logging
|
Powershell Script Block Logging 4104
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery
|
2024-05-23
|
GetLocalUser with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087
T1087.001
|
Hunting
|
Active Directory Discovery
|
2024-05-23
|
Linux Account Manipulation Of SSH Config and Keys
|
Sysmon for Linux EventID 11
|
T1485
T1070.004
T1070
|
Anomaly
|
AcidRain
|
2024-05-23
|
Linux Add User Account
|
Sysmon for Linux EventID 1
|
T1136.001
T1136
|
Hunting
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-23
|
Network Connection Discovery With Netstat
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery, CISA AA22-277A, CISA AA23-347A, PlugX, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation
|
2024-05-23
|
Remote Process Instantiation via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Ransomware, Suspicious WMI Use
|
2024-05-23
|
Sdelete Application Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1485
T1070.004
T1070
|
TTP
|
Masquerading - Rename System Utilities
|
2024-05-23
|
Spoolsv Suspicious Loaded Modules
|
Sysmon EventID 7
|
T1547.012
T1547
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-23
|
Suspicious Rundll32 PluginInit
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
IcedID
|
2024-05-23
|
System User Discovery With Query
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery
|
2024-05-23
|
Wermgr Process Create Executable File
|
Sysmon EventID 11
|
T1027
|
TTP
|
Trickbot
|
2024-05-23
|
Windows Driver Inventory
|
|
T1068
|
Hunting
|
Windows Drivers
|
2024-05-23
|
Windows File Transfer Protocol In Non-Common Process Path
|
Sysmon EventID 3
|
T1071.003
T1071
|
Anomaly
|
AgentTesla, Snake Keylogger
|
2024-05-23
|
Windows Impair Defense Add Xml Applocker Rules
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
Hunting
|
Azorult
|
2024-05-23
|
Windows Impair Defense Disable Win Defender Report Infection
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-23
|
Windows Modify Registry MaxConnectionPerServer
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
Warzone RAT
|
2024-05-23
|
Windows Njrat Fileless Storage via Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1027.011
T1027
|
TTP
|
NjRAT
|
2024-05-23
|
Windows Phishing PDF File Executes URL Link
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566.001
T1566
|
Anomaly
|
Snake Keylogger, Spearphishing Attachments
|
2024-05-23
|
Windows PowerShell Get CIMInstance Remote Computer
|
Powershell Script Block Logging 4104
|
T1059.001
|
Anomaly
|
Active Directory Lateral Movement
|
2024-05-23
|
Windows Privilege Escalation Suspicious Process Elevation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
T1548
T1134
|
TTP
|
BlackSuit Ransomware, Windows Privilege Escalation
|
2024-05-23
|
Windows Process Writing File to World Writable Path
|
|
T1218.005
|
Hunting
|
APT29 Diplomatic Deceptions with WINELOADER
|
2024-05-23
|
Windows Remote Service Rdpwinst Tool Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1021.001
T1021
|
TTP
|
Azorult
|
2024-05-23
|
Windows Spearphishing Attachment Connect To None MS Office Domain
|
Sysmon EventID 22
|
T1566.001
T1566
|
Hunting
|
AsyncRAT, Spearphishing Attachments
|
2024-05-23
|
Windows System User Privilege Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
CISA AA23-347A
|
2024-05-23
|
Windows WinLogon with Public Network Connection
|
Sysmon EventID 1, Sysmon EventID 3
|
T1542.003
|
Hunting
|
BlackLotus Campaign
|
2024-05-23
|
Splunk Identified SSL TLS Certificates
|
Splunk Stream TCP
|
T1040
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-23
|
PaperCut NG Remote Web Access Attempt
|
Suricata
|
T1190
T1133
|
TTP
|
PaperCut MF NG Vulnerability
|
2024-05-23
|
Zscaler Legal Liability Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-23
|
PingID Mismatch Auth Source and Verification Response
|
PingID
|
T1621
T1556.006
T1098.005
|
TTP
|
Compromised User Account
|
2024-05-22
|
Splunk Path Traversal In Splunk App For Lookup File Edit
|
Splunk
|
T1083
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-22
|
ASL AWS IAM Delete Policy
|
|
T1098
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-05-22
|
ASL AWS Multi-Factor Authentication Disabled
|
|
T1586
T1586.003
T1621
T1556
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-22
|
Azure Active Directory High Risk Sign-in
|
Azure Active Directory
|
T1586
T1586.003
T1110
T1110.003
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-22
|
Cloud Provisioning Activity From Previously Unseen Country
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud Provisioning Activities
|
2024-05-22
|
GCP Multiple Users Failing To Authenticate From Ip
|
Google Workspace login_failure
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Anomaly
|
GCP Account Takeover
|
2024-05-22
|
Github Commit Changes In Master
|
GitHub
|
T1199
|
Anomaly
|
Dev Sec Ops
|
2024-05-22
|
Kubernetes Abuse of Secret by Unusual User Agent
|
Kubernetes Audit
|
T1552.007
|
Anomaly
|
Kubernetes Security
|
2024-05-22
|
O365 User Consent Denied for OAuth Application
|
O365
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2024-05-22
|
Allow Inbound Traffic By Firewall Rule Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1021.001
T1021
|
TTP
|
Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse
|
2024-05-22
|
Bcdedit Command Back To Normal Mode Boot
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
BlackMatter Ransomware
|
2024-05-22
|
Common Ransomware Notes
|
Sysmon EventID 11
|
T1485
|
Hunting
|
Chaos Ransomware, Clop Ransomware, LockBit Ransomware, Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware
|
2024-05-22
|
Creation of lsass Dump with Taskmgr
|
Sysmon EventID 11
|
T1003.001
T1003
|
TTP
|
CISA AA22-257A, Credential Dumping
|
2024-05-22
|
Detect Rundll32 Inline HTA Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.005
|
TTP
|
Living Off The Land, NOBELIUM Group, Suspicious MSHTA Activity
|
2024-05-22
|
Disable Defender BlockAtFirstSeen Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-22
|
Disabling SystemRestore In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1490
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-22
|
Domain Group Discovery With Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.002
|
Hunting
|
Active Directory Discovery
|
2024-05-22
|
Elevated Group Discovery With Net
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.002
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, Rhysida Ransomware, Volt Typhoon
|
2024-05-22
|
Get WMIObject Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery
|
2024-05-22
|
GetAdGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069
T1069.002
|
Hunting
|
Active Directory Discovery
|
2024-05-22
|
GetNetTcpconnection with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1049
|
Hunting
|
Active Directory Discovery
|
2024-05-22
|
GetWmiObject User Account with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087
T1087.001
|
Hunting
|
Active Directory Discovery, Winter Vivern
|
2024-05-22
|
Linux Change File Owner To Root
|
Sysmon for Linux EventID 1
|
T1222.002
T1222
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-22
|
Linux Doas Tool Execution
|
Sysmon for Linux EventID 1
|
T1548.003
T1548
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-22
|
Linux Shred Overwrite Command
|
Sysmon for Linux EventID 1
|
T1485
|
TTP
|
AwfulShred, Data Destruction, Industroyer2, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-22
|
MacOS plutil
|
osquery
|
T1647
|
TTP
|
Living Off The Land
|
2024-05-22
|
Process Execution via WMI
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
TTP
|
Suspicious WMI Use
|
2024-05-22
|
Rundll32 Process Creating Exe Dll Files
|
Sysmon EventID 11
|
T1218
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2024-05-22
|
Ryuk Wake on LAN Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.003
|
TTP
|
Ryuk Ransomware
|
2024-05-22
|
SAM Database File Access Attempt
|
Windows Event Log Security 4663
|
T1003.002
T1003
|
Hunting
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-05-22
|
Suspicious IcedID Rundll32 Cmdline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2024-05-22
|
Suspicious MSBuild Rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1127
T1036.003
T1127.001
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-22
|
Windows Abused Web Services
|
Sysmon EventID 22
|
T1102
|
TTP
|
CISA AA24-241A, NjRAT
|
2024-05-22
|
Windows AD Same Domain SID History Addition
|
Windows Event Log Security 4738, Windows Event Log Security 4742
|
T1134.005
T1134
|
TTP
|
Sneaky Active Directory Persistence Tricks, Windows Persistence Techniques
|
2024-05-22
|
Windows AD ServicePrincipalName Added To Domain Account
|
Windows Event Log Security 5136
|
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-22
|
Windows App Layer Protocol Qakbot NamedPipe
|
Sysmon EventID 17, Sysmon EventID 18
|
T1071
|
Anomaly
|
Qakbot
|
2024-05-22
|
Windows Archive Collected Data via Rar
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1560.001
T1560
|
Anomaly
|
DarkGate Malware
|
2024-05-22
|
Windows DLL Side-Loading Process Child Of Calc
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.002
T1574
|
Anomaly
|
Qakbot
|
2024-05-22
|
Windows Driver Load Non-Standard Path
|
Windows Event Log System 7045
|
T1014
T1068
|
TTP
|
AgentTesla, BlackByte Ransomware, BlackSuit Ransomware, CISA AA22-320A, Windows Drivers
|
2024-05-22
|
Windows File Without Extension In Critical Folder
|
Sysmon EventID 1, Sysmon EventID 11
|
T1485
|
TTP
|
Data Destruction, Hermetic Wiper
|
2024-05-22
|
Windows Get Local Admin with FindLocalAdminAccess
|
Powershell Script Block Logging 4104
|
T1087
T1087.002
|
TTP
|
Active Directory Discovery
|
2024-05-22
|
Windows Impair Defense Configure App Install Control
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-22
|
Windows Modify Registry Auto Update Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2024-05-22
|
Windows Modify Registry DisAllow Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
TTP
|
Azorult
|
2024-05-22
|
Windows Modify Registry ProxyEnable
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
DarkGate Malware
|
2024-05-22
|
Windows MSExchange Management Mailbox Cmdlet Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.001
|
Anomaly
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-22
|
Windows Multi hop Proxy TOR Website Query
|
Sysmon EventID 22
|
T1071.003
T1071
|
Anomaly
|
AgentTesla
|
2024-05-22
|
Windows Phishing Outlook Drop Dll In FORM Dir
|
Sysmon EventID 11
|
T1566
|
TTP
|
Outlook RCE CVE-2024-21378
|
2024-05-22
|
Windows PowerShell Add Module to Global Assembly Cache
|
Powershell Script Block Logging 4104
|
T1505
T1505.004
|
TTP
|
IIS Components
|
2024-05-22
|
Windows Remote Services Allow Remote Assistance
|
Sysmon EventID 12, Sysmon EventID 13
|
T1021.001
T1021
|
Anomaly
|
Azorult
|
2024-05-22
|
Windows Service Create RemComSvc
|
Windows Event Log System 7045
|
T1543.003
T1543
|
Anomaly
|
Active Directory Discovery
|
2024-05-22
|
Windows System LogOff Commandline
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Anomaly
|
DarkCrystal RAT, NjRAT
|
2024-05-22
|
Windows UAC Bypass Suspicious Child Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548
T1548.002
|
TTP
|
Living Off The Land, Windows Defense Evasion Tactics
|
2024-05-22
|
Windows Unsecured Outlook Credentials Access In Registry
|
Windows Event Log Security 4663
|
T1552
|
Anomaly
|
Snake Keylogger
|
2024-05-22
|
Detect DNS Data Exfiltration using pretrained model in DSDL
|
|
T1048.003
|
Anomaly
|
Command And Control, DNS Hijacking, Suspicious DNS Traffic
|
2024-05-22
|
DNS Query Length Outliers - MLTK
|
|
T1071.004
T1071
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2024-05-22
|
Confluence CVE-2023-22515 Trigger Vulnerability
|
Suricata
|
T1190
|
TTP
|
CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server
|
2024-05-22
|
Web Spring Cloud Function FunctionRouter
|
Splunk Stream HTTP
|
T1190
T1133
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-22
|
Zscaler CryptoMiner Downloaded Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Zscaler Potentially Abused File Download
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-22
|
Okta ThreatInsight Threat Detected
|
Okta
|
T1078
T1078.004
|
Anomaly
|
Okta Account Takeover
|
2024-05-21
|
PingID New MFA Method After Credential Reset
|
PingID
|
T1621
T1556.006
T1098.005
|
TTP
|
Compromised User Account
|
2024-05-21
|
Splunk Command and Scripting Interpreter Delete Usage
|
Splunk
|
T1059
|
Anomaly
|
Splunk Vulnerabilities
|
2024-05-21
|
Splunk list all nonstandard admin accounts
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-21
|
Splunk protocol impersonation weak encryption selfsigned
|
Splunk
|
T1588.004
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-21
|
Splunk User Enumeration Attempt
|
Splunk
|
T1078
|
TTP
|
Splunk Vulnerabilities
|
2024-05-21
|
AWS Credential Access GetPasswordData
|
AWS CloudTrail GetPasswordData
|
T1586
T1586.003
T1110
T1110.001
|
Anomaly
|
AWS Identity and Access Management Account Takeover
|
2024-05-21
|
Azure AD Service Principal Authentication
|
Azure Active Directory Sign-in activity
|
T1078.004
|
TTP
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-05-21
|
Gsuite Drive Share In External Email
|
G Suite Drive
|
T1567.002
T1567
|
Anomaly
|
Dev Sec Ops, Insider Threat
|
2024-05-21
|
Gsuite suspicious calendar invite
|
|
T1566
|
Hunting
|
Spearphishing Attachments
|
2024-05-21
|
Kubernetes Unauthorized Access
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2024-05-21
|
O365 Multiple Service Principals Created by User
|
O365 Add service principal.
|
T1136.003
|
Anomaly
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-21
|
3CX Supply Chain Attack Network Indicators
|
Sysmon EventID 22
|
T1195.002
|
TTP
|
3CX Supply Chain Attack
|
2024-05-21
|
Clop Ransomware Known Service Name
|
Windows Event Log System 7045
|
T1543
|
TTP
|
Clop Ransomware
|
2024-05-21
|
Create Remote Thread In Shell Application
|
Sysmon EventID 8
|
T1055
|
TTP
|
IcedID, Qakbot, Warzone RAT
|
2024-05-21
|
Detect Exchange Web Shell
|
Sysmon EventID 1, Sysmon EventID 11
|
T1505
T1505.003
T1190
T1133
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, HAFNIUM Group, ProxyNotShell, ProxyShell
|
2024-05-21
|
Detect Rare Executables
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1204
|
Anomaly
|
Rhysida Ransomware, Unusual Processes
|
2024-05-21
|
Disable Defender MpEngine Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
IcedID, Windows Registry Abuse
|
2024-05-21
|
Exchange PowerShell Abuse via SSRF
|
|
T1190
T1133
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
Executables Or Script Creation In Suspicious Path
|
Sysmon EventID 11
|
T1036
|
Anomaly
|
AcidPour, AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, NjRAT, PlugX, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Snake Keylogger, Swift Slicer, Trickbot, Volt Typhoon, Warzone RAT, WhisperGate, XMRig
|
2024-05-21
|
First Time Seen Running Windows Service
|
Windows Event Log System 7036
|
T1569
T1569.002
|
Anomaly
|
NOBELIUM Group, Orangeworm Attack Group, Windows Service Abuse
|
2024-05-21
|
Get-DomainTrust with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1482
|
TTP
|
Active Directory Discovery
|
2024-05-21
|
GetCurrent User with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1033
|
Hunting
|
Active Directory Discovery
|
2024-05-21
|
Linux Deletion Of Cron Jobs
|
Sysmon for Linux EventID 11
|
T1485
T1070.004
T1070
|
Anomaly
|
AcidPour, AcidRain, Data Destruction
|
2024-05-21
|
Linux Stdout Redirection To Dev Null File
|
Sysmon for Linux EventID 1
|
T1562.004
T1562
|
Anomaly
|
Cyclops Blink, Data Destruction, Industroyer2
|
2024-05-21
|
Living Off The Land Detection
|
|
T1105
T1190
T1059
T1133
|
Correlation
|
Living Off The Land
|
2024-05-21
|
MS Scripting Process Loading WMI Module
|
Sysmon EventID 7
|
T1059
T1059.007
|
Anomaly
|
FIN7
|
2024-05-21
|
Net Localgroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery, Azorult, Graceful Wipe Out Attack, IcedID, Prestige Ransomware, Rhysida Ransomware, Volt Typhoon, Windows Discovery Techniques, Windows Post-Exploitation
|
2024-05-21
|
Powershell COM Hijacking InprocServer32 Modification
|
Powershell Script Block Logging 4104
|
T1546.015
T1059
T1059.001
|
TTP
|
Malicious PowerShell
|
2024-05-21
|
Powershell Disable Security Monitoring
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
TTP
|
CISA AA24-241A, Ransomware, Revil Ransomware
|
2024-05-21
|
PowerShell Domain Enumeration
|
Powershell Script Block Logging 4104
|
T1059
T1059.001
|
TTP
|
CISA AA23-347A, Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-05-21
|
PowerShell Get LocalGroup Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery
|
2024-05-21
|
Recon AVProduct Through Pwh or WMI
|
Powershell Script Block Logging 4104
|
T1592
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, MoonPeak, Prestige Ransomware, Qakbot, Ransomware, Windows Post-Exploitation
|
2024-05-21
|
Rundll32 with no Command Line Arguments with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1218
T1218.011
|
TTP
|
BlackByte Ransomware, BlackSuit Ransomware, Cobalt Strike, Graceful Wipe Out Attack, PrintNightmare CVE-2021-34527, Suspicious Rundll32 Activity
|
2024-05-21
|
Suspicious WAV file in Appdata Folder
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 11, Windows Event Log Security 4688
|
T1113
|
TTP
|
Remcos
|
2024-05-21
|
System Info Gathering Using Dxdiag Application
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1592
|
Hunting
|
Remcos
|
2024-05-21
|
Verclsid CLSID Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.012
T1218
|
Hunting
|
Unusual Processes
|
2024-05-21
|
Windows AD Abnormal Object Access Activity
|
Windows Event Log Security 4662
|
T1087
T1087.002
|
Anomaly
|
Active Directory Discovery, BlackSuit Ransomware
|
2024-05-21
|
Windows AD Short Lived Server Object
|
Windows Event Log Security 5137, Windows Event Log Security 5141
|
T1207
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2024-05-21
|
Windows Change Default File Association For No File Ext
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1546.001
T1546
|
TTP
|
Prestige Ransomware
|
2024-05-21
|
Windows Defacement Modify Transcodedwallpaper File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1491
|
Anomaly
|
Brute Ratel C4
|
2024-05-21
|
Windows Defender Exclusion Registry Entry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Azorult, Qakbot, Remcos, Warzone RAT, Windows Defense Evasion Tactics
|
2024-05-21
|
Windows Executable in Loaded Modules
|
Sysmon EventID 7
|
T1129
|
TTP
|
NjRAT
|
2024-05-21
|
Windows Exfiltration Over C2 Via Invoke RestMethod
|
Powershell Script Block Logging 4104
|
T1041
|
TTP
|
Winter Vivern
|
2024-05-21
|
Windows Files and Dirs Access Rights Modification Via Icacls
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222.001
T1222
|
TTP
|
Amadey
|
2024-05-21
|
Windows Impair Defense Set Win Defender Smart Screen Level To Warn
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-21
|
Windows Modify Registry Disable Toast Notifications
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult
|
2024-05-21
|
Windows Modify Registry Disable Windows Security Center Notif
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
Azorult, CISA AA23-347A
|
2024-05-21
|
Windows Modify Registry Do Not Connect To Win Update
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2024-05-21
|
Windows Modify Registry LongPathsEnabled
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
BlackByte Ransomware
|
2024-05-21
|
Windows Multiple Accounts Deleted
|
Windows Event Log Security 4726
|
T1098
T1078
|
TTP
|
Azure Active Directory Persistence
|
2024-05-21
|
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos
|
Windows Event Log Security 4768
|
T1110.003
T1110
|
TTP
|
Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon
|
2024-05-21
|
Windows PowerShell Export PfxCertificate
|
Powershell Script Block Logging 4104
|
T1552.004
T1552
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-05-21
|
Windows Process Injection Of Wermgr to Known Browser
|
Sysmon EventID 8
|
T1055.001
T1055
|
TTP
|
Qakbot
|
2024-05-21
|
Windows Remote Access Software BRC4 Loaded Dll
|
Sysmon EventID 7
|
T1219
T1003
|
Anomaly
|
Brute Ratel C4
|
2024-05-21
|
Windows Service Created with Suspicious Service Path
|
Windows Event Log System 7045
|
T1569
T1569.002
|
TTP
|
Active Directory Lateral Movement, Brute Ratel C4, CISA AA23-347A, Clop Ransomware, Flax Typhoon, PlugX, Qakbot, Snake Malware
|
2024-05-21
|
Windows SOAPHound Binary Execution
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1069.001
T1482
T1087.001
T1087
T1069.002
T1069
|
TTP
|
Windows Discovery Techniques
|
2024-05-21
|
Windows System Time Discovery W32tm Delay
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1124
|
Anomaly
|
DarkCrystal RAT
|
2024-05-21
|
Windows Unusual Count Of Users Failed To Authenticate From Process
|
Windows Event Log Security 4625
|
T1110.003
T1110
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-05-21
|
Windows WMI Process And Service List
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Anomaly
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-05-21
|
Detect Outbound LDAP Traffic
|
Bro
|
T1190
T1059
|
Hunting
|
Log4Shell CVE-2021-44228
|
2024-05-21
|
Detect SNICat SNI Exfiltration
|
|
T1041
|
TTP
|
Data Exfiltration
|
2024-05-21
|
SMB Traffic Spike - MLTK
|
|
T1021.002
T1021
|
Anomaly
|
DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware
|
2024-05-21
|
Exploit Public Facing Application via Apache Commons Text
|
Nginx Access
|
T1505.003
T1505
T1190
T1133
|
Anomaly
|
Text4Shell CVE-2022-42889
|
2024-05-21
|
ProxyShell ProxyNotShell Behavior Detected
|
|
T1190
T1133
|
Correlation
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-21
|
Okta Multiple Failed MFA Requests For User
|
Okta
|
T1621
|
Anomaly
|
Okta Account Takeover
|
2024-05-20
|
Splunk Information Disclosure in Splunk Add-on Builder
|
Splunk
|
T1082
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-20
|
Splunk Persistent XSS Via URL Validation Bypass W Dashboard
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-20
|
aws detect sts assume role abuse
|
|
T1078
|
Hunting
|
AWS Cross Account Activity
|
2024-05-20
|
AWS IAM AccessDenied Discovery Events
|
AWS CloudTrail
|
T1580
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-20
|
Azure AD Multiple Failed MFA Requests For User
|
Azure Active Directory Sign-in activity
|
T1586
T1586.003
T1621
T1078
T1078.004
|
TTP
|
Azure Active Directory Account Takeover
|
2024-05-20
|
Azure AD Privileged Authentication Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1003.002
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-05-20
|
Circle CI Disable Security Job
|
CircleCI
|
T1554
|
Anomaly
|
Dev Sec Ops
|
2024-05-20
|
Kubernetes Scanner Image Pulling
|
|
T1526
|
TTP
|
Dev Sec Ops
|
2024-05-20
|
Active Directory Lateral Movement Identified
|
|
T1210
|
Correlation
|
Active Directory Lateral Movement
|
2024-05-20
|
Allow Operation with Consent Admin
|
Sysmon EventID 12, Sysmon EventID 13
|
T1548
|
TTP
|
Azorult, MoonPeak, Ransomware, Windows Registry Abuse
|
2024-05-20
|
CMD Carry Out String Command Parameter
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.003
T1059
|
Hunting
|
AsyncRAT, Azorult, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Hermetic Wiper, IcedID, Living Off The Land, Log4Shell CVE-2021-44228, NjRAT, PlugX, ProxyNotShell, Qakbot, RedLine Stealer, Rhysida Ransomware, Warzone RAT, WhisperGate, Winter Vivern
|
2024-05-20
|
ConnectWise ScreenConnect Path Traversal Windows SACL
|
Windows Event Log Security 4663
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-20
|
Credential Dumping via Symlink to Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
T1003
|
TTP
|
Credential Dumping
|
2024-05-20
|
CSC Net On The Fly Compilation
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1027.004
T1027
|
Hunting
|
Windows Defense Evasion Tactics
|
2024-05-20
|
Detect Excessive User Account Lockouts
|
|
T1078
T1078.003
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-20
|
Detect Use of cmd exe to Launch Script Interpreters
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.003
|
TTP
|
Azorult, Emotet Malware DHS Report TA18-201A, Suspicious Command-Line Executions
|
2024-05-20
|
Detect Webshell Exploit Behavior
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1505
T1505.003
|
TTP
|
BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Citrix ShareFile RCE CVE-2023-24489, Flax Typhoon, HAFNIUM Group, ProxyNotShell, ProxyShell, SysAid On-Prem Software CVE-2023-47246 Vulnerability, WS FTP Server Critical Vulnerabilities
|
2024-05-20
|
Detection of tools built by NirSoft
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1072
|
TTP
|
Emotet Malware DHS Report TA18-201A
|
2024-05-20
|
Excessive number of taskhost processes
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Anomaly
|
Meterpreter
|
2024-05-20
|
Fsutil Zeroing File
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
TTP
|
LockBit Ransomware, Ransomware
|
2024-05-20
|
GetAdGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.002
|
Hunting
|
Active Directory Discovery
|
2024-05-20
|
GetDomainGroup with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.002
|
TTP
|
Active Directory Discovery
|
2024-05-20
|
Linux At Application Execution
|
Sysmon for Linux EventID 1
|
T1053.002
T1053
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-20
|
Linux System Reboot Via System Request Key
|
Sysmon for Linux EventID 1
|
T1529
|
TTP
|
AwfulShred, Data Destruction
|
2024-05-20
|
Malicious Powershell Executed As A Service
|
Windows Event Log System 7045
|
T1569
T1569.002
|
TTP
|
Malicious PowerShell, Rhysida Ransomware
|
2024-05-20
|
Office Application Spawn Regsvr32 process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
IcedID, Qakbot
|
2024-05-20
|
Powershell Remote Services Add TrustedHost
|
Powershell Script Block Logging 4104
|
T1021.006
T1021
|
TTP
|
DarkGate Malware
|
2024-05-20
|
RunDLL Loading DLL By Ordinal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.011
|
TTP
|
IcedID, Living Off The Land, Suspicious Rundll32 Activity, Unusual Processes
|
2024-05-20
|
Ryuk Test Files Detected
|
Sysmon EventID 11
|
T1486
|
TTP
|
Ryuk Ransomware
|
2024-05-20
|
Sc exe Manipulating Windows Services
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543.003
T1543
|
TTP
|
Azorult, DHS Report TA18-074A, Disabling Security Tools, NOBELIUM Group, Orangeworm Attack Group, Windows Drivers, Windows Persistence Techniques, Windows Service Abuse
|
2024-05-20
|
SearchProtocolHost with no Command Line with Network
|
Sysmon EventID 1, Sysmon EventID 3
|
T1055
|
TTP
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack
|
2024-05-20
|
SecretDumps Offline NTDS Dumping Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
T1003
|
TTP
|
Credential Dumping, Graceful Wipe Out Attack, Rhysida Ransomware
|
2024-05-20
|
Services LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1543
T1543.003
|
TTP
|
Active Directory Lateral Movement, CISA AA23-347A, Living Off The Land, Qakbot
|
2024-05-20
|
Sqlite Module In Temp Folder
|
Sysmon EventID 11
|
T1005
|
TTP
|
IcedID
|
2024-05-20
|
Suspicious Scheduled Task from Public Directory
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1053
|
Anomaly
|
Azorult, CISA AA23-347A, CISA AA24-241A, DarkCrystal RAT, Living Off The Land, MoonPeak, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques
|
2024-05-20
|
Unusually Long Command Line
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
|
Anomaly
|
Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns, Ransomware, Suspicious Command-Line Executions, Unusual Processes
|
2024-05-20
|
Windows Access Token Manipulation SeDebugPrivilege
|
Windows Event Log Security 4703
|
T1134.002
T1134
|
Anomaly
|
AsyncRAT, Brute Ratel C4, CISA AA23-347A, DarkGate Malware, PlugX
|
2024-05-20
|
Windows AD Replication Request Initiated from Unsanctioned Location
|
Windows Event Log Security 4624, Windows Event Log Security 4662
|
T1003.006
T1003
|
TTP
|
Credential Dumping, Sneaky Active Directory Persistence Tricks
|
2024-05-20
|
Windows Admon Group Policy Object Created
|
Windows Active Directory Admon
|
T1484
T1484.001
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2024-05-20
|
Windows Bypass UAC via Pkgmgr Tool
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1548.002
|
Anomaly
|
Warzone RAT
|
2024-05-20
|
Windows Computer Account Created by Computer Account
|
Windows Event Log Security 4741
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-05-20
|
Windows Impair Defense Overide Win Defender Phishing Filter
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-20
|
Windows Modify Registry Auto Minor Updates
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2024-05-20
|
Windows Modify Registry Reg Restore
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1012
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-05-20
|
Windows Modify Registry UpdateServiceUrlAlternate
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
RedLine Stealer
|
2024-05-20
|
Windows Process Commandline Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1057
|
Hunting
|
CISA AA23-347A
|
2024-05-20
|
Windows Process Injection In Non-Service SearchIndexer
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1055
|
TTP
|
Qakbot
|
2024-05-20
|
Windows RDP Connection Successful
|
Windows Event Log RemoteConnectionManager 1149
|
T1563.002
|
Hunting
|
Active Directory Lateral Movement, BlackByte Ransomware
|
2024-05-20
|
Windows Registry Modification for Safe Mode Persistence
|
Sysmon EventID 12, Sysmon EventID 13
|
T1547.001
T1547
|
TTP
|
Ransomware, Windows Drivers, Windows Registry Abuse
|
2024-05-20
|
Windows Scheduled Task with Highest Privileges
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
T1053.005
|
TTP
|
AsyncRAT, CISA AA23-347A, RedLine Stealer, Scheduled Tasks
|
2024-05-20
|
Windows Security Account Manager Stopped
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1489
|
TTP
|
Ryuk Ransomware
|
2024-05-20
|
Windows Service Stop Win Updates
|
Windows Event Log System 7040
|
T1489
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-05-20
|
Windows Snake Malware Kernel Driver Comadmin
|
Sysmon EventID 11
|
T1547.006
|
TTP
|
Snake Malware
|
2024-05-20
|
Windows System Shutdown CommandLine
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1529
|
Anomaly
|
DarkCrystal RAT, DarkGate Malware, MoonPeak, NjRAT, Sandworm Tools
|
2024-05-20
|
Windows System User Discovery Via Quser
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Prestige Ransomware, Windows Post-Exploitation
|
2024-05-20
|
WinEvent Windows Task Scheduler Event Action Started
|
Windows Event Log TaskScheduler 200
|
T1053.005
|
Hunting
|
Amadey, AsyncRAT, BlackSuit Ransomware, CISA AA22-257A, CISA AA24-241A, DarkCrystal RAT, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Qakbot, Sandworm Tools, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern, Winter Vivern
|
2024-05-20
|
WinRM Spawning a Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1190
|
TTP
|
CISA AA23-347A, Rhysida Ransomware, Unusual Processes
|
2024-05-20
|
WMI Permanent Event Subscription - Sysmon
|
Sysmon EventID 21
|
T1546.003
T1546
|
TTP
|
Suspicious WMI Use
|
2024-05-20
|
Wmic Group Discovery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1069
T1069.001
|
Hunting
|
Active Directory Discovery
|
2024-05-20
|
Detect Software Download To Network Device
|
|
T1542.005
T1542
|
TTP
|
Router and Infrastructure Security
|
2024-05-20
|
Excessive DNS Failures
|
|
T1071.004
T1071
|
Anomaly
|
Command And Control, Suspicious DNS Traffic
|
2024-05-20
|
Ivanti Connect Secure Command Injection Attempts
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-20
|
JetBrains TeamCity Authentication Bypass CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-20
|
Monitor Web Traffic For Brand Abuse
|
|
|
TTP
|
Brand Monitoring
|
2024-05-20
|
Okta Mismatch Between Source and Response for Verify Push Request
|
Okta
|
T1621
|
TTP
|
Okta Account Takeover, Okta MFA Exhaustion
|
2024-05-19
|
Splunk Command and Scripting Interpreter Risky Commands
|
Splunk
|
T1059
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-19
|
Splunk Unauthenticated Log Injection Web Service Log
|
Splunk
|
T1190
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-19
|
Suspicious Java Classes
|
|
|
Anomaly
|
Apache Struts Vulnerability
|
2024-05-19
|
Detect New Open S3 buckets
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect New Open S3 Buckets over AWS CLI
|
AWS CloudTrail
|
T1530
|
TTP
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect S3 access from a new IP
|
|
T1530
|
Anomaly
|
Suspicious AWS S3 Activities
|
2024-05-19
|
Detect Spike in AWS Security Hub Alerts for EC2 Instance
|
AWS Security Hub
|
|
Anomaly
|
AWS Security Hub Alerts
|
2024-05-19
|
Kubernetes Nginx Ingress LFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2024-05-19
|
Kubernetes Nginx Ingress RFI
|
|
T1212
|
TTP
|
Dev Sec Ops
|
2024-05-19
|
Kubernetes Pod With Host Network Attachment
|
Kubernetes Audit
|
T1204
|
Anomaly
|
Kubernetes Security
|
2024-05-19
|
O365 Add App Role Assignment Grant User
|
O365 Add app role assignment grant to user.
|
T1136.003
T1136
|
TTP
|
Cloud Federated Credential Abuse, Office 365 Persistence Mechanisms
|
2024-05-19
|
Batch File Write to System32
|
Sysmon EventID 1, Sysmon EventID 11
|
T1204
T1204.002
|
TTP
|
SamSam Ransomware
|
2024-05-19
|
Creation of Shadow Copy
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1003.003
T1003
|
TTP
|
Credential Dumping, Volt Typhoon
|
2024-05-19
|
Detect Excessive Account Lockouts From Endpoint
|
|
T1078
T1078.002
|
Anomaly
|
Active Directory Password Spraying
|
2024-05-19
|
Detect Outlook exe writing a zip file
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
T1566.001
|
TTP
|
Amadey, Remcos, Spearphishing Attachments
|
2024-05-19
|
Disabling Defender Services
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
IcedID, RedLine Stealer, Windows Registry Abuse
|
2024-05-19
|
Disabling Windows Local Security Authority Defences via Registry
|
Sysmon EventID 1, Sysmon EventID 13
|
T1556
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-19
|
Excessive Usage Of SC Service Utility
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1569
T1569.002
|
Anomaly
|
Azorult, Ransomware
|
2024-05-19
|
GetNetTcpconnection with PowerShell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1049
|
Hunting
|
Active Directory Discovery
|
2024-05-19
|
Linux High Frequency Of File Deletion In Boot Folder
|
Sysmon for Linux EventID 11
|
T1485
T1070.004
T1070
|
TTP
|
AcidPour, Data Destruction, Industroyer2
|
2024-05-19
|
Linux Possible Append Cronjob Entry on Existing Cronjob File
|
Sysmon for Linux EventID 1
|
T1053.003
T1053
|
Hunting
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-19
|
Name | Data Source | Technique | Type | Analytic Story | Date
--- | --- | --- | --- | --- | ---
Linux Sudoers Tmp File Creation | Sysmon for Linux EventID 11 | T1548.003, T1548 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-19
Modify ACL permission To Files Or Folder | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1222 | Anomaly | XMRig | 2024-05-19
MS Scripting Process Loading Ldap Module | Sysmon EventID 7 | T1059, T1059.007 | Anomaly | FIN7 | 2024-05-19
Network Discovery Using Route Windows App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1016, T1016.001 | Hunting | Active Directory Discovery, CISA AA22-277A, Prestige Ransomware, Qakbot, Windows Post-Exploitation | 2024-05-19
Network Share Discovery Via Dir Command | Windows Event Log Security 5140 | T1135 | Hunting | IcedID | 2024-05-19
Non Firefox Process Access Firefox Profile Dir | Windows Event Log Security 4663 | T1555, T1555.003 | Anomaly | 3CX Supply Chain Attack, AgentTesla, Azorult, CISA AA23-347A, DarkGate Malware, FIN7, NjRAT, Phemedrone Stealer, RedLine Stealer, Remcos, Snake Keylogger, Warzone RAT | 2024-05-19
Powershell Load Module in Meterpreter | Powershell Script Block Logging 4104 | T1059, T1059.001 | TTP | MetaSploit | 2024-05-19
Rundll32 LockWorkStation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.011 | Anomaly | Ransomware | 2024-05-19
Unknown Process Using The Kerberos Protocol | Sysmon EventID 1, Sysmon EventID 3 | T1550 | TTP | Active Directory Kerberos Attacks, BlackSuit Ransomware | 2024-05-19
User Discovery With Env Vars PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Active Directory Discovery | 2024-05-19
Windows Administrative Shares Accessed On Multiple Hosts | Windows Event Log Security 5140, Windows Event Log Security 5145 | T1135 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-05-19
Windows Boot or Logon Autostart Execution In Startup Folder | Sysmon EventID 11 | T1547.001, T1547 | Anomaly | Chaos Ransomware, Gozi Malware, NjRAT, RedLine Stealer | 2024-05-19
Windows Create Local Account |  | T1136.001, T1136 | Anomaly | Active Directory Password Spraying, CISA AA24-241A | 2024-05-19
Windows Credentials from Password Stores Chrome LocalState Access | Windows Event Log Security 4663 | T1012 | Anomaly | Amadey, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT | 2024-05-19
Windows Disable Change Password Through Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Defense Evasion Tactics | 2024-05-19
Windows Disable Shutdown Button Through Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Ransomware, Windows Registry Abuse | 2024-05-19
Windows Excessive Disabled Services Event | Windows Event Log System 7040 | T1562.001, T1562 | TTP | CISA AA23-347A, Windows Defense Evasion Tactics | 2024-05-19
Windows Impair Defense Disable Defender Firewall And Network | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-19
Windows Indirect Command Execution Via Series Of Forfiles | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1202 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-19
Windows Masquerading Msdtc Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036 | TTP | PlugX | 2024-05-19
Windows Multiple Account Passwords Changed | Windows Event Log Security 4724 | T1098, T1078 | TTP | Azure Active Directory Persistence | 2024-05-19
Windows PowerShell ScheduleTask | Powershell Script Block Logging 4104 | T1053.005, T1059.001, T1059 | Anomaly | Scheduled Tasks | 2024-05-19
Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM | Windows Event Log Security 4776 | T1110.003, T1110 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2024-05-19
WSReset UAC Bypass | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | T1548.002, T1548 | TTP | Living Off The Land, MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-19
Windows AD Replication Service Traffic |  | T1003, T1003.006, T1207 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-19
Detect attackers scanning for vulnerable JBoss servers |  | T1082, T1133 | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-05-19
Detect malicious requests to exploit JBoss servers |  |  | TTP | JBoss Vulnerability, SamSam Ransomware | 2024-05-19
Microsoft SharePoint Server Elevation of Privilege | Suricata | T1068 | TTP | Microsoft SharePoint Server Elevation of Privilege CVE-2023-29357 | 2024-05-19
VMWare Aria Operations Exploit Attempt | Palo Alto Network Threat | T1133, T1190, T1210, T1068 | TTP | VMware Aria Operations vRealize CVE-2023-20887 | 2024-05-19
VMware Workspace ONE Freemarker Server-side Template Injection | Palo Alto Network Threat | T1190, T1133 | Anomaly | VMware Server Side Injection and Privilege Escalation | 2024-05-19
Web Remote ShellServlet Access | Nginx Access | T1190 | TTP | CVE-2023-22515 Privilege Escalation Vulnerability Confluence Data Center and Server | 2024-05-19
Email servers sending high volume traffic to hosts |  | T1114, T1114.002 | Anomaly | Collection and Staging, HAFNIUM Group | 2024-05-18
Okta MFA Exhaustion Hunt | Okta | T1110 | Hunting | Okta Account Takeover, Okta MFA Exhaustion | 2024-05-18
Splunk Digital Certificates Lack of Encryption | Splunk | T1587.003 | Anomaly | Splunk Vulnerabilities | 2024-05-18
ASL AWS New MFA Method Registered For User |  | T1556, T1556.006 | TTP | AWS Identity and Access Management Account Takeover | 2024-05-18
AWS Detect Users with KMS keys performing encryption S3 | AWS CloudTrail | T1486 | Anomaly | Ransomware Cloud | 2024-05-18
Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1586, T1586.003, T1078, T1078.004, T1621 | TTP | Azure Active Directory Account Takeover | 2024-05-18
Azure AD Multiple Denied MFA Requests For User | Azure Active Directory Sign-in activity | T1621 | TTP | Azure Active Directory Account Takeover | 2024-05-18
Azure AD User Consent Denied for OAuth Application | Azure Active Directory Sign-in activity | T1528 | TTP | Azure Active Directory Account Takeover | 2024-05-18
Cloud Compute Instance Created By Previously Unseen User | AWS CloudTrail | T1078.004, T1078 | Anomaly | Cloud Cryptomining | 2024-05-18
Cloud Security Groups Modifications by User | AWS CloudTrail | T1578.005 | Anomaly | Suspicious Cloud User Activities | 2024-05-18
Detect AWS Console Login by User from New Region | AWS CloudTrail | T1586, T1586.003, T1535 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-18
Detect Spike in AWS Security Hub Alerts for User | AWS Security Hub |  | Anomaly | AWS Security Hub Alerts | 2024-05-18
GCP Kubernetes cluster pod scan detection |  | T1526 | Hunting | Kubernetes Scanning Activity | 2024-05-18
Kubernetes AWS detect suspicious kubectl calls | Kubernetes Audit |  | Anomaly | Kubernetes Security | 2024-05-18
O365 Admin Consent Bypassed by Service Principal | O365 Add app role assignment to service principal. | T1098.003 | TTP | Office 365 Persistence Mechanisms | 2024-05-18
O365 Excessive Authentication Failures Alert |  | T1110 | Anomaly | Office 365 Account Takeover | 2024-05-18
O365 Mailbox Inbox Folder Shared with All Users | O365 ModifyFolderPermissions | T1114, T1114.002 | TTP | Office 365 Persistence Mechanisms | 2024-05-18
O365 OAuth App Mailbox Access via Graph API | O365 MailItemsAccessed | T1114.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2024-05-18
Creation of Shadow Copy with wmic and powershell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.003, T1003 | TTP | Credential Dumping, Living Off The Land, Volt Typhoon | 2024-05-18
Disabling ControlPanel | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562, T1112 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-18
Disabling Remote User Account Control | Sysmon EventID 12, Sysmon EventID 13 | T1548.002, T1548 | TTP | AgentTesla, Azorult, Remcos, Suspicious Windows Registry Activities, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-18
Get-ForestTrust with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1482 | TTP | Active Directory Discovery | 2024-05-18
GetWmiObject Ds Group with PowerShell Script Block | Powershell Script Block Logging 4104 | T1069, T1069.002 | TTP | Active Directory Discovery | 2024-05-18
IcedID Exfiltrated Archived File Creation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001, T1560 | Hunting | IcedID | 2024-05-18
Linux Deletion Of Init Daemon Script | Sysmon for Linux EventID 11 | T1485, T1070.004, T1070 | TTP | AcidPour, AcidRain, Data Destruction | 2024-05-18
Linux Deletion of SSL Certificate | Sysmon for Linux EventID 11 | T1485, T1070.004, T1070 | Anomaly | AcidPour, AcidRain | 2024-05-18
Linux Service Restarted | Sysmon for Linux EventID 1 | T1053.006, T1053 | Anomaly | AwfulShred, Data Destruction, Gomir, Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-18
Linux Setuid Using Chmod Utility | Sysmon for Linux EventID 1 | T1548.001, T1548 | Anomaly | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-18
Malicious PowerShell Process With Obfuscation Techniques | Sysmon EventID 1 | T1059, T1059.001 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-05-18
Network Traffic to Active Directory Web Services Protocol | Sysmon EventID 3 | T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 | Hunting | Windows Discovery Techniques | 2024-05-18
Nishang PowershellTCPOneLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059, T1059.001 | TTP | HAFNIUM Group | 2024-05-18
Office Product Spawning Rundll32 with no DLL | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments | 2024-05-18
Powershell Fileless Process Injection via GetProcAddress | Powershell Script Block Logging 4104 | T1059, T1055, T1059.001 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-05-18
PowerShell Loading DotNET into Memory via Reflection | Powershell Script Block Logging 4104 | T1059, T1059.001 | TTP | AgentTesla, AsyncRAT, Data Destruction, Hermetic Wiper, Malicious PowerShell, Winter Vivern | 2024-05-18
Powershell Remove Windows Defender Directory | Powershell Script Block Logging 4104 | T1562.001, T1562 | TTP | Data Destruction, WhisperGate | 2024-05-18
PowerShell Start or Stop Service | Powershell Script Block Logging 4104 | T1059.001 | Anomaly | Active Directory Lateral Movement | 2024-05-18
Print Spooler Adding A Printer Driver | Windows Event Log Printservice 316 | T1547.012, T1547 | TTP | PrintNightmare CVE-2021-34527 | 2024-05-18
Process Kill Base On File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001, T1562 | TTP | XMRig | 2024-05-18
Recon Using WMI Class | Powershell Script Block Logging 4104 | T1592, T1059.001 | Anomaly | AsyncRAT, Data Destruction, Hermetic Wiper, Industroyer2, LockBit Ransomware, Malicious PowerShell, MoonPeak, Qakbot | 2024-05-18
Registry Keys Used For Privilege Escalation | Sysmon EventID 12, Sysmon EventID 13 | T1546.012, T1546 | TTP | Cloud Federated Credential Abuse, Data Destruction, Hermetic Wiper, Suspicious Windows Registry Activities, Windows Privilege Escalation, Windows Registry Abuse | 2024-05-18
SilentCleanup UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | T1548.002, T1548 | TTP | MoonPeak, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-18
SLUI Spawning a Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1548.002, T1548 | TTP | DarkSide Ransomware, Windows Defense Evasion Tactics | 2024-05-18
Suspicious writes to windows Recycle Bin | Sysmon EventID 1, Sysmon EventID 11 | T1036 | TTP | Collection and Staging, PlugX | 2024-05-18
Windows AD Domain Controller Promotion | Windows Event Log Security 4742 | T1207 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-18
Windows AD Privileged Object Access Activity | Windows Event Log Security 4662 | T1087, T1087.002 | TTP | Active Directory Discovery, BlackSuit Ransomware | 2024-05-18
Windows AD Short Lived Domain Account ServicePrincipalName | Windows Event Log Security 5136 | T1098 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-18
Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Sysmon EventID 17, Sysmon EventID 18 | T1071 | TTP | Azorult | 2024-05-18
Windows Common Abused Cmd Shell Risk Behavior |  | T1222, T1049, T1033, T1529, T1016, T1059 | Correlation | Azorult, CISA AA23-347A, DarkCrystal RAT, Disabling Security Tools, FIN7, Netsh Abuse, Qakbot, Sandworm Tools, Volt Typhoon, Windows Defense Evasion Tactics, Windows Post-Exploitation | 2024-05-18
Windows Computer Account With SPN | Windows Event Log Security 4741 | T1558 | TTP | Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp | 2024-05-18
Windows Credentials from Password Stores Chrome Extension Access | Windows Event Log Security 4663 | T1012 | Anomaly | Amadey, CISA AA23-347A, DarkGate Malware, MoonPeak, Phemedrone Stealer, RedLine Stealer | 2024-05-18
Windows Credentials from Password Stores Creation | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | TTP | DarkGate Malware | 2024-05-18
Windows Diskshadow Proxy Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218 | TTP | Living Off The Land | 2024-05-18
Windows File Share Discovery With Powerview | Powershell Script Block Logging 4104 | T1135 | TTP | Active Directory Discovery, Active Directory Privilege Escalation | 2024-05-18
Windows High File Deletion Frequency | Sysmon EventID 23 | T1485 | Anomaly | Clop Ransomware, DarkCrystal RAT, Data Destruction, Handala Wiper, Sandworm Tools, Swift Slicer, WhisperGate | 2024-05-18
Windows Impair Defenses Disable Win Defender Auto Logging | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | Anomaly | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-18
Windows InstallUtil Credential Theft | Sysmon EventID 7 | T1218.004, T1218 | TTP | Signed Binary Proxy Execution InstallUtil | 2024-05-18
Windows Linked Policies In ADSI Discovery | Powershell Script Block Logging 4104 | T1087.002, T1087 | Anomaly | Active Directory Discovery, Data Destruction, Industroyer2 | 2024-05-18
Windows PowerShell Export Certificate | Powershell Script Block Logging 4104 | T1552.004, T1552, T1649 | Anomaly | Windows Certificate Services | 2024-05-18
Windows Unusual Count Of Users Remotely Failed To Auth From Host | Windows Event Log Security 4625 | T1110.003, T1110 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2024-05-18
Windows Vulnerable Driver Loaded | Sysmon EventID 6 | T1543.003 | Hunting | BlackByte Ransomware, Windows Drivers | 2024-05-18
WinEvent Scheduled Task Created to Spawn Shell | Windows Event Log Security 4698 | T1053.005, T1053 | TTP | CISA AA22-257A, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Error Reporting Service Elevation of Privilege Vulnerability, Windows Persistence Techniques, Winter Vivern | 2024-05-18
Detect hosts connecting to dynamic domain providers | Sysmon EventID 22 | T1189 | TTP | Command And Control, DNS Hijacking, Data Protection, Dynamic DNS, Prohibited Traffic Allowed or Protocol Mismatch, Suspicious DNS Traffic | 2024-05-18
Windows AD Rogue Domain Controller Network Activity |  | T1207 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-18
Ivanti Connect Secure System Information Access via Auth Bypass | Suricata | T1190 | Anomaly | CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities | 2024-05-18
Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078 | Suricata | T1190, T1133 | TTP | Ivanti EPMM Remote Unauthenticated Access | 2024-05-18
Splunk Absolute Path Traversal Using runshellscript | Splunk | T1083 | Hunting | Splunk Vulnerabilities | 2024-05-17
Splunk XSS in Monitoring Console |  | T1189 | TTP | Splunk Vulnerabilities | 2024-05-17
AWS Defense Evasion Update Cloudtrail | AWS CloudTrail UpdateTrail | T1562, T1562.008 | TTP | AWS Defense Evasion | 2024-05-17
AWS UpdateLoginProfile | AWS CloudTrail UpdateLoginProfile | T1136.003, T1136 | TTP | AWS IAM Privilege Escalation | 2024-05-17
Cloud Provisioning Activity From Previously Unseen Region | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-17
Detect New Open GCP Storage Buckets |  | T1530 | TTP | Suspicious GCP Storage Activities | 2024-05-17
GitHub Actions Disable Security Workflow | GitHub | T1195.002, T1195 | Anomaly | Dev Sec Ops | 2024-05-17
Kubernetes Anomalous Inbound Network Activity from Process |  | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-17
O365 Advanced Audit Disabled | O365 Change user license. | T1562, T1562.008 | TTP | Office 365 Persistence Mechanisms | 2024-05-17
O365 Excessive SSO logon errors | O365 UserLoginFailed | T1556 | Anomaly | Cloud Federated Credential Abuse, Office 365 Account Takeover | 2024-05-17
7zip CommandLine To SMB Share Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1560.001, T1560 | Hunting | Ransomware | 2024-05-17
Allow File And Printing Sharing In Firewall | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.007, T1562 | TTP | BlackByte Ransomware, Ransomware | 2024-05-17
Change Default File Association | Sysmon EventID 12, Sysmon EventID 13 | T1546.001, T1546 | TTP | Data Destruction, Hermetic Wiper, Prestige Ransomware, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-05-17
Hide User Account From Sign-In Screen | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Azorult, Warzone RAT, Windows Registry Abuse, XMRig | 2024-05-17
Linux Deletion Of Services | Sysmon for Linux EventID 11 | T1485, T1070.004, T1070 | TTP | AcidPour, AcidRain, AwfulShred, Data Destruction | 2024-05-17
Linux Doas Conf File Creation | Sysmon for Linux EventID 11 | T1548.003, T1548 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-17
Linux NOPASSWD Entry In Sudoers File | Sysmon for Linux EventID 1 | T1548.003, T1548 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-17
Linux Possible Cronjob Modification With Editor | Sysmon for Linux EventID 1 | T1053.003, T1053 | Hunting | Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks | 2024-05-17
Linux Sudo OR Su Execution | Sysmon for Linux EventID 1 | T1548.003, T1548 | Hunting | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-17
MacOS LOLbin |  | T1059.004, T1059 | TTP | Living Off The Land | 2024-05-17
NLTest Domain Trust Discovery | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1482 | TTP | Active Directory Discovery, Domain Trust Discovery, IcedID, Qakbot, Rhysida Ransomware, Ryuk Ransomware | 2024-05-17
Office Product Spawning CertUtil | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | AgentTesla, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments, Trickbot | 2024-05-17
PowerShell Enable PowerShell Remoting | Powershell Script Block Logging 4104 | T1059.001, T1059 | Anomaly | Malicious PowerShell | 2024-05-17
PowerShell Start-BitsTransfer | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1197 | TTP | BITS Jobs, Gozi Malware | 2024-05-17
Reg exe Manipulating Windows Services Registry Keys | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1574.011, T1574 | TTP | Living Off The Land, Windows Persistence Techniques, Windows Service Abuse | 2024-05-17
Registry Keys for Creating SHIM Databases | Sysmon EventID 12, Sysmon EventID 13 | T1546.011, T1546 | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques, Windows Registry Abuse | 2024-05-17
Remote Process Instantiation via WMI and PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Active Directory Lateral Movement | 2024-05-17
Remote WMI Command Attempt | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | CISA AA23-347A, Graceful Wipe Out Attack, IcedID, Living Off The Land, Suspicious WMI Use, Volt Typhoon | 2024-05-17
Scheduled Task Deleted Or Created via CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005, T1053 | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, CISA AA22-257A, CISA AA23-347A, CISA AA24-241A, DHS Report TA18-074A, DarkCrystal RAT, Living Off The Land, MoonPeak, NOBELIUM Group, NjRAT, Phemedrone Stealer, Prestige Ransomware, Qakbot, RedLine Stealer, Rhysida Ransomware, Sandworm Tools, Scheduled Tasks, ShrinkLocker, Trickbot, Windows Persistence Techniques, Winter Vivern | 2024-05-17
Short Lived Scheduled Task | Windows Event Log Security 4698, Windows Event Log Security 4699 | T1053.005 | TTP | Active Directory Lateral Movement, CISA AA22-257A, CISA AA23-347A, Scheduled Tasks | 2024-05-17
Spoolsv Writing a DLL - Sysmon | Sysmon EventID 11 | T1547.012, T1547 | TTP | PrintNightmare CVE-2021-34527 | 2024-05-17
Suspicious Computer Account Name Change | Windows Event Log Security 4781 | T1078, T1078.002 | TTP | Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2024-05-17
Windows ConHost with Headless Argument | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1564.003, T1564.006 | TTP | Spearphishing Attachments | 2024-05-17
Windows Defender ASR Audit Events | Windows Event Log Defender 1122 | T1059, T1566.001, T1566.002 | Anomaly | Windows Attack Surface Reduction | 2024-05-17
Windows Find Domain Organizational Units with GetDomainOU | Powershell Script Block Logging 4104 | T1087, T1087.002 | TTP | Active Directory Discovery | 2024-05-17
Windows Group Policy Object Created | Windows Event Log Security 5136, Windows Event Log Security 5137 | T1484, T1484.001, T1078.002 | TTP | Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks | 2024-05-17
Windows Known Abused DLL Created | Sysmon EventID 1, Sysmon EventID 11 | T1574.001, T1574.002, T1574 | Anomaly | Living Off The Land, Windows Defense Evasion Tactics | 2024-05-17
Windows Modify Registry Suppress Win Defender Notif | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Azorult, CISA AA23-347A | 2024-05-17
Windows Multiple Invalid Users Failed To Authenticate Using NTLM | Windows Event Log Security 4776 | T1110.003, T1110 | TTP | Active Directory Password Spraying, Volt Typhoon | 2024-05-17
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Windows Event Log Security 4648 | T1110.003, T1110 | TTP | Active Directory Password Spraying, Insider Threat, Volt Typhoon | 2024-05-17
Windows PowerShell WMI Win32 ScheduledJob | Powershell Script Block Logging 4104 | T1059.001, T1059 | TTP | Active Directory Lateral Movement | 2024-05-17
Windows PowerView AD Access Control List Enumeration | Powershell Script Block Logging 4104 | T1078.002, T1069 | TTP | Active Directory Discovery, Active Directory Privilege Escalation, Rhysida Ransomware | 2024-05-17
Windows Scheduled Task Created Via XML | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005, T1053 | TTP | CISA AA23-347A, MoonPeak, Scheduled Tasks, Winter Vivern | 2024-05-17
Windows SqlWriter SQLDumper DLL Sideload | Sysmon EventID 7 | T1574.002 | TTP | APT29 Diplomatic Deceptions with WINELOADER | 2024-05-17
Windows System Discovery Using Qwinsta | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Qakbot | 2024-05-17
Windows System Network Config Discovery Display DNS | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1016 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-17
Windows System Network Connections Discovery Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1049 | Anomaly | Prestige Ransomware, Snake Keylogger, Windows Post-Exploitation | 2024-05-17
Remote Desktop Network Bruteforce |  | T1021.001, T1021 | TTP | Ryuk Ransomware, SamSam Ransomware | 2024-05-17
Adobe ColdFusion Unauthenticated Arbitrary File Read | Suricata | T1190 | TTP | Adobe ColdFusion Arbitrary Code Execution CVE-2023-29298 CVE-2023-26360 | 2024-05-17
Ivanti Sentry Authentication Bypass | Suricata | T1190 | TTP | Ivanti Sentry Authentication Bypass CVE-2023-38035 | 2024-05-17
WordPress Bricks Builder plugin RCE | Nginx Access | T1190 | TTP | WordPress Vulnerabilities | 2024-05-17
Zscaler Behavior Analysis Threat Blocked |  | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-17
Zscaler Virus Download threat blocked |  | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-17
CrushFTP Server Side Template Injection | CrushFTP | T1190 | TTP | CrushFTP Vulnerabilities | 2024-05-16
Email Attachments With Lots Of Spaces |  |  | Anomaly | Data Destruction, Emotet Malware DHS Report TA18-201A, Hermetic Wiper, Suspicious Emails | 2024-05-16
Splunk App for Lookup File Editing RCE via User XSLT |  | T1210 | Hunting | Splunk Vulnerabilities | 2024-05-16
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature | Splunk | T1210 | Hunting | Splunk Vulnerabilities | 2024-05-16
Splunk RCE via User XSLT |  | T1210 | Hunting | Splunk Vulnerabilities | 2024-05-16
Abnormally High Number Of Cloud Instances Launched | AWS CloudTrail | T1078.004, T1078 | Anomaly | Cloud Cryptomining, Suspicious Cloud Instance Activities | 2024-05-16
AWS CreateLoginProfile | AWS CloudTrail ConsoleLogin, AWS CloudTrail CreateLoginProfile | T1136.003, T1136 | TTP | AWS IAM Privilege Escalation | 2024-05-16
AWS Credential Access Failed Login | AWS CloudTrail | T1586, T1586.003, T1110, T1110.001 | TTP | AWS Identity and Access Management Account Takeover | 2024-05-16
AWS Cross Account Activity From Previously Unseen Account | AWS CloudTrail |  | Anomaly | Suspicious Cloud Authentication Activities | 2024-05-16
AWS SetDefaultPolicyVersion | AWS CloudTrail SetDefaultPolicyVersion | T1078.004, T1078 | TTP | AWS IAM Privilege Escalation | 2024-05-16
Azure AD New MFA Method Registered | Azure Active Directory Update user | T1098, T1098.005 | TTP | Azure Active Directory Persistence | 2024-05-16
Cloud Provisioning Activity From Previously Unseen City | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-16
Cloud Provisioning Activity From Previously Unseen IP Address | AWS CloudTrail | T1078 | Anomaly | Suspicious Cloud Provisioning Activities | 2024-05-16
Detect AWS Console Login by User from New Country | AWS CloudTrail | T1586, T1586.003, T1535 | Hunting | AWS Identity and Access Management Account Takeover, Compromised User Account, Suspicious AWS Login Activities, Suspicious Cloud Authentication Activities | 2024-05-16
GSuite Email Suspicious Attachment | G Suite Gmail | T1566.001, T1566 | Anomaly | Dev Sec Ops | 2024-05-16
Kubernetes DaemonSet Deployed | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2024-05-16
O365 High Number Of Failed Authentications for User | O365 UserLoginFailed | T1110, T1110.001 | TTP | Office 365 Account Takeover | 2024-05-16
O365 Multiple Mailboxes Accessed via API | O365 MailItemsAccessed | T1114.002 | TTP | NOBELIUM Group, Office 365 Collection Techniques | 2024-05-16
O365 PST export alert | O365 | T1114 | TTP | Data Exfiltration, Office 365 Collection Techniques | 2024-05-16
Disabling CMD Application | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562, T1112 | TTP | NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-16
Executable File Written in Administrative SMB Share | Windows Event Log Security 5145 | T1021, T1021.002 | TTP | Active Directory Lateral Movement, BlackSuit Ransomware, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot | 2024-05-16
Kerberoasting spn request with RC4 encryption | Windows Event Log Security 4769 | T1558, T1558.003 | TTP | Active Directory Kerberos Attacks, Data Destruction, Hermetic Wiper, Windows Privilege Escalation | 2024-05-16
Linux Deleting Critical Directory Using RM Command | Sysmon for Linux EventID 1 | T1485 | TTP | AwfulShred, Data Destruction, Industroyer2 | 2024-05-16
Linux File Creation In Profile Directory | Sysmon for Linux EventID 11 | T1546.004, T1546 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation | 2024-05-16
Msmpeng Application DLL Side Loading | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1574.002, T1574 | TTP | Ransomware, Revil Ransomware | 2024-05-16
NET Profiler UAC bypass | Sysmon EventID 12, Sysmon EventID 13 | T1548.002, T1548 | TTP | Windows Defense Evasion Tactics | 2024-05-16
Network Connection Discovery With Arp | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1049 | Hunting | Active Directory Discovery, IcedID, Prestige Ransomware, Qakbot, Volt Typhoon, Windows Post-Exploitation | 2024-05-16
Office Document Creating Schedule Task | Sysmon EventID 7 | T1566, T1566.001 | TTP | Spearphishing Attachments | 2024-05-16
Powershell Processing Stream Of Data | Powershell Script Block Logging 4104 | T1059, T1059.001 | TTP | AsyncRAT, Data Destruction, Hermetic Wiper, IcedID, Malicious PowerShell, MoonPeak | 2024-05-16
Prevent Automatic Repair Mode using Bcdedit | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1490 | TTP | Chaos Ransomware, Ransomware | 2024-05-16
Spike in File Writes | Sysmon EventID 11 |  | Anomaly | Ransomware, Rhysida Ransomware, Ryuk Ransomware, SamSam Ransomware | 2024-05-16
Suspicious Copy on System32 | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036.003, T1036 | TTP | AsyncRAT, IcedID, Qakbot, Sandworm Tools, Unusual Processes, Volt Typhoon | 2024-05-16
Suspicious Driver Loaded Path | Sysmon EventID 6 | T1543.003, T1543 | TTP | AgentTesla, BlackByte Ransomware, CISA AA22-320A, Snake Keylogger, XMRig | 2024-05-16
Suspicious Kerberos Service Ticket Request | Windows Event Log Security 4769 | T1078, T1078.002 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, sAMAccountName Spoofing and Domain Controller Impersonation | 2024-05-16
Suspicious PlistBuddy Usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.001, T1543 | TTP | Silver Sparrow | 2024-05-16
Suspicious Process With Discord DNS Query | Sysmon EventID 22 | T1059.005, T1059 | Anomaly | Data Destruction, WhisperGate | 2024-05-16
Trickbot Named Pipe | Sysmon EventID 17, Sysmon EventID 18 | T1055 | TTP | Trickbot | 2024-05-16
W3WP Spawning Shell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1505, T1505.003 | TTP | BlackByte Ransomware, CISA AA22-257A, CISA AA22-264A, Data Destruction, Flax Typhoon, HAFNIUM Group, Hermetic Wiper, ProxyNotShell, ProxyShell, WS FTP Server Critical Vulnerabilities | 2024-05-16
Windows AD Replication Request Initiated by User Account | Windows Event Log Security 4662 | T1003.006, T1003 | TTP | Credential Dumping, Sneaky Active Directory Persistence Tricks | 2024-05-16
Windows AD SID History Attribute Modified | Windows Event Log Security 5136 | T1134, T1134.005 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-16
Windows Alternate DataStream - Process Execution | Sysmon EventID 1, Windows Event Log Security 4688 | T1564, T1564.004 | TTP | Windows Defense Evasion Tactics | 2024-05-16
Windows Autostart Execution LSASS Driver Registry Modification | Sysmon EventID 12, Sysmon EventID 13 | T1547.008 | TTP | Windows Registry Abuse | 2024-05-16
Windows Computer Account Requesting Kerberos Ticket | Windows Event Log Security 4768 | T1558 | TTP | Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp | 2024-05-16
Windows Credentials from Password Stores Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1555 | TTP | DarkGate Malware | 2024-05-16
Windows Credentials in Registry Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1552.002, T1552 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-16
Windows Deleted Registry By A Non Critical Process File Path | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Data Destruction, Double Zero Destructor | 2024-05-16
Windows Enable Win32 ScheduledJob via Registry | Sysmon EventID 12, Sysmon EventID 13 | T1053.005 | Anomaly | Active Directory Lateral Movement, Scheduled Tasks | 2024-05-16
Windows Export Certificate | Windows Event Log CertificateServicesClient 1007 | T1552.004, T1552, T1649 | Anomaly | Windows Certificate Services | 2024-05-16
Windows Forest Discovery with GetForestDomain | Powershell Script Block Logging 4104 | T1087, T1087.002 | TTP | Active Directory Discovery | 2024-05-16
Windows Local Administrator Credential Stuffing | Windows Event Log Security 4624, Windows Event Log Security 4625 | T1110, T1110.004 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-05-16
Windows Modify Registry DisableRemoteDesktopAntiAlias | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | DarkGate Malware | 2024-05-16
Windows Modify Registry DontShowUI | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | DarkGate Malware | 2024-05-16
Windows Modify Registry USeWuServer | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Hunting | RedLine Stealer | 2024-05-16
Windows Multiple Users Failed To Authenticate Using Kerberos | Windows Event Log Security 4771 | T1110.003, T1110 | TTP | Active Directory Kerberos Attacks, Active Directory Password Spraying, Volt Typhoon | 2024-05-16
Windows Processes Killed By Industroyer2 Malware | Sysmon EventID 5 | T1489 | Anomaly | Data Destruction, Industroyer2 | 2024-05-16
Windows Rapid Authentication On Multiple Hosts | Windows Event Log Security 4624 | T1003.002 | TTP | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-05-16
Windows Service Stop By Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | TTP | Azorult, Graceful Wipe Out Attack | 2024-05-16
Windows Service Stop Via Net and SC Application | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1489 | Anomaly | Graceful Wipe Out Attack, Prestige Ransomware | 2024-05-16
Windows Steal Authentication Certificates CryptoAPI
|
Windows Event Log CAPI2 70
|
T1649
|
Anomaly
|
Windows Certificate Services
|
2024-05-16
|
Windows User Execution Malicious URL Shortcut File
|
Sysmon EventID 11
|
T1204.002
T1204
|
TTP
|
Chaos Ransomware, NjRAT, Snake Keylogger
|
2024-05-16
|
Windows WMI Process Call Create
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1047
|
Hunting
|
CISA AA23-347A, IcedID, Qakbot, Suspicious WMI Use, Volt Typhoon
|
2024-05-16
|
WinEvent Scheduled Task Created Within Public Path
|
Windows Event Log Security 4698
|
T1053.005
T1053
|
TTP
|
Active Directory Lateral Movement, AsyncRAT, CISA AA22-257A, CISA AA23-347A, Data Destruction, IcedID, Industroyer2, Prestige Ransomware, Ransomware, Ryuk Ransomware, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-05-16
|
Multiple Archive Files Http Post Traffic
|
Splunk Stream HTTP
|
T1048.003
T1048
|
TTP
|
Command And Control, Data Exfiltration
|
2024-05-16
|
Cisco IOS XE Implant Access
|
Suricata
|
T1190
|
TTP
|
Cisco IOS XE Software Web Management User Interface vulnerability
|
2024-05-16
|
JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
|
Suricata
|
T1190
|
TTP
|
JetBrains TeamCity Vulnerabilities
|
2024-05-16
|
Log4Shell JNDI Payload Injection with Outbound Connection
|
|
T1190
T1133
|
Anomaly
|
CISA AA22-320A, Log4Shell CVE-2021-44228
|
2024-05-16
|
Nginx ConnectWise ScreenConnect Authentication Bypass
|
Nginx Access
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-16
|
Windows Exchange Autodiscover SSRF Abuse
|
Windows IIS
|
T1190
T1133
|
TTP
|
BlackByte Ransomware, ProxyNotShell, ProxyShell
|
2024-05-16
|
Email files written outside of the Outlook directory
|
Sysmon EventID 11
|
T1114
T1114.001
|
TTP
|
Collection and Staging
|
2024-05-15
|
No Windows Updates in a time frame
|
|
|
Hunting
|
Monitor for Updates
|
2024-05-15
|
Okta Phishing Detection with FastPass Origin Check
|
Okta
|
T1078
T1078.001
T1556
|
TTP
|
Okta Account Takeover
|
2024-05-15
|
Splunk Account Discovery Drilldown Dashboard Disclosure
|
|
T1087
|
TTP
|
Splunk Vulnerabilities
|
2024-05-15
|
Splunk Command and Scripting Interpreter Risky SPL MLTK
|
Splunk
|
T1059
|
Anomaly
|
Splunk Vulnerabilities
|
2024-05-15
|
Splunk Edit User Privilege Escalation
|
Splunk
|
T1548
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-15
|
Splunk RBAC Bypass On Indexing Preview REST Endpoint
|
Splunk
|
T1134
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-15
|
Amazon EKS Kubernetes cluster scan detection
|
|
T1526
|
Hunting
|
Kubernetes Scanning Activity
|
2024-05-15
|
AWS Concurrent Sessions From Different Ips
|
AWS CloudTrail DescribeEventAggregates
|
T1185
|
TTP
|
AWS Identity and Access Management Account Takeover, Compromised User Account
|
2024-05-15
|
AWS Defense Evasion Stop Logging Cloudtrail
|
AWS CloudTrail StopLogging
|
T1562.008
T1562
|
TTP
|
AWS Defense Evasion
|
2024-05-15
|
aws detect role creation
|
|
T1078
|
Hunting
|
AWS Cross Account Activity
|
2024-05-15
|
AWS ECR Container Scanning Findings Low Informational Unknown
|
AWS CloudTrail DescribeImageScanFindings
|
T1204.003
T1204
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
AWS Exfiltration via Anomalous GetObject API Activity
|
AWS CloudTrail GetObject
|
T1119
|
Anomaly
|
Data Exfiltration
|
2024-05-15
|
AWS Multi-Factor Authentication Disabled
|
AWS CloudTrail DeactivateMFADevice, AWS CloudTrail DeleteVirtualMFADevice
|
T1586
T1586.003
T1621
T1556
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-15
|
AWS Network Access Control List Deleted
|
AWS CloudTrail DeleteNetworkAclEntry
|
T1562.007
T1562
|
Anomaly
|
AWS Network ACL Activity
|
2024-05-15
|
Azure AD Application Administrator Role Assigned
|
Azure Active Directory Add member to role
|
T1098
T1098.003
|
TTP
|
Azure Active Directory Privilege Escalation
|
2024-05-15
|
Azure AD Unusual Number of Failed Authentications From Ip
|
Azure Active Directory
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-05-15
|
Cloud API Calls From Previously Unseen User Roles
|
AWS CloudTrail
|
T1078
|
Anomaly
|
Suspicious Cloud User Activities
|
2024-05-15
|
Gsuite Email Suspicious Subject With Attachment
|
G Suite Gmail
|
T1566.001
T1566
|
Anomaly
|
Dev Sec Ops
|
2024-05-15
|
Kubernetes newly seen TCP edge
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-15
|
O365 Bypass MFA via Trusted IP
|
O365 Set Company Information.
|
T1562.007
T1562
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
O365 Compliance Content Search Started
|
|
T1114
T1114.002
|
TTP
|
Office 365 Collection Techniques
|
2024-05-15
|
O365 Elevated Mailbox Permission Assigned
|
|
T1098
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2024-05-15
|
O365 New MFA Method Registered
|
O365 Update user.
|
T1098
T1098.005
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-15
|
Child Processes of Spoolsv exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1068
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Privilege Escalation
|
2024-05-15
|
Detect New Local Admin account
|
Windows Event Log Security 4720, Windows Event Log Security 4732
|
T1136.001
T1136
|
TTP
|
CISA AA22-257A, CISA AA24-241A, DHS Report TA18-074A, HAFNIUM Group
|
2024-05-15
|
Detect SharpHound Command-Line Arguments
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1069.001
T1482
T1087.001
T1087
T1069.002
T1069
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-05-15
|
Detect SharpHound File Modifications
|
Sysmon EventID 11
|
T1087.002
T1069.001
T1482
T1087.001
T1087
T1069.002
T1069
|
TTP
|
BlackSuit Ransomware, Ransomware, Windows Discovery Techniques
|
2024-05-15
|
Detect WMI Event Subscription Persistence
|
Sysmon EventID 20
|
T1546.003
T1546
|
TTP
|
Suspicious WMI Use
|
2024-05-15
|
Disabling Task Manager
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-15
|
Domain Controller Discovery with Nltest
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
Active Directory Discovery, BlackSuit Ransomware, CISA AA23-347A, Rhysida Ransomware
|
2024-05-15
|
Enumerate Users Local Group Using Telegram
|
Windows Event Log Security 4798
|
T1087
|
TTP
|
XMRig
|
2024-05-15
|
Excessive Usage of NSLOOKUP App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1048
|
Anomaly
|
Command And Control, Data Exfiltration, Dynamic DNS, Suspicious DNS Traffic
|
2024-05-15
|
FodHelper UAC Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
T1548.002
T1548
|
TTP
|
IcedID, Windows Defense Evasion Tactics
|
2024-05-15
|
GetDomainGroup with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1069
T1069.002
|
TTP
|
Active Directory Discovery
|
2024-05-15
|
GetWmiObject User Account with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087
T1087.001
T1059.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell, Winter Vivern
|
2024-05-15
|
ICACLS Grant Command
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
|
TTP
|
Ransomware, XMRig
|
2024-05-15
|
Linux Add Files In Known Crontab Directories
|
Sysmon for Linux EventID 11
|
T1053.003
T1053
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation, Scheduled Tasks
|
2024-05-15
|
Linux Insert Kernel Module Using Insmod Utility
|
Sysmon for Linux EventID 1
|
T1547.006
T1547
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-05-15
|
Linux Install Kernel Module Using Modprobe Utility
|
Sysmon for Linux EventID 1
|
T1547.006
T1547
|
Anomaly
|
Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit
|
2024-05-15
|
Linux Possible Ssh Key File Creation
|
Sysmon for Linux EventID 11
|
T1098.004
T1098
|
Anomaly
|
Linux Living Off The Land, Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-15
|
Process Creating LNK file in Suspicious Location
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
T1566.002
|
TTP
|
Amadey, Gozi Malware, IcedID, Qakbot, Spearphishing Attachments
|
2024-05-15
|
Schedule Task with HTTP Command Arguments
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
Living Off The Land, Scheduled Tasks, Windows Persistence Techniques, Winter Vivern
|
2024-05-15
|
Schedule Task with Rundll32 Command Trigger
|
Windows Event Log Security 4698
|
T1053
|
TTP
|
IcedID, Living Off The Land, Scheduled Tasks, Trickbot, Windows Persistence Techniques
|
2024-05-15
|
System User Discovery With Whoami
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1033
|
Hunting
|
Active Directory Discovery, CISA AA23-347A, Qakbot, Rhysida Ransomware, Winter Vivern
|
2024-05-15
|
Unload Sysmon Filter Driver
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1562.001
T1562
|
TTP
|
CISA AA23-347A, Disabling Security Tools
|
2024-05-15
|
Unusual Number of Kerberos Service Tickets Requested
|
Windows Event Log Security 4769
|
T1558
T1558.003
|
Anomaly
|
Active Directory Kerberos Attacks
|
2024-05-15
|
Windows AppLocker Block Events
|
|
T1218
|
Anomaly
|
Windows AppLocker
|
2024-05-15
|
Windows BootLoader Inventory
|
|
T1542.001
T1542
|
Hunting
|
BlackLotus Campaign, Windows BootKits
|
2024-05-15
|
Windows Command and Scripting Interpreter Hunting Path Traversal
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
Hunting
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-05-15
|
Windows Hijack Execution Flow Version Dll Side Load
|
Sysmon EventID 7
|
T1574.001
T1574
|
Anomaly
|
Brute Ratel C4
|
2024-05-15
|
Windows IIS Components Module Failed to Load
|
Windows Event Log Application 2282
|
T1505
T1505.004
|
Anomaly
|
IIS Components
|
2024-05-15
|
Windows Impair Defense Change Win Defender Health Check Intervals
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-15
|
Windows Modify Registry Default Icon Setting
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
LockBit Ransomware
|
2024-05-15
|
Windows Modify Registry No Auto Update
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Anomaly
|
CISA AA23-347A, RedLine Stealer
|
2024-05-15
|
Windows Modify Registry Risk Behavior
|
|
T1112
|
Correlation
|
Windows Registry Abuse
|
2024-05-15
|
Windows Modify Registry WuServer
|
Sysmon EventID 12, Sysmon EventID 13
|
T1112
|
Hunting
|
RedLine Stealer
|
2024-05-15
|
Windows Suspect Process With Authentication Traffic
|
Sysmon EventID 3
|
T1087
T1087.002
T1204
T1204.002
|
Anomaly
|
Active Directory Discovery
|
2024-05-15
|
WMI Recon Running Process Or Services
|
Powershell Script Block Logging 4104
|
T1592
|
Anomaly
|
Data Destruction, Hermetic Wiper, Malicious PowerShell
|
2024-05-15
|
DNS Query Length With High Standard Deviation
|
Sysmon EventID 22
|
T1048.003
T1048
|
Anomaly
|
Command And Control, Hidden Cobra Malware, Suspicious DNS Traffic
|
2024-05-15
|
Hosts receiving high volume of network traffic from email server
|
|
T1114.002
T1114
|
Anomaly
|
Collection and Staging
|
2024-05-15
|
Large Volume of DNS ANY Queries
|
|
T1498
T1498.002
|
Anomaly
|
DNS Amplification Attacks
|
2024-05-15
|
Web JSP Request via URL
|
Nginx Access
|
T1505.003
T1505
T1190
T1133
|
TTP
|
Spring4Shell CVE-2022-22965
|
2024-05-15
|
Zscaler Adware Activities Threat Blocked
|
|
T1566
|
Anomaly
|
Zscaler Browser Proxy Threats
|
2024-05-15
|
Detect New Login Attempts to Routers
|
|
|
TTP
|
Router and Infrastructure Security
|
2024-05-14
|
Splunk Improperly Formatted Parameter Crashes splunkd
|
|
T1499
|
TTP
|
Splunk Vulnerabilities
|
2024-05-14
|
AWS Defense Evasion Delete Cloudtrail
|
AWS CloudTrail DeleteTrail
|
T1562.008
T1562
|
TTP
|
AWS Defense Evasion
|
2024-05-14
|
aws detect sts get session token abuse
|
|
T1550
|
Hunting
|
AWS Cross Account Activity
|
2024-05-14
|
AWS Network Access Control List Created with All Open Ports
|
AWS CloudTrail CreateNetworkAclEntry, AWS CloudTrail ReplaceNetworkAclEntry
|
T1562.007
T1562
|
TTP
|
AWS Network ACL Activity
|
2024-05-14
|
Azure AD Multi-Source Failed Authentications Spike
|
Azure Active Directory
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Hunting
|
Azure Active Directory Account Takeover, NOBELIUM Group
|
2024-05-14
|
Azure AD New Custom Domain Added
|
Azure Active Directory Add unverified domain
|
T1484
T1484.002
|
TTP
|
Azure Active Directory Persistence
|
2024-05-14
|
Azure AD PIM Role Assigned
|
Azure Active Directory
|
T1098
T1098.003
|
TTP
|
Azure Active Directory Persistence, Azure Active Directory Privilege Escalation
|
2024-05-14
|
Cloud Compute Instance Created With Previously Unseen Instance Type
|
AWS CloudTrail
|
|
Anomaly
|
Cloud Cryptomining
|
2024-05-14
|
Detect GCP Storage access from a new IP
|
|
T1530
|
Anomaly
|
Suspicious GCP Storage Activities
|
2024-05-14
|
GCP Detect gcploit framework
|
|
T1078
|
TTP
|
GCP Cross Account Activity
|
2024-05-14
|
Gsuite Suspicious Shared File Name
|
G Suite Drive
|
T1566.001
T1566
|
Anomaly
|
Dev Sec Ops
|
2024-05-14
|
O365 Mail Permissioned Application Consent Granted by User
|
O365 Consent to application.
|
T1528
|
TTP
|
Office 365 Account Takeover
|
2024-05-14
|
O365 Mailbox Folder Read Permission Assigned
|
|
T1098
T1098.002
|
TTP
|
Office 365 Collection Techniques
|
2024-05-14
|
O365 Mailbox Read Access Granted to Application
|
O365 Update application.
|
T1114.002
T1114
T1098
T1098.003
|
TTP
|
Office 365 Persistence Mechanisms
|
2024-05-14
|
O365 OAuth App Mailbox Access via EWS
|
O365 MailItemsAccessed
|
T1114.002
|
TTP
|
NOBELIUM Group, Office 365 Collection Techniques
|
2024-05-14
|
O365 Privileged Graph API Permission Assigned
|
O365 Update application.
|
T1003.002
|
TTP
|
NOBELIUM Group, Office 365 Persistence Mechanisms
|
2024-05-14
|
Detect SharpHound Usage
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1087.002
T1069.001
T1482
T1087.001
T1087
T1069.002
T1069
|
TTP
|
Ransomware, Windows Discovery Techniques
|
2024-05-14
|
Disable Defender Submit Samples Consent Feature
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Azorult, CISA AA23-347A, IcedID, Windows Registry Abuse
|
2024-05-14
|
Disable Registry Tool
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
T1112
|
TTP
|
NjRAT, Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
Get-ForestTrust with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1482
T1059.001
|
TTP
|
Active Directory Discovery
|
2024-05-14
|
Interactive Session on Remote Endpoint with PowerShell
|
Powershell Script Block Logging 4104
|
T1021
T1021.006
|
TTP
|
Active Directory Lateral Movement
|
2024-05-14
|
Linux Indicator Removal Service File Deletion
|
Sysmon for Linux EventID 1
|
T1070.004
T1070
|
Anomaly
|
AwfulShred, Data Destruction
|
2024-05-14
|
Linux Kworker Process In Writable Process Path
|
Sysmon for Linux EventID 1
|
T1036.004
T1036
|
Hunting
|
Cyclops Blink, Sandworm Tools
|
2024-05-14
|
Linux Preload Hijack Library Calls
|
Sysmon for Linux EventID 1
|
T1574.006
T1574
|
TTP
|
Linux Persistence Techniques, Linux Privilege Escalation
|
2024-05-14
|
Linux Stop Services
|
Sysmon for Linux EventID 1
|
T1489
|
TTP
|
AwfulShred, Data Destruction, Industroyer2
|
2024-05-14
|
MacOS - Re-opened Applications
|
Sysmon EventID 1
|
|
TTP
|
ColdRoot MacOS RAT
|
2024-05-14
|
MSHTML Module Load in Office Product
|
Sysmon EventID 7
|
T1566
T1566.001
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Spearphishing Attachments
|
2024-05-14
|
Office Application Drop Executable
|
Sysmon EventID 1, Sysmon EventID 11
|
T1566
T1566.001
|
TTP
|
AgentTesla, CVE-2023-21716 Word RTF Heap Corruption, FIN7, PlugX, Warzone RAT
|
2024-05-14
|
Powershell Creating Thread Mutex
|
Powershell Script Block Logging 4104
|
T1027
T1027.005
T1059.001
|
TTP
|
Malicious PowerShell
|
2024-05-14
|
PowerShell Invoke WmiExec Usage
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Suspicious WMI Use
|
2024-05-14
|
Remote Process Instantiation via WMI and PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1047
|
TTP
|
Active Directory Lateral Movement
|
2024-05-14
|
Rundll32 DNSQuery
|
Sysmon EventID 22
|
T1218
T1218.011
|
TTP
|
IcedID, Living Off The Land
|
2024-05-14
|
Samsam Test File Write
|
Sysmon EventID 11
|
T1486
|
TTP
|
SamSam Ransomware
|
2024-05-14
|
Short Lived Windows Accounts
|
Windows Event Log System 4720, Windows Event Log System 4726
|
T1136.001
T1136
|
TTP
|
Active Directory Lateral Movement
|
2024-05-14
|
Spoolsv Spawning Rundll32
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1547.012
T1547
|
TTP
|
PrintNightmare CVE-2021-34527
|
2024-05-14
|
Suspicious Event Log Service Behavior
|
Windows Event Log Security 1100
|
T1070
T1070.001
|
Hunting
|
Clop Ransomware, Ransomware, Windows Log Manipulation
|
2024-05-14
|
Suspicious mshta spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218
T1218.005
|
TTP
|
Living Off The Land, Suspicious MSHTA Activity
|
2024-05-14
|
Svchost LOLBAS Execution Process Spawn
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053
T1053.005
|
TTP
|
Active Directory Lateral Movement, Living Off The Land, Scheduled Tasks
|
2024-05-14
|
System Information Discovery Detection
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1082
|
TTP
|
BlackSuit Ransomware, Gozi Malware, Windows Discovery Techniques
|
2024-05-14
|
Uninstall App Using MsiExec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.007
T1218
|
TTP
|
Ransomware
|
2024-05-14
|
Vbscript Execution Using Wscript App
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059.005
T1059
|
TTP
|
AsyncRAT, FIN7, Remcos
|
2024-05-14
|
Windows Impair Defense Disable Realtime Signature Delivery
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
Windows Impair Defense Disable Win Defender Gen reports
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-14
|
Windows Kerberos Local Successful Logon
|
Windows Event Log Security 4624
|
T1558
|
TTP
|
Active Directory Kerberos Attacks, Local Privilege Escalation With KrbRelayUp
|
2024-05-14
|
Windows Modify Registry Regedit Silent Reg Import
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
Anomaly
|
Azorult
|
2024-05-14
|
Windows PowerShell IIS Components WebGlobalModule Usage
|
Powershell Script Block Logging 4104
|
T1505
T1505.004
|
Anomaly
|
IIS Components
|
2024-05-14
|
Windows Proxy Via Netsh
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1090.001
T1090
|
Anomaly
|
Volt Typhoon
|
2024-05-14
|
Windows Regsvr32 Renamed Binary
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1218.010
T1218
|
TTP
|
Qakbot
|
2024-05-14
|
Windows Remote Access Software RMS Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1219
|
TTP
|
Azorult
|
2024-05-14
|
Windows Replication Through Removable Media
|
Sysmon EventID 11
|
T1091
|
TTP
|
Chaos Ransomware, NjRAT, PlugX
|
2024-05-14
|
Windows Scheduled Task Service Spawned Shell
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1053.005
T1059
|
TTP
|
Windows Persistence Techniques
|
2024-05-14
|
Windows Service Deletion In Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1489
|
Anomaly
|
Brute Ratel C4, PlugX
|
2024-05-14
|
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
|
Windows Event Log Security 4648
|
T1110.003
T1110
|
Anomaly
|
Active Directory Password Spraying, Insider Threat, Volt Typhoon
|
2024-05-14
|
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
|
Suricata
|
T1190
|
TTP
|
CISA AA24-241A, Ivanti Connect Secure VPN Vulnerabilities
|
2024-05-14
|
Juniper Networks Remote Code Execution Exploit Detection
|
Suricata
|
T1190
T1105
T1059
|
TTP
|
Juniper JunOS Remote Code Execution
|
2024-05-14
|
Okta Multi-Factor Authentication Disabled
|
Okta
|
T1556
T1556.006
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
Okta Suspicious Activity Reported
|
Okta
|
T1078
T1078.001
|
TTP
|
Okta Account Takeover
|
2024-05-13
|
Splunk XSS via View
|
Splunk
|
T1189
|
Hunting
|
Splunk Vulnerabilities
|
2024-05-13
|
ASL AWS Defense Evasion Impair Security Services
|
|
T1562.008
T1562
|
Hunting
|
AWS Defense Evasion
|
2024-05-13
|
AWS Lambda UpdateFunctionCode
|
AWS CloudTrail
|
T1204
|
Hunting
|
Suspicious Cloud User Activities
|
2024-05-13
|
AWS New MFA Method Registered For User
|
AWS CloudTrail CreateVirtualMFADevice
|
T1556
T1556.006
|
TTP
|
AWS Identity and Access Management Account Takeover
|
2024-05-13
|
AWS S3 Exfiltration Behavior Identified
|
|
T1537
|
Correlation
|
Data Exfiltration, Suspicious Cloud Instance Activities
|
2024-05-13
|
Azure AD Multiple Service Principals Created by SP
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-13
|
Azure AD Multiple Service Principals Created by User
|
Azure Active Directory Add service principal
|
T1136.003
|
Anomaly
|
Azure Active Directory Persistence, NOBELIUM Group
|
2024-05-13
|
Azure AD Multiple Users Failing To Authenticate From Ip
|
Azure Active Directory
|
T1586
T1586.003
T1110
T1110.003
T1110.004
|
Anomaly
|
Azure Active Directory Account Takeover
|
2024-05-13
|
Gdrive suspicious file sharing
|
|
T1566
|
Hunting
|
Data Exfiltration, Spearphishing Attachments
|
2024-05-13
|
GitHub Pull Request from Unknown User
|
GitHub
|
T1195.001
T1195
|
Anomaly
|
Dev Sec Ops
|
2024-05-13
|
Kubernetes Anomalous Inbound Outbound Network IO
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-13
|
Kubernetes Previously Unseen Process
|
|
T1204
|
Anomaly
|
Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring
|
2024-05-13
|
Kubernetes Suspicious Image Pulling
|
Kubernetes Audit
|
T1526
|
Anomaly
|
Kubernetes Security
|
2024-05-13
|
ConnectWise ScreenConnect Path Traversal
|
Sysmon EventID 11
|
T1190
|
TTP
|
ConnectWise ScreenConnect Vulnerabilities
|
2024-05-13
|
Disabling NoRun Windows App
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
T1112
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
GetDomainController with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Discovery
|
2024-05-13
|
GetLocalUser with PowerShell Script Block
|
Powershell Script Block Logging 4104
|
T1087
T1087.001
T1059.001
|
Hunting
|
Active Directory Discovery, Malicious PowerShell
|
2024-05-13
|
Hiding Files And Directories With Attrib exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1222
T1222.001
|
TTP
|
Azorult, Windows Defense Evasion Tactics, Windows Persistence Techniques
|
2024-05-13
|
Malicious PowerShell Process - Execution Policy Bypass
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
T1059.001
|
TTP
|
AsyncRAT, DHS Report TA18-074A, DarkCrystal RAT, HAFNIUM Group, Volt Typhoon
|
2024-05-13
|
MSBuild Suspicious Spawned By Script Process
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1127.001
T1127
|
TTP
|
Trusted Developer Utilities Proxy Execution MSBuild
|
2024-05-13
|
Office Product Spawning Wmic
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1566
T1566.001
|
TTP
|
CVE-2023-36884 Office and Windows HTML RCE Vulnerability, FIN7, Spearphishing Attachments
|
2024-05-13
|
Powershell Enable SMB1Protocol Feature
|
Powershell Script Block Logging 4104
|
T1027
T1027.005
|
TTP
|
Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware
|
2024-05-13
|
Powershell Remote Thread To Known Windows Process
|
Sysmon EventID 8
|
T1055
|
TTP
|
Trickbot
|
2024-05-13
|
Remote System Discovery with Dsquery
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
Hunting
|
Active Directory Discovery
|
2024-05-13
|
Resize ShadowStorage volume
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
BlackByte Ransomware, Clop Ransomware
|
2024-05-13
|
Rundll32 Shimcache Flush
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1112
|
TTP
|
Living Off The Land, Unusual Processes
|
2024-05-13
|
SchCache Change By App Connect And Create ADSI Object
|
Sysmon EventID 11
|
T1087.002
T1087
|
Anomaly
|
BlackMatter Ransomware
|
2024-05-13
|
Screensaver Event Trigger Execution
|
Sysmon EventID 12, Sysmon EventID 13
|
T1546
T1546.002
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-13
|
Suspicious microsoft workflow compiler rename
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1036
T1127
T1036.003
|
Hunting
|
BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution
|
2024-05-13
|
Suspicious Process DNS Query Known Abuse Web Services
|
Sysmon EventID 22
|
T1059.005
T1059
|
TTP
|
Data Destruction, Phemedrone Stealer, Remcos, Snake Keylogger, WhisperGate
|
2024-05-13
|
Time Provider Persistence Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1547.003
T1547
|
TTP
|
Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse
|
2024-05-13
|
WBAdmin Delete System Backups
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1490
|
TTP
|
Chaos Ransomware, Prestige Ransomware, Ransomware, Ryuk Ransomware
|
2024-05-13
|
Wbemprox COM Object Execution
|
Sysmon EventID 7
|
T1218
T1218.003
|
TTP
|
LockBit Ransomware, Ransomware, Revil Ransomware
|
2024-05-13
|
Windows AdFind Exe
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1018
|
TTP
|
BlackSuit Ransomware, Domain Trust Discovery, Graceful Wipe Out Attack, IcedID, NOBELIUM Group
|
2024-05-13
|
Windows Command and Scripting Interpreter Path Traversal Exec
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1059
|
TTP
|
Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190, Windows Defense Evasion Tactics
|
2024-05-13
|
Windows Credentials from Password Stores Chrome Login Data Access
|
Windows Event Log Security 4663
|
T1012
|
Anomaly
|
Amadey, DarkGate Malware, MoonPeak, NjRAT, Phemedrone Stealer, RedLine Stealer, Snake Keylogger, Warzone RAT
|
2024-05-13
|
Windows Get-AdComputer Unconstrained Delegation Discovery
|
Powershell Script Block Logging 4104
|
T1018
|
TTP
|
Active Directory Kerberos Attacks
|
2024-05-13
|
Windows Impair Defense Change Win Defender Tracing Level
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
TTP
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
Windows Impair Defense Delete Win Defender Profile Registry
|
Sysmon EventID 12, Sysmon EventID 13
|
T1562.001
T1562
|
Anomaly
|
Windows Defense Evasion Tactics, Windows Registry Abuse
|
2024-05-13
|
Windows Indicator Removal Via Rmdir
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1070
|
Anomaly
|
DarkGate Malware
|
2024-05-13
|
Windows Modify Registry DisableSecuritySettings | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | CISA AA23-347A, DarkGate Malware | 2024-05-13
Windows Modify Registry EnableLinkedConnections | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | BlackByte Ransomware | 2024-05-13
Windows Modify Registry Tamper Protection | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | RedLine Stealer | 2024-05-13
Windows PowerView SPN Discovery | Powershell Script Block Logging 4104 | T1558, T1558.003 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2024-05-13
Windows Privilege Escalation User Process Spawn System Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1068, T1548, T1134 | TTP | BlackSuit Ransomware, Windows Privilege Escalation | 2024-05-13
Windows Process With NamedPipe CommandLine | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | Anomaly | Windows Defense Evasion Tactics | 2024-05-13
Windows Remote Services Rdp Enable | Sysmon EventID 12, Sysmon EventID 13 | T1021.001, T1021 | TTP | Azorult, BlackSuit Ransomware | 2024-05-13
Windows Service Create Kernel Mode Driver | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543.003, T1543, T1068 | TTP | CISA AA22-320A, Windows Drivers | 2024-05-13
Windows SIP WinVerifyTrust Failed Trust Validation | Windows Event Log CAPI2 81 | T1553.003 | Anomaly | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-05-13
Windows Snake Malware Registry Modification wav OpenWithProgIds | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | Snake Malware | 2024-05-13
Windows Snake Malware Service Create | Windows Event Log System 7045 | T1547.006, T1569.002 | TTP | Snake Malware | 2024-05-13
Windows Steal or Forge Kerberos Tickets Klist | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1558 | Hunting | Prestige Ransomware, Windows Post-Exploitation | 2024-05-13
Detect suspicious DNS TXT records using pretrained model in DSDL | | T1568.002 | Anomaly | Command And Control, DNS Hijacking, Suspicious DNS Traffic | 2024-05-13
Unusually Long Content-Type Length | | | Anomaly | Apache Struts Vulnerability | 2024-05-13
Zscaler Exploit Threat Blocked | | T1566 | TTP | Zscaler Browser Proxy Threats | 2024-05-13
Okta Unauthorized Access to Application | Okta | T1087.004 | Anomaly | Okta Account Takeover | 2024-05-12
AWS CreateAccessKey | AWS CloudTrail CreateAccessKey | T1136.003, T1136 | Hunting | AWS IAM Privilege Escalation | 2024-05-12
aws detect attach to role policy | | T1078 | Hunting | AWS Cross Account Activity | 2024-05-12
AWS ECR Container Scanning Findings High | AWS CloudTrail DescribeImageScanFindings | T1204.003, T1204 | TTP | Dev Sec Ops | 2024-05-12
AWS Successful Single-Factor Authentication | AWS CloudTrail ConsoleLogin | T1586, T1586.003, T1078, T1078.004 | TTP | AWS Identity and Access Management Account Takeover | 2024-05-12
Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | T1098.002, T1098.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-05-12
Detect Spike in blocked Outbound Traffic from your AWS | | | Anomaly | AWS Network ACL Activity, Command And Control, Suspicious AWS Traffic | 2024-05-12
Kubernetes Access Scanning | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2024-05-12
Kubernetes Node Port Creation | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2024-05-12
Kubernetes Pod Created in Default Namespace | Kubernetes Audit | T1204 | Anomaly | Kubernetes Security | 2024-05-12
O365 High Privilege Role Granted | O365 Add member to role. | T1098, T1098.003 | TTP | Office 365 Persistence Mechanisms | 2024-05-12
O365 Multiple AppIDs and UserAgents Authentication Spike | O365 UserLoggedIn, O365 UserLoginFailed | T1078 | Anomaly | Office 365 Account Takeover | 2024-05-12
O365 Service Principal New Client Credentials | O365 | T1098, T1098.001 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-05-12
Detect AzureHound File Modifications | Sysmon EventID 11 | T1087.002, T1069.001, T1482, T1087.001, T1087, T1069.002, T1069 | TTP | Windows Discovery Techniques | 2024-05-12
Detect Certify With PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1649, T1059, T1059.001 | TTP | Malicious PowerShell, Windows Certificate Services | 2024-05-12
Disabled Kerberos Pre-Authentication Discovery With PowerView | Powershell Script Block Logging 4104 | T1558, T1558.004 | TTP | Active Directory Kerberos Attacks | 2024-05-12
Domain Group Discovery with Adsisearcher | Powershell Script Block Logging 4104 | T1069, T1069.002 | TTP | Active Directory Discovery | 2024-05-12
Domain Group Discovery With Wmic | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1069, T1069.002 | Hunting | Active Directory Discovery | 2024-05-12
Enable WDigest UseLogonCredential Registry | Sysmon EventID 12, Sysmon EventID 13 | T1112, T1003 | TTP | CISA AA22-320A, Credential Dumping, Windows Registry Abuse | 2024-05-12
Excessive File Deletion In WinDefender Folder | Sysmon EventID 23 | T1485 | TTP | BlackByte Ransomware, Data Destruction, WhisperGate | 2024-05-12
Execute Javascript With Jscript COM CLSID | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059, T1059.005 | TTP | Ransomware | 2024-05-12
GetDomainComputer with PowerShell Script Block | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2024-05-12
Impacket Lateral Movement smbexec CommandLine Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021, T1021.002, T1021.003, T1047, T1543.003 | TTP | Active Directory Lateral Movement, CISA AA22-277A, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate | 2024-05-12
Jscript Execution Using Cscript App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059, T1059.007 | TTP | FIN7, Remcos | 2024-05-12
Kerberos Pre-Authentication Flag Disabled with PowerShell | Powershell Script Block Logging 4104 | T1558, T1558.004 | TTP | Active Directory Kerberos Attacks | 2024-05-12
Mmc LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021, T1021.003, T1218.014 | TTP | Active Directory Lateral Movement, Living Off The Land | 2024-05-12
Office Document Executing Macro Code | Sysmon EventID 7 | T1566, T1566.001 | TTP | AgentTesla, Azorult, DarkCrystal RAT, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot | 2024-05-12
Office Document Spawned Child Process To Download | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, NjRAT, PlugX, Spearphishing Attachments | 2024-05-12
Potentially malicious code on commandline | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.003 | Anomaly | Suspicious Command-Line Executions | 2024-05-12
PowerShell - Connect To Internet With Hidden Window | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.001, T1059 | Hunting | AgentTesla, Data Destruction, HAFNIUM Group, Hermetic Wiper, Log4Shell CVE-2021-44228, Malicious PowerShell, Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns | 2024-05-12
PowerShell WebRequest Using Memory Stream | Powershell Script Block Logging 4104 | T1059.001, T1105, T1027.011 | TTP | Malicious PowerShell, MoonPeak | 2024-05-12
Remote Process Instantiation via DCOM and PowerShell Script Block | Powershell Script Block Logging 4104 | T1021, T1021.003 | TTP | Active Directory Lateral Movement | 2024-05-12
Remote System Discovery with Net | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | Hunting | Active Directory Discovery, IcedID | 2024-05-12
Revil Common Exec Parameter | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204 | TTP | Ransomware, Revil Ransomware | 2024-05-12
Sdclt UAC Bypass | CrowdStrike ProcessRollup2, Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13, Windows Event Log Security 4688 | T1548.002, T1548 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-12
Suspicious DLLHost no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-05-12
Suspicious Image Creation In Appdata Folder | Sysmon EventID 1, Sysmon EventID 11 | T1113 | TTP | Remcos | 2024-05-12
Suspicious Process File Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1543 | TTP | AgentTesla, Amadey, AsyncRAT, Azorult, BlackByte Ransomware, Brute Ratel C4, CISA AA23-347A, Chaos Ransomware, DarkCrystal RAT, DarkGate Malware, Data Destruction, Double Zero Destructor, Graceful Wipe Out Attack, Handala Wiper, Hermetic Wiper, IcedID, Industroyer2, LockBit Ransomware, MoonPeak, Phemedrone Stealer, PlugX, Prestige Ransomware, Qakbot, RedLine Stealer, Remcos, Rhysida Ransomware, Swift Slicer, Trickbot, Volt Typhoon, Warzone RAT, WhisperGate, XMRig | 2024-05-12
USN Journal Deletion | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070 | TTP | Ransomware, Windows Log Manipulation | 2024-05-12
Windows AD Domain Controller Audit Policy Disabled | Windows Event Log Security 4719 | T1562.001 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-12
Windows AD DSRM Password Reset | Windows Event Log Security 4794 | T1098 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-12
Windows ClipBoard Data via Get-ClipBoard | Powershell Script Block Logging 4104 | T1115 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-12
Windows Disable Memory Crash Dump | Sysmon EventID 12, Sysmon EventID 13 | T1485 | TTP | Data Destruction, Hermetic Wiper, Ransomware, Windows Registry Abuse | 2024-05-12
Windows Domain Admin Impersonation Indicator | Windows Event Log Security 4627 | T1558 | TTP | Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Gozi Malware | 2024-05-12
Windows IIS Components New Module Added | Windows IIS 29 | T1505, T1505.004 | TTP | IIS Components | 2024-05-12
Windows Modify Registry Disabling WER Settings | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | Azorult, CISA AA23-347A | 2024-05-12
Windows Modify Registry Qakbot Binary Data Registry | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Qakbot | 2024-05-12
Windows Mshta Execution In Registry | Sysmon EventID 12, Sysmon EventID 13 | T1218.005 | TTP | Suspicious Windows Registry Activities, Windows Persistence Techniques | 2024-05-12
Windows Multiple Accounts Disabled | Windows Event Log Security 4725 | T1098, T1078 | TTP | Azure Active Directory Persistence | 2024-05-12
Windows PowerSploit GPP Discovery | Powershell Script Block Logging 4104 | T1552, T1552.006 | TTP | Active Directory Privilege Escalation | 2024-05-12
Windows Registry Delete Task SD | Sysmon EventID 12, Sysmon EventID 13 | T1053.005, T1562 | Anomaly | Scheduled Tasks, Windows Persistence Techniques, Windows Registry Abuse | 2024-05-12
Windows Unusual Count Of Users Failed To Authenticate Using NTLM | Windows Event Log Security 4776 | T1110.003, T1110 | Anomaly | Active Directory Password Spraying, Volt Typhoon | 2024-05-12
Wsmprovhost LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1021, T1021.006 | TTP | Active Directory Lateral Movement, CISA AA24-241A | 2024-05-12
Detect IPv6 Network Infrastructure Threats | | T1200, T1498, T1557, T1557.002 | TTP | Router and Infrastructure Security | 2024-05-12
Fortinet Appliance Auth bypass | Palo Alto Network Threat | T1190, T1133 | TTP | CVE-2022-40684 Fortinet Appliance Auth bypass | 2024-05-12
SQL Injection with Long URLs | | T1190 | TTP | SQL Injection | 2024-05-12
VMware Server Side Template Injection Hunt | Palo Alto Network Threat | T1190, T1133 | Hunting | VMware Server Side Injection and Privilege Escalation | 2024-05-12
Zscaler Malware Activity Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-12
Zscaler Phishing Activity Threat Blocked | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-12
Okta Multiple Accounts Locked Out | Okta | T1110 | Anomaly | Okta Account Takeover | 2024-05-11
Okta New API Token Created | Okta | T1078, T1078.001 | TTP | Okta Account Takeover | 2024-05-11
Web Servers Executing Suspicious Processes | Sysmon EventID 1 | T1082 | TTP | Apache Struts Vulnerability | 2024-05-11
AWS Exfiltration via Bucket Replication | AWS CloudTrail PutBucketReplication | T1537 | TTP | Data Exfiltration, Suspicious AWS S3 Activities | 2024-05-11
AWS IAM Failure Group Deletion | AWS CloudTrail DeleteGroup | T1098 | Anomaly | AWS IAM Privilege Escalation | 2024-05-11
Azure AD External Guest User Invited | Azure Active Directory Invite external user | T1136.003 | TTP | Azure Active Directory Persistence | 2024-05-11
Azure AD Privileged Graph API Permission Assigned | Azure Active Directory Update application | T1003.002 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-05-11
Azure AD Service Principal New Client Credentials | Azure Active Directory | T1098, T1098.001 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-05-11
Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | T1136, T1136.003 | TTP | Azure Active Directory Persistence | 2024-05-11
GCP Authentication Failed During MFA Challenge | Google Workspace login_failure | T1586, T1586.003, T1078, T1078.004, T1621 | TTP | GCP Account Takeover | 2024-05-11
Gsuite Email With Known Abuse Web Service Link | G Suite Gmail | T1566.001, T1566 | Anomaly | Dev Sec Ops | 2024-05-11
Kubernetes Abuse of Secret by Unusual Location | Kubernetes Audit | T1552.007 | Anomaly | Kubernetes Security | 2024-05-11
Kubernetes Shell Running on Worker Node with CPU Activity | | T1204 | Anomaly | Abnormal Kubernetes Behavior using Splunk Infrastructure Monitoring | 2024-05-11
O365 Application Registration Owner Added | O365 Add owner to application. | T1098 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-05-11
O365 Disable MFA | O365 Disable Strong Authentication. | T1556 | TTP | Office 365 Persistence Mechanisms | 2024-05-11
O365 FullAccessAsApp Permission Assigned | O365 Update application. | T1098.002, T1098.003 | TTP | NOBELIUM Group, Office 365 Persistence Mechanisms | 2024-05-11
Check Elevated CMD using whoami | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | TTP | FIN7 | 2024-05-11
Detect Empire with PowerShell Script Block Logging | Powershell Script Block Logging 4104 | T1059, T1059.001 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell | 2024-05-11
Disable Windows App Hotkeys | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562, T1112 | TTP | Windows Registry Abuse, XMRig | 2024-05-11
Disabling FolderOptions Windows Feature | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | CISA AA23-347A, Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-11
Firewall Allowed Program Enable | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.004, T1562 | Anomaly | Azorult, BlackByte Ransomware, NjRAT, PlugX, Windows Defense Evasion Tactics | 2024-05-11
Get DomainPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | TTP | Active Directory Discovery | 2024-05-11
GetWmiObject DS User with PowerShell Script Block | Powershell Script Block Logging 4104 | T1087.002, T1087 | TTP | Active Directory Discovery | 2024-05-11
Linux File Created In Kernel Driver Directory | Sysmon for Linux EventID 11 | T1547.006, T1547 | Anomaly | Linux Persistence Techniques, Linux Privilege Escalation, Linux Rootkit | 2024-05-11
Linux Impair Defenses Process Kill | Sysmon for Linux EventID 1 | T1562.001, T1562 | Hunting | AwfulShred, Data Destruction | 2024-05-11
LOLBAS With Network Traffic | Sysmon EventID 3 | T1105, T1567, T1218 | TTP | Living Off The Land | 2024-05-11
Office Product Spawning BITSAdmin | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1566, T1566.001 | TTP | CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Spearphishing Attachments | 2024-05-11
Permission Modification using Takeown App | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1222 | TTP | Ransomware, Sandworm Tools | 2024-05-11
Potential password in username | Linux Secure | T1078.003, T1552.001 | Hunting | Credential Dumping, Insider Threat | 2024-05-11
PowerShell 4104 Hunting | Powershell Script Block Logging 4104 | T1059, T1059.001 | Hunting | CISA AA23-347A, CISA AA24-241A, DarkGate Malware, Data Destruction, Flax Typhoon, Hermetic Wiper, Malicious PowerShell, Rhysida Ransomware | 2024-05-11
Rundll32 CreateRemoteThread In Browser | Sysmon EventID 8 | T1055 | TTP | IcedID, Living Off The Land | 2024-05-11
Schtasks used for forcing a reboot | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1053.005, T1053 | TTP | Ransomware, Scheduled Tasks, Windows Persistence Techniques | 2024-05-11
Script Execution via WMI | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Suspicious WMI Use | 2024-05-11
ServicePrincipalNames Discovery with PowerShell | Powershell Script Block Logging 4104 | T1558.003 | TTP | Active Directory Discovery, Active Directory Kerberos Attacks, Active Directory Privilege Escalation, Malicious PowerShell | 2024-05-11
Sunburst Correlation DLL and Network Event | Sysmon EventID 22, Sysmon EventID 7 | T1203 | TTP | NOBELIUM Group | 2024-05-11
Suspicious GPUpdate no Command Line Arguments | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1055 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack | 2024-05-11
Suspicious Linux Discovery Commands | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059.004 | TTP | Linux Post-Exploitation | 2024-05-11
Suspicious msbuild path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036, T1127, T1036.003, T1127.001 | TTP | BlackByte Ransomware, Cobalt Strike, Graceful Wipe Out Attack, Living Off The Land, Masquerading - Rename System Utilities, Trusted Developer Utilities Proxy Execution MSBuild | 2024-05-11
Unusual Number of Remote Endpoint Authentication Events | Windows Event Log Security 4624 | T1078 | Hunting | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-05-11
Windows AD Cross Domain SID History Addition | Windows Event Log Security 4738, Windows Event Log Security 4742 | T1134.005, T1134 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-11
Windows AD Short Lived Domain Controller SPN Attribute | Windows Event Log Security 4624, Windows Event Log Security 5136 | T1207 | TTP | Sneaky Active Directory Persistence Tricks | 2024-05-11
Windows Cached Domain Credentials Reg Query | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1003.005, T1003 | Anomaly | Prestige Ransomware, Windows Post-Exploitation | 2024-05-11
Windows DLL Search Order Hijacking Hunt with Sysmon | Sysmon EventID 7 | T1574.001, T1574 | Hunting | Living Off The Land, Qakbot, Windows Defense Evasion Tactics | 2024-05-11
Windows Event For Service Disabled | Windows Event Log System 7040 | T1562.001, T1562 | Hunting | RedLine Stealer, Windows Defense Evasion Tactics | 2024-05-11
Windows Impair Defense Delete Win Defender Context Menu | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | Hunting | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-11
Windows Input Capture Using Credential UI Dll | Sysmon EventID 7 | T1056.002, T1056 | Hunting | Brute Ratel C4 | 2024-05-11
Windows Known GraphicalProton Loaded Modules | Sysmon EventID 7 | T1574.002, T1574 | Anomaly | CISA AA23-347A | 2024-05-11
Windows Large Number of Computer Service Tickets Requested | Windows Event Log Security 4769 | T1135, T1078 | Anomaly | Active Directory Lateral Movement, Active Directory Privilege Escalation | 2024-05-11
Windows Mark Of The Web Bypass | Sysmon EventID 23 | T1553.005 | TTP | Warzone RAT | 2024-05-11
Windows Modify Registry Disable Win Defender Raw Write Notif | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | Azorult, CISA AA23-347A | 2024-05-11
Windows Modify Registry ProxyServer | Sysmon EventID 12, Sysmon EventID 13 | T1112 | Anomaly | DarkGate Malware | 2024-05-11
Windows MOVEit Transfer Writing ASPX | Sysmon EventID 11 | T1190, T1133 | TTP | MOVEit Transfer Critical Vulnerability | 2024-05-11
Windows Raw Access To Master Boot Record Drive | Sysmon EventID 9 | T1561.002, T1561 | TTP | BlackByte Ransomware, CISA AA22-264A, Caddy Wiper, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, NjRAT, WhisperGate | 2024-05-11
Windows Steal Authentication Certificates - ESC1 Abuse | Windows Event Log Security 4886, Windows Event Log Security 4887 | T1649 | TTP | Windows Certificate Services | 2024-05-11
Windows Steal Authentication Certificates Certificate Issued | Windows Event Log Security 4887 | T1649 | Anomaly | Windows Certificate Services | 2024-05-11
Windows Steal Authentication Certificates CS Backup | Windows Event Log Security 4876 | T1649 | Anomaly | Windows Certificate Services | 2024-05-11
Prohibited Network Traffic Allowed | | T1048 | TTP | Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, Ransomware | 2024-05-11
Citrix ADC and Gateway Unauthorized Data Disclosure | Suricata | T1190 | TTP | Citrix NetScaler ADC and NetScaler Gateway CVE-2023-4966 | 2024-05-11
Zscaler Employment Search Web Activity | | T1566 | Anomaly | Zscaler Browser Proxy Threats | 2024-05-11
Splunk Enterprise KV Store Incorrect Authorization | Splunk | T1548 | Hunting | Splunk Vulnerabilities | 2024-05-10
AWS Create Policy Version to allow all resources | AWS CloudTrail CreatePolicyVersion | T1078.004, T1078 | TTP | AWS IAM Privilege Escalation | 2024-05-10
AWS Exfiltration via EC2 Snapshot | AWS CloudTrail CreateSnapshot, AWS CloudTrail DeleteSnapshot, AWS CloudTrail ModifySnapshotAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-10
AWS Multiple Users Failing To Authenticate From Ip | AWS CloudTrail ConsoleLogin | T1110, T1110.003, T1110.004 | Anomaly | AWS Identity and Access Management Account Takeover, Compromised User Account | 2024-05-10
AWS Password Policy Changes | AWS CloudTrail DeleteAccountPasswordPolicy, AWS CloudTrail GetAccountPasswordPolicy, AWS CloudTrail UpdateAccountPasswordPolicy | T1201 | Hunting | AWS IAM Privilege Escalation, Compromised User Account | 2024-05-10
Cloud Compute Instance Created In Previously Unused Region | AWS CloudTrail | T1535 | Anomaly | Cloud Cryptomining | 2024-05-10
Gsuite Outbound Email With Attachment To External Domain | G Suite Gmail | T1048.003, T1048 | Hunting | Dev Sec Ops, Insider Threat | 2024-05-10
Kubernetes Scanning by Unauthenticated IP Address | Kubernetes Audit | T1046 | Anomaly | Kubernetes Security | 2024-05-10
Auto Admin Logon Registry Entry | Sysmon EventID 12, Sysmon EventID 13 | T1552.002, T1552 | TTP | BlackMatter Ransomware, Windows Registry Abuse | 2024-05-10
ETW Registry Disabled | Sysmon EventID 12, Sysmon EventID 13 | T1562.006, T1127, T1562 | TTP | CISA AA23-347A, Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation, Windows Registry Abuse | 2024-05-10
GetAdComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | Hunting | Active Directory Discovery | 2024-05-10
GetCurrent User with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1033 | Hunting | Active Directory Discovery | 2024-05-10
GetDomainComputer with PowerShell | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1018 | TTP | Active Directory Discovery | 2024-05-10
Linux High Frequency Of File Deletion In Etc Folder | Sysmon for Linux EventID 11 | T1485, T1070.004, T1070 | Anomaly | AcidRain, Data Destruction | 2024-05-10
Logon Script Event Trigger Execution | Sysmon EventID 13 | T1037, T1037.001 | TTP | Data Destruction, Hermetic Wiper, Windows Persistence Techniques, Windows Privilege Escalation | 2024-05-10
Recursive Delete of Directory In Batch CMD | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1070.004, T1070 | TTP | Ransomware | 2024-05-10
User Discovery With Env Vars PowerShell Script Block | Powershell Script Block Logging 4104 | T1033 | Hunting | Active Directory Discovery | 2024-05-10
Windows DLL Side-Loading In Calc | Sysmon EventID 7 | T1574.002, T1574 | TTP | Qakbot | 2024-05-10
Windows Drivers Loaded by Signature | Sysmon EventID 6 | T1014, T1068 | Hunting | AgentTesla, BlackByte Ransomware, CISA AA22-320A, Windows Drivers | 2024-05-10
Windows Gather Victim Host Information Camera | Powershell Script Block Logging 4104 | T1592.001, T1592 | Anomaly | DarkCrystal RAT | 2024-05-10
Windows Gather Victim Identity SAM Info | Sysmon EventID 7 | T1589.001, T1589 | Hunting | Brute Ratel C4 | 2024-05-10
Windows Impair Defense Disable Win Defender Compute File Hashes | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Windows Defense Evasion Tactics, Windows Registry Abuse | 2024-05-10
Windows Indirect Command Execution Via pcalua | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1202 | TTP | Living Off The Land | 2024-05-10
Windows Modify System Firewall with Notable Process Path | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.004, T1562 | TTP | NjRAT | 2024-05-10
Windows PowerView Constrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2024-05-10
Windows PowerView Unconstrained Delegation Discovery | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Kerberos Attacks, CISA AA23-347A, Rhysida Ransomware | 2024-05-10
Windows Registry Payload Injection | Sysmon EventID 1, Sysmon EventID 12, Sysmon EventID 13 | T1027, T1027.011 | TTP | Unusual Processes | 2024-05-10
Wmiprsve LOLBAS Execution Process Spawn | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1047 | TTP | Active Directory Lateral Movement | 2024-05-10
Detect Unauthorized Assets by MAC address | | | TTP | Asset Tracking | 2024-05-10
Okta User Logins from Multiple Cities | Okta | T1586.003 | Anomaly | Okta Account Takeover | 2024-05-09
AWS AMI Attribute Modification for Exfiltration | AWS CloudTrail ModifyImageAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-09
AWS Credential Access RDS Password reset | AWS CloudTrail ModifyDBInstance | T1586, T1586.003, T1110 | TTP | AWS Identity and Access Management Account Takeover | 2024-05-09
O365 Security And Compliance Alert Triggered | | T1078, T1078.004 | TTP | Office 365 Account Takeover | 2024-05-09
CHCP Command Execution | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1059 | TTP | Azorult, Forest Blizzard, IcedID | 2024-05-09
Get ADUserResultantPasswordPolicy with Powershell Script Block | Powershell Script Block Logging 4104 | T1201 | TTP | Active Directory Discovery, CISA AA23-347A | 2024-05-09
Get DomainUser with PowerShell Script Block | Powershell Script Block Logging 4104 | T1087.002, T1087 | TTP | Active Directory Discovery, CISA AA23-347A | 2024-05-09
Mshta spawning Rundll32 OR Regsvr32 Process | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1218, T1218.005 | TTP | IcedID, Living Off The Land, Trickbot | 2024-05-09
Powershell Execute COM Object | Powershell Script Block Logging 4104 | T1546.015, T1546, T1059.001 | TTP | Data Destruction, Hermetic Wiper, Malicious PowerShell, Ransomware | 2024-05-09
Remote System Discovery with Adsisearcher | Powershell Script Block Logging 4104 | T1018 | TTP | Active Directory Discovery | 2024-05-09
Shim Database Installation With Suspicious Parameters | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1546.011, T1546 | TTP | Windows Persistence Techniques | 2024-05-09
Suspicious Process Executed From Container File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1204.002, T1036.008 | TTP | Amadey, Remcos, Snake Keylogger, Unusual Processes | 2024-05-09
Windows Impair Defense Deny Security Software With Applocker | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Azorult | 2024-05-09
Windows ISO LNK File Creation | Sysmon EventID 11 | T1566.001, T1566, T1204.001, T1204 | Hunting | AgentTesla, Amadey, Azorult, Brute Ratel C4, Gozi Malware, IcedID, Qakbot, Remcos, Spearphishing Attachments, Warzone RAT | 2024-05-09
Windows KrbRelayUp Service Creation | Windows Event Log System 7045 | T1543.003 | TTP | Local Privilege Escalation With KrbRelayUp | 2024-05-09
Windows Mimikatz Crypto Export File Extensions | Sysmon EventID 11 | T1649 | Anomaly | CISA AA23-347A, Sandworm Tools, Windows Certificate Services | 2024-05-09
Windows Modify Registry Disable WinDefender Notifications | Sysmon EventID 12, Sysmon EventID 13 | T1112 | TTP | CISA AA23-347A, RedLine Stealer | 2024-05-09
Windows SIP Provider Inventory | | T1553.003 | Hunting | Subvert Trust Controls SIP and Trust Provider Hijacking | 2024-05-09
Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952 | Palo Alto Network Threat | T1190, T1133 | TTP | Fortinet FortiNAC CVE-2022-39952 | 2024-05-09
AWS Excessive Security Scanning | AWS CloudTrail | T1526 | TTP | AWS User Monitoring | 2024-05-08
PingID New MFA Method Registered For User | PingID | T1621, T1556.006, T1098.005 | TTP | Compromised User Account | 2024-05-07
AWS EC2 Snapshot Shared Externally | AWS CloudTrail ModifySnapshotAttribute | T1537 | TTP | Data Exfiltration, Suspicious Cloud Instance Activities | 2024-05-07
Disable Defender Spynet Reporting | Sysmon EventID 12, Sysmon EventID 13 | T1562.001, T1562 | TTP | Azorult, CISA AA23-347A, IcedID, Qakbot, Windows Registry Abuse | 2024-05-07
Mailsniper Invoke functions | Powershell Script Block Logging 4104 | T1114, T1114.001 | TTP | Data Exfiltration | 2024-05-07
Windows Snake Malware File Modification Crmlog | Sysmon EventID 11 | T1027 | TTP | Snake Malware | 2024-05-07
AWS ECR Container Scanning Findings Medium | AWS CloudTrail DescribeImageScanFindings | T1204.003, T1204 | Anomaly | Dev Sec Ops | 2024-05-06
XMRIG Driver Loaded | Sysmon EventID 6 | T1543.003, T1543 | TTP | CISA AA22-320A, XMRig | 2024-05-06
CMLUA Or CMSTPLUA UAC Bypass | Sysmon EventID 7 | T1218, T1218.003 | TTP | DarkSide Ransomware, LockBit Ransomware, Ransomware | 2024-05-05
Windows PowerShell Disable HTTP Logging | Powershell Script Block Logging 4104 | T1562, T1562.002, T1505, T1505.004 | TTP | IIS Components, Windows Defense Evasion Tactics | 2024-05-05
Disabling Firewall with Netsh | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1562.001, T1562 | Anomaly | BlackByte Ransomware, Windows Defense Evasion Tactics | 2024-05-04
Splunk DOS Via Dump SPL Command | Splunk | T1499.004 | Hunting | Splunk Vulnerabilities | 2024-05-03
Detect Spike in S3 Bucket deletion | AWS CloudTrail | T1530 | Anomaly | Suspicious AWS S3 Activities | 2024-05-03
Suspicious microsoft workflow compiler usage | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1127 | TTP | Living Off The Land, Trusted Developer Utilities Proxy Execution | 2024-05-03
Windows IIS Components Get-WebGlobalModule Module Query | Powershell Installed IIS Modules | T1505.004, T1505 | Hunting | IIS Components, WS FTP Server Critical Vulnerabilities | 2024-05-03
Windows LOLBAS Executed As Renamed File | CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 | T1036, T1036.003, T1218.011 | TTP | Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics | 2024-04-30
Windows LOLBAS Executed Outside Expected Path | Sysmon EventID 1, Windows Event Log Security 4688 | T1036, T1036.005, T1218.011 | TTP | Living Off The Land, Masquerading - Rename System Utilities, Windows Defense Evasion Tactics | 2024-04-29
Monitor Email For Brand Abuse | | | TTP | Brand Monitoring, Suspicious Emails | 2024-04-16
O365 Application Available To Other Tenants | | T1098.003, T1098 | TTP | Azure Active Directory Account Takeover, Azure Active Directory Persistence, Data Exfiltration | 2024-04-11
O365 Cross-Tenant Access Change | | T1484.002 | TTP | Azure Active Directory Persistence | 2024-04-11
O365 External Guest User Invited | | T1136.003 | TTP | Azure Active Directory Persistence | 2024-04-11
O365 External Identity Policy Changed | | T1136.003 | TTP | Azure Active Directory Persistence | 2024-04-11
O365 Privileged Role Assigned | | T1098, T1098.003 | TTP | Azure Active Directory Persistence | 2024-04-11
O365 Privileged Role Assigned To Service Principal | | T1098, T1098.003 | TTP | Azure Active Directory Privilege Escalation | 2024-04-11
Windows Known Abused DLL Loaded Suspiciously | Sysmon EventID 7 | T1574.001, T1574.002, T1574 | TTP | Living Off The Land, Windows Defense Evasion Tactics | 2024-04-06
O365 DLP Rule Triggered | | T1048, T1567 | Anomaly | Data Exfiltration | 2024-04-01
O365 Email Access By Security Administrator | | T1567, T1114, T1114.002 | TTP | Azure Active Directory Account Takeover, Data Exfiltration, Office 365 Account Takeover | 2024-04-01
O365 Email Reported By Admin Found Malicious | | T1566, T1566.001, T1566.002 | TTP | Spearphishing Attachments, Suspicious Emails | 2024-04-01
O365 Email Reported By User Found Malicious | | T1566, T1566.001, T1566.002 | TTP | Spearphishing Attachments, Suspicious Emails | 2024-04-01
O365 Email Security Feature Changed | | T1562, T1562.008, T1562.001 | TTP | Office 365 Account Takeover, Office 365 Persistence Mechanisms | 2024-04-01
O365 Email Suspicious Behavior Alert | | T1114, T1114.003 | TTP | Office 365 Account Takeover, Office 365 Collection Techniques, Suspicious Emails | 2024-04-01
O365 SharePoint Allowed Domains Policy Changed | | T1136.003 | TTP | Azure Active Directory Persistence | 2024-04-01
O365 SharePoint Malware Detection | | T1204.002, T1204 | TTP | Azure Active Directory Persistence, Office 365 Account Takeover, Ransomware Cloud | 2024-04-01
O365 Threat Intelligence Suspicious Email Delivered | | T1566, T1566.001, T1566.002 | Anomaly | Spearphishing Attachments, Suspicious Emails | 2024-04-01
O365 Threat Intelligence Suspicious File Detected | | T1204.002, T1204 | TTP | Azure Active Directory Account Takeover, Office 365 Account Takeover, Ransomware Cloud | 2024-04-01
O365 ZAP Activity Detection | | T1566, T1566.001, T1566.002 | Anomaly | Spearphishing Attachments, Suspicious Emails | 2024-04-01
O365 Safe Links Detection | | T1566, T1566.001 | TTP | Office 365 Account Takeover, Spearphishing Attachments | 2024-03-30
Windows AppLocker Privilege Escalation via Unauthorized Bypass
|
|
T1218
|
TTP
|
Windows AppLocker
|
2024-03-21
|
Windows Multiple NTLM Null Domain Authentications
|
|
T1110
T1110.003
|
TTP
|
Active Directory Password Spraying
|
2024-03-16
|
Windows Unusual NTLM Authentication Destinations By Source
|
|
T1110
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2024-03-16
|
Windows Unusual NTLM Authentication Destinations By User
|
|
T1110
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2024-03-16
|
Windows Unusual NTLM Authentication Users By Destination
|
|
T1110
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2024-03-16
|
Windows Unusual NTLM Authentication Users By Source
|
|
T1110
T1110.003
|
Anomaly
|
Active Directory Password Spraying
|
2024-03-16
|
Multiple Okta Users With Invalid Credentials From The Same IP
|
|
T1110.003
T1078
T1078.001
|
TTP
|
Suspicious Okta Activity
|
2024-02-29
|
ASL AWS ECR Container Upload Outside Business Hours
|
|
T1204.003
T1204
|
Anomaly
|
Dev Sec Ops
|
2024-02-14
|
ASL AWS ECR Container Upload Unknown User
|
|
T1204.003
T1204
|
Anomaly
|
Dev Sec Ops
|
2024-02-14
|
ASL AWS IAM Failure Group Deletion
|
|
T1098
|
Anomaly
|
AWS IAM Privilege Escalation
|
2024-02-14
|
ASL AWS IAM Successful Group Deletion
|
|
T1069.003
T1098
T1069
|
Hunting
|
AWS IAM Privilege Escalation
|
2024-02-14
|
ASL AWS Defense Evasion Stop Logging Cloudtrail
|
|
T1562.008
T1562
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
ASL AWS Defense Evasion Update Cloudtrail
|
|
T1562
T1562.008
|
TTP
|
AWS Defense Evasion
|
2024-02-12
|
Windows AD Suspicious GPO Modification
|
|
T1484
T1484.001
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-12-19
|
Windows AD add Self to Group
|
|
T1098
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2023-12-18
|
Windows AD Self DACL Assignment
|
|
T1484
T1098
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-12-18
|
Windows AD GPO Deleted
|
|
T1562.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-24
|
Windows AD GPO Disabled
|
|
T1562.001
T1484.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-24
|
Windows AD GPO New CSE Addition
|
|
T1484
T1484.001
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-22
|
Windows AD Dangerous Deny ACL Modification
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-21
|
Windows AD Hidden OU Creation
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-16
|
Windows AD Dangerous User ACL Modification
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-15
|
Windows AD Dangerous Group ACL Modification
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
Windows AD Domain Root ACL Deletion
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
Windows AD Object Owner Updated
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
Windows AD Suspicious Attribute Modification
|
|
T1550
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-13
|
Windows AD Domain Root ACL Modification
|
|
T1484
T1222
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-11
|
Windows AD DCShadow Privileges ACL Addition
|
|
T1484
T1207
T1222.001
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-11-10
|
Windows DLL Search Order Hijacking Hunt
|
CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688
|
T1574.001
T1574
|
Hunting
|
Living Off The Land, Windows Defense Evasion Tactics
|
2023-11-07
|
Detect Distributed Password Spray Attempts
|
Azure Active Directory Sign-in activity
|
T1110.003
T1110
|
Hunting
|
Active Directory Password Spraying, Compromised User Account
|
2023-11-01
|
Detect Password Spray Attempts
|
Windows Event Log Security 4625
|
T1110.003
T1110
|
TTP
|
Active Directory Password Spraying, Compromised User Account
|
2023-11-01
|
Detect Password Spray Attack Behavior From Source
|
|
T1110.003
T1110
|
TTP
|
Compromised User Account
|
2023-10-30
|
Detect Password Spray Attack Behavior On User
|
|
T1110.003
T1110
|
TTP
|
Compromised User Account
|
2023-10-30
|
Internal Vulnerability Scan
|
|
T1595.002
T1046
|
TTP
|
Network Discovery
|
2023-10-27
|
Internal Vertical Port Scan
|
AWS CloudWatchLogs VPCflow
|
T1046
|
TTP
|
Network Discovery
|
2023-10-20
|
Windows Increase in Group or Object Modification Activity
|
Windows Event Log Security 4663
|
T1098
T1562
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
Windows Increase in User Modification Activity
|
Windows Event Log Security 4720
|
T1098
T1562
|
TTP
|
Sneaky Active Directory Persistence Tricks
|
2023-10-13
|
Windows AD Privileged Group Modification
|
|
T1098
|
TTP
|
Active Directory Privilege Escalation, Sneaky Active Directory Persistence Tricks
|
2023-09-27
|
ASL AWS Password Policy Changes
|
|
T1201
|
Hunting
|
AWS IAM Privilege Escalation, Compromised User Account
|
2023-05-22
|
Windows Network Share Interaction With Net
|
Sysmon EventID 1
|
T1135
T1039
|
TTP
|
Active Directory Discovery, Active Directory Privilege Escalation, Network Discovery
|
2023-04-21
|
Okta Account Locked Out
|
|
T1110
|
Anomaly
|
Okta MFA Exhaustion, Suspicious Okta Activity
|
2022-09-21
|
Okta Failed SSO Attempts
|
|
T1078
T1078.001
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-21
|
Okta Account Lockout Events
|
|
T1078
T1078.001
|
Anomaly
|
Suspicious Okta Activity
|
2022-09-19
|
ASL AWS CreateAccessKey
|
|
T1078
|
Hunting
|
AWS IAM Privilege Escalation
|
2022-05-23
|
Suspicious Rundll32 Rename
|
Sysmon EventID 1
|
T1218
T1036
T1218.011
T1036.003
|
Hunting
|
Masquerading - Rename System Utilities, Suspicious Rundll32 Activity
|
2022-04-07
|
Correlation by Repository and Risk
|
|
T1204.003
T1204
|
Correlation
|
Dev Sec Ops
|
2021-09-06
|
Correlation by User and Risk
|
|
T1204.003
T1204
|
Correlation
|
Dev Sec Ops
|
2021-09-06
|
O365 Suspicious Admin Email Forwarding
|
|
T1114.003
T1114
|
Anomaly
|
Data Exfiltration, Office 365 Collection Techniques
|
2020-12-16
|
O365 Suspicious Rights Delegation
|
|
T1114.002
T1114
T1098.002
T1098
|
TTP
|
Office 365 Collection Techniques
|
2020-12-15
|
Detect Mimikatz Using Loaded Images
|
Sysmon EventID 7
|
T1003.001
T1003
|
TTP
|
CISA AA22-257A, CISA AA22-264A, CISA AA22-320A, Cloud Federated Credential Abuse, Credential Dumping, DarkSide Ransomware, Detect Zerologon Attack, Sandworm Tools
|
2019-12-03
|
Splunk Enterprise Information Disclosure
|
|
|
TTP
|
Splunk Vulnerabilities
|
2018-06-14
|
Open Redirect in Splunk Web
|
|
|
TTP
|
Splunk Vulnerabilities
|
2017-09-19
|